CDL_1976 Posted September 9, 2013 ID:727392 Share Posted September 9, 2013 My IP address has been blocked from sending emails by spamhaus, which claims that my computer is infected with torpig. I have no idea whether the spamhaus diagnosis is accurate. I am a complete novice at detecting malware and removing it from my system. My anti-virus does not detect any issues, nor does the Microsoft Malicious Software Removal Tool. I should be grateful for any informed advice and suggestions. Link to post Share on other sites More sharing options...
Psychotic Posted September 9, 2013 ID:727428 Share Posted September 9, 2013 Hi there,my name is Marius and I will assist you with your malware related problems.Before we move on, please read the following points carefully. First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding. Perform everything in the correct order. Sometimes one step requires the previous one. If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem. Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me. Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts. If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed. Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean. My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding. Scan with DDSDownload DDS and save it to your desktop from here or here orhere.Disable any script blocker, and then double click dds.scr to run the tool.When done, DDS will open two (2) logsDDS.txt: save to your desktop then post its contents in your topicAttach.txt: save to your desktop then attach it to your next reply Scan with aswMBRPlease download aswMBR ( 4.5MB ) to your desktop.Double click the aswMBR.exe icon, and click Run. There will be a short delay before the next dialog box comes up. Please just wait a minute or two. When asked if you'd like to "download the latest Avast! virus definitions", click Yes. Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready. Click the Scan button to start the scan once the update has finished downloading On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.Note: There will also be a file on your desktop named MBR.dat do not delete this for now. It is an actual backup of the MBR (master boot record). Link to post Share on other sites More sharing options...
CDL_1976 Posted September 9, 2013 Author ID:727441 Share Posted September 9, 2013 Dear Marius, Thank you indeed for such a quick and constructive reply. Before I start on your instructions, I suspect (from my very minimal knowledge) that I should let you know that I ran a Quick Scan with the Malwarebytes Antimalware tool (the generic advice on this site recommends that one do so as a first step). I am so dim with these things that I cannot interpret the log. I assume it is not safe merely to delete all of the results, as false positives can also be produced by scanning process. I copy the log below. If none of the results indicates a torpig infection, is this conclusive evidence that I am in fact not infected? Many thanks again for your assistance. I will of course proceed with your instructions pending your advice regarding the scan I have performed. - - - - - Malwarebytes Anti-Malware 1.75.0.1300 www.malwarebytes.org Database version: v2013.09.08.07 Windows Vista Service Pack 2 x86 NTFS Internet Explorer 8.0.6001.19453 C D Larcombe :: CDLARCOMBE-PC [administrator] 9/09/2013 2:22:58 PM MBAM-log-2013-09-09 (17-52-07).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 694373 Time elapsed: 3 hour(s), 14 minute(s), 43 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 7 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847} (PUP.Optional.SweetPacks) -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847} (PUP.Optional.SweetPacks) -> No action taken. HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> No action taken. HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> No action taken. HKCU\SOFTWARE\SWEETIM (PUP.Optional.SweetIM.A) -> No action taken. HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> No action taken. HKLM\SOFTWARE\SWEETIM (PUP.Optional.SweetIM.A) -> No action taken. Registry Values Detected: 3 HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: 0G1G1H2Z1L1U1TtF0Z1E -> No action taken. HKCU\Software\SweetIM|simapp_id (PUP.Optional.SweetIM.A) -> Data: {9FA7CDE0-EB4B-11E0-9A8A-00214F4B9636} -> No action taken. HKLM\Software\SweetIM|simapp_id (PUP.Optional.SweetIM.A) -> Data: {9FA7CDE0-EB4B-11E0-9A8A-00214F4B9636} -> No action taken. Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 1 C:\Users\C D Larcombe\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> No action taken. Files Detected: 11 C:\Users\C D Larcombe\AppData\Local\Temp\6rMU6I1u.exe.part (PUP.Optional.Installex) -> No action taken. C:\Users\C D Larcombe\AppData\Local\Temp\_C11dQiO.exe.part (PUP.Optional.Installex) -> No action taken. C:\Users\C D Larcombe\AppData\Local\Temp\xR01kB2D.exe.part (PUP.Optional.Installex) -> No action taken. C:\Users\C D Larcombe\AppData\Local\Temp\r5PMMSSU.exe.part (PUP.Optional.Installex) -> No action taken. C:\Users\C D Larcombe\AppData\Local\Temp\{D47AD21F-BF0B-B0AB-5240-F7290F99F0E9}\sweetim.exe (PUP.Optional.SweetIM) -> No action taken. C:\Users\C D Larcombe\AppData\Local\Temp\is1988980107\MyBabylonTB.exe (PUP.Optional.Babylon.A) -> No action taken. C:\Users\C D Larcombe\Downloads\winamp563_full_bundle_emusic-7plus_all.exe (PUP.Optional.OpenCandy) -> No action taken. C:\Users\C D Larcombe\Local Settings\Temporary Internet Files\Content.IE5\I6IP52P3\sweetim[1].exe (PUP.Optional.SweetIM) -> No action taken. C:\Users\C D Larcombe\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cjpglkicenollcignonpgiafdgfeehoj_0.localstorage (PUP.FunMoods) -> No action taken. C:\Users\C D Larcombe\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cjpglkicenollcignonpgiafdgfeehoj_0.localstorage (PUP.FunMoods) -> No action taken. C:\Users\C D Larcombe\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> No action taken. (end) - - - - Link to post Share on other sites More sharing options...
CDL_1976 Posted September 9, 2013 Author ID:727443 Share Posted September 9, 2013 Incidentally, I performed the scan before receiving your response above, and the advice you give not to run scans unless instructed. Link to post Share on other sites More sharing options...
CDL_1976 Posted September 9, 2013 Author ID:727445 Share Posted September 9, 2013 Apologies - I did not properly attach the Malwarebytes log. Please find log attached. Link to post Share on other sites More sharing options...
CDL_1976 Posted September 9, 2013 Author ID:727447 Share Posted September 9, 2013 Apologies - I did not properly attach the Malwarebyte.s log. Please find log attached: MBAM-log-2013-09-09 (17-52-07).txt Link to post Share on other sites More sharing options...
CDL_1976 Posted September 9, 2013 Author ID:727496 Share Posted September 9, 2013 DDS (Ver_2012-11-20.01) - NTFS_x86Internet Explorer: 8.0.6001.19453 BrowserJavaVersion: 1.6.0_26Run by C D Larcombe at 22:03:07 on 2013-09-09Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3070.1106 [GMT 10:00].AV: Kaspersky PURE 3.0 *Enabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}SP: Kaspersky PURE 3.0 *Enabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}FW: Kaspersky PURE 3.0 *Enabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}.============== Running Processes ================.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\nvservice.exeC:\Windows\system32\nvvsvc.exeC:\Windows\system32\SLsvc.exeC:\Windows\system32\rundll32.exeC:\Windows\RtkAudioService.exeC:\Program Files\Alwil Software\Avast5\AvastSvc.exeC:\Windows\system32\taskeng.exeC:\Windows\System32\spoolsv.exeC:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exeC:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeC:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exeC:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exeC:\Program Files\Sony\Network Utility\NSUService.exeC:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exeC:\Windows\system32\spool\drivers\w32x86\3\NetFaxServer.exeC:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exeC:\Program Files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exeC:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exeC:\Program Files\Sony\VAIO Event Service\VESMgr.exeC:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exeC:\Windows\system32\DllHost.exeC:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exeC:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exeC:\Program Files\Sony\VAIO Event Service\VESMgrSub.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEC:\Windows\system32\DllHost.exeC:\Windows\system32\SearchIndexer.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exeC:\Windows\System32\WUDFHost.exeC:\Program Files\Common Files\Sony Shared\SOHLib\SOHDms.exeC:\Program Files\Common Files\Sony Shared\SOHLib\SOHDs.exeC:\Program Files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exeC:\Program Files\Common Files\Sony Shared\SOHLib\SOHCImp.exeC:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\system32\taskeng.exeC:\Windows\Explorer.EXEC:\Program Files\Windows Defender\MSASCui.exeC:\Windows\System32\rundll32.exeC:\Program Files\Alwil Software\Avast5\AvastUI.exeC:\Program Files\Common Files\Common Desktop Agent\CDASrv.exeC:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exeC:\Program Files\Sony\Network Utility\LANUtil.exeC:\Windows\ehome\ehtray.exeC:\Users\C D Larcombe\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Sony\VAIO Update\VAIOUpdt.exeC:\Windows\ehome\ehmsas.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Program Files\Sony\VAIO Power Management\SPMService.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Program Files\Sony\VAIO Update\VUAgent.exeC:\Windows\system32\conime.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\system32\conime.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k rpcssC:\Windows\System32\svchost.exe -k secsvcsC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k GPSvcGroupC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Windows\system32\svchost.exe -k bthsvcsC:\Windows\System32\svchost.exe -k HPZ12C:\Windows\System32\svchost.exe -k HPZ12C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Windows\system32\svchost.exe -k imgsvcC:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k SDRSVC.============== Pseudo HJT Report ===============.BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: Kaspersky Passsword Manager Toolbar: {215BA832-75A3-426E-A4FC-7C5B58CE6A10} - c:\program files\kaspersky lab\kaspersky pure 3.0\kaspersky password manager\spIEBho.dllBHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dllBHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dllBHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - c:\program files\kaspersky lab\kaspersky pure 3.0\ieext\contentblocker\ie_content_blocker_plugin.dllBHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dllBHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - c:\program files\kaspersky lab\kaspersky pure 3.0\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dllBHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dllBHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dllBHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - c:\program files\kaspersky lab\kaspersky pure 3.0\ieext\onlinebanking\online_banking_bho.dllBHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky pure 3.0\ieext\urladvisor\klwtbbho.dllTB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dllTB: Kaspersky Passsword Manager Toolbar: {215BA832-75A3-426E-A4FC-7C5B58CE6A10} - c:\program files\kaspersky lab\kaspersky pure 3.0\kaspersky password manager\spIEBho.dlluRun: [NSUFloatingUI] "c:\program files\sony\network utility\LANUtil.exe"uRun: [ehTray.exe] c:\windows\ehome\ehTray.exeuRun: [spotify Web Helper] "c:\users\c d larcombe\appdata\roaming\spotify\data\SpotifyWebHelper.exe"uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exeuRun: [KSS] "c:\program files\kaspersky lab\kaspersky security scan 2.0\kss.exe" /autorunmRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hidemRun: [RtHDVCpl] RtHDVCpl.exemRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartupmRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInitmRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /noguimRun: [CDAServer] c:\program files\common files\common desktop agent\CDASrv.exemRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"mRun: [AVP] "c:\program files\kaspersky lab\kaspersky pure 3.0\avp.exe"mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silentuPolicies-Explorer: NoDriveTypeAutoRun = dword:255mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0mPolicies-Explorer: NoDriveTypeAutoRun = dword:28mPolicies-System: EnableUIADesktopToggle = dword:0IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky pure 3.0\ie_banner_deny.htmIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htmIE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htmIE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dllIE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - c:\program files\kaspersky lab\kaspersky pure 3.0\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dllIE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dllIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htmIE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky pure 3.0\ieext\urladvisor\klwtbbho.dllIE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htmTCP: NameServer = 10.0.0.138TCP: Interfaces\{2C0E2C70-A966-44F6-BF49-7BDCB8581403} : DHCPNameServer = 10.0.0.138TCP: Interfaces\{6965D9E8-23BD-4D58-8668-8902A576C458} : DHCPNameServer = 10.0.0.138TCP: Interfaces\{75B90F3A-AD59-4F62-8CFE-895B4311856C} : DHCPNameServer = 10.0.0.138Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dllHandler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dllNotify: VESWinlogon - VESWinlogon.dllSEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} -LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg.================= FIREFOX ===================.FF - ProfilePath - c:\users\c d larcombe\appdata\roaming\mozilla\firefox\profiles\5waw5psb.default\FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dllFF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dllFF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dllFF - plugin: c:\program files\divx\divx plus web player\npdivx32.dllFF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dllFF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dllFF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dllFF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dllFF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dllFF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dllFF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlchromebrowserrecordext.dllFF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlhtml5videoshim.dllFF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlpepperflashvideoshim.dllFF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\npdlplugin.dllFF - plugin: c:\windows\system32\adobe\director\np32dsw_1202122.dllFF - ExtSQL: 2013-08-02 22:27; kitsune@kitsune.sourceforge.net; c:\users\c d larcombe\appdata\roaming\mozilla\firefox\profiles\5waw5psb.default\extensions\kitsune@kitsune.sourceforge.netFF - ExtSQL: 2013-09-09 13:03; anti_banner@kaspersky.com; c:\program files\kaspersky lab\kaspersky pure 3.0\ffext\anti_banner@kaspersky.comFF - ExtSQL: 2013-09-09 13:03; content_blocker@kaspersky.com; c:\program files\kaspersky lab\kaspersky pure 3.0\ffext\content_blocker@kaspersky.comFF - ExtSQL: 2013-09-09 13:04; online_banking@kaspersky.com; c:\program files\kaspersky lab\kaspersky pure 3.0\ffext\online_banking@kaspersky.comFF - ExtSQL: 2013-09-09 13:04; url_advisor@kaspersky.com; c:\program files\kaspersky lab\kaspersky pure 3.0\ffext\url_advisor@kaspersky.comFF - ExtSQL: 2013-09-09 13:04; virtual_keyboard@kaspersky.com; c:\program files\kaspersky lab\kaspersky pure 3.0\ffext\virtual_keyboard@kaspersky.com.---- FIREFOX POLICIES ----FF - user.js: network.cookie.cookieBehavior - 0FF - user.js: privacy.clearOnShutdown.cookies - falseFF - user.js: security.warn_viewing_mixed - falseFF - user.js: security.warn_viewing_mixed.show_once - falseFF - user.js: security.warn_submit_insecure - falseFF - user.js: security.warn_submit_insecure.show_once - falseFF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110808&tt=3412_4FF - user.js: extensions.BabylonToolbar_i.babExt -FF - user.js: extensions.BabylonToolbar_i.srcExt - ssFF - user.js: extensions.BabylonToolbar.id - 5414ff5600000000000000234ddfeecfFF - user.js: extensions.BabylonToolbar.instlDay - 15577FF - user.js: extensions.BabylonToolbar.vrsn - 1.6.4.6FF - user.js: extensions.BabylonToolbar.vrsni - 1.6.4.6FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.6.4.60:16:43FF - user.js: extensions.BabylonToolbar.prtnrId - babylonFF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbarFF - user.js: extensions.BabylonToolbar.aflt - babsstFF - user.js: extensions.BabylonToolbar_i.smplGrp - noneFF - user.js: extensions.BabylonToolbar.tlbrId - tb9FF - user.js: extensions.BabylonToolbar.instlRef - sstFF - user.js: extensions.BabylonToolbar.dfltLng - enFF - user.js: extensions.BabylonToolbar.excTlbr - falseFF - user.js: extensions.BabylonToolbar.admin - falseFF - user.js: extensions.searchya.hmpg - trueFF - user.js: extensions.searchya.dfltSrch - trueFF - user.js: extensions.searchya.srchPrvdr - SearchYa!FF - user.js: extensions.searchya.dnsErr - trueFF - user.js: extensions.searchya_i.newTab - falseFF - user.js: extensions.searchya.id - 00234DDFEECFFF56FF - user.js: extensions.searchya.instlDay - 15763FF - user.js: extensions.searchya.vrsn - 1.8.8.0FF - user.js: extensions.searchya.vrsni - 1.8.8.0FF - user.js: extensions.searchya_i.vrsnTs - 1.8.8.02:18:14FF - user.js: extensions.searchya.prtnrId - searchyaFF - user.js: extensions.searchya.prdct - searchyaFF - user.js: extensions.searchya.aflt - dnldyhoFF - user.js: extensions.searchya_i.smplGrp - noneFF - user.js: extensions.searchya.tlbrId - baseFF - user.js: extensions.searchya.instlRef -FF - user.js: extensions.searchya.dfltLng -FF - user.js: extensions.searchya.appId - {1973277F-87B0-4EA3-9ED2-470A91D284CF}FF - user.js: extensions.searchya.excTlbr - falseFF - user.js: extensions.searchya_i.hmpg - trueFF - user.js: extensions.irspeeddial.aflt - dnldyhoFF - user.js: extensions.irspeeddial.instlRef -FF - user.js: extensions.irspeeddial.cr - 1170014487FF - user.js: extensions.irspeeddial.cd - 2XzuyEtN2Y1L1QzutDtDtBtAyE0D0D0F0E0E0C0F0F0FyDyCtN0D0Tzu0CyEtBtAtN1L2XzutBtFtBtFtCtFyDtDtAtN1L1Czu1Q1G1I1Q2U1M1F.============= SERVICES / DRIVERS ===============.R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-5-22 49376]R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-5-22 175176]R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [2013-9-9 88632]R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-5 770344]R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-6-13 369584]R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [2013-9-9 39736]R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2012-8-2 24408]R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2012-10-18 44000]R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2012-8-13 145040]R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\common files\abbyy\finereader\9.00\licensing\pe\NetworkLicenseServer.exe [2008-10-27 759072]R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-17 169312]R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-13 29816]R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-6-13 66336]R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-2 46808]R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky pure 3.0\avp.exe [2012-12-20 356968]R2 CSObjectsSrv;CryptoStorage control service;c:\program files\common files\infowatch\cryptostorage\ProtectedObjectsSrv.exe [2012-12-21 819040]R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2009-1-3 303104]R2 nvservice;NVIDIA GuardService;c:\windows\system32\nvservice.exe [2013-3-17 160544]R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2012-11-29 38608]R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]R2 RtkAudioService;Realtek Audio Service;c:\windows\RTKAUDIOSERVICE.EXE [2008-12-5 102400]R2 Samsung Network Fax Server;Samsung Network Fax Server;c:\windows\system32\spool\drivers\w32x86\3\NetFaxServer.exe [2013-5-27 181760]R2 SOHCImp;VAIO Media plus Content Importer;c:\program files\common files\sony shared\sohlib\SOHCImp.exe [2013-7-17 122008]R2 SOHDBSvr;VAIO Media plus Database Manager;c:\program files\common files\sony shared\sohlib\SOHDBSvr.exe [2013-7-17 72856]R2 SOHDms;VAIO Media plus Digital Media Server;c:\program files\common files\sony shared\sohlib\SOHDms.exe [2013-7-17 392344]R2 SOHDs;VAIO Media plus Device Searcher;c:\program files\common files\sony shared\sohlib\SOHDs.exe [2013-7-17 76952]R2 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files\common files\sony shared\sohlib\SOHPlMgr.exe [2013-7-17 93336]R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2012-2-15 5120]R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-i visual effects 2\uCamMonitor.exe [2009-1-3 104960]R2 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2009-5-30 415584]R2 VCFw;VAIO Content Folder Watcher;c:\program files\common files\sony shared\vaio content folder watcher\VCFw.exe [2009-3-5 5189992]R2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2011-4-20 480624]R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2009-1-3 17920]R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-12-4 225408]R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2012-9-3 25944]R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2012-9-3 25944]R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-9-9 40776]R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-12-4 9344]R3 VUAgent;VUAgent;c:\program files\sony\vaio update\VUAgent.exe [2012-11-22 1013808]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 KSS;Kaspersky Security Scan Service;c:\program files\kaspersky lab\kaspersky security scan 2.0\kss.exe [2012-12-7 202328]S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-12-5 29736]S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2010-5-15 206336]S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2010-11-18 83312]S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856].=============== File Associations ===============.FileExt: .txt: Applications\Winword.exe="c:\program files\microsoft office\office12\WINWORD.EXE" /n /dde [userChoice] [default=edit - 'Open' doesn't exist]ShellExec: VCExporterLaunch.exe: open="c:\program files\sony\vaio vp utilities\VCELaunch.exe" "%1".=============== Created Last 30 ================.2013-09-09 11:25:14 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2013-09-09 11:02:39 -------- d-----w- c:\users\c d larcombe\appdata\local\{7BDDC5CD-DB09-47B7-9D7F-D64DE15DE7B8}2013-09-09 04:21:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys2013-09-09 04:21:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2013-09-09 03:05:02 39736 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys2013-09-09 03:04:46 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys2013-09-09 03:03:55 -------- d-----w- c:\program files\common files\InfoWatch2013-09-09 02:55:13 74848 ----a-w- c:\windows\system32\drivers\klflt.sys2013-09-09 00:17:32 -------- d-----w- c:\programdata\Kaspersky Lab2013-09-09 00:17:32 -------- d-----w- c:\program files\Kaspersky Lab2013-09-08 23:35:37 -------- d-----w- C:\TDSSKiller_Quarantine2013-09-08 23:01:27 -------- d-----w- c:\users\c d larcombe\appdata\local\{368CA0E9-F771-493F-89AA-6C36826855B4}2013-09-08 00:54:17 -------- d-----w- c:\users\c d larcombe\appdata\local\{0CBF12F5-6DE0-4AFF-832D-1B61BE8EC0C9}2013-09-07 02:12:44 -------- d-----w- c:\users\c d larcombe\appdata\local\{6C91A057-1D35-4E30-BAAE-D18230676053}2013-09-06 15:56:02 7166848 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{869e30a0-fa0b-4163-a8fd-b9ee06642009}\mpengine.dll2013-09-06 14:08:26 -------- d-----w- c:\users\c d larcombe\appdata\local\{B4D82C52-E254-4EB5-A986-11D44817957D}2013-09-06 01:41:29 -------- d-----w- c:\users\c d larcombe\appdata\local\{30B144A6-6449-413C-86A9-DC375EC5BDE3}2013-09-05 14:33:05 -------- d-----w- c:\users\c d larcombe\appdata\local\{49F6364F-37AB-42F4-AA95-C93260014633}2013-09-05 02:19:10 -------- d-----w- c:\users\c d larcombe\appdata\local\{2606083F-F601-4B60-8C21-596BA8658AB8}2013-09-03 23:43:57 -------- d-----w- c:\users\c d larcombe\appdata\local\{E515E1C9-BF8B-404D-B466-358970FA89A5}2013-09-03 02:39:32 -------- d-----w- c:\users\c d larcombe\appdata\local\{2B6D5380-C84E-4720-AEFE-B7D9BF2EE929}2013-09-02 02:23:46 -------- d-----w- c:\users\c d larcombe\appdata\local\{CAEFE10E-CE1D-4D1C-83E0-CD2F807C2901}2013-09-01 14:05:34 -------- d-----w- c:\users\c d larcombe\appdata\local\{6A75BDD7-4FCC-4830-B35D-70B027C08A77}2013-09-01 01:50:35 -------- d-----w- c:\users\c d larcombe\appdata\local\{5491E519-0883-4458-9B0B-246EB39CB9B3}2013-08-31 13:40:05 -------- d-----w- c:\users\c d larcombe\appdata\local\{A6868B4B-2853-489C-9761-BC0F9D6D52FD}2013-08-31 00:48:13 -------- d-----w- c:\users\c d larcombe\appdata\local\{6CC057F7-41EC-413D-84C2-2122F9F7B0F1}2013-08-31 00:40:47 -------- d-----w- c:\users\c d larcombe\appdata\local\{559BB7BB-CA8D-4598-9B40-2BE6D210603C}2013-08-30 09:38:02 -------- d-----w- c:\users\c d larcombe\appdata\local\{DEBAF5D8-C6CA-4C40-8823-96C57580390B}2013-08-29 15:08:18 -------- d-----w- c:\users\c d larcombe\appdata\local\{7FE79887-68FB-46AF-830B-04A6E1152C48}2013-08-29 02:29:51 -------- d-----w- c:\users\c d larcombe\appdata\local\{FBB0D241-0D5E-43A0-9A54-7CAD36846AC1}2013-08-28 10:25:12 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL2013-08-28 10:22:08 -------- d-----w- c:\users\c d larcombe\appdata\local\{D6FA43A0-19AA-415A-BF68-6D022203C629}2013-08-27 20:24:56 -------- d-----w- c:\users\c d larcombe\appdata\local\{13FD319E-31EF-4FF5-8D83-FBE0549568BA}2013-08-27 03:36:15 -------- d-----w- c:\users\c d larcombe\appdata\local\{DD9862F9-671E-4D98-8CBC-CDC51DDBAAA9}2013-08-26 15:15:30 -------- d-----w- c:\users\c d larcombe\appdata\local\{DABC5FEB-A2A7-44A4-B6BD-474792E3F160}2013-08-26 15:05:02 -------- d-----w- c:\users\c d larcombe\appdata\local\{2E76A85A-896C-4448-AC7A-5F4E18DAC0CF}2013-08-26 03:02:28 -------- d-----w- c:\users\c d larcombe\appdata\local\{8FCEA357-CDC0-4121-955C-4B22C3BDF56B}2013-08-25 15:02:04 -------- d-----w- c:\users\c d larcombe\appdata\local\{205BDF1A-DCB2-4D50-B9DD-B7A24EF18A4C}2013-08-25 03:01:40 -------- d-----w- c:\users\c d larcombe\appdata\local\{6475999F-CF09-4D36-8635-C34B490561D4}2013-08-24 04:51:20 -------- d-----w- c:\users\c d larcombe\appdata\local\{E671AC10-6F90-4743-8DFF-D9D0E8B558E5}2013-08-24 03:52:55 -------- d-----w- c:\users\c d larcombe\appdata\local\{D77746CA-60CB-4E43-BFEB-1E174B41CF54}2013-08-23 15:20:40 -------- d-----w- c:\users\c d larcombe\appdata\local\{1AFCAC29-6241-4967-8877-97564C269A37}2013-08-23 03:20:17 -------- d-----w- c:\users\c d larcombe\appdata\local\{B1826BFD-2039-4BE1-B6B5-7CB142AA5420}2013-08-22 14:31:44 -------- d-----w- c:\users\c d larcombe\appdata\local\{087AC138-70C2-4629-86E0-7923B0C9EF32}2013-08-22 02:22:17 -------- d-----w- c:\users\c d larcombe\appdata\local\{F5DDC6C4-DA44-4DA1-BD5C-36F509EF95BD}2013-08-21 03:24:20 -------- d-----w- c:\users\c d larcombe\appdata\local\{108453CD-CCA0-4760-A7DC-8014DABA33A6}2013-08-20 15:00:50 -------- d-----w- c:\users\c d larcombe\appdata\local\{5CC438BF-ADEA-42AE-A5F2-895FCFE3C356}2013-08-20 14:47:46 -------- d-----w- c:\users\c d larcombe\appdata\local\{D9D574BB-D64F-4196-81BC-C1930848CBEE}2013-08-20 14:36:25 -------- d-----w- c:\users\c d larcombe\appdata\local\{24E1EE6C-736E-427B-92DD-4AFB5FEB2C91}2013-08-20 14:33:01 -------- d-----w- c:\users\c d larcombe\appdata\local\{9879017B-4EA2-4165-947B-23EAD8D21C6E}2013-08-20 14:20:59 -------- d-----w- c:\users\c d larcombe\appdata\local\{1885B3C8-F788-4981-AF52-F933679A9CA7}2013-08-20 13:54:25 -------- d-----w- c:\users\c d larcombe\appdata\local\{171B10CA-3A03-411D-9C11-0A129320B50A}2013-08-20 13:43:07 -------- d-----w- c:\users\c d larcombe\appdata\local\{DF248175-12DB-434E-917C-103F859C0A0B}2013-08-20 13:15:55 -------- d-----w- c:\users\c d larcombe\appdata\local\{91AEA189-CF7D-4E8F-B4AD-2454651CFE5A}2013-08-20 13:11:05 -------- d-----w- c:\users\c d larcombe\appdata\local\{F55DE9E7-68D5-4053-914D-FC42BF7A7251}2013-08-20 13:08:54 -------- d-----w- c:\users\c d larcombe\appdata\local\{55D51E36-69F6-49AC-A1C7-3C15C5FEA176}2013-08-20 01:06:42 -------- d-----w- c:\users\c d larcombe\appdata\local\{991BD0A7-8DAB-4474-A27B-2BBDE65B9DDC}2013-08-19 08:28:34 -------- d-----w- c:\users\c d larcombe\appdata\local\{02B04C32-8ACD-4CE8-8A39-6DC7CCE8DFBA}2013-08-18 15:02:15 -------- d-----w- c:\users\c d larcombe\appdata\local\{9128EEBA-22D5-406A-9B38-A3B5A5CC75F1}2013-08-18 02:57:22 -------- d-----w- c:\users\c d larcombe\appdata\local\{19C20AD2-B087-4218-BF5E-B7D543F63C7B}2013-08-17 13:08:55 -------- d-----w- c:\users\c d larcombe\appdata\local\{EAEF891E-07DE-4D2C-8DE4-6D7A434D81CD}2013-08-17 00:50:35 -------- d-----w- c:\users\c d larcombe\appdata\local\{AFB84056-66DF-49CA-84D9-A97C040D7F50}2013-08-16 08:26:30 -------- d-----w- c:\users\c d larcombe\appdata\local\{1C76A654-A812-42FC-A910-B748296A3791}2013-08-15 15:21:46 -------- d-----w- c:\users\c d larcombe\appdata\local\{09F2E3D2-666D-4E14-AA6D-3AB8A0D217B1}2013-08-15 02:37:28 -------- d-----w- c:\users\c d larcombe\appdata\local\{2EF64EF7-4F56-45C6-85E4-B1B9AF5D5DA1}2013-08-14 15:58:13 -------- d-----w- c:\windows\system32\MRT2013-08-14 13:17:00 -------- d-----w- c:\users\c d larcombe\appdata\local\{4C35DC6C-DB8A-47A0-A4A5-2BEA38FAD20C}2013-08-14 10:52:19 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys2013-08-14 10:52:17 15872 ----a-w- c:\windows\system32\icaapi.dll2013-08-14 10:52:13 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys2013-08-14 01:16:22 -------- d-----w- c:\users\c d larcombe\appdata\local\{0C624780-46F5-4BE8-BDA1-EE3A09B1E497}2013-08-13 10:07:04 -------- d-----w- c:\users\c d larcombe\appdata\local\{6B2C07C1-A9D3-4725-BAAA-00A978C407EA}2013-08-12 16:29:33 -------- d-----w- c:\users\c d larcombe\appdata\local\{9D99F667-F55A-4E50-A57F-9A29C3C92EAC}2013-08-12 15:50:05 -------- d-----w- c:\users\c d larcombe\appdata\local\{E8C180B0-66F7-4C49-BA96-CBB94F85F00C}2013-08-12 15:41:40 -------- d-----w- c:\users\c d larcombe\appdata\local\{4A5A692C-8A27-4A75-829A-3205D790CD7C}2013-08-12 02:56:11 -------- d-----w- c:\users\c d larcombe\appdata\local\{B0ADD78B-2C26-4564-B7A2-5A10CC1BE07E}2013-08-11 05:52:26 -------- d-----w- c:\users\c d larcombe\appdata\local\{A84F6C96-22B2-475D-A2EC-1A47CD60DAA5}2013-08-10 16:10:17 -------- d-----w- c:\users\c d larcombe\appdata\local\{1D8854FF-F0D9-40EE-924D-053A226A74BB}2013-08-10 13:47:01 -------- d-----w- c:\users\c d larcombe\appdata\local\{359A4FDC-96E7-48ED-BDD9-37467DB0F4A5}.==================== Find3M ====================.2013-09-09 03:31:39 145040 ----a-w- c:\windows\system32\drivers\kneps.sys2013-09-09 03:31:38 44000 ----a-w- c:\windows\system32\drivers\kltdi.sys2013-07-24 00:33:07 916480 ----a-w- c:\windows\system32\wininet.dll2013-07-24 00:32:57 43520 ----a-w- c:\windows\system32\licmgr10.dll2013-07-24 00:32:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl2013-07-24 00:32:56 109056 ----a-w- c:\windows\system32\iesysprep.dll2013-07-24 00:32:55 71680 ----a-w- c:\windows\system32\iesetup.dll2013-07-23 23:56:25 385024 ----a-w- c:\windows\system32\html.iec2013-07-23 23:49:27 133632 ----a-w- c:\windows\system32\ieUnatt.exe2013-07-23 23:49:13 1638912 ----a-w- c:\windows\system32\mshtml.tlb2013-07-17 19:41:34 2048 ----a-w- c:\windows\system32\tzres.dll2013-07-10 09:47:00 783360 ----a-w- c:\windows\system32\rpcrt4.dll2013-07-09 12:10:36 1205168 ----a-w- c:\windows\system32\ntdll.dll2013-07-08 04:55:51 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe2013-07-08 04:55:51 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe2013-07-08 04:20:04 172544 ----a-w- c:\windows\system32\wintrust.dll2013-07-08 04:16:55 98304 ----a-w- c:\windows\system32\cryptnet.dll2013-07-08 04:16:55 133120 ----a-w- c:\windows\system32\cryptsvc.dll2013-07-08 04:16:54 992768 ----a-w- c:\windows\system32\crypt32.dll2013-06-28 00:15:43 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys2013-06-28 00:15:43 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys2007-12-07 11:13:46 4192768 ----a-r- c:\program files\ABBYY FineReader 9.0 Professional Edition.msi2007-12-06 14:15:52 390432 ----a-r- c:\program files\Setup.exe2003-04-21 04:09:50 245408 ----a-r- c:\program files\unicows.dll2002-03-11 01:06:30 1822520 ----a-r- c:\program files\instmsiw.exe.============= FINISH: 22:06:38.54 =============== Link to post Share on other sites More sharing options...
CDL_1976 Posted September 9, 2013 Author ID:727500 Share Posted September 9, 2013 Relevant file attached. Thank you.Attach.txt Link to post Share on other sites More sharing options...
Psychotic Posted September 9, 2013 ID:727519 Share Posted September 9, 2013 Don´t forget to create and post the aswMBR log Link to post Share on other sites More sharing options...
CDL_1976 Posted September 9, 2013 Author ID:727529 Share Posted September 9, 2013 Thank you for that reminder. Here is the log: aswMBR version 0.9.9.1771 Copyright© 2011 AVAST SoftwareRun date: 2013-09-09 22:36:40-----------------------------22:36:40.065 OS Version: Windows 6.0.6002 Service Pack 222:36:40.065 Number of processors: 2 586 0x170A22:36:40.066 ComputerName: CDLARCOMBE-PC UserName: C D Larcombe22:36:41.379 Initialize success22:36:44.167 AVAST engine defs: 1309090022:37:23.548 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-022:37:23.550 Disk 0 Vendor: ST3500820AS AD2X Size: 476940MB BusType: 322:37:23.552 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000006422:37:23.554 Disk 1 Vendor: RICOH 01 Size: 476940MB BusType: 022:37:23.557 Disk 2 \Device\Harddisk2\DR2 -> \Device\0000006522:37:23.559 Disk 2 Vendor: RICOH 02 Size: 476940MB BusType: 022:37:23.564 Disk 0 MBR read successfully22:37:23.566 Disk 0 MBR scan22:37:24.058 Disk 0 Windows VISTA default MBR code22:37:24.070 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12429 MB offset 204822:37:24.772 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 464509 MB offset 2545664022:37:24.821 Disk 0 scanning sectors +97677112022:37:25.349 Disk 0 scanning C:\Windows\system32\drivers22:37:44.801 Service scanning22:37:54.345 Service kl1 C:\Windows\system32\DRIVERS\kl1.sys **LOCKED** 522:37:54.471 Service KLIM6 C:\Windows\system32\DRIVERS\klim6.sys **LOCKED** 522:37:54.502 Service klkbdflt C:\Windows\system32\DRIVERS\klkbdflt.sys **LOCKED** 522:37:54.555 Service klmouflt C:\Windows\system32\DRIVERS\klmouflt.sys **LOCKED** 522:37:54.605 Service kltdi C:\Windows\system32\DRIVERS\kltdi.sys **LOCKED** 522:37:54.643 Service kneps C:\Windows\system32\DRIVERS\kneps.sys **LOCKED** 522:38:11.096 Modules scanning22:38:22.659 Disk 0 trace - called modules:22:38:22.676 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86cf71e8]<<22:38:22.679 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f63a18]22:38:22.683 3 CLASSPNP.SYS[8c3a78b3] -> nt!IofCallDriver -> [0x86020918]22:38:22.686 5 acpi.sys[807b86bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8600e528]22:38:22.690 \Driver\atapi[0x86393758] -> IRP_MJ_CREATE -> 0x86cf71e822:38:24.097 AVAST engine scan C:\Windows22:38:27.893 AVAST engine scan C:\Windows\system3222:42:22.997 AVAST engine scan C:\Windows\system32\drivers22:42:47.458 AVAST engine scan C:\Users\C D Larcombe22:48:47.596 Disk 0 MBR has been saved successfully to "C:\Users\C D Larcombe\Desktop\MBR.dat"22:48:47.598 The log file has been saved successfully to "C:\Users\C D Larcombe\Desktop\aswMBR.txt" aswMBR version 0.9.9.1771 Copyright© 2011 AVAST SoftwareRun date: 2013-09-09 22:36:40-----------------------------22:36:40.065 OS Version: Windows 6.0.6002 Service Pack 222:36:40.065 Number of processors: 2 586 0x170A22:36:40.066 ComputerName: CDLARCOMBE-PC UserName: C D Larcombe22:36:41.379 Initialize success22:36:44.167 AVAST engine defs: 1309090022:37:23.548 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-022:37:23.550 Disk 0 Vendor: ST3500820AS AD2X Size: 476940MB BusType: 322:37:23.552 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000006422:37:23.554 Disk 1 Vendor: RICOH 01 Size: 476940MB BusType: 022:37:23.557 Disk 2 \Device\Harddisk2\DR2 -> \Device\0000006522:37:23.559 Disk 2 Vendor: RICOH 02 Size: 476940MB BusType: 022:37:23.564 Disk 0 MBR read successfully22:37:23.566 Disk 0 MBR scan22:37:24.058 Disk 0 Windows VISTA default MBR code22:37:24.070 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12429 MB offset 204822:37:24.772 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 464509 MB offset 2545664022:37:24.821 Disk 0 scanning sectors +97677112022:37:25.349 Disk 0 scanning C:\Windows\system32\drivers22:37:44.801 Service scanning22:37:54.345 Service kl1 C:\Windows\system32\DRIVERS\kl1.sys **LOCKED** 522:37:54.471 Service KLIM6 C:\Windows\system32\DRIVERS\klim6.sys **LOCKED** 522:37:54.502 Service klkbdflt C:\Windows\system32\DRIVERS\klkbdflt.sys **LOCKED** 522:37:54.555 Service klmouflt C:\Windows\system32\DRIVERS\klmouflt.sys **LOCKED** 522:37:54.605 Service kltdi C:\Windows\system32\DRIVERS\kltdi.sys **LOCKED** 522:37:54.643 Service kneps C:\Windows\system32\DRIVERS\kneps.sys **LOCKED** 522:38:11.096 Modules scanning22:38:22.659 Disk 0 trace - called modules:22:38:22.676 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86cf71e8]<<22:38:22.679 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f63a18]22:38:22.683 3 CLASSPNP.SYS[8c3a78b3] -> nt!IofCallDriver -> [0x86020918]22:38:22.686 5 acpi.sys[807b86bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8600e528]22:38:22.690 \Driver\atapi[0x86393758] -> IRP_MJ_CREATE -> 0x86cf71e822:38:24.097 AVAST engine scan C:\Windows22:38:27.893 AVAST engine scan C:\Windows\system3222:42:22.997 AVAST engine scan C:\Windows\system32\drivers22:42:47.458 AVAST engine scan C:\Users\C D Larcombe22:48:47.596 Disk 0 MBR has been saved successfully to "C:\Users\C D Larcombe\Desktop\MBR.dat"22:48:47.598 The log file has been saved successfully to "C:\Users\C D Larcombe\Desktop\aswMBR.txt"23:04:19.846 Disk 0 MBR has been saved successfully to "C:\Users\C D Larcombe\Desktop\MBR.dat"23:04:19.847 The log file has been saved successfully to "C:\Users\C D Larcombe\Desktop\aswMBR.txt" aswMBR version 0.9.9.1771 Copyright© 2011 AVAST SoftwareRun date: 2013-09-09 23:09:26-----------------------------23:09:26.503 OS Version: Windows 6.0.6002 Service Pack 223:09:26.503 Number of processors: 2 586 0x170A23:09:26.504 ComputerName: CDLARCOMBE-PC UserName: C D Larcombe23:09:29.662 Initialize success23:09:32.588 AVAST engine defs: 1309090023:09:45.400 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-023:09:45.427 Disk 0 Vendor: ST3500820AS AD2X Size: 476940MB BusType: 323:09:45.430 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000006423:09:45.432 Disk 1 Vendor: RICOH 01 Size: 476940MB BusType: 023:09:45.435 Disk 2 \Device\Harddisk2\DR2 -> \Device\0000006523:09:45.437 Disk 2 Vendor: RICOH 02 Size: 476940MB BusType: 023:09:45.551 Disk 0 MBR read successfully23:09:45.559 Disk 0 MBR scan23:09:45.563 Disk 0 Windows VISTA default MBR code23:09:45.602 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12429 MB offset 204823:09:45.622 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 464509 MB offset 2545664023:09:45.689 Disk 0 scanning sectors +97677112023:09:45.908 Disk 0 scanning C:\Windows\system32\drivers23:10:17.111 Service scanning23:10:26.530 Service kl1 C:\Windows\system32\DRIVERS\kl1.sys **LOCKED** 523:10:26.713 Service KLIM6 C:\Windows\system32\DRIVERS\klim6.sys **LOCKED** 523:10:26.753 Service klkbdflt C:\Windows\system32\DRIVERS\klkbdflt.sys **LOCKED** 523:10:26.806 Service klmouflt C:\Windows\system32\DRIVERS\klmouflt.sys **LOCKED** 523:10:26.863 Service kltdi C:\Windows\system32\DRIVERS\kltdi.sys **LOCKED** 523:10:26.894 Service kneps C:\Windows\system32\DRIVERS\kneps.sys **LOCKED** 523:10:40.682 Modules scanning23:11:19.059 Disk 0 trace - called modules:23:11:19.079 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86cf71e8]<<23:11:19.083 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f63a18]23:11:19.086 3 CLASSPNP.SYS[8c3a78b3] -> nt!IofCallDriver -> [0x86020918]23:11:19.090 5 acpi.sys[807b86bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8600e528]23:11:19.093 \Driver\atapi[0x86393758] -> IRP_MJ_CREATE -> 0x86cf71e823:11:21.838 AVAST engine scan C:\Windows23:12:01.970 AVAST engine scan C:\Windows\system3223:18:08.651 AVAST engine scan C:\Windows\system32\drivers23:18:51.121 AVAST engine scan C:\Users\C D Larcombe23:21:29.919 Disk 0 MBR has been saved successfully to "C:\Users\C D Larcombe\Desktop\MBR.dat"23:21:29.926 The log file has been saved successfully to "C:\Users\C D Larcombe\Desktop\aswMBR.txt" Link to post Share on other sites More sharing options...
Psychotic Posted September 10, 2013 ID:727798 Share Posted September 10, 2013 Ah, there we go! CombofixCombofix should only be run when adviced by a team member!LinkImportant - Save the file to your desktop! Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work. Run Combofix.exeWhen finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this. Link to post Share on other sites More sharing options...
CDL_1976 Posted September 11, 2013 Author ID:728150 Share Posted September 11, 2013 Please find leg below: ComboFix 13-09-10.01 - C D Larcombe 11/09/2013 2:41.2.2 - x86Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3070.1792 [GMT 10:00]Running from: c:\users\C D Larcombe\Desktop\ComboFix.exeAV: avast! Antivirus *Disabled/Outdated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}AV: Kaspersky PURE 3.0 *Disabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}FW: Kaspersky PURE 3.0 *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}SP: avast! Antivirus *Disabled/Outdated* {904CF271-6431-DA47-5FCE-A87D98DFB681}SP: Kaspersky PURE 3.0 *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\program files\Setup.exe..((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))..-------\Legacy_RKHIT-------\Service_RkHit..((((((((((((((((((((((((( Files Created from 2013-08-11 to 2013-09-11 )))))))))))))))))))))))))))))))..2013-09-10 23:39 . 2013-09-10 23:39 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B477EE33-CC6A-4EF6-BE28-CF4E0C88FD41}\offreg.dll2013-09-10 23:13 . 2013-08-06 07:28 7166848 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B477EE33-CC6A-4EF6-BE28-CF4E0C88FD41}\mpengine.dll2013-09-10 23:05 . 2013-09-10 23:13 -------- d-----w- C:\19896072c2fd9024f1f22013-09-10 17:22 . 2013-09-11 02:00 -------- d-----w- c:\users\C D Larcombe\AppData\Local\temp2013-09-10 17:22 . 2013-09-10 17:22 -------- d-----w- c:\users\Default\AppData\Local\temp2013-09-09 04:21 . 2013-09-09 04:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2013-09-09 04:21 . 2013-04-04 04:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys2013-09-09 03:05 . 2011-06-02 04:39 39736 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys2013-09-09 03:04 . 2011-06-02 04:39 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys2013-09-09 03:03 . 2013-09-09 03:03 -------- d-----w- c:\program files\Common Files\InfoWatch2013-09-09 02:55 . 2013-09-09 03:31 74848 ----a-w- c:\windows\system32\drivers\klflt.sys2013-09-09 00:17 . 2013-09-11 02:00 -------- d-----w- c:\programdata\Kaspersky Lab2013-09-09 00:17 . 2013-09-09 03:03 -------- d-----w- c:\program files\Kaspersky Lab2013-09-08 23:35 . 2013-09-08 23:50 -------- d-----w- C:\TDSSKiller_Quarantine2013-08-28 10:25 . 2013-08-02 04:09 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL2013-08-14 15:58 . 2013-08-14 16:00 -------- d-----w- c:\windows\system32\MRT2013-08-14 10:52 . 2013-06-15 11:23 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys2013-08-14 10:52 . 2013-06-15 13:22 15872 ----a-w- c:\windows\system32\icaapi.dll2013-08-14 10:52 . 2013-07-05 04:53 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2013-09-09 03:31 . 2012-08-13 06:49 145040 ----a-w- c:\windows\system32\drivers\kneps.sys2013-09-09 03:31 . 2012-10-18 04:50 44000 ----a-w- c:\windows\system32\drivers\kltdi.sys2013-06-28 00:15 . 2013-05-22 11:49 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys2013-06-28 00:15 . 2011-06-05 08:39 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys2013-06-28 00:15 . 2009-06-12 14:48 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys2007-12-07 11:13 . 2007-12-07 11:13 4192768 ----a-r- c:\program files\ABBYY FineReader 9.0 Professional Edition.msi2003-04-21 04:09 . 2003-04-21 04:09 245408 ----a-r- c:\program files\unicows.dll2002-03-11 01:06 . 2002-03-11 01:06 1822520 ----a-r- c:\program files\instmsiw.exe..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]@="{472083B0-C522-11CF-8763-00608CC02F24}"[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]2013-05-09 08:58 121968 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]@="{dd230880-495a-11d1-b064-008048ec2fc5}"[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]2012-12-20 08:20 459784 ----a-w- c:\program files\Kaspersky Lab\Kaspersky PURE 3.0\shellex.dll.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NSUFloatingUI"="c:\program files\Sony\Network Utility\LANUtil.exe" [2008-12-05 270336]"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]"Spotify Web Helper"="c:\users\C D Larcombe\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-07-22 1104384]"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]"KSS"="c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-12-07 202328].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RtHDVCpl"="RtHDVCpl.exe" [2008-10-17 6281760]"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-30 13556256]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-30 92704]"CDAServer"="c:\program files\Common Files\Common Desktop Agent\CDASrv.exe" [2012-02-20 344064]"AVP"="c:\program files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe" [2012-12-20 356968].c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audio Filter.lnk - c:\program files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe [2009-1-3 4243232].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"EnableUIADesktopToggle"= 0 (0x0).[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]2008-11-06 02:32 98304 ----a-w- c:\windows\System32\VESWinlogon.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"aux"=wdmaud.drv.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]@="Service".[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]2013-05-08 21:20 41056 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe.[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]"DisableMonitoring"=dword:00000001.[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]"AntiVirusOverride"=dword:00000001.S2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2008-10-27 759072]S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]..[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]bthsvcs REG_MULTI_SZ BthServLocalServiceAndNoImpersonation REG_MULTI_SZ FontCacheHPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12.Contents of the 'Scheduled Tasks' folder.2013-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-01 13:05].2013-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-01 13:05]..------- Supplementary Scan -------.uInternet Settings,ProxyOverride = *.localIE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky PURE 3.0\ie_banner_deny.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htmIE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htmTCP: DhcpNameServer = 10.0.0.138FF - ProfilePath - c:\users\C D Larcombe\AppData\Roaming\Mozilla\Firefox\Profiles\5waw5psb.default\FF - ExtSQL: 2013-08-02 22:27; kitsune@kitsune.sourceforge.net; c:\users\C D Larcombe\AppData\Roaming\Mozilla\Firefox\Profiles\5waw5psb.default\extensions\kitsune@kitsune.sourceforge.netFF - ExtSQL: 2013-09-09 13:03; anti_banner@kaspersky.com; c:\program files\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\anti_banner@kaspersky.comFF - ExtSQL: 2013-09-09 13:03; content_blocker@kaspersky.com; c:\program files\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\content_blocker@kaspersky.comFF - ExtSQL: 2013-09-09 13:04; online_banking@kaspersky.com; c:\program files\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\online_banking@kaspersky.comFF - ExtSQL: 2013-09-09 13:04; url_advisor@kaspersky.com; c:\program files\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\url_advisor@kaspersky.comFF - ExtSQL: 2013-09-09 13:04; virtual_keyboard@kaspersky.com; c:\program files\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\virtual_keyboard@kaspersky.comFF - ExtSQL: 2013-09-11 01:22; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\users\C D Larcombe\AppData\Roaming\Mozilla\Firefox\Profiles\5waw5psb.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}FF - user.js: network.cookie.cookieBehavior - 0FF - user.js: privacy.clearOnShutdown.cookies - falseFF - user.js: security.warn_viewing_mixed - falseFF - user.js: security.warn_viewing_mixed.show_once - falseFF - user.js: security.warn_submit_insecure - falseFF - user.js: security.warn_submit_insecure.show_once - falseFF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110808&tt=3412_4FF - user.js: extensions.BabylonToolbar_i.babExt -FF - user.js: extensions.BabylonToolbar_i.srcExt - ssFF - user.js: extensions.BabylonToolbar.id - 5414ff5600000000000000234ddfeecfFF - user.js: extensions.BabylonToolbar.instlDay - 15577FF - user.js: extensions.BabylonToolbar.vrsn - 1.6.4.6FF - user.js: extensions.BabylonToolbar.vrsni - 1.6.4.6FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.6.4.60:16FF - user.js: extensions.BabylonToolbar.prtnrId - babylonFF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbarFF - user.js: extensions.BabylonToolbar.aflt - babsstFF - user.js: extensions.BabylonToolbar_i.smplGrp - noneFF - user.js: extensions.BabylonToolbar.tlbrId - tb9FF - user.js: extensions.BabylonToolbar.instlRef - sstFF - user.js: extensions.BabylonToolbar.dfltLng - enFF - user.js: extensions.BabylonToolbar.excTlbr - falseFF - user.js: extensions.BabylonToolbar.admin - falseFF - user.js: extensions.searchya.hmpg - trueFF - user.js: extensions.searchya.dfltSrch - trueFF - user.js: extensions.searchya.srchPrvdr - SearchYa!FF - user.js: extensions.searchya.dnsErr - trueFF - user.js: extensions.searchya_i.newTab - falseFF - user.js: extensions.searchya.id - 00234DDFEECFFF56FF - user.js: extensions.searchya.instlDay - 15763FF - user.js: extensions.searchya.vrsn - 1.8.8.0FF - user.js: extensions.searchya.vrsni - 1.8.8.0FF - user.js: extensions.searchya_i.vrsnTs - 1.8.8.02:18FF - user.js: extensions.searchya.prtnrId - searchyaFF - user.js: extensions.searchya.prdct - searchyaFF - user.js: extensions.searchya.aflt - dnldyhoFF - user.js: extensions.searchya_i.smplGrp - noneFF - user.js: extensions.searchya.tlbrId - baseFF - user.js: extensions.searchya.instlRef -FF - user.js: extensions.searchya.dfltLng -FF - user.js: extensions.searchya.appId - {1973277F-87B0-4EA3-9ED2-470A91D284CF}FF - user.js: extensions.searchya.excTlbr - falseFF - user.js: extensions.searchya_i.hmpg - trueFF - user.js: extensions.irspeeddial.aflt - dnldyhoFF - user.js: extensions.irspeeddial.instlRef -FF - user.js: extensions.irspeeddial.cr - 1170014487FF - user.js: extensions.irspeeddial.cd - 2XzuyEtN2Y1L1QzutDtDtBtAyE0D0D0F0E0E0C0F0F0FyDyCtN0D0Tzu0CyEtBtAtN1L2XzutBtFtBtFtCtFyDtDtAtN1L1Czu1Q1G1I1Q2U1M1F.- - - - ORPHANS REMOVED - - - -.HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exeSafeBoot-10997470.sysSafeBoot-WudfPfSafeBoot-WudfRd...**************************************************************************.catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2013-09-11 12:00Windows 6.0.6002 Service Pack 2 NTFS.scanning hidden processes ... .scanning hidden autostart entries ....scanning hidden files ... ..c:\windows\TEMP\TMP0000001937940858D293BBFA 524288 bytes.scan completed successfullyhidden files: 1.**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'Explorer.exe'(8388)c:\windows\system32\btncopy.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\nvservice.exec:\windows\system32\nvvsvc.exec:\windows\RtkAudioService.exec:\windows\system32\rundll32.exec:\program files\Alwil Software\Avast5\AvastSvc.exec:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exec:\program files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exec:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exec:\program files\Sony\Network Utility\NSUService.exec:\program files\RealNetworks\RealDownloader\rndlresolversvc.exec:\windows\system32\spool\drivers\w32x86\3\NetFaxServer.exec:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exec:\program files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exec:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exec:\program files\Sony\VAIO Event Service\VESMgr.exec:\program files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exec:\windows\system32\DllHost.exec:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exec:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exec:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEc:\program files\Sony\VAIO Event Service\VESMgrSub.exec:\windows\system32\DllHost.exec:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exec:\windows\System32\WUDFHost.exec:\program files\Common Files\Sony Shared\SOHLib\SOHDms.exec:\program files\Common Files\Sony Shared\SOHLib\SOHDs.exec:\program files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exec:\program files\Common Files\Sony Shared\SOHLib\SOHCImp.exec:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exec:\program files\Sony\VAIO Power Management\SPMService.exec:\program files\Windows Media Player\wmpnetwk.exec:\windows\system32\conime.exec:\windows\System32\rundll32.exec:\windows\ehome\ehmsas.exec:\program files\Sony\VAIO Update\VAIOUpdt.exec:\program files\Sony\VAIO Update\VUAgent.exe.**************************************************************************.Completion time: 2013-09-11 12:05:45 - machine was rebootedComboFix-quarantined-files.txt 2013-09-11 02:05.Pre-Run: 292,946,747,392 bytes freePost-Run: 302,647,074,816 bytes free.- - End Of File - - DD231F34A57495BA60BE9E5A690D63045C616939100B85E558DA92B899A0FC36 Link to post Share on other sites More sharing options...
Psychotic Posted September 11, 2013 ID:728219 Share Posted September 11, 2013 Multiple Antivirus Programs installed!I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.Therefore please go to add/remove in the control panel and remove either avast! or Kaspersky PURE. Link to post Share on other sites More sharing options...
CDL_1976 Posted September 11, 2013 Author ID:728311 Share Posted September 11, 2013 Marius, thanks for your advice. I only downloaded Kaspersky after I was notified of the infection, with the intent that I would run a scan to see if Kaspersky could identify what Avast (my original anti-virus) could not. I have disabled avast since then. I also disabled Kaspersky when running Combofix. I have now removed Kaspersky. Link to post Share on other sites More sharing options...
Psychotic Posted September 11, 2013 ID:728314 Share Posted September 11, 2013 Combofix scripting1. Close any open browsers.2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.3. Download the attached CFScript.txt and save it to the location where Combofix is.Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.CFScript.txt Link to post Share on other sites More sharing options...
CDL_1976 Posted September 11, 2013 Author ID:728400 Share Posted September 11, 2013 Thank you: log below as instructed. ComboFix 13-09-10.03 - C D Larcombe 11/09/2013 23:12:09.3.2 - x86Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3070.1607 [GMT 10:00]Running from: c:\users\C D Larcombe\Desktop\ComboFix.exeCommand switches used :: c:\users\C D Larcombe\Desktop\CFScript.txtAV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\programdata\ntuser.dat.Infected copy of c:\windows\system32\Services.exe was found and disinfected Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!services.exe ..((((((((((((((((((((((((( Files Created from 2013-08-11 to 2013-09-11 )))))))))))))))))))))))))))))))..2013-09-11 13:27 . 2013-09-11 13:33 -------- d-----w- c:\users\C D Larcombe\AppData\Local\temp2013-09-11 13:27 . 2013-09-11 13:27 -------- d-----w- c:\users\Default\AppData\Local\temp2013-09-09 04:21 . 2013-09-09 04:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2013-09-09 04:21 . 2013-04-04 04:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys2013-09-09 00:17 . 2013-09-11 11:27 -------- d-----w- c:\programdata\Kaspersky Lab2013-09-09 00:17 . 2013-09-11 11:27 -------- d-----w- c:\program files\Kaspersky Lab2013-09-08 23:35 . 2013-09-08 23:50 -------- d-----w- C:\TDSSKiller_Quarantine2013-08-28 10:25 . 2013-08-02 04:09 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL2013-08-14 15:58 . 2013-08-14 16:00 -------- d-----w- c:\windows\system32\MRT2013-08-14 10:52 . 2013-06-15 11:23 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys2013-08-14 10:52 . 2013-06-15 13:22 15872 ----a-w- c:\windows\system32\icaapi.dll2013-08-14 10:52 . 2013-07-05 04:53 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2013-09-10 23:39 . 2013-09-10 23:39 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B477EE33-CC6A-4EF6-BE28-CF4E0C88FD41}\offreg.dll2013-08-30 07:48 . 2013-05-22 11:49 177864 ----a-w- c:\windows\system32\drivers\aswVmm.sys2013-08-30 07:48 . 2009-06-12 14:48 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys2013-08-30 07:48 . 2009-06-12 14:48 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys2013-08-30 07:48 . 2013-05-22 11:49 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys2013-08-30 07:48 . 2011-06-05 08:39 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys2013-08-30 07:48 . 2009-06-12 14:48 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys2013-08-30 07:48 . 2009-06-12 14:48 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys2013-08-30 07:48 . 2009-06-12 14:47 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys2013-08-30 07:47 . 2010-10-02 05:07 41664 ----a-w- c:\windows\avastSS.scr2013-08-30 07:47 . 2009-06-12 14:47 229648 ----a-w- c:\windows\system32\aswBoot.exe2013-08-06 07:28 . 2013-09-10 23:13 7166848 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B477EE33-CC6A-4EF6-BE28-CF4E0C88FD41}\mpengine.dll2007-12-07 11:13 . 2007-12-07 11:13 4192768 ----a-r- c:\program files\ABBYY FineReader 9.0 Professional Edition.msi2003-04-21 04:09 . 2003-04-21 04:09 245408 ----a-r- c:\program files\unicows.dll2002-03-11 01:06 . 2002-03-11 01:06 1822520 ----a-r- c:\program files\instmsiw.exe..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]@="{472083B0-C522-11CF-8763-00608CC02F24}"[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]2013-08-30 07:47 121968 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NSUFloatingUI"="c:\program files\Sony\Network Utility\LANUtil.exe" [2008-12-05 270336]"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]"Spotify Web Helper"="c:\users\C D Larcombe\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-07-22 1104384]"KSS"="c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-12-07 202328]"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RtHDVCpl"="RtHDVCpl.exe" [2008-10-17 6281760]"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-30 13556256]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-30 92704]"CDAServer"="c:\program files\Common Files\Common Desktop Agent\CDASrv.exe" [2012-02-20 344064].c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audio Filter.lnk - c:\program files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe [2009-1-3 4243232].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"EnableUIADesktopToggle"= 0 (0x0).[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]2008-11-06 02:32 98304 ----a-w- c:\windows\System32\VESWinlogon.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"aux"=wdmaud.drv.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]@="Service".[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]2013-05-08 21:20 41056 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe.[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]"AntiVirusOverride"=dword:00000001.S2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2008-10-27 759072]S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]..[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]bthsvcs REG_MULTI_SZ BthServLocalServiceAndNoImpersonation REG_MULTI_SZ FontCacheHPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12.Contents of the 'Scheduled Tasks' folder.2013-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-01 13:05].2013-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-01 13:05]..------- Supplementary Scan -------.uInternet Settings,ProxyOverride = *.localIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htmIE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htmTCP: DhcpNameServer = 10.0.0.138FF - ProfilePath - c:\users\C D Larcombe\AppData\Roaming\Mozilla\Firefox\Profiles\5waw5psb.default\FF - ExtSQL: 2013-08-02 22:27; kitsune@kitsune.sourceforge.net; c:\users\C D Larcombe\AppData\Roaming\Mozilla\Firefox\Profiles\5waw5psb.default\extensions\kitsune@kitsune.sourceforge.netFF - ExtSQL: 2013-09-11 01:22; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\users\C D Larcombe\AppData\Roaming\Mozilla\Firefox\Profiles\5waw5psb.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}..**************************************************************************scanning hidden processes ... .scanning hidden autostart entries ... .scanning hidden files ... .scan completed successfullyhidden files: .**************************************************************************.------------------------ Other Running Processes ------------------------.c:\windows\system32\nvservice.exec:\windows\system32\nvvsvc.exec:\windows\RtkAudioService.exec:\windows\system32\rundll32.exec:\program files\Alwil Software\Avast5\AvastSvc.exec:\windows\System32\lpksetup.exec:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exec:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exec:\program files\Sony\Network Utility\NSUService.exec:\program files\RealNetworks\RealDownloader\rndlresolversvc.exec:\windows\system32\spool\drivers\w32x86\3\NetFaxServer.exec:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exec:\program files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exec:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exec:\program files\Sony\VAIO Event Service\VESMgr.exec:\windows\system32\DllHost.exec:\program files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exec:\program files\Sony\VAIO Event Service\VESMgrSub.exec:\windows\system32\DllHost.exec:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exec:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exec:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEc:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exec:\windows\System32\WUDFHost.exec:\program files\Common Files\Sony Shared\SOHLib\SOHDms.exec:\program files\Common Files\Sony Shared\SOHLib\SOHDs.exec:\program files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exec:\program files\Common Files\Sony Shared\SOHLib\SOHCImp.exec:\windows\servicing\TrustedInstaller.exec:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exec:\windows\system32\conime.exec:\program files\Sony\VAIO Update\VAIOUpdt.exec:\windows\System32\rundll32.exec:\windows\ehome\ehmsas.exec:\program files\Windows Media Player\wmpnetwk.exec:\program files\Sony\VAIO Power Management\SPMService.exec:\program files\Sony\VAIO Update\VUAgent.exe.**************************************************************************.Completion time: 2013-09-11 23:41:16 - machine was rebootedComboFix-quarantined-files.txt 2013-09-11 13:40ComboFix2.txt 2013-09-11 02:05.Pre-Run: 303,333,326,848 bytes freePost-Run: 303,126,499,328 bytes free.- - End Of File - - C8EE882890235830950E0C32B054B0FA5C616939100B85E558DA92B899A0FC36 Link to post Share on other sites More sharing options...
Psychotic Posted September 12, 2013 ID:728738 Share Posted September 12, 2013 Full System Scan with Malwarebytes AntimalwareIf not existing, please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.If the program is already installed:Run Malwarebytes Antimalware If an update is found, it will download and install the latest version. Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt Post that log back here. Scan with ESET Online ScanPlease go to here to run the online scannner from ESET. Turn off the real time scanner of any existing antivirus program while performing the online scanTick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the activex control to installClick StartMake sure that the option Remove found threats is unticked Click on Advanced Settings and ensure these options are ticked:Scan for potentially unwanted applicationsScan for potentially unsafe applicationsEnable Anti-Stealth Technology[*]Click Scan[*]Wait for the scan to finish[*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic. Link to post Share on other sites More sharing options...
CDL_1976 Posted September 12, 2013 Author ID:728978 Share Posted September 12, 2013 Hi Marius, I fear I may have caused some problems for the sequence of logs you need. I ran the Malwarebytes scan, which ran for just over 2 hours. It highlighted about 15 infected files. I then proceeded to select each file and remove them. At that point, the programme froze and remained frozen for about 30-40 minutes. I then used task manager to close the programme, with the intent I would run the scan again. The problem is that, whie I can run the scan again, the infected filed detected in the first scan have been placed in quarantine; therefore, the subsequent scan does not detect them. I fear this has consequences for the log which any subsequent scan will generate. I have searched for any log generated by the first scan, but cannot find it. Apologies for this complication. May I ask what you advise me to do from here? Link to post Share on other sites More sharing options...
Psychotic Posted September 13, 2013 ID:729245 Share Posted September 13, 2013 No problem You told us that you removed several items with Malwarebytes´ Antimalware. This tool creates a log on every run and we need to see them.The logs can be found here:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt Zip any and all of these logs and attach the file to your next reply. Scan with ESET Online ScanPlease go to here to run the online scannner from ESET. Turn off the real time scanner of any existing antivirus program while performing the online scanTick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the activex control to installClick StartMake sure that the option Remove found threats is unticked Click on Advanced Settings and ensure these options are ticked:Scan for potentially unwanted applicationsScan for potentially unsafe applicationsEnable Anti-Stealth Technology[*]Click Scan[*]Wait for the scan to finish[*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic. Link to post Share on other sites More sharing options...
CDL_1976 Posted September 13, 2013 Author ID:729257 Share Posted September 13, 2013 Sorry Marius - there is no log recording the scan which detected all the infected files which were then marked for removal. In the process of removal the programme froze. The only logs that are saved at the locations you cite record (1) updating of the programme and (2) my subsequent scan. 1. Before running first scan which detected the infected files and marked them for removal:- - - - 2013/09/12 21:01:47 +1000 CDLARCOMBE-PC C D Larcombe MESSAGE Starting database refresh2013/09/12 21:02:07 +1000 CDLARCOMBE-PC C D Larcombe MESSAGE Database refreshed successfully - - - - 2. Log from subsequent scan, performed after the programme froze in the process of removing the detected threats discovered as a result of first scan (2 hours or so): Malwarebytes Anti-Malware 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.09.12.04Windows Vista Service Pack 2 x86 NTFSInternet Explorer 8.0.6001.19458C D Larcombe :: CDLARCOMBE-PC [administrator]12/09/2013 11:31:08 PMmbam-log-2013-09-12 (23-31-08).txtScan type: Full scan (C:\|D:\|E:\|F:\|)Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 139006Time elapsed: 54 minute(s), 9 second(s) [aborted]Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end) - - - - I CANNOT IDENTIFY ANY LOG OF THE FIRST AND CRUCIAL SCAN WHICH DETECTED THE THREATS. : ( I will await your instructions. Sorry! Link to post Share on other sites More sharing options...
Psychotic Posted September 13, 2013 ID:729258 Share Posted September 13, 2013 OK, then proceed with ESET. Link to post Share on other sites More sharing options...
CDL_1976 Posted September 13, 2013 Author ID:729267 Share Posted September 13, 2013 Thanks, Marius. Results of ESET scan below. Should I uninstall ESET? - - - - C:\Program Files\ABBYY FineReader 9.0\FineReader.exe a variant of Win32/HackTool.Patcher.N applicationC:\temp\FR90PE\ABBYY FineReader 9.0\FineReader.exe a variant of Win32/HackTool.Patcher.N applicationC:\Users\C D Larcombe\Downloads\Alcohol52_FE_2.0.2.3931.exe a variant of Win32/InstallCore.AF applicationC:\Users\C D Larcombe\Downloads\Kanji_Dictionary.exe a variant of Win32/Toolbar.Babylon.H applicationC:\Users\C D Larcombe\Downloads\RN_ErrorsFix_Setup.exe a variant of Win32/RegistryNuke applicationC:\Users\C D Larcombe\Downloads\Spydig_Setup.exe multiple threats - - - - - Link to post Share on other sites More sharing options...
CDL_1976 Posted September 13, 2013 Author ID:729279 Share Posted September 13, 2013 Hi Marius, incidentally, I'm a little concerned that my Abbyy finereader showed up. I've had that for a few years now and it was expensive. I purchased it from the cnet downloads. Link to post Share on other sites More sharing options...
Psychotic Posted September 14, 2013 ID:729797 Share Posted September 14, 2013 Let´s cross check: Scan file(s) via VirusTotalPlease check the file in the code box via Virustotal Click browse copy the following into the search box C:\Program Files\ABBYY FineReader 9.0\FineReader.exe and click open. click Send File. please be patinet until the file is uploade completely. If you get the message File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis: click on Reanalyse. Wait until Current status: Finished appears. Now, copy the link from within your browser´s adress bar and poste it here. Link to post Share on other sites More sharing options...
CDL_1976 Posted September 14, 2013 Author ID:729909 Share Posted September 14, 2013 Link as instructed: does not look good! https://www.virustotal.com/en-gb/file/7a53f2252f53ae870c78e5714a8aae7e187d60642db6c80d39ab28d3179bb003/analysis/1379168340/ Link to post Share on other sites More sharing options...
Recommended Posts