
Laptop may be infected - Mbam won't run



Hi there.

 

I'm trying to sort out a friend's laptop. She has Mbam installed, but the database was months out of date. I tried to update, but it said "program blocked by group policy". The same happened when I tried to re-install Mbam.

 

I have tried using Chameleon to open Mbam, along with the other methods suggested in the FAQ, but to no avail.

 

Please can you take a look at the attached scan results and let me know how to proceed.

 

Kind regards,

Mark

attach.txt

dds.txt


Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

 

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

If FRST will not run from normal Windows, use the following instructions to run it from the recovery environment:

 

Download Farbar Recovery Scan Tool from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ and save it to a USB flash drive. Ensure you get the correct version for your system, 32 bit or 64 bit.

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

Plug the flash drive into the infected PC.

 

If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt here: http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/ to enter the System Recovery Command Prompt.

 

If you are using Vista or Windows 7 enter System Recovery Options.

 


Enter System Recovery Options. I give two methods; use whichever is convenient for you.

 

To enter System Recovery Options from the Advanced Boot Options:

 

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

 

 

To enter System Recovery Options by using Windows installation disc:

 

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select your country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

 

 

On the System Recovery Options menu you will get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

 

 

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

 

Kevin....


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-09-2013
Ran by Camille (administrator) on DIDI-JUNIOR on 09-09-2013 15:08:06
Running from C:\Users\Camille\Desktop
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgcsrvx.exe
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
(Toshiba Europe GmbH) C:\Program Files\Toshiba TEMPRO\TempoSVC.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
(TOSHIBA Corporation) C:\Windows\system32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
(Ulead Systems, Inc.) C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
(AVG Secure Search) C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe
(Conexant Systems, Inc.) C:\Windows\system32\DRIVERS\xaudio.exe
() C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\loggingserver.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgemcx.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
(Google) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
(Toshiba Europe GmbH) C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
() C:\Program Files\AVG Secure Search\vprot.exe
(CANON INC.) C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
(CANON INC.) C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
(CANON INC.) C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(TOSHIBA) C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
(Spotify Ltd) C:\Users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\SpotifyWebHelper.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
(Intel Corporation) C:\Windows\system32\igfxext.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1348904 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [NDSTray.exe] - NDSTray.exe
HKLM\...\Run: [cfFncEnabler.exe] - cfFncEnabler.exe
HKLM\...\Run: [Google Desktop Search] - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-06-24] (Google)
HKLM\...\Run: [Google EULA Launcher] - c:\Program Files\Google\Google EULA\GoogleEULALauncher.exe [20480 2008-05-28] ( )
HKLM\...\Run: [Toshiba TEMPO] - C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe [103824 2008-04-24] (Toshiba Europe GmbH)
HKLM\...\Run: [topi] - C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe [581632 2007-07-10] (TOSHIBA)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [6037504 2008-04-08] (Realtek Semiconductor)
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [431456 2008-01-17] (TOSHIBA Corporation)
HKLM\...\Run: [smoothView] - C:\Program Files\Toshiba\SmoothView\SmoothView.exe [509816 2008-06-24] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [716800 2008-05-09] (TOSHIBA Corporation)
HKLM\...\Run: [Toshiba Registration] - C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe [574864 2008-01-11] (Toshiba)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-11-28] (Apple Inc.)
HKLM\...\Run: [vProt] - C:\Program Files\AVG Secure Search\vprot.exe [2314416 2013-08-21] ()
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2569616 2010-07-25] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenuEx] - C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE [1213848 2010-09-14] (CANON INC.)
HKLM\...\Run: [iJNetworkScannerSelectorEX] - C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452016 2010-09-09] (CANON INC.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152544 2012-12-12] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2013\avgui.exe [4411440 2013-07-01] (AVG Technologies CZ, s.r.o.)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe,,C:\Users\Camille\AppData\Local\fuiywmlk\nbalhmqp.exe
Winlogon\Notify\niaxama: C:\Windows\system32\config\systemprofile\AppData\Local\niaxama.dll [X]
HKCU\...\Run: [TOSCDSPD] - TOSCDSPD.EXE
HKCU\...\Run: [Google Update] - C:\Users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-10-25] (Google Inc.)
HKCU\...\Run: [spotify Web Helper] - C:\Users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\SpotifyWebHelper.exe [1104384 2013-07-15] (Spotify Ltd)
HKCU\...\Run: [bhgeftl] - regsvr32.exe /s "C:\ProgramData\bhgeftl.dat"
MountPoints2: {cd33be28-17f1-11e3-a24d-001e339b2b2d} - G:\LaunchU3.exe -a
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2008-04-24] (TOSHIBA)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2008-04-24] (TOSHIBA)
HKU\Guest\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Guest\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2008-04-24] (TOSHIBA)
HKU\Guest\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2008-08-07] (Google Inc.)
HKU\Guest\...\RunOnce: [avg_spchecker] - C:\Program Files\AVG\AVG8\Notification\SPChecker.exe [ 2011-05-12] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Audible Download Manager.lnk
ShortcutTarget: Audible Download Manager.lnk -> C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (No File)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=2&ct=1374234529&rver=6.1.6206.0&wp=MBI_KEY&wreply=https:%2F%2Fwww.outlook.com%2Fowa%2F&id=260563&whr=live.ucl.ac.uk&CBCXT=out
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA;
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://www.facebook.com/login.php
http://www.bbc.co.uk/weather/6690829
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
URLSearchHook: (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} -  No File
SearchScopes: HKLM - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKCU - DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={6A819604-E2F7-4A6F-9A58-2E351EB0FD68}&mid=420426222ce8c74b079ab3a85f7dbb17-53c806d2fdf5d7c9d39cea3adfe46617edbcff5a&lang=en&ds=AVG&pr=fr&d=2013-07-15 23:28:43&v=15.3.0.11&pid=avg&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=uXjrKJFXAOSzNW-RN-gp2eHbivM?q={searchTerms}
SearchScopes: HKCU - {814C76CB-2623-43F4-AAD0-58A0E5190A20} URL = http://rws.search.ke.voila.fr/RW/S/opensearch_orange?rdata={searchTerms}
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={6A819604-E2F7-4A6F-9A58-2E351EB0FD68}&mid=420426222ce8c74b079ab3a85f7dbb17-53c806d2fdf5d7c9d39cea3adfe46617edbcff5a&lang=en&ds=AVG&pr=fr&d=2013-07-15 23:28:43&v=15.3.0.11&pid=avg&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {A3E1749E-5BAB-4713-A4D5-6F1230F8ECDD} URL = http://www.google.fr/search?hl=fr&q={searchTerms}+&meta=&rlz=1I7TSEA_en-GBGB369
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: No Name - {1d970ed5-3eda-438d-bffd-715931e2775b} -  No File
BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\15.5.0.2\AVG Secure Search_toolbar.dll (AVG Secure Search)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKLM - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\15.5.0.2\AVG Secure Search_toolbar.dll (AVG Secure Search)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKCU -No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Toolbar: HKCU -No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\15.5.0\ViProtocol.dll (AVG Secure Search)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)

Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100

Chrome:
=======


CHR Extension: (AVG Secure Search) - C:\Users\Camille\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof\13.2.0.5_0
CHR HKLM\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG Secure Search\ChromeExt\15.3.0.11\avg.crx

========================== Services (Whitelisted) =================

S3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-07-23] (AVG Technologies CZ, s.r.o.)
R2 ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2008-04-17] (TOSHIBA CORPORATION)
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-06-24] (Google)
S3 jswpsapi; C:\Program Files\Jumpstart\jswpsapi.exe [954368 2008-04-16] (Atheros Communications, Inc.)
R2 TempoMonitoringService; C:\Program Files\Toshiba TEMPRO\TempoSVC.exe [99720 2008-04-24] (Toshiba Europe GmbH)
R2 TOSHIBA SMART Log Service; C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [126976 2008-02-06] (TOSHIBA Corporation)
R2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
R2 vToolbarUpdater15.5.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [1643184 2013-08-21] (AVG Secure Search)
S2 AMService; C:\Windows\TEMP\taojeg\setup.exe run [x]

==================== Drivers (Whitelisted) ====================

R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208184 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [60216 2013-07-20] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22328 2013-03-01] (AVG Technologies CZ, s.r.o.)
R1 AvgLdx86; C:\Windows\System32\DRIVERS\avgldx86.sys [171320 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [246072 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 AvgMfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [96568 2013-07-01] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiX; C:\Windows\System32\DRIVERS\avgtdix.sys [182072 2013-03-21] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [37664 2013-08-21] (AVG Technologies)
R0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-11] (Microsoft Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2013-09-09] (Malwarebytes Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
U4 MpsSvc;
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
U4 WinDefend;
U4 wscsvc;
U3 mbr; \??\C:\Users\Camille\AppData\Local\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-09 15:07 - 2013-09-09 15:07 - 01082207 _____ (Farbar) C:\Users\Camille\Desktop\FRST.exe
2013-09-09 11:53 - 2013-09-09 11:53 - 00008193 _____ C:\Users\Camille\Desktop\attach.txt
2013-09-09 11:53 - 2013-09-09 11:52 - 00014563 _____ C:\Users\Camille\Desktop\dds.txt
2013-09-09 11:49 - 2013-09-09 11:49 - 00688992 ____R (Swearware) C:\Users\Camille\Desktop\dds.scr
2013-09-09 11:38 - 2013-09-09 11:38 - 00000911 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-09 11:16 - 2013-09-09 11:16 - 00000000 ____D C:\Windows\pss
2013-08-30 15:59 - 2013-08-30 15:59 - 00274432 _____ C:\ProgramData\bhgeftl.dat

==================== One Month Modified Files and Folders =======

2013-09-09 15:07 - 2013-09-09 15:07 - 01082207 _____ (Farbar) C:\Users\Camille\Desktop\FRST.exe
2013-09-09 14:52 - 2012-07-31 12:47 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-09 14:52 - 2011-12-11 22:17 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000UA.job
2013-09-09 14:52 - 2010-02-03 20:31 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-09 13:27 - 2006-11-02 13:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-09 13:27 - 2006-11-02 13:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-09 11:53 - 2013-09-09 11:53 - 00008193 _____ C:\Users\Camille\Desktop\attach.txt
2013-09-09 11:52 - 2013-09-09 11:53 - 00014563 _____ C:\Users\Camille\Desktop\dds.txt
2013-09-09 11:49 - 2013-09-09 11:49 - 00688992 ____R (Swearware) C:\Users\Camille\Desktop\dds.scr
2013-09-09 11:38 - 2013-09-09 11:38 - 00000911 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-09 11:38 - 2013-07-15 23:25 - 00000000 ____D C:\ProgramData\MFAData
2013-09-09 11:38 - 2012-01-19 17:35 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-09-09 11:27 - 2013-06-07 18:47 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-09-09 11:27 - 2010-02-03 20:31 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-09 11:27 - 2006-11-02 14:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-09 11:23 - 2013-08-02 15:41 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2013-09-09 11:16 - 2013-09-09 11:16 - 00000000 ____D C:\Windows\pss
2013-09-09 11:16 - 2006-11-02 14:01 - 00032648 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-08 23:30 - 2011-12-11 22:17 - 00000864 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000Core.job
2013-09-08 01:52 - 2009-07-24 12:50 - 01481909 _____ C:\Windows\WindowsUpdate.log
2013-09-07 20:19 - 2006-11-02 11:33 - 00703516 _____ C:\Windows\system32\PerfStringBackup.INI
2013-09-07 20:18 - 2013-07-28 16:59 - 00000795 _____ C:\Windows\setupact.log
2013-09-07 19:25 - 2012-11-21 13:38 - 00000000 ____D C:\Users\Camille\Documents\PGCE
2013-09-07 12:34 - 2011-09-27 11:33 - 00000000 ____D C:\Program Files\Common Files\Adobe AIR
2013-09-01 23:44 - 2011-05-15 23:37 - 00000000 ____D C:\Users\Camille\AppData\Roaming\Spotify
2013-08-30 21:51 - 2011-05-15 23:37 - 00000000 ____D C:\Users\Camille\AppData\Local\Spotify
2013-08-30 15:59 - 2013-08-30 15:59 - 00274432 _____ C:\ProgramData\bhgeftl.dat
2013-08-21 21:15 - 2009-07-24 13:21 - 00000000 ____D C:\Users\Camille\AppData\Local\Google
2013-08-21 20:11 - 2013-07-15 23:28 - 00000000 ____D C:\Program Files\AVG Secure Search
2013-08-21 20:11 - 2012-09-04 16:47 - 00037664 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx86.sys

ZeroAccess:
C:\Users\Camille\AppData\Local\91072392
C:\Users\Camille\AppData\Local\91072392\@
C:\Users\Camille\AppData\Local\91072392\loader.tlb

Files to move or delete:
====================
C:\ProgramData\bhgeftl.dat
C:\Users\Camille\AppData\Local\Temp\ehgdiqumxfxbnrjtckf.bfg

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-09-09 11:34

==================== End Of Log ============================

Addition.txt

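The "<====== ATTENTION" markers above are FRST's, but the reasoning behind them is worth making explicit, because the same handful of indicators explains every symptom Mark reported: Software Restriction Policy path rules disallow the Malwarebytes, AVG, Kaspersky and McAfee directories (hence "program blocked by group policy"), the Winlogon Userinit value has a second executable appended after userinit.exe, a Winlogon Notify package points into a profile directory, an HKCU Run value loads a .dat file through regsvr32, a Winsock catalog entry's LibraryPath has been replaced, and a service is started from C:\Windows\TEMP. The Python below is an added example, not part of the original thread and not FRST's own code: it runs those checks as rules over an excerpt of the log posted above (embedded inline as a constructed sample, with a few benign lines mixed in). The rule names, the vendor list and the list of user-writable directories are this example's own assumptions.

```python
"""Rule-based triage of FRST (Farbar Recovery Scan Tool) log lines.

Added example, not FRST's own code: it spells out the checks a helper applies
by eye to the Registry, Winsock and Services sections.  Rule names and the
vendor/directory lists below are this example's own assumptions.
"""
import re
from dataclasses import dataclass

SRP_RE = re.compile(r"^HKLM Group Policy restriction on software: (?P<path>.+?)\s*(?:<=+ ATTENTION)?$")
USERINIT_RE = re.compile(r"^HKLM\\\.\.\.\\Winlogon: \[userinit\] (?P<value>.+)$", re.IGNORECASE)
NOTIFY_RE = re.compile(r"^Winlogon\\Notify\\(?P<name>[^:]+): (?P<path>.+?)(?: \[X\])?$")
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU|U\\[^\\]+))\\\.\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] - (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^(?P<state>[SRU]\d) (?P<name>[^;]+); (?P<path>.+)$")
WINSOCK_RE = re.compile(r'^Winsock: .*ATTENTION: The LibraryPath should be "(?P<expected>[^"]+)"')
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\[]+?\.[A-Za-z0-9]{2,4})"?(?=\s|$)')  # first file path in a command

LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
SECURITY_VENDORS = ("malwarebytes", "kaspersky", "avg", "mcafee")   # assumed list
LOADERS = ("regsvr32", "rundll32")
DLL_EXTS = (".dll", ".ocx")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")  # assumed list


@dataclass
class Finding:
    rule: str
    detail: str
    line: str


def userinit_extras(value):
    """Entries in the Userinit value other than the real userinit.exe.

    Winlogon starts every comma-separated entry at logon, so
    'userinit.exe,,X' launches X next to the shell; the empty entry between
    the two commas is just noise that hides the appended path."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != LEGIT_USERINIT]


def _user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)


def _check_run(cmd):
    """Flag a Run value that loads a non-DLL through regsvr32/rundll32, or an
    unsigned binary (FRST prints '()' for no publisher) from a user-writable dir."""
    low = cmd.lower()
    m = PATH_RE.search(cmd)
    target = m.group(1) if m else None
    if target and low.startswith(LOADERS) and not target.lower().endswith(DLL_EXTS):
        return "loader-non-dll-target", target
    if target and _user_writable(target) and low.endswith("()"):
        return "run-unsigned-user-writable", target
    return None


def triage(lines):
    """Return a Finding for every line that matches one of the rules."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SRP_RE.match(line)
        if m:  # a path rule under Policies\...\Safer that disallows the whole directory
            path = m.group("path")
            rule = "srp-blocks-security-tool" if any(v in path.lower() for v in SECURITY_VENDORS) else "srp-path-rule"
            findings.append(Finding(rule, path, line))
            continue
        m = USERINIT_RE.match(line)
        if m:
            extra = userinit_extras(m.group("value"))
            if extra:
                findings.append(Finding("userinit-hijack", ";".join(extra), line))
            continue
        m = NOTIFY_RE.match(line)
        if m:  # Notify packages are legacy; one loaded from a profile directory is a hijack
            if _user_writable(m.group("path")):
                findings.append(Finding("winlogon-notify-package", m.group("path"), line))
            continue
        m = RUN_RE.match(line)
        if m:
            hit = _check_run(m.group("cmd"))
            if hit:
                findings.append(Finding(hit[0], hit[1], line))
            continue
        m = WINSOCK_RE.match(line)
        if m:  # a catalog entry whose LibraryPath no longer points at the system provider
            findings.append(Finding("winsock-lsp-path", m.group("expected"), line))
            continue
        m = SERVICE_RE.match(line)
        if m and _user_writable(m.group("path")):
            findings.append(Finding("service-from-user-writable", m.group("path"), line))
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: an excerpt of the FRST.txt posted above, plus benign lines.
SAMPLE = r"""
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1348904 2008-08-14] (Synaptics, Inc.)
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe,,C:\Users\Camille\AppData\Local\fuiywmlk\nbalhmqp.exe
Winlogon\Notify\niaxama: C:\Windows\system32\config\systemprofile\AppData\Local\niaxama.dll [X]
HKCU\...\Run: [bhgeftl] - regsvr32.exe /s "C:\ProgramData\bhgeftl.dat"
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKCU\...\Run: [spotify Web Helper] - C:\Users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\SpotifyWebHelper.exe [1104384 2013-07-15] (Spotify Ltd)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
S2 AMService; C:\Windows\TEMP\taojeg\setup.exe run [x]
R2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-07-23] (AVG Technologies CZ, s.r.o.)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"{f.rule:28} {f.detail}")
```

On the sample it reports two SRP rules aimed at security-tool directories, the Userinit hijack, the Notify package, the regsvr32 Run entry, the Winsock LibraryPath mismatch and the TEMP-hosted service, and nothing for the Synaptics, Spotify, WelcomeCenter and AVG lines. To use it on a real log, pass FRST.txt's lines to triage(); the rules deliberately ignore the "(Vendor)" tag except for the unsigned-in-user-writable check, since FRST prints the file's company name, not a verified signature.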

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

 

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

 

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Please download AdwCleaner by Xplode and save to your Desktop.

 

 

  • Double-click on AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review.
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted (if necessary): go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

 

 

Next,

 

Please download RogueKiller from here:

  • 32 bit version
  • 64 bit version

Post logs from FRST, AdwCleaner and RogueKiller in next reply, also give update on current issues/concerns.

 

Kevin


Hi Kevin.

This is not my computer so I don't know all the issues. What I do know:

* issues attaching files and downloading files from email client (Outlook) in IE9 and Chrome

* machine running slowly

* can't update or install anti malware software etc

Logs:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-09-2013
Ran by Camille at 2013-09-09 19:17:27 Run:1
Running from C:\Users\Camille\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe,,C:\Users\Camille\AppData\Local\fuiywmlk\nbalhmqp.exe
Winlogon\Notify\niaxama: C:\Windows\system32\config\systemprofile\AppData\Local\niaxama.dll [X]
HKCU\...\Run: [bhgeftl] - regsvr32.exe /s "C:\ProgramData\bhgeftl.dat"
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
C:\Users\Camille\AppData\Local\fuiywmlk
C:\Windows\system32\config\systemprofile\AppData\Local\niaxama.dll [X]
C:\Users\Camille\AppData\Local\Temp\ehgdiqumxfxbnrjtckf.bfg
C:\ProgramData\bhgeftl.dat
C:\Users\Camille\AppData\Local\91072392
C:\Users\Camille\AppData\Local\91072392\@
C:\Users\Camille\AppData\Local\91072392\loader.tlb
end
*****************

HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\niaxama => Key deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\bhgeftl => Value deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
C:\Users\Camille\AppData\Local\fuiywmlk => Moved successfully.
"C:\Windows\system32\config\systemprofile\AppData\Local\niaxama.dll [X]" => File/Directory not found.
C:\Users\Camille\AppData\Local\Temp\ehgdiqumxfxbnrjtckf.bfg => Moved successfully.
C:\ProgramData\bhgeftl.dat => Moved successfully.
C:\Users\Camille\AppData\Local\91072392 => Moved successfully.
"C:\Users\Camille\AppData\Local\91072392\@" => File/Directory not found.
"C:\Users\Camille\AppData\Local\91072392\loader.tlb" => File/Directory not found.

==== End of Fixlog ====

# AdwCleaner v3.003 - Report created 09/09/2013 at 19:30:52
# Updated 07/09/2013 by Xplode
# Operating System : Windows Vista Home Premium Service Pack 2 (32 bits)
# Username : Camille - DIDI-JUNIOR
# Running from : C:\Users\Camille\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Users\Camille\AppData\Local\AVG Secure Search
Folder Deleted : C:\Users\Camille\AppData\LocalLow\AVG Secure Search
Folder Deleted : C:\Users\Camille\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\Camille\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof

***** [ Shortcuts ] *****

***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\SearchBar.Client
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKCU\Software\97d5087d4ec0f304
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C9A6357B-25CC-4BCF-96C1-78736985D412}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D970ED5-3EDA-438D-BFFD-715931E2775B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D970ED5-3EDA-438D-BFFD-715931E2775B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C9A6357B-25CC-4BCF-96C1-78736985D412}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C9A6357B-25CC-4BCF-96C1-78736985D412}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16496

-\\ Google Chrome v

[ File : C:\Users\Camille\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : icon_url

*************************

AdwCleaner[R0].txt - [7043 octets] - [09/09/2013 19:28:19]
AdwCleaner[S0].txt - [7036 octets] - [09/09/2013 19:30:52]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7096 octets] ##########

RogueKiller V8.6.10 [Sep  9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Camille [Admin rights]
Mode : Scan -- Date : 09/09/2013 19:55:07
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Google Update ("C:\Users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3611875381-1350613575-1696103304-1000\[...]\Run : Google Update ("C:\Users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SECU] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ SECU] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ SECU] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 6 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000UA.job : C:\Users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000Core.job : C:\Users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND
[V1][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\Windows\TEMP\{94FA0F51-4C53-4DE2-9ADB-887B506285BE}.exe - --uninstall=1 [x] -> FOUND
[V2][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv : C:\Windows\TEMP\{94FA0F51-4C53-4DE2-9ADB-887B506285BE}.exe - --uninstall=1 [x] -> FOUND
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000Core : C:\Users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000UA : C:\Users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] $NtUninstallKB45717$ : C:\Windows\$NtUninstallKB45717$ >> \systemroot\system32\config [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2552GSX +++++
--- User ---
[MBR] 2d3dc68908aab396c3cd200166af115d
[BSP] 1b9df28a06213392a181ed3cf23fef47 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 119000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 246786048 | Size: 117973 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_09092013_195507.txt >>

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-09-2013
Ran by Camille (administrator) on DIDI-JUNIOR on 09-09-2013 22:21:33
Running from C:\Users\Camille\Desktop
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgcsrvx.exe
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
(Toshiba Europe GmbH) C:\Program Files\Toshiba TEMPRO\TempoSVC.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
(TOSHIBA Corporation) C:\Windows\system32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
(Ulead Systems, Inc.) C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
(Conexant Systems, Inc.) C:\Windows\system32\DRIVERS\xaudio.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgemcx.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
(Google) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
(Toshiba Europe GmbH) C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
(CANON INC.) C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
(CANON INC.) C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
(CANON INC.) C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgui.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(TOSHIBA) C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
(Spotify Ltd) C:\Users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\SpotifyWebHelper.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Windows\system32\igfxext.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1348904 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [NDSTray.exe] - NDSTray.exe
HKLM\...\Run: [cfFncEnabler.exe] - cfFncEnabler.exe
HKLM\...\Run: [Google Desktop Search] - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-06-24] (Google)
HKLM\...\Run: [Google EULA Launcher] - c:\Program Files\Google\Google EULA\GoogleEULALauncher.exe [20480 2008-05-28] ( )
HKLM\...\Run: [Toshiba TEMPO] - C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe [103824 2008-04-24] (Toshiba Europe GmbH)
HKLM\...\Run: [topi] - C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe [581632 2007-07-10] (TOSHIBA)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [6037504 2008-04-08] (Realtek Semiconductor)
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [431456 2008-01-17] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] - C:\Program Files\Toshiba\SmoothView\SmoothView.exe [509816 2008-06-24] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [716800 2008-05-09] (TOSHIBA Corporation)
HKLM\...\Run: [Toshiba Registration] - C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe [574864 2008-01-11] (Toshiba)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-11-28] (Apple Inc.)
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2569616 2010-07-25] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenuEx] - C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE [1213848 2010-09-14] (CANON INC.)
HKLM\...\Run: [IJNetworkScannerSelectorEX] - C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452016 2010-09-09] (CANON INC.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152544 2012-12-12] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2013\avgui.exe [4411440 2013-07-01] (AVG Technologies CZ, s.r.o.)
HKCU\...\Run: [TOSCDSPD] - TOSCDSPD.EXE
HKCU\...\Run: [Google Update] - C:\Users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-10-25] (Google Inc.)
HKCU\...\Run: [Spotify Web Helper] - C:\Users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\SpotifyWebHelper.exe [1104384 2013-07-15] (Spotify Ltd)
MountPoints2: {cd33be28-17f1-11e3-a24d-001e339b2b2d} - G:\LaunchU3.exe -a
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2008-04-24] (TOSHIBA)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2008-04-24] (TOSHIBA)
HKU\Guest\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Guest\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2008-04-24] (TOSHIBA)
HKU\Guest\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2008-08-07] (Google Inc.)
HKU\Guest\...\RunOnce: [avg_spchecker] - C:\Program Files\AVG\AVG8\Notification\SPChecker.exe [ 2011-05-12] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Audible Download Manager.lnk
ShortcutTarget: Audible Download Manager.lnk -> C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (No File)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=2&ct=1374234529&rver=6.1.6206.0&wp=MBI_KEY&wreply=https:%2F%2Fwww.outlook.com%2Fowa%2F&id=260563&whr=live.ucl.ac.uk&CBCXT=out
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA;
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://www.facebook.com/login.php
http://www.bbc.co.uk/weather/6690829
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
URLSearchHook: (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} -  No File
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {814C76CB-2623-43F4-AAD0-58A0E5190A20} URL = http://rws.search.ke.voila.fr/RW/S/opensearch_orange?rdata={searchTerms}
SearchScopes: HKCU - {A3E1749E-5BAB-4713-A4D5-6F1230F8ECDD} URL = http://www.google.fr/search?hl=fr&q={searchTerms}+&meta=&rlz=1I7TSEA_en-GBGB369
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)

Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100

Chrome:
=======

========================== Services (Whitelisted) =================

S3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-07-23] (AVG Technologies CZ, s.r.o.)
R2 ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2008-04-17] (TOSHIBA CORPORATION)
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-06-24] (Google)
S3 jswpsapi; C:\Program Files\Jumpstart\jswpsapi.exe [954368 2008-04-16] (Atheros Communications, Inc.)
R2 TempoMonitoringService; C:\Program Files\Toshiba TEMPRO\TempoSVC.exe [99720 2008-04-24] (Toshiba Europe GmbH)
R2 TOSHIBA SMART Log Service; C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [126976 2008-02-06] (TOSHIBA Corporation)
R2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
S2 AMService; C:\Windows\TEMP\taojeg\setup.exe run [x]
S2 vToolbarUpdater15.5.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [x]

==================== Drivers (Whitelisted) ====================

R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208184 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [60216 2013-07-20] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22328 2013-03-01] (AVG Technologies CZ, s.r.o.)
R1 AvgLdx86; C:\Windows\System32\DRIVERS\avgldx86.sys [171320 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [246072 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 AvgMfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [96568 2013-07-01] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiX; C:\Windows\System32\DRIVERS\avgtdix.sys [182072 2013-03-21] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [37664 2013-08-21] (AVG Technologies)
R0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-11] (Microsoft Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2013-09-09] (Malwarebytes Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
U4 MpsSvc;
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
U4 WinDefend;
U4 wscsvc;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-09 19:47 - 2013-09-09 19:57 - 00000000 ____D C:\Users\Camille\Desktop\RK_Quarantine
2013-09-09 19:47 - 2013-09-09 19:55 - 00014200 _____ C:\Users\Camille\Desktop\to paste.txt
2013-09-09 19:45 - 2013-09-09 19:45 - 00918016 _____ C:\Users\Camille\Desktop\RogueKiller.exe
2013-09-09 19:28 - 2013-09-09 19:31 - 00000000 ____D C:\AdwCleaner
2013-09-09 19:27 - 2013-09-09 19:27 - 01037278 _____ C:\Users\Camille\Desktop\AdwCleaner.exe
2013-09-09 15:08 - 2013-09-09 15:09 - 00026597 _____ C:\Users\Camille\Desktop\Addition.txt
2013-09-09 15:08 - 2013-09-09 15:08 - 00000000 ____D C:\FRST
2013-09-09 15:07 - 2013-09-09 15:07 - 01082207 _____ (Farbar) C:\Users\Camille\Desktop\FRST.exe
2013-09-09 11:53 - 2013-09-09 11:53 - 00008193 _____ C:\Users\Camille\Desktop\attach.txt
2013-09-09 11:53 - 2013-09-09 11:52 - 00014563 _____ C:\Users\Camille\Desktop\dds.txt
2013-09-09 11:49 - 2013-09-09 11:49 - 00688992 ____R (Swearware) C:\Users\Camille\Desktop\dds.scr
2013-09-09 11:38 - 2013-09-09 11:38 - 00000911 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-09 11:16 - 2013-09-09 11:16 - 00000000 ____D C:\Windows\pss

==================== One Month Modified Files and Folders =======

2013-09-09 21:48 - 2011-12-11 22:17 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000UA.job
2013-09-09 21:33 - 2006-11-02 13:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-09 21:33 - 2006-11-02 13:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-09 21:31 - 2012-07-31 12:47 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-09 21:29 - 2010-02-03 20:31 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-09 19:57 - 2013-09-09 19:47 - 00000000 ____D C:\Users\Camille\Desktop\RK_Quarantine
2013-09-09 19:55 - 2013-09-09 19:55 - 00003499 _____ C:\Users\Camille\Desktop\RKreport[0]_S_09092013_195507.txt
2013-09-09 19:55 - 2013-09-09 19:47 - 00014200 _____ C:\Users\Camille\Desktop\to paste.txt
2013-09-09 19:45 - 2013-09-09 19:45 - 00918016 _____ C:\Users\Camille\Desktop\RogueKiller.exe
2013-09-09 19:38 - 2013-06-07 18:47 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-09-09 19:38 - 2010-02-03 20:31 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-09 19:33 - 2006-11-02 14:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-09 19:31 - 2013-09-09 19:28 - 00000000 ____D C:\AdwCleaner
2013-09-09 19:31 - 2006-11-02 14:01 - 00032648 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-09 19:27 - 2013-09-09 19:27 - 01037278 _____ C:\Users\Camille\Desktop\AdwCleaner.exe
2013-09-09 17:04 - 2013-07-15 23:25 - 00000000 ____D C:\ProgramData\MFAData
2013-09-09 15:09 - 2013-09-09 15:08 - 00026597 _____ C:\Users\Camille\Desktop\Addition.txt
2013-09-09 15:08 - 2013-09-09 15:08 - 00000000 ____D C:\FRST
2013-09-09 15:07 - 2013-09-09 15:07 - 01082207 _____ (Farbar) C:\Users\Camille\Desktop\FRST.exe
2013-09-09 11:53 - 2013-09-09 11:53 - 00008193 _____ C:\Users\Camille\Desktop\attach.txt
2013-09-09 11:52 - 2013-09-09 11:53 - 00014563 _____ C:\Users\Camille\Desktop\dds.txt
2013-09-09 11:49 - 2013-09-09 11:49 - 00688992 ____R (Swearware) C:\Users\Camille\Desktop\dds.scr
2013-09-09 11:38 - 2013-09-09 11:38 - 00000911 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-09 11:38 - 2012-01-19 17:35 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-09-09 11:23 - 2013-08-02 15:41 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2013-09-09 11:16 - 2013-09-09 11:16 - 00000000 ____D C:\Windows\pss
2013-09-08 23:30 - 2011-12-11 22:17 - 00000864 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000Core.job
2013-09-08 01:52 - 2009-07-24 12:50 - 01481909 _____ C:\Windows\WindowsUpdate.log
2013-09-07 20:19 - 2006-11-02 11:33 - 00703516 _____ C:\Windows\system32\PerfStringBackup.INI
2013-09-07 20:18 - 2013-07-28 16:59 - 00000795 _____ C:\Windows\setupact.log
2013-09-07 19:25 - 2012-11-21 13:38 - 00000000 ____D C:\Users\Camille\Documents\PGCE
2013-09-07 12:34 - 2011-09-27 11:33 - 00000000 ____D C:\Program Files\Common Files\Adobe AIR
2013-09-01 23:44 - 2011-05-15 23:37 - 00000000 ____D C:\Users\Camille\AppData\Roaming\Spotify
2013-08-30 21:51 - 2011-05-15 23:37 - 00000000 ____D C:\Users\Camille\AppData\Local\Spotify
2013-08-21 21:15 - 2009-07-24 13:21 - 00000000 ____D C:\Users\Camille\AppData\Local\Google
2013-08-21 20:11 - 2012-09-04 16:47 - 00037664 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx86.sys

Files to move or delete:
====================
C:\Users\Camille\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-09-09 19:43

==================== End Of Log ============================


Delete the old fixlist.txt from last run of FRST fix. Next,

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

 

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

 

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

 

*EXTRA NOTES*


  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

 

Post the logs from FRST fix and Combofix in next reply please...

 

Kevin


I'm running Combofix on the affected machine at the moment, but it has been stuck on the "scanning for infected files...." page for some time. I'll leave it running unless there's no hard drive activity.

 

Question: All of a sudden Windows is trying to update as is Flash. Shall I prevent these updates for the time being?


Hi Kevin.

 

Logs below. I am still being prompted to shut down the machine and install new Windows updates.

 

Also, web pages are taking a long time to load and sometimes only partially load. It took three refresh attempts to get this page to display in its entirety.

 

Thanks Kevin.

FYI - I had to uninstall AVG free prior to running ComboFix as the program was still saying AVG was active after I'd tried to disable it.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-09-2013
Ran by Camille at 2013-09-10 09:03:03 Run:2
Running from C:\Users\Camille\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
C:\Users\Camille\AppData\Local\Temp\Quarantine.exe
end
*****************

C:\Users\Camille\AppData\Local\Temp\Quarantine.exe => Moved successfully.

==== End of Fixlog ====

 

ComboFix 13-09-09.04 - Camille 10/09/2013  11:24:51.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2939.2274 [GMT 1:00]
Running from: c:\users\Camille\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Setup.exe
c:\users\Camille\Documents\~WRL1132.tmp
c:\users\Camille\Documents\~WRL2332.tmp
c:\windows\$NtUninstallKB45717$
c:\windows\$NtUninstallKB45717$\1963827381
c:\windows\$NtUninstallKB45717$\2433164178\@
c:\windows\$NtUninstallKB45717$\2433164178\bckfg.tmp
c:\windows\$NtUninstallKB45717$\2433164178\cfg.ini
c:\windows\$NtUninstallKB45717$\2433164178\Desktop.ini
c:\windows\$NtUninstallKB45717$\2433164178\keywords
c:\windows\$NtUninstallKB45717$\2433164178\kwrd.dll
c:\windows\$NtUninstallKB45717$\2433164178\L\qnbwvoto
c:\windows\$NtUninstallKB45717$\2433164178\U\00000001.@
c:\windows\$NtUninstallKB45717$\2433164178\U\00000002.@
c:\windows\$NtUninstallKB45717$\2433164178\U\00000004.@
c:\windows\$NtUninstallKB45717$\2433164178\U\80000000.@
c:\windows\$NtUninstallKB45717$\2433164178\U\80000004.@
c:\windows\$NtUninstallKB45717$\2433164178\U\80000032.@
c:\windows\system32\pt
c:\windows\system32\pt\toscdspd.cpl.mui
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_AMService
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-10 to 2013-09-10  )))))))))))))))))))))))))))))))
.
.
2013-09-10 10:35 . 2013-09-10 10:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-10 10:34 . 2013-09-10 10:39 -------- d-----w- c:\users\Camille\AppData\Local\temp
2013-09-10 10:34 . 2013-09-10 10:34 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-09-10 08:44 . 2013-08-19 23:47 7166848 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{10B501AF-3E45-4CA2-9BDA-A301831E1EBE}\mpengine.dll
2013-09-09 18:28 . 2013-09-09 18:31 -------- d-----w- C:\AdwCleaner
2013-09-09 14:08 . 2013-09-09 14:08 -------- d-----w- C:\FRST
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-09 10:23 . 2013-08-02 14:41 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-08-21 19:11 . 2012-09-04 15:47 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-08-07 03:22 . 2009-10-02 16:11 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-07-16 12:49 . 2012-04-09 18:14 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-16 12:49 . 2011-06-19 19:48 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-15 10:19 . 2011-05-11 16:26 4640768 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\spotify.exe
2013-07-15 10:19 . 2013-04-20 16:58 62464 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpotifyLauncher.exe
2013-07-15 10:19 . 2013-04-20 16:58 9964032 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\icudt.dll
2013-07-15 10:19 . 2013-04-20 16:58 24985600 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\libcef.dll
2013-07-15 10:19 . 2013-04-20 16:58 1104384 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\SpotifyWebHelper.exe
2011-01-19 09:34 . 2011-01-19 09:34 2993152 ----a-w- c:\program files\openofficeorg33.msi
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"NDSTray.exe"="NDSTray.exe" [bU]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-24 30192]
"Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-05-28 20480]
"Toshiba TEMPO"="c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe" [2008-04-24 103824]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-24 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2008-01-11 574864]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-25 2569616]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848]
"IJNetworkScannerSelectorEX"="c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2010-09-09 452016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
HsfXAudioService REG_MULTI_SZ    HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 12:49]
.
2013-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:31]
.
2013-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:31]
.
2013-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000Core.job
- c:\users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-11 19:29]
.
2013-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000UA.job
- c:\users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-11 19:29]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=2&ct=1374234529&rver=6.1.6206.0&wp=MBI_KEY&wreply=https:%2F%2Fwww.outlook.com%2Fowa%2F&id=260563&whr=live.ucl.ac.uk&CBCXT=out

uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe /Startup
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-10 11:40
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Toshiba TEMPRO\TempoSVC.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\RtHDVCpl.exe
c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\igfxext.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-09-10  11:43:41 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-10 10:43
.
Pre-Run: 60,890,783,744 bytes free
Post-Run: 61,106,462,720 bytes free
.
- - End Of File - - 583CDCBA98873033B42027E7FBF4DB9E
5C616939100B85E558DA92B899A0FC36
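A defender reading the "Reg Loading Points" block in the ComboFix log above will notice UAC switched off ("EnableLUA"= 0) and both Security Center overrides set to 1. As an added example (not code from ComboFix, FRST or anyone in this thread), the following Python script parses that REGEDIT4-style block from a constructed excerpt of the log and lists each weak setting beside the value it should have.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for settings that
weaken Windows' own defences.

Added example for this thread; it is not code from ComboFix, FRST or the
Malwarebytes forum.  SAMPLE_LOG is a constructed excerpt copied from the log
posted above so the checks have real values to act on.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"NDSTray.exe"="NDSTray.exe" [bU]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
"""

# Key paths are compared lower-cased because ComboFix prints them in mixed case.
POLICIES = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
WINDOWS_NT = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
SEC_CENTER = r"hkey_local_machine\software\microsoft\security center"
HKLM_RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

Finding = Tuple[str, str, str, str]  # (setting, observed, expected, why it matters)


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Group the "name"=value lines under the [key] line that precedes them."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", ".", "REGEDIT4"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            keys[current][val.group(1)] = val.group(2).strip()
    return keys


def reg_int(value: str) -> int:
    """ComboFix prints DWORDs two ways: 'dword:00000001' and '0 (0x0)'."""
    if value.lower().startswith("dword:"):
        return int(value[len("dword:"):], 16)
    return int(value.split()[0])


def audit(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return one finding per setting that lowers the machine's defences."""
    findings: List[Finding] = []
    pol = keys.get(POLICIES, {})
    if "EnableLUA" in pol and reg_int(pol["EnableLUA"]) == 0:
        findings.append(("EnableLUA", pol["EnableLUA"], "1",
                         "UAC is off: an admin logon runs every process fully elevated"))
    sc = keys.get(SEC_CENTER, {})
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if name in sc and reg_int(sc[name]) == 1:
            findings.append((name, sc[name], "dword:00000000",
                             "Security Center will not warn that this protection is missing"))
    appinit = keys.get(WINDOWS_NT, {}).get("AppInit_DLLs", "")
    if appinit:
        findings.append(("AppInit_DLLs", appinit, "(empty)",
                         "DLL is loaded into every process that uses user32.dll; confirm the publisher"))
    for name, value in keys.get(HKLM_RUN, {}).items():
        # A Run value that is only a file name is resolved through the search
        # path at logon, so confirm which binary it actually starts.
        image = value.split('"')[1] if value.startswith('"') else value.split(" [")[0]
        if "\\" not in image:
            findings.append(("Run:" + name, value, "full path to a verified binary",
                             "autostart entry given as a bare file name"))
    return findings


if __name__ == "__main__":
    for setting, observed, expected, why in audit(parse_reg_points(SAMPLE_LOG)):
        print(f"{setting:24} observed={observed!r:48} expected={expected}\n    {why}")
```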


Leave Windows updates for now, continue..

 

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

ClearJavaCache::

 

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

[Images: CF3.jpg, CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

Next,

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/home/products/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report here

 

Post both logs in next reply, also give update on current issues/concerns..

 

Kevin..

 


Hi Kevin.

 

Logs as follows:

 

ComboFix 13-09-09.04 - Camille 10/09/2013  14:38:02.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2939.1716 [GMT 1:00]
Running from: c:\users\Camille\Desktop\ComboFix.exe
Command switches used :: c:\users\Camille\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-10 to 2013-09-10  )))))))))))))))))))))))))))))))
.
.
2013-09-10 13:46 . 2013-09-10 13:46 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-09-10 13:46 . 2013-09-10 13:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-10 10:34 . 2013-09-10 13:46 -------- d-----w- c:\users\Camille\AppData\Local\temp
2013-09-10 08:44 . 2013-08-19 23:47 7166848 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{10B501AF-3E45-4CA2-9BDA-A301831E1EBE}\mpengine.dll
2013-09-09 18:28 . 2013-09-09 18:31 -------- d-----w- C:\AdwCleaner
2013-09-09 14:08 . 2013-09-09 14:08 -------- d-----w- C:\FRST
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-09 10:23 . 2013-08-02 14:41 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-08-21 19:11 . 2012-09-04 15:47 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-08-07 03:22 . 2009-10-02 16:11 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-07-16 12:49 . 2012-04-09 18:14 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-16 12:49 . 2011-06-19 19:48 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-15 10:19 . 2011-05-11 16:26 4640768 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\spotify.exe
2013-07-15 10:19 . 2013-04-20 16:58 62464 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpotifyLauncher.exe
2013-07-15 10:19 . 2013-04-20 16:58 9964032 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\icudt.dll
2013-07-15 10:19 . 2013-04-20 16:58 24985600 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\libcef.dll
2013-07-15 10:19 . 2013-04-20 16:58 1104384 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\SpotifyWebHelper.exe
2011-01-19 09:34 . 2011-01-19 09:34 2993152 ----a-w- c:\program files\openofficeorg33.msi
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"NDSTray.exe"="NDSTray.exe" [bU]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-24 30192]
"Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-05-28 20480]
"Toshiba TEMPO"="c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe" [2008-04-24 103824]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-24 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2008-01-11 574864]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-25 2569616]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848]
"IJNetworkScannerSelectorEX"="c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2010-09-09 452016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
HsfXAudioService REG_MULTI_SZ    HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 12:49]
.
2013-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:31]
.
2013-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:31]
.
2013-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000Core.job
- c:\users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-11 19:29]
.
2013-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000UA.job
- c:\users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-11 19:29]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=2&ct=1374234529&rver=6.1.6206.0&wp=MBI_KEY&wreply=https:%2F%2Fwww.outlook.com%2Fowa%2F&id=260563&whr=live.ucl.ac.uk&CBCXT=out

uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-10 14:46
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-09-10  14:47:55
ComboFix-quarantined-files.txt  2013-09-10 13:47
ComboFix2.txt  2013-09-10 10:43
.
Pre-Run: 60,927,221,760 bytes free
Post-Run: 60,950,757,376 bytes free
.
- - End Of File - - 4EB5911DF0FC1E787554CF65B2A37C50
5C616939100B85E558DA92B899A0FC36
 

 

 

ESET SCAN:

C:\Documents and Settings\Camille\AppData\Roaming\Adobe\AIR\ELS\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\APSPrivateData2\0\Resources\SceKEbCUuLjmo3f2edzwQo8KDIh8=\ODY2RDI5RkItNjNEOS0zQTAwLUEyNkEtRkY5NjM5NTMxNzVF\net.exe a variant of Win32/Injector.ALMX trojan
C:\FRST\Quarantine\bhgeftl.dat a variant of Win32/Kryptik.BJMV trojan
C:\FRST\Quarantine\ehgdiqumxfxbnrjtckf.bfg a variant of Win32/Injector.ALMX trojan
C:\Users\Camille\AppData\Roaming\Adobe\AIR\ELS\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\APSPrivateData2\0\Resources\SceKEbCUuLjmo3f2edzwQo8KDIh8=\ODY2RDI5RkItNjNEOS0zQTAwLUEyNkEtRkY5NjM5NTMxNzVF\net.exe a variant of Win32/Injector.ALMX trojan
 


Thanks for the logs, continue:

 

Download OTM from either of the following links and save to your Desktop:

http://oldtimer.geekstogo.com/OTM.exe
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe

Double click OTM.exe to start the tool. Vista or Windows 7 users accept UAC alert. Be aware all processes will be stopped during run, also Desktop will disappear, this will be put back on completion....

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    C:\Documents and Settings\Camille\AppData\Roaming\Adobe\AIR\ELS\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\APSPrivateData2\0\Resources\SceKEbCUuLjmo3f2edzwQo8KDIh8=\ODY2RDI5RkItNjNEOS0zQTAwLUEyNkEtRkY5NjM5NTMxNzVF\net.exe
    C:\Users\Camille\AppData\Roaming\Adobe\AIR\ELS\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\APSPrivateData2\0\Resources\SceKEbCUuLjmo3f2edzwQo8KDIh8=\ODY2RDI5RkItNjNEOS0zQTAwLUEyNkEtRkY5NjM5NTMxNzVF\net.exe
    ipconfig /flushdns /c
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

 

Next,

 

Run Malwarebytes, update and run Quick scan, post the log....

 

Post both logs from above, also let me know what issues/concerns remain..

 

Kevin


Hi Kevin.

 

Logs below. I am thinking that it would now be a good idea to install all the essential Windows updates and use the machine for a while. How does that sound?

 

Also, I uninstalled AVG, but I have seen traces of it on many of the scans we've performed (and also Kaspersky). Is there a way to completely remove these programs, or is there no need to do that?

 

Many thanks for your help so far!

 

All processes killed
========== FILES ==========
File move failed. C:\Documents and Settings\Camille\AppData\Roaming\Adobe\AIR\ELS\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\APSPrivateData2\0\Resources\SceKEbCUuLjmo3f2edzwQo8KDIh8=\ODY2RDI5RkItNjNEOS0zQTAwLUEyNkEtRkY5NjM5NTMxNzVF\net.exe scheduled to be moved on reboot.
C:\Users\Camille\AppData\Roaming\Adobe\AIR\ELS\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\APSPrivateData2\0\Resources\SceKEbCUuLjmo3f2edzwQo8KDIh8=\ODY2RDI5RkItNjNEOS0zQTAwLUEyNkEtRkY5NjM5NTMxNzVF\net.exe moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Camille\Desktop\cmd.bat deleted successfully.
C:\Users\Camille\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Camille
->Temp folder emptied: 53718 bytes
->Temporary Internet Files folder emptied: 10910535 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 7932003 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 1973520 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 57472 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6118296 bytes
->Flash cache emptied: 601 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3020 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 26.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 09102013_210923

Files moved on Reboot...
File C:\Documents and Settings\Camille\AppData\Roaming\Adobe\AIR\ELS\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\APSPrivateData2\0\Resources\SceKEbCUuLjmo3f2edzwQo8KDIh8=\ODY2RDI5RkItNjNEOS0zQTAwLUEyNkEtRkY5NjM5NTMxNzVF\net.exe not found!

Registry entries deleted on Reboot...

 

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.10.10

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Camille :: DIDI-JUNIOR [administrator]

10/09/2013 21:14:59
mbam-log-2013-09-10 (21-14-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 256663
Time elapsed: 10 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Yes I would remove all traces of AVG, use the relevant removal utility from here: http://www.avg.com/us-en/utilities Kaspersky also have one available here: http://support.kaspersky.com/common/service.aspx?el=1464

Obviously you will have to install security before you progress, I'd recommend Microsoft Security Essentials, available here: http://www.microsoft.com/en-gb/security/pc-security/mse.aspx

When that is complete run the windows updates and test the system to see how it responds, let me know how you get on...

Cheers,

Kevin...


Evening Kevin.

 

I tried the instructions in post #2 (including all the manual instructions), but no joy, so I took a chance on the solution on the following page (post #2) and it worked first time. Hope this may be a useful resource for you!

 

Do you have any other suggestion except to test the system and report?

