Anyone else noticed this?

bw41101

Greetings all;

I'm running Windows XP Professional (SP4) and whilst checking through my system I noticed that within the following:

C:\Documents and Settings\LocalService\Cookies

an absolutely humongous amount of cookies have appeared within this subdirectory.

Naturally, upon seeing this I immediately started to delete same (over 1000), only to find that soon after more started appearing, and not just in ones and twos but in blocks of 10, 20, 30 or more. What's more puzzling is the fact that this is happening when no browser is actually open.

I've searched on the net to see whether this is a known phenomenon but with no luck. In addition I've run all of my anti-virus/malware programmes, including Malwarebytes, and all come up clean.

Could anyone please advise me as to whether this activity is normal and (if it turns out to be malware) how to effectively deal with it?

Please advise.

Regards

BW41101

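A quick way to see which hosts those LocalService cookies belong to, as an added example that is not part of this thread or of any tool it mentions: on Windows XP, anything that fetches web content through WinINet while running as LocalService leaves its cookies in that profile's Cookies folder, one text file per host named account@host[N].txt, each holding eight-field records terminated by a line containing "*". The script below parses that format, converts the FILETIME stamps, and tallies cookies per host so the hosts can be matched against whatever services are running. The sample cookie files embedded at the bottom are constructed, not taken from this machine, and the flags field is kept as an opaque integer.

```python
"""Tally XP-era WinINet text cookies (<profile>\\Cookies\\account@host[N].txt) by host."""
import re
from collections import Counter
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, Iterable, List

# Windows FILETIME counts 100 ns ticks since 1601-01-01 (UTC).
EPOCH_1601 = datetime(1601, 1, 1)
# Cookie files are named <account>@<host>[N].txt, e.g. localservice@example.com[1].txt
FILENAME_RE = re.compile(r"^[^@]*@(.+?)(?:\[\d+\])?$")


def filetime_to_datetime(low: int, high: int) -> datetime:
    """Join the two 32-bit halves of a FILETIME and convert to a datetime."""
    ticks = (high << 32) | low
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def host_from_filename(filename: str) -> str:
    """'localservice@ads.tracker.test[1].txt' -> 'ads.tracker.test'."""
    stem = Path(filename).stem
    m = FILENAME_RE.match(stem)
    return m.group(1) if m else stem


def parse_cookie_file(text: str) -> List[Dict]:
    """Parse the WinINet cookie text format.

    Each record is eight lines (name, value, host/path, flags, expiry FILETIME
    low and high, creation FILETIME low and high) followed by a line with '*'.
    Short or non-numeric records are skipped instead of aborting the tally,
    since cookie files on a cluttered profile are often truncated.
    """
    cookies: List[Dict] = []
    rec: List[str] = []
    for line in text.splitlines():
        if line.strip() != "*":
            rec.append(line)
            continue
        if len(rec) >= 8:
            try:
                host, _, path = rec[2].partition("/")
                cookies.append({
                    "name": rec[0],
                    "value": rec[1],
                    "host": host,
                    "path": "/" + path,
                    "flags": int(rec[3]),  # kept opaque; not interpreted here
                    "expires": filetime_to_datetime(int(rec[4]), int(rec[5])),
                    "created": filetime_to_datetime(int(rec[6]), int(rec[7])),
                })
            except ValueError:
                pass  # malformed numeric field: drop just this record
        rec = []
    return cookies


def tally_hosts(cookie_texts: Iterable[str]) -> Counter:
    """Count cookies per host across the contents of many cookie files."""
    counts: Counter = Counter()
    for text in cookie_texts:
        for cookie in parse_cookie_file(text):
            counts[cookie["host"]] += 1
    return counts


def tally_cookie_dir(directory: Path) -> Counter:
    """Tally every *.txt cookie file in a Cookies directory on disk."""
    texts = (p.read_text(errors="replace") for p in directory.glob("*.txt"))
    return tally_hosts(texts)


def _record(name, value, hostpath, flags, exp_low, exp_high, cr_low, cr_high):
    """Build one cookie record in the on-disk layout (used for the sample data)."""
    return "\n".join([name, value, hostpath, str(flags), str(exp_low),
                      str(exp_high), str(cr_low), str(cr_high), "*"])


# Constructed sample data standing in for two files in a Cookies folder.
SAMPLE_FILES = {
    "localservice@example.com[1].txt":
        _record("sid", "abc123", "example.com/", 2048,
                1234567890, 30000000, 1234567890, 30000000) + "\n" +
        _record("pref", "en", "example.com/account", 0, 0, 0, 0, 0),
    "localservice@ads.tracker.test[1].txt":
        _record("uid", "42", "ads.tracker.test/", 2048,
                1234567890, 30000000, 1234567890, 30000000),
}


if __name__ == "__main__":
    for host, n in tally_hosts(SAMPLE_FILES.values()).most_common():
        print(f"{n:5d}  {host}")
    # On the affected machine:
    # tally_cookie_dir(Path(r"C:\Documents and Settings\LocalService\Cookies"))
```

Run it against the real folder with tally_cookie_dir; a handful of hosts recurring in large blocks points at one caller, and the creation stamps show whether the batches arrive on a schedule. The hosts can then be compared with the services that run as LocalService (the svchost.exe -k LocalService group in a process list) rather than with the user's browser, which never writes to that profile.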

Hello bw41101 and welcome! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don't hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

It is normal for there to be a lot. You can clean and control them. Here is a good article about that:

http://www.aboutcookies.org/page-1

http://www.aboutcookies.org/default.aspx?page=2

Something generates them, and if you want I could take a look. Please follow the instructions here and then post the log files in your next reply.

http://forums.malwarebytes.org/index.php?showtopic=9573


Greetings again

Many thanks for the prompt reply.

I have set my Cookie control in Firefox and am happy that the controls are working. However, like I said in my original post, the problem with the cookie generation is only occurring in my:

C:\Documents and Settings\LocalService\Cookies

I have made a scan which I have attached below and would be grateful if you would kindly have a look at it.

******************************** Attach.txt ********************************

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 15/02/2009 17:44:24
System Uptime: 18/09/2013 21:13:51 (0 hours ago)
.
Motherboard: ASUSTeK COMPUTER INC. |  | PCH-DL
Processor:                   Intel® Xeon CPU 3.06GHz | Socket 604 | 3073/133mhz
Processor:                   Intel® Xeon CPU 3.06GHz | Socket 604 | 3073/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 56.118 GiB free.
D: is FIXED (FAT32) - 76 GiB total, 50.21 GiB free.
E: is FIXED (NTFS) - 59 GiB total, 51.597 GiB free.
F: is FIXED (NTFS) - 16 GiB total, 15.139 GiB free.
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/1000 CT Network Connection
Device ID: PCI\VEN_8086&DEV_1075&SUBSYS_81151043&REV_00\4&2D894BD&0&0818
Manufacturer: Intel
Name: Intel® PRO/1000 CT Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1075&SUBSYS_81151043&REV_00\4&2D894BD&0&0818
Service: E1000
.
==== System Restore Points ===================
.
RP270: 21/06/2013 19:19:02 - System Checkpoint
RP271: 28/06/2013 19:48:41 - System Checkpoint
RP272: 29/06/2013 20:06:23 - System Checkpoint
RP273: 06/07/2013 19:16:40 - System Checkpoint
RP274: 12/07/2013 19:32:07 - System Checkpoint
RP275: 13/07/2013 20:30:03 - System Checkpoint
RP276: 26/07/2013 19:08:52 - System Checkpoint
RP277: 02/08/2013 19:11:28 - System Checkpoint
RP278: 04/08/2013 12:34:45 - System Checkpoint
RP279: 09/08/2013 19:09:13 - System Checkpoint
RP280: 17/08/2013 20:17:22 - System Checkpoint
RP281: 23/08/2013 19:32:28 - System Checkpoint
RP282: 25/08/2013 16:07:21 - System Checkpoint
RP283: 30/08/2013 22:19:27 - System Checkpoint
RP284: 13/09/2013 19:16:07 - System Checkpoint
RP285: 15/09/2013 17:52:48 - System Checkpoint
.
==== Installed Programs ======================
.
ACDSee 5.0 Standard Trial
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.5
Adobe Shockwave Player 11.6
Advanced File Fixer 2012 version 2.8
AnyDVD
µTorrent
Auslogics BoostSpeed
Auslogics BoostSpeed 5.4
AVG 2013
AVG PC Tuneup
BBC Globe Screen Saver
CloneDVD2
ConvertHelper 2.2
Corel WinDVD 9
CyberLink PhotoNow
CyberLink PowerDirector
Email Updater
FileASSASSIN
Free FLV Converter V 7.0.0
Freez FLV to MP3 Converter
Hauppauge WinTV Source Selector
Hauppauge WinTV2000
HDD Regenerator
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2779562)
ImTOO MPEG Encoder Platinum
Intel® Network Connections 13.5.32.0
Java Auto Updater
Java 6 Update 17
Java 7 Update 1
JDownloader 0.9
K-Lite Mega Codec Pack 6.8.0
Magic FLAC to MP3 Converter 3.72
MahJong Suite 2009 v6.1
MahJong Suite Graphics Pack Volume 1 - v1.9
MahJong Suite Graphics Pack Volume 2 - v2.9
Malwarebytes Anti-Malware version 1.75.0.1300
Media Player Classic - Home Cinema v1.5.2.3456
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft OpenType Font File Properties Extension
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mozilla Firefox 24.0 (x86 en-US)
Mozilla Thunderbird 17.0.8 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 6 Ultra Edition
Nero Digital
Nero Media Player
Pale Moon 19.0.1 (x86 en-US)
PeerBlock 1.1 (r518)
PerfectDisk 11 Professional
PicaView
Pinnacle Studio AV/DV
Pinnacle Studio DC10plus
Pinnacle Studio LINX
PowerISO
Radialpoint Security Advisor 2.5.13
RapidLinkConverter
RealPlayer
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820917)
SiSoftware Sandra Professional Business 2009.SP3
SoundMAX
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
SpywareBlaster 5.0
Studio
Super Fast Shutdown 1.0
Super Video Joiner 5.7.8
Super Video Splitter 5.4
SUPERAntiSpyware
swMSM
System Requirements Lab
Trust Webcam 14921
Turbo ZIP Cracker v. 1.0
TweakNow RegCleaner Professional
Unlocker 1.9.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
uTorrentBar Toolbar
VC 9.0 Runtime
Video Grabber
Virgin Media Chat Extension 2.0.23
Virgin Media Digital Home Support 3.7.20
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WD SmartWare
WebFldrs XP
Window Washer
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
WinZip 14.5
XP Smoker Pro 5.4
Yahoo! BrowserPlus 2.9.8
.
==== Event Viewer Messages From Past Week ========
.
15/09/2013 13:59:14, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
14/09/2013 17:28:04, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Lbd PCIIde Pnp680 Pnp680r UlSata
13/09/2013 16:20:28, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Lbd
13/09/2013 16:20:28, error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
13/09/2013 16:20:28, error: Service Control Manager [7000]  - The OMSCAN service failed to start due to the following error:  The system cannot find the file specified.
13/09/2013 16:20:28, error: Service Control Manager [7000]  - The ASInsHelp service failed to start due to the following error:  The system cannot find the file specified.
.
==== End Of File ===========================

******************************** dds.txt ********************************

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.1.0
Run by Chris D at 21:45:18 on 2013-09-18
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.3454.2849 [GMT 1:00]
.
AV: AVG Internet Security 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Internet Security 2013 *Enabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2013\avgfws.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Virgin Media\Chat Extension\HsdService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Virgin Media\Digital Home Support\ServicepointService.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\WDVRCtrl.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
mSearchAssistant = about:blank
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: AutorunsDisabled - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: uTorrentBar Toolbar: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - c:\program files\utorrentbar\prxtbuTo2.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinDVRCtrl] c:\windows\WDVRCtrl.exe
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\windows\explorer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:147
uPolicies-Explorer: DisallowRun = dword:0
uPolicies-Explorer: DisallowCpl = dword:1
uPolicies-Explorer: NoCDBurning = dword:1
uPolicies-Explorer: MaxRecentDocs = dword:11
mPolicies-Explorer: NoDriveTypeAutoRun = dword:147
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 mpa.one.microsoft.com
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris d\application data\mozilla\firefox\profiles\yvkzwzdw.default\
FF - prefs.js: browser.search.selectedEngine - Delta Search
FF - plugin: c:\documents and settings\chris d\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\virgin media\digital home support\nprpspa.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_168.dll
FF - ExtSQL: 2013-08-17 22:29; jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack; c:\documents and settings\chris d\application data\mozilla\firefox\profiles\yvkzwzdw.default\extensions\jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack.xpi
FF - ExtSQL: 2013-08-27 19:18; treestyletab@piro.sakura.ne.jp; c:\documents and settings\chris d\application data\mozilla\firefox\profiles\yvkzwzdw.default\extensions\treestyletab@piro.sakura.ne.jp.xpi
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-2-8 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-2-8 245048]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 96568]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 39224]
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [2009-3-1 71720]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-2-26 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-3-1 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 182072]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-12 116608]
R2 avgfws;AVG Firewall;c:\program files\avg\avg2013\avgfws.exe [2013-2-19 1418184]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2013-2-19 282624]
R2 HsdService;HsdService;c:\program files\virgin media\chat extension\HsdService.exe [2010-10-9 1410288]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-12 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-2 701512]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2013-2-15 123248]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 ServicepointService;ServicepointService;c:\program files\virgin media\digital home support\ServicepointService.exe [2010-10-9 689392]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-2-15 618896]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30944]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2012-7-12 472644]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-2 22856]
S0 eigvon;eigvon;c:\windows\system32\drivers\nbahv.sys --> c:\windows\system32\drivers\nbahv.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 mofmjxqe;mofmjxqe;c:\windows\system32\drivers\wwjgdp.sys --> c:\windows\system32\drivers\wwjgdp.sys [?]
S1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;c:\windows\system32\drivers\dcxxmjpg.sys --> c:\windows\system32\drivers\DCxxMJPG.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2013-2-27 4937264]
S3 AF9035HB;AF9035 Hybrid Device;c:\windows\system32\drivers\AF9035HB.sys [2011-10-2 863616]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30944]
S3 BT848;Studio WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2002-4-1 211936]
S3 BTTUNER;Studio WDM TvTuner;c:\windows\system32\drivers\bttuner.sys [2002-4-1 10052]
S3 BTXBAR;Studio WDM Crossbar;c:\windows\system32\drivers\btxbar.sys [1999-7-21 13308]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-2-6 35144]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-4-10 19056]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra professional business 2009.sp1b\RpcAgentSrv.exe [2009-2-16 98488]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
S4 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
.
=============== File Associations ===============
.
FileExt: .vbs: VBSFile=c:\windows\system32\WScript.exe "%1" %* [userChoice]
.
=============== Created Last 30 ================
.
2013-09-15 14:31:44    --------    d-----w-    c:\documents and settings\chris d\local settings\application data\Conduit
.
==================== Find3M  ====================
.
2013-09-13 15:27:22    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-13 15:27:20    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-12 16:32:35    13824    ----a-w-    c:\windows\system32\LAYOUT.DLL
2013-06-28 21:50:12    0    ----a-w-    c:\windows\system32\TempWmicBatchFile.bat
2013-05-14 10:54:38    2174976    ----a-w-    c:\program files\common files\atimpenc.dll
.
============= FINISH: 21:45:31.68 ===============

Thanks again; I look forward to your reply.

Kind Regards

Chris (BW41101)
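The FIREFOX POLICIES section of the DDS log above shows a user.js that sets network.cookie.cookieBehavior to 0 (accept every cookie, first- or third-party) and switches off the mixed-content and insecure-form warnings, alongside a prefs.js search engine pinned to "Delta Search". As an added example that is not part of this thread or of any tool mentioned in it, the script below parses user_pref lines from such a file, reports every setting that differs from a hardened target, and renders a corrected user.js. The target values and the list of engines treated as benign are this example's own assumptions, and the sample file text is constructed to mirror what the log shows.

```python
"""Audit a Firefox user.js / prefs.js for weakened cookie and warning settings."""
import re
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# user_pref("name", value);  where value is true/false, an integer, or a "string"
USER_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

# Hardened target values (this example's assumption, not advice from the thread).
# cookieBehavior: 0 = accept all, 1 = block third-party, 2 = block all.
EXPECTED: Dict[str, PrefValue] = {
    "network.cookie.cookieBehavior": 1,
    "privacy.clearOnShutdown.cookies": True,
    "security.warn_viewing_mixed": True,
    "security.warn_submit_insecure": True,
}
# Engines regarded as benign when a file pins browser.search.selectedEngine
# (assumed list; a pinned unknown engine is a common adware pattern).
BENIGN_ENGINES = {"Google", "Bing", "DuckDuckGo", "Yahoo", "Wikipedia (en)"}
ENGINE_PREF = "browser.search.selectedEngine"


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Extract name -> typed value from every user_pref(...) line."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # unknown form: keep verbatim
    return prefs


def audit_prefs(prefs: Dict[str, PrefValue]) -> List[Tuple[str, PrefValue, PrefValue]]:
    """Return (pref, current, recommended) for every weakened setting present."""
    findings: List[Tuple[str, PrefValue, PrefValue]] = []
    for name, good in EXPECTED.items():
        if name in prefs and prefs[name] != good:
            findings.append((name, prefs[name], good))
    engine = prefs.get(ENGINE_PREF)
    if isinstance(engine, str) and engine not in BENIGN_ENGINES:
        findings.append((ENGINE_PREF, engine, "<unpin; use a built-in engine>"))
    return findings


def harden(prefs: Dict[str, PrefValue]) -> Dict[str, PrefValue]:
    """Copy of prefs with weakened values corrected and a pinned engine removed."""
    fixed = dict(prefs)
    for name, _current, good in audit_prefs(prefs):
        if name in EXPECTED:
            fixed[name] = good
        else:
            fixed.pop(name, None)
    return fixed


def render_user_js(prefs: Dict[str, PrefValue]) -> str:
    """Render prefs in the user_pref("name", value); form that Firefox reads."""
    def fmt(v: PrefValue) -> str:
        if isinstance(v, bool):  # bool before int: True is also an int
            return "true" if v else "false"
        if isinstance(v, int):
            return str(v)
        return '"%s"' % v
    return "\n".join('user_pref("%s", %s);' % (k, fmt(v))
                     for k, v in sorted(prefs.items())) + "\n"


# Constructed sample mirroring the settings reported in the DDS log.
SAMPLE_USER_JS = """\
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_submit_insecure.show_once", false);
user_pref("browser.search.selectedEngine", "Delta Search");
"""


if __name__ == "__main__":
    current = parse_prefs(SAMPLE_USER_JS)
    for name, now, want in audit_prefs(current):
        print(f"{name}: {now!r} -> {want!r}")
    print(render_user_js(harden(current)))
```

Because user.js is re-applied every time Firefox starts, correcting the values from the browser's own preferences dialog does not stick while that file is present; the corrected file has to replace it (or the file has to go, which is what the JRT log further down reports doing).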

Step 1

Please uninstall the following applications:

µTorrent

AVG PC Tuneup

uTorrentBar Toolbar

XP Smoker Pro 5.4

Step 2

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 3

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.
Step 4

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
Step 5
  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, post the following log files:

  • Junkware Removal Tool log
  • AdwCleaner log
  • Malwarebytes' Anti-Malware log

Greetings again

Have progressed as per your instructions above - except for running the TFC programme. I tried several times to run this and couldn't get it to work - the last time I left it for over an hour and nothing happened. Also when I tried to exit the programme the status bar showed [not responding] in fact the whole computer locked up forcing me to do a hard re-boot.

Results for the others as below:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.1 (09.15.2013:1)
OS: Microsoft Windows XP x86
Ran by Chris D on 22/09/2013 at 16:22:59.41
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs\\Tabs



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{39CB8175-E224-4446-8746-00566302DF8D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escortapp.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escorteng.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escortlbr.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\esrv.exe
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\pricegong
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\softonic
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1454471165-299502267-1547161642-1003\Software\SweetIM
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\tarma installer
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\prod.cap
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4B2468513CA2D6943A1A233CD3F88CE7
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2786678
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}



~~~ Files

Successfully deleted: [File] "C:\WINDOWS\system32\conduitengine.tmp"



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\Chris D\Local Settings\Application Data\conduit"
Successfully deleted: [Folder] "C:\Program Files\conduit"



~~~ FireFox

Successfully deleted: [File] C:\Documents and Settings\Chris D\Application Data\mozilla\firefox\profiles\yvkzwzdw.default\user.js
Successfully deleted: [File] C:\Documents and Settings\Chris D\Application Data\mozilla\firefox\profiles\yvkzwzdw.default\invalidprefs.js
Successfully deleted: [File] C:\Documents and Settings\Chris D\Application Data\mozilla\firefox\profiles\yvkzwzdw.default\extensions\browserprotect@browserprotect.com.xpi
Successfully deleted the following from C:\Documents and Settings\Chris D\Application Data\mozilla\firefox\profiles\yvkzwzdw.default\prefs.js

user_pref("browser.search.selectedEngine", "Delta Search");






~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 22/09/2013 at 16:32:04.25
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# AdwCleaner v3.004 - Report created 22/09/2013 at 16:43:25
# Updated 15/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Chris D - SCROTTEB-BB8E88
# Running from : C:\Documents and Settings\Chris D\Desktop\Malware tools\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\Chris D\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
Folder Deleted : C:\Documents and Settings\Chris D\Application Data\Mozilla\Firefox\Profiles\yvkzwzdw.default\jetpack
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\85588d8bc6ae914
Key Deleted : HKLM\SOFTWARE\85588d8bc6ae914
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Key Deleted : HKCU\Software\Microsoft\Babylon
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Delta Chrome Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Delta
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wajam

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Documents and Settings\Chris D\Application Data\Mozilla\Firefox\Profiles\yvkzwzdw.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [2476 octets] - [22/09/2013 16:40:43]
AdwCleaner[s0].txt - [2439 octets] - [22/09/2013 16:43:25]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2499 octets] ##########

Malwarebytes log


2013/09/22 16:01:48 +0100    SCROTTEB-BB8E88        MESSAGE    Starting protection
2013/09/22 16:01:48 +0100    SCROTTEB-BB8E88        MESSAGE    Protection started successfully
2013/09/22 16:01:48 +0100    SCROTTEB-BB8E88        MESSAGE    Starting IP protection
2013/09/22 16:02:23 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    IP Protection started successfully
2013/09/22 16:17:47 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 16:17:50 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 16:17:56 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 16:46:22 +0100    SCROTTEB-BB8E88        MESSAGE    Starting protection
2013/09/22 16:46:22 +0100    SCROTTEB-BB8E88        MESSAGE    Protection started successfully
2013/09/22 16:46:23 +0100    SCROTTEB-BB8E88        MESSAGE    Starting IP protection
2013/09/22 16:47:05 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    IP Protection started successfully
2013/09/22 16:59:01 +0100    SCROTTEB-BB8E88        MESSAGE    Starting protection
2013/09/22 16:59:02 +0100    SCROTTEB-BB8E88        MESSAGE    Protection started successfully
2013/09/22 16:59:02 +0100    SCROTTEB-BB8E88        MESSAGE    Starting IP protection
2013/09/22 16:59:40 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    IP Protection started successfully
2013/09/22 17:47:42 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Starting protection
2013/09/22 17:47:42 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Protection started successfully
2013/09/22 17:47:42 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Starting IP protection
2013/09/22 17:48:14 +0100    SCROTTEB-BB8E88    Chris D    ERROR    IP protection failed:  PfBindInterfaceToIPAddress failed with error code 87
2013/09/22 18:06:53 +0100    SCROTTEB-BB8E88        MESSAGE    Starting protection
2013/09/22 18:06:53 +0100    SCROTTEB-BB8E88        MESSAGE    Protection started successfully
2013/09/22 18:06:53 +0100    SCROTTEB-BB8E88        MESSAGE    Starting IP protection
2013/09/22 18:07:03 +0100    SCROTTEB-BB8E88        MESSAGE    IP Protection started successfully
2013/09/22 18:17:54 +0100    SCROTTEB-BB8E88        MESSAGE    Starting protection
2013/09/22 18:17:55 +0100    SCROTTEB-BB8E88        MESSAGE    Protection started successfully
2013/09/22 18:17:55 +0100    SCROTTEB-BB8E88        MESSAGE    Starting IP protection
2013/09/22 18:29:29 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Starting protection
2013/09/22 18:29:30 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Protection started successfully
2013/09/22 18:29:30 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Starting IP protection
2013/09/22 18:29:59 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    IP Protection started successfully
2013/09/22 19:34:39 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Starting protection
2013/09/22 19:34:39 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Protection started successfully
2013/09/22 19:34:39 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Starting IP protection
2013/09/22 19:35:09 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    IP Protection started successfully
2013/09/22 19:36:09 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Starting database refresh
2013/09/22 19:36:09 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Stopping IP protection
2013/09/22 19:36:09 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    IP Protection stopped successfully
2013/09/22 19:36:19 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Database refreshed successfully
2013/09/22 19:36:19 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Starting IP protection
2013/09/22 19:36:46 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    IP Protection started successfully
2013/09/22 19:44:30 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Starting protection
2013/09/22 19:44:30 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Protection started successfully
2013/09/22 19:44:31 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    Starting IP protection
2013/09/22 19:45:02 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    IP Protection started successfully
2013/09/22 20:01:56 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 20:01:58 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 20:02:05 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 20:02:11 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 20:02:14 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 20:02:20 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 21:27:42 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    31.207.2.154 (Type: outgoing)
2013/09/22 21:27:45 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    31.207.2.154 (Type: outgoing)
2013/09/22 21:27:51 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    31.207.2.154 (Type: outgoing)

Am still getting the same problem with the cookie generation occurring in my:

C:\Documents and Settings\LocalService\Cookies

Thanks again

Regards

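The Malwarebytes protection log above shows the same destination blocked repeatedly, a few seconds apart, in more than one burst. As an added example (not code from the thread or from Malwarebytes), this Python script parses that line format and groups outgoing IP-BLOCK events per address into bursts, so a destination that keeps being retried stands out from a one-off block; the sample input is a constructed extract of the posted lines, and the 60-second burst gap is an assumed threshold.

```python
"""Summarise IP-BLOCK events from a Malwarebytes Anti-Malware protection log.

Added example, not code from the thread or from Malwarebytes. It parses the
line format shown in the posted log (timestamp, host, optional user, event
type, detail) and groups outgoing IP-BLOCK events per destination into
bursts, so repeated blocks to one address stand out from a single block.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: an extract of the MESSAGE, ERROR and IP-BLOCK
# lines from the log posted in the thread (fields separated by whitespace).
SAMPLE_LOG = """\
2013/09/22 16:01:48 +0100    SCROTTEB-BB8E88        MESSAGE    Starting protection
2013/09/22 16:02:23 +0100    SCROTTEB-BB8E88    Chris D    MESSAGE    IP Protection started successfully
2013/09/22 16:17:47 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 16:17:50 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 16:17:56 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 17:48:14 +0100    SCROTTEB-BB8E88    Chris D    ERROR    IP protection failed:  PfBindInterfaceToIPAddress failed with error code 87
2013/09/22 20:01:56 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 20:01:58 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 20:02:05 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    5.149.255.46 (Type: outgoing)
2013/09/22 21:27:42 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    31.207.2.154 (Type: outgoing)
2013/09/22 21:27:45 +0100    SCROTTEB-BB8E88    Chris D    IP-BLOCK    31.207.2.154 (Type: outgoing)
"""

# The user field is empty on lines logged from service context, so it is
# matched lazily and may be blank.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<user>.*?)\s*(?P<kind>MESSAGE|ERROR|IP-BLOCK)\s+(?P<detail>.*)$"
)
BLOCK_RE = re.compile(r"^(?P<ip>\S+) \(Type: (?P<direction>\w+)\)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    rec["user"] = rec["user"].strip() or None
    if rec["kind"] == "IP-BLOCK":
        b = BLOCK_RE.match(rec["detail"])
        if not b:
            return None
        rec.update(b.groupdict())  # adds "ip" and "direction"
    return rec


def summarise_blocks(text, burst_gap=timedelta(seconds=60)):
    """Group outgoing IP-BLOCK events per destination into bursts.

    Two blocks to the same address closer together than burst_gap (assumed
    threshold) belong to the same burst. Returns
    {ip: {"blocks": n, "bursts": m, "first": datetime, "last": datetime}}.
    """
    per_ip = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "IP-BLOCK" and rec["direction"] == "outgoing":
            per_ip[rec["ip"]].append(rec["ts"])
    summary = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        bursts = 1
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > burst_gap:
                bursts += 1
        summary[ip] = {"blocks": len(stamps), "bursts": bursts,
                       "first": stamps[0], "last": stamps[-1]}
    return summary


def repeat_offenders(summary, min_bursts=2):
    """Addresses blocked in separate bursts: something on the host keeps
    retrying the same destination, which one accidental click would not."""
    return sorted(ip for ip, s in summary.items() if s["bursts"] >= min_bursts)


if __name__ == "__main__":
    result = summarise_blocks(SAMPLE_LOG)
    for ip, s in sorted(result.items()):
        print(f"{ip:16} blocks={s['blocks']} bursts={s['bursts']} "
              f"first={s['first']:%H:%M:%S} last={s['last']:%H:%M:%S}")
    print("repeat offenders:", repeat_offenders(result))
```

Feed the script the full protection log (it ignores MESSAGE and ERROR lines) and correlate the burst times with whatever was running unattended, which is the question the thread leaves open.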

Greetings again;

 

Apologies for the slow reply, as I've been away on company business - so not near my PC. I've followed Maniac's advice and have managed to run TFC successfully, including Malwarebytes scanning. However, after all this I'm still suffering from the same problem as previously described, i.e. loads of cookies appearing within my C:\Documents and Settings\LocalService\Cookies.

 

I've tried everything to track down where these are coming from but cannot detect any processes running in the background. Perhaps, as this cookie folder is normally hidden, this may be normal - hence the title of my thread: "has anyone else noticed this?"

 

Looking forward to your inputs

 

Regards


Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
  • Please copy/paste the contents or attach that log file to your next reply.
  • If needed the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Back again!

 

Have run ComboFix - results:

 

ComboFix 13-09-28.02 - Chris D 28/09/2013  19:18:16.1.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.3454.2821 [GMT 1:00]
Running from: c:\documents and settings\Chris D\Desktop\ComboFix.exe
AV: AVG update module *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: AVG update module *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
ADS - system32: deleted 40 bytes in 1 streams.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\A39268BD60.sys
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{D36DD326-7280-11D8-97C8-000129760CBE}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\RAIDTest
c:\documents and settings\All Users\Application Data\xml4F.tmp
c:\documents and settings\All Users\Application Data\xml50.tmp
c:\documents and settings\All Users\Application Data\xml51.tmp
c:\documents and settings\All Users\Start Menu\Programs\Startup\install.exe.lnk
c:\documents and settings\Chris D\WINDOWS
c:\windows\$NtUninstallKB59052$
c:\windows\$NtUninstallKB59052$\1449177292\@
c:\windows\$NtUninstallKB59052$\1449177292\Desktop.ini
c:\windows\$NtUninstallKB59052$\1449177292\L\00000004.@
c:\windows\$NtUninstallKB59052$\1449177292\L\201d3dde
c:\windows\$NtUninstallKB59052$\1449177292\L\6715e287
c:\windows\$NtUninstallKB59052$\1449177292\L\76603ac3
c:\windows\$NtUninstallKB59052$\1449177292\L\hpaatoxo
c:\windows\$NtUninstallKB59052$\1449177292\U\00000004.@
c:\windows\$NtUninstallKB59052$\1449177292\U\00000008.@
c:\windows\$NtUninstallKB59052$\1449177292\U\000000cb.@
c:\windows\$NtUninstallKB59052$\1449177292\U\80000000.@
c:\windows\$NtUninstallKB59052$\1449177292\U\80000032.@
c:\windows\$NtUninstallKB59052$\3838291087
c:\windows\system32\Cache
c:\windows\system32\Cache\08a61509af93bf6d.fb
c:\windows\system32\Cache\2007c417fe96506c.fb
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\3279f0a0608e9c2c.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\4197d7ad02ba45f5.fb
c:\windows\system32\Cache\45cec46626a5d32e.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\89e9acde41c828cd.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\baca9499959642d2.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\e62b1fca887b2155.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\Temp
c:\windows\WINDOWS
.
Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
Restored copy from - The cat found it :)
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BROWSERDEFENDERT
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-28 to 2013-09-28  )))))))))))))))))))))))))))))))
.
.
2013-09-28 18:16 . 2011-07-15 13:29    456320    -c--a-w-    c:\windows\system32\dllcache\mrxsmb.sys
2013-09-28 18:16 . 2011-07-15 13:29    456320    ----a-w-    c:\windows\system32\drivers\mrxsmb.sys
2013-09-28 18:12 . 2013-09-28 18:15    --------    d-----w-    c:\windows\system32\MRT
2013-09-28 17:50 . 2013-09-28 17:50    --------    d-sh--w-    c:\documents and settings\LocalService.NT AUTHORITY
2013-09-22 15:39 . 2013-09-22 18:39    --------    d-----w-    C:\AdwCleaner
2013-09-22 15:22 . 2013-09-22 15:22    --------    d-----w-    c:\windows\ERUNT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-23 21:26 . 2012-03-29 20:40    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-23 21:26 . 2011-05-19 21:13    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-10 00:34 . 2013-03-01 09:32    22328    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-09-05 00:43 . 2010-09-07 02:48    39224    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2013-07-20 00:51 . 2013-02-08 03:37    246072    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-07-20 00:50 . 2013-02-26 22:40    208184    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-20 00:50 . 2013-02-08 03:37    60216    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2013-07-20 00:50 . 2010-09-07 02:48    171320    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-07-12 16:32 . 2009-03-03 22:45    13824    ----a-w-    c:\windows\system32\LAYOUT.DLL
2013-07-01 00:45 . 2010-09-07 02:48    96568    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2013-05-14 10:54 . 2013-05-14 10:54    2174976    ----a-w-    c:\program files\Common Files\atimpenc.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"WinDVRCtrl"="c:\windows\WDVRCtrl.exe" [2002-04-01 94208]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-08-15 4411440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe View=show_in_tray
.
 
View=show_in_tray [2009-10-14 9085760]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
"MaxRecentDocs"= 11 (0xb)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       PDBoot.exe\0autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [08/02/2013 04:37 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [08/02/2013 04:37 246072]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 03:48 39224]
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [01/03/2009 18:46 71720]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [26/02/2013 23:40 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [01/03/2013 10:32 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 03:48 171320]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [07/09/2010 03:49 182072]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [12/08/2011 00:38 116608]
R2 avgfws;AVG Firewall;c:\program files\AVG\AVG2013\avgfws.exe [04/09/2013 09:20 1432080]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [04/07/2013 15:53 4939312]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [23/07/2013 19:09 283136]
R2 HsdService;HsdService;c:\program files\Virgin Media\Chat Extension\HsdService.exe [09/10/2010 19:22 1410288]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [12/09/2012 21:58 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [02/08/2011 21:52 701512]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [15/02/2013 01:14 123248]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [17/04/2007 21:09 11032]
R2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Digital Home Support\ServicepointService.exe [09/10/2010 19:22 689392]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [15/02/2009 22:35 618896]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/07/2010 04:33 30944]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [12/07/2012 22:54 472644]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [02/08/2011 21:52 22856]
S0 eigvon;eigvon;c:\windows\system32\drivers\nbahv.sys --> c:\windows\system32\drivers\nbahv.sys [?]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 mofmjxqe;mofmjxqe;c:\windows\system32\drivers\wwjgdp.sys --> c:\windows\system32\drivers\wwjgdp.sys [?]
S1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;c:\windows\system32\drivers\DCxxMJPG.sys --> c:\windows\system32\drivers\DCxxMJPG.sys [?]
S3 AF9035HB;AF9035 Hybrid Device;c:\windows\system32\drivers\AF9035HB.sys [02/10/2011 15:25 863616]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/07/2010 04:33 30944]
S3 BT848;Studio WDM Video Capture;c:\windows\system32\drivers\BT848.sys [01/04/2002 13:00 211936]
S3 BTTUNER;Studio WDM TvTuner;c:\windows\system32\drivers\bttuner.sys [01/04/2002 13:00 10052]
S3 BTXBAR;Studio WDM Crossbar;c:\windows\system32\drivers\btxbar.sys [21/07/1999 15:28 13308]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [06/02/2013 00:01 35144]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [10/04/2010 13:27 19056]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Professional Business 2009.SP1b\RpcAgentSrv.exe [16/02/2009 20:54 98488]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [06/05/2008 17:06 11520]
S4 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [14/10/2009 15:31 98304]
S4 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [16/06/2009 10:58 20480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 21:26]
.
2013-06-29 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-02-20 15:31]
.
.
------- Supplementary Scan -------
.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\documents and settings\Chris D\Application Data\Mozilla\Firefox\Profiles\yvkzwzdw.default\

FF - ExtSQL: 2013-08-17 22:29; jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack; c:\documents and settings\Chris D\Application Data\Mozilla\Firefox\Profiles\yvkzwzdw.default\extensions\jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack.xpi
FF - ExtSQL: 2013-08-27 19:18; treestyletab@piro.sakura.ne.jp; c:\documents and settings\Chris D\Application Data\Mozilla\Firefox\Profiles\yvkzwzdw.default\extensions\treestyletab@piro.sakura.ne.jp.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
MSConfigStartUp-CTFMON - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-28 19:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:31,53,04,eb,fa,ed,2b,8d,6a,63,b6,7b
"LastWPAEventLogged"=hex:
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2220)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Raxco\PerfectDisk10\PDEngine.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-09-28  19:51:31 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-28 18:51
.
Pre-Run: 63,973,318,656 bytes free
Post-Run: 64,770,469,888 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 8F291FFE1B6740CF06C93E7C5044A75A
8F558EB6672622401DA993E1E865C861
 

Regards


Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.

    ESET OnlineScan

  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.

      Save it to your Desktop.

    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Greetings;

 

Result of the scan:

 

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DeltaToolbar27.zip    Win32/Bagle.gen.zip worm    cleaned by deleting - quarantined
C:\Documents and Settings\Chris D\Desktop\Applications\Nero-6.6.1.15a.exe    Win32/Toolbar.AskSBar application    deleted - quarantined
C:\Documents and Settings\Chris D\Desktop\Applications\Setup_FreeFlvConverter.exe    Win32/Toolbar.Widgi application    cleaned by deleting - quarantined
C:\Documents and Settings\Chris D\Desktop\JL Dowmloads\ImTOO.Video.Converter.Ultimate.7.7.2.20130225.rar    Win32/HackTool.Patcher.AC application    deleted - quarantined
C:\Documents and Settings\Chris D\Desktop\Old Firefox Data\prefs.j~    JS/SecurityDisabler.A.Gen application    cleaned by deleting - quarantined
C:\Documents and Settings\Chris D\Desktop\Old Firefox Data\extensions\plugin@yontoo.com.xpi    Win32/Adware.Yontoo application    deleted - quarantined
C:\Documents and Settings\Chris D\Desktop\torrent downloads\Corel WinDVD 9.rar    a variant of Win32/Keygen.AF application    deleted - quarantined
C:\Documents and Settings\Chris D\Desktop\torrent downloads\car radio code calculator\Car Radio Universal Code Calculator ©2.2 Keygen.rar    multiple threats    deleted - quarantined
C:\Documents and Settings\Chris D\Desktop\torrent downloads\Windows XP Pro SP3 - Activated\WXPVOL_EN.iso    multiple threats    deleted - quarantined
C:\Documents and Settings\Chris D\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\52\67ddc5b4-65f48022    multiple threats    cleaned by deleting - quarantined
C:\Program Files\ImTOO\MPEG Encoder Platinum\ImTOO MPEG Encoder Ultimate 5.1.37 Build-0723_Patch.exe    Win32/HackTool.Patcher.AC application    cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mrxsmb.sys.vir    a variant of Win32/Rootkit.Kryptik.UI trojan    cleaned by deleting - quarantined
D:\Backup May30 07\Nero-6.6.1.15a.exe    Win32/Toolbar.AskSBar application    deleted - quarantined
E:\Mozilla Backups\Firefox 11.0 (en-GB) - 2012-04-06.pcv    JS/SecurityDisabler.A.Gen application    deleted - quarantined
E:\Mozilla Backups\Firefox 23.0.1 (en-US) - 2013-08-28.pcv    JS/SecurityDisabler.A.Gen application    deleted - quarantined
E:\Mozilla Backups\Firefox 3.6.16 (en-GB) - 2011-04-25.pcv    JS/SecurityDisabler.A.Gen application    deleted - quarantined
E:\Mozilla Backups\Firefox 8.0 (en-GB) - 2011-12-18.pcv    JS/SecurityDisabler.A.Gen application    deleted - quarantined
 

Upon reading the above, the pcv files are created via a utility called MozBackup. What's really disturbing is just how long I've had these infected backups - the first one being circa 2010. The thing is (as these are Firefox backups), where did the infections come from? Also noticed that (after running ComboFix) the cookies subdirectory has disappeared from C:\Documents and Settings\LocalService - addressing my original problem. One thing though - the following were created at the same time:

 

C:\Documents and Settings\LocalService.NT AUTHORITY

C:\Documents and Settings\LocalService.NT AUTHORITY.000

 

Is there any action required (on my part) for the above?

 

Also noticed that the Microsoft security updates have suddenly come through as well - which was welcome.

 

Am wondering if there's anything else that needs doing?

 

Regards


Well, it's been nearly a week since my last message and no reply. This being the case, I can only assume that you guys consider that my issue has been dealt with - to which I can concur. In view of this, I would like to take this opportunity to thank all those involved for their help and advice.

 

Cheers all

 

Regards;

 

Chris (bw41101).


Sorry, I think there may be a misunderstanding on my part, as I was thinking that there was/is no more treatment needed for my PC. If you consider that there is more to do, then yes, we can go ahead. Like I said earlier in this thread, the original problem I had with:

 

C:\Documents and Settings\LocalService\Cookies

 

has gone, i.e. the cookies subdirectory no longer exists and I am receiving security updates from Microsoft.

 

Regards

 

Chris (bw41101)


Oh, okay. In this case, we can clean these tools and I have a recommendation for you.

Step 1

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Step 2
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Uninstall
  • Confirm with Yes
Step 3

Please uninstall ESET Online Scanner .

Step 4

Some malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing! :)



Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.