Jump to content

VuuPC Installer


Recommended Posts

Hi,

 

The VuuPC installer keeps popping up after reboot. We are able to close the window by ending the process (something.tmp) but it keeps returning.

 

Thanks for any guidance....

 

FRST.TXT

----------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-04-2014
Ran by Eileen (administrator) on EILEEN-PC on 28-04-2014 10:27:27
Running from C:\Users\Eileen\Downloads
Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version:
Download link for 64-Bit Version:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(ATI Technologies Inc.) C:\Windows\system32\Ati2evxx.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(ATI Technologies Inc.) C:\Windows\system32\Ati2evxx.exe
(http://yourfiledownloader.com) C:\Program Files\YourFileDownloader Updater\YourFileUpdater.exe
() C:\Users\Eileen\AppData\Local\Mikogo4\Viewer\Service\M4-Service.exe
(New Boundary Technologies, Inc.) C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
() C:\Users\Eileen\AppData\Local\Mikogo4\Viewer\Service\M4-Capture.exe
() C:\Users\Eileen\AppData\Roaming\VOPackage\VOsrv.exe
(Conexant Systems, Inc.) C:\Windows\system32\DRIVERS\xaudio.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Google) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
(McAfee, Inc.) C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
(Nikon Corporation) C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
(Microsoft Corporation) C:\Program Files\Windows Mail\WinMail.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
(Microsoft Corporation) C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe
(Microsoft Corporation) C:\Windows\system32\wuauclt.exe
(                                                            ) C:\Users\Eileen\AppData\Local\Temp\nsi9981.tmp
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Adobe Systems Incorporated) C:\Windows\system32\Macromed\Flash\FlashUtil32_12_0_0_77_ActiveX.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ATICCC] => C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [90112 2006-07-11] ()
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [3784704 2006-11-09] (Realtek Semiconductor)
HKLM\...\Run: [Google Desktop Search] => C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-08-11] (Google)
HKLM\...\Run: [NapsterShell] => C:\Program Files\Napster\napster.exe /systray
HKLM\...\Run: [bigFix] => c:\program files\Bigfix\bigfix.exe /atstartup
HKLM\...\Run: [siteAdvisor] => C:\Program Files\SiteAdvisor\6253\SiteAdv.exe [35928 2006-10-18] (McAfee, Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [286720 2007-10-19] (Apple Inc.)
HKLM\...\Run: [ROC_roc_dec12] => "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
HKLM\...\Run: [MSC] => "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
HKLM\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBJAC0ATgBIADcAQgBWAC0ANgBaAFkAWgBSAC0ARgBLAFAAWQBBAC0AMgA0AEsAVQBQAC0AUwBFAFUATABGAA"&"inst=NwA2AC0ANQAwADQANAAzADIAMAA1ADcALQBCADEALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABLACsAMQAtAFgATwAzADYAKwAxAC0AVABCADkAKwAyAC0ATgAxAEQAKwAxAC0AUABMACsAOQAtAEMASQBBADkAMAArADIALQBDAEkAUAArADIALQBEAEQAVAArADMAOQA5ADAANQAtAEQARAA5ADAAKwAxAC0AUwBUADkAMABBAFAAUAArADEALQBQADkAMABNADEAMgBDACsAMQAtAFUAOQA1ACsAMQAtAFQAQgArADEALQBGAFUASQArADIALQBQADkAMABUAEIAKwAyAA"&"prod=94"&"ver=9.0.894
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3074645540-534623877-3370066440-1000\...\Run: [updateMgr] => C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [313472 2006-03-30] (Adobe Systems Incorporated)
HKU\S-1-5-21-3074645540-534623877-3370066440-1000\...\Run: [Optimizer Pro] => C:\Program Files\Optimizer Pro\OptProLauncher.exe [135128 2014-04-22] (PC Utilities Software Limited)
AppInit_DLLs: avgrsstx.dll => avgrsstx.dll File Not Found
AppInit_DLLs:  c:\progra~1\google\google~1\goec62~1.dll => C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll [123392 2010-08-11] (Google)
AppInit_DLLs:  c:\progra~1\optimi~1\optpro~2.dll => C:\Program Files\Optimizer Pro\OptProCrash.dll [3000792 2014-04-24] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Nikon Monitor.lnk
ShortcutTarget: Nikon Monitor.lnk -> C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
Startup: C:\Users\Eileen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E-mail - Shortcut.lnk
ShortcutTarget: E-mail - Shortcut.lnk ->  (No File)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082
SearchScopes: HKLM - DefaultScope {B9AAA9F3-8C8B-44FE-B740-9CCB4BF17D0D} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex}&startPage={startPage}
SearchScopes: HKLM - {B9AAA9F3-8C8B-44FE-B740-9CCB4BF17D0D} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex}&startPage={startPage}
SearchScopes: HKLM - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKCU - DefaultScope {813451A1-5FC8-4067-8FCA-C7398EC928A8} URL = http://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?gd=&ctid=CT3321541&octid=EB_ORIGINAL_CTID&ISID=M7D8AFB3E-F8E3-42DF-9B07-9B9844465964&SearchSource=58&CUI=&UM=5&UP=SP9F99D655-B567-4BA2-8A34-526C68681F78&q={searchTerms}&SSPV=
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=LhNGnJ8MO4aDIYvF8DdPEV0j09k?q={searchTerms}
SearchScopes: HKCU - {813451A1-5FC8-4067-8FCA-C7398EC928A8} URL = http://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={A719E545-1D2F-4C86-8944-90A31E8388AE}&mid=3bf65070414b09c598e8594b65341c55-2df0726de42e1acb8c097575b5a85d3532acd782〈=us&ds=AVG&pr=pa&d=2011-12-05 05:30:26&v=9.0.0.18&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {B9AAA9F3-8C8B-44FE-B740-9CCB4BF17D0D} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex}&startPage={startPage}
SearchScopes: HKCU - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://search.avg.com/route/?d=4bb0e47c&v=6.10.6.4&i=26&tp=chrome&q={searchTerms}&lng={language}&iy=&ychte=us
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: No Name - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll ()
BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll (Gateway Inc.)
Toolbar: HKLM - McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll ()
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKCU - &Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\Eileen\AppData\Local\Citrix\Plugins\79\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKCU\...\Firefox\Extensions: [{1650a312-02bc-40ee-977e-83f158701739}] - C:\Program Files\SiteAdvisor\6253\FF\
FF Extension: McAfee SiteAdvisor - C:\Program Files\SiteAdvisor\6253\FF\ []

Chrome: 
=======
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
CHR Extension: (Google Wallet) - C:\Users\Eileen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-01]

========================== Services (Whitelisted) =================

R2 ca82e1a5; C:\Program Files\Optimizer Pro\OptProCrashSvc.dll [186496 2014-04-24] ()
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-08-11] (Google)
R2 M4-Service; C:\Users\Eileen\AppData\Local\Mikogo4\Viewer\Service\M4-Service.exe [1008968 2013-05-16] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20472 2012-09-12] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [287824 2012-09-12] (Microsoft Corporation)
R2 PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [65536 2006-12-16] (New Boundary Technologies, Inc.)
R2 vosr; C:\Users\Eileen\AppData\Roaming\VOPackage\VOsrv.exe [355328 2014-04-23] ()
S3 B-Service; C:\Users\Eileen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1T6BNYZ\B-Service.exe [X]

==================== Drivers (Whitelisted) ====================

R1 Cdr4_xp; C:\Windows\system32\Drivers\Cdr4_xp.sys [44288 2005-09-07] (Sonic Solutions)
R1 Cdralw2k; C:\Windows\system32\Drivers\Cdralw2k.sys [24960 2005-09-07] (Sonic Solutions)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
S3 NETw2v32; C:\Windows\System32\DRIVERS\NETw2v32.sys [2589184 2006-11-02] (Intel® Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-28 10:27 - 2014-04-28 10:29 - 00013488 _____ () C:\Users\Eileen\Downloads\FRST.txt
2014-04-28 10:27 - 2014-04-28 10:27 - 00000000 ____D () C:\FRST
2014-04-28 10:26 - 2014-04-28 10:26 - 01049600 _____ (Farbar) C:\Users\Eileen\Downloads\FRST.exe
2014-04-25 15:23 - 2014-04-25 15:24 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-25 15:23 - 2014-04-25 15:23 - 00000899 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-25 15:23 - 2014-04-25 15:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-04-25 15:23 - 2014-04-25 15:23 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-25 15:23 - 2014-04-25 15:23 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-25 15:23 - 2014-04-03 09:51 - 00073432 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-25 15:23 - 2014-04-03 09:51 - 00051416 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-25 15:23 - 2014-04-03 09:50 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-04-25 15:15 - 2014-04-25 15:15 - 00000000 ____D () C:\Users\Eileen\AppData\Local\Mikogo
2014-04-24 14:07 - 2014-04-28 10:25 - 00000887 _____ () C:\Users\Eileen\Desktop\Continue VuuPC Installation.lnk
2014-04-24 14:04 - 2014-04-24 14:04 - 00000000 ____D () C:\Users\Eileen\Documents\Optimizer Pro
2014-04-24 14:04 - 2014-04-24 14:04 - 00000000 ____D () C:\Users\Eileen\AppData\Roaming\Optimizer Pro
2014-04-24 13:59 - 2014-04-24 13:59 - 00000859 _____ () C:\Users\Eileen\Desktop\Optimizer Pro.lnk
2014-04-24 13:59 - 2014-04-24 13:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2
2014-04-24 13:58 - 2014-04-24 13:59 - 00002862 _____ () C:\Users\Eileen\AppData\Roaming\aps.scan.results
2014-04-24 13:58 - 2014-04-24 13:59 - 00001160 _____ () C:\Users\Eileen\AppData\Roaming\aps.scan.quick.results
2014-04-24 13:58 - 2014-04-24 13:59 - 00000318 _____ () C:\Users\Eileen\AppData\Roaming\aps.uninstall.scan.results
2014-04-24 13:58 - 2014-04-24 13:59 - 00000000 ____D () C:\Program Files\Optimizer Pro
2014-04-24 13:58 - 2014-04-24 13:58 - 00000842 _____ () C:\Users\Eileen\Desktop\AnyProtect.lnk
2014-04-24 13:58 - 2014-04-24 13:58 - 00000000 ____D () C:\Users\Eileen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnyProtect PC Backup
2014-04-24 13:58 - 2014-04-24 13:58 - 00000000 ____D () C:\Users\Eileen\AppData\Local\SearchProtect
2014-04-24 13:56 - 2014-04-24 13:58 - 00000004 _____ () C:\end
2014-04-24 13:56 - 2014-04-24 13:58 - 00000000 ____D () C:\Program Files\AnyProtectEx
2014-04-24 13:56 - 2014-04-24 13:56 - 01107304 _____ (AnyProtect.com) C:\Users\Eileen\AppData\Local\nsq35BB.tmp
2014-04-24 13:56 - 2014-04-24 13:56 - 00001760 _____ () C:\Users\Public\Desktop\YourFile Downloader.lnk
2014-04-24 13:56 - 2014-04-24 13:56 - 00000000 ____D () C:\Users\Eileen\AppData\Roaming\VOPackage
2014-04-24 13:56 - 2014-04-24 13:56 - 00000000 ____D () C:\Users\Eileen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage
2014-04-24 13:56 - 2014-04-24 13:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\YourFileDownloader
2014-04-24 13:55 - 2014-04-24 13:56 - 00000000 ____D () C:\Program Files\YourFileDownloader Updater
2014-04-24 13:55 - 2014-04-24 13:55 - 00000000 ____D () C:\Users\Eileen\AppData\Roaming\YourFileDownloader

==================== One Month Modified Files and Folders =======

2014-04-28 10:29 - 2014-04-28 10:27 - 00013488 _____ () C:\Users\Eileen\Downloads\FRST.txt
2014-04-28 10:29 - 2006-12-16 16:37 - 02053547 _____ () C:\Windows\WindowsUpdate.log
2014-04-28 10:27 - 2014-04-28 10:27 - 00000000 ____D () C:\FRST
2014-04-28 10:26 - 2014-04-28 10:26 - 01049600 _____ (Farbar) C:\Users\Eileen\Downloads\FRST.exe
2014-04-28 10:25 - 2014-04-24 14:07 - 00000887 _____ () C:\Users\Eileen\Desktop\Continue VuuPC Installation.lnk
2014-04-28 10:13 - 2012-06-28 18:00 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-28 10:05 - 2012-10-29 09:51 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-28 10:01 - 2006-11-02 05:33 - 00703516 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-28 09:54 - 2012-06-28 18:00 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-28 09:54 - 2006-11-02 07:45 - 00003168 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-28 09:54 - 2006-11-02 07:45 - 00003168 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-28 09:53 - 2006-12-16 17:17 - 00125090 _____ () C:\Windows\PFRO.log
2014-04-28 09:53 - 2006-11-02 07:58 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-28 09:53 - 2006-11-02 06:18 - 00000000 ___RD () C:\Windows\Offline Web Pages
2014-04-28 09:52 - 2006-11-02 07:58 - 00032594 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-04-25 15:26 - 2013-05-16 16:44 - 00000132 _____ () C:\Users\Eileen\Desktop\Mikogo.url
2014-04-25 15:24 - 2014-04-25 15:23 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-25 15:23 - 2014-04-25 15:23 - 00000899 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-25 15:23 - 2014-04-25 15:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-04-25 15:23 - 2014-04-25 15:23 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-25 15:23 - 2014-04-25 15:23 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-25 15:15 - 2014-04-25 15:15 - 00000000 ____D () C:\Users\Eileen\AppData\Local\Mikogo
2014-04-25 15:15 - 2010-03-29 12:17 - 00000000 ____D () C:\Users\Eileen\Documents\Mikogo
2014-04-25 11:20 - 2012-10-29 09:53 - 00001971 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-04-24 14:04 - 2014-04-24 14:04 - 00000000 ____D () C:\Users\Eileen\Documents\Optimizer Pro
2014-04-24 14:04 - 2014-04-24 14:04 - 00000000 ____D () C:\Users\Eileen\AppData\Roaming\Optimizer Pro
2014-04-24 13:59 - 2014-04-24 13:59 - 00000859 _____ () C:\Users\Eileen\Desktop\Optimizer Pro.lnk
2014-04-24 13:59 - 2014-04-24 13:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2
2014-04-24 13:59 - 2014-04-24 13:58 - 00002862 _____ () C:\Users\Eileen\AppData\Roaming\aps.scan.results
2014-04-24 13:59 - 2014-04-24 13:58 - 00001160 _____ () C:\Users\Eileen\AppData\Roaming\aps.scan.quick.results
2014-04-24 13:59 - 2014-04-24 13:58 - 00000318 _____ () C:\Users\Eileen\AppData\Roaming\aps.uninstall.scan.results
2014-04-24 13:59 - 2014-04-24 13:58 - 00000000 ____D () C:\Program Files\Optimizer Pro
2014-04-24 13:58 - 2014-04-24 13:58 - 00000842 _____ () C:\Users\Eileen\Desktop\AnyProtect.lnk
2014-04-24 13:58 - 2014-04-24 13:58 - 00000000 ____D () C:\Users\Eileen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnyProtect PC Backup
2014-04-24 13:58 - 2014-04-24 13:58 - 00000000 ____D () C:\Users\Eileen\AppData\Local\SearchProtect
2014-04-24 13:58 - 2014-04-24 13:56 - 00000004 _____ () C:\end
2014-04-24 13:58 - 2014-04-24 13:56 - 00000000 ____D () C:\Program Files\AnyProtectEx
2014-04-24 13:56 - 2014-04-24 13:56 - 01107304 _____ (AnyProtect.com) C:\Users\Eileen\AppData\Local\nsq35BB.tmp
2014-04-24 13:56 - 2014-04-24 13:56 - 00001760 _____ () C:\Users\Public\Desktop\YourFile Downloader.lnk
2014-04-24 13:56 - 2014-04-24 13:56 - 00000000 ____D () C:\Users\Eileen\AppData\Roaming\VOPackage
2014-04-24 13:56 - 2014-04-24 13:56 - 00000000 ____D () C:\Users\Eileen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage
2014-04-24 13:56 - 2014-04-24 13:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\YourFileDownloader
2014-04-24 13:56 - 2014-04-24 13:55 - 00000000 ____D () C:\Program Files\YourFileDownloader Updater
2014-04-24 13:55 - 2014-04-24 13:55 - 00000000 ____D () C:\Users\Eileen\AppData\Roaming\YourFileDownloader
2014-04-22 14:28 - 2007-04-12 13:47 - 00025928 _____ () C:\Users\Eileen\AppData\Roaming\wklnhst.dat
2014-04-03 09:51 - 2014-04-25 15:23 - 00073432 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-03 09:51 - 2014-04-25 15:23 - 00051416 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-03 09:50 - 2014-04-25 15:23 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

ZeroAccess:
C:\Windows\Installer\{a1dff535-8c3b-104b-481c-8ceb9be89fd0}

Files to move or delete:
====================
C:\ProgramData\PKP_DLdu.DAT


Some content of TEMP:
====================
C:\Users\Eileen\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Eileen\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Eileen\AppData\Local\Temp\G2MCoreInstExtractor.exe
C:\Users\Eileen\AppData\Local\Temp\G2MInstallerExtractor.exe
C:\Users\Eileen\AppData\Local\Temp\htmlayout.dll
C:\Users\Eileen\AppData\Local\Temp\npappdetector.dll
C:\Users\Eileen\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Eileen\AppData\Local\Temp\setup.exe
C:\Users\Eileen\AppData\Local\Temp\toolbar2674293230.exe
C:\Users\Eileen\AppData\Local\Temp\toolbar2674302426.exe
C:\Users\Eileen\AppData\Local\Temp\toolbar2674319718.exe
C:\Users\Eileen\AppData\Local\Temp\toolbar2674325128.exe
C:\Users\Eileen\AppData\Local\Temp\Uninstall.exe
C:\Users\Eileen\AppData\Local\Temp\vp.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-04-28 10:00

==================== End Of Log ============================

 

 

addition.txt

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Hello and :welcome:

Please read the following and post back the logs when ready.

General P2P/Piracy Warning:
 

 
If you're using
Peer 2 Peer
software such as
uTorrent, BitTorrent
or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have
illegal/cracked software, cracks, keygens etc
. on the system, please remove or uninstall them now and read the policy on
Piracy
.




Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.
  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

    [*]Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive [*]Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you. [*]The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone. [*]Perform everything in the correct order. Sometimes one step requires the previous one. [*]If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue. [*]You can check here if you're not sure if your computer is 32-bit or 64-bit [*]Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners. [*]When we are done, I'll give you instructions on how to cleanup all the tools and logs [*]Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. [*]Your topic will be closed if you haven't replied within 3 days [*](If I have not responded within 24 hours, please send me a Private Message as a reminder)


STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.
 


Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.

STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.
  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.

    [*]Make sure that at least the first two check boxes are selected. [*]Click on OK [*]Then click on YES to create the folder. [*]Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe


STEP 02
Please run a Threat Scan with MBAM.  If you're unable to run or complete the scan as shown below please see the following:  MBAM Clean Removal Process 2x
When reinstalling the program please try the latest beta version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.
 
 
STEP 03
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User Licene Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.


 
Thank you
 

Link to post
Share on other sites

Thank you! Here are the results:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 

Protection, 4/25/2014 3:23:59 PM, SYSTEM, EILEEN-PC, Protection, Malware Protection, Starting, 
Protection, 4/25/2014 3:23:59 PM, SYSTEM, EILEEN-PC, Protection, Malware Protection, Started, 
Protection, 4/25/2014 3:23:59 PM, SYSTEM, EILEEN-PC, Protection, Malicious Website Protection, Starting, 
Update, 4/25/2014 3:24:06 PM, SYSTEM, EILEEN-PC, Manual, Rootkit Database, 2014.2.20.1, 2014.3.27.1, 
Update, 4/25/2014 3:24:12 PM, SYSTEM, EILEEN-PC, Manual, Malware Database, 2014.3.4.9, 2014.4.25.10, 
Protection, 4/25/2014 3:24:17 PM, SYSTEM, EILEEN-PC, Protection, Refresh, Starting, 
Protection, 4/25/2014 3:24:18 PM, SYSTEM, EILEEN-PC, Protection, Malicious Website Protection, Started, 
Protection, 4/25/2014 3:24:18 PM, SYSTEM, EILEEN-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 4/25/2014 3:24:19 PM, SYSTEM, EILEEN-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 4/25/2014 3:24:29 PM, SYSTEM, EILEEN-PC, Protection, Refresh, Success, 
Protection, 4/25/2014 3:24:29 PM, SYSTEM, EILEEN-PC, Protection, Malicious Website Protection, Starting, 
Protection, 4/25/2014 3:24:30 PM, SYSTEM, EILEEN-PC, Protection, Malicious Website Protection, Started, 
Protection, 4/25/2014 3:24:31 PM, SYSTEM, EILEEN-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 4/25/2014 3:24:32 PM, SYSTEM, EILEEN-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 4/25/2014 3:24:32 PM, SYSTEM, EILEEN-PC, Protection, Malware Protection, Stopping, 
Protection, 4/25/2014 3:24:32 PM, SYSTEM, EILEEN-PC, Protection, Malware Protection, Stopped,
 
(end)
 
RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software

mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Eileen [Admin rights]
Mode : Scan -- Date : 05/12/2014 13:47:17
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[sUSP PATH] M4-Service.exe -- C:\Users\Eileen\AppData\Local\Mikogo4\Viewer\Service\M4-Service.exe [7] -> KILLED [TermProc]
[sUSP PATH] M4-Capture.exe -- C:\Users\Eileen\AppData\Local\Mikogo4\Viewer\Service\M4-Capture.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] U : C:\Windows\Installer\{a1dff535-8c3b-104b-481c-8ceb9be89fd0}\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\Windows\Installer\{a1dff535-8c3b-104b-481c-8ceb9be89fd0}\L [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] EAT @explorer.exe (AddGadgetMessageHandler) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A152C)
[Address] EAT @explorer.exe (AttachWndProcA) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC80A)
[Address] EAT @explorer.exe (AttachWndProcW) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459DD2C)
[Address] EAT @explorer.exe (AutoTrace) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A7041)
[Address] EAT @explorer.exe (BeginTransition) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC9A7)
[Address] EAT @explorer.exe (BuildAnimation) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A1135)
[Address] EAT @explorer.exe (BuildDropTarget) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A7131)
[Address] EAT @explorer.exe (BuildInterpolation) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A118C)
[Address] EAT @explorer.exe (CreateAction) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74597339)
[Address] EAT @explorer.exe (CreateGadget) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74595197)
[Address] EAT @explorer.exe (CreateTransition) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC83A)
[Address] EAT @explorer.exe (DUserBuildGadget) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB7E8)
[Address] EAT @explorer.exe (DUserCastClass) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC776)
[Address] EAT @explorer.exe (DUserCastDirect) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC7B9)
[Address] EAT @explorer.exe (DUserCastHandle) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB81E)
[Address] EAT @explorer.exe (DUserDeleteGadget) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB9C1)
[Address] EAT @explorer.exe (DUserFindClass) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC6E7)
[Address] EAT @explorer.exe (DUserFlushDeferredMessages) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A0020)
[Address] EAT @explorer.exe (DUserFlushMessages) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A0096)
[Address] EAT @explorer.exe (DUserGetAlphaPRID) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A78FD)
[Address] EAT @explorer.exe (DUserGetGutsData) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC7C9)
[Address] EAT @explorer.exe (DUserGetRectPRID) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A7908)
[Address] EAT @explorer.exe (DUserGetRotatePRID) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A7913)
[Address] EAT @explorer.exe (DUserGetScalePRID) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A791E)
[Address] EAT @explorer.exe (DUserInstanceOf) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC735)
[Address] EAT @explorer.exe (DUserPostEvent) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459630F)
[Address] EAT @explorer.exe (DUserPostMethod) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB639)
[Address] EAT @explorer.exe (DUserRegisterGuts) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459A5B1)
[Address] EAT @explorer.exe (DUserRegisterStub) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74599F93)
[Address] EAT @explorer.exe (DUserRegisterSuper) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459B046)
[Address] EAT @explorer.exe (DUserSendEvent) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74593258)
[Address] EAT @explorer.exe (DUserSendMethod) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB5B0)
[Address] EAT @explorer.exe (DUserStopAnimation) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A84E4)
[Address] EAT @explorer.exe (DeleteHandle) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74593EF8)
[Address] EAT @explorer.exe (DetachWndProc) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459657D)
[Address] EAT @explorer.exe (DllMain) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745976F9)
[Address] EAT @explorer.exe (DrawGadgetTree) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC646)
[Address] EAT @explorer.exe (EndTransition) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ACA90)
[Address] EAT @explorer.exe (EnumGadgets) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC30F)
[Address] EAT @explorer.exe (FindGadgetFromPoint) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74596DA8)
[Address] EAT @explorer.exe (FindGadgetMessages) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC19D)
[Address] EAT @explorer.exe (FindStdColor) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459DC66)
[Address] EAT @explorer.exe (FireGadgetMessages) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC06B)
[Address] EAT @explorer.exe (ForwardGadgetMessage) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A1CB5)
[Address] EAT @explorer.exe (GetActionTimeslice) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ACB05)
[Address] EAT @explorer.exe (GetDebug) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A705D)
[Address] EAT @explorer.exe (GetGadget) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC527)
[Address] EAT @explorer.exe (GetGadgetAnimation) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74597083)
[Address] EAT @explorer.exe (GetGadgetBufferInfo) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A2D45)
[Address] EAT @explorer.exe (GetGadgetCenterPoint) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ABE6F)
[Address] EAT @explorer.exe (GetGadgetFocus) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459CE28)
[Address] EAT @explorer.exe (GetGadgetMessageFilter) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC5BA)
[Address] EAT @explorer.exe (GetGadgetProperty) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74597135)
[Address] EAT @explorer.exe (GetGadgetRect) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74592D8E)
[Address] EAT @explorer.exe (GetGadgetRgn) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459540A)
[Address] EAT @explorer.exe (GetGadgetRootInfo) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ABFBB)
[Address] EAT @explorer.exe (GetGadgetRotation) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ABD35)
[Address] EAT @explorer.exe (GetGadgetScale) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ABBE9)
[Address] EAT @explorer.exe (GetGadgetSize) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC3CA)
[Address] EAT @explorer.exe (GetGadgetStyle) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A232C)
[Address] EAT @explorer.exe (GetGadgetTicket) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459C94F)
[Address] EAT @explorer.exe (GetMessageExA) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459F459)
[Address] EAT @explorer.exe (GetMessageExW) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB6C3)
[Address] EAT @explorer.exe (GetStdColorBrushF) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ACBEA)
[Address] EAT @explorer.exe (GetStdColorBrushI) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74592C3B)
[Address] EAT @explorer.exe (GetStdColorF) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ACE45)
[Address] EAT @explorer.exe (GetStdColorI) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459FAF7)
[Address] EAT @explorer.exe (GetStdColorName) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ACD46)
[Address] EAT @explorer.exe (GetStdColorPenF) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ACCD2)
[Address] EAT @explorer.exe (GetStdColorPenI) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ACC5E)
[Address] EAT @explorer.exe (GetStdPalette) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB82E)
[Address] EAT @explorer.exe (GetTransitionInterface) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC933)
[Address] EAT @explorer.exe (InitGadgetComponent) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB8BE)
[Address] EAT @explorer.exe (InitGadgets) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459E373)
[Address] EAT @explorer.exe (InvalidateGadget) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74593DE5)
[Address] EAT @explorer.exe (IsGadgetParentChainStyle) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ABA7F)
[Address] EAT @explorer.exe (IsInsideContext) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB56C)
[Address] EAT @explorer.exe (IsStartDelete) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A121D)
[Address] EAT @explorer.exe (LookupGadgetTicket) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ACDBC)
[Address] EAT @explorer.exe (MapGadgetPoints) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A3861)
[Address] EAT @explorer.exe (PeekMessageExA) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB710)
[Address] EAT @explorer.exe (PeekMessageExW) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB75E)
[Address] EAT @explorer.exe (PlayTransition) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC8B0)
[Address] EAT @explorer.exe (PrintTransition) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ACA1C)
[Address] EAT @explorer.exe (RegisterGadgetMessage) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74597BA3)
[Address] EAT @explorer.exe (RegisterGadgetMessageString) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC149)
[Address] EAT @explorer.exe (RegisterGadgetProperty) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74597D5D)
[Address] EAT @explorer.exe (RemoveGadgetMessageHandler) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC21A)
[Address] EAT @explorer.exe (RemoveGadgetProperty) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A0DEE)
[Address] EAT @explorer.exe (SetActionTimeslice) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ACB82)
[Address] EAT @explorer.exe (SetGadgetBufferInfo) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A2C09)
[Address] EAT @explorer.exe (SetGadgetCenterPoint) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ABF0A)
[Address] EAT @explorer.exe (SetGadgetFillF) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ABB47)
[Address] EAT @explorer.exe (SetGadgetFillI) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A2149)
[Address] EAT @explorer.exe (SetGadgetFocus) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459CEBB)
[Address] EAT @explorer.exe (SetGadgetFocusEx) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A3188)
[Address] EAT @explorer.exe (SetGadgetMessageFilter) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74595A70)
[Address] EAT @explorer.exe (SetGadgetOrder) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC45D)
[Address] EAT @explorer.exe (SetGadgetParent) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745955F8)
[Address] EAT @explorer.exe (SetGadgetProperty) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745A1284)
[Address] EAT @explorer.exe (SetGadgetRect) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74595305)
[Address] EAT @explorer.exe (SetGadgetRootInfo) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x7459E857)
[Address] EAT @explorer.exe (SetGadgetRotation) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ABDC9)
[Address] EAT @explorer.exe (SetGadgetScale) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ABC84)
[Address] EAT @explorer.exe (SetGadgetStyle) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x74594C48)
[Address] EAT @explorer.exe (UninitGadgetComponent) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB93F)
[Address] EAT @explorer.exe (UnregisterGadgetMessage) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC171)
[Address] EAT @explorer.exe (UnregisterGadgetMessageString) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC149)
[Address] EAT @explorer.exe (UnregisterGadgetProperty) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AC2E3)
[Address] EAT @explorer.exe (UtilBuildFont) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB83A)
[Address] EAT @explorer.exe (UtilDrawBlendRect) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB84A)
[Address] EAT @explorer.exe (UtilDrawOutlineRect) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB85A)
[Address] EAT @explorer.exe (UtilGetColor) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB86A)
[Address] EAT @explorer.exe (UtilSetBackground) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745ACD78)
[Address] EAT @explorer.exe (WaitMessageEx) : WINTRUST.dll -> HOOKED (C:\Windows\system32\DUser.dll @ 0x745AB7AC)
[Address] IAT @iexplore.exe (SHGetValueW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6CCA4927)
[Address] IAT @iexplore.exe (SHRegGetValueW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6CCA4984)
[Address] IAT @iexplore.exe (SHSetValueW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6CCC2BC2)
[Address] IAT @iexplore.exe (PathIsURLW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6CCAFA79)
[Address] IAT @iexplore.exe (SHGetValueW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6CCA4927)
[Address] IAT @iexplore.exe (SHRegGetValueW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6CCA4984)
[Address] IAT @iexplore.exe (SHSetValueW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6CCC2BC2)
[Address] IAT @iexplore.exe (PathIsURLW) : SHLWAPI.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6CCAFA79)

¤¤¤ External Hives: ¤¤¤
-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - x:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost
::1             localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST3160212A ATA Device +++++
--- User ---
[MBR] 63722a15bdbcee31dd06a1707dbedbf8
[bSP] 107bb2816be0d452767ea2321ea18ee1 : Legit.B MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 8714 MB
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 17848215 | Size: 143910 MB
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) Generic USB SD Reader USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) Generic USB CF Reader USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ USB) Generic USB SM Reader USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive4: (\\.\PHYSICALDRIVE4 @ USB) Generic USB MS Reader USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_S_05122014_134717.txt >>

Link to post
Share on other sites

  • Root Admin

Thank you, Please go ahead and run through the following steps and post back the logs when ready.
 
STEP 04
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus


STEP 05
Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.


STEP 06
Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.


STEP 07
button_eos.gif

Please go here to run the online antivirus scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology


    [*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.


STEP 08
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Link to post
Share on other sites

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows Vista Home Basic x86
Ran by Eileen on Thu 05/15/2014 at  9:51:15.20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 

~~~ Services
 
 
 
~~~ Registry Values
 
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\optimizer pro
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\optimizer pro
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yourfiledownloader
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\searchprotect
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\yourfiledownloader
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\optimizer pro_is1
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{856BD941-ABFE-4E28-CEFA-AD73FE12B95B}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{856BD941-ABFE-4E28-CEFA-AD73FE12B95B}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{856BD941-ABFE-4E28-CEFA-AD73FE12B95B}
 
 
 
~~~ Files
 
Successfully deleted: [File] "C:\Windows\System32\Tasks\YourFile DownloaderUpdate"
Successfully deleted: [File] "C:\end"
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\Eileen\AppData\Roaming\optimizer pro"
Successfully deleted: [Folder] "C:\Users\Eileen\AppData\Roaming\yourfiledownloader"
Successfully deleted: [Folder] "C:\Users\Eileen\Local Settings\Application Data\searchprotect"
Successfully deleted: [Folder] "C:\Program Files\bigfix"
Successfully deleted: [Folder] "C:\Program Files\optimizer pro"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\optimizer pro v3.2"
Successfully deleted: [Folder] "C:\Users\Eileen\documents\optimizer pro"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 05/15/2014 at  9:59:42.83
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
# AdwCleaner v3.208 - Report created 15/05/2014 at 13:30:49
# Updated 11/05/2014 by Xplode
# Operating System : Windows Vista Home Basic Service Pack 2 (32 bits)
# Username : Eileen - EILEEN-PC
# Running from : C:\Users\Eileen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DU4OZXMS\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
[#] Service Deleted : ca82e1a5
Service Deleted : vosr
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\saverneT
Folder Deleted : C:\Program Files\AnyProtectEx
Folder Deleted : C:\Program Files\YourFileDownloader Updater
Folder Deleted : C:\Users\Eileen\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\Eileen\AppData\Roaming\VOPackage
Folder Deleted : C:\Users\Eileen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnyProtect PC Backup
Folder Deleted : C:\Users\Eileen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage
File Deleted : C:\Users\Public\Desktop\YourFile Downloader.lnk
File Deleted : C:\Users\Eileen\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Users\Eileen\AppData\Roaming\aps.scan.quick.results
File Deleted : C:\Users\Eileen\AppData\Roaming\aps.scan.results
File Deleted : C:\Users\Eileen\AppData\Roaming\aps.uninstall.scan.results
File Deleted : C:\Users\Eileen\Desktop\AnyProtect.lnk
File Deleted : C:\Users\Eileen\Desktop\Continue VuuPC Installation.lnk
File Deleted : C:\Users\Eileen\Desktop\Optimizer Pro.lnk
 
***** [ Shortcuts ] *****
 

***** [ Registry ] *****
 
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D9CE68B6-8119-4532-984F-2AEF0B909D21}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D9CE68B6-8119-4532-984F-2AEF0B909D21}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Key Deleted : HKCU\Software\AnyProtect
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{614925F9-841A-53FE-A28F-DC30FA07239B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnyProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16545
 

-\\ Google Chrome v34.0.1847.131
 
[ File : C:\Users\Eileen\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [3593 octets] - [15/05/2014 13:27:26]
AdwCleaner[s0].txt - [3594 octets] - [15/05/2014 13:30:49]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [3654 octets] ##########
 

Malwarebytes Anti-Malware

www.malwarebytes.org

Update, 5/15/2014 2:17:33 PM, SYSTEM, EILEEN-PC, Manual, Malware Database, 2014.5.12.6, 2014.5.15.14,

(end)

 

We had some trouble with ESET. I have some screen shots attached here - along with the Farbar logs

 

Thanks!

 

Addition.txt

post-162190-0-09477000-1400537677_thumb.

post-162190-0-70610800-1400537678_thumb.

post-162190-0-95466100-1400537679_thumb.

FRST.txt

Link to post
Share on other sites

  • Root Admin

Please go into Control Panel, Add/Remove and uninstall ALL versions of Java and then run the following
 
Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

 

 

Next run this and when done make sure to restart the computer.
 
Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

 

After the restart please run the following

 

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 

 

Link to post
Share on other sites

  • 5 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.