
System Security 2012



I had the System Security 2012 virus on my system today; I was able to run Malwarebytes and remove it. The problem now is I am getting pop-ups from my system tray saying Malwarebytes Anti-Malware has successfully blocked an IP address. My Internet Explorer keeps freezing and only the 64-bit version works. I was running 32-bit and it worked fine until I got the virus. The Tools button also does not work for Internet Explorer; if I click on it, Explorer will freeze and crash. I am running Windows 7. If anyone could help I would be very thankful.


Hello and welcome. Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any underlined text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.

Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr

DDS.com

DDS.pif

  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.

---------------------------------------------------

  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.

Please include the following in your next post:

  • DDS.txt and Attach.txt logs


.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514

Run by April Lovell at 23:08:55 on 2011-11-11

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2013.898 [GMT -5:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}

SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\LSI SoftModem\agr64svc.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Spyware Doctor\BDT\BDTUpdateService.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files (x86)\CrossriderWebApps\Crossrider.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe

c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe

C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe

C:\Program Files (x86)\Secunia\PSI\PSIA.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe

C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe

C:\Program Files (x86)\Spyware Doctor\pctsTray.exe

C:\Program Files (x86)\Secunia\PSI\psi_tray.exe

C:\Windows\system32\SearchIndexer.exe

c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Secunia\PSI\sua.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\DllHost.exe

C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Windows Live\Mail\wlmail.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10x_ActiveX.exe

C:\Program Files (x86)\Spyware Doctor\upgrade.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - C:\Program Files (x86)\Spyware Doctor\BDT\PCTBrowserDefender.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - C:\Program Files (x86)\Spyware Doctor\BDT\PCTBrowserDefender.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [CrossRiderPlugin] C:\Program Files (x86)\CrossriderWebApps\Crossrider.exe

mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe

mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun: [iSTray] "C:\Program Files (x86)\Spyware Doctor\pctsTray.exe"

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL

LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.254.254 192.168.254.254

TCP: Interfaces\{771E7F86-6D01-4A6E-A7F1-C7604A55984C} : DhcpNameServer = 192.168.254.254 192.168.254.254

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: PC Tools Browser Guard BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files (x86)\Spyware Doctor\BDT\PCTBrowserDefender.dll

BHO-X64: Browser Defender BHO - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO-X64: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll

TB-X64: PC Tools Browser Guard: {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files (x86)\Spyware Doctor\BDT\PCTBrowserDefender.dll

TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

mRun-x64: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe

mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun-x64: [iSTray] "C:\Program Files (x86)\Spyware Doctor\pctsTray.exe"

.

============= SERVICES / DRIVERS ===============

.

R0 PCTCore;PCTools KDS;C:\Windows\system32\drivers\PCTCore64.sys --> C:\Windows\system32\drivers\PCTCore64.sys [?]

R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]

R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]

R2 Browser Defender Update Service;Browser Defender Update Service;C:\Program Files (x86)\Spyware Doctor\BDT\BDTUpdateService.exe [2011-11-11 112592]

R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]

R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]

R2 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe [2011-11-11 366840]

R2 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe [2011-11-11 1142224]

R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-10-14 994360]

R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-10-14 399416]

R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]

R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]

R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]

R3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2010-12-3 136360]

S2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2010-12-3 269480]

S2 AviraUpgradeService;Avira Upgrade Service;"C:\Windows\TEMP\AVSETUP_4eba6d90\avupgsvc.exe" /TEMPSTART:""C:\Windows\TEMP\AVSETUP_4eba6d90\setup.exe" /NOTEMPCLEANUP /CROSSUPGRADE" --> C:\Windows\TEMP\AVSETUP_4eba6d90\avupgsvc.exe [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2011-11-12 04:00:53 -------- d-----w- C:\Users\April Lovell\AppData\Local\{2E3C21A2-9597-4EDA-96E8-F6822650000D}

2011-11-12 04:00:42 -------- d-----w- C:\Users\April Lovell\AppData\Local\{F03CD1E0-BD5E-4207-AF45-F8FB9907608F}

2011-11-12 03:45:29 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0FCA783E-9CCD-4404-9960-3540FF454F1B}\offreg.dll

2011-11-12 03:45:28 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0FCA783E-9CCD-4404-9960-3540FF454F1B}\mpengine.dll

2011-11-11 19:11:53 -------- d-----w- C:\ProgramData\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}

2011-11-11 18:41:35 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\Malwarebytes

2011-11-11 18:41:17 -------- d-----w- C:\ProgramData\Malwarebytes

2011-11-11 18:41:12 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-11-11 18:41:11 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-11-11 18:28:11 767952 ----a-w- C:\Windows\BDTSupport.dll

2011-11-11 18:28:10 149456 ----a-w- C:\Windows\SGDetectionTool.dll

2011-11-11 18:28:09 165840 ----a-w- C:\Windows\PCTBDRes.dll

2011-11-11 18:28:09 1652688 ----a-w- C:\Windows\PCTBDCore.dll

2011-11-11 18:22:52 -------- d-----w- C:\Users\April Lovell\AppData\Local\PackageAware

2011-11-11 18:17:02 306648 ----a-w- C:\Windows\System32\drivers\pctgntdi64.sys

2011-11-11 18:17:02 133072 ----a-w- C:\Windows\System32\drivers\pctwfpfilter64.sys

2011-11-11 18:16:56 233488 ----a-w- C:\Windows\System32\drivers\PCTCore64.sys

2011-11-11 18:16:43 92896 ----a-w- C:\Windows\System32\drivers\pctplsg64.sys

2011-11-11 18:15:56 -------- d-----w- C:\Program Files (x86)\Spyware Doctor

2011-11-11 18:07:44 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\fzcD4sd8hVzADFG

2011-11-11 18:07:43 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\Gbaf8hrtyiFmJ

2011-11-11 17:01:24 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\h7L9gXjYCkVzt0S

2011-11-11 17:01:23 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\nuv2b45sdf9RqUk

2011-11-11 16:38:17 -------- d-----w- C:\Windows\SysWow64\Adobe

2011-11-11 16:31:34 525544 ----a-w- C:\Windows\System32\deployJava1.dll

2011-11-11 16:22:19 -------- d-----w- C:\Users\April Lovell\AppData\Local\Secunia PSI

2011-11-11 16:22:13 -------- d-----w- C:\Program Files (x86)\Secunia

2011-11-11 14:52:19 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\Z7fEL8gZq

2011-11-11 14:52:19 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\SeOuDaKgCOubG6W

2011-11-11 14:52:17 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\D7799

2011-11-11 14:52:06 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\YdEK8fRZ9YwUeIt

2011-11-11 14:52:05 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\Zvo4HWd8ZhwUeOt

2011-11-11 14:52:03 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\F40D7

2011-11-11 14:52:03 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\ayAvi3naHKru2

2011-11-11 14:52:00 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\zVl0ycA1iDoFpHs

2011-11-10 20:57:53 -------- d-----w- C:\Users\April Lovell\AppData\Local\{A28CAFBB-EA74-4290-95E8-44A5686A9711}

2011-11-10 20:57:42 -------- d-----w- C:\Users\April Lovell\AppData\Local\{F5A60FA0-18BF-4ECF-A689-2ACA57370A70}

2011-11-09 22:32:08 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-11-09 19:30:13 -------- d-----w- C:\Users\April Lovell\AppData\Local\{B4E64B5D-98D6-4A3E-B584-59037301516D}

2011-11-09 19:30:02 -------- d-----w- C:\Users\April Lovell\AppData\Local\{518C7D66-AA91-4A37-A54D-02687F3AAD21}

2011-11-09 17:32:00 -------- d-----w- C:\Program Files (x86)\Coupons

2011-11-09 03:42:08 -------- d-----w- C:\ProgramData\{D3B41B92-9BC2-43EB-916A-4FA9E8191837}

2011-11-09 02:11:39 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2011-11-09 02:05:59 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll

2011-11-09 02:05:58 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll

2011-11-09 02:01:29 3144704 ----a-w- C:\Windows\System32\win32k.sys

2011-11-09 01:51:22 1188864 ----a-w- C:\Windows\System32\wininet.dll

2011-11-09 01:51:08 1013248 ----a-w- C:\Program Files\Internet Explorer\iedvtool.dll

2011-11-09 01:51:04 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2011-11-09 01:51:03 860672 ----a-w- C:\Program Files (x86)\Internet Explorer\iedvtool.dll

2011-11-09 01:45:38 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax

2011-11-09 01:45:38 613888 ----a-w- C:\Windows\System32\psisdecd.dll

2011-11-09 01:45:37 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll

2011-11-09 01:45:34 108032 ----a-w- C:\Windows\System32\psisrndr.ax

2011-11-09 01:43:43 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8649BBB1-2D48-42D8-AC45-C5B5BFC9D0D3}\gapaengine.dll

2011-11-09 01:43:18 6144 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll

2011-11-09 01:43:18 6144 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll

2011-11-09 01:38:53 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client

2011-11-09 01:38:41 -------- d-----w- C:\Program Files\Microsoft Security Client

2011-11-09 01:38:21 861696 ----a-w- C:\Windows\System32\oleaut32.dll

2011-11-09 01:38:21 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll

2011-11-09 01:38:21 331776 ----a-w- C:\Windows\System32\oleacc.dll

2011-11-09 01:38:21 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll

2011-11-09 01:07:48 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\Sammsoft

2011-11-09 01:02:49 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{00A399FA-E597-4B72-BA2E-CA9BD637B031}\mpengine.dll

2011-11-09 01:00:18 -------- d-----w- C:\ProgramData\Avira

2011-11-08 23:18:36 -------- d-----w- C:\ProgramData\STOPzilla!

2011-11-08 21:53:26 -------- d-----w- C:\Program Files (x86)\ESET

2011-11-08 20:47:18 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\PC Tools

2011-11-08 20:47:18 -------- d-----w- C:\Program Files (x86)\PC Tools Security

2011-11-08 20:47:18 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools

2011-11-08 20:43:56 -------- d-----w- C:\ProgramData\PC Tools

2011-11-08 18:53:46 -------- d-----we C:\Windows\system64

2011-11-08 18:53:38 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\KTTZZqhYCwkUVlx

2011-11-08 18:53:25 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\aLL88gRRZwUelBz

2011-11-08 18:53:23 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\RgqCIlN01DoGm6W

2011-11-08 18:53:22 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\FbFp5Q6WR9XUNAv

2011-11-08 18:53:20 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\wiD4J9hXVe

2011-11-08 15:08:49 -------- d-----w- C:\Users\April Lovell\AppData\Local\{E27CE8B0-1E76-499C-BAA1-D403B09D3758}

2011-11-08 15:08:38 -------- d-----w- C:\Users\April Lovell\AppData\Local\{B3E81474-8975-4161-B7DB-D28F666E32CC}

2011-11-07 22:14:57 -------- d-----w- C:\Users\April Lovell\AppData\Local\{376F015E-544D-42D9-91CB-F7913496BA20}

2011-11-07 22:14:44 -------- d-----w- C:\Users\April Lovell\AppData\Local\{9CD0DB94-BCB5-4F7B-A168-062BAE6925FE}

2011-11-07 22:11:58 -------- d-----w- C:\ProgramData\EA Core

2011-11-07 22:10:42 -------- d-----w- C:\Program Files (x86)\Microsoft WSE

2011-11-07 16:15:39 -------- d-----w- C:\Program Files (x86)\Origin Games

.

==================== Find3M ====================

.

2011-11-11 16:44:14 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2011-11-11 16:36:58 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-01 03:25:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2011-10-01 02:42:56 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

.

============= FINISH: 23:11:42.23 ===============


aprillovell01:

Please do this next:

Download ComboFix from either of the links below, and save it to your desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.


Please include the following in your next post:

  • ComboFix log


aprillovell01:

Please do this next:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Folder::

Folder::
c:\users\April Lovell\AppData\Roaming\fzcD4sd8hVzADFG
c:\users\April Lovell\AppData\Roaming\Gbaf8hrtyiFmJ
c:\users\April Lovell\AppData\Roaming\h7L9gXjYCkVzt0S
c:\users\April Lovell\AppData\Roaming\nuv2b45sdf9RqUk
c:\users\April Lovell\AppData\Roaming\Z7fEL8gZq
c:\users\April Lovell\AppData\Roaming\SeOuDaKgCOubG6W
c:\users\April Lovell\AppData\Roaming\D7799
c:\users\April Lovell\AppData\Roaming\YdEK8fRZ9YwUeIt
c:\users\April Lovell\AppData\Roaming\Zvo4HWd8ZhwUeOt
c:\users\April Lovell\AppData\Roaming\F40D7
c:\users\April Lovell\AppData\Roaming\ayAvi3naHKru2
c:\users\April Lovell\AppData\Roaming\zVl0ycA1iDoFpHs
c:\users\April Lovell\AppData\Roaming\KTTZZqhYCwkUVlx
c:\users\April Lovell\AppData\Roaming\aLL88gRRZwUelBz
c:\users\April Lovell\AppData\Roaming\RgqCIlN01DoGm6W
c:\users\April Lovell\AppData\Roaming\FbFp5Q6WR9XUNAv
c:\users\April Lovell\AppData\Roaming\wiD4J9hXVe
DirLook::
c:\windows\system64

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Please include the following in your next post:

  • ComboFix log

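The DDS "Created Last 30" section posted earlier and the Folder:: list in this CFScript are two ends of the same triage step: the helper picked out directories created in the last few days under AppData\Roaming whose names are obviously machine-generated, and handed them to ComboFix. As an added example (not part of the thread, and not code from DDS, ComboFix or Malwarebytes), the Python below parses lines in the DDS entry format, flags newly created profile directories whose names look random, and renders the hits in the Folder:: form the CFScript uses. The sample lines are copied from the log above; the assumed entry layout in LINE_RE, reading only the leading "d" of the attribute field as "directory", the GUID exclusion, and the thresholds in looks_random are my assumptions for this example, not documented DDS behaviour. Treat the output as a review list for a human, not an automatic delete list.

```python
import re
from dataclasses import dataclass

# Sample "Created Last 30" lines, copied from the DDS log posted earlier in
# this thread (a mix of real product folders, a file, a GUID-named folder and
# the machine-named folders the helper later listed under Folder::).
SAMPLE_LOG = r"""
2011-11-11 18:41:35 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\Malwarebytes
2011-11-11 18:41:12 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-11-11 18:22:52 -------- d-----w- C:\Users\April Lovell\AppData\Local\PackageAware
2011-11-11 18:07:44 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\fzcD4sd8hVzADFG
2011-11-11 18:07:43 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\Gbaf8hrtyiFmJ
2011-11-11 14:52:17 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\D7799
2011-11-10 20:57:53 -------- d-----w- C:\Users\April Lovell\AppData\Local\{A28CAFBB-EA74-4290-95E8-44A5686A9711}
2011-11-09 01:07:48 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\Sammsoft
2011-11-08 20:47:18 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\PC Tools
2011-11-08 18:53:38 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\KTTZZqhYCwkUVlx
2011-11-08 18:53:20 -------- d-----w- C:\Users\April Lovell\AppData\Roaming\wiD4J9hXVe
"""

# Assumed layout of a DDS entry: "date time size attrs path". The attribute
# field is treated as an opaque 8-character flag string; only the leading 'd'
# (directory) is interpreted, as seen in the log above.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[\w-]{8})\s+(?P<path>.+)$"
)

# Final component of a per-user profile directory (AppData\Roaming or Local).
PROFILE_DIR_RE = re.compile(r"\\AppData\\(Roaming|Local)\\([^\\]+)$", re.IGNORECASE)


@dataclass
class Entry:
    timestamp: str
    size: str
    attrs: str
    path: str

    @property
    def is_dir(self):
        return self.attrs.startswith("d")


def parse_created_last_30(text):
    """Parse DDS 'Created Last 30' lines; lines that do not fit are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(f"{m['date']} {m['time']}", m["size"], m["attrs"], m["path"]))
    return entries


def case_transitions(name):
    """Count upper/lower switches between consecutive letters (digits ignored)."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(name):
    """Heuristic (my thresholds, not a DDS rule): a folder name looks machine
    generated when it mixes digits into letters, or switches case four or more
    times. Product folders such as Malwarebytes, PackageAware or Sammsoft pass."""
    if any(c.isspace() for c in name):
        return False
    has_digit = any(c.isdigit() for c in name)
    has_alpha = any(c.isalpha() for c in name)
    return (has_digit and has_alpha) or case_transitions(name) >= 4


def suspicious_profile_dirs(entries):
    """Return paths of newly created AppData directories whose names look random."""
    flagged = []
    for e in entries:
        if not e.is_dir:
            continue
        m = PROFILE_DIR_RE.search(e.path)
        if not m:
            continue
        name = m.group(2)
        if name.startswith("{") and name.endswith("}"):
            continue  # GUID-named folders are routinely created by installers
        if looks_random(name):
            flagged.append(e.path)
    return flagged


def to_cfscript_folder_block(paths):
    """Render the hits in the Folder:: directive form used in the CFScript above."""
    return "Folder::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = suspicious_profile_dirs(parse_created_last_30(SAMPLE_LOG))
    print(to_cfscript_folder_block(hits))
```

Run against the sample, the five machine-named folders are flagged in log order while Malwarebytes, PackageAware, Sammsoft, PC Tools and the GUID folder are left alone. The heuristic is deliberately simple; a name like "Office12" would be flagged if it ever appeared under AppData, which is why the result is a list for the helper to review rather than something to feed straight into a Folder:: directive without looking.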

combofix2.txt


aprillovell01:

Please do this next:

Open Notepad and copy/paste the text in the quotebox below into it:

@echo off
rd "c:\users\April Lovell\AppData\Roaming\fzcD4sd8hVzADFG"
rd "c:\users\April Lovell\AppData\Roaming\Gbaf8hrtyiFmJ"
rd "c:\users\April Lovell\AppData\Roaming\h7L9gXjYCkVzt0S"
rd "c:\users\April Lovell\AppData\Roaming\nuv2b45sdf9RqUk"
rd "c:\users\April Lovell\AppData\Roaming\Z7fEL8gZq"
rd "c:\users\April Lovell\AppData\Roaming\SeOuDaKgCOubG6W"
rd "c:\users\April Lovell\AppData\Roaming\D7799"
rd "c:\users\April Lovell\AppData\Roaming\YdEK8fRZ9YwUeIt"
rd "c:\users\April Lovell\AppData\Roaming\Zvo4HWd8ZhwUeOt"
rd "c:\users\April Lovell\AppData\Roaming\F40D7"
rd "c:\users\April Lovell\AppData\Roaming\ayAvi3naHKru2"
rd "c:\users\April Lovell\AppData\Roaming\zVl0ycA1iDoFpHs"
rd "c:\users\April Lovell\AppData\Roaming\KTTZZqhYCwkUVlx"
rd "c:\users\April Lovell\AppData\Roaming\aLL88gRRZwUelBz"
rd "c:\users\April Lovell\AppData\Roaming\RgqCIlN01DoGm6W"
rd "c:\users\April Lovell\AppData\Roaming\FbFp5Q6WR9XUNAv"
rd "c:\users\April Lovell\AppData\Roaming\wiD4J9hXVe"
del /Q %0

Save this as fix.bat, choosing "Save as type: All Files".


Double click on fix.bat & allow it to run.

Open notepad and copy/paste the text in the quotebox below into it:

@echo off
dir /a /s "c:\windows\system64" > log.txt
notepad log.txt
del log.txt

Save this as peek.bat, choosing "Save as type: All Files".


Double click on peek.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.

Please include the following in your next post:

  • Peek.bat log

aprillovell01:

Please do this next:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please include the following in your next post:

  • MBAM log
  • SecurityCheck log


check up log

Results of screen317's Security Check version 0.99.26

Windows 7 x64 (UAC is enabled)

Internet Explorer 9

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

WMI entry may not exist for antivirus; attempting automatic update.

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 29

Adobe Flash Player ( 10.3.183.10) Flash Player Out of Date!

Adobe Reader X (10.1.1)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Microsoft Security Essentials msseces.exe

``````````End of Log````````````

mbam-log-2011-11-14 (17-01-20).txt


aprillovell01:

How is the computer running now? See if you can get rid of Avira with this:

Download AppRemover from here, saving it to your desktop.

  • Double click to run AppRemover
  • Follow the prompts to remove Avira
  • Reboot

Please go here to run an online scan with ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Please include the following in your next post:

  • How is your computer running now?
  • ESET log


aprillovell01:

Great! All I have left for you to do is some very important cleanup:

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:

  • DDS

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!
