Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Vista 2012 Antivirus Malware


  • Please log in to reply

#1
Jennifer M

Jennifer M

    New Member

  • Member
  • Pip
  • 1 posts
My husband was on a forum for his Kindle phone app and got his computer infected with this malware. We're using this computer and a USB drive to try to fix it.

He was able to download the most recent MBAM and run it but it didn't help much. Then he was no longer able to use a browser so here we are.

We ran Rogue Killer and got the following results:


RogueKiller V6.2.0 [12/12/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Safe mode with network support
User: Drew [Admin rights]
Mode: Scan -- Date : 12/22/2011 21:00:17

¤¤¤ Bad processes: 1 ¤¤¤
[WINDOW : Vista Antivirus 2012] tvd.exe -- C:\Users\Drew\AppData\Local\tvd.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 12 ¤¤¤
[HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\Users\Drew\AppData\Local\tvd.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\[...].exe\shell\open\command : ("C:\Users\Drew\AppData\Local\tvd.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe : (O50) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command : ("C:\Users\Drew\AppData\Local\tvd.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command : ("C:\Users\Drew\AppData\Local\tvd.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Users\Drew\AppData\Local\tvd.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] b5aee0d55464694b51f9a287c42e8ae5
[BSP] 8d527f0925c429137dfa00addcf14190 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 81920 | Size: 115343 Mo
2 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 225361920 | Size: 134672 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt


Then ran OTL and got the following results:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
CREATERESTOREPOINT

And the Extras file:


OTL Extras logfile created on: 12/22/2011 9:02:36 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = H:\Computer Recovery
Windows Vista Home Basic Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.27 Gb Available Physical Memory | 63.83% Memory free
4.24 Gb Paging File | 3.77 Gb Available in Paging File | 88.98% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 125.42 Gb Total Space | 26.09 Gb Free Space | 20.80% Space Free | Partition Type: NTFS
Drive D: | 107.42 Gb Total Space | 50.94 Gb Free Space | 47.42% Space Free | Partition Type: NTFS
Drive F: | 2.63 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 562.92 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 479.48 Mb Total Space | 86.11 Mb Free Space | 17.96% Space Free | Partition Type: FAT32
Drive J: | 553.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: JENNIFER-PC | User Name: Drew | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-4121544440-2439384158-1445081869-1001\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- Reg Error: Key error. File not found
.exe [@ = h32] -- C:\Users\Drew\AppData\Local\tvd.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
https [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Orbitdownloader\orbitdm.exe" = C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{107B1E4F-C498-44FF-BACA-6C822BE892DB}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{2400C7D4-286C-4D23-9602-069A5DD3FC89}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{2E9D8F94-A3D0-4D8B-996F-A9A556A2E234}" = rport=138 | protocol=17 | dir=out | app=system |
"{308E460E-7E98-4644-992D-9D6FA630F483}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{31200B81-095C-471A-888C-3FFF2EAF634E}" = rport=139 | protocol=6 | dir=out | app=system |
"{383B7842-08EC-41B6-A10F-2D0B4E58087E}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{3D9BA907-7CE3-4174-9E4E-56E1EF0D862F}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{47F7CE97-30BB-46A5-A2AD-7A8B93014420}" = rport=137 | protocol=17 | dir=out | app=system |
"{5058A0E5-3466-4324-8FFD-B003789960CF}" = lport=445 | protocol=6 | dir=in | app=system |
"{61EFAB74-3EDA-4BD5-8855-DBE03FFB9805}" = lport=138 | protocol=17 | dir=in | app=system |
"{6B2179E4-562B-4829-8093-EFFFC3256C69}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{6D19F31E-6B49-49C6-9E56-00815D3E4678}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{7F19D398-0D11-47A1-A24D-1D19EB6B51E0}" = lport=137 | protocol=17 | dir=in | app=system |
"{8B73BCC4-3478-4C82-9A26-6DB712EC2621}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{AAED4FEA-27E3-4958-8806-E0082763D2F8}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=c:\windows\system32\spoolsv.exe |
"{D0BA66E6-8ED2-453E-8E2C-2B2303DD9E3E}" = rport=445 | protocol=6 | dir=out | app=system |
"{D6FB9BF2-D722-453B-A7F2-F6BD7CE4DFC3}" = lport=139 | protocol=6 | dir=in | app=system |
"{F9940987-849D-4011-B72F-3F55883B712A}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{FFEF4A44-1121-4CAC-B1F3-9F604E4012BA}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=file and printer sharing (spooler service - rpc-epmap) |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{171EF933-73AB-4A3F-85CB-EDA0F68C9A04}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{27547442-E722-4205-8A83-105C151A54FD}" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe |
"{2922D9F2-9BC7-4033-89DF-16F68366C17E}" = protocol=17 | dir=in | app=c:\program files\pando networks\pando\pando.exe |
"{30379607-82B1-4738-807E-9C57BB0AFECB}" = protocol=1 | dir=in | name=file and printer sharing (echo request - icmpv4-in) |
"{373F6CAA-F152-42C8-9311-89CABF8FC039}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{41A88E1F-2E63-4D5F-9E95-0B7C876E7C56}" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe |
"{43F93E54-1CC1-475D-A0C9-4C5158D413D8}" = protocol=6 | dir=in | app=c:\program files\pando networks\pando\pando.exe |
"{463225C7-F37F-4211-A771-6CC067FF2151}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgdiagex.exe |
"{486005C2-B217-4CF5-9A94-D07AA42BED4C}" = dir=in | app=d:\pando\pando.exe |
"{5DD30D0A-C9D6-42E9-AF6B-21311E0EBDAB}" = protocol=58 | dir=out | name=file and printer sharing (echo request - icmpv6-out) |
"{6C29BCBC-29FE-4366-AF71-B03497A76CEF}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe |
"{73B41AE4-5CE8-4506-8292-88E865307CEB}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{7A2D5FD0-D2AA-4A7D-9AB9-3529FEB1CAAD}" = protocol=58 | dir=in | name=file and printer sharing (echo request - icmpv6-in) |
"{884A5A61-9F53-4589-A15D-4B15339328A3}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe |
"{A6A78A61-6499-4CBD-B4F6-CC15E51CF5B0}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{AD3D79E4-258B-49E2-B0CB-0DA0EEE1667C}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe |
"{AFC07491-670C-466F-A840-BB5CC9E146F7}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe |
"{C086B451-C521-444B-A7D9-343649F52FDE}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe |
"{C1FBA363-30FD-47EF-A922-E87926EFDD6D}" = protocol=6 | dir=in | app=d:\pando\pando.exe |
"{C9C8519F-69EC-427A-9D99-00DFBBBB0B1A}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe |
"{CDE3BD2E-0AEC-4125-8BE7-B03365240BC1}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe |
"{D1F8AAF7-7E38-458C-84BC-667B8143AF6B}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{D6A0D847-6EC0-43C7-B24F-CC97792EB5D3}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgdiagex.exe |
"{EC0023D8-8101-4E76-BA89-FC6E5D02CBBE}" = dir=in | app=c:\program files\pando networks\pando\pando.exe |
"{ECC7B221-C749-457C-A25F-F798C91F6C40}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{EDC97647-5797-40F3-A01E-3E5B53436AA5}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{EF3CEC1A-00AD-40CC-BA0A-47D9A433C034}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{EFE39407-F996-4536-A24F-EA5741EABA83}" = protocol=17 | dir=in | app=d:\pando\pando.exe |
"{F5E3E64E-304D-45C0-A14E-2720F8DF0165}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgdiagex.exe |
"{F60356EC-2B87-4210-9524-85887A3AAE4D}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgdiagex.exe |
"{F90A7E2D-E266-40FA-8F62-984D7EBE2AB2}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe |
"{FAD4386D-870B-4C30-B521-623465B0A745}" = protocol=1 | dir=out | name=file and printer sharing (echo request - icmpv4-out) |
"TCP Query User{2AD25724-1FA7-4695-BD65-6A83B4F7F163}C:\program files\belkin\router setup and monitor\belkinsetup.exe" = protocol=6 | dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe |
"TCP Query User{33DA7050-E3FA-4D07-ACA4-1AB6E60BDA65}C:\program files\orbitdownloader\orbitnet.exe" = protocol=6 | dir=in | app=c:\program files\orbitdownloader\orbitnet.exe |
"TCP Query User{8028D67E-DF24-4BCF-845B-0C6C303D182F}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{94BEC674-4FAE-488B-9CDB-5CD0350CD1B0}C:\program files\orbitdownloader\orbitnet.exe" = protocol=6 | dir=in | app=c:\program files\orbitdownloader\orbitnet.exe |
"TCP Query User{9717CC47-7087-4A73-9705-E6AD63B32C10}C:\program files\opera\opera.exe" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe |
"TCP Query User{A000EEDA-C9AD-4D15-8793-C552290EE2FE}D:\operaportabletest\app\opera\opera.exe" = protocol=6 | dir=in | app=d:\operaportabletest\app\opera\opera.exe |
"TCP Query User{A40FA3BB-7143-490C-AEE7-9DC19CA93160}C:\users\drew\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\drew\appdata\roaming\spotify\spotify.exe |
"TCP Query User{BC230E58-76A0-41BD-98EE-C28179FEC02A}D:\operaportabletest\app\opera\opera.exe" = protocol=6 | dir=in | app=d:\operaportabletest\app\opera\opera.exe |
"TCP Query User{CAE235E9-6A45-4B44-8C7D-08593966DF3D}C:\program files\belkin\router setup and monitor\belkinsetup.exe" = protocol=6 | dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe |
"TCP Query User{D6827F54-FDDD-4FBF-AA45-F0AA5C6C288E}C:\program files\belkin\belkin usb print and storage center\connect.exe" = protocol=6 | dir=in | app=c:\program files\belkin\belkin usb print and storage center\connect.exe |
"TCP Query User{D8D2E309-F45A-4703-ADA2-4A6C8D9BB51F}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{E31FB489-B473-47A6-827E-7A88C0ABC481}C:\program files\belkin\belkin usb print and storage center\connect.exe" = protocol=6 | dir=in | app=c:\program files\belkin\belkin usb print and storage center\connect.exe |
"TCP Query User{F77374E2-886B-43EF-80B1-E6204B612FF1}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{00C035EF-759D-4C38-986E-8118971BA468}C:\program files\belkin\belkin usb print and storage center\connect.exe" = protocol=17 | dir=in | app=c:\program files\belkin\belkin usb print and storage center\connect.exe |
"UDP Query User{00F85F63-6F7F-4C0E-8668-209FB94E4EDF}C:\program files\orbitdownloader\orbitnet.exe" = protocol=17 | dir=in | app=c:\program files\orbitdownloader\orbitnet.exe |
"UDP Query User{506BD867-5438-463E-9F80-0CCA9037FFC6}C:\program files\belkin\router setup and monitor\belkinsetup.exe" = protocol=17 | dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe |
"UDP Query User{76BA7839-1859-4CA1-883D-583E71C9EA98}D:\operaportabletest\app\opera\opera.exe" = protocol=17 | dir=in | app=d:\operaportabletest\app\opera\opera.exe |
"UDP Query User{97D6B7D3-30F0-4B39-AE4A-A0A06F165599}C:\program files\opera\opera.exe" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe |
"UDP Query User{99771609-6C8C-4172-99CE-A1CC7967DE35}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{A132FD2E-BB52-4644-B9E4-6424B9B36A3B}C:\program files\orbitdownloader\orbitnet.exe" = protocol=17 | dir=in | app=c:\program files\orbitdownloader\orbitnet.exe |
"UDP Query User{B8D16E90-2838-4585-B651-952D53B9EAF9}C:\users\drew\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\drew\appdata\roaming\spotify\spotify.exe |
"UDP Query User{C031FBF4-C24A-4C8A-AB5E-C6F946FC1CD9}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{CF9F6801-04AB-4230-86F2-EF378737B4DC}D:\operaportabletest\app\opera\opera.exe" = protocol=17 | dir=in | app=d:\operaportabletest\app\opera\opera.exe |
"UDP Query User{DEDA7549-9067-4BC7-A999-E9025AA35517}C:\program files\belkin\belkin usb print and storage center\connect.exe" = protocol=17 | dir=in | app=c:\program files\belkin\belkin usb print and storage center\connect.exe |
"UDP Query User{E993DBC4-DEE7-421B-B1A1-91B8750337FE}C:\program files\belkin\router setup and monitor\belkinsetup.exe" = protocol=17 | dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe |
"UDP Query User{EF17E857-39F0-469C-937F-F6E2896C48F0}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0D2E9DCB-9938-475E-B4DD-8851738852FF}" = AIO_Scan
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216016F0}" = Java™ 6 Update 16
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{342126E1-173C-4585-BFBE-3EBDD20E3E9E}" = Mobipocket Reader 6.2
"{373C7B28-788D-4528-A4AD-86CB960AB615}" = TurningPoint 2008
"{385DD1DD-65AA-408D-8E70-74601C2DB7E6}" = Ad-Aware
"{3B0F52AC-EF5C-4831-B221-06C782E41280}" = Quicken 2008
"{3B3D2CFD-3C21-4AA0-94DE-45577B5BAB16}" = Family Tree Maker 2011
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4BF021F7-37A7-4086-B4F1-D5914925D18B}" = VZAccess Manager
"{4E5386F5-C0F6-4532-A54A-374865AEAB71}" = Cisco PEAP Module
"{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup 2011
"{5335DADB-34BA-4AE8-A519-648D78498846}" = Skype™ 5.3
"{574157B0-9D84-49d9-B08B-5296638BF5EE}" = 4300_Help
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{656A70D4-98FD-41F8-B172-575F60C922BB}" = AVG 2011
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{6BB2C35F-C2AC-499E-918F-FB63E9A563F9}" = Nitro PDF Professional
"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{76F9CF97-FC4B-4E20-B363-D127C888448F}" = Cisco LEAP Module
"{7821C7B2-7E21-4CF3-925B-58B6A8BC6311}" = LibreOffice 3.4
"{7A7DC702-DEDE-42A8-8722-B3BA724D546F}" = Fax
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{926CC8AE-8414-43DF-8EB4-CF26D9C3C663}" =
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}" = MarketResearch
"{978C25EE-5777-46e4-8988-732C297CBDBD}" = Status
"{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}" = Destinations
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{A3B7C670-4A1E-4EE2-950E-C875BC1965D0}" = Copy
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB480DA0-7EE9-465D-9C12-4CDE65BF18FB}" = Pando
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.7
"{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}" = Samsung Master
"{AFE499B5-FCC4-45E6-A1A5-3C51AE0E539B}" = Mobipocket Creator 4.2
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B0B2407C-AA1A-4812-85DA-E833D5BC3E97}" = 4300
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Toolbars
"{B6F7DBE7-2FE2-458F-A738-B10832746036}" = Microsoft Reader
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{BF53252E-4AB2-4C7F-A0FD-6100755745E3}" = Cisco EAP-FAST Module
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}" = HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D05E8183-866A-11D3-97DF-0000F8D8F2E9}" = Symantec pcAnywhere
"{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
"{D93E970F-5B4B-4BE6-89CB-E46963E3B1E4}" = DupeFree Pro
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.0.8.320
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DFAA3C20-5968-46A3-B7B0-0AF72D758A59}" = HTC Sync
"{E06F04B9-45E6-4AC0-8083-85F7515F40F7}" = UnloadSupport
"{E09575B2-498D-4C8B-A9D2-623F78574F29}" = AIO_CDB_Software
"{E1CAE438-DEF7-44C2-A3A9-6915ABF2A732}" = calibre
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E7112940-5F8E-4918-B9FE-251F2F8DC81F}" = AIO_CDB_ProductContext
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}" = HPSSupply
"{EBEAF45A-58C3-44c8-8714-87909EBD6BC2}" = 4300Trb
"{EF9D9FAD-D31E-493B-9A6B-28D56FE4EB8F}" = Zimbra Desktop
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FA1162AE-AF27-44A9-9C78-0C46BD44D75F}" = AVG 2011
"{FF075778-6E50-47ed-991D-3B07FD4E3250}" = TrayApp
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Article Editor_is1" = Article Editor v2.0
"Ashampoo Burning Studio 10_is1" = Ashampoo Burning Studio 10 v.10.0.11
"AVG" = AVG 2011
"Belkin Setup and Router Monitor_is1" = Belkin Setup and Router Monitor
"Belkin USB Print and Storage Center" = Belkin USB Print and Storage Center
"BN_DesktopReader" = NOOK for PC
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative OEM002" = Laptop Integrated Webcam Driver (1.04.01.1011)
"CutePDF Writer Installation" = CutePDF Writer 2.8
"Digital Editions" = Adobe Digital Editions
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FaceOffMax" = Face Off Max
"Family Tree Maker 2011" = Family Tree Maker 2011
"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
"FormatFactory" = FormatFactory 2.70
"Google Chrome" = Google Chrome
"GPL Ghostscript 8.60" = GPL Ghostscript 8.60
"GPL Ghostscript 9.02" = GPL Ghostscript
"GPL Ghostscript Fonts" = GPL Ghostscript Fonts
"HASP4 Device Drivers" = HASP4 Device Drivers
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPExtendedCapabilities" = HP Customer Participation Program 8.0
"HPOCR" = HP OCR Software 8.0
"HTC_WModemDriver" = WModem Driver Installer
"IrfanView" = IrfanView (remove only)
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate1.6" = LiveUpdate 1.6 (Symantec Corporation)
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.20)" = Mozilla Firefox (3.6.20)
"Opera 11.11.2109" = Opera 11.11
"Orbit_is1" = Orbit Downloader
"PDF Creator" = PDF Creator (Remove Only)
"QuickTime" = QuickTime
"Storybook" = Storybook
"The Rosetta Stone" = The Rosetta Stone
"TVWiz" = Intel® TV Wizard
"Video Mover_is1" = Video Mover
"Vivitar Experience Image Manager" = Vivitar Experience Image Manager
"VLC media player" = VLC media player 1.0.5
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"WordWeb" = WordWeb
"yWriter5_is1" = yWriter5

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4121544440-2439384158-1445081869-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Amazon Kindle" = Amazon Kindle
"Dexpot" = Dexpot
"Spotify" = Spotify

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/18/2011 12:22:40 PM | Computer Name = Jennifer-PC | Source = WinMgmt | ID = 10
Description =

Error - 12/18/2011 12:25:58 PM | Computer Name = Jennifer-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 12/18/2011 6:04:09 PM | Computer Name = Jennifer-PC | Source = WinMgmt | ID = 10
Description =

Error - 12/18/2011 6:07:38 PM | Computer Name = Jennifer-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 12/19/2011 1:41:59 AM | Computer Name = Jennifer-PC | Source = WinMgmt | ID = 10
Description =

Error - 12/19/2011 1:43:45 AM | Computer Name = Jennifer-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 12/19/2011 1:59:34 AM | Computer Name = Jennifer-PC | Source = WinMgmt | ID = 10
Description =

Error - 12/19/2011 2:01:24 AM | Computer Name = Jennifer-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 12/21/2011 6:58:27 PM | Computer Name = Jennifer-PC | Source = WinMgmt | ID = 10
Description =

Error - 12/21/2011 7:00:01 PM | Computer Name = Jennifer-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ Broadcom Wireless LAN Events ]
Error - 11/8/2010 12:35:31 AM | Computer Name = Jennifer-PC | Source = WLAN-Tray | ID = 0
Description = 22:35:30, Sun, Nov 07, 10 Error - Unable to gain access to user store


Error - 11/23/2010 12:48:04 AM | Computer Name = Jennifer-PC | Source = WLAN-Tray | ID = 0
Description = 22:48:03, Mon, Nov 22, 10 Error - Unable to gain access to user store


Error - 11/24/2010 1:04:39 AM | Computer Name = Jennifer-PC | Source = WLAN-Tray | ID = 0
Description = 23:04:39, Tue, Nov 23, 10 Error - Unable to gain access to user store


Error - 11/25/2010 11:52:09 PM | Computer Name = Jennifer-PC | Source = WLAN-Tray | ID = 0
Description = 21:52:08, Thu, Nov 25, 10 Error - Unable to gain access to user store


Error - 12/10/2010 1:13:54 AM | Computer Name = Jennifer-PC | Source = WLAN-Tray | ID = 0
Description = 23:13:53, Thu, Dec 09, 10 Error - Unable to gain access to user store


Error - 12/23/2010 1:05:32 AM | Computer Name = Jennifer-PC | Source = WLAN-Tray | ID = 0
Description = 23:05:31, Wed, Dec 22, 10 Error - Unable to gain access to user store


Error - 12/29/2010 9:28:26 PM | Computer Name = Jennifer-PC | Source = WLAN-Tray | ID = 0
Description = 19:28:26, Wed, Dec 29, 10 Error - Unable to decrypt string

Error - 12/30/2010 5:49:39 AM | Computer Name = Jennifer-PC | Source = WLAN-Tray | ID = 0
Description = 03:49:38, Thu, Dec 30, 10 Error - Unable to gain access to user store


Error - 12/31/2010 8:55:18 PM | Computer Name = Jennifer-PC | Source = WLAN-Tray | ID = 0
Description = 18:55:18, Fri, Dec 31, 10 Error - Unable to gain access to user store


Error - 5/22/2011 6:47:37 PM | Computer Name = Jennifer-PC | Source = WLAN-Tray | ID = 0
Description = 17:47:36, Sun, May 22, 11 Error - Unable to gain access to user store


[ System Events ]
Error - 12/22/2011 10:57:05 AM | Computer Name = Jennifer-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12/22/2011 10:58:21 AM | Computer Name = Jennifer-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12/22/2011 10:58:22 AM | Computer Name = Jennifer-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12/22/2011 10:00:19 PM | Computer Name = Jennifer-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 7:58:25 PM on 12/22/2011 was unexpected.

Error - 12/22/2011 10:00:33 PM | Computer Name = Jennifer-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 12/22/2011 10:00:33 PM | Computer Name = Jennifer-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 12/22/2011 10:00:46 PM | Computer Name = Jennifer-PC | Source = DCOM | ID = 10005
Description =

Error - 12/22/2011 10:00:47 PM | Computer Name = Jennifer-PC | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000
Description =

Error - 12/22/2011 10:00:59 PM | Computer Name = Jennifer-PC | Source = DCOM | ID = 10005
Description =

Error - 12/22/2011 10:01:03 PM | Computer Name = Jennifer-PC | Source = DCOM | ID = 10005
Description =


< End of report >


So now what?? Thanks for your time - I'm sure you'd rather being preparing for Christmas!
  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
I'm more of the bah humbug type so no problem working on your system.

You will need to download the programs mention in the following and either burn them to a CD or put them on a USB drive and move them to the desktop of the sick PC.

Get unhookexec.inf from:

http://securityrespo.../UnHookExec.inf

Save it to the desktop of the sick PC then right click on it and INSTALL it.


ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Rightclick on ComboFix and select Run As Administrator to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then right click and Run as Administrator

If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Download aswMBR.exe ( 511KB ) to your desktop.
Right click aswMBR.exe and Run as Administrator

change the a-v scan to None.
uncheck trace disk IO calls
Click the "Scan" button to start scan
On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply


Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.




Run OTL (Vista or Win 7 => right click and Run As Administrator)

select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Do the following:
  • Click on the Start button and then choose Control Panel.
  • Click on the System and Security link.

    Note: If you're viewing the Large icons or Small icons view of Control Panel, you won't see this link so just click on the Administrative Tools icon and skip to Step 4.
  • In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
  • In the Administrative Tools window, double-click on the Computer Management icon.
  • When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.

    After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.

    Note: If you don't see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.
Take a screen Shot of the Disk Management Window and attach the screen shot to your reply. Make sure that the column with the partition size is visible.
http://graphicssoft....nscreenshot.htm Save the file as a .jpg or the forum won't allow it.

Ron
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP