Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Windows Update disabled after ZeroAccess infection [Solved]

Started by lee2012 , Oct 02 2012 10:02 AM

  • This topic is locked This topic is locked

#1
lee2012
Posted 02 October 2012 - 10:02 AM

lee2012

    New Member

  • Member
  • Pip
  • 3 posts
Last week, I was locked out of Normal Mode by a ransomware virus ("Your computer is locked", claiming to be local police, "send a £100 fine to this UKash account" etc.)

I was able to get into Safe Mode with Networking and cycled through a few different scanners (Malwarebytes, ESET, RogueKiller, TDSS, aswMBR). TDSS and aswMBR didn't report any problems, while the other three scanners detected and removed a bunch of files relating to ZeroAccess (from what I can gather, the newer variant that installs under C:\Users\username\AppData).

This seems to have removed the infection - the ransomware is gone, Normal Mode is up again, the browser redirects I noticed while downloading the scanners in Safe Mode have gone, Windows Firewall and Windows Defender are both running again (the infection had disabled them), and further scans over the past few days (with updates) have all been clean.

However, Windows Update appears to have been disabled: the Action Center flag on my taskbar constantly has the item "Change Windows Update settings (Important)", but the service isn't running, doesn't show up as a "Stopped" service, and when I try to manually check for updates from the "Windows Update" section of Control Panel, I'm told that it can't check for updates "because the service is not running".

So, I'm not sure whether I'm still infected or the scanners just haven't fully fixed the damage left by the removed infections.

Here is the log of an OTL scan I've just run:

OTL logfile created on: 10/2/2012 3:04:58 PM - Run 1
OTL by OldTimer - Version 3.2.70.1 Folder = C:\Users\lee\Downloads
Starter Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1013.30 Mb Total Physical Memory | 174.73 Mb Available Physical Memory | 17.24% Memory free
1.99 Gb Paging File | 0.98 Gb Available in Paging File | 49.28% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 66.97 Gb Total Space | 13.10 Gb Free Space | 19.56% Space Free | Partition Type: NTFS
Drive D: | 66.98 Gb Total Space | 0.80 Gb Free Space | 1.20% Space Free | Partition Type: NTFS

Computer Name: L-PC | User Name: lee | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/02 15:04:38 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\lee\Downloads\OTL.exe
PRC - [2010/05/21 00:55:00 | 011,312,128 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2010/05/21 00:54:56 | 011,318,784 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2010/04/20 14:26:44 | 000,300,912 | ---- | M] () -- C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
PRC - [2009/11/04 05:11:48 | 000,835,072 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/10/26 12:53:14 | 000,091,136 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
PRC - [2009/10/13 11:03:04 | 000,716,800 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
PRC - [2009/10/02 17:48:26 | 002,364,704 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2009/10/02 17:48:26 | 000,795,936 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2009/10/02 17:48:26 | 000,595,232 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/25 10:42:58 | 000,460,312 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\ppgooglenaclpluginchrome.dll
MOD - [2012/09/25 10:42:57 | 012,278,808 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\PepperFlash\pepflashplayer.dll
MOD - [2012/09/25 10:42:55 | 004,005,912 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\pdf.dll
MOD - [2012/09/25 10:41:39 | 000,578,072 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\libglesv2.dll
MOD - [2012/09/25 10:41:38 | 000,123,416 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\libegl.dll
MOD - [2012/09/25 10:41:27 | 000,156,712 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\avutil-51.dll
MOD - [2012/09/25 10:41:26 | 000,275,496 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\avformat-54.dll
MOD - [2012/09/25 10:41:24 | 002,168,360 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\avcodec-54.dll
MOD - [2010/05/04 15:36:28 | 000,970,752 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2010/04/20 14:26:44 | 000,300,912 | ---- | M] () -- C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
MOD - [2010/04/16 14:11:02 | 000,155,648 | ---- | M] () -- C:\Program Files\Samsung\Samsung Update Plus\HMXML.dll
MOD - [2006/08/12 04:48:40 | 000,049,152 | ---- | M] () -- C:\Program Files\Samsung\Easy Display Manager\HookDllPS2.dll


========== Services (SafeList) ==========

SRV - [2009/10/20 19:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd)
SRV - [2009/10/02 17:48:26 | 000,595,232 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/03/05 10:54:50 | 000,311,296 | ---- | M] () [Disabled | Stopped] -- C:\Windows\System32\Rezip.exe -- (Rezip)


========== Driver Services (SafeList) ==========

DRV - [2009/11/13 23:58:20 | 000,546,816 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl819xp.sys -- (rtl819xp)
DRV - [2009/10/20 19:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2009/09/28 10:22:00 | 000,315,392 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2009/07/17 16:53:38 | 000,080,384 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2009/07/14 00:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/01 21:46:20 | 000,043,944 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\btusbflt.sys -- (btusbflt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.co...ng}&rlz=1I7SMSN
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co...=smsn&bmod=smsn
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32_11_3_300_262.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\lee\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\lee\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/07/18 21:34:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{DAFB0515-075B-11E2-8271-B8AC6F996F26}: C:\Users\lee\AppData\Local\{DAFB0515-075B-11E2-8271-B8AC6F996F26}\ [2012/09/25 22:56:31 | 000,000,000 | ---D | M]

[2011/07/18 21:53:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\lee\AppData\Roaming\Mozilla\Extensions
[2011/07/18 21:34:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/09/25 22:56:31 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\USERS\LEE\APPDATA\LOCAL\{DAFB0515-075B-11E2-8271-B8AC6F996F26}
[2011/07/08 08:31:28 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 09:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2010/01/01 09:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 09:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2010/01/01 09:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2010/01/01 09:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - homepage: http://www.google.co.uk/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.co.uk/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\lee\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Google Update (Enabled) = C:\Users\lee\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - Extension: YouTube = C:\Users\lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: AdBlock = C:\Users\lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.45_0\
CHR - Extension: Gmail = C:\Users\lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/07/27 20:12:05 | 000,000,921 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - Startup: C:\Users\lee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.7.2)
O16 - DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{029B0DFC-C29A-4240-B7CB-8BB9769098B0}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{ede6138f-d5ed-11df-8815-b482fe50af9c}\Shell - "" = AutoRun
O33 - MountPoints2\{ede6138f-d5ed-11df-8815-b482fe50af9c}\Shell\AutoRun\command - "" = E:\wubi.exe --cdmenu
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/02 03:53:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/10/02 03:17:54 | 000,000,000 | ---D | C] -- C:\Users\lee\Desktop\RK_Quarantine
[2012/09/27 00:29:49 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/09/26 00:05:55 | 000,000,000 | ---D | C] -- C:\Users\lee\AppData\Roaming\Malwarebytes
[2012/09/26 00:05:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/09/26 00:05:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/09/26 00:05:40 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2012/09/26 00:05:40 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/09/25 22:56:31 | 000,000,000 | ---D | C] -- C:\Users\lee\AppData\Local\{DAFB0515-075B-11E2-8271-B8AC6F996F26}
[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/10/02 15:04:01 | 000,000,900 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2071869296-2185399040-3217962726-1000UA.job
[2012/10/02 14:58:37 | 000,010,272 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/10/02 14:58:37 | 000,010,272 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/10/02 14:55:23 | 000,664,734 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2012/10/02 14:55:23 | 000,125,438 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2012/10/02 14:50:43 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/10/02 14:50:38 | 796,889,088 | -HS- | M] () -- C:\hiberfil.sys
[2012/10/01 17:04:02 | 000,000,848 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2071869296-2185399040-3217962726-1000Core.job
[2012/09/27 12:10:50 | 000,002,439 | ---- | M] () -- C:\Users\lee\Desktop\Google Chrome.lnk
[2012/09/27 00:28:47 | 000,000,512 | ---- | M] () -- C:\MBR.dat
[2012/09/25 23:33:04 | 000,102,400 | ---- | M] () -- C:\windows\RegBootClean.exe
[2012/09/25 23:30:58 | 000,162,556 | ---- | M] () -- C:\Users\lee\AppData\Local\census.cache
[2012/09/25 23:30:47 | 000,092,453 | ---- | M] () -- C:\Users\lee\AppData\Local\ars.cache
[2012/09/25 23:16:18 | 000,000,036 | ---- | M] () -- C:\Users\lee\AppData\Local\housecall.guid.cache
[2012/09/25 23:12:35 | 000,006,464 | ---- | M] () -- C:\Users\lee\AppData\Local\chromeupdate.crx
[2012/09/24 23:05:56 | 000,203,808 | ---- | M] () -- C:\Users\lee\Desktop\EECS-2006-1.pdf
[2012/09/21 17:53:25 | 000,011,535 | ---- | M] () -- C:\Users\lee\_viminfo
[2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/27 00:28:47 | 000,000,512 | ---- | C] () -- C:\MBR.dat
[2012/09/25 23:32:51 | 000,102,400 | ---- | C] () -- C:\windows\RegBootClean.exe
[2012/09/25 23:30:58 | 000,162,556 | ---- | C] () -- C:\Users\lee\AppData\Local\census.cache
[2012/09/25 23:30:47 | 000,092,453 | ---- | C] () -- C:\Users\lee\AppData\Local\ars.cache
[2012/09/25 23:16:18 | 000,000,036 | ---- | C] () -- C:\Users\lee\AppData\Local\housecall.guid.cache
[2012/09/25 22:56:31 | 000,006,464 | ---- | C] () -- C:\Users\lee\AppData\Local\chromeupdate.crx
[2012/09/24 23:05:56 | 000,203,808 | ---- | C] () -- C:\Users\lee\Desktop\EECS-2006-1.pdf
[2012/04/24 15:54:41 | 000,007,604 | ---- | C] () -- C:\Users\lee\AppData\Local\Resmon.ResmonCfg
[2012/04/11 03:06:00 | 000,000,118 | ---- | C] () -- C:\windows\System32\MRT.INI
[2011/06/05 17:51:42 | 000,000,129 | ---- | C] () -- C:\Users\lee\jagex_runescape_preferences2.dat
[2011/06/05 17:49:35 | 000,000,034 | ---- | C] () -- C:\Users\lee\jagex_runescape_preferences.dat
[2011/02/25 20:41:47 | 000,000,206 | ---- | C] () -- C:\Users\lee\.swfinfo
[2010/06/11 19:28:00 | 000,011,535 | ---- | C] () -- C:\Users\lee\_viminfo
[2010/06/11 16:28:29 | 000,131,368 | ---- | C] () -- C:\ProgramData\FullRemove.exe

========== ZeroAccess Check ==========

[2009/07/14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"ThreadingModel" = Both
"" = shell32.dll -- [2012/06/09 05:46:56 | 012,868,608 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 05:46:56 | 012,868,608 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/14 02:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/06/16 15:55:16 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\.anki
[2012/06/08 10:51:23 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\.matplotlib
[2012/08/27 15:33:39 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\Audacity
[2010/11/09 15:53:27 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\flightgear.org
[2010/11/18 18:57:50 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\Jeskola
[2010/12/29 00:30:39 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\Microchip
[2010/07/21 10:34:08 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\OpenOffice.org
[2011/09/25 17:46:26 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\Renoise
[2010/10/08 00:12:03 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\Stellarium
[2012/09/24 20:05:53 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\uTorrent
[2010/06/13 16:31:01 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\Wireshark

========== Purity Check ==========



< End of report >
  • 0

Advertisements

#2
Essexboy
Posted 02 October 2012 - 11:20 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi lets clear one bad boy and then check the service status

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Posted Image

    :OTL
[2012/09/25 22:56:31 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\USERS\LEE\APPDATA\LOCAL\{DAFB0515-075B-11E2-8271-B8AC6F996F26}
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

run farbar service scanner

Posted Image

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
  • 0

#3
lee2012
Posted 02 October 2012 - 12:19 PM

lee2012

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
New OTL log:


OTL logfile created on: 10/2/2012 6:56:48 PM - Run 2
OTL by OldTimer - Version 3.2.70.1 Folder = C:\Users\lee\Downloads
Starter Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1013.30 Mb Total Physical Memory | 303.68 Mb Available Physical Memory | 29.97% Memory free
1.99 Gb Paging File | 1.15 Gb Available in Paging File | 57.80% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 66.97 Gb Total Space | 16.82 Gb Free Space | 25.11% Space Free | Partition Type: NTFS
Drive D: | 66.98 Gb Total Space | 0.80 Gb Free Space | 1.20% Space Free | Partition Type: NTFS

Computer Name: L-PC | User Name: lee | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/02 15:04:38 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\lee\Downloads\OTL.exe
PRC - [2010/05/21 00:55:00 | 011,312,128 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2010/05/21 00:54:56 | 011,318,784 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2010/04/20 14:26:44 | 000,300,912 | ---- | M] () -- C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
PRC - [2009/11/04 05:11:48 | 000,835,072 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/10/26 12:53:14 | 000,091,136 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
PRC - [2009/10/13 11:03:04 | 000,716,800 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
PRC - [2009/10/02 17:48:26 | 002,364,704 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2009/10/02 17:48:26 | 000,795,936 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2009/10/02 17:48:26 | 000,595,232 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/25 10:42:58 | 000,460,312 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\ppgooglenaclpluginchrome.dll
MOD - [2012/09/25 10:42:55 | 004,005,912 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\pdf.dll
MOD - [2012/09/25 10:41:39 | 000,578,072 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\libglesv2.dll
MOD - [2012/09/25 10:41:38 | 000,123,416 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\libegl.dll
MOD - [2012/09/25 10:41:27 | 000,156,712 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\avutil-51.dll
MOD - [2012/09/25 10:41:26 | 000,275,496 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\avformat-54.dll
MOD - [2012/09/25 10:41:24 | 002,168,360 | ---- | M] () -- C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\avcodec-54.dll
MOD - [2010/05/04 15:36:28 | 000,970,752 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2010/04/20 14:26:44 | 000,300,912 | ---- | M] () -- C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
MOD - [2010/04/16 14:11:02 | 000,155,648 | ---- | M] () -- C:\Program Files\Samsung\Samsung Update Plus\HMXML.dll
MOD - [2006/08/12 04:48:40 | 000,049,152 | ---- | M] () -- C:\Program Files\Samsung\Easy Display Manager\HookDllPS2.dll


========== Services (SafeList) ==========

SRV - [2009/10/20 19:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd)
SRV - [2009/10/02 17:48:26 | 000,595,232 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/03/05 10:54:50 | 000,311,296 | ---- | M] () [Disabled | Stopped] -- C:\Windows\System32\Rezip.exe -- (Rezip)


========== Driver Services (SafeList) ==========

DRV - [2009/11/13 23:58:20 | 000,546,816 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl819xp.sys -- (rtl819xp)
DRV - [2009/10/20 19:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2009/09/28 10:22:00 | 000,315,392 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2009/07/17 16:53:38 | 000,080,384 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2009/07/14 00:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/01 21:46:20 | 000,043,944 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\btusbflt.sys -- (btusbflt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.co...ng}&rlz=1I7SMSN
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co...=smsn&bmod=smsn
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32_11_3_300_262.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\lee\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\lee\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/07/18 21:34:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{DAFB0515-075B-11E2-8271-B8AC6F996F26}: C:\Users\lee\AppData\Local\{DAFB0515-075B-11E2-8271-B8AC6F996F26}\

[2011/07/18 21:53:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\lee\AppData\Roaming\Mozilla\Extensions
[2011/07/18 21:34:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) -- C:\USERS\LEE\APPDATA\LOCAL\{DAFB0515-075B-11E2-8271-B8AC6F996F26}
[2011/07/08 08:31:28 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 09:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2010/01/01 09:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 09:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2010/01/01 09:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2010/01/01 09:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - homepage: http://www.google.co.uk/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.co.uk/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\lee\AppData\Local\Google\Chrome\Application\22.0.1229.79\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\lee\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Google Update (Enabled) = C:\Users\lee\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - Extension: YouTube = C:\Users\lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: AdBlock = C:\Users\lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.45_0\
CHR - Extension: Gmail = C:\Users\lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/10/02 18:38:44 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - Startup: C:\Users\lee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.7.2)
O16 - DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{029B0DFC-C29A-4240-B7CB-8BB9769098B0}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{ede6138f-d5ed-11df-8815-b482fe50af9c}\Shell - "" = AutoRun
O33 - MountPoints2\{ede6138f-d5ed-11df-8815-b482fe50af9c}\Shell\AutoRun\command - "" = E:\wubi.exe --cdmenu
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/02 18:38:21 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/10/02 03:53:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/10/02 03:17:54 | 000,000,000 | ---D | C] -- C:\Users\lee\Desktop\RK_Quarantine
[2012/09/27 00:29:49 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/09/26 00:05:55 | 000,000,000 | ---D | C] -- C:\Users\lee\AppData\Roaming\Malwarebytes
[2012/09/26 00:05:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/09/26 00:05:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/09/26 00:05:40 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2012/09/26 00:05:40 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

========== Files - Modified Within 30 Days ==========

[2012/10/02 18:59:11 | 000,010,272 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/10/02 18:59:11 | 000,010,272 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/10/02 18:56:32 | 000,664,734 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2012/10/02 18:56:32 | 000,125,438 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2012/10/02 18:51:57 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/10/02 18:51:51 | 796,889,088 | -HS- | M] () -- C:\hiberfil.sys
[2012/10/02 18:38:44 | 000,000,098 | ---- | M] () -- C:\windows\System32\drivers\etc\Hosts
[2012/10/02 18:04:01 | 000,000,900 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2071869296-2185399040-3217962726-1000UA.job
[2012/10/02 17:04:01 | 000,000,848 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2071869296-2185399040-3217962726-1000Core.job
[2012/09/27 12:10:50 | 000,002,439 | ---- | M] () -- C:\Users\lee\Desktop\Google Chrome.lnk
[2012/09/27 00:28:47 | 000,000,512 | ---- | M] () -- C:\MBR.dat
[2012/09/25 23:33:04 | 000,102,400 | ---- | M] () -- C:\windows\RegBootClean.exe
[2012/09/25 23:30:58 | 000,162,556 | ---- | M] () -- C:\Users\lee\AppData\Local\census.cache
[2012/09/25 23:30:47 | 000,092,453 | ---- | M] () -- C:\Users\lee\AppData\Local\ars.cache
[2012/09/25 23:16:18 | 000,000,036 | ---- | M] () -- C:\Users\lee\AppData\Local\housecall.guid.cache
[2012/09/25 23:12:35 | 000,006,464 | ---- | M] () -- C:\Users\lee\AppData\Local\chromeupdate.crx
[2012/09/24 23:05:56 | 000,203,808 | ---- | M] () -- C:\Users\lee\Desktop\EECS-2006-1.pdf
[2012/09/21 17:53:25 | 000,011,535 | ---- | M] () -- C:\Users\lee\_viminfo
[2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2012/09/27 00:28:47 | 000,000,512 | ---- | C] () -- C:\MBR.dat
[2012/09/25 23:32:51 | 000,102,400 | ---- | C] () -- C:\windows\RegBootClean.exe
[2012/09/25 23:30:58 | 000,162,556 | ---- | C] () -- C:\Users\lee\AppData\Local\census.cache
[2012/09/25 23:30:47 | 000,092,453 | ---- | C] () -- C:\Users\lee\AppData\Local\ars.cache
[2012/09/25 23:16:18 | 000,000,036 | ---- | C] () -- C:\Users\lee\AppData\Local\housecall.guid.cache
[2012/09/25 22:56:31 | 000,006,464 | ---- | C] () -- C:\Users\lee\AppData\Local\chromeupdate.crx
[2012/09/24 23:05:56 | 000,203,808 | ---- | C] () -- C:\Users\lee\Desktop\EECS-2006-1.pdf
[2012/04/24 15:54:41 | 000,007,604 | ---- | C] () -- C:\Users\lee\AppData\Local\Resmon.ResmonCfg
[2012/04/11 03:06:00 | 000,000,118 | ---- | C] () -- C:\windows\System32\MRT.INI
[2011/06/05 17:51:42 | 000,000,129 | ---- | C] () -- C:\Users\lee\jagex_runescape_preferences2.dat
[2011/06/05 17:49:35 | 000,000,034 | ---- | C] () -- C:\Users\lee\jagex_runescape_preferences.dat
[2011/02/25 20:41:47 | 000,000,206 | ---- | C] () -- C:\Users\lee\.swfinfo
[2010/06/11 19:28:00 | 000,011,535 | ---- | C] () -- C:\Users\lee\_viminfo
[2010/06/11 16:28:29 | 000,131,368 | ---- | C] () -- C:\ProgramData\FullRemove.exe

========== ZeroAccess Check ==========

[2009/07/14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"ThreadingModel" = Both
"" = shell32.dll -- [2012/06/09 05:46:56 | 012,868,608 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 05:46:56 | 012,868,608 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/14 02:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/06/16 15:55:16 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\.anki
[2012/06/08 10:51:23 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\.matplotlib
[2012/08/27 15:33:39 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\Audacity
[2010/11/09 15:53:27 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\flightgear.org
[2010/11/18 18:57:50 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\Jeskola
[2010/12/29 00:30:39 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\Microchip
[2010/07/21 10:34:08 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\OpenOffice.org
[2011/09/25 17:46:26 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\Renoise
[2010/10/08 00:12:03 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\Stellarium
[2012/09/24 20:05:53 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\uTorrent
[2010/06/13 16:31:01 | 000,000,000 | ---D | M] -- C:\Users\lee\AppData\Roaming\Wireshark

========== Purity Check ==========

< End of report >



And the FSS log:


Farbar Service Scanner Version: 19-09-2012
Ran by lee (administrator) on 02-10-2012 at 19:15:39
Running from "C:\Users\lee\Downloads"
Microsoft Windows 7 Starter (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\dhcpcore.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys => MD5 is legit
C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys
[2012-05-09 19:03] - [2012-03-30 11:29] - 1287024 ____A (Microsoft Corporation) 55E9965552741F3850CB22CBBA9671ED

C:\windows\system32\dnsrslvr.dll
[2011-05-08 19:48] - [2011-03-03 06:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\windows\system32\mpssvc.dll
[2009-07-14 00:53] - [2009-07-14 02:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\windows\system32\bfe.dll
[2009-07-14 00:54] - [2009-07-14 02:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll
[2009-07-14 00:23] - [2009-07-14 02:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\windows\system32\vssvc.exe
[2009-07-14 00:24] - [2009-07-14 02:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuaueng.dll => MD5 is legit
C:\windows\system32\qmgr.dll
[2009-07-14 00:30] - [2009-07-14 02:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll
[2012-07-11 21:06] - [2012-04-24 05:47] - 0139264 ____A (Microsoft Corporation) 520A108A2657F4BCA7FCED9CA7D885DE

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\windows\system32\ipnathlp.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#4
Essexboy
Posted 02 October 2012 - 12:36 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets repair the registry next

Download the two reg files to your desktop
Double click each in turn and allow to merge

[attachment=60830:BITS.reg]
[attachment=60831:wuauserv.reg]

Reboot the computer
Then try windows updates
Let me know the result plus any other problems you are having
  • 0

#5
lee2012
Posted 02 October 2012 - 01:29 PM

lee2012

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Yep, that looks like it's cracked it.

The two services are running, I'm getting the "New updates are available" system tray notification, and I can run Windows Update manually from the Start menu.

Thanks a lot for your help. :thumbsup:
  • 0

#6
Essexboy
Posted 02 October 2012 - 01:54 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
What antivirus are you running ?

Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Go to control panel
  • Select folder options (Appearance > Folder options in category view)
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN

To manually create a new Restore Point
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones
  • GoStart > All programs > Accessories > system tools
  • Right click Disc cleanup and select run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Posted Image
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:
  • 0

#7
Essexboy
Posted 04 October 2012 - 07:15 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP