Infection?


#16 brewsrgr8 (Topic Starter, Member, 89 posts)
Unfortunately it was not included with this PC.

Edited by brewsrgr8, 16 February 2013 - 09:36 AM.

  • 0

#17 Render (Trusted Helper, Malware Removal, 4,195 posts)

Unfortunately it was included with this PC.

You mean not included?
  • 0

#18 brewsrgr8 (Topic Starter, Member, 89 posts)
Yes, yes sorry duh :blush:
  • 0

#19 Render (Trusted Helper, Malware Removal, 4,195 posts)
OK. Then proceed with this:

Please download ComboFix from one of the following locations to your Desktop:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
  • Double click on ComboFix.exe and follow the prompts.
  • Accept the disclaimer and allow to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

  • 0

#20 brewsrgr8 (Topic Starter, Member, 89 posts)
ComboFix 13-02-13.02 - BJs 02/14/2013 18:26:08.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3837.2367 [GMT -5:00]
Running from: c:\users\BJs\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\47570680
c:\windows\SysWow64\spool\prtprocs\w32x86\ppbiPr.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-01-14 to 2013-02-14 )))))))))))))))))))))))))))))))
.
.
2013-02-14 23:42 . 2013-02-14 23:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-14 23:42 . 2013-02-14 23:42 -------- d-----w- c:\users\BJs\AppData\Local\temp
2013-02-14 19:57 . 2012-10-23 11:04 972264 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9E56CACC-C507-46B3-A8BB-893E1655D6B7}\gapaengine.dll
2013-02-14 19:57 . 2013-01-18 17:15 9161176 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5E3CE208-0158-43B1-B374-D5C06956303A}\mpengine.dll
2013-02-14 19:25 . 2013-02-14 19:25 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2013-02-14 19:24 . 2010-04-06 08:34 345984 ----a-w- c:\windows\system32\drivers\netio.sys
2013-02-12 23:56 . 2013-02-12 23:56 -------- d-----w- C:\_OTL
2013-02-12 23:32 . 2013-02-14 19:25 -------- d-----w- c:\program files\Microsoft Security Client
2013-02-12 23:28 . 2013-02-13 03:48 -------- d-----w- C:\b350f94be727b8d154f2dddd
2013-02-12 23:22 . 2013-02-12 23:22 -------- d-----w- c:\users\BJs\AppData\Local\Avg2013
2013-02-10 02:30 . 2013-02-10 14:32 15739760 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2013-02-09 13:46 . 2013-02-09 13:46 -------- d-----w- c:\users\Guest
2013-01-22 00:07 . 2013-01-22 00:07 -------- d-----w- c:\users\JB
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-10 16:34 . 2006-11-02 12:35 67599240 ---ha-w- c:\windows\system32\mrt.exe
2013-01-08 23:54 . 2012-04-09 16:33 697864 ---ha-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-08 23:54 . 2011-05-19 22:55 74248 ---ha-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-16 13:31 . 2012-12-21 18:13 48128 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 13:12 . 2012-12-21 18:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-16 11:08 . 2012-12-21 18:13 368128 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 10:50 . 2012-12-21 18:13 293376 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-11-23 01:54 . 2013-01-09 23:44 2770432 ----a-w- c:\windows\system32\win32k.sys
2012-11-22 04:22 . 2013-01-09 23:44 456192 ----a-w- c:\windows\system32\shlwapi.dll
2012-11-20 04:22 . 2013-01-09 23:44 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-11-20 04:21 . 2013-01-09 23:44 253952 ----a-w- c:\windows\system32\ncrypt.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 152064]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-05 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
.
c:\users\BJs\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NISDRV
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 23:54]
.
2013-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-14 03:09]
.
2013-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-14 03:09]
.
2013-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2688393006-2681721238-2150527008-1000Core.job
- c:\users\BJs\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-29 00:31]
.
2013-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2688393006-2681721238-2150527008-1000UA.job
- c:\users\BJs\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-29 00:31]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1687848]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKLM-Run-HF_G_Jul - c:\program files (x86)\AVG Secure Search\HF_G_Jul.exe
Wow6432Node-HKLM-Run-ROC_ROC_JULY_P1 - c:\program files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-02-14 18:51:42
ComboFix-quarantined-files.txt 2013-02-14 23:51
.
Pre-Run: 200,967,839,744 bytes free
Post-Run: 204,112,961,536 bytes free
.
- - End Of File - - BA3C3A64A1738A4F5CC15F14AAB6ADE5
  • 0

#21 Render (Trusted Helper, Malware Removal, 4,195 posts)
OK. Please proceed with this:

Malwarebytes' Anti-Malware

Please download the latest version of Malwarebytes' Anti-Malware from Here and double click on mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Click on the Check for Updates button.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
  • 0

#22 brewsrgr8 (Topic Starter, Member, 89 posts)
Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.15.01

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
BJs :: JB [administrator]

Protection: Enabled

2/14/2013 8:41:25 PM
mbam-log-2013-02-14 (20-41-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 288147
Time elapsed: 9 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
  • 0

#23 Render (Trusted Helper, Malware Removal, 4,195 posts)
We should proceed with a general antimalware scan, which can take quite a long time, so please be patient.

Download Virus Removal Tool (VRT) from Here to your desktop
(You have to enter your e-mail address and click on the Submit Form button. Please download the latest English version of this tool.)

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.

Click the cog in the upper right.

Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.
(Please be patient, as this scan can take a few hours.)

Allow VRT to delete all infections found.
Once it has finished, select the Report tab (last tab).
Select the Detected threats report from the left and press the Save button.
Save it to your desktop and attach it to your next post.


Now the Analysis

Rerun VRT, select the Manual Disinfection tab and press Start Gathering System Information.

On completion, click on Report sending and then the link avptool sysinfo.zip (open the file manager) to locate the zip file to upload and attach to your next post.
  • 0

#24 brewsrgr8 (Topic Starter, Member, 89 posts)
When I attempt to run Kaspersky my PC shuts down.
  • 0

#25 Render (Trusted Helper, Malware Removal, 4,195 posts)
OK. Try with this:

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.
  • When asked if you want to download Avast's virus definitions, please select Yes.
    Note: If avast! antivirus is already installed, just do the next step.
  • Click the Scan button to start the scan.
  • On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
  • Also, on the Desktop there should be a file called MBR.dat after that. Please attach it here.

How to add an attachment to a new topic or reply
  • 0

#26 brewsrgr8 (Topic Starter, Member, 89 posts)
OK, but wait, the 3rd time I ran it, it worked...I think... a report generated but then the PC shut down. Would you like the report (you'll have to tell me where it is) or would you rather me do the latest download/scan instead?
  • 0

#27 Render (Trusted Helper, Malware Removal, 4,195 posts)
Hi,

Please just proceed with aswMBR scan as instructed here.
  • 0

#28 brewsrgr8 (Topic Starter, Member, 89 posts)
aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-16 08:44:38
-----------------------------
08:44:38.724 OS Version: Windows x64 6.0.6002 Service Pack 2
08:44:38.724 Number of processors: 2 586 0x301
08:44:38.724 ComputerName: JB UserName:
08:44:42.078 Initialize success
08:46:01.307 AVAST engine defs: 13021600
08:46:56.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-0
08:46:56.125 Disk 0 Vendor: FUJITSU_MJA2320BH_G2 00400018 Size: 305245MB BusType: 3
08:46:56.141 Disk 0 MBR read successfully
08:46:56.141 Disk 0 MBR scan
08:46:56.156 Disk 0 Windows VISTA default MBR code
08:46:56.187 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
08:46:56.219 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 293019 MB offset 3074048
08:46:56.281 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 10725 MB offset 603176960
08:46:56.390 Disk 0 scanning C:\Windows\system32\drivers
08:47:33.003 Service scanning
08:49:49.566 Modules scanning
08:49:49.597 Disk 0 trace - called modules:
08:49:49.644 ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
08:49:49.675 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005c40790]
08:49:49.691 3 CLASSPNP.SYS[fffffa60015d0c33] -> nt!IofCallDriver -> \Device\THPDRV1[0xfffffa8005931200]
08:49:49.706 5 thpdrv.sys[fffffa60019d109d] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-0[0xfffffa8004beb060]
08:50:09.518 AVAST engine scan C:\Windows
08:50:27.739 AVAST engine scan C:\Windows\system32
09:00:07.529 AVAST engine scan C:\Windows\system32\drivers
09:00:47.231 AVAST engine scan C:\Users\BJs
09:08:30.831 AVAST engine scan C:\ProgramData
09:15:55.665 Scan finished successfully
09:20:13.143 Disk 0 MBR has been saved successfully to "C:\Users\BJs\Desktop\MBR.dat"
09:20:13.159 The log file has been saved successfully to "C:\Users\BJs\Desktop\aswMBR.txt"
  • 0

#29 brewsrgr8 (Topic Starter, Member, 89 posts)
:thumbsup:

Attached Files

  • MBR.dat (512 bytes, 19 downloads)

  • 0
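The aswMBR log in #28 reports the disk's partition table (three entries at sector offsets 2048, 3074048 and 603176960, one of them active) and saves the raw 512-byte sector as the MBR.dat attached in #29. The following is an added Python example, not code from the thread or from aswMBR, that parses such a 512-byte MBR and runs the consistency checks a helper would otherwise do by eye on the log; the sample MBR is constructed to reproduce the three partitions in the log, and the disk size is assumed from the log's "Size: 305245MB".

```python
import struct
from collections import namedtuple

SECTOR = 512
MB_SECTORS = 1024 * 1024 // SECTOR   # 2048 sectors per MiB, the unit aswMBR reports sizes in
ENTRY_FMT = "<B3xB3xII"              # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
DISK_SECTORS = 305245 * MB_SECTORS   # assumed from "Size: 305245MB" in the aswMBR log
# Type codes that appear in the aswMBR log above; anything else is flagged as unknown.
PART_TYPES = {0x07: "HPFS/NTFS", 0x17: "Hidden HPFS/NTFS", 0x27: "Hidden NTFS WinRE"}
Partition = namedtuple("Partition", "index active type_code lba_start sectors")

def parse_mbr(mbr: bytes) -> list:
    """Parse the four 16-byte table entries of a 512-byte MBR (the format of the MBR.dat aswMBR saves)."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue                     # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i + 1}: bad status byte 0x{status:02x}")
        parts.append(Partition(i + 1, status == 0x80, ptype, lba, count))
    return parts

def check_layout(parts: list, disk_sectors: int) -> list:
    """The checks a helper does by eye on the log: one active entry, known types, no overlap, nothing past disk end."""
    findings = []
    if sum(p.active for p in parts) != 1:
        findings.append("expected exactly one active partition")
    prev_end = 0
    for p in sorted(parts, key=lambda p: p.lba_start):
        if p.type_code not in PART_TYPES:
            findings.append(f"partition {p.index}: unknown type 0x{p.type_code:02x}")
        if p.lba_start < prev_end:
            findings.append(f"partition {p.index}: overlaps the previous partition")
        if p.lba_start + p.sectors > disk_sectors:
            findings.append(f"partition {p.index}: extends past the end of the disk")
        prev_end = max(prev_end, p.lba_start + p.sectors)
    return findings

def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR whose table reproduces the three partitions in the aswMBR log."""
    mbr = bytearray(SECTOR)
    table = [(0x00, 0x27, 2048, 1500 * MB_SECTORS),         # Hidden NTFS WinRE
             (0x80, 0x07, 3074048, 293019 * MB_SECTORS),    # active Windows partition
             (0x00, 0x17, 603176960, 10725 * MB_SECTORS)]   # hidden recovery partition
    for i, entry in enumerate(table):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i, *entry)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)
```

Reading a real MBR.dat is `parse_mbr(open("MBR.dat", "rb").read())`; an empty list from `check_layout` means the table is internally consistent, which is what the log's three consecutive, non-overlapping entries show.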

#30 Render (Trusted Helper, Malware Removal, 4,195 posts)
Hi and sorry for the delay. I was away.

Logs look clean. Can you please give me an update on how your computer's running?

Also download RealTemp here, run it and tell me what temperatures are on CPU's cores.
  • 0
