[ramaflore]

Here you are :

 

C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SPCV7\Source\program files\AskPartnerNetwork\Toolbar\apnmcp.exe.vir    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SPCV7\Source\program files\AskPartnerNetwork\Toolbar\searchhook.dll.vir    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SPCV7\Source\program files\AskPartnerNetwork\Toolbar\ServiceLocator.exe.vir    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SPCV7\Source\program files\AskPartnerNetwork\Toolbar\SO.dll.vir    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SPCV7\Source\program files\AskPartnerNetwork\Toolbar\toolbar.dll.vir    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SPCV7\Source\program files\AskPartnerNetwork\Toolbar\Toolbar.exe.vir    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SPCV7\Source\program files\AskPartnerNetwork\Toolbar\ToolbarPS.dll.vir    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SPCV7\Source\program files\AskPartnerNetwork\Toolbar\toolbar_x64.dll.vir    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SPCV7\Source\program files\AskPartnerNetwork\Toolbar\UpdateManager.exe.vir    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SPCV7\Source\program files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe.vir    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SPCV7\Source\program files\AskPartnerNetwork\Toolbar\{PartnerID}\Passport.dll.vir    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SPCV7\Source\program files\AskPartnerNetwork\Toolbar\{PartnerID}\Passport_x64.dll.vir    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\Users\Flore\Documents\APNSetup1.exe    a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application    deleted - quarantined
C:\Users\Flore\Downloads\cbsidlm-cbsi183-WhoCrashed-SEO-75205821.exe    a variant of Win32/CNETInstaller.B potentially unwanted application    deleted - quarantined
C:\Users\Flore\Downloads\FoxitReader514.0104_enu_Setup.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
C:\Users\Flore\Downloads\SopCast\Setup-SopCast-3.8.3-2013-6-26.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application    deleted - quarantined
C:\Users\Transparence\Downloads\CuteWriter.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
C:\Users\Transparence\Downloads\registry-defrag-setup.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
D:\Programmes Utilitaires\SetupImgBurn_2.5.7.0.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
 

[Advertisements]

And how is your machine now?

[emeraldnzl]

And how is your machine now?

[ramaflore]

The same, nothing has changed.

[emeraldnzl]

Before we move on I have a question:

 

After ComboFix removed Antispy1.4 and before we restored it did you computer have those start troubles?

 

The reason I ask is because of a possible conflict going on. Tell me when you return.

 

Meantime:

 

Please download Security Check by screen317 from here .

•    
• Save it to your Desktop.
     
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
     
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

[ramaflore]

My answer is Yes, before and after those troubles didn't stop.

[emeraldnzl]

Thank you.

 

Please go ahead with the Security Check one I asked for.

[ramaflore]

Results of screen317's Security Check version 0.99.81  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 SpyShelter Premium 9.0   
 Secunia PSI (3.0.0.2004)   
 VirusTotal Uploader 2.0   
 Java 7 Update 51  
 Adobe Flash Player     12.0.0.43  
 Mozilla Firefox (28.0)
````````Process Check: objlist.exe by Laurent````````  
 Privatefirewall 6.1 pfsvc.exe  
 Malwarebytes Anti-Exploit mbae-svc.exe   
 Malwarebytes Anti-Exploit mbae.exe   
 Privacyware Privatefirewall 7.0 PFGUI.exe  
 Shadow Defender DefenderDaemon.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 

 

PS: AppGuard is missing as a security program !

Edited by ramaflore, 31 March 2014 - 04:46 PM.

[emeraldnzl]

I am beginning to think that this is not a malware issue.

Before I suggest to you to start a new topic in the Vista forum I just want to make sure of a couple of things.

First:

I don't know much about Shadow Defender but on reading about setting it up I see that if you have it in permanent mode you are always under Shadow Mode so any changes in your system will be negated at every reboot.  I guess you are aware of this and if you do have it running, you have your system set up to accomodate downloads like windows updates, anti-virus updates, software updates/changes etc. If, for some reason you are not aware of that could there be some problem happening because your system is not updating or keeping changes made?

Second:

You have used Antispy to look for rootkit activity and with the Malwarebytes scan we did check for a possible rootkit but we should check a bit further to make sure.

Please do this:

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start scan



On completion of the scan click save log, save it to your desktop and post in your next reply

[ramaflore]

About First :

 

I don't run Shadow Defender as a shadow mode, only when I needed. This program is always on the system tray, but this not meant that it's always on the shadow mode.

 

 

About Second :

 

Here you are the log :

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-04-01 12:03:04
-----------------------------
12:03:04.451    OS Version: Windows 6.0.6002 Service Pack 2
12:03:04.451    Number of processors: 2 586 0xF02
12:03:04.451    ComputerName: PC-DE-FLORE  UserName: Flore
12:03:08.039    Initialize success
12:03:22.181    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000006c
12:03:22.181    Disk 0 Vendor: ATA_____ 0012 Size: 114473MB BusType: 11
12:03:22.649    Disk 0 MBR read successfully
12:03:22.649    Disk 0 MBR scan
12:03:22.649    Disk 0 Windows VISTA default MBR code
12:03:22.649    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        69471 MB offset 63
12:03:22.664    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        44999 MB offset 142278656
12:03:22.680    Disk 0 scanning sectors +234436608
12:03:23.366    Disk 0 scanning C:\Windows\system32\drivers
12:03:33.804    Service scanning
12:03:47.017    Service pwipf6 C:\Windows\system32\DRIVERS\pwipf6.sys **LOCKED** 32
12:03:49.560    Service Spyshelter C:\Program Files\SpyShelter Premium\SpyShelter.sys **LOCKED** 32
12:03:54.724    Modules scanning
12:04:37.686    Disk 0 trace - called modules:
12:04:37.748    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorF.sys storport.sys hal.dll iaStorA.sys tcpip.sys NETIO.SYS
12:04:37.764    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x862b6ac8]
12:04:37.764    3 CLASSPNP.SYS[875a88b3] -> nt!IofCallDriver -> [0x861b3270]
12:04:37.764    5 iaStorF.sys[875645c7] -> nt!IofCallDriver -> \Device\0000006c[0x857f5c90]
12:04:37.780    Scan finished successfully
12:05:01.913    Disk 0 MBR has been saved successfully to "C:\Users\Flore\Desktop\MBR.dat"
12:05:01.928    The log file has been saved successfully to "C:\Users\Flore\Desktop\aswMBR.txt"

 

Do I need to click on 'FixMbr' ??

As I told you on my first post, I wasn't not sure if I get or not a malware. I opened this thread to be sure that I'm safe of malwares.

[emeraldnzl]

Do I need to click on 'FixMbr' ??

Not as far as I can see, it shows as Vista default MBR code which is correct.
 

As I told you on my first post, I wasn't not sure if I get or not a malware. I opened this thread to be sure that I'm safe of malwares.

Yes, I don't think this is a malware issue. Nothing leaping out at me there.

You have already tried System File Checker and chkdsk so not much more I can suggest before sending you to the tech forums.

I guess you could try this one if you don't already know about it:

Windows Repair (All In One) from here.

It will allow you to repair common issues with your computer such as firewall, file permission, and Windows Update problems.  When using this tool you can select the particular fixes you would like to launch and start the repair process.

Please download the tool to your desktop.

It will probably come as a Zip file and you will need to right click on the Zip file and click Extract. The contents will then be extracted to a separate folder.   

Double click the folder (Tweaking dot.com - Windows Repair) then from the list that shows double click the file (about the 5th one down the list) Repair_Windows.exe to run the program.

For your situation, when the program opens I suggest you click on the tab Start Repairs and the button Start

At the list that presents put a check (tick) in the following:

• Reset Registry Permissions
• Reset File Permissions
• Register System Files
• Repair WMI
• Repair Internet Explorer
• Repair MDAC & MS Jet
• Remove Policies Set By Infections
• Repair Icons
• Unhide Non System Files
• Repair Windows Updates

Also put a check in the Restart/Shutdown System When Finished (lower right) box.

and in Restart System

Then click on the Start button if it doesn't do it automatically

If it asks you to back up your system click No and continue

When it is finished come back and tell me how it went.
 

[ramaflore]

I have a few questions :

 

"Reset Registry Permissions" will don't delete any customizable keys I added in the past for boosting performance ? This is my first question.

 

On the Reset Registry Permissions and Reset File Permissions, I saw a few failed keys and system files while doing reset.

 

Do you need the logs files to have a look ? I can zip it for you.

[emeraldnzl]

will don't delete any customizable keys I added in the past for boosting performance ? This is my first question.

You really need a techie for those questions.

Having said that, as I understand it the tool returns system keys to default so yes would be the answer if they are to do with modified system keys. If not, I don't think so but can't be sure.
 
 

On the Reset Registry Permissions and Reset File Permissions, I saw a few failed keys and system files while doing reset.
Do you need the logs files to have a look ? I can zip it for you.

Hmm... for now please do this:

Please download Farbar Service Scanner and run.

• Make sure all the following options are checked:
  
   
• Internet Services
• Windows Firewall
• System Restore
• Security Center/Action Center
• Windows Update
• Windows Defender
• Other Services

• Press Scan
• A log (FSS.txt) will be created in the same directory the tool is run.
• Copy and paste the log back here.

[ramaflore]

Hi Emerald,

 

I won't go further as I'm know that it's not a malware issue. After running the Repair Windows on yesterday night, I started my laptop this morning and it couldn't fix my troubles. I gave up.

 

I don't know if a techie will help me. According to my research, it could be a HDD failure, motherboard failure or cmos battery down.

Edited by ramaflore, 02 April 2014 - 04:28 AM.

[emeraldnzl]

Hello ramaflore,

Yes I don't think it is a malware issue.

That last scan was just to check some services on your machine but as, you say, I am not sure that we would find anything that would make a difference.

I will give you some instructions for removing the tools we have been using and then, if you think it will help, you can open a topic in the Vista forum.

Follow these steps to uninstall Combofix and some tools used in the removal of malware. This will also clean out and reset your Restore Points
 

• Click START then RUN
• Now type Combofix /Uninstall in the runbox  and click OK.  Note the space between the X and the U, it needs to be there.
  
  

After that please go here to download OTC.

Run this program to remove most of the remaining tools we have been using.

If you are asked to reboot the machine to finish the Cleanup process choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep.

Any other tools remaining may be deleted.

-------------------------------------------------------------------------------------------------------------------

A reminder:  Remember to (re-install if uninstalled during cleaning) update and turn back on any anti-malware programs you may have turned off during the cleaning process.
-------------------------------------------------------------------------------------------------------------------

Here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article Strong passwords: How to create and use them.

----------------------------------------------------------------------------------------------------------------------

Java warning

Java is a popular point of entry to your computer for malicous programs. The United States Department of Homeland Security recommends that computer users disable Java, see here. Unless you need it to run an important software the safest approach is to completely uninstall Java. Where you do require it, then the next safest option is to disable it in your browsers until you need it, then enable it.

How to disable Java in your web browser and How to unplug Java from the browser

If you do still need Java then regularly check that it is up to date. Older versions are the most vulnerable to malicious attack.
 

• Download Java for Windows
  
  Reboot your computer.
  You also need to unininstall older versions of Java.
  
     
• Click Start > Control Panel > Add or Remove Programs
     
• Remove all Java updates except the latest one you have just installed.

----------------------------------------------------------------------------------------------------------------------
CryptoLocker Warning

There is a particularly nasty infection out there at the moment.

Go here for information about CryptoLocker Ransomeware

Download CryptoPrevent free for home use.

--------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future:



If you do not already have automatic updates set then it is recommended that you do set Windows to check, download and install your updates automatically.

    * Click Start > Control Panel > System and Security > Windows Update
    * Under Windows Update click on Turn automatic updating on or off
    * Check items shown to ensure you receive updates automatically. Click OK.

 Be aware of what emails you open and websites you visit.

Go here for some good advice about how to prevent infection.

A fun way to check your online safety literacy.

Quiz - getsafeonline

Have a safe and happy computing day!

 

[ramaflore]

Farbar Service Scanner Version: 25-02-2014
Ran by Flore (administrator) on 03-04-2014 at 00:51:05
Running from "C:\Users\Flore\Desktop"
Microsoft® Windows Vista™ Professionnel  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\Windows\system32\wuaueng.dll".


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-04-20 10:24] - [2013-01-04 13:28] - 0905576 ____A (Microsoft Corporation) 74E2D020C47BB2B2FCCBA29A518A7EB4

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****