Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

MBAM detected "Malware.Gen.EVI". OTL won't run [Solved]

Started by UnderSiege , Oct 12 2012 01:01 PM

This topic is locked

#1
UnderSiege

Posted 12 October 2012 - 01:01 PM

Member

Member
104 posts

Hi Geeks,

In need of your assistance again. Problem first appeared yesterday evening when my inbox was full of delivery failed messages with no record of originals being sent by me. Contacted ISP who suspected my email address was being spoofed to mass mail SPAM. So, changed passwords etc and ran MBAM which quarantined "Malware.Gen.EVI" in a file "teamviewer.exe". No other detections from Avast, or a full scan by MBAM and, generally no other weird stuff happening.

However, for peace of mind I attempted to run OTL, but all 3 versions would not run. This has got me worried - should I be?

As ever, grateful for any help, thanks

UnderSiege

#2
Dakeyras

Posted 13 October 2012 - 04:33 AM

Anti-Malware Mammoth

Expert
9,773 posts

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome back to Geeks to Go.

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Next:

I would like to review the MBAM log from the scan you ran removing the infection mentioned if it is still available please.

Scan with DDS:

Please download DDS and save it to your Desktop from here.

Alternate downloads are here or here.

Disable any script blocker, and then double click on DDS to run the tool.
When done, DDS will open two logs:
DDS.txt <-- Will be opened
Attach.txt <-- Will be minimized
Save both reports to your desktop.
Please post the contents of these two Notepad files in your next reply.

When completed the above, please post back the following in the order asked for:

How is you computer performing now, any further symptoms and or problems encountered?
Requested MBAM Log(if available).
Both DDS Logs. <-- Post them individually please, IE: one Log per post/reply.

#3
UnderSiege

Posted 13 October 2012 - 08:33 AM

Member

Topic Starter
Member
104 posts

Hi Dakeyras

Thanks for picking this up. Let's hope it's a simple fix.

Here is the information in the order you requested

1. Computer behaviour. Nothing unusual, except that still can't run any version of OTL.

2. MBAM log of infection:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.11.14

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Dad :: DAD-PC [administrator]

11/10/2012 23:29:50
mbam-log-2012-10-11 (23-29-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235440
Time elapsed: 7 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Dad\AppData\Local\Temp\teamviewer.exe (Malware.Gen.EVI) -> Quarantined and deleted successfully.

(end)

3. DDS logs - first log DDS.text

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Dad at 15:16:20 on 2012-10-13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3070.1768 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Users\Dad\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=0409&m=imedia_x2416
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=0409&m=imedia_x2416
uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.7\youtubedownloaderToolbarIE.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.7\youtubedownloaderToolbarIE.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.7\youtubedownloaderToolbarIE.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Spotify Web Helper] "c:\users\dad\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [eRecoveryService]
mRun: [<NO NAME>]
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: servicaixa.com\www
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/gb/Core/Player/2020PlayerAX_IKEA_Win32.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{27FA60FB-5855-47ED-90FC-73C7DFD953D2} : DhcpNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dad\appdata\roaming\mozilla\firefox\profiles\fx6uefk1.default\
FF - component: c:\program files\mozilla firefox\extensions\[email protected]\components\qfaservices.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-7-29 65848]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-7-9 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-7-9 355632]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-9 228376]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-7-29 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-7-29 166840]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-7-9 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-7-9 58680]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-7-9 44808]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-7-14 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-7-14 497320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-7-29 976728]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-8-13 3064000]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2012-8-28 92632]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-7-31 44576]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-28 21520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9c12cff370f10;Google Update Service (gupdate1c9c12cff370f10);c:\program files\google\update\GoogleUpdate.exe [2009-2-1 133104]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-9 250808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-1 133104]
S3 HtcVCom32;HTC Diagnostic Port;c:\windows\system32\drivers\HtcVComV32.sys [2009-1-24 103424]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-9-27 745880]
S4 ETService;Empowering Technology Service;c:\program files\packardbell\packard bell recovery management\service\ETService.exe [2008-10-30 24576]
.
=============== File Associations ===============
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\system32\CScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-10-10 21:07:34 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 21:07:34 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 21:07:33 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 21:07:20 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 21:07:11 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 21:07:10 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-10-10 21:07:09 172544 ----a-w- c:\windows\system32\wintrust.dll
.
==================== Find3M ====================
.
2012-10-08 20:42:53 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-08 20:42:53 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-07 16:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-21 09:13:15 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:13:14 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-21 09:12:33 41224 ----a-w- c:\windows\avastSS.scr
2012-07-29 19:52:38 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
============= FINISH: 15:18:06.70 ===============

Second DDS log to follow in next post

#4
UnderSiege

Posted 13 October 2012 - 08:36 AM

Member

Topic Starter
Member
104 posts

2nd DDS log (Attach.txt)

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 09/04/2009 19:21:03
System Uptime: 13/10/2012 14:10:34 (1 hours ago)
.
Motherboard: Packard Bell BV | | MCP73PVT-PM
Processor: Intel® Core™2 Quad CPU Q8200 @ 2.33GHz | CPU 1 | 2003/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 586 GiB total, 407.183 GiB free.
D: is CDROM ()
J: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&130421A5&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&130421A5&0
Service: i8042prt
.
Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_058F&PID_9360\2004888
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_058F&PID_9360\2004888
Service: USBSTOR
.
==== System Restore Points ===================
.
RP1498: 15/09/2012 10:02:12 - Scheduled Checkpoint
RP1499: 20/09/2012 19:37:58 - Scheduled Checkpoint
RP1500: 21/09/2012 08:34:43 - Scheduled Checkpoint
RP1501: 22/09/2012 07:40:46 - Scheduled Checkpoint
RP1502: 22/09/2012 14:19:27 - Windows Update
RP1503: 23/09/2012 08:46:31 - Scheduled Checkpoint
RP1504: 24/09/2012 08:28:17 - Scheduled Checkpoint
RP1505: 25/09/2012 08:30:25 - Scheduled Checkpoint
RP1506: 26/09/2012 12:09:27 - Scheduled Checkpoint
RP1507: 27/09/2012 11:18:01 - Scheduled Checkpoint
RP1508: 28/09/2012 09:09:08 - Scheduled Checkpoint
RP1509: 29/09/2012 07:29:28 - Scheduled Checkpoint
RP1510: 30/09/2012 09:28:45 - Scheduled Checkpoint
RP1511: 01/10/2012 10:39:47 - Scheduled Checkpoint
RP1512: 02/10/2012 14:56:04 - Scheduled Checkpoint
RP1513: 03/10/2012 16:47:28 - Scheduled Checkpoint
RP1514: 04/10/2012 10:21:03 - Scheduled Checkpoint
RP1515: 05/10/2012 13:41:46 - Scheduled Checkpoint
RP1516: 06/10/2012 09:01:29 - Scheduled Checkpoint
RP1517: 07/10/2012 13:02:33 - Scheduled Checkpoint
RP1518: 08/10/2012 08:38:38 - Scheduled Checkpoint
RP1519: 09/10/2012 11:53:27 - Scheduled Checkpoint
RP1520: 10/10/2012 07:41:56 - Scheduled Checkpoint
RP1521: 10/10/2012 22:09:32 - Windows Update
RP1522: 12/10/2012 01:53:25 - Scheduled Checkpoint
RP1523: 12/10/2012 19:30:09 - Scheduled Checkpoint
RP1524: 13/10/2012 14:47:41 - Scheduled Checkpoint
.
==== Installed Programs ======================
.
AC3Filter 1.63b
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Photoshop Elements 6.0
Adobe Reader X (10.1.4)
Adobe Shockwave Player 11.5
ASCE v4.0
avast! Free Antivirus
BBC iPlayer Desktop
BT Broadband Desktop Help
BT Broadband Support Tools
BTHomeHub
CCleaner
Classic FTP
Compatibility Pack for the 2007 Office system
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DHTML Editing Component
Disketch CD Label Software
Driver Sweeper version 3.2.0
Epson Easy Photo Print 2
Epson Event Manager
Epson Print CD
EPSON Printer Software
Epson Printer Software Downloader
EPSON PX710W Series Printer Uninstall
EPSON Scan
Epson Stylus Photo PX710W_PX810FW_TX710W_TX810FW Manual
EpsonNet Print
EpsonNet Setup
GOM Player
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GoToAssist Corporate
HDReg
Home Accounts 2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HTC Rome USB Driver
HTC Sync for BrewMP
Image Writer
Java Auto Updater
Java™ 6 Update 29
LCD test
Logitech Webcam Software
Malwarebytes Anti-Malware version 1.65.0.1400
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2007
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2007
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2007
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox (2.0.0.11)
MPEG2 Codec(libmpeg2/mad)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NCH Toolbox
Nero 8 Essentials
neroxml
NVIDIA Control Panel 275.33
NVIDIA Drivers
NVIDIA Graphics Driver 275.33
NVIDIA Install Application
OGA Notifier 2.0.0048.0
Packard Bell Recovery Management
PDF-XChange 3
Rapport
Realtek High Definition Audio Driver
SeaTools for Windows
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553260) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589322) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2553488) 32-Bit Edition
Setup My PC
Sibelius Scorch (ActiveX Only)
SiSoftware Sandra Lite XI.SP1a (Win64/32/CE)
Skype Click to Call
Skype™ 5.10
Speccy
SpeedFan (remove only)
Spelling Dictionaries Support For Adobe Reader 8
Spotify
Stellarium 0.10.6.1
TomTom HOME
TomTom HOME Visual Studio Merge Modules
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553272) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598289) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Updator
USB2.0 PC Camera (SN9C201&202)
Where is M13? version 2.3
WMI Tools
YouTube Downloader Toolbar v4.7
YTD YouTube Downloader & Converter 3.7
ZoneAlarm Firewall
ZoneAlarm Free Firewall
ZoneAlarm LTD Toolbar
ZoneAlarm Security
.
==== Event Viewer Messages From Past Week ========
.
12/10/2012 14:47:59, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with

arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
12/10/2012 14:40:15, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx

aswSP aswTdi i8042prt RapportKELL spldr Wanarpv6
12/10/2012 14:40:15, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to

start because of the following error: The dependency service or group failed to start.
12/10/2012 14:40:10, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with

arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
12/10/2012 14:40:07, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with

arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
12/10/2012 14:40:06, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/10/2012 14:40:00, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service

ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
11/10/2012 23:56:49, Error: Service Control Manager [7023] - The Portable Device Enumerator Service service terminated with the following

error: The specified module could not be found.
.
==== End Of File ===========================

Many thanks again for your assitance,

UnderSiege

#5
Dakeyras

Posted 13 October 2012 - 01:15 PM

Anti-Malware Mammoth

Expert
9,773 posts

Hi.

Thanks for picking this up. Let's hope it's a simple fix.

You're welcome! We shall see...

Nothing unusual, except that still can't run any version of OTL.

Acknowledged.

Trusteer Rapport Advice:

No real need for this purported security software since you have avast! Free Antivirus installed. I am surmising you use a form of online banking and they in turn advised you download/install. To be quite honest it is far from effective, a system resource hog and if you have a decent Anti-Virus application installed as you do just no need. My friendly advice would be uninstall Rapport but this is at your own discretion to do so or not.

Scan with AdwCleaner:

Please download adwcleaner from here and save to your desktop.

Alternate download is here.

Right-click on adwcleaner.exe and select Run as Administrator to launch the application.
Now click on the Search tab.
Please post the contents of the log-file created in your next post.

Note: The log can also be located at C: >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been ran, so in this case may be something like R1.

Scan with aswMBR:

Please download aswMBR.exe to your desktop.

Right-click on aswMBR.exe and select Run as Administrator to launch the application.
When prompted with The application can use the Avast! Free Antivirus for scanning >> select No <-- You have the Avast AV installed so would defeat the object to scan with the same database etc.
Now click on the Scan button to start scan
On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply

Note: There will also be a file on your desktop named MBR.dat(or similir) do not delete this for now it is a actual backup of the MBR(master boot record).

#6
UnderSiege

Posted 14 October 2012 - 03:16 AM

Member

Topic Starter
Member
104 posts

Good morning

Trusteer Rapport Advice:

Thanks for the advice. You are spot-on with your assessment that my on-line bank strongly urges customers to use Trusteer Rapport . Incidentally, I have suspended my internet banking pending resolution of this investigation. And, It might seem odd to them if I were uninstall their preferred security protection. But, I shall make a point of discussing it with them once this case is resolved.

Here is the AdwCleaner log:

# AdwCleaner v2.004 - Logfile created 10/13/2012 at 22:15:39
# Updated 06/10/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Dad - DAD-PC
# Boot Mode : Normal
# Running from : C:\Users\Dad\Desktop\adwcleaner.exe
# Option [Search]

***** [Services] *****

Found : Application Updater

***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\.autoreg
Folder Found : C:\Program Files\Application Updater
Folder Found : C:\Program Files\Common Files\spigot
Folder Found : C:\Program Files\YouTube Downloader Toolbar
Folder Found : C:\Users\Dad\AppData\LocalLow\Search Settings
Folder Found : C:\Users\Dad\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Search Settings
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Found : HKLM\Software\Application Updater
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SearchSettings
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Found : HKLM\Software\Search Settings
Key Found : HKU\S-1-5-21-1981138412-3051455907-200072712-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{F3FEE66E-E034-436A-86E4-9690573BEE8A}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{F3FEE66E-E034-436A-86E4-9690573BEE8A}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://isearch.avg.com/tab?cid={33732E39-FC73-4341-AD1B-862CBE43A038}&mid=d8184301d449186af60e965ee10c5370-06f1eb580e288fab3e7c70922a03b2508731aed3&lang=en&ds=AVG&pr=fr&d=2011-10-12 18:37:37&v=8.0.0.34&sap=nt

-\\ Mozilla Firefox v2.0.0.11 (en-GB)

Profile name : default
File : C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\fx6uefk1.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Dad\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3338 octets] - [13/10/2012 22:15:39]

########## EOF - C:\AdwCleaner[R1].txt - [3398 octets] ##########

And here is the aswMBR log. I left this to run overnight, but strangely the computer had shut itself down by morning. That's not happened before - maybe unconnected? So re-ran this morning. Incidentally, I never got the prompt: "The application can use the Avast! Free Antivirus for scanning" so I hit Scan anyway.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-14 08:42:16
-----------------------------
08:42:16.284 OS Version: Windows 6.0.6002 Service Pack 2
08:42:16.285 Number of processors: 4 586 0x1707
08:42:16.286 ComputerName: DAD-PC UserName: Dad
08:42:24.849 Initialize success
08:42:24.962 AVAST engine defs: 12101301
08:42:37.611 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000058
08:42:37.613 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
08:42:37.624 Disk 0 MBR read successfully
08:42:37.627 Disk 0 MBR scan
08:42:37.630 Disk 0 Windows VISTA default MBR code
08:42:37.639 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10240 MB offset 2048
08:42:37.649 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 600238 MB offset 20973568
08:42:37.655 Disk 0 scanning sectors +1250261680
08:42:37.782 Disk 0 scanning C:\Windows\system32\drivers
08:42:46.830 Service scanning
08:43:01.599 Modules scanning
08:43:15.201 Disk 0 trace - called modules:
08:43:15.239 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
08:43:15.569 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a0d6ac8]
08:43:15.574 3 CLASSPNP.SYS[8e1bf8b3] -> nt!IofCallDriver -> [0x8964c700]
08:43:15.579 5 acpi.sys[8689a6bc] -> nt!IofCallDriver -> \Device\00000058[0x88798ad8]
08:43:16.640 AVAST engine scan C:\Windows
08:43:35.615 AVAST engine scan C:\Windows\system32
08:46:32.863 AVAST engine scan C:\Windows\system32\drivers
08:46:57.887 AVAST engine scan C:\Users\Dad
09:13:01.219 AVAST engine scan C:\ProgramData
09:21:34.120 Scan finished successfully
09:37:09.678 Disk 0 MBR has been saved successfully to "C:\Users\Dad\Desktop\MBR.dat"
09:37:09.685 The log file has been saved successfully to "C:\Users\Dad\Desktop\aswMBR.txt"

And I can confirm that MBR.dat has been saved to my desktop.

Thanks

#7
Dakeyras

Posted 14 October 2012 - 06:36 AM

Anti-Malware Mammoth

Expert
9,773 posts

Hi.

Thanks for the advice. You are spot-on with your assessment that my on-line bank strongly urges customers to use Trusteer Rapport . Incidentally, I have suspended my internet banking pending resolution of this investigation. And, It might seem odd to them if I were uninstall their preferred security protection. But, I shall make a point of discussing it with them once this case is resolved.

You're welcome and fair play.

I left this to run overnight, but strangely the computer had shut itself down by morning. That's not happened before - maybe unconnected? So re-ran this morning. Incidentally, I never got the prompt: "The application can use the Avast! Free Antivirus for scanning" so I hit Scan anyway.

Actually the scan is fairly quick without the AV component being used but it has actually been used. Not a problem either way in the great scheme of things. As for why your machine shut down...do you mean it powered down and or went into hibernate mode?

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

Please go here and download ERUNT.
ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
Right-click on erunt-setup.exe and select Run as Administrator to Install ERUNT by following the prompts.
Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder.
Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
Make sure that at least the first two check boxes are selected.
Click on OK
Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Re-scan with AdwCleaner:

Right-click on adwcleaner.exe and select Run as Administrator to launch the application.
Now click on the Delete tab >> reboot your machine if not prompted to do so.
Please post the contents of the log-file created in your next post.

Note: The log can also be located at C: >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been ran, so in this case should be something like S1.

#8
UnderSiege

Posted 14 October 2012 - 07:32 AM

Member

Topic Starter
Member
104 posts

Good Afternoon,

As for why your machine shut down...do you mean it powered down and or went into hibernate mode?

The computer had fully powered down. I shall leave it running tonight to see if it happens again.

Install ERUNT

All done and back-up taken.

Here is the latest AdwCleaner log:

# AdwCleaner v2.004 - Logfile created 10/14/2012 at 14:20:40
# Updated 06/10/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Dad - DAD-PC
# Boot Mode : Normal
# Running from : C:\Users\Dad\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

Stopped & Deleted : Application Updater

***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\.autoreg
Folder Deleted : C:\Program Files\Application Updater
Folder Deleted : C:\Program Files\Common Files\spigot
Folder Deleted : C:\Program Files\YouTube Downloader Toolbar
Folder Deleted : C:\Users\Dad\AppData\LocalLow\Search Settings
Folder Deleted : C:\Users\Dad\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Deleted : HKLM\Software\Application Updater
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SearchSettings
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Deleted : HKLM\Software\Search Settings
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{F3FEE66E-E034-436A-86E4-9690573BEE8A}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{F3FEE66E-E034-436A-86E4-9690573BEE8A}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://isearch.avg.com/tab?cid={33732E39-FC73-4341-AD1B-862CBE43A038}&mid=d8184301d449186af60e965ee10c5370-06f1eb580e288fab3e7c70922a03b2508731aed3&lang=en&ds=AVG&pr=fr&d=2011-10-12 18:37:37&v=8.0.0.34&sap=nt --> hxxp://www.google.com

-\\ Mozilla Firefox v2.0.0.11 (en-GB)

Profile name : default
File : C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\fx6uefk1.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Dad\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3467 octets] - [13/10/2012 22:15:39]
AdwCleaner[S1].txt - [3345 octets] - [14/10/2012 14:20:40]

########## EOF - C:\AdwCleaner[S1].txt - [3405 octets] ##########

I think we are making progress, and I have also figured out how to use the quote box

#9
Dakeyras

Posted 14 October 2012 - 01:31 PM

Anti-Malware Mammoth

Expert
9,773 posts

Hi.

The computer had fully powered down. I shall leave it running tonight to see if it happens again.

OK, what exact make and modal is the machine please.

I think we are making progress, and I have also figured out how to use the quote box

Aye indeed and good, lets proceed as follows shall we...

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

How to use ComboFix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall and Anti-malware Programs <-- Click on this link.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activity and asks to reboot the system, please allow this to be done.

If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a trained Anti-Malware helper.

When completed the above, please post back the following in the order asked for:

How is your computer performing now, any other symptoms and or problems encountered?
Answer to my computer make/modal query.
ComboFix Log.
A new DDS Log. <-- I do not need to review a new Attach.txt, just the DDS.txt

#10
UnderSiege

Posted 14 October 2012 - 02:46 PM

Member

Topic Starter
Member
104 posts

Good Evening Dakeyras

How is your computer performing now, any other symptoms and or problems encountered?

OTL still won't run, but everything else seems normal.
<LI>

Answer to my computer make/modal query

.

Make: Packard Bell
Model: IMEDIA X2416
<LI>

ComboFix Log.

ComboFix 12-10-14.03 - Dad 14/10/2012 20:52:56.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3070.1897 [GMT 1:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: ZoneAlarm Free Firewall Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\xml3E87.tmp
c:\programdata\xml401E.tmp
c:\users\Dad\GoToAssistDownloadHelper.exe
c:\users\Guest\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A61A7C20-0E14-4124-A755-51D7929ABA07}.xps
c:\windows\system32\Install.cmd
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_nvsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-09-14 to 2012-10-14 )))))))))))))))))))))))))))))))
.
.
2012-10-14 13:18 . 2012-10-14 13:18 -------- d-----w- c:\program files\ERUNT
2012-10-10 21:07 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 21:07 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 21:07 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 21:07 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 21:07 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 21:07 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-10-10 21:07 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-08 20:42 . 2012-07-09 16:27 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-08 20:42 . 2012-07-09 16:27 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-07 16:04 . 2011-11-14 11:14 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-21 09:13 . 2012-07-09 16:48 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-21 09:13 . 2012-07-09 16:48 355632 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-21 09:13 . 2012-07-09 16:48 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:13 . 2012-07-09 16:48 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-08-21 09:13 . 2012-07-09 16:48 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-21 09:13 . 2012-07-09 16:48 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-21 09:12 . 2011-10-16 10:42 41224 ----a-w- c:\windows\avastSS.scr
2012-08-21 09:12 . 2012-07-09 16:47 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-29 19:52 . 2012-07-29 19:52 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2007-11-28 19:31 . 2008-08-21 21:10 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:31 . 2008-08-21 21:10 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:31 . 2008-08-21 21:10 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:31 . 2008-08-21 21:10 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:31 . 2008-08-21 21:10 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\users\Dad\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-21 1193176]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-03 73392]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-07-09 20:48 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKLM\~\startupfolder\C:^Users^Dad^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-09-10 23:43 67488 ----a-w- c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-27 20:51 35768 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 13:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2009-12-07 11:50 1584640 ----a-w- c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2009-04-07 09:13 673616 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON PX710W Series]
2009-02-23 15:00 199680 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIFSE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync]
2010-04-16 11:55 180224 ----a-w- c:\program files\HTC\HTC Sync for BrewMP\AutoDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 13:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-05-21 06:01 3693672 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-05-21 06:01 111208 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
2009-06-05 11:38 468408 ----a-w- c:\windows\System32\Adobe\Shockwave 11\SwHelper_1150600.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmpcSys]
2008-07-07 15:26 1038136 ----a-w- c:\program files\PACKARD BELL\SetUpMyPC\SmpSys.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-08-21 15:47 1193176 ----a-w- c:\users\Dad\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 12:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-19 20:22 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2012-08-28 06:41 247768 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
2009-03-10 18:28 258048 ----a-w- c:\windows\tsnp2std.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-09 21:03]
.
2012-10-14 c:\windows\Tasks\Epson Printer Software Downloader.job
- c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-05-26 11:43]
.
2011-10-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-19 12:39]
.
2012-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc6ffe48569470.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 12:42]
.
2012-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc6ffe48a88500.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 12:42]
.
2012-10-14 c:\windows\Tasks\Recovery DVD Creator-Dad.job
- c:\program files\Packard Bell\SetupMyPc\MCDCheck.exe [2008-08-21 15:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=0409&m=imedia_x2416
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: servicaixa.com\www
TCP: DhcpNameServer = 192.168.1.254
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/gb/Core/Player/2020PlayerAX_IKEA_Win32.cab
FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\fx6uefk1.default\
.
.
------- File Associations -------
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-ISW - (no file)
MSConfigStartUp-MMReminderService - c:\program files\Mindjet\MindManager 10\MMReminderService.exe
MSConfigStartUp-RemoteControl11 - c:\program files\CyberLink\PowerDVD11\PDVD11Serv.exe
MSConfigStartUp-RtHDVCpl - RtHDVCpl.exe
MSConfigStartUp-Skytel - Skytel.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-14 21:05
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\CheckPoint\ZAForceField\IswSvc.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-10-14 21:09:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-14 20:09
.
Pre-Run: 438,874,419,200 bytes free
Post-Run: 438,207,954,944 bytes free
.
- - End Of File - - EB23C9759FEAFB569D112931FEC71815

<LI>

A new DDS Log. <-- I do not need to review a new Attach.txt, just the DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Dad at 21:32:59 on 2012-10-14
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3070.1760 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Free Firewall Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Explorer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=0409&m=imedia_x2416
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Spotify Web Helper] "c:\users\dad\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: servicaixa.com\www
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/gb/Core/Player/2020PlayerAX_IKEA_Win32.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{27FA60FB-5855-47ED-90FC-73C7DFD953D2} : DhcpNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dad\appdata\roaming\mozilla\firefox\profiles\fx6uefk1.default\
FF - component: c:\program files\mozilla firefox\extensions\[email protected]\components\qfaservices.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-7-29 65848]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-7-9 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-7-9 355632]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-9 228376]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-7-29 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-7-29 166840]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-7-9 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-7-9 58680]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-7-9 44808]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-7-14 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-7-14 497320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-7-29 976728]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-8-13 3064000]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2012-8-28 92632]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-7-31 44576]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9c12cff370f10;Google Update Service (gupdate1c9c12cff370f10);c:\program files\google\update\GoogleUpdate.exe [2009-2-1 133104]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-9 250808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-1 133104]
S3 HtcVCom32;HTC Diagnostic Port;c:\windows\system32\drivers\HtcVComV32.sys [2009-1-24 103424]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-28 21520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 ETService;Empowering Technology Service;c:\program files\packardbell\packard bell recovery management\service\ETService.exe [2008-10-30 24576]
.
=============== File Associations ===============
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\system32\CScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-10-14 20:09:15 -------- d-----w- c:\users\dad\appdata\local\temp
2012-10-14 20:04:54 -------- d-----w- C:\$RECYCLE.BIN
2012-10-14 19:51:01 98816 ----a-w- c:\windows\sed.exe
2012-10-14 19:51:01 518144 ----a-w- c:\windows\SWREG.exe
2012-10-14 19:51:01 256000 ----a-w- c:\windows\PEV.exe
2012-10-14 19:51:01 208896 ----a-w- c:\windows\MBR.exe
2012-10-10 21:07:34 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 21:07:34 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 21:07:33 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 21:07:20 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 21:07:11 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 21:07:10 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-10-10 21:07:09 172544 ----a-w- c:\windows\system32\wintrust.dll
.
==================== Find3M ====================
.
2012-10-08 20:42:53 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-08 20:42:53 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-07 16:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-21 09:13:15 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:13:14 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-21 09:12:33 41224 ----a-w- c:\windows\avastSS.scr
2012-07-29 19:52:38 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
============= FINISH: 21:33:27.18 ===============

I notice that on rebooting none of my security software (Avast, Zone Alarms and Trusteer Rapport) has started. Should I start these manually?

#11
Dakeyras

Posted 15 October 2012 - 05:52 AM

Anti-Malware Mammoth

Expert
9,773 posts

Hi.

I notice that on rebooting none of my security software (Avast, Zone Alarms and Trusteer Rapport) has started. Should I start these manually?

In theory all should restart again, if not doing so manually is fine. I will be advising temp' disabling again for the duration of the custom ComboFix script below, plus it appears that by the time DDS was re-run all had started apart from ZoneAlarm and Windows Defender, the latter has no need to be enabled anyway.

For future reference if not aware Windows Defender cannot be uninstalled because it is a integral part of the Vista operating system. A graphical tutorial explaining how to to disable correctly can be viewed here.

OTL still won't run, but everything else seems normal.

A good sign apart from OTL. We have not completed the malware removal process yet though.

Did your machine power itself down again ?

Java Advice:

The version installed is out of date and deemed a security risk, so uninstall both Java™ 6 Update 29 and Java Auto Updater.

Regarding a new Java installation, I strongly advise against re-installing a updated version at present because the software as a whole has been severely exploited of late and your machine could end up seriously infected. Even though this exploit has been reportedly fixed there is still a vulnerability with the software.

Your choice if you wish to go ahead and reinstall but as mentioned I advise against it and for the present I do not even have anything Java related installed on my machines.

So let myself know what you wish to do about this in your next reply please.

MSConfig Advice:

Personally I do not think it wise to use the System Configuration Utility unless you know exactly what your are doing as otherwise serious problems may arise.

I advise you consider this application to use instead, it will also provide a extra layer of system protection via its monitoring activities.

WinPatrol:

Download it from here

You can find information about how WinPatrol works here

Note: Do not download/install just yet as it may hinder the malware removal process but by all means do so when I give the all clear if you so wish.

Custom ComboFix Script:

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote-box(do not copy the word quote) below:

DDS::
mURLSearchHooks: H - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
Trusted Zone: servicaixa.com\www

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
[-HKEY_CLASSES_ROOT\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}]
[-HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
[-HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON PX710W Series]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmpcSys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

ReBoot::

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

Caution: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Malwarebytes Anti-Malware:

Note: Remember to right click MBAM's excutible and select Run As Administrator.

Launch the application, Check for Updates >> Perform quick scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed the above, please post back the following in the order asked for:

How is your computer performing now, any further symptoms and or problems encountered?
Has your machine powered itself down again ?
Do you wish to install a updated version of Java ?
New ComboFix Log.
Malwarebytes Anti-Malware Log.

#12
UnderSiege

Posted 15 October 2012 - 01:59 PM

Member

Topic Starter
Member
104 posts

Good Evening

Sorry for the delayed response - lots to do and think about...............

How is your computer performing now, any further symptoms and or problems encountered?

Computer seems fine, except that OTL still won't run

Has your machine powered itself down again ?

I powered down the machine myself last night, as I was reluctant to leave it running with no anti-virus or firewall protection following the 1st run of ComboFix. I shall leave it on tonight with the usual security protections in place.

The version installed is out of date and deemed a security risk, so uninstall both Java™ 6 Update 29 and Java Auto Updater

Java 6 Update uninstalled, but unable to find the Java Auto Updater program - it did not show in the Program list in Control Panel

Do you wish to install a updated version of Java ?

Your advice about Java is very useful - thank you. But, can you tell me what functionality I would lose, if I choose not to re-install Java?.

New ComboFix Log

.

ComboFix 12-10-14.03 - Dad 15/10/2012 20:02:08.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3070.1713 [GMT 1:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
Command switches used :: c:\users\Dad\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: ZoneAlarm Free Firewall Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-15 to 2012-10-15 )))))))))))))))))))))))))))))))
.
.
2012-10-15 19:11 . 2012-10-15 19:11 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-10-15 19:11 . 2012-10-15 19:11 -------- d-----w- c:\users\UpdatusUser.Dad-PC\AppData\Local\temp
2012-10-15 19:11 . 2012-10-15 19:11 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2012-10-15 19:11 . 2012-10-15 19:11 -------- d-----w- c:\users\TEMP.Dad-PC\AppData\Local\temp
2012-10-15 19:11 . 2012-10-15 19:11 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-10-15 19:11 . 2012-10-15 19:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-14 20:09 . 2012-10-15 19:13 -------- d-----w- c:\users\Dad\AppData\Local\temp
2012-10-14 13:18 . 2012-10-14 13:18 -------- d-----w- c:\program files\ERUNT
2012-10-10 21:07 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 21:07 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 21:07 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 21:07 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 21:07 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 21:07 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-10-10 21:07 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-08 20:42 . 2012-07-09 16:27 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-08 20:42 . 2012-07-09 16:27 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-07 16:04 . 2011-11-14 11:14 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-21 09:13 . 2012-07-09 16:48 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-21 09:13 . 2012-07-09 16:48 355632 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-21 09:13 . 2012-07-09 16:48 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:13 . 2012-07-09 16:48 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-08-21 09:13 . 2012-07-09 16:48 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-21 09:13 . 2012-07-09 16:48 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-21 09:12 . 2011-10-16 10:42 41224 ----a-w- c:\windows\avastSS.scr
2012-08-21 09:12 . 2012-07-09 16:47 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-29 19:52 . 2012-07-29 19:52 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2007-11-28 19:31 . 2008-08-21 21:10 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:31 . 2008-08-21 21:10 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:31 . 2008-08-21 21:10 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:31 . 2008-08-21 21:10 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:31 . 2008-08-21 21:10 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\users\Dad\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-21 1193176]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-03 73392]
"ISW"="" [BU]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jaureg.exe" [2011-06-09 239336]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-07-09 20:48 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKLM\~\startupfolder\C:^Users^Dad^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-09 21:03]
.
2012-10-15 c:\windows\Tasks\Epson Printer Software Downloader.job
- c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-05-26 11:43]
.
2011-10-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-19 12:39]
.
2012-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc6ffe48569470.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 12:42]
.
2012-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc6ffe48a88500.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 12:42]
.
2012-10-15 c:\windows\Tasks\Recovery DVD Creator-Dad.job
- c:\program files\Packard Bell\SetupMyPc\MCDCheck.exe [2008-08-21 15:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=0409&m=imedia_x2416
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/gb/Core/Player/2020PlayerAX_IKEA_Win32.cab
FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\fx6uefk1.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-15 20:13
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\CheckPoint\ZAForceField\IswSvc.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-10-15 20:16:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-15 19:16
ComboFix2.txt 2012-10-14 20:09
.
Pre-Run: 436,920,274,944 bytes free
Post-Run: 437,518,647,296 bytes free
.
- - End Of File - - 8A97D466B5E5CB09F375A3B4C8866AFD

Malwarebytes Anti-Malware Log.

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.15.10

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Dad :: DAD-PC [administrator]

15/10/2012 20:23:29
mbam-log-2012-10-15 (20-23-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 246360
Time elapsed: 4 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

General:

From my untrained eye, it looks like we are making positive progress. I can see that ComboFix is indeed a powerful tool that must only be used under trained supervision. I was impressed with the use of bespoke command line switches from the script txt file you gave me.

Are you yet able to provide a diagnosis? I am curious that's all

#13
UnderSiege

Posted 15 October 2012 - 02:05 PM

Member

Topic Starter
Member
104 posts

Oh - forgot to add when ComboFix started a dialogue box opened asking whether I wanted to use a newer version. I chose "No" as I wasn't sure how an update might affect things.

#14
UnderSiege

Posted 16 October 2012 - 12:23 AM

Member

Topic Starter
Member
104 posts

Hi,

Did your machine power itself down again ?

No - it was still on this morning

#15
Dakeyras

Posted 16 October 2012 - 05:30 AM

Anti-Malware Mammoth

Expert
9,773 posts

Hi.

except that OTL still won't run

Can you inform myself what exactly happens when you attempt run OTL(you mentioned prior occurs with all three versions), are any error messages displayed ?

unable to find the Java Auto Updater program - it did not show in the Program list in Control Panel

Not a problem, it may have been uninstalled along with the main Java installation.

Your advice about Java is very useful - thank you. But, can you tell me what functionality I would lose, if I choose not to re-install Java?.

You're welcome! As for functionality, nothing really from day to day use of the machine. As for online not that much either, I use all of my machines extensively online and have not noticed anything mentioned about you do not have Java installed/you require Java etc.

Oh - forgot to add when ComboFix started a dialogue box opened asking whether I wanted to use a newer version. I chose "No" as I wasn't sure how an update might affect things.

Technically you could have allowed the update but since what has been updated has not been a issue with your machine, not a problem in the least. Either way being unsure, you undertook the correct course of action by informing myself. If all I assist did as you, it would make things a lot easier for myself.

From my untrained eye, it looks like we are making positive progress. I can see that ComboFix is indeed a powerful tool that must only be used under trained supervision. I was impressed with the use of bespoke command line switches from the script txt file you gave me.

Indeed we are. Aye ComboFix is a very useful tool but does take specific training to use it both correctly and safely.

Are you yet able to provide a diagnosis? I am curious that's all

So far the actual outcome of the malware removal process is most favourable and just one more scan to err on the side of caution.

No - it was still on this morning

OK. Strange occurrence, maybe some one else powered down the machine and neglected to inform you ? As never heard(seen) of malware doing such as would defeat the object there. Feasible it may be due to some faulting hardware but seen no indication of that. If it happens again my best advice would be post a topic in this part of the forum:-

Hardware, Components and Peripherals

Though it may be just one of those things, gremlins in the machine as they say...

Update Mozilla Firefox:

The version you have installed is very old, 2.0.0.11 so the in-built updater will probably be unable to update too the current version.

So merely uninstall the version installed now and re-download/install from here. Or if you actually do not use Mozilla Firefox, just uninstall as having out of date software installed is deemed a security risk.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

Please go here to run the scan...

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then right-click on it select Run as Administrator to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on:
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
Now click on:
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on:
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.