virus help and slow computer

Old 07-29-2013, 05:52 AM   #1
Registered Member
 
Join Date: Aug 2012
Posts: 8
OS: windows 7



Hi all,

I'm trying to clean out my parents' computer, as it seems like there are a few viruses on there. Obvious ones I can see: new.net installed into the browser and desktop, pop-up surveys that appear even when the browser isn't open, and a mixdjsearch homepage and toolbar, I think, but I'm sure there are many more.

Here is my dds:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by M.S.Y. Technology at 20:47:53 on 2013-07-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.679 [GMT 10:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\samsung\panelmgr\SSMMgr.exe
C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vVX6000.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\HP\HP Photosmart 7510 series\Bin\ScanToPCActivationApp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\News.net\BreakingNews\DesktopContainer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Update\1.3.21.153\GoogleCrashHandler.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\News.net\NewsNetService.exe
C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\HP\HP Photosmart 7510 series\bin\HPNetworkCommunicator.exe
C:\Program Files\HP\HP Photosmart 7510 series\Bin\HPNetworkCommunicator.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://au.search.yahoo.com?type=407453&fr=spigot-yhp-ie
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: MSS+ Identifier: {0e8a89ad-95d7-40eb-8d9d-083ef7066a01} - c:\program files\mcafee security scan\3.0.318\McAfeeMSS_IE.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: TopArcadeHits Games: {a7a9d7e7-e0c0-4202-9f13-6a06bd073cda} - c:\documents and settings\m.s.y. technology\local settings\application data\toparcadehits\Toparcadehits.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: news.net: {ba3e58f7-60c6-485e-a775-0c1fd9c0e55e} - c:\program files\news.net\ie\ScriptHost.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Media Codec Update Service] c:\program files\essentials codec pack\WECPUpdate.exe -s
uRun: [Google Update] "c:\documents and settings\m.s.y. technology\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [HP Photosmart 7510 series (NET)] "c:\program files\hp\hp photosmart 7510 series\bin\ScanToPCActivationApp.exe" -deviceID "CN22E3416W05T6:NW" -scfn "HP Photosmart 7510 series (NET)" -AutoStart 1
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [Adobe Reader Synchronizer] "c:\program files\adobe\reader 11.0\reader\AdobeCollabSync.exe"
uRun: [News.net] c:\program files\news.net\breakingnews\DesktopContainer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ErrorTeck] c:\program files\errorteck\ErrorTeck.exe /scan
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [CDAServer] c:\program files\common files\common desktop agent\CDASrv.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\msy~1.tec\startm~1\programs\startup\monito~1.lnk - c:\windows\system32\RunDll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asuswi~1.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.318\SSScheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: SmarThru4 Capture Selection - c:\program files\smarthru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\smarthru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\smarthru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\smarthru 4\WebCapture.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://mcpuk1.jpmorgan.com/llclient/myatawap/winxp/AXXPEE.dll
DPF: {785F7664-AD0E-4CBA-8F28-F6C485A9E648} - hxxps://www-ap.myataw.com/ebctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sera-mtl.cgi.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9FE8F3AE-C4E9-41A2-83A8-92B29C33E2C3} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\m.s.y. technology\application data\mozilla\firefox\profiles\2vjtkdur.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://au.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=407453&p=
FF - prefs.js: browser.startup.homepage - hxxp://au.search.yahoo.com?type=407453&fr=spigot-yhp-ff
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\m.s.y. technology\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\m.s.y. technology\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\m.s.y. technology\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\m.s.y. technology\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.mixidj.tlbrSrchUrl -
FF - user.js: extensions.mixidj.id - 38c5c69b0000000000000015af519411
FF - user.js: extensions.mixidj.appId - {A2773ED4-83BD-488A-A186-73590706C916}
FF - user.js: extensions.mixidj.instlDay - 15863
FF - user.js: extensions.mixidj.vrsn - 1.8.18.8
FF - user.js: extensions.mixidj.vrsni - 1.8.18.8
FF - user.js: extensions.mixidj.vrsnTs - 1.8.18.812:37:52
FF - user.js: extensions.mixidj.prtnrId - mixidj
FF - user.js: extensions.mixidj.prdct - mixidj
FF - user.js: extensions.mixidj.aflt - babsst
FF - user.js: extensions.mixidj.smplGrp - none
FF - user.js: extensions.mixidj.tlbrId - baseyh
FF - user.js: extensions.mixidj.instlRef - sst
FF - user.js: extensions.mixidj.dfltLng - en
FF - user.js: extensions.mixidj.excTlbr - false
FF - user.js: extensions.mixidj.ffxUnstlRst - false
FF - user.js: extensions.mixidj.admin - false
FF - user.js: extensions.mixidj.autoRvrt - false
FF - user.js: extensions.mixidj.rvrt - false
FF - user.js: extensions.mixidj.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R1 NEOFLTR_640_16949;Juniper Networks TDI Filter Driver (NEOFLTR_640_16949);c:\windows\system32\drivers\NEOFLTR_640_16949.sys [2010-10-28 85360]
R2 NewsNetService;NewsNetService;c:\program files\news.net\NewsNetService.exe [2013-7-18 248976]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2013-5-14 3289208]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.sys [2010-10-15 5120]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-4-3 176128]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-4-3 13532]
S1 NEOFLTR_550_12415;Juniper Networks TDI Filter Driver (NEOFLTR_550_12415);\??\c:\windows\system32\drivers\neofltr_550_12415.sys --> c:\windows\system32\drivers\NEOFLTR_550_12415.SYS [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-21 162408]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2013-2-24 256904]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-12-3 30192]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.318\McCHSvc.exe [2013-2-6 235216]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2007-7-27 14336]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2010-1-29 2074480]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [2011-9-3 105216]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [2011-9-3 105216]
.
=============== Created Last 30 ================
.
2013-07-28 10:47:38 -------- d--h--w- c:\windows\PIF
2013-07-27 07:08:23 -------- d-----w- c:\documents and settings\m.s.y. technology\local settings\application data\etax2013
2013-07-27 06:54:31 -------- d-----w- c:\program files\etax2013
2013-07-25 0240 -------- d-----w- c:\documents and settings\all users\application data\YTD Video Downloader
2013-07-25 0224 -------- d-----w- c:\program files\GreenTree Applications
2013-07-25 0211 -------- d-----w- c:\documents and settings\m.s.y. technology\local settings\application data\TopArcadeHits
2013-07-25 0203 -------- d-----w- c:\program files\News.net
2013-07-13 03:05:16 0 ----a-w- c:\program files\GUM6F.tmp
2013-07-12 13:20:43 -------- d-----w- c:\windows\system32\MRT
2013-07-10 05:21:57 -------- d-----w- C:\Henry trip France
2013-07-10 05:21:33 -------- d-----w- C:\Henry trip Swiss
2013-07-09 07:29:00 -------- d-----w- C:\Henry trip Eu
2013-07-09 07:28:15 -------- d-----w- C:\Henry trip Sarawak
2013-07-08 19:21:04 -------- d-----w- C:\Henry trip cebu
.
==================== Find3M ====================
.
2013-06-13 02:25:21 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-13 02:25:20 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-07 21:56:06 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56:06 43520 ------w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-07 13:55:44 385024 ------w- c:\windows\system32\html.iec
2013-06-04 07:23:02 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40:45 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-08 14:28:02 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 01:30:20 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:17 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 20:49:02.89 ===============

__________________
Morericewong is offline  
Old 07-31-2013, 01:00 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,654
OS: XP SP3; Win7 32/64-bit



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please explain why this computer has no antivirus program installed and running. This is an open invitation for infection.

It can take as little as eight seconds to infect an unprotected computer.

Please keep this computer offline except when downloading tools and posting in the forum until we get one installed.

Let me know your intentions for an antivirus program, and/or if you need a suggestion.

------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

News.net

This program is rogueware. Rogue or Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

Please delete the following Folder if it still exists:

C:\Program Files\News.net

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner[S#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 08-08-2013, 07:41 AM   #3
Registered Member
 
Join Date: Aug 2012
Posts: 8
OS: windows 7



Hi Chemist,

Thanks for your reply. Sorry, I have been on holidays and didn't have the affected computer to work with.

Sorry, I didn't realise there was no anti-virus installed. I installed AVG Free edition. Would you suggest another instead?

I deleted News.net, and here is the AdwCleaner[S2].txt:

# AdwCleaner v2.306 - Logfile created 08/09/2013 at 00:15:17
# Updated 19/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : M.S.Y. Technology - M-471B26955DEA4
# Boot Mode : Normal
# Running from : C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\AdwCleaner (1).exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search
File Deleted : C:\Documents and Settings\M.S.Y. Technology\Application Data\Mozilla\Firefox\Profiles\2vjtkdur.default\bProtector_extensions.rdf
File Deleted : C:\Documents and Settings\M.S.Y. Technology\Application Data\Mozilla\Firefox\Profiles\2vjtkdur.default\bprotector_prefs.js
File Deleted : C:\Documents and Settings\M.S.Y. Technology\Application Data\Mozilla\Firefox\Profiles\2vjtkdur.default\searchplugins\Babylon.xml
File Deleted : C:\Documents and Settings\M.S.Y. Technology\Application Data\Mozilla\Firefox\Profiles\2vjtkdur.default\searchplugins\mixidj.xml
File Deleted : C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\User Data\Default\bProtector Web Data
File Deleted : C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\User Data\Default\bprotectorpreferences
File Deleted : C:\Program Files\Mozilla Firefox\.autoreg
File Deleted : C:\WINDOWS\Tasks\BrowserDefendert.job
File Deleted : C:\WINDOWS\Tasks\EPUpdater.job
Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Application Data\BrowserDefender
Folder Deleted : C:\Documents and Settings\M.S.Y. Technology\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\M.S.Y. Technology\Application Data\BabSolution
Folder Deleted : C:\Documents and Settings\M.S.Y. Technology\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\M.S.Y. Technology\Application Data\Mozilla\Firefox\Profiles\2vjtkdur.default\extensions\ffxtlbr@babylon.com
Folder Deleted : C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\AVG Secure Search
Folder Deleted : C:\Program Files\AVG Secure Search

***** [Registry] *****

Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{18B9B16E-716F-43DF-A6AD-512C7D2EB983}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\PropertySync.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v3.6 (en-GB)

File : C:\Documents and Settings\M.S.Y. Technology\Application Data\Mozilla\Firefox\Profiles\2vjtkdur.default\prefs.js

C:\Documents and Settings\M.S.Y. Technology\Application Data\Mozilla\Firefox\Profiles\2vjtkdur.default\user.js ... Deleted !

Deleted : user_pref("browser.newtab.url", "hxxp://mixidj.delta-search.com/?affID=121136&babsrc=NT_ss&mntrId=38[...]
Deleted : user_pref("extensions.crossriderapp26276.adsOldValue", -1);

-\\ Google Chrome v28.0.1500.95

File : C:\Documents and Settings\M.S.Y. Technology\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.3608] : urls_to_restore_on_startup = [ "hxxp://au.search.yahoo.com?type=407453&fr=spigot-yhp-ch", "ht[...]

*************************

AdwCleaner[S1].txt - [414 octets] - [08/08/2013 21:00:22]
AdwCleaner[S2].txt - [7545 octets] - [09/08/2013 00:15:17]

########## EOF - C:\AdwCleaner[S2].txt - [7605 octets] ##########



Thank you for your help! :)
__________________
Morericewong is offline  
Old 08-08-2013, 02:32 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,654
OS: XP SP3; Win7 32/64-bit



Hello Morericewong. You're very welcome.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:


  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
chemist is offline  
Old 08-09-2013, 08:13 AM   #5
Registered Member
 
Join Date: Aug 2012
Posts: 8
OS: windows 7



hi Chemist

here is the combofix log

ComboFix 13-08-07.01 - M.S.Y. Technology 10/08/2013 0:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1190 [GMT 10:00]
Running from: c:\documents and settings\M.S.Y. Technology\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\htmlayout.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_es.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaconf.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfacz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfada.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaes.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfafr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfage.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfahu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfain.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfait.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfajp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfako.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfams.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfanl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfask.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfatr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfavera.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaverx.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\windows\system32\SET98.tmp
.
.
((((((((((((((((((((((((( Files Created from 2013-07-09 to 2013-08-09 )))))))))))))))))))))))))))))))
.
.
2013-08-08 11:32 . 2013-08-08 11:32 -------- d-----w- c:\documents and settings\M.S.Y. Technology\Application Data\AVG2013
2013-08-08 11:30 . 2013-08-08 11:30 -------- d-----w- c:\documents and settings\M.S.Y. Technology\Application Data\TuneUp Software
2013-08-08 11:30 . 2013-08-08 11:29 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-08-08 11:30 . 2013-08-08 14:26 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2013-08-08 11:27 . 2013-08-08 11:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2013
2013-08-08 11:27 . 2013-08-08 11:27 -------- d-----w- C:\$AVG
2013-08-08 10:50 . 2013-08-08 10:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2013-08-08 10:50 . 2013-08-08 11:49 -------- d-----w- c:\documents and settings\M.S.Y. Technology\Local Settings\Application Data\Avg2013
2013-08-08 10:50 . 2013-08-08 10:50 -------- d-----w- c:\documents and settings\M.S.Y. Technology\Local Settings\Application Data\MFAData
2013-07-28 10:47 . 2013-07-28 10:47 -------- d--h--w- c:\windows\PIF
2013-07-27 07:08 . 2013-07-27 07:08 -------- d-----w- c:\documents and settings\M.S.Y. Technology\Local Settings\Application Data\etax2013
2013-07-27 06:54 . 2013-07-27 06:54 -------- d-----w- c:\program files\etax2013
2013-07-25 02:06 . 2013-07-25 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\YTD Video Downloader
2013-07-25 02:06 . 2013-07-25 02:06 -------- d-----w- c:\program files\GreenTree Applications
2013-07-19 15:51 . 2013-07-19 15:51 246072 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-07-19 15:50 . 2013-07-19 15:50 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-07-19 15:50 . 2013-07-19 15:50 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-19 15:50 . 2013-07-19 15:50 171320 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-07-13 03:05 . 2013-07-13 03:05 0 ----a-w- c:\program files\GUM6F.tmp
2013-07-12 13:20 . 2013-07-12 13:23 -------- d-----w- c:\windows\system32\MRT
2013-07-12 04:42 . 2013-07-12 04:42 6129024 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-07-12 04:42 . 2013-07-12 04:42 6129024 ----a-w- c:\program files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-09 15:32 . 2013-07-09 15:32 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-06-30 15:45 . 2013-06-30 15:45 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2013-06-13 02:25 . 2013-02-24 00:11 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-13 02:25 . 2013-02-24 00:11 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-07 21:56 . 2007-07-27 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2007-07-27 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2007-07-27 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-07 13:55 . 2007-07-27 12:00 385024 ------w- c:\windows\system32\html.iec
2013-06-04 07:23 . 2007-07-27 12:00 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2007-07-27 12:00 1876736 ----a-w- c:\windows\system32\win32k.sys
2010-06-26 03:48 . 2009-12-02 23:50 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"
[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]
2009-12-22 12:47 77824 ----a-w- c:\windows\system32\VirtualExpander\VEShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\WECPUpdate.exe" [2009-04-19 221184]
"HP Photosmart 7510 series (NET)"="c:\program files\HP\HP Photosmart 7510 series\Bin\ScanToPCActivationApp.exe" [2011-08-31 1804648]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-20 19875432]
"Adobe Reader Synchronizer"="c:\program files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe" [2013-05-11 694352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8491008]
"nwiz"="nwiz.exe" [2007-10-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-05 81920]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-26 30192]
"ErrorTeck"="c:\program files\ErrorTeck\ErrorTeck.exe" [2010-04-07 4804336]
"Samsung PanelMgr"="c:\windows\samsung\panelmgr\SSMMgr.exe" [2010-12-07 684032]
"CDAServer"="c:\program files\Common Files\Common Desktop Agent\CDASrv.exe" [2010-11-26 331264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-09 49208]
"VX6000"="c:\windows\vVX6000.exe" [2010-01-28 764784]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-06-30 4411440]
.
c:\documents and settings\M.S.Y. Technology\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Photosmart 7510 series (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Photosmart 7510 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN22E3416W05T6;CONNECTION=NW;MONITOR=1; [2007-7-27 33280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe /H [2008-4-3 987136]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-6 272248]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\M.S.Y. Technology\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Common Files\\Common Desktop Agent\\CDASrv.exe"=
"c:\\Program Files\\SAMSUNG\\Easy Printer Manager\\IDS.Application.exe"=
"c:\\Program Files\\SAMSUNG\\Easy Printer Manager\\OrderSupplies.exe"=
"c:\\Program Files\\SAMSUNG\\Easy Printer Manager\\IDSAlert.exe"=
"c:\\Program Files\\SAMSUNG\\Easy Printer Manager\\CDAS2PC\\CDAS2PC.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [20/07/2013 1:50 AM 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [20/07/2013 1:51 AM 246072]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [10/07/2013 1:32 AM 39224]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/07/2008 1:08 PM 717296]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [20/07/2013 1:50 AM 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [1/03/2013 10:32 AM 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [20/07/2013 1:50 AM 171320]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [21/03/2013 3:08 AM 182072]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [8/08/2013 9:30 PM 37664]
R1 NEOFLTR_640_16949;Juniper Networks TDI Filter Driver (NEOFLTR_640_16949);c:\windows\system32\drivers\NEOFLTR_640_16949.sys [28/10/2010 8:16 PM 85360]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [23/07/2013 7:09 PM 283136]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [12/07/2013 2:37 PM 3289472]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.sys [15/10/2010 11:41 AM 5120]
R2 vToolbarUpdater15.4.0;vToolbarUpdater15.4.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe [8/08/2013 9:30 PM 1616048]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [3/04/2008 4:05 AM 176128]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [3/04/2008 4:05 AM 13532]
S1 NEOFLTR_550_12415;Juniper Networks TDI Filter Driver (NEOFLTR_550_12415);\??\c:\windows\system32\Drivers\NEOFLTR_550_12415.SYS --> c:\windows\system32\Drivers\NEOFLTR_550_12415.SYS [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [4/07/2013 3:53 PM 4939312]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [21/06/2013 9:53 AM 162408]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/12/2009 9:49 AM 30192]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.318\McCHSvc.exe [6/02/2013 1:48 AM 235216]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [27/07/2007 10:00 PM 14336]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [29/01/2010 1:04 AM 2074480]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [3/09/2011 12:38 PM 105216]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [3/09/2011 12:35 PM 105216]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-24 02:25]
.
2013-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 06:57]
.
2013-08-09 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Photosmart 7510 series\Bin\HPCustPartic.exe [2011-08-31 08:07]
.
2013-08-09 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Photosmart 7510 series\Bin\HPCustPartic.exe [2011-08-31 08:07]
.
2013-08-04 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Photosmart 7510 series\Bin\HPCustPartic.exe [2011-08-31 08:07]
.
2013-08-09 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Photosmart 7510 series\Bin\HPCustPartic.exe [2011-08-31 08:07]
.
2013-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-823518204-839522115-1003Core.job
- c:\documents and settings\M.S.Y. Technology\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-02 23:39]
.
2013-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-823518204-839522115-1003UA.job
- c:\documents and settings\M.S.Y. Technology\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-02 23:39]
.
2013-08-09 c:\windows\Tasks\HP Photo Creations Messager.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://au.search.yahoo.com?type=407453&fr=spigot-yhp-ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: SmarThru4 Capture Selection - c:\program files\SmarThru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\SmarThru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\SmarThru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\SmarThru 4\WebCapture.dll
TCP: DhcpNameServer = 192.168.1.1
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://mcpuk1.jpmorgan.com/llclient/myatawap/winxp/AXXPEE.dll
DPF: {785F7664-AD0E-4CBA-8F28-F6C485A9E648} - hxxps://www-ap.myataw.com/ebctrl.cab
FF - ProfilePath - c:\documents and settings\M.S.Y. Technology\Application Data\Mozilla\Firefox\Profiles\2vjtkdur.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://au.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=407453&p=
FF - prefs.js: browser.startup.homepage - hxxp://au.search.yahoo.com?type=407453&fr=spigot-yhp-ff
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-News.net - c:\program files\News.net\BreakingNews\DesktopContainer.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2013-08-10 01:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,bd,39,0f,72,63,41,4d,ad,d1,97,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,bd,39,0f,72,63,41,4d,ad,d1,97,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c510\6&19d95498&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(592)
c:\windows\system32\WININET.dll
c:\windows\system32\VirtualExpander\VEShellExt.dll
c:\program files\Portrait Displays\Pivot Software\winphook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Portrait Displays\Pivot Software\floater.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\ASUS WiFi-AP Solo\RtWLan.exe
c:\windows\system32\RunDll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-08-10 01:12:00 - machine was rebooted
ComboFix-quarantined-files.txt 2013-08-09 15:11
.
Pre-Run: 325,385,265,152 bytes free
Post-Run: 326,835,957,760 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut
.
- - End Of File - - 199256EF9B9A1D84E1422A07C78255CC
8F558EB6672622401DA993E1E865C861
Old 08-09-2013, 11:28 AM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,654
OS: XP SP3; Win7 32/64-bit



Hello again, Morericewong. Please tell us how your system is behaving.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard] 
"ShellNext"=-
Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Under the Scanner tab, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

Java(TM) 6 Update 26

These are all outdated, and are security risks by having them installed still. Reboot your computer once all those Java components are removed.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

Go here and follow the prompts to install the latest Java > java.com: Java + You

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Cached Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Cached Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish, then click 'Finish'.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
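Editor's addition (not part of chemist's reply or anything else in this thread): the fix.reg above relies on two conventions of the Windows .reg merge format that are worth knowing before you double-click such a file: a `[key]` line selects (and creates, if missing) a key, and `"Name"=-` deletes that value rather than setting it. The Python script below is a small dry-run reader for that format, written for this page and using chemist's fix.reg as constructed sample input. Its operation names (`ensure_key`, `delete_key`, `delete_value`, `set_value`) are labels chosen here, not Windows terminology. It lets you review exactly which keys and values a .reg file would create, change or delete before merging it, which is a sensible check for any fix file a helper posts.

```python
"""Dry-run reader for Windows .reg merge files (added example, not from the thread).

Assumed semantics of the REGEDIT4 / "Windows Registry Editor Version 5.00" format:
  [HKEY_...]      select this key, creating it if it does not exist
  [-HKEY_...]     delete this key and all of its subkeys
  "Name"=...      set the named value under the current key
  @=...           set the key's (Default) value
  "Name"=-        delete the named value
Lines beginning with ';' are comments; a trailing '\\' continues hex data on the next line.
"""
import re

# Constructed input: the fix.reg from chemist's post above, verbatim.
FIX_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
"ShellNext"=-
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Matches either "Quoted Name"=data or @=data; group 1 = name, group 2 = '@', group 3 = data.
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Return a list of (operation, key, value_name, data) tuples describing the merge."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header line")

    # Join backslash-continued lines (used for long hex: values) into single logical lines.
    logical, buf = [], ""
    for raw in lines[1:]:
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""

    ops, key = [], None
    for line in logical:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inner = line[1:-1]
            if inner.startswith("-"):
                ops.append(("delete_key", inner[1:], None, None))
                key = None  # nothing may follow a deleted key until a new [key] line
            else:
                key = inner
                ops.append(("ensure_key", key, None, None))
            continue
        if key is None:
            raise ValueError("value line outside any [key] section: " + line)
        m = VALUE_LINE.match(line)
        if not m:
            raise ValueError("unparseable line: " + line)
        # Empty name means the key's (Default) value (the '@' form).
        name = "" if m.group(2) else m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        data = m.group(3)
        if data == "-":
            ops.append(("delete_value", key, name, None))
        else:
            ops.append(("set_value", key, name, data))
    return ops


def describe(ops):
    """Human-readable summary, one line per operation, for reviewing a fix before merging."""
    out = []
    for op, key, name, data in ops:
        shown = name or "(Default)"
        if op == "ensure_key":
            out.append(f"ensure key exists: {key}")
        elif op == "delete_key":
            out.append(f"DELETE KEY (and subkeys): {key}")
        elif op == "delete_value":
            out.append(f"DELETE VALUE: {key}\\{shown}")
        else:
            out.append(f"set value: {key}\\{shown} = {data}")
    return out


if __name__ == "__main__":
    for line in describe(parse_reg(FIX_REG)):
        print(line)
```

Run it against any .reg file you are about to merge; a fix that only deletes values you expect (here, a single `ShellNext` value under the Internet Connection Wizard key) is easy to confirm, and a surprise `[-HKEY...]` key deletion or an unexpected `set value` shows up before it reaches the registry.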
Old 08-13-2013, 05:04 AM   #7
Registered Member
 
Join Date: Aug 2012
Posts: 8
OS: windows 7



Hi Chemist,

Thanks for all your help so far, it's looking better from what I see but I'm not the primary user.

I noticed in Chrome settings for default search engine there is something called mixidjsearch, which I'm pretty sure is adware, but I believe I deleted it a while ago. Is it still on the computer? Also, the user said a pop-up displayed; unsure if this is website related though. They also have an email account with mail.com. Is this a known website to contain viruses or install adware?

Malwarebytes Anti-Malware 1.75.0.1300
Malwarebytes : Free anti-malware download

Database version: v2013.08.09.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
M.S.Y. Technology :: M-471B26955DEA4 [administrator]

10/08/2013 10:48:19 AM
mbam-log-2013-08-10 (10-48-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214423
Time elapsed: 35 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\plugin_why_auto_documentaries.zip (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\iLividSetup-r565-n-bc.exe (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\MapsSetup.exe (PUP.Optional.Inbox) -> Quarantined and deleted successfully.

(end)



ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=dd152c3581ba4a4ba186e0ef5da721af
# engine=14743
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-08-12 05:57:24
# local_time=2013-08-13 03:57:24 (+1000, AUS Eastern Standard Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1039 16777213 100 92 0 63496628 0 0
# scanned=99302
# found=15
# cleaned=0
# scan_time=28694
sh=517640B10ED2419D73C0339A07AA9FDDB1F8D8DF ft=1 fh=68424b3061f9512a vn="probably a variant of Win32/CNETInstaller.A application" ac=I fn="C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\cbsidlm-cbsi127-YTD_Video_Downloader-SEO-10647340.exe"
sh=8A893FE3C1376F3C1B0F67A9514CBE621B717D98 ft=1 fh=667b25980f774106 vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\cbsidlm-tr1_13-SoundMAX_Integrated_Digital_Audio-SEO-170204 (1).exe"
sh=8A893FE3C1376F3C1B0F67A9514CBE621B717D98 ft=1 fh=667b25980f774106 vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\cbsidlm-tr1_13-SoundMAX_Integrated_Digital_Audio-SEO-170204 (2).exe"
sh=8A893FE3C1376F3C1B0F67A9514CBE621B717D98 ft=1 fh=667b25980f774106 vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\cbsidlm-tr1_13-SoundMAX_Integrated_Digital_Audio-SEO-170204.exe"
sh=91EC186153FB33A4562204E4BE5631168C2BA206 ft=1 fh=eb969c333e6297d9 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\CuteWriter.exe"
sh=7AE7680921A23FD97A67FC8E30341F16D164631B ft=1 fh=e3017d2cb5714609 vn="Win32/Adware.Toolbar.Shopper application" ac=I fn="C:\Program Files\DAEMON Tools Lite\uninst.exe"
sh=A707288411DB1F2CB1191978F6EAC972D8C03DFD ft=1 fh=e276d0615cbfab36 vn="a variant of Win32/Toolbar.CrossRider.C application" ac=I fn="C:\System Volume Information\_restore{362EF9AA-0976-4362-A007-FF4C4EFE0ABD}\RP1627\A0163481.exe"
sh=94B7BFB0B1C0C395BDE275F417656901F4FC5E9E ft=1 fh=18fc8905dbbe4f44 vn="multiple threats" ac=I fn="C:\System Volume Information\_restore{362EF9AA-0976-4362-A007-FF4C4EFE0ABD}\RP1627\A0163483.exe"
sh=517EB880B36814A068861856C99F3BD71DF09D3E ft=1 fh=c461885b725a53fd vn="a variant of Win32/Toolbar.CrossRider.A application" ac=I fn="C:\System Volume Information\_restore{362EF9AA-0976-4362-A007-FF4C4EFE0ABD}\RP1627\A0163486.dll"
sh=B303CF03F70D7C13C201577DF104198368F38FF3 ft=1 fh=d0db9656bd1efe30 vn="probably a variant of Win32/Toolbar.CrossRider.A application" ac=I fn="C:\System Volume Information\_restore{362EF9AA-0976-4362-A007-FF4C4EFE0ABD}\RP1627\A0163490.exe"
sh=B303CF03F70D7C13C201577DF104198368F38FF3 ft=1 fh=d0db9656bd1efe30 vn="probably a variant of Win32/Toolbar.CrossRider.A application" ac=I fn="C:\System Volume Information\_restore{362EF9AA-0976-4362-A007-FF4C4EFE0ABD}\RP1627\A0163491.exe"
sh=3C2247ADDEB32EDA2F816DE908C23F2029851036 ft=1 fh=9e38ef1c5dbb6b06 vn="Win32/Toolbar.Tuvaro.A application" ac=I fn="C:\System Volume Information\_restore{362EF9AA-0976-4362-A007-FF4C4EFE0ABD}\RP1627\A0163502.exe"
sh=9C1F62B0654C2E3193F608EF490DE5495708A583 ft=1 fh=33f2ea3bb7a73bb8 vn="a variant of Win32/bProtector.A application" ac=I fn="C:\System Volume Information\_restore{362EF9AA-0976-4362-A007-FF4C4EFE0ABD}\RP1627\A0163560.exe"
sh=267B0AECB953B2FDE043FBE6D3EB2BAC80CF9A8F ft=1 fh=ba018e00eaeea0ed vn="a variant of Win32/bProtector.A application" ac=I fn="C:\System Volume Information\_restore{362EF9AA-0976-4362-A007-FF4C4EFE0ABD}\RP1627\A0163561.dll"
sh=9C1F62B0654C2E3193F608EF490DE5495708A583 ft=1 fh=33f2ea3bb7a73bb8 vn="a variant of Win32/bProtector.A application" ac=I fn="C:\System Volume Information\_restore{362EF9AA-0976-4362-A007-FF4C4EFE0ABD}\RP1627\A0163562.exe"
__________________
Old 08-13-2013, 07:06 AM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,654
OS: XP SP3; Win7 32/64-bit



Hello again, Morericewong. Can you delete the mixidjsearch search engine from within Chrome?

Mail.com - Free Email Service Review - About Email

------------------------------------------------------

System Volume Information is where Windows keeps old system restore points. Those will get deleted when we uninstall ComboFix.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\cbsidlm-cbsi127-YTD_Video_Downloader-SEO-10647340.exe"
"C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\cbsidlm-tr1_13-SoundMAX_Integrated_Digital_Audio-SEO-170204 (1).exe"
"C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\cbsidlm-tr1_13-SoundMAX_Integrated_Digital_Audio-SEO-170204 (2).exe"
"C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\cbsidlm-tr1_13-SoundMAX_Integrated_Digital_Audio-SEO-170204.exe"
"C:\Documents and Settings\M.S.Y. Technology\My Documents\Downloads\CuteWriter.exe"
"C:\Program Files\DAEMON Tools Lite\uninst.exe"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files to your desktop then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

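As an added example (not part of this thread, and not ESET's or the helper's own code), here is a small Python parser for the ESET Online Scanner log format pasted above: it reads the `#` header values and the per-file `sh=... vn="..." fn="..."` records, then separates hits inside System Volume Information (old restore points, which the ComboFix uninstall step clears) from files a per-file fix script would have to delete itself. The sample lines, hashes and paths are constructed, not values from any real scan.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines in the ESET Online Scanner log format (hashes and
# filenames are made up; they are not values from any real scan).
SAMPLE_LOG = """\
# version=8
# found=3
# cleaned=0
sh=0000000000000000000000000000000000000001 ft=1 fh=0000000000000001 vn="Win32/ExampleBundler.A application" ac=I fn="C:\\Documents and Settings\\user\\My Documents\\Downloads\\setup (1).exe"
sh=0000000000000000000000000000000000000002 ft=1 fh=0000000000000002 vn="a variant of Win32/ExampleToolbar.B application" ac=I fn="C:\\System Volume Information\\_restore{GUID}\\RP1\\A0000001.exe"
sh=0000000000000000000000000000000000000003 ft=1 fh=0000000000000003 vn="multiple threats" ac=I fn="C:\\Program Files\\Example\\uninst.exe"
"""

# A detection line is a run of key=value pairs; a value is either a bare token
# or a double-quoted string (quoted values may contain spaces and parentheses).
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
RESTORE_MARKER = "\\system volume information\\"


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split an ESET log into its '#' header values and a list of detection dicts."""
    header: Dict[str, str] = {}
    detections: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value
            continue
        record = {k: v.strip('"') for k, v in _FIELD.findall(line)}
        if "fn" in record:  # only keep lines that actually name a file
            detections.append(record)
    return header, detections


def split_by_location(detections: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Separate hits stored in System Restore points (removed when ComboFix is
    uninstalled) from files a fix script would need to delete individually."""
    restore, user = [], []
    for d in detections:
        (restore if RESTORE_MARKER in d["fn"].lower() else user).append(d["fn"])
    return restore, user


def counts_consistent(header: Dict[str, str], detections: List[Dict[str, str]]) -> bool:
    """True when the header's found= value matches the number of records parsed."""
    return int(header.get("found", "0")) == len(detections)
```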
Old 08-14-2013, 05:02 AM   #9
Registered Member
 
Join Date: Aug 2012
Posts: 8
OS: windows 7



Hi Chemist,

It said delete successful, plus I deleted the mixidj search engine :)

Is the computer clean now?


Cheers :)
__________________
Old 08-14-2013, 05:05 AM   #10
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,654
OS: XP SP3; Win7 32/64-bit



Hello again, Morericewong. If there are no other problems...

Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the ESET report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please disable AVG before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.
  • Run AdwCleaner and select Uninstall
  • Confirm by clicking Yes
------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Also, support is ending for some versions of Windows > Support is ending for Windows XP - Microsoft Windows Help

------------------------------------------------------

Make sure all your applications and browsers are up-to-date by visiting Secunia Online Software Inspector here:

Free Online Computer Scan - Online Software Inspector (OSI) - Secunia
  • Click 'Start Scanner'
  • Wait for Status/Currently Processing: at the lower left to say 'Java Applet loaded successfully. Press "Start" to begin.'
  • Click 'Start'.
  • The scan should take less than a minute or so.
  • When done, download and install all the recommended updates.
  • This will help ensure the malware writers cannot use exploits (bugs) in older versions of your applications to infect your computer in the future.
------------------------------------------------------

Important

Due to continued exploits of zero-day vulnerabilities in Oracle's Java application, it is the recommendation of many security experts, as well as the TSF Security Team, that you disable Java in your web browsers.

Java

US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability

We recommend disabling Java in your browsers, and enabling it only when needed by certain websites.

Please disable Java in your browser(s) by following these instructions:

How do I disable Java in my web browser?

If none of your websites (banks, online games, OpenOffice, etc.) use Java, you can uninstall it via your Control Panel:

How do I uninstall Java on my Windows computer?

------------------------------------------------------

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Old 08-20-2013, 02:27 PM   #11
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,654
OS: XP SP3; Win7 32/64-bit



As this topic appears to be resolved, this thread will be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------

__________________
 

Copyright 2001 - 2014, Tech Support Forum