

Avast detecting multiple issues



 
 
#1 - 05-12-2015, 01:52 PM - whitefox723
Registered Member | Join Date: Apr 2008 | Posts: 115 | OS: Windows XP SP2

Hi

Avast keeps popping up saying it's blocked a harmful file; some it moves to the chest, some it just blocks. I have screenshotted the Avast chest should you need it. One of the issues seems to be a type of Windows Update file in WIN32??? I run XP SP3 still.
I have run DDS.
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Dianne Fox at 21:40:58 on 2015-05-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1535.622 [GMT 1:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Update\1.3.26.9\GoogleCrashHandler.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\loggingserver.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
BHO: {10921475-03CE-4E04-90CE-E2E7EF20C814} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {95B7759C-8C7F-4BF1-B163-73684A933233} - <orphaned>
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.10.11023.1534\swg.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\dianne~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: SoftwareSASGeneration = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1375641003437
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{30DA2D19-782B-44F3-8089-367301CE92E5} : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\18.1.0\ViProtocol.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\42.0.2311.135\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dianne fox\application data\mozilla\firefox\profiles\qo3ndag9.default-1398015338453\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\update\1.3.26.9\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_17_0_0_169.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: content.notify.ontimer - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.switch.threshold - 750000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
user_pref(extensions.autoDisableScopes,14);
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-12-30 49904]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2013-12-30 209048]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2015-5-8 218008]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-12-30 787760]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-12-30 427992]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-8-13 42272]
R1 RapportCerberus_1412097;RapportCerberus_1412097;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_1412097.sys [2015-5-12 528600]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2015-5-8 279800]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2015-5-8 348632]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-5-11 24144]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-12-30 74976]
R2 avast! Antivirus;Avast Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-12-30 343336]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2015-5-8 2214168]
R2 vToolbarUpdater18.1.0;vToolbarUpdater18.1.0;c:\program files\common files\avg secure search\vtoolbarupdater\18.1.0\ToolbarUpdater.exe [2014-4-29 1801240]
R4 RapportCerberus_1412095;RapportCerberus_1412095;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_1412095.sys [2015-5-10 528856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== File Associations ===============
.
ShellExec: switch.exe: open="c:\program files\nch software\switch\switch" "%L"
.
=============== Created Last 30 ================
.
2015-05-12 18:56:20 57888 ----a-w- c:\windows\system32\drivers\asw2B9.tmp
2015-05-12 18:56:16 208024 ----a-w- c:\windows\system32\drivers\asw2B8.tmp
2015-05-12 18:56:12 427736 ----a-w- c:\windows\system32\drivers\asw2B7.tmp
2015-05-12 18:56:11 49904 ----a-w- c:\windows\system32\drivers\asw2B6.tmp
2015-05-12 18:56:08 73440 ----a-w- c:\windows\system32\drivers\asw2B5.tmp
2015-05-12 18:56:06 24144 ----a-w- c:\windows\system32\drivers\asw2B4.tmp
2015-05-12 18:54:10 55200 ----a-w- c:\windows\system32\drivers\asw2B3.tmp
2015-05-12 18:53:26 788272 ----a-w- c:\windows\system32\drivers\asw2B2.tmp
2015-05-12 18:45:24 43112 ----a-w- c:\windows\avastSS.scr
2015-05-08 16:25:16 218008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2015-05-02 16:18:32 -------- d-----w- c:\documents and settings\dianne fox\local settings\application data\CDex
2015-05-02 16:17:42 -------- d-----w- c:\documents and settings\all users\application data\Package Cache
2015-05-02 16:17:14 -------- d-----w- c:\program files\CDex
2015-05-02 16:00:27 -------- d-----w- c:\documents and settings\dianne fox\application data\NCH Software
2015-05-02 15:40:46 -------- d-----w- c:\program files\NCH Software
.
==================== Find3M ====================
.
2015-05-12 18:46:26 209048 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2015-05-12 18:46:23 49904 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2015-05-12 18:46:22 74976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2015-05-12 18:46:22 24144 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2015-05-12 18:42:14 787760 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2015-05-10 12:37:21 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-04-27 20:20:29 778416 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-04-27 20:20:28 142512 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-02-17 16:04:46 1202848 ----a-w- c:\windows\system32\FM20.DLL
2014-06-29 09:46:27 6010880 ----a-w- c:\program files\GUT5.tmp
2013-10-12 11:16:22 50053120 ----a-w- c:\program files\GUT3.tmp
.
============= FINISH: 21:45:11.53 ===============
Attached: attach.txt (12.8 KB)
#2 - 05-13-2015, 12:45 PM - chemist
Security Team | Moderator, Analyst | Rangemaster, TSF Academy | Microsoft Most Valuable Professional | Join Date: Oct 2007 | Location: Georgia | Posts: 29,790 | OS: XP/Win7/Win10

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

You are using an outdated version of HijackThis. Please uninstall HijackThis 1.99.1 in the Add or Remove Programs section of your Control Panel and delete your current version.

------------------------------------------------------

You have remnants of AVG still running on your machine.

Please download AVG Remover and Save it to your Desktop.
  • Close all programs and double-click avgremover.exe then click Run
  • In Vista/Win7, right-click and choose 'Run as administrator'.
  • Follow the on-screen instructions.
  • Reboot your computer if not prompted already.
  • Then delete avgremover.exe and the avgremover.log from your desktop.
------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Do NOT click the green 'Download' button(if visible).
  • Click the blue 'Download now @bleepingcomputer' button.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Cleaning
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[S#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:


  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
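The "remnants of AVG" call in the post above is made by reading the DDS log from post #1 by eye: the Handler: viprotocol line and the R1 avgtp / R2 vToolbarUpdater18.1.0 entries still point into AVG paths even though Avast is the running AV, the same Google Toolbar CLSID is registered twice (differing only in hex case), and three BHO/EB entries are marked <orphaned>. The script below is an added example, not code from DDS, ComboFix, AdwCleaner or this forum, that performs that triage mechanically over a constructed excerpt of those log lines. The leftover markers ("avg", "conduit") are an assumption for this one machine, taken from the AVG Remover request and from what AdwCleaner reports deleting later in the thread; the orphaned-entry and duplicate-CLSID checks are generic.

```python
"""Mechanical triage of DDS 'Pseudo HJT Report' and SERVICES / DRIVERS lines.

Added example; not DDS, ComboFix, AdwCleaner or Tech Support Forum code.
It flags three things an HJT helper looks for by eye:
  * BHO / TB / EB entries whose DLL is gone (DDS prints '<orphaned>'),
  * protocol handlers, services and drivers whose path points at a vendor
    that should no longer be on the box (here AVG, per the AVG Remover request),
  * the same CLSID registered twice, differing only in hex case.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the DDS log from post #1 (backslashes doubled only
# because this is a Python string literal).
SAMPLE_LOG = """\
BHO: {10921475-03CE-4E04-90CE-E2E7EF20C814} - <orphaned>
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\\program files\\avast software\\avast\\aswWebRepIE.dll
BHO: {95B7759C-8C7F-4BF1-B163-73684A933233} - <orphaned>
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\\program files\\google\\google toolbar\\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\google toolbar\\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\\program files\\common files\\avg secure search\\viprotocolinstaller\\18.1.0\\ViProtocol.dll
R1 avgtp;avgtp;c:\\windows\\system32\\drivers\\avgtpx86.sys [2013-8-13 42272]
R2 vToolbarUpdater18.1.0;vToolbarUpdater18.1.0;c:\\program files\\common files\\avg secure search\\vtoolbarupdater\\18.1.0\\ToolbarUpdater.exe [2014-4-29 1801240]
R2 avast! Antivirus;Avast Antivirus;c:\\program files\\avast software\\avast\\AvastSvc.exe [2013-12-30 343336]
"""

# Assumed, machine-specific: substrings of paths that belong to software the
# helper wants gone (AVG, plus the Conduit bundle AdwCleaner later deleted).
# A tunable list for one case, not a general definition of "unwanted".
LEFTOVER_MARKERS = ("avg", "conduit")

GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
# "BHO: [Name: ]{CLSID} - <path or <orphaned>>"   (same shape for TB: and EB:)
BROWSER_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB): (?:(?P<name>.*?): )?(?P<clsid>" + GUID + r") - (?P<target>.*)$")
# "Handler: scheme - {CLSID} - path"
HANDLER_RE = re.compile(r"^Handler: (?P<name>\S+) - (?P<clsid>" + GUID + r") - (?P<target>.*)$")
# "R2 name;display name;path [date size]"   (R = running, S = stopped)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<target>.*?)(?: \[[^\]]*\])?$")


@dataclass
class Entry:
    kind: str    # BHO, TB, EB, Handler, or a service state such as R2
    name: str
    clsid: str   # empty for services
    target: str  # file path, or '<orphaned>' when DDS found no file


@dataclass
class Findings:
    orphaned: list = field(default_factory=list)
    leftovers: list = field(default_factory=list)
    duplicate_clsids: list = field(default_factory=list)


def parse_log(text):
    """Turn the recognised DDS line kinds into Entry objects; skip the rest."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = BROWSER_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["name"] or "", m["clsid"], m["target"]))
            continue
        m = HANDLER_RE.match(line)
        if m:
            entries.append(Entry("Handler", m["name"], m["clsid"], m["target"]))
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Entry(m["state"], m["name"], "", m["target"]))
    return entries


def triage(entries, markers=LEFTOVER_MARKERS):
    """Apply the three checks; CLSIDs are compared case-insensitively."""
    findings = Findings()
    seen = set()
    for e in entries:
        target = e.target.lower()
        if target == "<orphaned>":
            findings.orphaned.append(e)
        elif any(marker in target for marker in markers):
            findings.leftovers.append(e)
        if e.clsid:
            key = (e.kind, e.clsid.upper())
            if key in seen:
                findings.duplicate_clsids.append(e)
            seen.add(key)
    return findings


def summarize(findings):
    """Human-readable lines in the order a helper would act on them."""
    out = [f"orphaned {e.kind} {e.clsid}: registered, file missing" for e in findings.orphaned]
    out += [f"leftover {e.kind} {e.name}: {e.target}" for e in findings.leftovers]
    out += [f"duplicate {e.kind} {e.clsid} ({e.name})" for e in findings.duplicate_clsids]
    return out


if __name__ == "__main__":
    for line in summarize(triage(parse_log(SAMPLE_LOG))):
        print(line)
```

Run as a script it prints the seven findings for the excerpt; a real DDS log is fed in with parse_log(open(path).read()). The substring match on "avg" is deliberately loose (it catches avgtpx86.sys as well as the AVG Secure Search paths), so each hit still needs a human look before anything is removed: the script advises, the helper decides.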
#3 - 05-15-2015, 02:09 AM - whitefox723
Registered Member | Join Date: Apr 2008 | Posts: 115 | OS: Windows XP SP2

# AdwCleaner v4.203 - Logfile created 15/05/2015 at 09:52:13
# Updated 30/04/2015 by Xplode
# Database : 2015-05-12.2 [Server]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Dianne Fox - PCHEAVEN
# Running from : C:\Documents and Settings\Dianne Fox\My Documents\Downloads\adwcleaner_4.203.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Conduit
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Dianne Fox\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Dianne Fox\Local Settings\Application Data\NativeMessaging
Folder Deleted : C:\Documents and Settings\Dianne Fox\Application Data\DigitalSites
File Deleted : C:\END
File Deleted : C:\Documents and Settings\Dianne Fox\Application Data\Mozilla\Firefox\Profiles\qo3ndag9.default-1398015338453\invalidprefs.js
File Deleted : C:\Program Files\Mozilla Firefox\browser\searchplugins\avg-secure-search.xml
File Deleted : C:\Documents and Settings\Dianne Fox\Application Data\Mozilla\Firefox\Profiles\qo3ndag9.default-1398015338453\user.js
File Deleted : C:\Program Files\Mozilla Firefox\defaults\pref\itms.js

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F83D1872-D9FF-47F8-B5A0-49CC51E24EE8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{DB8533F9-E0FA-4F0C-8A91-3E80A673E05C}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKU\.DEFAULT\Software\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v37.0.2 (x86 en-US)


-\\ Google Chrome v42.0.2311.152


*************************

AdwCleaner[R0].txt - [4595 bytes] - [15/05/2015 09:29:01]
AdwCleaner[S0].txt - [4612 bytes] - [15/05/2015 09:52:13]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4671 bytes] ##########
I will run ComboFix later.

Thank You
#4 - 05-15-2015, 02:54 PM - whitefox723
Registered Member | Join Date: Apr 2008 | Posts: 115 | OS: Windows XP SP2

ComboFix 15-05-13.01 - Dianne Fox 15/05/2015 21:15:38.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1535.652 [GMT 1:00]
Running from: c:\documents and settings\Dianne Fox\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\1385207581.bdinstall.bin
c:\documents and settings\All Users\Application Data\1388410552.bdinstall.bin
c:\documents and settings\All Users\Application Data\1388410570.bdinstall.bin
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\1c1addae869a4651.fb
c:\windows\system32\Cache\1ffbc0103087c08b.fb
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\47bc95015e82c654.fb
c:\windows\system32\Cache\49d4b95ce2612308.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\919e1d1a552409a7.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c24bc2f5ced10e22.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\Cache\fd676f27537b5ede.fb
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\SET36.tmp
c:\windows\system32\SET39.tmp
c:\windows\system32\SET3F.tmp
c:\windows\system32\SET40.tmp
c:\windows\system32\SET41.tmp
c:\windows\system32\SET45.tmp
c:\windows\system32\SET46.tmp
c:\windows\system32\SET47.tmp
c:\windows\system32\SET4B.tmp
c:\windows\system32\SET4D.tmp
c:\windows\system32\SETA1.tmp
c:\windows\system32\SETA5.tmp
c:\windows\system32\SETAD.tmp
c:\windows\system32\SETF6.tmp
c:\windows\wmsysprx.prx
.
.
((((((((((((((((((((((((( Files Created from 2015-04-15 to 2015-05-15 )))))))))))))))))))))))))))))))
.
.
2015-05-15 08:28 . 2015-05-15 08:53 -------- d-----w- C:\AdwCleaner
2015-05-12 21:56 . 2015-05-12 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-05-12 18:55 . 2015-05-12 18:46 55200 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2015-05-12 18:48 . 2015-05-12 18:45 291312 ----a-w- c:\windows\system32\aswBoot.exe
2015-05-12 18:45 . 2015-05-12 18:45 43112 ----a-w- c:\windows\avastSS.scr
2015-05-10 10:19 . 2015-05-10 10:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trusteer
2015-05-09 12:28 . 2015-05-09 12:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2015-05-08 16:25 . 2015-05-08 16:25 218008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2015-05-02 16:40 . 2015-05-02 16:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Trusteer
2015-05-02 16:18 . 2015-05-02 16:18 -------- d-----w- c:\documents and settings\Dianne Fox\Local Settings\Application Data\CDex
2015-05-02 16:17 . 2015-05-09 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Package Cache
2015-05-02 16:17 . 2015-05-10 11:13 -------- d-----w- c:\program files\CDex
2015-05-02 16:00 . 2015-05-02 16:00 -------- d-----w- c:\documents and settings\Dianne Fox\Application Data\NCH Software
2015-05-02 15:40 . 2015-05-02 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2015-05-02 15:40 . 2015-05-02 16:00 -------- d-----w- c:\program files\NCH Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-05-12 22:01 . 2014-06-01 15:22 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-05-12 21:54 . 2014-06-01 15:22 120024 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-05-12 18:46 . 2013-12-30 14:05 57888 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2015-05-12 18:46 . 2013-12-30 14:05 209048 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2015-05-12 18:46 . 2013-12-30 14:05 427992 ----a-w- c:\windows\system32\drivers\aswSP.sys
2015-05-12 18:46 . 2013-12-30 14:05 49904 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2015-05-12 18:46 . 2014-05-11 13:50 24144 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2015-05-12 18:46 . 2013-12-30 14:05 74976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2015-05-12 18:42 . 2013-12-30 14:05 787760 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2015-04-27 20:20 . 2013-08-03 11:57 778416 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-04-27 20:20 . 2013-08-03 11:57 142512 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-02-17 16:04 . 2015-02-17 16:04 1202848 ----a-w- c:\windows\system32\FM20.DLL
2014-06-29 09:46 . 2014-06-29 09:46 6010880 ----a-w- c:\program files\GUT5.tmp
2013-10-12 11:16 . 2013-10-12 11:16 50053120 ----a-w- c:\program files\GUT3.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-05-12 18:44 645144 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-08-05 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-12 43848]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-05-12 5515496]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Dianne Fox\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\Dianne Fox\\Application Data\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [30/12/2013 15:05 49904]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [30/12/2013 15:05 209048]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [08/05/2015 17:25 218008]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [30/12/2013 15:05 787760]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [30/12/2013 15:05 427992]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [13/08/2013 18:53 42272]
R1 RapportCerberus_1412097;RapportCerberus_1412097;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_1412097.sys [12/05/2015 19:36 528600]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [08/05/2015 17:25 279800]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [08/05/2015 17:25 348632]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [11/05/2014 14:50 24144]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [30/12/2013 15:05 74976]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [08/05/2015 17:25 2214168]
S2 vToolbarUpdater18.1.0;vToolbarUpdater18.1.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-05-14 17:28 988488 ----a-w- c:\program files\Google\Chrome\Application\42.0.2311.152\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-05-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-08-03 20:20]
.
2015-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2015-05-15 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2015-05-12 18:44]
.
2015-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-08-05 18:52]
.
2015-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-08-05 18:52]
.
2015-05-15 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-25 01:59]
.
2014-03-28 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-25 01:59]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Dianne Fox\Application Data\Mozilla\Firefox\Profiles\qo3ndag9.default-1398015338453\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{10921475-03CE-4E04-90CE-E2E7EF20C814} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2015-05-15 21:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2015-05-15 21:49:36
ComboFix-quarantined-files.txt 2015-05-15 20:49
.
Pre-Run: 28,695,887,872 bytes free
Post-Run: 28,920,074,240 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - AF3A3FE35ADC88491A434B939DF50FB0
8F558EB6672622401DA993E1E865C861
whitefox723 is offline  
Old 05-16-2015, 12:49 AM   #5
Registered Member
 
Join Date: Apr 2008
Posts: 115
OS: Windows XP SP2



BUMP!!!!
whitefox723 is offline  
Old 05-16-2015, 02:29 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, whitefox723. Tell us how your system is behaving.

Quote:
BUMP!!!!
That's not how we work here. If we're not going as fast as you would like, you can always take your machine to the local repair shop.

------------------------------------------------------

CCleaner

We do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner. Our colleague miekiemoes has an excellent writeup here

------------------------------------------------------

I see you have P2P software (BitTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Add or Remove Programs.

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc delete vToolbarUpdater18.1.0

A DOS window will open and close again; this is normal.

------------------------------------------------------
  • Launch Malwarebytes' Anti-Malware
  • On the Dashboard, click the Scan Now button.
  • A check for database updates will be performed.
  • After the update check completes, a Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs
  • Double-click on the scan log which shows the Date and Time of the scan just performed.
  • Click Export
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'Run ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan. Here's how
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Once the components have downloaded, tick the option Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked:
    • Scan Archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
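The "sc delete vToolbarUpdater18.1.0" step above targets a service whose line in the ComboFix log earlier in the thread ends in "ToolbarUpdater.exe [?]": the AVG Secure Search toolbar is gone, but its updater service registration stayed behind, pointing at a binary that no longer exists. The Python below is an added example, not code from the thread or from ComboFix, DDS or any other tool named here. It parses lines in the ComboFix "Drivers/Services" format and lists the services whose binary could not be found. The sample lines are copied from the log above; reading "[?]" as "file not found on disk" is an assumption about ComboFix's output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the ComboFix log earlier in the thread. Format:
#   <R|S><start type> <service name>;<display name>;<image path> [<dd/mm/yyyy> <hh:mm> <size>]
# R = running, S = stopped; the digit is the Windows start type (0 boot, 1 system,
# 2 automatic, 3 manual). A "[?]" instead of the stamp is read here (assumption) as
# "ComboFix could not find the file".
SAMPLE_SERVICE_LINES = "\n".join([
    r"R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [11/05/2014 14:50 24144]",
    r"R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [30/12/2013 15:05 74976]",
    r"R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [08/05/2015 17:25 2214168]",
    r"S2 vToolbarUpdater18.1.0;vToolbarUpdater18.1.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe [?]",
])

LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
STAMP_RE = re.compile(r"\[(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}) (\d+)\]$")


@dataclass
class ServiceEntry:
    state: str            # "R" running or "S" stopped
    start_type: int
    name: str
    display: str
    image_path: str
    size: Optional[int]   # None when the binary was not found ("[?]")

    @property
    def binary_missing(self) -> bool:
        return self.size is None


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one Drivers/Services line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    # "raw --> resolved" shows the ImagePath as registered and as resolved by ComboFix;
    # the resolved path is the one that matters for the existence check.
    if " --> " in rest:
        rest = rest.split(" --> ", 1)[1]
    if rest.endswith("[?]"):
        return ServiceEntry(state, int(start), name, display, rest[:-3].strip(), None)
    sm = STAMP_RE.search(rest)
    if not sm:
        return None
    return ServiceEntry(state, int(start), name, display,
                        rest[: sm.start()].strip(), int(sm.group(3)))


def parse_services(text: str) -> List[ServiceEntry]:
    return [e for e in map(parse_service_line, text.splitlines()) if e is not None]


def orphaned_services(text: str) -> List[str]:
    """Names of registered services whose binary is gone: leftovers of an uninstall."""
    return [e.name for e in parse_services(text) if e.binary_missing]


def autostart_services(text: str) -> List[str]:
    """Services set to start automatically (start type 2), whatever their current state."""
    return [e.name for e in parse_services(text) if e.start_type == 2]


if __name__ == "__main__":
    print("orphaned:", orphaned_services(SAMPLE_SERVICE_LINES))
```

On the live machine the same question is what "sc qc <service name>" answers: it prints the BINARY_PATH_NAME the service is registered with, and if that file is no longer on disk the entry is an orphan, which is the state in which removing the registration, as the "sc delete" step does, is the right cleanup.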
Old 05-18-2015, 11:24 AM   #7
Registered Member
 
Join Date: Apr 2008
Posts: 115
OS: Windows XP SP2



System behaviour after DDS and ComboFix: a little bit speedier and no Avast pop-ups, Firefox a bit slow to load web pages still though? Sorry Chemist for bumping, won't do it again :-)

Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software

Scan Date: 17/05/2015
Scan Time: 20:09:45
Logfile: mbam scan.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.05.17.03
Rootkit Database: v2015.05.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Dianne Fox

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 483437
Time Elapsed: 54 min, 51 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUP.Optional.Spigot.A, HKU\S-1-5-21-1614895754-1935655697-725345543-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{D009D6AC-F20A-4B43-A4F6-A0A2018CBF32}|URL, https://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=667671&p={searchTerms}, Quarantined, [3e796c2803877eb881182dab2cd736ca]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

ESET Report

C:\AdwCleaner\Quarantine\C\Documents and Settings\All Users\Application Data\Conduit\Multi\CT3306061\UninstallerUI.exe.vir a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application
C:\Documents and Settings\Dianne Fox\Desktop\backups\backup-20131209-213253-350.dll Win32/Toolbar.Conduit.X potentially unwanted application
C:\Documents and Settings\Dianne Fox\Desktop\Windows 7 Ultimate (32 Bit)\File Sharing Programs\Bear-Share 9.0.exe a variant of Win32/Toolbar.SearchSuite.Z potentially unwanted application
C:\Documents and Settings\Dianne Fox\Desktop\Windows 7 Ultimate (32 Bit)\Other Windows 7 Activation Tools\Windows 7 Loader 1.6.9\Windows 7 Loader 1.6.9.0.exe Win32/HackTool.WinActivator.I potentially unsafe application
C:\Documents and Settings\Dianne Fox\Desktop\Windows 7 Ultimate (32 Bit)\Other Windows 7 Activation Tools\Windows 7 Loader 1.7.9\Windows 7 Loader 1.7.9.0.exe Win32/HackTool.WinActivator.I potentially unsafe application
C:\Documents and Settings\Dianne Fox\Local Settings\temp\ExpressBurn-364-2\vpsetup.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application
C:\Documents and Settings\Dianne Fox\My Documents\Di's Stuff\downloads\asc-setup.exe Win32/ELEX.AH potentially unwanted application
C:\Program Files\NCH Software\Disketch\disketch.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application
C:\Program Files\NCH Software\Disketch\disketchsetup_v3.32.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application
C:\Program Files\NCH Software\ExpressBurn\expressburn.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application
C:\Program Files\NCH Software\ExpressBurn\expressburnsetup_v4.82.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application
C:\Program Files\NCH Software\Switch\switch.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application
C:\Program Files\NCH Software\Switch\switchsetup_v4.79.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application
C:\Program Files\NCH Software\VideoPad\videopad.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application
C:\Program Files\NCH Software\VideoPad\videopadsetup_v4.05.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application
C:\System Volume Information\_restore{56B8B9CC-BC43-4D72-862E-562F2316DFFF}\RP187\A0238130.exe a variant of Win32/BrowseFox.AM potentially unwanted application
C:\System Volume Information\_restore{56B8B9CC-BC43-4D72-862E-562F2316DFFF}\RP193\A0244992.exe a variant of Win32/InstallCore.ZC potentially unwanted application
C:\System Volume Information\_restore{56B8B9CC-BC43-4D72-862E-562F2316DFFF}\RP193\A0245040.exe a variant of Win32/BrowseFox.AN potentially unwanted application
C:\System Volume Information\_restore{56B8B9CC-BC43-4D72-862E-562F2316DFFF}\RP193\A0245043.exe Win32/BrowseFox.AZ potentially unwanted application
C:\System Volume Information\_restore{56B8B9CC-BC43-4D72-862E-562F2316DFFF}\RP193\A0245045.exe a variant of Win32/InstallCore.ZC potentially unwanted application
C:\System Volume Information\_restore{56B8B9CC-BC43-4D72-862E-562F2316DFFF}\RP197\A0250990.exe a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application
whitefox723 is offline  
Old 05-18-2015, 04:21 PM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, whitefox723. Why do you have a crack for Windows7 on your desktop?

------------------------------------------------------
chemist is offline  
Old 05-20-2015, 11:53 AM   #9
Registered Member
 
Join Date: Apr 2008
Posts: 115
OS: Windows XP SP2



I have no idea; it was on a hard drive I borrowed and I may have accidentally sent it. I tried deleting it and it won't let me. Came up with some silly message; will try again.

Di
whitefox723 is offline  
Old 05-20-2015, 11:53 AM   #10
Registered Member
 
Join Date: Apr 2008
Posts: 115
OS: Windows XP SP2



So what did the 2 logs show? ESET and MBAM? Please
whitefox723 is offline  
Old 05-20-2015, 06:27 PM   #11
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, whitefox723. MBAM found 1 PUP. ESET flagged several files due to 3rd party toolbars, but nothing malicious.

System Volume Information is where Windows keeps old system restore points. Those will get deleted when we uninstall ComboFix.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
File::
C:\Documents and Settings\Dianne Fox\Desktop\backups\backup-20131209-213253-350.dll
C:\Documents and Settings\Dianne Fox\My Documents\Di's Stuff\downloads\asc-setup.exe
C:\Program Files\NCH Software\Disketch\disketch.exe
C:\Program Files\NCH Software\Disketch\disketchsetup_v3.32.exe
C:\Program Files\NCH Software\ExpressBurn\expressburn.exe
C:\Program Files\NCH Software\ExpressBurn\expressburnsetup_v4.82.exe
C:\Program Files\NCH Software\Switch\switch.exe
C:\Program Files\NCH Software\Switch\switchsetup_v4.79.exe
C:\Program Files\NCH Software\VideoPad\videopad.exe
C:\Program Files\NCH Software\VideoPad\videopadsetup_v4.05.exe

ClearJavaCache::

Folder::
C:\Documents and Settings\All Users\Application Data\Conduit
C:\Documents and Settings\Dianne Fox\Desktop\Windows 7 Ultimate (32 Bit)
C:\Documents and Settings\Dianne Fox\Local Settings\temp\ExpressBurn-364-2

Driver::
avgtp
vToolbarUpdater18.1.0
Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

This tool will clear all your browser caches, and may help with page loading speed:

Please download Temp File Cleaner and save it to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run it then click 'Run' then 'Start'.
  • Your desktop will disappear; this is normal, it will return.
  • If prompted, click "Yes" to reboot.
  • Your machine may start up slowly the first time after running TFC.exe.
  • You may want to reboot again, even if TFC already rebooted your machine.
------------------------------------------------------
chemist is offline  
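The reading chemist gives of the two logs (one PUP in MBAM; ESET hits that are all toolbar and bundler detections rather than malware, several of them sitting in old restore points that go away when ComboFix is uninstalled, the rest handled by the File:: and Folder:: entries of the CFScript) is the kind of triage that is worth scripting when a report is long. The Python below is an added example, not code from the thread or from ESET. It parses ESET Online Scanner result lines of the form "<path> [a variant of ]<detection> <category>", groups the findings by where the file lives (restore points, an existing quarantine folder, Program Files, user data) and reports any finding whose category is not one of the two "potentially unwanted/unsafe application" classes. The sample lines are copied from the ESET report above; the one labelled constructed uses a placeholder detection name and exists only to show how a real malware category would surface, and the location rules are illustrative assumptions rather than anything ESET defines.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample lines copied from the ESET report posted above (one finding per line).
SAMPLE_ESET_LINES = [
    r"C:\AdwCleaner\Quarantine\C\Documents and Settings\All Users\Application Data\Conduit\Multi\CT3306061\UninstallerUI.exe.vir a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application",
    r"C:\Documents and Settings\Dianne Fox\Desktop\backups\backup-20131209-213253-350.dll Win32/Toolbar.Conduit.X potentially unwanted application",
    r"C:\Documents and Settings\Dianne Fox\My Documents\Di's Stuff\downloads\asc-setup.exe Win32/ELEX.AH potentially unwanted application",
    r"C:\Program Files\NCH Software\Switch\switch.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application",
    r"C:\System Volume Information\_restore{56B8B9CC-BC43-4D72-862E-562F2316DFFF}\RP193\A0244992.exe a variant of Win32/InstallCore.ZC potentially unwanted application",
]

# Constructed line (not from the thread) with a placeholder detection name, showing
# how a finding in a real malware category is reported.
CONSTRUCTED_TROJAN_LINE = r"C:\Documents and Settings\User\Local Settings\Temp\sample.exe a variant of Win32/Placeholder.A trojan"

# The two ESET categories that mean "grey-area software", not malware.
GREYWARE_CATEGORIES = ("potentially unwanted application", "potentially unsafe application")
VARIANT_MARKER = " a variant of"


@dataclass
class Finding:
    path: str
    detection: str
    category: str
    variant: bool  # True when ESET prefixed the name with "a variant of"

    @property
    def is_greyware(self) -> bool:
        return self.category in GREYWARE_CATEGORIES


def parse_eset_line(line: str) -> Finding:
    """Split one result line into path, detection name and category.

    The path can contain spaces, so everything is peeled off from the right:
    first the category, then the detection name, then the optional variant marker.
    """
    line = line.strip()
    for cat in GREYWARE_CATEGORIES:
        if line.endswith(" " + cat):
            body, category = line[: -len(cat)].rstrip(), cat
            break
    else:
        # Other ESET categories are a single trailing word, e.g. "trojan" or "worm".
        body, category = line.rsplit(" ", 1)
    body, detection = body.rsplit(" ", 1)
    variant = body.endswith(VARIANT_MARKER)
    if variant:
        body = body[: -len(VARIANT_MARKER)]
    return Finding(body.strip(), detection, category, variant)


def locate(path: str) -> str:
    """Classify where the flagged file lives; these rules are illustrative assumptions."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore"       # old restore point, removed when ComboFix is uninstalled
    if "\\quarantine\\" in p or p.endswith(".vir"):
        return "already_quarantined"  # another tool has already neutralised this copy
    if p.startswith("c:\\program files\\"):
        return "program_files"        # installed software, candidate for a File:: entry
    return "user_data"                # downloads, backups, temp: File:: or Folder:: material


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group flagged paths by location so each group can get the matching cleanup step."""
    groups: Dict[str, List[str]] = {}
    for line in lines:
        f = parse_eset_line(line)
        groups.setdefault(locate(f.path), []).append(f.path)
    return groups


def malicious_findings(lines: List[str]) -> List[Finding]:
    """Findings outside the two grey-area categories; an empty list means 'nothing malicious'."""
    return [f for f in map(parse_eset_line, lines) if not f.is_greyware]


def category_counts(lines: List[str]) -> Counter:
    return Counter(parse_eset_line(line).category for line in lines)


if __name__ == "__main__":
    for where, paths in triage(SAMPLE_ESET_LINES).items():
        print(f"{where}: {len(paths)}")
    print("malicious:", [f.detection for f in malicious_findings(SAMPLE_ESET_LINES)])
```

Run against the full ESET report above, the "system_restore" group is the set that needs no manual action, the "already_quarantined" entry is AdwCleaner's own copy, and the "program_files" and "user_data" groups map onto the File:: and Folder:: lines of the CFScript; malicious_findings() coming back empty is the machine-checkable form of "nothing malicious".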
Old 05-24-2015, 08:33 PM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Still with us, whitefox723? I generally unsubscribe from threads after 3 days of inactivity. If you do not reply within 24 hours, this thread will be closed.

------------------------------------------------------
chemist is offline  
Old 05-27-2015, 06:27 AM   #13
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------
chemist is offline  
Old 05-27-2015, 01:56 PM   #14
Registered Member
 
Join Date: Apr 2008
Posts: 115
OS: Windows XP SP2



Hi Chemist

Sorry, I have been on holiday. Link below to original thread; completed your last instruction.

https://www.techsupportforum.com/foru...es-993978.html

Combofix.txt log

ComboFix 15-05-25.01 - Dianne Fox 27/05/2015 20:54:41.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1535.888 [GMT 1:00]
Running from: c:\documents and settings\Dianne Fox\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dianne Fox\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
FILE ::
"c:\documents and settings\Dianne Fox\Desktop\backups\backup-20131209-213253-350.dll"
"c:\documents and settings\Dianne Fox\My Documents\Di's Stuff\downloads\asc-setup.exe"
"c:\program files\NCH Software\Disketch\disketch.exe"
"c:\program files\NCH Software\Disketch\disketchsetup_v3.32.exe"
"c:\program files\NCH Software\ExpressBurn\expressburn.exe"
"c:\program files\NCH Software\ExpressBurn\expressburnsetup_v4.82.exe"
"c:\program files\NCH Software\Switch\switch.exe"
"c:\program files\NCH Software\Switch\switchsetup_v4.79.exe"
"c:\program files\NCH Software\VideoPad\videopad.exe"
"c:\program files\NCH Software\VideoPad\videopadsetup_v4.05.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dianne Fox\Desktop\backups\backup-20131209-213253-350.dll
c:\documents and settings\Dianne Fox\My Documents\Di's Stuff\downloads\asc-setup.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AVGTP
-------\Service_avgtp
.
.
((((((((((((((((((((((((( Files Created from 2015-04-27 to 2015-05-27 )))))))))))))))))))))))))))))))
.
.
2015-05-20 19:00 . 2015-05-20 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes Anti-Exploit
2015-05-20 19:00 . 2015-05-20 19:00 -------- d-----w- c:\program files\Malwarebytes Anti-Exploit
2015-05-16 16:41 . 2015-05-16 16:43 -------- d-----w- c:\documents and settings\Dianne Fox\Application Data\uTorrent
2015-05-15 08:28 . 2015-05-15 08:53 -------- d-----w- C:\AdwCleaner
2015-05-12 21:56 . 2015-05-12 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-05-12 18:55 . 2015-05-12 18:46 55200 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2015-05-12 18:48 . 2015-05-12 18:45 291312 ----a-w- c:\windows\system32\aswBoot.exe
2015-05-12 18:45 . 2015-05-12 18:45 43112 ----a-w- c:\windows\avastSS.scr
2015-05-10 10:19 . 2015-05-10 10:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trusteer
2015-05-09 12:28 . 2015-05-09 12:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2015-05-08 16:25 . 2015-05-08 16:25 218008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2015-05-02 16:40 . 2015-05-02 16:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Trusteer
2015-05-02 16:18 . 2015-05-02 16:18 -------- d-----w- c:\documents and settings\Dianne Fox\Local Settings\Application Data\CDex
2015-05-02 16:17 . 2015-05-09 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Package Cache
2015-05-02 16:17 . 2015-05-10 11:13 -------- d-----w- c:\program files\CDex
2015-05-02 16:00 . 2015-05-27 19:31 -------- d-----w- c:\documents and settings\Dianne Fox\Application Data\NCH Software
2015-05-02 15:40 . 2015-05-27 19:33 -------- d-----w- c:\program files\NCH Software
2015-05-02 15:40 . 2015-05-27 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-05-20 18:57 . 2014-06-01 15:22 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-05-12 18:46 . 2013-12-30 14:05 57888 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2015-05-12 18:46 . 2013-12-30 14:05 209048 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2015-05-12 18:46 . 2013-12-30 14:05 427992 ----a-w- c:\windows\system32\drivers\aswSP.sys
2015-05-12 18:46 . 2013-12-30 14:05 49904 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2015-05-12 18:46 . 2014-05-11 13:50 24144 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2015-05-12 18:46 . 2013-12-30 14:05 74976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2015-05-12 18:42 . 2013-12-30 14:05 787760 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2015-04-27 20:20 . 2013-08-03 11:57 778416 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-04-27 20:20 . 2013-08-03 11:57 142512 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-04-14 08:37 . 2014-06-01 15:22 120024 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-04-14 08:37 . 2014-06-01 15:22 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-06-29 09:46 . 2014-06-29 09:46 6010880 ----a-w- c:\program files\GUT5.tmp
2013-10-12 11:16 . 2013-10-12 11:16 50053120 ----a-w- c:\program files\GUT3.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-05-12 18:44 645144 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-08-05 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-12 43848]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-05-12 5515496]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
"Malwarebytes Anti-Exploit"="c:\program files\Malwarebytes Anti-Exploit\mbae.exe" [2015-04-08 2618680]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Dianne Fox\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\Dianne Fox\\Application Data\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [30/12/2013 15:05 49904]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [30/12/2013 15:05 209048]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [08/05/2015 17:25 218008]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [30/12/2013 15:05 787760]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [30/12/2013 15:05 427992]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\Malwarebytes Anti-Exploit\mbae.sys [20/05/2015 20:00 47928]
R1 RapportCerberus_1412097;RapportCerberus_1412097;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_1412097.sys [12/05/2015 19:36 528600]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [08/05/2015 17:25 279800]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [08/05/2015 17:25 348632]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [11/05/2014 14:50 24144]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [30/12/2013 15:05 74976]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\Malwarebytes Anti-Exploit\mbae-svc.exe [20/05/2015 20:00 656184]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [08/05/2015 17:25 2214168]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [01/06/2014 16:22 23256]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [01/06/2014 16:22 1080120]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [01/06/2014 16:22 119512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-05-27 19:35 986440 ----a-w- c:\program files\Google\Chrome\Application\43.0.2357.81\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-05-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-08-03 20:20]
.
2015-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2015-05-27 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2015-05-12 18:44]
.
2015-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-08-05 18:52]
.
2015-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-08-05 18:52]
.
2015-05-27 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-25 01:59]
.
2014-03-28 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-25 01:59]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Dianne Fox\Application Data\Mozilla\Firefox\Profiles\qo3ndag9.default-1398015338453\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2015-05-27 21:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(892)
c:\program files\trusteer\rapport\bin\rooksbas.dll
.
- - - - - - - > 'lsass.exe'(964)
c:\program files\trusteer\rapport\bin\rooksbas.dll
.
- - - - - - - > 'explorer.exe'(3992)
c:\program files\trusteer\rapport\bin\rooksbas.dll
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Google\Update\1.3.27.5\GoogleCrashHandler.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft Office\Office12\ONENOTEM.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2015-05-27 21:47:48 - machine was rebooted
ComboFix-quarantined-files.txt 2015-05-27 20:47
ComboFix2.txt 2015-05-15 20:49
.
Pre-Run: 29,327,253,504 bytes free
Post-Run: 29,478,494,208 bytes free
.
- - End Of File - - 65D2A4B1FC390106F07B4AC04B2CE8C6
8F558EB6672622401DA993E1E865C861
whitefox723 is offline  
Old 05-28-2015, 08:18 AM   #15
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10
Hello again, whitefox723. How is the machine behaving? Is FF loading up any faster since running TFC?

Let me know and I will give you some final instructions.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 05-28-2015, 12:24 PM   #16
Registered Member
Join Date: Apr 2008
Posts: 115
OS: Windows XP SP2
Firefox is loading brilliantly, thanks; the system seems pretty much okay now. Thanks for your help.

Di
whitefox723 is offline  
Old 05-28-2015, 01:15 PM   #17
Hello again, Di. You're very welcome!

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

Please disable avast! before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.
  • Run AdwCleaner and select Uninstall
  • Confirm by clicking Yes
------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Also, support is ending for some versions of Windows > Windows XP support has ended - Microsoft Windows

------------------------------------------------------

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download hosts.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
chemist is offline  
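The MVPS HOSTS step in the post above works because Windows consults the HOSTS file before DNS: mapping an ad server's name to 127.0.0.1 (0.0.0.0 is the other address commonly used for this) sinks the connection on the local machine. The same file is a favourite target for malware, which adds lines sending real domains (update or antivirus servers) to an address the attacker controls, so after replacing or restoring a HOSTS file it is worth checking that every mapping points at a loopback or null address. The Python script below is an added example, not part of this thread, of the MVPS download or of any tool used here. It parses a HOSTS file the way Windows reads it (comments after `#`, whitespace-separated fields, several names allowed per address), separates the legitimate blocking entries from any mapping whose target is not loopback or null, and reports malformed lines. The embedded sample file, including the two hijack entries, is constructed for illustration; the `.example` hostnames and TEST-NET/LAN addresses are placeholders, not anything from the logs above.

```python
"""Audit a Windows HOSTS file: separate MVPS-style ad blocking from hijacks.

Added example for this thread, not MVPS or ComboFix code.  A blocking HOSTS
file maps unwanted names to 127.0.0.1 or 0.0.0.0 so the connection never
leaves the machine; the same mechanism is abused by malware to send real
domains somewhere else, so every mapping whose target is NOT a loopback/null
address deserves a look.
"""
import ipaddress

# Addresses that "sink" a connection locally: the only targets a legitimate
# blocking HOSTS file should ever use.
SINK_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
)
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample in the layout of a Windows HOSTS file.  The two entries
# marked "hijack" are hypothetical tampering, not taken from the thread's logs.
SAMPLE_HOSTS = """\
# sample HOSTS file (constructed for this example)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.tracker.example          # MVPS-style: sunk to null address
127.0.0.1       banners.adnet.example       # MVPS-style: sunk to loopback
127.0.0.1       stats.counter.example  metrics.counter.example
198.51.100.23   update.os-vendor.example    # hijack: sent to a remote host
10.0.0.5        av-update.example           # hijack: sent to a LAN box
this line is junk
"""


def is_sink(ip):
    """True if ip is a loopback or null address (connection stays local)."""
    return any(ip in net for net in SINK_NETS)


def parse_hosts(text):
    """Return (line_no, ip, hostname) triples plus a list of malformed lines.

    Mirrors how Windows reads the file: '#' starts a comment, whitespace
    separates fields, and one address may be followed by several names.
    """
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        if len(fields) < 2:
            malformed.append((lineno, raw))
            continue
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries, malformed


def classify(ip, name):
    """local: the standard localhost lines; sink: a blocked site;
    redirect: a name sent to some other address, where hijacks show up."""
    if name in LOCAL_NAMES and is_sink(ip):
        return "local"
    if is_sink(ip):
        return "sink"
    return "redirect"


def audit_hosts(text):
    """Group every mapping by class so the 'redirect' bucket can be reviewed."""
    report = {"local": [], "sink": [], "redirect": [], "malformed": []}
    entries, malformed = parse_hosts(text)
    for lineno, ip, name in entries:
        report[classify(ip, name)].append((lineno, str(ip), name))
    report["malformed"] = malformed
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['sink'])} blocked names, "
          f"{len(result['redirect'])} redirects to review")
    for lineno, ip, name in result["redirect"]:
        print(f"  line {lineno}: {name} -> {ip}  (not loopback, check this)")
    for lineno, raw in result["malformed"]:
        print(f"  line {lineno}: ignored malformed entry: {raw!r}")
```

To check a live machine, read C:\WINDOWS\system32\drivers\etc\hosts and pass its contents to audit_hosts(); anything in the "redirect" bucket that you did not add yourself (a deliberate LAN entry, say) is the kind of change to compare against the ComboFix and DDS logs, because a hijacked update or antivirus hostname quietly defeats both the Microsoft Updates advice above and the antivirus itself.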
Old 05-28-2015, 01:53 PM   #18
Hi

Done all that, except Ad-Aware is not present on my machine to uninstall, strange??? Thank you for all your help, greatly appreciated. AGAIN :-)

Di
whitefox723 is offline  
Old 05-28-2015, 08:39 PM   #19
You're very welcome, Di!

Not Ad-Aware, but AdwCleaner, which you ran on 5/15 from your Downloads folder?

Quote:
# Running from : C:\Documents and Settings\Dianne Fox\My Documents\Downloads\adwcleaner_4.203.exe
You won't find AdwCleaner in Add or Remove Programs. Just uninstall it using the previous instructions. Let me know.
chemist is offline  
Old 06-03-2015, 06:53 PM   #20
As this topic appears to be resolved, this thread will be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

chemist is offline  
 

Copyright 2001 - 2018, Tech Support Forum
