1.1K Posts

August 29th, 2010 03:00

Hi meenah76

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable; with that in mind, it is advisable to back up any important data before we begin.
If you do not reply within 72 hours the thread will be closed; if you need more time, let me know. Likewise, if I do not respond within 48 hours feel free to PM me.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE

** If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE

Couple of questions before we can progress:

  • I need to know what your operating system is, eg Windows XP 32bit. Select > start > Right click on "My Computer" or "Computer" (depending on version) > select > properties. You will get the requested information from the resultant screen.
  • Can you boot into "Safe mode with networking"? To do this: re-boot the PC and as it starts up tap the F8 key continuously until you get the "Windows advance option screen". You will see several options, one will be "Safe mode with networking".


Don't boot into Safe mode with networking yet, just let me know you can do it and give me the version of your OS.

Kevin..

1.1K Posts

August 29th, 2010 04:00

Hi meenah76,

I was hoping it wouldn't be a 64bit system, never mind. Many of the major tools we use don't work on 64 bit systems. OK, let's try something simple first; it is an excellent program and does find and kill many of the current infections. Boot into safe mode with networking, then proceed as follows:

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.



Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

If you get a successful run with Malwarebytes, boot into Normal mode and do another quick scan (update first). Post both logs for me if possible; there is a "Logs" tab on the main interface, select that and you'll be able to see any relevant logs, highlight by selecting, then select open and the log will open in Notepad.

Kevin.

8 Posts

August 29th, 2010 04:00

Couple of questions before we can progress:

  • I need to know what your operating system is eg Windows XP 32bit. Select > start > Right click on "My Computer" or "Computer" (depending on version) > select > properties. You will get that requested information from the resultant screen.
              Windows 7 64 bit o/s
  • Can you boot into "Safe mode with networking" To do this: re-boot PC as it starts up tap the F8 key continuously until you get the "Windows advance option screen" You will see several options, one will be "Safe mode with networking"

              Yes


Thank you for helping me resolve my problems.

8 Posts

August 29th, 2010 09:00

Good morning Kevin.

I did as you instructed and installed and ran Malwarebytes in safe mode. The scan picked up two infected files. I quarantined both files and restarted the computer in normal mode. I then ran Malwarebytes again. Nothing was detected. I posted both logs here for your review.

I take it that the virus was removed, but is it completely gone?

Thank you

Safe Mode Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4500

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

8/29/2010 10:44:16 AM
mbam-log-2010-08-29 (10-44-16).txt

Scan type: Quick scan
Objects scanned: 144270
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fgrpvbct (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)


Files Infected:
C:\Users\Meena\AppData\Local\hgrjvrtkm\pqmmvqashdw.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Normal Mode Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4500

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/29/2010 10:56:53 AM
mbam-log-2010-08-29 (10-56-53).txt

Scan type: Quick scan
Objects scanned: 145308
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
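The two logs above follow the fixed layout of Malwarebytes' Anti-Malware 1.46 text reports: a header, a summary block of per-section counts, then the itemised sections. The script below is an added example (not code from any post in this thread or from Malwarebytes) that parses that layout, flags the detection that sat in an autorun key, and checks whether the normal-mode run still reports anything from the safe-mode run; the embedded logs are abridged copies of the two logs posted above.

```python
"""Parse Malwarebytes' Anti-Malware 1.46 text logs in the format posted in this thread.
Added example, not code from any post or from Malwarebytes: it reads the summary counts
and itemised detections, flags autorun (persistence) entries and compares two runs.
"""
import re
from dataclasses import dataclass, field

# Abridged copies of the safe-mode and normal-mode logs posted above (empty sections cut).
SAFE_MODE_LOG = r"""
Database version: 4500
Windows 6.1.7600 (Safe Mode)
Scan type: Quick scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fgrpvbct (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Meena\AppData\Local\hgrjvrtkm\pqmmvqashdw.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
"""

NORMAL_MODE_LOG = r"""
Database version: 4500
Windows 6.1.7600
Scan type: Quick scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
AUTORUN_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

@dataclass
class Detection:
    section: str   # e.g. "Registry Values Infected"
    location: str  # registry value or file path MBAM acted on
    threat: str    # MBAM detection name, e.g. Trojan.FakeAlert.Gen
    action: str    # what MBAM did, e.g. "Quarantined and deleted successfully"

@dataclass
class ScanReport:
    header: dict = field(default_factory=dict)   # "Database version", "Scan type", ...
    counts: dict = field(default_factory=dict)   # summary block: section -> count
    detections: list = field(default_factory=list)
    safe_mode: bool = False

def parse_mbam_log(text):
    """Parse one log: header lines, then the summary counts, then itemised sections."""
    report, section = ScanReport(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "(No malicious items detected)":
            continue
        if m := SUMMARY_RE.match(line):
            report.counts[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section is None:                      # still in the header block
            if line.startswith("Windows "):
                report.safe_mode = "(Safe Mode)" in line
            elif ": " in line:
                key, _, value = line.partition(": ")
                report.header[key] = value
        elif m := ITEM_RE.match(line):
            report.detections.append(Detection(section, m["location"], m["threat"], m["action"]))
    return report

def autorun_detections(report):
    """Detections sitting in a Run/RunOnce key, i.e. the malware's persistence entry."""
    return [d for d in report.detections
            if any(mark in d.location.lower() for mark in AUTORUN_MARKERS)]

def is_clean(report):
    """True when the summary block and the itemised sections both report nothing."""
    return sum(report.counts.values()) == 0 and not report.detections

def still_present(first, second):
    """Locations removed in the first run that a later run reports again (re-infection)."""
    seen = {d.location.lower() for d in first.detections}
    return sorted(d.location for d in second.detections if d.location.lower() in seen)
```

A clean follow-up scan is necessary but not sufficient evidence the machine is clean, which is why the helper goes on to request the DDS and Security Check logs.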

1.1K Posts

August 29th, 2010 10:00

Hiya meenah76,

Let's run a couple more scans to have a better look at your system. These are just diagnostic scans, nothing will be changed. Proceed as follows:

Step 1

We need to see some additional information about what is happening in your machine. 
Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.   
  • When done, DDS will open two (2) logs:
              1. DDS.txt
              2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.

Please note:  You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet. 
Information on A/V control HERE

Step 2

This scan will check your security system, Java, Adobe etc for vulnerabilities.

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What I'd like in your reply:

  • Both logs from DDS
  • Log from Security Checks
  • OS Review, any specific issues?


Kevin

PS, I'm in the UK, so it's early evening for me... 17:45

8 Posts

August 29th, 2010 16:00

There are no issues that I am aware of. I am able to access all applications and there has been no sign of the virus.

8 Posts

August 29th, 2010 16:00

 Results of screen317's Security Check version 0.99.5 
 Windows 7  (UAC is enabled)
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 Java(TM) 6 Update 17 
 Out of date Java installed!
 Adobe Flash Player 10.0.42.34 
Adobe Reader 9.1.2
Out of date Adobe Reader installed!
 Mozilla Firefox (3.5.11) Firefox Out of Date! 
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Windows Defender MSMpEng.exe
 Microsoft Security Essentials msseces.exe
````````````````````````````````
DNS Vulnerability Check:

 Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

``````````End of Log````````````

8 Posts

August 29th, 2010 16:00

DDS.txt
DDS (Ver_10-03-17.01) - NTFSX64 
Run by Admin at 18:16:36.71 on Sun 08/29/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4056.2362 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\SysWOW64\rpcnet.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Meena\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyOverride = www.myantispyware.com;myantispyware.com;www.malwarebytes.org;go.trendmicro.com;
uInternet Settings,ProxyServer = http=127.0.0.1:6522
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Dell DataSafe Online] "c:\program files (x86)\dell datasafe online\DataSafeOnline.exe" /m
mRun: [PDVDDXSrv] "c:\program files (x86)\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell Webcam Central] "c:\program files (x86)\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [DellSupportCenter] "c:\program files (x86)\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Clearwire Connection Manager] "c:\program files (x86)\clearwire\connection manager\ClearwireCM.exe" -a
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [Desktop Disc Tool] "c:\program files (x86)\roxio\roxio burn\RoxioBurnLauncher.exe"
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [BlackBerryAutoUpdate] c:\program files (x86)\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRunOnce: [STToasterLauncher] c:\program files (x86)\dell datasafe local backup\toasterLauncher.exe
StartupFolder: c:\users\meena\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files (x86)\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - c:\program files (x86)\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files (x86)\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files (x86)\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files (x86)\iespell\wikipedia.HTM
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files (x86)\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files (x86)\iespell\iespell.dll/SPELLOPTION.HTM
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\program files (x86)\cozi express\CoziProtocolHandler.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [Apoint] c:\program files\delltpad\Apoint.exe
mRun-x64: [SysTrayApp] c:\program files\idt\wdm\sttray64.exe
mRun-x64: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun-x64: [Persistence] c:\windows\system32\igfxpers.exe
mRun-x64: [Broadcom Wireless Manager UI] c:\program files\dell\dell wireless wlan card\WLTRAY.exe
mRun-x64: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
mRun-x64: [IAAnotif] c:\program files (x86)\intel\intel matrix storage manager\iaanotif.exe
mRun-x64: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

================= FIREFOX ===================

FF - ProfilePath - c:\users\meena\appdata\roaming\mozilla\firefox\profiles\tnfgs3yo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files (x86)\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files (x86)\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files (x86)\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\meena\appdata\roaming\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\users\meena\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2010-8-6 55280]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 173984]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2009-6-9 155648]
R2 SftService;SoftThinks Agent Service;c:\program files (x86)\dell datasafe local backup\SftService.exe [2009-12-19 656624]
R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files (x86)\clearwire\connection manager\DeviceLaunchSvc.exe [2009-11-9 107856]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-12-19 35104]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-12-19 172704]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 40832]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-12-19 215552]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 17920]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x64.sys [2009-12-19 393728]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2010-6-9 136176]
S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314_64.sys [2009-11-3 318336]
S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr_64.sys [2009-11-3 62976]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2010-3-29 35840]
S3 CACLEARWIRE;Clearwire Con App Svc;c:\program files (x86)\clearwire\connection manager\ConAppsSvc.exe [2009-11-9 124240]
S3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files (x86)\clearwire\connection manager\RcAppSvc.exe [2009-11-9 120144]
S3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.sys [2009-11-9 43032]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2010-4-19 50688]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-6 1255736]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files (x86)\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2010-08-29 10:52:16    0    d-----w-    c:\users\meena\appdata\roaming\Malwarebytes
2010-08-29 10:52:08    24664    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-08-29 10:52:08    0    d-----w-    c:\programdata\Malwarebytes
2010-08-29 10:52:08    0    d-----w-    c:\program files (x86)\Malwarebytes' Anti-Malware
2010-08-28 09:43:31    0    d-----w-    c:\users\meena\appdata\roaming\Research In Motion
2010-08-28 09:42:54    31744    ----a-w-    c:\windows\system32\drivers\RimSerial_AMD64.sys
2010-08-28 09:42:25    0    d-----w-    c:\programdata\Research In Motion
2010-08-28 09:42:13    0    d-----w-    c:\program files (x86)\common files\Research In Motion
2010-08-28 09:42:12    0    d-----w-    c:\program files (x86)\Research In Motion
2010-08-28 07:23:48    65536    ------w-    c:\windows\system32\Ikeext.etl
2010-08-24 23:06:35    861184    ----a-w-    c:\windows\system32\oleaut32.dll
2010-08-24 23:06:35    571904    ----a-w-    c:\windows\syswow64\oleaut32.dll
2010-08-22 17:34:52    0    d-----w-    c:\program files\iPod
2010-08-22 17:34:51    0    d-----w-    c:\program files\iTunes
2010-08-22 17:31:53    0    d-----w-    c:\program files\Bonjour
2010-08-22 17:31:53    0    d-----w-    c:\program files (x86)\Bonjour
2010-08-06 18:12:24    55280    ------w-    c:\windows\system32\drivers\PxHlpa64.sys
2010-08-06 18:12:24    10224    ------w-    c:\windows\system32\drivers\cdralw2k.sys
2010-08-06 18:12:24    10224    ------w-    c:\windows\system32\drivers\cdr4_xp.sys
2010-08-06 18:12:22    0    d-----w-    c:\program files (x86)\common files\PX Storage Engine
2010-08-06 18:12:16    0    d-----w-    c:\program files (x86)\Roxio
2010-08-06 18:11:00    0    d-----w-    c:\users\meena\appdata\roaming\Roxio Log Files
2010-08-03 02:50:59    12867584    ----a-w-    c:\windows\syswow64\shell32.dll

==================== Find3M  ====================

2010-08-29 22:14:10    17920    ----a-w-    c:\windows\system32\rpcnetp.exe
2010-08-29 14:47:13    57752    ----a-w-    c:\windows\syswow64\rpcnet.dll
2010-08-29 14:47:13    17920    ----a-w-    c:\windows\syswow64\rpcnetp.dll
2010-08-29 14:46:43    17920    ----a-w-    c:\windows\syswow64\rpcnetp.exe
2010-07-29 06:30:34    82944    ----a-w-    c:\windows\syswow64\iccvid.dll
2010-06-30 07:13:46    1192960    ----a-w-    c:\windows\system32\wininet.dll
2010-06-30 06:25:31    978432    ----a-w-    c:\windows\syswow64\wininet.dll
2010-06-30 06:25:18    1226240    ----a-w-    c:\windows\syswow64\urlmon.dll
2010-06-30 06:22:45    606208    ----a-w-    c:\windows\syswow64\mstime.dll
2010-06-30 06:22:34    5971456    ----a-w-    c:\windows\syswow64\mshtml.dll
2010-06-30 06:22:33    64512    ----a-w-    c:\windows\syswow64\msfeedsbs.dll
2010-06-30 06:21:57    48128    ----a-w-    c:\windows\syswow64\jsproxy.dll
2010-06-30 06:21:47    185856    ----a-w-    c:\windows\syswow64\iepeers.dll
2010-06-30 06:21:47    176640    ----a-w-    c:\windows\syswow64\ieui.dll
2010-06-30 06:21:46    10985472    ----a-w-    c:\windows\syswow64\ieframe.dll
2010-06-30 06:21:44    381440    ----a-w-    c:\windows\syswow64\iedkcs32.dll
2010-06-30 06:19:16    12800    ----a-w-    c:\windows\syswow64\msfeedssync.exe
2010-06-19 07:05:01    5507968    ----a-w-    c:\windows\system32\ntoskrnl.exe
2010-06-19 06:53:18    52224    ----a-w-    c:\windows\system32\rtutils.dll
2010-06-19 06:33:29    3955080    ----a-w-    c:\windows\syswow64\ntkrnlpa.exe
2010-06-19 06:33:29    3899784    ----a-w-    c:\windows\syswow64\ntoskrnl.exe
2010-06-19 06:23:50    37376    ----a-w-    c:\windows\syswow64\rtutils.dll
2010-06-19 04:32:34    3122688    ----a-w-    c:\windows\system32\win32k.sys
2010-06-16 06:11:10    340992    ----a-w-    c:\windows\system32\schannel.dll
2010-06-16 05:48:35    224256    ----a-w-    c:\windows\syswow64\schannel.dll
2010-06-08 06:02:06    1233920    ----a-w-    c:\windows\syswow64\msxml3.dll
2010-06-08 05:36:31    1877504    ----a-w-    c:\windows\system32\msxml3.dll
2010-06-01 17:37:48    270208    ------w-    c:\windows\system32\MpSigStub.exe
2009-07-14 05:37:38    31548    ----a-w-    c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38    31548    ----a-w-    c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38    291294    ----a-w-    c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38    291294    ----a-w-    c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24    174    --sha-w-    c:\program files\desktop.ini
2009-07-14 04:54:24    174    --sha-w-    c:\program files (x86)\desktop.ini
2009-07-14 01:00:34    291294    ----a-w-    c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34    291294    ----a-w-    c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32    31548    ----a-w-    c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32    31548    ----a-w-    c:\windows\inf\perflib\0000\perfc.dat
2009-12-19 23:28:14    75    --sh--r-    c:\windows\CT4CET.bin
2009-06-10 20:44:08    9633792    --sha-r-    c:\windows\fonts\StaticCache.dat
2010-03-29 21:09:21    245760    --sha-w-    c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-22 08:17:37    245760    --sha-w-    c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53    398848    --sha-w-    c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45    396800    --sha-w-    c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:16:52.67 ===============
Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 12/24/2009 10:32:49 PM
System Uptime: 8/29/2010 3:25:52 PM (3 hours ago)

Motherboard: Dell Inc. |  | 0G848F
Processor: Pentium(R) Dual-Core CPU       T4300  @ 2.10GHz | Microprocessor | 2100/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 451 GiB total, 403.467 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: Bluetooth Peripheral Device
Device ID: BTHENUM\{426C6163-6B42-6572-7279-427970617373}_LOCALMFG&000F\8&29D3EAFA&0&2CA83560734E_C00000000
Manufacturer:
Name: Bluetooth Peripheral Device
PNP Device ID: BTHENUM\{426C6163-6B42-6572-7279-427970617373}_LOCALMFG&000F\8&29D3EAFA&0&2CA83560734E_C00000000
Service:

Class GUID:
Description: Bluetooth Peripheral Device
Device ID: BTHENUM\{426C6163-6B42-6572-7279-44736B746F70}_LOCALMFG&000F\8&29D3EAFA&0&2CA83560734E_C00000000
Manufacturer:
Name: Bluetooth Peripheral Device
PNP Device ID: BTHENUM\{426C6163-6B42-6572-7279-44736B746F70}_LOCALMFG&000F\8&29D3EAFA&0&2CA83560734E_C00000000
Service:

==== System Restore Points ===================

RP126: 8/5/2010 10:57:43 AM - Windows Update
RP127: 8/6/2010 2:22:13 PM - Windows Update
RP128: 8/8/2010 1:27:35 AM - Windows Update
RP129: 8/9/2010 1:28:46 AM - Windows Update
RP130: 8/10/2010 2:43:06 AM - Windows Update
RP131: 8/11/2010 1:56:44 AM - Windows Update
RP132: 8/12/2010 6:03:50 PM - Windows Update
RP133: 8/13/2010 3:00:15 AM - Windows Update
RP134: 8/13/2010 8:31:15 PM - Windows Update
RP135: 8/15/2010 1:24:23 AM - Windows Update
RP136: 8/15/2010 3:27:49 AM - Windows Update
RP137: 8/16/2010 4:02:23 AM - Windows Update
RP138: 8/17/2010 6:04:57 PM - Windows Update
RP139: 8/18/2010 7:40:41 PM - Windows Update
RP140: 8/20/2010 12:40:18 AM - Windows Update
RP141: 8/20/2010 3:27:50 AM - Windows Update
RP142: 8/21/2010 5:07:18 PM - Windows Update
RP143: 8/22/2010 11:06:48 PM - Windows Update
RP144: 8/24/2010 12:26:34 AM - Windows Update
RP145: 8/25/2010 2:01:10 AM - Windows Update
RP146: 8/25/2010 3:00:11 AM - Windows Update
RP147: 8/28/2010 5:41:30 AM - Installed BlackBerry Desktop Software.
RP148: 8/28/2010 9:09:07 PM - Windows Update

==== Installed Programs ======================

7-Zip 4.65
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.1.2
Advanced Audio FX Engine
Apple Application Support
Apple Software Update
Banctec Service Agreement
Bingo Hall 3.2.1
BlackBerry Desktop Software 5.0.1
BlackBerry® Media Sync
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Cozi
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell DataSafe Online
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Webcam Central
Google Earth Plug-in
Google Update Helper
GoToAssist 8.0.0.514
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
Hotfix for Microsoft Visual Studio 2008 Remote Debugger Light (x64) - ENU (KB944899)
ieSpell
Java(TM) 6 Update 17
Junk Mail filter update
Live! Cam Avatar Creator
Loki ActiveX Control
Malwarebytes' Anti-Malware
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files (English)
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual Studio 2008 Remote Debugger Light (x64) - ENU Service Pack 1 (KB945140)
Move Media Player
Mozilla Firefox (3.5.11)
MSVCRT
Octoshape add-in for Adobe Flash Player
PowerDVD DX
QuickTime
Roxio Burn
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Sql Server Customer Experience Improvement Program
SQL Server System CLR Types
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb2279264)
VoiceOver Kit
WildTangent Games
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer

==== Event Viewer Messages From Past Week ========

8/29/2010 6:46:22 AM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
8/29/2010 6:46:19 AM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
8/29/2010 6:45:31 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
8/29/2010 6:45:30 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/29/2010 6:45:28 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/29/2010 6:45:21 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
8/29/2010 6:45:20 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000]  - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv64.dll Error Code: 21
8/29/2010 6:45:02 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache MpFilter spldr Wanarpv6
8/29/2010 6:14:09 PM, Error: BTHUSB [17]  - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
8/29/2010 6:06:47 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
8/29/2010 10:47:26 AM, Error: VDS Basic Provider [1]  - Unexpected failure. Error code: D@01010004
8/28/2010 5:12:25 AM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {48DA6741-1BF0-4A44-8325-293086C79077}  and APPID  {48DA6741-1BF0-4A44-8325-293086C79077}  to the user Meena-PC\Admin SID (S-1-5-21-3534458911-844441397-1182669561-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
8/27/2010 8:51:38 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.      New Signature Version:       Previous Signature Version: 1.89.313.0      Update Source: Microsoft Update Server      Update Stage: Search      Source Path: http://www.microsoft.com      Signature Type: AntiVirus      Update Type: Full      User: NT AUTHORITY\SYSTEM      Current Engine Version:       Previous Engine Version: 1.1.6103.0      Error code: 0x8024402c      Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/25/2010 3:17:27 AM, Error: Microsoft Antimalware [3002]  - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.      Feature: Behavior Monitoring      Error Code: 0x80004005      Error description: Unspecified error       Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/22/2010 1:33:36 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Apple Mobile Device service, but this action failed with the following error:  An instance of the service is already running.
8/22/2010 1:32:36 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/22/2010 1:32:08 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/22/2010 1:11:07 PM, Error: Microsoft-Windows-WMPNSS-Service [14365]  - Proximity detection failed due to unknown error '0x80004004'.  The best proximity time detected was -1 milliseconds.

==== End Of File ===========================

1.1K Posts

August 30th, 2010 02:00

Hi meenah76,

The logs don't show any malware as such; there is, however, a proxy running that looks malicious. Proceed as follows please :-

Step 1

Please download OTM by OldTimer.
Alternative Mirror
Save it to your desktop.
Double click OTM.exe to start the tool.
  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    -------------------------------------------------------------------

    :Processes
    explorer.exe
    :Commands
    [CreateRestorePoint]
    [EmptyFlash]
    [EmptyTemp]
    [ResetHosts]
    [Reboot]

    ---------------------------------------------------------------------
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Step 2

We need to check for proxy server settings in your browser, the following are the most common used.

Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings". OK and Apply.

Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.

Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings", then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.

Safari:
  • Launch Safari
  • Go to general settings menu
  • Then in Preferences/ Advanced
  • Then on line click Proxies change settings ...
  • Click Internet Options, then click the Connections tab, click Network Settings.
  • Disable option (uncheck) for the use of proxy server ...


Step 3

Run an online virus scan with Kaspersky from HERE. This scan is very thorough and may take several hours to run, please allow it to complete.
1. At the main page, press "Accept" after reading the contents.
2. At the next window, select Update and allow the database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the database has finished updating, under the Scan icon select My Computer to start the scan.
4. Select Scan Report.
5. If any threats were found they will appear in the report.
6. Select "Save error report as", then in the file name just type in kaspersky; under "Save as type" select Text (.txt) and save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

The following animation may help.

Kaspersky Gif

What I'd like in your reply :-

  • Log from OTM
  • Log from Kaspersky
  • System review. Any specific issues?


Kevin.
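
Added example, not part of kevinf80's post and not OTM's own code: a PowerShell script that reads the same things Step 1's [ResetHosts] and Step 2 deal with by hand, namely the per-user WinINET proxy values (used by Internet Explorer, and by Chrome and Safari on Windows), the Firefox proxy preference, and the active lines of the hosts file, so they can be recorded before and after the cleanup. The registry path and value names, the `network.proxy.type` preference and the hosts path are the standard Windows and Firefox locations; the function names are this example's own and it assumes Windows 7 or later with PowerShell 2.0 or newer.

```powershell
# Added example (not from the thread and not OTM's own code): report the
# per-user proxy settings and active hosts-file entries that Step 1's
# [ResetHosts] and Step 2 cover, so they can be compared before and after.
# Assumes Windows 7 or later; function names are this example's own.

$WinInetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxySetting {
    # IE, and Chrome and Safari on Windows, all read these WinINET values.
    $p = Get-ItemProperty -Path $WinInetKey -ErrorAction SilentlyContinue
    New-Object -TypeName PSObject -Property @{
        ProxyEnable   = [bool]$p.ProxyEnable   # $true = "Use a proxy server" is ticked
        ProxyServer   = $p.ProxyServer         # host:port of the configured proxy
        AutoConfigURL = $p.AutoConfigURL       # PAC script URL, a second way to redirect traffic
        ProxyOverride = $p.ProxyOverride       # hosts that bypass the proxy
    }
}

function Get-FirefoxProxyType {
    # network.proxy.type in each profile's prefs.js: 0 = no proxy, 1 = manual,
    # 2 = PAC URL, 4 = auto-detect, 5 = use system settings. $null means the
    # pref is not set and the build's default applies.
    $pattern  = 'user_pref\("network\.proxy\.type",\s*(\d+)\)'
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    Get-ChildItem -Path $profiles -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $prefs = Join-Path $_.FullName 'prefs.js'
            $type  = $null
            if (Test-Path $prefs) {
                $line = Get-Content $prefs | Where-Object { $_ -match $pattern } | Select-Object -First 1
                if ($line -match $pattern) { $type = [int]$Matches[1] }
            }
            New-Object -TypeName PSObject -Property @{ Profile = $_.Name; ProxyType = $type }
        }
}

function Get-ActiveHostsEntry {
    # Non-comment, non-blank lines. A stock Windows 7 hosts file has none,
    # so any entry here (security vendors, banks, update servers) deserves a look.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

function Disable-WinInetProxy {
    # Same effect as Step 2's Internet Explorer instructions: untick the proxy
    # and drop the server and PAC values. Not called by the report below; run it
    # only if the proxy is not one you configured yourself.
    Set-ItemProperty -Path $WinInetKey -Name ProxyEnable -Value 0
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        Remove-ItemProperty -Path $WinInetKey -Name $name -ErrorAction SilentlyContinue
    }
}

# Read-only report; save the output from before and after cleanup and diff them.
'== WinINET (IE / Chrome / Safari) proxy =='
Get-WinInetProxySetting | Format-List ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride
'== Firefox profiles =='
Get-FirefoxProxyType | Format-Table Profile, ProxyType -AutoSize
'== Active hosts entries =='
Get-ActiveHostsEntry
```

Run it from a PowerShell prompt as the affected user, since HKCU and `%APPDATA%` are per-user and a second account (HomeGuest in this thread) needs its own run. The three `Get-` functions only read; `Disable-WinInetProxy` is the one function that changes anything and is deliberately not invoked by the report.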

8 Posts

August 30th, 2010 18:00

There are no issues that I am aware of.  I am able to access all applications and there has been no sign of the virus.

8 Posts

August 30th, 2010 18:00

OTM Log

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== COMMANDS ==========
Restore point Set: OTM Restore Point
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: HomeGuest
->Temp folder emptied: 7648219 bytes
->Temporary Internet Files folder emptied: 46064462 bytes
->Java cache emptied: 119853 bytes
->Flash cache emptied: 13575 bytes
 
User: Meena
->Temp folder emptied: 124622368 bytes
->Temporary Internet Files folder emptied: 66824078 bytes
->Java cache emptied: 43997396 bytes
->FireFox cache emptied: 37732126 bytes
->Flash cache emptied: 1097562 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 11135995 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 84793 bytes
RecycleBin emptied: 1598956 bytes
 
Total Files Cleaned = 325.00 mb
 
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
OTM by OldTimer - Version 3.1.15.0 log created on 08302010_122839

Files moved on Reboot...
C:\Users\Meena\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Meena\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{28521AF5-F49F-4DF5-AB10-89B71D5AB8B6}.tmp moved successfully.
C:\Users\Meena\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5D3B8287-9D5C-451A-B2F7-270B8BF7E973}.tmp moved successfully.
File C:\Users\Meena\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B7EBA836-289C-4843-A528-409AA8E8DEB1}.tmp not found!
C:\Users\Meena\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BA97A0E4-51DA-4963-8077-8FEED99EC9E5}.tmp moved successfully.

Registry entries deleted on Reboot...

Kaspersky Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Monday, August 30, 2010
 Operating system: Microsoft  (build 7600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Monday, August 30, 2010 19:17:29
 Records in database: 4168191
--------------------------------------------------------------------------------

Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

Scan area - My Computer:
    C:\
    D:\

Scan statistics:
    Objects scanned: 130417
    Threats found: 1
    Infected objects found: 2
    Suspicious objects found: 0
    Scan duration: 02:13:40


File name / Threat / Threats count
C:\Users\Meena\Documents\Classes\Spring - 2010\CSC 234\C++ Source Code Files\chapter_2\debug\chapter_2.exe    Infected: VirTool.Win32.MS04-028.bq    1
C:\Users\Meena\Documents\Classes\Spring - 2010\CSC 234\C++ Source Code Files\Hello_World2\debug\Hello_World2.exe    Infected: VirTool.Win32.MS04-028.bq    1

Selected area has been scanned.

1.1K Posts

August 31st, 2010 00:00

Hiya meenah76

Kaspersky has flagged two infected files that we need to deal with, proceed as follows :-

Please download OTM by OldTimer.
Alternative Mirror Or just use the one you downloaded previously
Save it to your desktop.
Double click OTM.exe to start the tool.
  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    -------------------------------------------------------------------

    :Processes
    explorer.exe

    :Files
    C:\Users\Meena\Documents\Classes\Spring - 2010\CSC 234\C++ Source Code Files\chapter_2\debug\chapter_2.exe
    C:\Users\Meena\Documents\Classes\Spring - 2010\CSC 234\C++ Source Code Files\Hello_World2\debug\Hello_World2.exe
    :Commands
    [Reboot]

    ---------------------------------------------------------------------
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Post that log for me please, also any issues?

Kevin.