Boards.ie uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Click here to find out more x
Post Reply  
 
 
Thread Tools Search this Thread
31-12-2013, 19:12   #16
jsa112
Registered User
 
Join Date: Aug 2013
Posts: 402
open OTL click the none button at the very top, then copy and paste this into the box


netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
SaveMBR:0
createrestorepoint
%systemroot%\*. /mp /s
C:\*.*
showhidden
c:\Users\Laptop\AppData\Roaming\*.*
C:\Program Files\Internet Explorer\iexplore.exe /md5
/md5start
svchost.exe
/md5stop


click run scan post the log it gives
jsa112 is offline  
Advertisement
31-12-2013, 21:20   #17
sandra_b
Registered User
 
Join Date: Sep 2010
Posts: 141
Ok, I'll do that now.
I have just run adwcleaner, do you want to see logs from scan and clean?
I noticed it removed AVG secure search from Firefox. Why is that? I thought AVG is "safe" (although I can't remember how I installed it, it was probably always there )
sandra_b is offline  
31-12-2013, 21:28   #18
jsa112
Registered User
 
Join Date: Aug 2013
Posts: 402
yeah post all logs I ask for. AVG installed some crap toolbar thats why it got removed.
jsa112 is offline  
31-12-2013, 22:31   #19
sandra_b
Registered User
 
Join Date: Sep 2010
Posts: 141
Hi Jsa112,

during OTL scan AVG has detected trojan again and I clicked an option to remove it. Is it OK, should I have ignored it? What does it mean, is it "false" alarm?

I am posting 3 logs in the bext 3 posts - adwcleaner scan, adwcleaner clean and the latest OTL scan.

Here is report from AVG when it found Trojan during otl.exe:

Resident Shield Results
"Threat Name" "Result" "Detection Time" "Object Type" "Process"
"Trojan horse Dropper.Generic9.JDV, c:\Users\Laptop\AppData\Roaming\tfoqktardtf.exe" "Secured" "29/12/2013, 22:49:18" "File or Directory" "C:\Program Files\Internet Explorer\iexplore.exe"
"Trojan horse Dropper.Generic9.JDV, c:\Users\Laptop\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJZK9F39\svchost[1].exe" "Secured" "29/12/2013, 22:49:41" "File or Directory" "C:\Program Files\Internet Explorer\iexplore.exe"
"Trojan horse Dropper.Generic9.JDV, c:\Users\Laptop\AppData\Roaming\mwpyvtnsdug.exe" "Secured" "30/12/2013, 22:02:05" "File or Directory" "C:\Program Files\Internet Explorer\iexplore.exe"
"Trojan horse Dropper.Generic9.JDV, c:\Users\Laptop\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TBQQNC7\svchost[1].exe" "Secured" "30/12/2013, 22:02:31" "File or Directory" "C:\Program Files\Internet Explorer\iexplore.exe"
"Trojan horse BackDoor.Generic18.ENR, c:\_OTL\MovedFiles\12312013_173650\C_Users\Laptop\AppData\Roaming\bjrwzmzisvc.exe" "Secured" "31/12/2013, 22:02:08" "File or Directory" "C:\Users\Laptop\Downloads\OTL.exe"
sandra_b is offline  
31-12-2013, 22:32   #20
sandra_b
Registered User
 
Join Date: Sep 2010
Posts: 141
adwcleaner scan log:

# AdwCleaner v3.016 - Report created 31/12/2013 at 20:40:05
# Updated 23/12/2013 by Xplode
# Operating System : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Username : Laptop - LAPTOP-PC
# Running from : C:\Users\Laptop\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526


-\\ Mozilla Firefox v26.0 (en-GB)

[ File : C:\Users\Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\8bfdnkt5.default\prefs.js ]

Line Found : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Line Found : user_pref("browser.search.selectedEngine", "AVG Secure Search");

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\Laptop\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [1071 octets] - [31/12/2013 17:23:08]
AdwCleaner[R1].txt - [993 octets] - [31/12/2013 20:40:05]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [1052 octets] ##########
sandra_b is offline  
Advertisement
31-12-2013, 22:33   #21
sandra_b
Registered User
 
Join Date: Sep 2010
Posts: 141
adwcleaner clean log:

# AdwCleaner v3.016 - Report created 31/12/2013 at 20:42:30
# Updated 23/12/2013 by Xplode
# Operating System : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Username : Laptop - LAPTOP-PC
# Running from : C:\Users\Laptop\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\PriceGong
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Users\Laptop\AppData\Local\AVG Secure Search
Folder Deleted : C:\Users\Laptop\AppData\LocalLow\AVG Secure Search
Folder Deleted : C:\Users\Laptop\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\Laptop\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Program Files\Mozilla Firefox\browser\searchplugins\avg-secure-search.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\alot
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\alotToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PriceGong
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\alotToolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\PriceGong

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526


-\\ Mozilla Firefox v26.0 (en-GB)

[ File : C:\Users\Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\8bfdnkt5.default\prefs.js ]

Line Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Line Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\Laptop\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [1071 octets] - [31/12/2013 17:23:08]
AdwCleaner[R1].txt - [1132 octets] - [31/12/2013 20:40:05]
AdwCleaner[S0].txt - [7855 octets] - [31/12/2013 20:42:30]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7915 octets] ##########
sandra_b is offline  
31-12-2013, 22:34   #22
sandra_b
Registered User
 
Join Date: Sep 2010
Posts: 141
OTL log:

OTL logfile created on: 31/12/2013 21:40:04 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Laptop\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

984.18 Mb Total Physical Memory | 75.26 Mb Available Physical Memory | 7.65% Memory free
2.18 Gb Paging File | 1.07 Gb Available in Paging File | 49.01% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.31 Gb Total Space | 82.60 Gb Free Space | 59.72% Space Free | Partition Type: NTFS
Drive D: | 25.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive S: | 1.46 Gb Total Space | 1.30 Gb Free Space | 88.83% Space Free | Partition Type: NTFS

Computer Name: LAPTOP-PC | User Name: Laptop | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk - - File not found
MsConfig - StartUpFolder: C:^Users^Laptop^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk - - File not found
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Google EULA Launcher - hkey= - key= - c:\Program Files\Google\Google EULA\GoogleEULALauncher.exe (Google)
MsConfig - StartUpReg: Skytel - hkey= - key= - C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
MsConfig - StartUpReg: UCam_Menu - hkey= - key= - C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
MsConfig - StartUpReg: UpdateP2GShortCut - hkey= - key= - C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet: AppMgmt - Service
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - Service
SafeBootNet: Messenger - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: NTDS - File not found
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet: WudfUsbccidDriver - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.clmp3enc - C:\Program Files\CyberLink\Power2Go\CLMP3Enc.ACM (CyberLink Corp.)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codecp - C:\Windows\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
PhysicalDisk0 MBR saved to C:\PhysicalMBR.bin

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Custom Scans ==========

< %systemroot%\*. /mp /s >

< C:\*.* >
[2006/09/18 21:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2008/01/21 02:24:42 | 000,333,203 | RHS- | M] () -- C:\bootmgr
[2008/02/06 16:51:27 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2006/09/18 21:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2013/12/31 21:31:26 | 1032,740,864 | -HS- | M] () -- C:\hiberfil.sys
[2013/12/31 21:31:23 | 1346,555,904 | -HS- | M] () -- C:\pagefile.sys
[2013/12/31 21:42:16 | 000,000,512 | ---- | M] () -- C:\PhysicalMBR.bin
[2010/12/18 23:40:02 | 000,005,892 | ---- | M] () -- C:\scramble.log
[2010/10/15 18:16:05 | 000,000,000 | RH-D | M] -- C:\MSOCache
[2013/12/31 20:44:33 | 000,000,000 | -H-D | M] -- C:\ProgramData
[2010/09/19 17:33:28 | 000,000,000 | -H-D | M] -- C:\Applications\OEM
[2011/04/11 23:42:05 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/10/24 09:25:15 | 000,000,000 | -H-D | M] -- C:\ProgramData\Common Files
[2010/10/30 15:14:15 | 000,000,000 | -H-D | M] -- C:\ProgramData\CyberLink\EvoParser
[2010/10/30 15:14:18 | 000,000,000 | -H-D | M] -- C:\ProgramData\CyberLink\CLUpdater\YouCam\1.00
[2010/10/30 15:14:15 | 000,000,000 | -H-D | M] -- C:\ProgramData\CyberLink\EvoParser\YouCam\1.00
[2006/11/02 12:37:34 | 000,000,000 | RH-D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tablet PC
[2006/11/02 13:02:03 | 000,000,000 | RH-D | M] -- C:\Users\Default
[2006/11/02 11:18:34 | 000,000,000 | -H-D | M] -- C:\Users\Default\AppData
[2010/09/19 17:33:44 | 000,000,000 | -H-D | M] -- C:\Users\Laptop\AppData
[2010/10/04 12:35:32 | 000,000,000 | -H-D | M] -- C:\Users\Laptop\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
[2010/10/04 12:39:36 | 000,000,000 | -H-D | M] -- C:\Users\Laptop\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
[2010/09/23 17:07:13 | 000,000,000 | -H-D | M] -- C:\Users\Laptop\AppData\Local\Microsoft\Media Player\Art Cache
[2010/09/19 17:34:33 | 000,000,000 | RH-D | M] -- C:\Users\Laptop\AppData\Local\Microsoft\Windows\Burn\Burn
[2010/10/15 11:42:25 | 000,000,000 | RH-D | M] -- C:\Users\Laptop\AppData\Local\Microsoft\Windows\Burn\Burn1
[2011/01/13 01:29:34 | 000,000,000 | RH-D | M] -- C:\Users\Laptop\AppData\Local\Microsoft\Windows\Burn\Burn2
[2010/11/09 00:18:17 | 000,000,000 | -H-D | M] -- C:\Users\Laptop\AppData\Roaming\CyberLink\MediaCache
[2010/09/23 18:53:21 | 000,000,000 | -H-D | M] -- C:\Users\Laptop\AppData\Roaming\CyberLink\MediaCache\Power2Go
[2011/05/27 22:14:25 | 000,000,000 | -H-D | M] -- C:\Users\Laptop\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
[2010/10/04 12:38:51 | 000,000,000 | -H-D | M] -- C:\Users\Laptop\AppData\Roaming\Microsoft\Windows\IETldCache\Low
[2010/10/04 12:39:17 | 000,000,000 | -H-D | M] -- C:\Users\Laptop\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
[2013/12/30 00:13:30 | 000,000,000 | RH-D | M] -- C:\Users\Public\Desktop
[2006/11/02 10:23:35 | 000,000,000 | RH-D | M] -- C:\Users\Public\Favorites
[2008/09/12 17:47:27 | 000,000,000 | -H-D | M] -- C:\Users\Public\CyberLink\OLReg
[2008/09/12 17:47:27 | 000,000,000 | -H-D | M] -- C:\Users\Public\CyberLink\Power2Go
[2008/09/12 17:47:27 | 000,000,000 | -H-D | M] -- C:\Users\Public\CyberLink\OLReg\HKEY_CLASS_ROOT\CLSID\{397A21FB-EADF-4116-9027-32B8FA04C3E2}\Version\5.50
[2010/09/23 18:53:05 | 000,000,000 | -H-D | M] -- C:\Users\Public\CyberLink\OLReg\HKEY_CLASS_ROOT\CLSID\{E303BA32-9368-4a3c-AE3A-AFDADCBDE48B}\Version\1.00
[2012/12/26 20:47:54 | 000,000,000 | -H-D | M] -- C:\Users\Public\Recorded TV\TempRec
[2006/11/02 11:18:34 | 000,000,000 | -H-D | M] -- C:\Windows\ServiceProfiles\LocalService\AppData
[2008/09/12 17:37:58 | 000,000,000 | -H-D | M] -- C:\Windows\ServiceProfiles\NetworkService\AppData

< c:\Users\Laptop\AppData\Roaming\*.* >
[2010/09/29 00:18:18 | 000,000,132 | ---- | M] () -- c:\Users\Laptop\AppData\Roaming\wklnhst.dat

< C:\Program Files\Internet Explorer\iexplore.exe /md5 >
[2013/11/14 23:18:24 | 000,757,488 | ---- | M] (Microsoft Corporation) MD5=43E6F2A7FB182F2D7CB0CE5B8F1005CF -- C:\Program Files\Internet Explorer\iexplore.exe

< MD5 for: SVCHOST.EXE >
[2008/01/21 02:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008/01/21 02:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< End of report >
sandra_b is offline  
31-12-2013, 23:19   #23
jsa112
Registered User
 
Join Date: Aug 2013
Posts: 402
it means the infection is respawning, going to need to bring out the big guns


download and run combofix

http://www.bleepingcomputer.com/comb...o-use-combofix

post the log it gives
jsa112 is offline  
Thanks from:
31-12-2013, 23:36   #24
sandra_b
Registered User
 
Join Date: Sep 2010
Posts: 141
Uhhhh It looks very scary.
Can I keep my browser(s) open while it is running (I want to have that page you posted open)?
It looks from the manual that it can take a while, is it dangerous of I leave it for tomorrow? I still didn't log to my internet banking, but need to to this evening, is it safe?

You are so nice for helping me with this, God bless you
sandra_b is offline  
Advertisement
31-12-2013, 23:49   #25
sandra_b
Registered User
 
Join Date: Sep 2010
Posts: 141
Oh I read the guide again now - it states I should close my browser as well and print the guide.
I don't have access to printer before Friday, do you think I can leave for 2 days?
sandra_b is offline  
31-12-2013, 23:53   #26
jsa112
Registered User
 
Join Date: Aug 2013
Posts: 402
you can leave the browser open if ya need to, shouldn't matter too much, no need to print the guide if its too much hassle.

it should be safe to do internet banking.

don't worry bout all those guidelines, better to run it now than in 2 days to be honest. should only take 20mins to run it, and is safe
jsa112 is offline  
Thanks from:
31-12-2013, 23:58   #27
sandra_b
Registered User
 
Join Date: Sep 2010
Posts: 141
Ok
sandra_b is offline  
Thanks from:
01-01-2014, 00:02   #28
jsa112
Registered User
 
Join Date: Aug 2013
Posts: 402
Celebrate New Years instead of talking to me
jsa112 is offline  
Thanks from:
01-01-2014, 00:08   #29
sandra_b
Registered User
 
Join Date: Sep 2010
Posts: 141
Hahha, I was thinking the same about you. I have very bad flu, not in celebration mood at all. It is not only laptop that is infected

I wish you very Happy New Year, you have earned a lot of good karma helping others
sandra_b is offline  
Thanks from:
01-01-2014, 00:53   #30
sandra_b
Registered User
 
Join Date: Sep 2010
Posts: 141
Hi Jsa112,

if you are stil awake I am sending combofix log in the next post

One thing - when it started it asked me to stop AVG. I couldn't find how to do it at the moment (when I am in panic mode my brain stops working).
Then, when it was at stage 3 I disabled AVG. I hope it is OK and did not ruin anything?
sandra_b is offline  
Post Reply

Quick Reply
Message:
Remove Text Formatting
Bold
Italic
Underline

Insert Image
Wrap [QUOTE] tags around selected text
 
Decrease Size
Increase Size
Please sign up or log in to join the discussion

Thread Tools Search this Thread
Search this Thread:

Advanced Search



Share Tweet