
Successfully blocked access to a potentially malicious website: 31.133.51.245 svchost.exe



I think I'm infected because Malwarebytes keeps popping up in the lower right hand of my screen saying:

Successfully blocked access to a potentially malicious website: 31.133.51.245

Type: outgoing (it alternates between incoming and outgoing)

Port: 57430, Process: svchost.exe

Here is my DDS log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 8.0.7600.16385

Run by Andrew at 17:41:40 on 2013-02-23

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.8183.5195 [GMT -5:00]

.

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe

C:\Program Files (x86)\ASUS\USB-N53 Utility\RaRegistry.exe

C:\Program Files (x86)\ASUS\USB-N53 Utility\RaRegistry64.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\taskhost.exe

C:\Windows\system32\WLANExt.exe

C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe

C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\NETGEAR Genie\bin\genie2_tray.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\splwow64.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\ASUS\USB-N53 Utility\WlanMgr.exe

C:\Program Files (x86)\Steam\steam.exe

C:\Program Files (x86)\Common Files\Steam\SteamService.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\ProgramData\Battle.net\Agent\Agent.1637\Agent.exe

C:\Windows\system32\taskhost.exe

F:\Program Files (x86)\StarCraft II 2012 Beta\Versions\Base24764\SC2.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

mWinlogon: Userinit = userinit.exe

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

uRun: [NETGEARGenie] "C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe" -mini -redirect

uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent

uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_Plugin.exe -update plugin

mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{0FDEDE86-6B7A-4FE4-9696-21E6B90DF2E8} : DHCPNameServer = 192.168.1.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

SSODL: WebCheck - <orphaned>

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\0rb2u3z8.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll

.

============= SERVICES / DRIVERS ===============

.

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-9-18 202752]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-2-20 398184]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-2-20 682344]

R2 NETGEARGenieDaemon;NETGEARGenieDaemon;C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [2012-9-25 231752]

R2 RalinkRegistryWriter;RalinkRegistryWriter;C:\Program Files (x86)\ASUS\USB-N53 Utility\RaRegistry.exe [2012-2-20 375872]

R2 RalinkRegistryWriter64;RalinkRegistryWriter64;C:\Program Files (x86)\ASUS\USB-N53 Utility\RaRegistry64.exe [2012-2-20 454208]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-2-20 24176]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]

.

=============== Created Last 30 ================

.

2013-02-23 22:13:24 -------- d-----w- C:\Users\Andrew\AppData\Roaming\ParetoLogic

2013-02-23 22:13:24 -------- d-----w- C:\Users\Andrew\AppData\Roaming\DriverCure

2013-02-23 22:13:13 -------- d-----w- C:\ProgramData\ParetoLogic

2013-02-23 14:22:52 -------- d-----w- C:\Users\Andrew\AppData\Local\Google

2013-02-20 11:18:29 -------- d-----w- C:\Users\Andrew\AppData\Roaming\Malwarebytes

2013-02-20 11:18:21 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-02-20 11:18:21 -------- d-----w- C:\ProgramData\Malwarebytes

2013-02-20 11:18:21 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-02-20 11:18:02 -------- d-----w- C:\Users\Andrew\AppData\Local\Programs

2013-02-16 15:06:50 32768 ----a-w- C:\Windows\SysWow64\CMDLGFR.DLL

2013-02-16 15:06:50 152848 ----a-w- C:\Windows\SysWow64\COMDLG32.OCX

2013-02-16 15:06:50 141312 ----a-w- C:\Windows\SysWow64\MSCMCFR.DLL

2013-02-16 15:06:50 119568 ----a-w- C:\Windows\SysWow64\VB6FR.DLL

2013-02-16 15:06:50 1081616 ----a-w- C:\Windows\SysWow64\mscomctl.ocx

2013-02-16 15:06:50 101888 ----a-w- C:\Windows\SysWow64\VB6STKIT.DLL

2013-02-16 15:06:50 -------- d-----w- C:\Users\Andrew\AppData\Roaming\TFP

2013-02-16 15:05:38 -------- d-----w- C:\Users\Andrew\AppData\Local\Torch

2013-02-05 17:51:53 -------- d-----w- C:\Users\Andrew\AppData\Roaming\Dev-Cpp

2013-02-05 17:51:37 -------- d-----r- C:\Program Files (x86)\Skype

2013-02-05 14:15:35 -------- d-----w- C:\Users\Andrew\AppData\Roaming\PDF Reader

2013-02-05 14:15:31 -------- d-----w- C:\Program Files (x86)\PDF Reader

2013-02-03 19:55:22 -------- d-----w- C:\Users\Andrew\AppData\Local\NBGI

2013-02-03 19:55:07 -------- d-----w- C:\Windows\SysWow64\xlive

2013-02-03 19:55:07 -------- d-----w- C:\Program Files (x86)\Microsoft Games for Windows - LIVE

2013-02-03 19:47:29 -------- d-----w- C:\Program Files (x86)\X360ce

2013-02-02 22:04:40 -------- d-----w- C:\The_Legend_Of_Zelda_The_Wind_Waker_USA_NGC-STARCUBE

2013-02-02 14:02:18 -------- d---a-w- C:\Program Files (x86)\Dolphin-3.5-win32

2013-01-30 03:46:54 -------- d-----w- C:\Program Files\Microsoft Xbox 360 Accessories

2013-01-29 14:51:45 40960 ----a-r- C:\Users\Andrew\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe

2013-01-29 14:51:45 40960 ----a-r- C:\Users\Andrew\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe

2013-01-29 14:51:45 -------- d-----w- C:\Program Files (x86)\Project64 1.6

.

==================== Find3M ====================

.

2013-01-05 03:13:42 0 ----a-w- C:\Windows\ativpsrm.bin

2013-01-04 23:01:30 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-01-04 23:01:30 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-01-04 20:06:20 96784 ----a-w- C:\Windows\SysWow64\packet.dll

2013-01-04 20:06:20 369168 ----a-w- C:\Windows\System32\wpcap.dll

2013-01-04 20:06:20 35344 ----a-w- C:\Windows\System32\drivers\npf.sys

2013-01-04 20:06:20 281104 ----a-w- C:\Windows\SysWow64\wpcap.dll

2013-01-04 20:06:20 106000 ----a-w- C:\Windows\System32\packet.dll

2013-01-04 19:19:23 792416 ----a-w- C:\Windows\System32\RaIOx64.exe

.

============= FINISH: 17:41:47.30 ===============

Here is my attach log:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 1/4/2013 7:27:07 AM

System Uptime: 2/23/2013 8:12:52 AM (9 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | SABERTOOTH X58

Processor: Intel® Core i7 CPU 930 @ 2.80GHz | LGA1366 | 2801/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 119 GiB total, 36.768 GiB free.

D: is CDROM (CDFS)

E: is FIXED (NTFS) - 0 GiB total, 0.06 GiB free.

F: is FIXED (NTFS) - 233 GiB total, 92.091 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description:

Device ID: ACPI\ATK0110\1010110

Manufacturer:

Name:

PNP Device ID: ACPI\ATK0110\1010110

Service:

.

Class GUID:

Description: Universal Serial Bus (USB) Controller

Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_84131043&REV_03\4&CF85AA7&0&0010

Manufacturer:

Name: Universal Serial Bus (USB) Controller

PNP Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_84131043&REV_03\4&CF85AA7&0&0010

Service:

.

==== System Restore Points ===================

.

RP13: 2/2/2013 8:01:20 PM - Installed DirectX

RP14: 2/3/2013 2:54:14 PM - Installed DirectX

RP15: 2/3/2013 2:55:08 PM - Installed DirectX

RP16: 2/3/2013 3:03:29 PM - Installed Microsoft Games for Windows - LIVE Redistributable

RP17: 2/11/2013 7:43:14 PM - Scheduled Checkpoint

RP18: 2/20/2013 7:56:06 AM - Scheduled Checkpoint

.

==== Installed Programs ======================

.

Adobe Flash Player 11 Plugin

ASUS USB-N53 Utility

ATI AVIVO64 Codecs

ATI Catalyst Install Manager

ATI Problem Report Wizard

Call of Duty: Black Ops II

Call of Duty: Black Ops II - Multiplayer

Call of Duty: Black Ops II - Zombies

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

Catalyst Control Center Graphics Previews Vista

Catalyst Control Center HydraVision Full

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-core-static

ccc-utility64

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

Cisco EAP-FAST Module

Cisco LEAP Module

Cisco PEAP Module

HydraVision

LIMBO

Malwarebytes Anti-Malware version 1.70.0.1100

Microsoft Games for Windows - LIVE Redistributable

Microsoft Games for Windows Marketplace

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Xbox 360 Accessories 1.2

Mozilla Firefox 18.0.2 (x86 en-US)

Mozilla Maintenance Service

NETGEAR Genie

PDF Reader 2013

Project64 1.6

Skype™ 6.1

Sonic Adventure™ 2

Steam

Torch

Windows Live ID Sign-in Assistant

WinRAR 4.20 (64-bit)

.

==== Event Viewer Messages From Past Week ========

.

2/17/2013 3:43:06 PM, Error: NetBT [4321] - The name "ANDREW-PC :0" could not be registered on the interface with IP address 192.168.1.5. The computer with the IP address 192.168.1.6 did not allow the name to be claimed by this computer.

2/17/2013 3:43:05 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{0FDEDE86-6B7A-4FE4-9696-21E6B90DF2E8} because another computer on the network has the same name. The server could not start.

2/17/2013 3:43:05 PM, Error: NetBT [4321] - The name "ANDREW-PC :20" could not be registered on the interface with IP address 192.168.1.5. The computer with the IP address 192.168.1.6 did not allow the name to be claimed by this computer.

.

==== End Of File ===========================

Help is appreciated.


Please download RogueKiller from here http://tigzy.geekstogo.com/Tools/RogueKiller.exe or here http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe and save it directly to your Desktop.

  • Quit all running programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • The following EULA will appear, please select accept
    RKLicence.png
  • Ensure MBR scan, Check faked and AntiRootkit are checked
  • Select Scan
    RK1A.png
  • When the scan completes select Report, copy and paste that to your reply.
    RK2A.png
  • The log should be found in RKreport[?].txt on your Desktop
  • Exit/Close RogueKiller

Kevin


Here is my report from RogueKiller:

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User : Andrew [Admin rights]

Mode : Scan -- Date : 02/23/2013 18:53:44

| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤

[SUSP PATH] Agent.exe -- C:\ProgramData\Battle.net\Agent\Agent.1637\Agent.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 3 ¤¤¤

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤

-> F:\windows\system32\config\SOFTWARE

-> F:\windows\system32\config\SYSTEM

-> F:\Users\Andy Jack Ab\NTUSER.DAT

-> F:\Users\Default\NTUSER.DAT

-> F:\Users\Default User\NTUSER.DAT

-> F:\Users\LogMeInRemoteUser\NTUSER.DAT

-> F:\Documents and Settings\Default\NTUSER.DAT

-> F:\Documents and Settings\Default User\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG SSD 830 Series ATA Device +++++

--- User ---

[MBR] ed20b546762efd360dd33afb08cb8d2a

[BSP] 9db0039252e893424bb44eba59eaeea4 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 122002 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST3250318AS ATA Device +++++

--- User ---

[MBR] e473641d337bd9d0b8b61dcb8b1b7112

[BSP] eea65c7f092f77347216ddbd8e81d8de : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 238373 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_02232013_02d1853.txt >>



OK, continue:

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs, as they will have a negative effect on Combofix; instructions are available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help, please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP, it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed, Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze. ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system, it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...

Kevin


Here is the log from Combofix:

ComboFix 13-02-23.01 - Andrew 02/23/2013 19:25:27.1.8 - x64

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.8183.6339 [GMT -5:00]

Running from: c:\users\Andrew\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\SysWow64\Packet.dll

c:\windows\SysWow64\wpcap.dll

F:\install.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_NPF

-------\Service_NPF

.

.

((((((((((((((((((((((((( Files Created from 2013-01-24 to 2013-02-24 )))))))))))))))))))))))))))))))

.

.

2013-02-23 22:13 . 2013-02-23 22:13 -------- d-----w- c:\users\Andrew\AppData\Roaming\ParetoLogic

2013-02-23 22:13 . 2013-02-23 22:13 -------- d-----w- c:\users\Andrew\AppData\Roaming\DriverCure

2013-02-23 22:13 . 2013-02-23 22:22 -------- d-----w- c:\programdata\ParetoLogic

2013-02-23 14:22 . 2013-02-23 14:22 -------- d-----w- c:\users\Andrew\AppData\Local\Google

2013-02-20 11:18 . 2013-02-20 11:18 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes

2013-02-20 11:18 . 2013-02-20 11:18 -------- d-----w- c:\programdata\Malwarebytes

2013-02-20 11:18 . 2013-02-20 11:18 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2013-02-20 11:18 . 2012-12-14 21:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-02-20 11:18 . 2013-02-20 11:18 -------- d-----w- c:\users\Andrew\AppData\Local\Programs

2013-02-16 15:06 . 2013-02-16 15:06 -------- d-----w- c:\users\Andrew\AppData\Roaming\TFP

2013-02-16 15:06 . 2012-05-11 20:47 32768 ----a-w- c:\windows\SysWow64\CMDLGFR.DLL

2013-02-16 15:06 . 2012-05-11 20:47 152848 ----a-w- c:\windows\SysWow64\COMDLG32.OCX

2013-02-16 15:06 . 2012-05-11 20:47 141312 ----a-w- c:\windows\SysWow64\MSCMCFR.DLL

2013-02-16 15:06 . 2012-05-11 20:47 119568 ----a-w- c:\windows\SysWow64\VB6FR.DLL

2013-02-16 15:06 . 2012-05-11 20:47 1081616 ----a-w- c:\windows\SysWow64\mscomctl.ocx

2013-02-16 15:06 . 2012-05-11 20:47 101888 ----a-w- c:\windows\SysWow64\VB6STKIT.DLL

2013-02-16 15:05 . 2013-02-16 15:06 -------- d-----w- c:\users\Andrew\AppData\Local\Torch

2013-02-05 17:51 . 2013-02-05 17:53 -------- d-----w- c:\users\Andrew\AppData\Roaming\Dev-Cpp

2013-02-05 17:51 . 2013-02-05 17:51 -------- d-----w- c:\program files (x86)\Common Files\Skype

2013-02-05 17:51 . 2013-02-05 17:51 -------- d-----r- c:\program files (x86)\Skype

2013-02-05 14:15 . 2013-02-05 14:16 -------- d-----w- c:\users\Andrew\AppData\Roaming\PDF Reader

2013-02-05 14:15 . 2013-02-05 14:15 -------- d-----w- c:\program files (x86)\PDF Reader

2013-02-03 19:55 . 2013-02-03 19:55 -------- d-----w- c:\users\Andrew\AppData\Local\NBGI

2013-02-03 19:55 . 2013-02-03 19:55 -------- d-----w- c:\windows\SysWow64\xlive

2013-02-03 19:55 . 2013-02-03 19:55 -------- d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE

2013-02-03 19:47 . 2013-02-03 19:47 -------- d-----w- c:\program files (x86)\X360ce

2013-02-02 22:04 . 2013-02-02 22:08 -------- d-----w- C:\The_Legend_Of_Zelda_The_Wind_Waker_USA_NGC-STARCUBE

2013-02-02 18:46 . 2013-02-02 18:46 -------- d-----w- c:\program files\WinRAR

2013-02-02 18:34 . 2013-02-02 18:34 -------- d-----w- c:\program files (x86)\7-Zip

2013-02-02 14:02 . 2012-12-26 13:03 -------- d---a-w- c:\program files (x86)\Dolphin-3.5-win32

2013-01-30 03:46 . 2013-01-30 03:46 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories

2013-01-29 14:51 . 2013-02-03 14:35 -------- d-----w- c:\program files (x86)\Project64 1.6

2013-01-29 14:51 . 2013-01-29 14:51 40960 ----a-r- c:\users\Andrew\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe

2013-01-29 14:51 . 2013-01-29 14:51 40960 ----a-r- c:\users\Andrew\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-03 19:57 . 2009-08-18 17:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll

2013-02-03 19:57 . 2009-08-18 16:24 19696 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2013-01-04 23:01 . 2013-01-04 22:59 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-01-04 23:01 . 2013-01-04 22:59 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-04 20:06 . 2013-01-04 20:06 369168 ----a-w- c:\windows\system32\wpcap.dll

2013-01-04 20:06 . 2013-01-04 20:06 35344 ----a-w- c:\windows\system32\drivers\npf.sys

2013-01-04 20:06 . 2013-01-04 20:06 106000 ----a-w- c:\windows\system32\packet.dll

2013-01-04 19:40 . 2013-01-04 19:40 647168 ----a-w- c:\program files (x86)\sdl.dll

2013-01-04 19:40 . 2013-01-04 19:40 8387200 ----a-w- c:\program files (x86)\steamclient64.dll

2013-01-04 19:40 . 2013-01-04 19:40 714304 ----a-w- c:\program files (x86)\GameOverlayRenderer64.dll

2013-01-04 19:40 . 2013-01-04 19:40 7020608 ----a-w- c:\program files (x86)\steamclient.dll

2013-01-04 19:40 . 2013-01-04 19:40 608320 ----a-w- c:\program files (x86)\GameOverlayRenderer.dll

2013-01-04 19:40 . 2013-01-04 19:40 570432 ----a-w- c:\program files (x86)\AppOverlay64.dll

2013-01-04 19:40 . 2013-01-04 19:40 545856 ----a-w- c:\program files (x86)\AppOverlay.dll

2013-01-04 19:40 . 2013-01-04 19:40 283200 ----a-w- c:\program files (x86)\tier0_s64.dll

2013-01-04 19:40 . 2013-01-04 19:40 282176 ----a-w- c:\program files (x86)\crashhandler.dll

2013-01-04 19:40 . 2013-01-04 19:40 252480 ----a-w- c:\program files (x86)\vstdlib_s64.dll

2013-01-04 19:40 . 2013-01-04 19:40 242240 ----a-w- c:\program files (x86)\tier0_s.dll

2013-01-04 19:40 . 2013-01-04 19:40 214080 ----a-w- c:\program files (x86)\vstdlib_s.dll

2013-01-04 19:40 . 2013-01-04 19:40 124416 ----a-w- c:\program files (x86)\avutil-51.dll

2013-01-04 19:40 . 2013-01-04 19:40 122864 ----a-w- c:\program files (x86)\CSERHelper.dll

2013-01-04 19:40 . 2013-01-04 19:40 8192576 ----a-w- c:\program files (x86)\SteamUI.dll

2013-01-04 19:40 . 2013-01-04 19:40 284456 ----a-w- c:\program files (x86)\WriteMiniDump.exe

2013-01-04 19:40 . 2013-01-04 19:40 1039192 ----a-w- c:\program files (x86)\dbghelp.dll

2013-01-04 19:19 . 2013-01-04 19:19 792416 ----a-w- c:\windows\system32\RaIOx64.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NETGEARGenie"="c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe" [2012-10-16 1041736]

"Steam"="c:\program files (x86)\Steam\Steam.exe" [2013-02-15 1597864]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-01-08 18705664]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-19 98304]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-09-19 202752]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]

S2 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [2012-09-25 231752]

S2 RalinkRegistryWriter64;RalinkRegistryWriter64;c:\program files (x86)\ASUS\USB-N53 Utility\RaRegistry64.exe [2011-03-31 454208]

S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]

S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\NPF.sys [2013-01-04 35344]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - NPF

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-24 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-04 23:01]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 825184]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\0rb2u3z8.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\ASUS\USB-N53 Utility\RaRegistry.exe

c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

c:\program files (x86)\NETGEAR Genie\bin\genie2_tray.exe

c:\program files (x86)\Common Files\Steam\SteamService.exe

c:\program files (x86)\ASUS\USB-N53 Utility\WlanMgr.exe

.

**************************************************************************

.

Completion time: 2013-02-23 19:30:06 - machine was rebooted

ComboFix-quarantined-files.txt 2013-02-24 00:30

.

Pre-Run: 39,442,669,568 bytes free

Post-Run: 38,978,654,208 bytes free

.

- - End Of File - - 0F16D302AACF1C0EC8521F4767236590


Continue:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:


ClearJavaCache::

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

CF3.jpg

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next,

Run Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7 users, right click on the IE shortcut and run as admin

Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

If no threats were found

  • Put a checkmark in "Uninstall application on close"
  • Close the program
  • Report to me that nothing was found

If threats were found

  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • Put a checkmark in "Uninstall application on close"
  • Click on finish
  • Close the program
  • Copy and paste the report here

Next,

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post those three logs...


Okay, finished those 3 steps.

Combofix logs:

ComboFix 13-02-23.01 - Andrew 02/23/2013 20:04:27.2.8 - x64

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.8183.6321 [GMT -5:00]

Running from: c:\users\Andrew\Desktop\ComboFix.exe

Command switches used :: c:\users\Andrew\Desktop\CFScript.txt

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_NPF

.

.

((((((((((((((((((((((((( Files Created from 2013-01-24 to 2013-02-24 )))))))))))))))))))))))))))))))

.

.

2013-02-24 01:06 . 2013-02-24 01:06 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-02-23 22:13 . 2013-02-23 22:13 -------- d-----w- c:\users\Andrew\AppData\Roaming\ParetoLogic

2013-02-23 22:13 . 2013-02-23 22:13 -------- d-----w- c:\users\Andrew\AppData\Roaming\DriverCure

2013-02-23 22:13 . 2013-02-23 22:22 -------- d-----w- c:\programdata\ParetoLogic

2013-02-23 14:22 . 2013-02-23 14:22 -------- d-----w- c:\users\Andrew\AppData\Local\Google

2013-02-20 11:18 . 2013-02-20 11:18 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes

2013-02-20 11:18 . 2013-02-20 11:18 -------- d-----w- c:\programdata\Malwarebytes

2013-02-20 11:18 . 2013-02-20 11:18 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2013-02-20 11:18 . 2012-12-14 21:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-02-20 11:18 . 2013-02-20 11:18 -------- d-----w- c:\users\Andrew\AppData\Local\Programs

2013-02-16 15:06 . 2013-02-16 15:06 -------- d-----w- c:\users\Andrew\AppData\Roaming\TFP

2013-02-16 15:06 . 2012-05-11 20:47 32768 ----a-w- c:\windows\SysWow64\CMDLGFR.DLL

2013-02-16 15:06 . 2012-05-11 20:47 152848 ----a-w- c:\windows\SysWow64\COMDLG32.OCX

2013-02-16 15:06 . 2012-05-11 20:47 141312 ----a-w- c:\windows\SysWow64\MSCMCFR.DLL

2013-02-16 15:06 . 2012-05-11 20:47 119568 ----a-w- c:\windows\SysWow64\VB6FR.DLL

2013-02-16 15:06 . 2012-05-11 20:47 1081616 ----a-w- c:\windows\SysWow64\mscomctl.ocx

2013-02-16 15:06 . 2012-05-11 20:47 101888 ----a-w- c:\windows\SysWow64\VB6STKIT.DLL

2013-02-16 15:05 . 2013-02-16 15:06 -------- d-----w- c:\users\Andrew\AppData\Local\Torch

2013-02-05 17:51 . 2013-02-05 17:53 -------- d-----w- c:\users\Andrew\AppData\Roaming\Dev-Cpp

2013-02-05 17:51 . 2013-02-05 17:51 -------- d-----w- c:\program files (x86)\Common Files\Skype

2013-02-05 17:51 . 2013-02-05 17:51 -------- d-----r- c:\program files (x86)\Skype

2013-02-05 14:15 . 2013-02-05 14:16 -------- d-----w- c:\users\Andrew\AppData\Roaming\PDF Reader

2013-02-05 14:15 . 2013-02-05 14:15 -------- d-----w- c:\program files (x86)\PDF Reader

2013-02-03 19:55 . 2013-02-03 19:55 -------- d-----w- c:\users\Andrew\AppData\Local\NBGI

2013-02-03 19:55 . 2013-02-03 19:55 -------- d-----w- c:\windows\SysWow64\xlive

2013-02-03 19:55 . 2013-02-03 19:55 -------- d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE

2013-02-03 19:47 . 2013-02-03 19:47 -------- d-----w- c:\program files (x86)\X360ce

2013-02-02 22:04 . 2013-02-02 22:08 -------- d-----w- C:\The_Legend_Of_Zelda_The_Wind_Waker_USA_NGC-STARCUBE

2013-02-02 18:46 . 2013-02-02 18:46 -------- d-----w- c:\program files\WinRAR

2013-02-02 18:34 . 2013-02-02 18:34 -------- d-----w- c:\program files (x86)\7-Zip

2013-02-02 14:02 . 2012-12-26 13:03 -------- d---a-w- c:\program files (x86)\Dolphin-3.5-win32

2013-01-30 03:46 . 2013-01-30 03:46 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories

2013-01-29 14:51 . 2013-02-03 14:35 -------- d-----w- c:\program files (x86)\Project64 1.6

2013-01-29 14:51 . 2013-01-29 14:51 40960 ----a-r- c:\users\Andrew\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe

2013-01-29 14:51 . 2013-01-29 14:51 40960 ----a-r- c:\users\Andrew\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-03 19:57 . 2009-08-18 17:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll

2013-02-03 19:57 . 2009-08-18 16:24 19696 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2013-01-04 23:01 . 2013-01-04 22:59 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-01-04 23:01 . 2013-01-04 22:59 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-04 20:06 . 2013-01-04 20:06 369168 ----a-w- c:\windows\system32\wpcap.dll

2013-01-04 20:06 . 2013-01-04 20:06 35344 ----a-w- c:\windows\system32\drivers\npf.sys

2013-01-04 20:06 . 2013-01-04 20:06 106000 ----a-w- c:\windows\system32\packet.dll

2013-01-04 19:40 . 2013-01-04 19:40 647168 ----a-w- c:\program files (x86)\sdl.dll

2013-01-04 19:40 . 2013-01-04 19:40 8387200 ----a-w- c:\program files (x86)\steamclient64.dll

2013-01-04 19:40 . 2013-01-04 19:40 714304 ----a-w- c:\program files (x86)\GameOverlayRenderer64.dll

2013-01-04 19:40 . 2013-01-04 19:40 7020608 ----a-w- c:\program files (x86)\steamclient.dll

2013-01-04 19:40 . 2013-01-04 19:40 608320 ----a-w- c:\program files (x86)\GameOverlayRenderer.dll

2013-01-04 19:40 . 2013-01-04 19:40 570432 ----a-w- c:\program files (x86)\AppOverlay64.dll

2013-01-04 19:40 . 2013-01-04 19:40 545856 ----a-w- c:\program files (x86)\AppOverlay.dll

2013-01-04 19:40 . 2013-01-04 19:40 283200 ----a-w- c:\program files (x86)\tier0_s64.dll

2013-01-04 19:40 . 2013-01-04 19:40 282176 ----a-w- c:\program files (x86)\crashhandler.dll

2013-01-04 19:40 . 2013-01-04 19:40 252480 ----a-w- c:\program files (x86)\vstdlib_s64.dll

2013-01-04 19:40 . 2013-01-04 19:40 242240 ----a-w- c:\program files (x86)\tier0_s.dll

2013-01-04 19:40 . 2013-01-04 19:40 214080 ----a-w- c:\program files (x86)\vstdlib_s.dll

2013-01-04 19:40 . 2013-01-04 19:40 124416 ----a-w- c:\program files (x86)\avutil-51.dll

2013-01-04 19:40 . 2013-01-04 19:40 122864 ----a-w- c:\program files (x86)\CSERHelper.dll

2013-01-04 19:40 . 2013-01-04 19:40 8192576 ----a-w- c:\program files (x86)\SteamUI.dll

2013-01-04 19:40 . 2013-01-04 19:40 284456 ----a-w- c:\program files (x86)\WriteMiniDump.exe

2013-01-04 19:40 . 2013-01-04 19:40 1039192 ----a-w- c:\program files (x86)\dbghelp.dll

2013-01-04 19:19 . 2013-01-04 19:19 792416 ----a-w- c:\windows\system32\RaIOx64.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NETGEARGenie"="c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe" [2012-10-16 1041736]

"Steam"="c:\program files (x86)\Steam\Steam.exe" [2013-02-15 1597864]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-01-08 18705664]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-19 98304]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-09-19 202752]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]

S2 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [2012-09-25 231752]

S2 RalinkRegistryWriter64;RalinkRegistryWriter64;c:\program files (x86)\ASUS\USB-N53 Utility\RaRegistry64.exe [2011-03-31 454208]

S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]

S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\NPF.sys [2013-01-04 35344]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - NPF

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-24 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-04 23:01]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 825184]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\0rb2u3z8.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\ASUS\USB-N53 Utility\RaRegistry.exe

c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

c:\program files (x86)\NETGEAR Genie\bin\genie2_tray.exe

c:\program files (x86)\Common Files\Steam\SteamService.exe

c:\program files (x86)\ASUS\USB-N53 Utility\WlanMgr.exe

.

**************************************************************************

.

Completion time: 2013-02-23 20:08:59 - machine was rebooted

ComboFix-quarantined-files.txt 2013-02-24 01:08

ComboFix2.txt 2013-02-24 00:30

.

Pre-Run: 38,986,563,584 bytes free

Post-Run: 38,752,329,728 bytes free

.

- - End Of File - - 7FFE55A2FD86291547176B7AF9B85DEE

ESET SCAN (20 Threats were detected):

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite.A application

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\IEBHO.dll a variant of Win32/Toolbar.SearchSuite application

F:\Users\Andy Jack Ab\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HIX76H1W\ezLooker-S-Setup_Suite1[1].exe Win32/Adware.Yontoo application

F:\Users\Andy Jack Ab\AppData\LocalLow\AskToolbar\setup.exe a variant of Win32/Bundled.Toolbar.Ask application

F:\Users\Andy Jack Ab\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe multiple threats

F:\Users\Andy Jack Ab\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.dll Win32/Adware.Gamevance.AO application

F:\Users\Andy Jack Ab\AppData\Roaming\Mozilla\Firefox\Profiles\p6g4tjhb.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe a variant of Win32/Bundled.Toolbar.Ask application

F:\Users\Andy Jack Ab\Desktop\Gamecube\Games\Windwaker\7Zip.exe a variant of Win32/InstallIQ application

F:\Users\Andy Jack Ab\Desktop\Gamecube\Games\Windwaker\SoftonicDownloader_for_utorrent(2).exe a variant of Win32/SoftonicDownloader.A application

F:\Users\Andy Jack Ab\Desktop\Gamecube\Games\Windwaker\SoftonicDownloader_for_utorrent.exe a variant of Win32/SoftonicDownloader.A application

F:\Users\Andy Jack Ab\Downloads\2005_-_City_of_Evil.rar.exe a variant of Win32/Adware.MediaFinder.D application

F:\Users\Andy Jack Ab\Downloads\ADLSoft_UnCompressor_v2.exe a variant of Win32/InstallCore.T application

F:\Users\Andy Jack Ab\Downloads\iLividSetupV1(1).exe Win32/Toolbar.SearchSuite application

F:\Users\Andy Jack Ab\Downloads\SaveAs.exe Win32/InstalleRex.E.Gen application

F:\Users\Andy Jack Ab\Downloads\setup(1).exe Win32/Adware.Bundlore application

F:\Users\Andy Jack Ab\Downloads\Setup(2).exe a variant of Win32/Adware.iBryte.C application

F:\Users\Andy Jack Ab\Downloads\Setup(3).exe a variant of Win32/Adware.iBryte.C application

F:\Users\Andy Jack Ab\Downloads\Someone_Like_You-Adele-www.abadboom.com.mp3.exe a variant of Win32/Adware.MediaFinder.D application

Security Check:

Results of screen317's Security Check version 0.99.59

Windows 7 x64 (UAC is enabled)

Out of date service pack!!

Internet Explorer 8 Out of date!

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

Adobe Flash Player 11.5.502.135 Flash Player out of Date!

Mozilla Firefox 18.0.2 Firefox out of Date!

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````


Download OTM from either of the following links and save to your Desktop:

http://oldtimer.geekstogo.com/OTM.exe

http://www.itxassociates.com/OT-Tools/OTM.com

http://www.itxassociates.com/OT-Tools/OTM.exe

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware that all processes will be stopped during the run and the Desktop will disappear; this will be put back on completion....

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    ipconfig /flushdns /c
    F:\Program Files (x86)\Searchqu Toolbar
    F:\Users\Andy Jack Ab\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HIX76H1W\ezLooker-S-Setup_Suite1[1].exe
    F:\Users\Andy Jack Ab\AppData\LocalLow\AskToolbar\setup.exe
    F:\Users\Andy Jack Ab\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe
    F:\Users\Andy Jack Ab\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.dll
    F:\Users\Andy Jack Ab\AppData\Roaming\Mozilla\Firefox\Profiles\p6g4tjhb.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
    F:\Users\Andy Jack Ab\Desktop\Gamecube\Games\Windwaker\7Zip.exe
    F:\Users\Andy Jack Ab\Desktop\Gamecube\Games\Windwaker\SoftonicDownloader_for_utorrent(2).exe
    F:\Users\Andy Jack Ab\Desktop\Gamecube\Games\Windwaker\SoftonicDownloader_for_utorrent.exe
    F:\Users\Andy Jack Ab\Downloads\2005_-_City_of_Evil.rar.exe
    F:\Users\Andy Jack Ab\Downloads\ADLSoft_UnCompressor_v2.exe
    F:\Users\Andy Jack Ab\Downloads\iLividSetupV1(1).exe
    F:\Users\Andy Jack Ab\Downloads\SaveAs.exe
    F:\Users\Andy Jack Ab\Downloads\setup(1).exe
    F:\Users\Andy Jack Ab\Downloads\Setup(2).exe
    F:\Users\Andy Jack Ab\Downloads\Setup(3).exe
    F:\Users\Andy Jack Ab\Downloads\Someone_Like_You-Adele-www.abadboom.com.mp3.exe
    :Commands
    [EmptyTemp]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

There appears to be no antivirus program installed; if that is true, install the following:

To keep safe when online you need a good Antivirus/Antispyware/Antimalware/Anti-Rootkit combination application. Microsoft Security Essentials covers all of those bases, and better still, it is free. Go here http://www.microsoft.com/security_essentials/ select your Operating System, download, install and follow the prompts. Once installed it will want to update and carry out a quick scan; allow that to happen. Let me know if it finds anything from the scan...

Next,

Go here www.adobe.com/shockwave/welcome/ and have Adobe Flash Player checked. Accept the new version if required.

There may be an offer of Google Chrome; untick that option if offered...

Next,

The system has not been updated to Service Pack 1 (SP1); that is crucial. Go here http://windows.microsoft.com/en-GB/windows7/install-windows-7-service-pack-1 and follow the instructions.

Let me know if those steps complete OK, also if there are any remaining issues or concerns...

Kevin


I just completed all the steps. Sorry for taking a while.

OTM log:

All processes killed

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Andrew\Desktop\cmd.bat deleted successfully.

C:\Users\Andrew\Desktop\cmd.txt deleted successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\x64 folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\components folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\searchbar folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\options folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\weatherbutton\panels\images folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\weatherbutton\panels folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\weatherbutton\icons folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\weatherbutton folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\uwa folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\radio\images folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\radio\css folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\radio folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels\images folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels\default\scripts folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels\default\images folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels\default\css folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels\default folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels\css folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\skin folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\content\widgets folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\content\modules folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\content\lib folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\content\data\search folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\content\data folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome\content folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\chrome folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\FirefoxExtension\content folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\FirefoxExtension\components folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr\FirefoxExtension folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar\Datamngr folder moved successfully.

F:\Program Files (x86)\Searchqu Toolbar folder moved successfully.

F:\Users\Andy Jack Ab\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HIX76H1W\ezLooker-S-Setup_Suite1[1].exe moved successfully.

F:\Users\Andy Jack Ab\AppData\LocalLow\AskToolbar\setup.exe moved successfully.

F:\Users\Andy Jack Ab\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe moved successfully.

DllUnregisterServer procedure not found in F:\Users\Andy Jack Ab\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.dll

F:\Users\Andy Jack Ab\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.dll moved successfully.

F:\Users\Andy Jack Ab\AppData\Roaming\Mozilla\Firefox\Profiles\p6g4tjhb.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe moved successfully.

F:\Users\Andy Jack Ab\Desktop\Gamecube\Games\Windwaker\7Zip.exe moved successfully.

F:\Users\Andy Jack Ab\Desktop\Gamecube\Games\Windwaker\SoftonicDownloader_for_utorrent(2).exe moved successfully.

F:\Users\Andy Jack Ab\Desktop\Gamecube\Games\Windwaker\SoftonicDownloader_for_utorrent.exe moved successfully.

F:\Users\Andy Jack Ab\Downloads\2005_-_City_of_Evil.rar.exe moved successfully.

F:\Users\Andy Jack Ab\Downloads\ADLSoft_UnCompressor_v2.exe moved successfully.

F:\Users\Andy Jack Ab\Downloads\iLividSetupV1(1).exe moved successfully.

F:\Users\Andy Jack Ab\Downloads\SaveAs.exe moved successfully.

F:\Users\Andy Jack Ab\Downloads\setup(1).exe moved successfully.

F:\Users\Andy Jack Ab\Downloads\Setup(2).exe moved successfully.

F:\Users\Andy Jack Ab\Downloads\Setup(3).exe moved successfully.

F:\Users\Andy Jack Ab\Downloads\Someone_Like_You-Adele-www.abadboom.com.mp3.exe moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Andrew

->Temp folder emptied: 1020460 bytes

->Temporary Internet Files folder emptied: 40497948 bytes

->FireFox cache emptied: 361353626 bytes

->Flash cache emptied: 4654 bytes

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 882 bytes

%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 46450468 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 429.00 mb

OTM by OldTimer - Version 3.1.21.0 log created on 02242013_075738

Files moved on Reboot...

C:\Users\Andrew\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

Also, I installed Microsoft Security Essentials, and did the scan, and it did not find anything (No threats were detected on your PC during this scan).

I updated Flash player, and upgraded to Service Pack 1 like you said.

So I should be virus-free now, correct?

I really appreciate all the help.


My system appears to be fine now. I stopped getting the message (successfully blocked svchost.exe) at some point after we started, not sure after which step, and I don't appear to have any other issues currently.

I don't have any concerns for now. Unless you think there is something else that I should do?

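The alerts that started this thread name only svchost.exe, and the poster above cannot tell which step made them stop. What a practitioner would want at that point is a way to turn "svchost.exe, port 57430, 31.133.51.245" into a specific hosted service, because one svchost.exe instance hosts a whole group of services and the alert alone cannot tell you which. The script below is an added example, not code from the thread, from Malwarebytes, or from any of the tools used here. It joins the output of two commands that exist on Windows 7, `netstat -ano` (connections with owning PID) and `tasklist /svc` (PID to hosted services), and reports which process and service group own every connection to a given remote address. The IP and local port are taken from the thread; the PIDs, local address and service names in the embedded sample output are constructed for illustration and are assumptions, not data from the poster's machine.

```python
"""Map a blocked remote address back to the svchost.exe service group that owns the connection.

Added example: parses `netstat -ano` and `tasklist /svc` output (real commands on Windows 7+),
either captured live on Windows or from the constructed sample text below.
"""
import re
import subprocess
import sys

# Constructed sample output shaped like the two commands on Windows 7. The remote IP and local
# port 57430 are from the thread; PIDs, local address and service names are assumptions.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    192.168.1.10:57430     31.133.51.245:80       SYN_SENT        936
  TCP    192.168.1.10:57431     31.133.51.245:443      ESTABLISHED     936
  TCP    192.168.1.10:49160     192.168.1.1:53         TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    936
"""

SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    712 RpcEptMapper, RpcSs
svchost.exe                    936 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
svchost.exe                   1044 BITS, Schedule, ShellHWDetection,
                                   wuauserv
mbamservice.exe               1400 MBAMService
"""

# UDP rows have no State column, so the state group is optional.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(?P<image>.*?\S)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def parse_netstat(text):
    """Return one dict per `netstat -ano` row: proto, local, remote ip/port, state, pid."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # headers, blank lines
        ip, _, port = m.group("remote").rpartition(":")  # also fine for [::1]:135 style
        rows.append({"proto": m.group("proto"), "local": m.group("local"),
                     "remote_ip": ip, "remote_port": port,
                     "state": m.group("state") or "", "pid": int(m.group("pid"))})
    return rows


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])} from `tasklist /svc`, joining wrapped service lists."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("="):
            continue
        if line[:1].isspace() and current is not None:
            # Continuation of the previous row: tasklist wraps long service lists.
            procs[current][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = TASKLIST_LINE.match(line)
        if not m:
            current = None  # the "Image Name ... PID Services" header
            continue
        current = int(m.group("pid"))
        svcs = [s.strip() for s in m.group("svcs").split(",") if s.strip()]
        procs[current] = (m.group("image"), svcs)
    return procs


def services_talking_to(remote_ip, netstat_text, tasklist_text):
    """Join the two views: each connection to remote_ip with its owning image and service group."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if row["remote_ip"] != remote_ip:
            continue
        image, svcs = procs.get(row["pid"], ("<unknown>", []))
        hits.append({**row, "image": image, "services": svcs})
    return hits


def collect_live():
    """On Windows, capture the real command output; run from an elevated prompt."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; use the sample text elsewhere")
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return run("netstat", "-ano"), run("tasklist", "/svc")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "31.133.51.245"
    try:
        netstat_text, tasklist_text = collect_live()
    except RuntimeError:
        netstat_text, tasklist_text = SAMPLE_NETSTAT, SAMPLE_TASKLIST
    for hit in services_talking_to(target, netstat_text, tasklist_text):
        print(f"{hit['proto']} {hit['local']} -> {hit['remote_ip']}:{hit['remote_port']} "
              f"{hit['state']} pid={hit['pid']} {hit['image']} services={', '.join(hit['services'])}")
```

Two caveats apply in practice. The snapshot has to be taken while an alert is firing: an outgoing attempt that the blocker drops sits in SYN_SENT only briefly, so run the script (or the two commands) in a loop rather than once after the popup has gone. And the result narrows the culprit to a service group, not one service; on Windows 7 that group can still be split by moving a suspect service into its own instance with `sc config <name> type= own`, after which the PID identifies it uniquely.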

Run this final scan, post its log... I`ll give clean up instruction after that...

Download AdwCleaner by Xplode from http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[sn].txt as well, where n is the order number.

Kevin...


Here is the logfile:

# AdwCleaner v2.113 - Logfile created 02/24/2013 at 18:02:36

# Updated 23/02/2013 by Xplode

# Operating system : Windows 7 Professional Service Pack 1 (64 bits)

# User : Andrew - ANDREW-PC

# Boot Mode : Normal

# Running from : C:\Users\Andrew\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.2 (en-US)

File : C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\0rb2u3z8.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [673 octets] - [24/02/2013 18:02:36]

########## EOF - C:\AdwCleaner[s1].txt - [732 octets] ##########


Delete the following from your Desktop :-

RogueKiller plus its folder RK_Quarantine

Security Checks plus any logs

Next,

Uninstall adwcleaner.exe

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall
  • Click Yes at Would you like to Uninstall Adwcleaner

Next,

Remove ESET online scanner (Only If installed):

  • Click Start, type Uninstall a Program into the Search programs and files box, and then press ENTER.
  • Click to select ESET Online Scanner from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESET Online Scanner; only reboot if prompted.

Next,

Remove Combofix now that we're done with it

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OTMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

Next,

  • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
  • Double click the OTC icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then click the big CleanUp button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.

Any tools/logs remaining on the Desktop can be deleted.

Let me know if those steps complete OK, also if any remaining issues or concerns...

Thanks,

Kevin


No Sir, you should be good to go. If all is ok with no issues here are some tips to reduce the potential for malware infection in the future:

Make proper use of your antivirus and firewall

Antivirus and firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times; NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use WinPatrol from here http://www.winpatrol.com/download.html This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained here http://www.winpatrol.com/features.html

Go here http://www.filehippo.com/updatechecker/ and run the FileHippo Update Checker; update all applications as suggested by the Update Checker. Ignore any Beta updates. (Use the stand-alone version, not a full install.)

If Java or Adobe are updated please check under Start > Control Panel > Add/Remove Programs, ensure any old versions are removed. <--- Very important

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

Firefox http://www.mozilla.com/en-US/,

Opera http://www.opera.com/, and

Chrome http://www.google.com/chrome.

All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here http://www.bleepingcomputer.com/tutorials/tutorial102.html which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust (available for Firefox and Internet Explorer) warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones: green to go, yellow for caution, and red to stop.

NoScript (available for Firefox only) helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at this article:

http://browsers.about.com/od/addonsplugi2/tp/browser_security_privacy.htm

Here a couple of links by two security experts that will give some excellent tips and advice.

So how did I get infected in the first place by Tony Klein

How to prevent Malware by Miekiemoes

Finally, this link http://www.geekstogo.com/forum/topic/38-free-antivirus-and-antispyware-software will give a comprehensive, up-to-date list of free security programs, including antivirus, antispyware, firewall, antimalware, online scanners and rescue CDs.

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

Let me know when its OK to close out your thread....

Take care,

Kevin


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.