darren

Malware infection please help

44 posts in this topic

I ran DDS as mentioned in the help forum; the command prompt crashes when this is done and only the Attach report is generated (attached below).

Whilst browsing the net, the thing I notice is that below any image is a sort of pop-up offering to sell stuff. I have done a print screen showing the image and attached it to this forum - the special offer is from a site I have shopped at many times and I know to be legitimate; the line of items below is new and is on any site I go to, as is the bit to the right hand side called Window Shopper.

On top of this I am getting a lot of pop-ups to either a Flash site (I already have Adobe) saying I have no Flash, or some casino pop-ups, yet I browse using Google Chrome and have the pop-up blocker activated.

I am also getting a pop-up on the bottom right hand side of some sites offering me coupons for the site I am on (it is even doing it for Malwarebytes); this is run by ClickToSave, which again is something new.

I ran Spybot yesterday and it removed a lot of items; I ran Malwarebytes yesterday and it cleared one item (log attached).

In an unrelated matter, I have noticed that my computer has not run automatic Windows updates, and I have been trying to get that to work without success.

I would be thoroughly grateful if anyone was available to assist me in sorting this problem out.

Kind regards

Darren

Attach log as requested

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 23/05/2011 22:19:37

System Uptime: 02/05/2013 18:09:29 (21 hours ago)

.

Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | RV411/RV511/E3511/S3511

Processor: Intel® Core i3 CPU M 380 @ 2.53GHz | CPU 1 | 2533/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 178 GiB total, 48.336 GiB free.

D: is FIXED (NTFS) - 266 GiB total, 186.339 GiB free.

E: is CDROM ()

F: is CDROM ()

G: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP169: 05/04/2013 02:50:44 - Scheduled Checkpoint

RP170: 13/04/2013 16:35:37 - Scheduled Checkpoint

RP171: 21/04/2013 00:00:03 - Scheduled Checkpoint

RP172: 28/04/2013 04:38:08 - Scheduled Checkpoint

.

==== Image File Execution Options =============

.

.

==== Installed Programs ======================

.

64 Bit HP CIO Components Installer

Accounts

ActiveX-kontroll för fjärranslutningar för Windows Live Mesh

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9.1

Agatha Christie - Death on the Nile

„Messenger“ pagalbine priemone

Atheros Client Installation Program

µTorrent

Avery Wizard 4.0

AVG 2013

AVS Audio Converter version 6.3

„Windows Live Essentials“

„Windows Live Mail“

„Windows Live Mesh ActiveX“ nuotoliniu ryšiu valdiklis

„Windows Live Messenger“

„Windows Live“ fotogalerija

BatteryLifeExtender

Beatport Downloader

Behringer BCD3000 Driver v1.3.4

Bejeweled 2 Deluxe

blinkx beat

Broadcom 802.11 Network Adapter

BufferChm

Build-a-lot

Bullzip PDF Printer 9.3.0.1516

Chuzzle Deluxe

Common Desktop Agent

Complemento Messenger

Complément Messenger

continuetosave

ContinueToSave 1.74

Contrôle ActiveX Windows Live Mesh pour connexions à distance

Control ActiveX de Windows Live Mesh para conexiones remotas

Control ActiveX Windows Live Mesh pentru conexiuni la distanță

Controle ActiveX do Windows Live Mesh para Conexões Remotas

Controlo ActiveX do Windows Live Mesh para Ligações Remotas

CyberLink Media Suite

CyberLink Media+ Player10

CyberLink MediaShow

CyberLink Power2Go

CyberLink PowerDirector

CyberLink YouCam

D3DX10

DAEMON Tools Pro

Diner Dash 2 Restaurant Rescue

DivX Setup

Doplnok programu Messenger

Download and Sa

DYMO Label v.8

Easy Content Share

Easy Display Manager

Easy Migration

Easy Network Manager

Easy SpeedUp Manager

EasyBatteryManager

EasyFileShare

ETDWare PS/2-X64 8.0.7.1_WHQL

Facebook Video Calling 1.2.0.287

Farm Frenzy

Fast Start

Formant ActiveX programu Windows Live Mesh odpowiedzialny za obsluge polaczen zdalnych

Fotogalerija Windows Live

Galeria de Fotografias do Windows Live

Galeria fotografii uslugi Windows Live

Galerie de photos Windows Live

Galerie foto Windows Live

Galería fotográfica de Windows Live

Google Chrome

HP Officejet 100 Mobile L411

HPSSupply

HTC BMP USB Driver

HTC Driver Installer

HTC Sync

Insaniquarium Deluxe

Intel® Control Center

Intel® Graphics Media Accelerator Driver

Intel® Management Engine Components

Intel® Rapid Storage Technology

John Deere Drive Green

Junk Mail filter update

Kontrola Windows Live Mesh ActiveX za daljinske veze

Kontrolnik Windows Live Mesh ActiveX za oddaljene povezave

L411

L411_Help

L411_Software_Min

Macromedia Fireworks 8

Malwarebytes Anti-Malware version 1.75.0.1300

Mesh Runtime

Messenger-kumppani

Messenger Assistent

Messenger Companion

Messenger kíséro

Messenger Pratilac

Messenger Suradnik

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft IntelliPoint 8.2

Microsoft Office 2010

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office Office 32-bit Components 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared 32-bit MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Outlook Hotmail Connector 64-bit

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Movie Color Enhancer

MP3 Cutter 1.1.1

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP3 Parser

Native Instruments Audio 8 DJ

Native Instruments Audio 8 DJ Driver

Native Instruments Controller Editor

Native Instruments Service Center

Native Instruments Traktor

Native Instruments Traktor 2

Native Instruments Traktor Audio 10 Driver

Native Instruments Traktor Audio 6 Driver

Native Instruments Traktor Kontrol F1 Driver

Native Instruments Traktor Kontrol S2 Driver

Native Instruments Traktor Kontrol S4 Driver

Native Instruments Traktor Kontrol X1 Driver

Native Instruments Traktor Kontrol Z2 Driver

OptimizerPro1

Ovládací prvek ActiveX platformy Windows Live Mesh pro vzdálená pripojení

Ovládací prvok ActiveX programu Windows Live Mesh pre vzdialené pripojenia

Peggle

Penguins!

Philips Media Converter

Philips Songbird

PhoneShare

Plants vs. Zombies

Poczta uslugi Windows Live

Podstawowe programy Windows Live

Polar Golfer

Pomocnik Messenger

Pošta Windows Live

Professionalteam Limited DVD 2012

Raccolta foto di Windows Live

RealNetworks - Microsoft Visual C++ 2008 Runtime

RealPlayer

Realtek Ethernet Controller Driver

Realtek High Definition Audio Driver

RealUpgrade 1.1

Sage 50 Accounts 2008

Samsung AnyWeb Print

Samsung Easy Printer Manager

Samsung ML-2160 Series

Samsung Printer Live Update

Samsung Recovery Solution 5

Samsung Support Center

Samsung Universal Print Driver

Samsung Universal Scan Driver

Samsung Update Plus

SamsungMovie

Search Assistant SimpleSpeedy 1.74

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Shop for HP Supplies

SHOUTcast DNAS Server v2

SimCity 4 Deluxe

Skype™ 4.2

SopCast 3.4.0

Spremljevalec Messenger

Spybot - Search & Destroy

Spybot - Search & Destroy 2

SRS Premium Sound Control Panel

TagScanner 5.1.625

Toolbox

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

User Guide

Uzak Baglantilar Için Windows Live Mesh ActiveX Denetimi

Vaillant Technical Download Service

VC80CRTRedist - 8.0.50727.6195

Visual Studio 2008 x64 Redistributables

Visual Studio 2010 x64 Redistributables

VLC media player 2.0.1

WAV To MP3 Converter version 1.0 r1

WEB Partner

WebReg

WIDCOMM Bluetooth Software

WildTangent Games

WildTangent ORB Game Console

Winamp

Winamp Detector Plug-in

Windows Driver Package - Google, Inc. (WinUSB) AndroidUsbDeviceClass (08/11/2009 2.0.0010.00002)

Windows Live

Windows Live Communications Platform

Windows Live Essentials

Windows Live Fotótár

Windows Live Foto-galerija

Windows Live fotoattelu galerija

Windows Live Fotogalerie

Windows Live Fotogalleri

Windows Live Fotogaléria

Windows Live Fotograf Galerisi

Windows Live Galeria de Fotos

Windows Live Galerija fotografija

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live Mail

Windows Live Mesh

Windows Live Mesh - ActiveX-besturingselement voor externe verbindingen

Windows Live Mesh ActiveX-kontroll for eksterne tilkoblinger

Windows Live Mesh ActiveX-objekt til fjernforbindelser

Windows Live Mesh ActiveX-vezérlo távoli kapcsolatokhoz

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Mesh ActiveX kontrola za daljinske veze

Windows Live Mesh ActiveX vadikla attalajiem savienojumiem

Windows Live Meshin etäyhteyksien ActiveX-komponentti

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Pošta

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Temel Parçalar

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Windows Liven asennustyökalu

Windows Liven sähköposti

Windows Liven valokuvavalikoima

Windows Media Player Firefox Plugin

WinRAR 4.01 (32-bit)

Zuma Deluxe

.

==== Event Viewer Messages From Past Week ========

.

02/05/2013 18:10:10, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Updating Service service to connect.

02/05/2013 18:10:10, Error: Service Control Manager [7000] - The Spybot-S&D 2 Updating Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

02/05/2013 18:10:08, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

02/05/2013 18:10:08, Error: Service Control Manager [7000] - The Spybot-S&D 2 Scanner Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

02/05/2013 18:09:43, Error: Application Popup [1060] - \SystemRoot\SysWow64\Drivers\GEARAspiWDM.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

02/05/2013 18:09:05, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.

.

==== End Of File ===========================

malware.pdf

mbam-log-2013-05-02 (11-40-03).txt


Also, to further update the notes: I know that Facebook normally has a few ads on the sides, but the page is now stuffed full of adverts for steroids or weight loss titled "TOP STORY"; this was never there prior to this malware.


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Make sure you're subscribed to this topic: click on the Follow This Topic button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly.

Removing malware can be unpredictable...things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive.

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • The removal of malware isn't instantaneous, please be patient.
  • Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Thank you for viewing my post; details of RogueKiller below.

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : User [Admin rights]

Mode : Scan -- Date : 05/03/2013 17:21:32

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤

[RUN][sUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (cmd /c "C:\Users\User\AppData\Local\Temp\Rar$EX21.672\mbar\mbar.exe" /cleanup /s) [x] -> FOUND

[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (192.168.89.200:8080) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545050B9A300 +++++

--- User ---

[MBR] 00da159940b434e9a20a3932fb0fc61b

[bSP] eeb77b14c286f3a4066d1e950dea54f8 : KIWI Image system MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 182272 Mo

2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 373499904 | Size: 272824 Mo

3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 932243456 | Size: 21741 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_05032013_02d1721.txt >>

RKreport[1]_S_05032013_02d1721.txt


Looks like you already ran MBAR; can you post/attach all the logs?

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][sUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (cmd /c "C:\Users\User\AppData\Local\Temp\Rar$EX21.672\mbar\mbar.exe" /cleanup /s) [x] -> FOUND

Now click Delete on the right hand column under Options

-------------

MrC

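As an added example (not RogueKiller's own code, and nothing the helper posted), here is a small Python triage script for the Registry Entries and HOSTS sections of a report like the ones above, written from the viewpoint of deciding which hits matter: the embedded sample is constructed from the first report in this thread, and the severity labels and the tiny allow-list of cleanup tools are my assumptions.

```python
"""Triage the registry and HOSTS sections of a RogueKiller scan report.

Added example for this thread: it is not RogueKiller's code and nothing the
helper posted. The severity labels and the tiny allow-list are my assumptions.
"""
import re
from ipaddress import ip_address

# Constructed sample: the Registry Entries and HOSTS sections copied from the
# first report in the thread (hosts list truncated, as in the post).
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (cmd /c "C:\Users\User\AppData\Local\Temp\Rar$EX21.672\mbar\mbar.exe" /cleanup /s) [x] -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (192.168.89.200:8080) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
"""

# One RogueKiller registry hit: [TAG]... <key> : <value name> (<data>) [x] -> FOUND
ENTRY_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+)\s+"      # one or more [TAG] prefixes
    r"(?P<key>.+?)\s+:\s+"                # registry key (may contain spaces)
    r"(?P<name>\S+)\s+\((?P<data>.*)\)"   # value name and its data
    r"(?:\s+\[x\])?\s+->\s+FOUND$"
)
HOST_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$")

# Assumed allow-list: cleanup tools whose own RunOnce entries trip the
# "suspicious path" rule (the Z1 entry above is MBAR's /cleanup run from Temp).
KNOWN_CLEANUP_TOOLS = ("mbar.exe",)
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def parse_report(text):
    """Return ([registry entry dicts], [(ip, hostname)]) from the report text."""
    registry, hosts, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("¤¤¤"):
            section = ("registry" if "Registry Entries" in line
                       else "hosts" if "HOSTS" in line else None)
            continue
        if section == "registry" and (m := ENTRY_RE.match(line)):
            entry = m.groupdict()
            entry["tags"] = [t.upper() for t in re.findall(r"\[([^\]]+)\]", entry["tags"])]
            registry.append(entry)
        elif section == "hosts" and (m := HOST_RE.match(line)):
            hosts.append((m.group("ip"), m.group("host")))
    return registry, hosts


def triage_registry(entry):
    """Map one registry hit to (severity, reason) from a defender's viewpoint."""
    tags, data = entry["tags"], entry["data"]
    if "PROXY IE" in tags:
        host = data.rsplit(":", 1)[0]
        try:
            addr = ip_address(host)
        except ValueError:
            return "high", "proxy set to a hostname: confirm you configured it, else remove"
        if addr.is_loopback:
            return "medium", "proxy points at this machine: find the local program listening there"
        # A home laptop rarely needs a LAN proxy; every browser request would pass through it.
        return "high", f"browser traffic is routed through {host}: remove unless you set it up"
    if "RUN" in tags:
        if any(tool in data.lower() for tool in KNOWN_CLEANUP_TOOLS):
            return "low", "autorun left behind by a cleanup tool"
        if "SUSP PATH" in tags:
            return "high", "autorun launched from a temp or user-writable path"
        return "medium", "autorun entry: identify the program before deleting"
    if "HJ DESK" in tags:
        return "low", "desktop icon visibility setting, cosmetic"
    return "medium", "unclassified detection: review manually"


def triage_hosts(ip, host):
    """Loopback mappings block a domain; anything else redirects it."""
    addr = ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return "info", f"{host} is sinkholed to this machine, as a hosts-based blocklist does"
    return "high", f"{host} is redirected to {ip}: a hijack unless you added it"


def triage(text):
    """Sorted list of (severity, what, why) for every parsed line of the report."""
    registry, hosts = parse_report(text)
    findings = [(*triage_registry(e), e["key"] + " : " + e["name"]) for e in registry]
    findings += [(*triage_hosts(ip, host), host) for ip, host in hosts]
    # Reorder to (severity, what, why) and list the most urgent hits first.
    findings = [(sev, what, why) for sev, why, what in findings]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for sev, what, why in triage(SAMPLE_REPORT):
        print(f"[{sev:>6}] {what}\n         {why}")
```

Run against the sample, the proxy entry comes out on top while the Z1 RunOnce line, which the helper identified as MBAR's own cleanup, is demoted to low.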

Hi there - MBAR: I did attach the log report on the initial post; would you like me to add it again???

Rescanned & deleted (I hope I did it right?!??!); log below.

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : User [Admin rights]

Mode : Scan -- Date : 05/03/2013 17:31:00

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤

[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (192.168.89.200:8080) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545050B9A300 +++++

--- User ---

[MBR] 00da159940b434e9a20a3932fb0fc61b

[bSP] eeb77b14c286f3a4066d1e950dea54f8 : KIWI Image system MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 182272 Mo

2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 373499904 | Size: 272824 Mo

3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 932243456 | Size: 21741 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[4]_S_05032013_02d1731.txt >>

RKreport[1]_S_05032013_02d1721.txt ; RKreport[2]_S_05032013_02d1728.txt ; RKreport[3]_D_05032013_02d1729.txt ; RKreport[4]_S_05032013_02d1731.txt


To attach a log:

Bottom right corner of this page.


New window that comes up.


MrC


Did MBAR find anything when you ran it??? Any Rootkits???

--------------------------------------------

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


I have downloaded it to the desktop and run it as administrator; it goes through the sequence and then opens Windows Command Processor, which then fails, bringing up the "stopped working" window. The problem details are listed below; I have run this a couple of times and it does the same thing each time.

Problem signature:

Problem Event Name: BEX64

Application Name: CF6018.3XE

Application Version: 6.1.7601.17514

Application Timestamp: 4ce798e5

Fault Module Name: SDHook64.dll

Fault Module Version: 2.0.5.1

Fault Module Timestamp: 4e36cc5e

Exception Offset: 0000000000033930

Exception Code: c0000417

Exception Data: 0000000000000000

OS Version: 6.1.7601.2.1.0.768.3

Locale ID: 2057

Additional Information 1: 7419

Additional Information 2: 741901578398a307e6a837269f6111fd

Additional Information 3: d203

Additional Information 4: d2030bb92a142dc528dfb3bf392c2954

Read our privacy statement online:

http://go.microsoft....88&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:

C:\Windows\system32\en-US\erofflps.txt


Try it in safe mode, MrC


Had to uninstall AVG to run it in safe mode, which I have done.

Report is attached.

combofix log.txt


Next:

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes:

· Adware (software ads)

· PUP/LPI (Potentially Undesirable Programs)

· Toolbars

· Hijackers (hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been run, so in this case it should be something like R1.

Note:

Please look over what was found......especially any folders; we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain why it shouldn't be on your system.

If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using Adwcleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetections before using AdwCleaner.

You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:

/DisableAskDetection - This option disables Ask Toolbar detection.

MrC


Hi MrC

Attached is the log file as requested.

Looking through the log file, a few things make sense: when I ran Spybot yesterday one of the things it cleared was Wajam, and I think Malwarebytes mentioned websearch.simplespeedy.info. Oh, and this keeps setting itself as the home page on IE (not that I use IE; I run Google Chrome).

Darren

AdwCleanerR1.txt


Some adware found....let's clear it out.....

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Then......

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC


AdwCleaner log after delete

# AdwCleaner v2.300 - Logfile created 05/03/2013 at 23:26:22

# Updated 28/04/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : User - USER-PC

# Boot Mode : Normal

# Running from : C:\Users\User\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\END

Folder Deleted : C:\Program Files (x86)\continuetosave

Folder Deleted : C:\ProgramData\InstallMate

Folder Deleted : C:\ProgramData\Premium

Folder Deleted : C:\ProgramData\RightClick

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit

Key Deleted : HKCU\Software\AppDataLow\Software\ShoppingReport2

Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar

Key Deleted : HKCU\Software\AppDataLow\SProtector

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}

Key Deleted : HKLM\Software\AVG Secure Search

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASMANCS

Key Deleted : HKLM\Software\SP Global

Key Deleted : HKLM\Software\SProtector

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{20E7BC40-33F6-4A81-9D52-B58349326206}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [internet Browsers] *****

Check up

Results of screen317's Security Check version 0.99.63

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 8 Out of date!

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Spybot - Search & Destroy

Spybot - Search & Destroy 2

Malwarebytes Anti-Malware version 1.75.0.1300

Adobe Flash Player 11.6.602.171

Adobe Reader 9 Adobe Reader out of Date!

Google Chrome 26.0.1410.43

Google Chrome 26.0.1410.64

````````Process Check: objlist.exe by Laurent````````

Spybot Teatimer.exe is disabled!

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````


How's the computer now???

MrC


It still has the annoying pop-ups.


What browsers are affected?

------------------------------

Download and run Avast Browser Cleanup, see if it detects any bad items. If so, have the program delete them.

--------------------------

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

MrC


Hi there, sorry for not replying for a couple of days - been ill :wacko:

Those last two fixes appear to have got it off of both browsers.

JRT log below.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.9.3 (04.29.2013:2)

OS: Windows 7 Home Premium x64

Ran by User on 05/05/2013 at 0:23:42.49

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BF83B08C-F372-458E-B135-2245115FEC70}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Users\User\appdata\locallow\boost_interprocess"

Successfully deleted: [Folder] "C:\Users\User\appdata\locallow\conduit"

Successfully deleted: [Folder] "C:\Users\User\appdata\locallow\continuetosave"

Successfully deleted: [Folder] "C:\Users\User\appdata\locallow\shoppingreport2"

Successfully deleted: [Folder] "C:\Program Files (x86)\SimpleSpeedy"


Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{582745E6-7B61-4DF0-8F48-AD9176B8AB5C}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{5EB2AA39-D81C-4919-B1CF-40F659DD08E7}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{6925EED6-58AE-42B4-9D14-1A03CD6E0E06}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{6EE65369-7E89-419D-9BAA-5F7ED254B637}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{70758432-CD12-4FAB-AC46-80D5EDDD63E0}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{7297F7FB-7724-4A28-BC50-274A8A3F0457}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{72BD5CE1-13BA-4A1D-B23C-F0EC542D511E}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{72BED78F-6F2E-420A-9863-C9E73F14E46C}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{7343ABBB-172D-42E6-9E3A-D0A5A5EF917B}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{7366B364-FF79-4935-B770-E87063A2B7C8}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{7559AD3A-4F79-4210-833A-C446BF0B0E88}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{79349081-8138-4DE2-97C2-4B436CFFFB7F}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{8456600C-73F5-40D1-9DD2-EB212E54174F}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{8DB209C7-1CB9-4897-AE51-9D266AFC485F}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{8EA9D5F0-D00B-4C2F-821B-AEFEE01D0286}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{8ED30CD9-6CCB-46DC-BC39-AC907FD14C43}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{8F831D90-55A6-4430-8CCF-C45943E8C934}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{908AC0DF-840A-417E-9811-B2C0369ED31D}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{97EF80C4-54DF-4D2E-ABEE-DD32F4C32139}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{A111C83F-1A7D-4469-B2CF-59FF150378B9}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{A1302FB5-7A40-4F25-912F-847A614A2817}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{A2610535-1C9B-40DD-80DF-267CAE542013}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{A3131FCF-BC87-4840-92B2-213D6E7B07F9}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{A61D69A8-1FCE-4EF8-AC85-D4D5D7A9F24D}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{A6821119-3525-4226-B635-A8DA4CE453DB}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{AAF2B197-3998-4B2D-AE53-67A4F22546C8}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{AC7FB308-36E7-4E35-9875-AA62167EFB0C}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{ACE89BA5-0F87-4426-8E8B-1A4E73B712D4}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{B4FE4C32-F916-441A-BF33-4F29EDC0AE3F}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{B632D2C7-4917-452B-8CDA-EE63D6CE7E12}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{B6C03CD5-5513-47C8-B40A-F945E65B92DF}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{BBD060A8-ADF2-42DA-8851-B8C25F3FA976}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{BD19501A-EA4B-4ED2-8C1F-990E980D986F}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{BEDD21CC-5710-4535-B25B-CC98CED5A5FC}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{C1EA48AA-40BF-4C3C-B14D-DF9CB388E5A8}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{C6356F08-60E3-48DC-955E-9DAFBD7C618A}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{C9D813DE-637A-4DE6-8429-BC234B51051F}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{CA427355-7120-45DB-ABB0-9B0DB09556E2}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{D282D0B7-6167-4743-8600-3F4413CEA2AF}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{D30FB867-D852-48C9-A7DA-9C2CD01BDACB}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{D3E71552-3183-427C-B24C-569B5B0589AF}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{D6628AA4-43A3-4895-8507-1EA9686010EF}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{D8BBE76B-DB59-4984-8587-F45E5A3B0230}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{D8C438FB-79FB-49F6-86D0-EA1AD85AE32F}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{DDDDA282-C0CB-4B2A-B83D-3B146922E04B}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{E3A2246F-33D4-4E26-8ED8-7E15EADD0683}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{E435BFF4-DA0B-4797-8E2C-3A0A5FEAF2F0}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{E96B0285-3CE0-409E-9D3D-ADD8B6C48DEA}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{EA24528B-74D3-4084-B3F3-D9A8ECA012C6}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{ED588E9A-F984-44D8-B979-EEAB7DEFD835}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{F010EC73-E122-4D43-8A0A-37A20857F0E4}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{F60F8C94-7945-442B-8C75-ABCAC9AC4B6D}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{FB8DB390-4BE9-4BBA-B3D7-3DBB0EC9F912}

Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{FCE16405-E932-4ADB-B882-2DAEB93AAA7C}

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on 05/05/2013 at 0:28:50.42

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

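The JRT log posted above has a fixed shape: a header block, `~~~` section headings (Services, Registry Values, Registry Keys, Files, Folders), and one `Successfully deleted: [kind] target` line per removed item, with `[Folder]` targets quoted and `[Empty Folder]` targets unquoted. The following Python parser is an added example, not code from JRT, Malwarebytes or anyone in this thread, and its regular expressions are assumptions derived only from the lines visible in this log (other JRT versions may differ). It runs on a constructed excerpt of the log above, separates the GUID-named empty folders from the named adware folders and the search-scope registry key, and flags that JRT cleared the Event Viewer logs, which is worth recording because it removes evidence an investigator might otherwise use to work out when and how the adware arrived.

```python
"""Parse a Junkware Removal Tool (JRT.txt) log and summarise what was removed."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed excerpt of a JRT.txt log, in the format shown in the thread above.
# Entries are copied from that log; most of the empty-folder lines are omitted.
SAMPLE_JRT_LOG = r"""~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.3 (04.29.2013:2)
OS: Windows 7 Home Premium x64
Ran by User on 05/05/2013 at 0:23:42.49
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BF83B08C-F372-458E-B135-2245115FEC70}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Users\User\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Program Files (x86)\SimpleSpeedy"
Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{02837976-853D-4018-A318-E976B5311F54}
Successfully deleted: [Empty Folder] C:\Users\User\appdata\local\{02F46F90-91C4-4116-96DC-D61A6AD97018}

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 05/05/2013 at 0:28:50.42
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"""

# Assumed line shapes, taken from the log above (not an official JRT spec).
SECTION_RE = re.compile(r"^~~~ (?P<title>.+?)$")
ACTION_RE = re.compile(r'^Successfully deleted: \[(?P<kind>[^\]]+)\] "?(?P<target>.*?)"?$')
RAN_BY_RE = re.compile(r"^Ran by (?P<user>\S+) on (?P<date>\S+) at (?P<time>\S+)$")
DONE_RE = re.compile(r"^Scan was completed on (?P<date>\S+) at (?P<time>\S+)$")
# JRT removes many empty {GUID}-named folders; recognise them so they can be
# reported separately from folders that carry a product name.
GUID_DIR_RE = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


@dataclass
class Deletion:
    section: str   # the "~~~" heading the entry appeared under
    kind: str      # text inside the square brackets, e.g. "Registry Key"
    target: str    # path or key, with JRT's surrounding quotes stripped


@dataclass
class JrtReport:
    version: str = ""
    os: str = ""
    user: str = ""
    started: str = ""
    completed: str = ""
    event_logs_cleared: bool = False
    deletions: list = field(default_factory=list)


def parse_jrt_log(text: str) -> JrtReport:
    """Walk the log line by line, tracking the current section heading."""
    report = JrtReport()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("~~~~"):
            continue  # blank lines and the long ~~~~ separator bars
        if line.startswith("Version: "):
            report.version = line[len("Version: "):]
        elif line.startswith("OS: "):
            report.os = line[len("OS: "):]
        elif (m := RAN_BY_RE.match(line)):
            report.user = m["user"]
            report.started = f"{m['date']} {m['time']}"
        elif (m := DONE_RE.match(line)):
            report.completed = f"{m['date']} {m['time']}"
        elif (m := SECTION_RE.match(line)):
            section = m["title"]
            # JRT reports log clearing as a heading, not as an action line.
            if section.startswith("Event Viewer Logs were cleared"):
                report.event_logs_cleared = True
        elif (m := ACTION_RE.match(line)):
            report.deletions.append(Deletion(section, m["kind"], m["target"]))
    return report


def summarize(report: JrtReport) -> dict:
    """Counts per item kind, plus the entries worth keeping as a record."""
    folders = [d for d in report.deletions if d.kind.endswith("Folder")]
    return {
        "by_kind": dict(Counter(d.kind for d in report.deletions)),
        "guid_named_folders": sum(1 for d in folders if GUID_DIR_RE.search(d.target)),
        "named_folders": [d.target for d in folders if not GUID_DIR_RE.search(d.target)],
        "registry_keys": [d.target for d in report.deletions if d.kind == "Registry Key"],
        "event_logs_cleared": report.event_logs_cleared,
    }


if __name__ == "__main__":
    rep = parse_jrt_log(SAMPLE_JRT_LOG)
    print(f"JRT {rep.version} on {rep.os}, run by {rep.user} {rep.started} -> {rep.completed}")
    for key, value in summarize(rep).items():
        print(f"{key}: {value}")
```

Run against a full JRT.txt (`parse_jrt_log(open("JRT.txt").read())`) the summary gives a quick inventory: the named folders (conduit, shoppingreport2, continuetosave, SimpleSpeedy) identify the adware families involved, the Internet Explorer SearchScopes key shows a search hijack was present, and the `event_logs_cleared` flag records that any earlier Windows event evidence is gone.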

Thank you for your help in removing this malware

Any ideas how I can get the computer to do auto updates, as it hasn't updated since I first got it?

Kind regards

darren


Good.....

Are you talking about Windows Update???

What seems to be the problem???

MrC


Yes, Windows Update.

I have the flag up and have followed the instructions given by Microsoft, but have had no luck in getting it sorted.


When you ran MBAR, did you run the fixdamage tool??

MrC


I think so, how do I tell?

This topic is now closed to further replies.