wtxhawkvj

System Care Spyware

12 posts in this topic

So my dad was going through his e-mail like he does every day and made the unfortunate mistake of clicking an e-mail that was linked to some malicious download of sorts for this "System Care AntiVirus".

I was reading a thread on here already about it, and I started following the instructions, but I stopped after reading a moderator post instructing users to post their own help thread instead of following directions since it is different for everybody.

So here is where I am at currently.

After getting my hands on the laptop (it's running Windows 7), I booted into Safe Mode and began an AVG scan. This came up with a few things that it says it deleted. But I went ahead and did a Spybot Search & Destroy scan, which found some malware and other things.

I then booted up normally and was mildly surprised to see that it made it past those scans.

I downloaded Malwarebytes and did a scan. It came up with 7 problems and deleted them, prompted me to reboot, and I did. Now that I've rebooted, I'm getting consistent system tray messages from Malwarebytes saying that it successfully blocked access to a potentially malicious website:

Type: outgoing

Port: all over the place, process: svchost.exe

I guess more or less I'm looking for someone to lend a hand in instructing me to fix this without a reformat if possible and without spending any money.

I'll be following this thread every day, 2-3 times daily. Help :(


Hello wtx and welcome to MalwareBytes forum.

You did not clearly state your version of Windows. Do that in your next reply, and copy > paste the contents of the last MBAM scan log.

  • Download & SAVE to your Desktop Tigzy's RogueKiller >> from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external storage drives from the computer before you run this scan!
  • For Vista or Windows 7 / 8, right-click the program, select Run as Administrator to start, and when prompted, Allow it to run.
    For Windows XP, double-click to start.
  • When prompted to accept the EULA, please do so.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Do NOT press any Fix button.
  • Exit/Close RogueKiller

Download DDS and save it to your desktop from http://download.bleepingcomputer.com/sUBs/dds.com

or http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.infospyware.net/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Double click dds to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

Follow and answer the prompts as appropriate.

  • When done, DDS will open two (2) logs:
    DDS.txt
    Attach.txt
  • Save both reports to your desktop.

Please Copy & Paste contents of the following logs in your next reply:

DDS.txt

Attach.txt

Use Notepad to copy all contents of each log, then paste directly into the main body of the reply box.

Do -not- use the attach option unless a single log is way too large and won't fit.


Okay, I'll do this and reply when I get home from the office.


The laptop is running Windows 7 64-bit Home Premium.

~~~MBAM LOG~~~

Malwarebytes Anti-Malware (Trial) 1.75.0.1300

www.malwarebytes.org

Database version: v2013.05.20.08

Windows 7 x64 NTFS (Safe Mode/Networking)

Internet Explorer 8.0.7600.16385

Jim :: JIM-PC [administrator]

Protection: Disabled

5/20/2013 11:01:22 PM

mbam-log-2013-05-20 (23-01-22).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 341746

Time elapsed: 35 minute(s), 20 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|D212B4103D51B3F40000D211E201B750 (Trojan.FakeAlert.ED) -> Data: C:\ProgramData\D212B4103D51B3F40000D211E201B750\D212B4103D51B3F40000D211E201B750.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 3

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\ProgramData\D212B4103D51B3F40000D211E201B750\D212B4103D51B3F40000D211E201B750.exe (Trojan.FakeAlert.ED) -> Quarantined and deleted successfully.

C:\Users\Jim\AppData\Local\wkkenxpt.exe (Trojan.Medfos.RRE) -> Quarantined and deleted successfully.

C:\Users\Jim\Downloads\PDFCreator_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.

(end)

-----

~~~RogueKiller Report~~~

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version

Started in : Safe mode with network support

User : Jim [Admin rights]

Mode : Scan -- Date : 05/21/2013 22:31:48

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤

[RUN][SUSP PATH] HKCU\[...]\Run : qebuhrkr ("C:\Users\Jim\AppData\Local\qqbhwhmk.exe") [-] -> FOUND

[RUN][SUSP PATH] HKLM\[...]\Run : netltr ("C:\Windows\System32\rundll32.exe" "C:\Users\Jim\AppData\Roaming\netltr.dll",GetGlobals) [7] -> FOUND

[RUN][SUSP PATH] HKLM\[...]\Run : wmapin ("C:\Windows\System32\rundll32.exe" "C:\Users\Jim\AppData\Roaming\wmapin.dll",EOFError) [7] -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-334835757-2510909033-2721670664-1001[...]\Run : qebuhrkr ("C:\Users\Jim\AppData\Local\qqbhwhmk.exe") [-] -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200BPVT-22ZEST0 +++++

--- User ---

[MBR] 79c8619ed64920bbdba36393b20cd86e

[BSP] 50b8a080780f9938c840285ffc965c21 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15000 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30722048 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 290143 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_05212013_02d2231.txt >>

RKreport[1]_S_05212013_02d2231.txt

------------

~~~Attach Log from DDS~~~

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 3/5/2011 5:34:49 PM

System Uptime: 5/21/2013 10:21:46 PM (0 hours ago)

.

Motherboard: Acer | | JE70_CP

Processor: Intel® Pentium® CPU P6200 @ 2.13GHz | CPU 1 | 2128/100mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 283 GiB total, 224.184 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: Security Processor Loader Driver

Device ID: ROOT\LEGACY_SPLDR\0000

Manufacturer:

Name: Security Processor Loader Driver

PNP Device ID: ROOT\LEGACY_SPLDR\0000

Service: spldr

.

==== System Restore Points ===================

.

RP122: 3/1/2013 7:47:49 PM - Scheduled Checkpoint

RP123: 3/10/2013 9:04:05 PM - Scheduled Checkpoint

RP124: 3/13/2013 8:08:52 PM - Installed Synctunes Desktop

RP125: 3/14/2013 8:42:48 PM - Windows Update

RP126: 3/15/2013 7:32:25 PM - Windows Update

RP127: 3/27/2013 6:50:51 PM - Scheduled Checkpoint

RP128: 4/10/2013 10:58:53 PM - Windows Update

RP129: 4/19/2013 9:12:01 PM - Scheduled Checkpoint

RP130: 4/24/2013 6:32:44 PM - Windows Update

RP131: 5/12/2013 9:11:55 PM - Scheduled Checkpoint

RP132: 5/16/2013 5:59:00 PM - Windows Update

.

==== Installed Programs ======================

.

18 Wheels of Steel - American Long Haul

Acer Backup Manager

Acer Crystal Eye webcam Ver:1.1.194.1021

Acer ePower Management

Acer eRecovery Management

Acer Game Console

Acer Games

Acer Registration

Acer ScreenSaver

Acer Updater

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9.5.4 MUI

Agatha Christie - Death on the Nile

Alcor Micro USB Card Reader

Apple Application Support

Apple Mobile Device Support

Apple Software Update

AVG 2011

Backup Manager Basic

Bejeweled 2 Deluxe

Bing Bar

Bing Rewards Client Installer

Blackhawk Striker 2

Bonjour

Broadcom Gigabit NetLink Controller

Build-a-lot 2

Chuzzle Deluxe

Coupon Printer for Windows

CyberLink PowerDVD 9

D3DX10

Diner Dash 2 Restaurant Rescue

Dora's Carnival Adventure

eBay Worldwide

eSobi v2

FATE

HP Deskjet 3050A J611 series Basic Device Software

HP Deskjet 3050A J611 series Help

HP Deskjet 3050A J611 series Product Improvement Study

HP Photo Creations

HP Update

iCloud

Identity Card

Intel® Graphics Media Accelerator Driver

Intel® Management Engine Components

Intel® Rapid Storage Technology

iTunes

Jewel Quest - Heritage

Jewel Quest Solitaire 2

John Deere Drive Green

Junk Mail filter update

Launch Manager

Malwarebytes Anti-Malware version 1.75.0.1300

Mesh Runtime

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Office 2010

Microsoft Office Click-to-Run 2010

Microsoft Office Starter 2010 - English

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

MobileMe Control Panel

Mozilla Firefox 21.0 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

MSVCRT_amd64

MyWinLocker

MyWinLocker Suite

NOOK for PC

Norton Online Backup

NTI Backup Now 5

NTI Backup Now Standard

NTI Media Maker 8

Penguins!

Plants vs. Zombies

Polar Bowler

Polar Golfer

QuickTime

Realtek High Definition Audio Driver

Safari

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Shredder

Skype™ 5.10

Spybot - Search & Destroy

Synaptics Pointing Device Driver

Synctunes Desktop

Times Reader

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Virtual Villagers 4 - The Tree of Life

Visual Studio 2008 x64 Redistributables

Welcome Center

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Zuma's Revenge

.

==== Event Viewer Messages From Past Week ========

.

5/21/2013 10:31:35 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

5/21/2013 10:22:24 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

5/21/2013 10:22:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

5/21/2013 10:22:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

5/21/2013 10:22:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

5/21/2013 10:22:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

5/21/2013 10:22:10 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx64 Avgmfx64 discache mwlPSDFilter mwlPSDNServ mwlPSDVDisk spldr Wanarpv6

5/21/2013 10:22:08 PM, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The dependency service or group failed to start.

5/21/2013 10:22:05 PM, Error: Service Control Manager [7001] - The SBSD Security Center Service service depends on the Security Center service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

5/20/2013 9:10:52 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

5/20/2013 9:10:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

5/20/2013 9:10:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

5/20/2013 9:10:13 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx64 Avgmfx64 Avgtdia DfsC discache mwlPSDFilter mwlPSDNServ mwlPSDVDisk NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf

5/20/2013 9:10:09 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

5/20/2013 9:10:09 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

5/20/2013 9:10:09 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

5/20/2013 9:10:09 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

5/20/2013 9:10:09 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

5/20/2013 9:10:09 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.

5/20/2013 9:10:09 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

5/20/2013 9:10:09 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

5/20/2013 9:10:09 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

5/20/2013 9:10:09 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

5/20/2013 8:02:07 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.

5/20/2013 8:02:07 PM, Error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

5/20/2013 8:01:44 PM, Error: Service Control Manager [7034] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 5 time(s).

5/20/2013 8:01:42 PM, Error: Service Control Manager [7034] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 4 time(s).

5/20/2013 8:01:42 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the BBUpdate service to connect.

5/20/2013 8:01:42 PM, Error: Service Control Manager [7000] - The BBUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

5/20/2013 8:01:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service BBUpdate with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}

5/20/2013 8:01:17 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Intel® Management and Security Application Local Management Service service to connect.

5/20/2013 8:01:17 PM, Error: Service Control Manager [7000] - The Intel® Management and Security Application Local Management Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

5/20/2013 8:01:07 PM, Error: Service Control Manager [7034] - The Skype Updater service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 8:01:07 PM, Error: Service Control Manager [7034] - The BingBar Service service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 12:20:29 PM, Error: Service Control Manager [7034] - The BBUpdate service terminated unexpectedly. It has done this 7 time(s).

5/20/2013 12:20:15 PM, Error: Service Control Manager [7034] - The BBUpdate service terminated unexpectedly. It has done this 6 time(s).

5/20/2013 12:19:45 PM, Error: Service Control Manager [7034] - The BBUpdate service terminated unexpectedly. It has done this 5 time(s).

5/20/2013 12:18:46 PM, Error: Service Control Manager [7034] - The BBUpdate service terminated unexpectedly. It has done this 4 time(s).

5/20/2013 10:30:38 PM, Error: Service Control Manager [7031] - The Intel® Management and Security Application Local Management Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

5/20/2013 10:30:22 PM, Error: Service Control Manager [7034] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 3 time(s).

5/20/2013 10:30:21 PM, Error: Service Control Manager [7034] - The BBUpdate service terminated unexpectedly. It has done this 3 time(s).

5/20/2013 10:30:18 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.

5/20/2013 10:30:18 PM, Error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

5/20/2013 10:30:17 PM, Error: Service Control Manager [7034] - The BBUpdate service terminated unexpectedly. It has done this 2 time(s).

5/20/2013 10:29:57 PM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

5/20/2013 10:29:50 PM, Error: Service Control Manager [7034] - The Application Virtualization Client service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The Updater Service service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The SBSD Security Center Service service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The NTI IScheduleSvc service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The NTI Backup Now 5 Scheduler Service service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The Norton Online Backup service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The Intel® Management & Security Application User Notification Service service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The GREGService service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The Dritek WMI Service service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The Client Virtualization Handler service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The BBUpdate service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The Application Virtualization Service Agent service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7034] - The Acer ePower Service service terminated unexpectedly. It has done this 1 time(s).

5/20/2013 10:29:47 PM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

5/20/2013 10:29:47 PM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

.

==== End Of File ===========================

-----------------

~~~DDS Log~~~

DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK

Internet Explorer: 8.0.7600.17267

Run by Jim at 22:33:34 on 2013-05-21

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3764.3049 [GMT -5:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://acer.msn.com

uDefault_Page_URL = hxxp://acer.msn.com

mStart Page = hxxp://acer.msn.com

mDefault_Page_URL = hxxp://acer.msn.com

mWinlogon: Userinit = userinit.exe,

BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BingExt.dll

BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} -

uRun: [HP Deskjet 3050A J611 series (NET)] "C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN1774B32405PJ:NW" -scfn "HP Deskjet 3050A J611 series (NET)" -AutoStart 1

uRun: [qebuhrkr] "C:\Users\Jim\AppData\Local\qqbhwhmk.exe"

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k

mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe

mRun: [suiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"

mRun: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d

mRun: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"

mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

StartupFolder: C:\Users\Jim\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MONITO~1.LNK - C:\Windows\System32\RunDll32.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

uPolicies-Explorer: HideSCAHealth = dword:1

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

TCP: NameServer = 192.168.1.1 209.18.47.61 209.18.47.62

TCP: Interfaces\{34B45880-1779-409D-AD12-EBFCAAF79A06} : DHCPNameServer = 192.168.1.1 209.18.47.61 209.18.47.62

TCP: Interfaces\{34B45880-1779-409D-AD12-EBFCAAF79A06}\175796C647562713 : DHCPNameServer = 67.142.170.10 67.142.170.11

TCP: Interfaces\{34B45880-1779-409D-AD12-EBFCAAF79A06}\2456C6B696E6F5E4F575962756C6563737F5332324145373 : DHCPNameServer = 192.168.2.1

TCP: Interfaces\{34B45880-1779-409D-AD12-EBFCAAF79A06}\54E67456E696573713 : DHCPNameServer = 10.10.10.133 10.10.10.150

TCP: Interfaces\{34B45880-1779-409D-AD12-EBFCAAF79A06}\84162726F627C496E6B602D202055726C69636027556C636F6D656 : DHCPNameServer = 66.82.4.8 66.82.4.12 4.2.2.3

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

x64-mStart Page = hxxp://acer.msn.com

x64-mDefault_Page_URL = hxxp://acer.msn.com

x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-Run: [mwlDaemon] C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe

x64-Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe

x64-Run: [netltr] "C:\Windows\System32\rundll32.exe" "C:\Users\Jim\AppData\Roaming\netltr.dll",GetGlobals

x64-Run: [wmapin] "C:\Windows\System32\rundll32.exe" "C:\Users\Jim\AppData\Roaming\wmapin.dll",EOFError

x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgppa.dll

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Jim\AppData\Roaming\Mozilla\Firefox\Profiles\hvsio9zw.default\

FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/.

FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff4.dll

FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMSS.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll

FF - ExtSQL: 2013-05-20 23:39; {9b781230-c16e-11e2-8275-b8ac6f996f26}; C:\Users\Jim\AppData\Roaming\Mozilla\Firefox\Profiles\hvsio9zw.default\extensions\{9b781230-c16e-11e2-8275-b8ac6f996f26}.xpi

.

---- FIREFOX POLICIES ----

FF - user.js: general.useragent.extra.brc - BRI/1

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2011-2-22 26704]

R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2011-3-16 37456]

R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2011-4-4 377936]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-12-21 56344]

R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2010-6-8 406056]

S1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2011-1-7 304720]

S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2011-3-1 41552]

S1 mwlPSDFilter;mwlPSDFilter;C:\Windows\System32\drivers\mwlPSDFilter.sys [2009-6-2 22576]

S1 mwlPSDNServ;mwlPSDNServ;C:\Windows\System32\drivers\mwlPSDNserv.sys [2009-6-2 20016]

S1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\System32\drivers\mwlPSDVDisk.sys [2009-6-2 60464]

S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]

S2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-12-21 321104]

S2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2010-12-21 868896]

S2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 23584]

S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-5-20 418376]

S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-5-20 701512]

S2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]

S2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2010-6-28 255744]

S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2010-4-16 144640]

S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2013-5-20 1153368]

S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]

S2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-21 2320920]

S2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2010-11-19 243232]

S3 AmUStor;AM USB Stroage Driver;C:\Windows\System32\drivers\AmUStor.sys [2010-6-10 40448]

S3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\AVGIDSDriver.sys [2011-4-14 118864]

S3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\AVGIDSFilter.sys [2011-2-10 29264]

S3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]

S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-12-21 158976]

S3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-12-21 271872]

S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-5-20 25928]

S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [2013-2-5 235216]

S3 MWLService;MyWinLocker Service;C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [2010-5-26 305520]

S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2010-4-16 50432]

S3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]

S3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]

S3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]

S3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]

S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-3-7 1255736]

S4 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-4-18 7398752]

S4 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2013-05-21 04:00:10 -------- d-----w- C:\Users\Jim\AppData\Roaming\Malwarebytes

2013-05-21 04:00:02 -------- d-----w- C:\ProgramData\Malwarebytes

2013-05-21 04:00:01 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-05-21 04:00:01 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-05-21 03:59:47 -------- d-----w- C:\Users\Jim\AppData\Local\Programs

2013-05-21 02:03:32 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy

2013-05-21 02:03:32 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy

2013-05-21 01:15:19 -------- d--h--w- C:\$AVG

2013-05-20 17:11:13 -------- d-----w- C:\ProgramData\D212B4103D51B3F40000D211E201B750

2013-05-20 16:59:28 376832 ----a-w- C:\Users\Jim\AppData\Roaming\wmapin.dll

2013-05-20 16:59:22 585728 ----a-w- C:\Users\Jim\AppData\Roaming\netltr.dll

2013-05-20 16:16:40 53248 ----a-w- C:\Users\Jim\AppData\Local\qqbhwhmk.exe

2013-04-24 00:01:54 1653096 ----a-w- C:\Windows\System32\drivers\ntfs.sys

.

==================== Find3M ====================

.

2013-05-16 01:24:52 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-16 01:24:52 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-03-19 06:19:35 5497688 ----a-w- C:\Windows\System32\ntoskrnl.exe

2013-03-19 05:54:37 43520 ----a-w- C:\Windows\System32\csrsrv.dll

2013-03-19 05:06:09 3958120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:06:09 3902312 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2013-03-19 04:53:45 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll

2013-03-19 03:19:03 112640 ----a-w- C:\Windows\System32\smss.exe

2013-03-02 05:49:19 1198080 ----a-w- C:\Windows\System32\wininet.dll

2013-03-02 05:43:16 57856 ----a-w- C:\Windows\System32\licmgr10.dll

2013-03-02 05:06:05 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2013-03-02 04:38:33 482816 ----a-w- C:\Windows\System32\html.iec

2013-03-02 04:03:34 386048 ----a-w- C:\Windows\SysWow64\html.iec

2013-03-02 03:56:13 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2013-03-02 03:30:45 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2013-03-02 03:29:26 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2013-03-01 03:32:29 3150848 ----a-w- C:\Windows\System32\win32k.sys

.

============= FINISH: 22:34:22.76 ===============


You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member wtxhawkvj only. If you are a casual viewer, do NOT try this on your system!

If you are not wtxhawkvj and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

  • Disable your anti-virus program, How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Please disconnect any USB or external storage drives from the computer before you run this scan!
  • For Vista or Windows 7 / 8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan finishes.
  • On the RogueKiller console, click the Registry tab.
    Put a check next to all 8 of these and uncheck the rest: (if found)
    [RUN][SUSP PATH] HKCU\[...]\Run : qebuhrkr ("C:\Users\Jim\AppData\Local\qqbhwhmk.exe") [-] -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : netltr ("C:\Windows\System32\rundll32.exe" "C:\Users\Jim\AppData\Roaming\netltr.dll",GetGlobals) [7] -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : wmapin ("C:\Windows\System32\rundll32.exe" "C:\Users\Jim\AppData\Roaming\wmapin.dll",EOFError) [7] -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-334835757-2510909033-2721670664-1001[...]\Run : qebuhrkr ("C:\Users\Jim\AppData\Local\qqbhwhmk.exe") [-] -> FOUND
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

    UN-check any -other - lines shown on your screen that are not listed in the above list.
  • Then click on Delete on the right hand column under Options.
  • The log will be found as RKreport
    Copy & Paste the contents into next reply.

Task 2

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.

Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
If your antivirus program gives a prompt message, respond positively to allow RKILL to run.
If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL

IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

When all done, rkill.txt log file will be on your desktop. Copy & Paste contents of Rkill.txt into a reply.

More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Task 3

We Need to Run a Batch Script

  1. Press the Windows-key on keyboard.
  2. In the search box, type notepad and press Enter.
  3. Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.
    rem Stop and remove any service registered under the qebuhrkr name, then delete its launcher
    net stop qebuhrkr
    del /f /q C:\Users\Jim\AppData\Local\qqbhwhmk.exe
    sc delete qebuhrkr
    rem Delete the two DLLs that the netltr and wmapin Run entries hand to rundll32
    del /f /q C:\Users\Jim\AppData\Roaming\netltr.dll
    del /f /q C:\Users\Jim\AppData\Roaming\wmapin.dll
    rem Delete this batch file itself
    del /f /q "%~f0"


  4. Select File -> Save AS.
  5. Press the Desktop button on the left side of the save dialog.
  6. In the File name box, type in Fix.bat.
  7. Press Save.
  8. Close Notepad.
  9. Right click Fix.bat on your desktop, and choose Run as administrator.
  10. Press Yes if prompted by User Account Control.

Task 4

Now, Restart the pc and allow the restart into normal mode of Windows. NORMAL mode so that Windows is running with normal Windows services, etc.

DO -not- start any programs or applications on your own. We still need to run special tools to hunt for remaining malwares.

Save and close any work documents, close any apps that you started.

Temporarily turn off (disable) your antivirus program

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a new reply.

Task 5

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power) or a UPS system

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
    When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.

Notes:

[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer, this should resolve the problem. You may have to reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3] When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh

Reply & Copy & Paste contents of the C:\Combofix.txt log

and tell me, How is the system now?

Re-enable your antivirus program.

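What the DDS log above and the RogueKiller list in Task 1 are actually pointing at can be checked mechanically. The script below is an added example in Python, my own code and not part of this thread or of DDS, RogueKiller or Malwarebytes. It parses the Run lines and mPolicies-System lines in the DDS format, flags any autostart target, or any DLL handed to rundll32, that lives in a user-writable directory such as AppData or ProgramData, and reports the UAC policy values the rogue switched off (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop). The sample lines are copied from the log above, except the uRun line for qebuhrkr, which is reconstructed from the RogueKiller finding in Task 1 and is my assumption about how DDS would print that HKCU entry. Note that the Task 3 batch removes the files only; the Run values and the UAC policies are the RogueKiller items in Task 1, and running a check like this against a fresh log is how you confirm that none of the three survived.

```python
"""Triage of DDS-style startup logs: flag autostarts that run out of
user-writable directories and UAC policies that have been weakened.
Added example, not part of the thread or of any of the tools it names."""
import re
import ntpath

# Lines copied from the DDS log posted in this thread. The uRun line is an
# assumption: it is built from the RogueKiller finding in Task 1 (HKCU Run
# value qebuhrkr -> qqbhwhmk.exe), which the DDS excerpt itself did not list.
SAMPLE_LOG = r"""
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
uRun: [qebuhrkr] C:\Users\Jim\AppData\Local\qqbhwhmk.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [netltr] "C:\Windows\System32\rundll32.exe" "C:\Users\Jim\AppData\Roaming\netltr.dll",GetGlobals
x64-Run: [wmapin] "C:\Windows\System32\rundll32.exe" "C:\Users\Jim\AppData\Roaming\wmapin.dll",EOFError
"""

# mRun / uRun / x64-Run lines: "<hive>: [<value name>] <command line>"
RUN_LINE = re.compile(r'^(?P<hive>\S*Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$', re.M)
# DDS prints policy values as hex DWORDs, e.g. "dword:145"
POLICY_LINE = re.compile(r'^mPolicies-System: (?P<key>\w+) = dword:(?P<val>[0-9a-fA-F]+)$', re.M)
# First file reference in a command line: either a quoted path or an unquoted
# one ending in an executable extension (DDS prints many launchers unquoted).
FIRST_PATH = re.compile(
    r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|com|scr|bat|cmd|vbs|js)))(?=[\s",]|$)', re.I)
# Directories a standard user can write to. A launcher or rundll32 payload
# here is the classic rogue-AV footprint, but some legitimate updaters live in
# AppData\Local too, so a hit is a lead to examine, not a verdict.
USER_WRITABLE = re.compile(
    r'\\(?:users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\', re.I)
# Signed Windows binaries that exist only to load somebody else's code.
HOSTS = {"rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}


def first_path(command):
    """Split a command line into (first file path, remainder)."""
    m = FIRST_PATH.match(command)
    if not m:
        return None, command
    return (m.group("q") or m.group("u")), command[m.end():]


def parse_run_entries(log):
    """Return every Run entry with its launcher and, for script/DLL hosts,
    the payload the host is told to load (rundll32 "<dll>",Export)."""
    entries = []
    for m in RUN_LINE.finditer(log):
        launcher, rest = first_path(m.group("cmd"))
        payload = None
        if launcher and ntpath.basename(launcher).lower() in HOSTS:
            payload, _ = first_path(rest)
        entries.append({"hive": m.group("hive"), "name": m.group("name"),
                        "launcher": launcher, "payload": payload})
    return entries


def suspicious_entries(entries):
    """Keep the entries whose effective target lives in a user-writable path."""
    hits = []
    for e in entries:
        target = e["payload"] or e["launcher"]
        if target and USER_WRITABLE.search(target):
            if e["payload"]:
                reason = "host %s loads %s from a user-writable directory" % (
                    ntpath.basename(e["launcher"]), ntpath.basename(target))
            else:
                reason = "autostart target lives in a user-writable directory"
            hits.append(dict(e, reason=reason))
    return hits


# Expected on a default Windows 7 install: UAC enabled, admins prompted
# (any non-zero ConsentPromptBehaviorAdmin prompts; 0 elevates silently),
# and prompts shown on the secure desktop.
UAC_EXPECTED = {"EnableLUA": lambda v: v == 1,
                "ConsentPromptBehaviorAdmin": lambda v: v != 0,
                "PromptOnSecureDesktop": lambda v: v == 1}


def parse_policies(log):
    return {m.group("key"): int(m.group("val"), 16) for m in POLICY_LINE.finditer(log)}


def uac_findings(policies):
    """(policy, value) pairs that do not match the expected safe setting."""
    return sorted((k, v) for k, v in policies.items()
                  if k in UAC_EXPECTED and not UAC_EXPECTED[k](v))


def triage(log):
    return {"persistence": suspicious_entries(parse_run_entries(log)),
            "uac": uac_findings(parse_policies(log))}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["persistence"]:
        print("%s [%s]: %s" % (e["hive"], e["name"], e["reason"]))
    for key, val in result["uac"]:
        print("UAC weakened: %s = %d" % (key, val))
```

On the live machine the same two checks are made against the registry itself (the Run keys under HKLM, HKCU and Wow6432Node, and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) rather than a log; the user-writable-path heuristic is a lead and not a verdict, which is why the instructions have you uncheck anything RogueKiller shows that is not in the list.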

I will do this when I get home from the office today.


Step 3 actually wiped it out entirely. I did follow through with the other two steps but I read through the logs and there is nothing eventful. It is gone. How many times have you dealt with this in the past that you knew exactly what to do? Who developed this, the "companies" that provide support? It doesn't seem to be a very damaging bit of spyware/malware, just an absolute nuisance that attaches itself to the registry.


Please get me the RKreport log & the Rkill.txt log and copy & paste into a new reply for my review.

And I am urging you to please DO Task 4 & Task 5 and post those logs as well.

We need to be sure there are no remainders.

The task 3 "batch" is my own, based upon reading your original logs. Those "malwares" are obvious based upon much extensive experience.


How is it going? Are you still with us ?


I finished the rest, and reviewed the logs. I made the determination myself based on the clean final logs that it was completed, thanks for the help.


We can wrap this up now.

The following few steps will remove tools we used. Advise me after you have completed the cleanups.

  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

ERUNT you should keep and use periodically to backup Windows registry.

Safer practices & malware prevention

We are finished here. Best regards.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
