Solved Serious problem: Possible rootkit eating up my disc space

October 29, 2012 at 12:22:04
Specs: Windows 7, Intel Core i3 CPU M 330 @ 2.13GHz / 3.00 GB (2.86 GB usable) RAM

Hello,

First, let me just say that I'm not a computer expert by any means, so please "dumb down" any replies so I can understand them. Thanks.

Just the other day there was a pop-up saying my disc space was getting low. I thought maybe I had downloaded a file that was larger than I had thought, so I went through and deleted almost every file off my computer. Now I only have 11.3 GB of music and 262 MB worth of documents on here.

I ran TDSSKiller and came up with 174 found threats, all of which were of medium risk. I opted to delete said risks and went through the process till it was time to reboot. Shutting down and booting back up went smoothly until I came to the Windows logo screen, which is when the BSOD promptly decided to rear its head. The only way to get the computer to even boot back up is to choose a restore point through Rollback Rx. TDSSKiller finds the threats, but apparently can't delete them.

I tried using Rollback Rx to rollback to the earliest snapshot, which was taken over a year ago, but the problem still persists. I then returned it to the latest snapshot and ran various anti-rootkit and anti-virus programs such as UnHackMe, Avira, RUBotted, etc. I managed to free up 30 GB of disk space by doing this, but it has slowly started shrinking again and I am now down to 25 GB.

Can anyone help me fix this problem? Thank you in advance to anyone who has any idea what's going on and can help me get back on the right track.
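As an added example that is not part of the original post or of any reply in this thread: a small Python 3 script for exactly the situation described, free space shrinking between check-ins. It uses only the standard library and assumes it is run on the affected machine (or against a copy of its files). The readings in it are constructed to look like the figures reported in this thread; they are not measured values.

```python
# Added example (not from the thread): two things a responder wants when free
# space keeps shrinking, as it does in this thread. free_space_trend() turns a
# series of free-space readings into a loss rate, and biggest_directories()
# ranks directories by everything underneath them, hidden files included, so
# the consumer can be located instead of guessing which user files to delete.
# The readings below are constructed in the same form as the ones posted here.
import os
import shutil
from datetime import datetime

SAMPLE_READINGS = [                      # (when checked, GB free) - constructed
    (datetime(2012, 10, 29, 12, 22), 25.0),
    (datetime(2012, 10, 30, 8, 41), 20.4),
    (datetime(2012, 10, 30, 10, 43), 19.4),
]


def free_space_trend(readings):
    """Return (total_loss_gb, loss_gb_per_hour) over the sample window."""
    (first_t, first_gb), (last_t, last_gb) = readings[0], readings[-1]
    hours = (last_t - first_t).total_seconds() / 3600
    loss = first_gb - last_gb
    return loss, (loss / hours if hours > 0 else 0.0)


def current_free_gb(path):
    """Read the live free-space figure for the volume containing `path`."""
    return shutil.disk_usage(path).free / 1024 ** 3


def aggregate_by_directory(file_sizes):
    """file_sizes: {file path: bytes}. Returns {directory: bytes incl. subdirs}.

    Paths are split on '/' after normalising os.sep, so the same function works
    on Windows and POSIX paths and on constructed inputs.
    """
    totals = {}
    for path, size in file_sizes.items():
        parts = path.replace(os.sep, "/").split("/")
        for depth in range(1, len(parts)):
            directory = "/".join(parts[:depth]) or "/"
            totals[directory] = totals.get(directory, 0) + size
    return totals


def collect_file_sizes(root):
    """Walk `root` and record every file's size; hidden files are included
    because os.walk does not skip them, unlike a casual Explorer view."""
    sizes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                sizes[full] = os.lstat(full).st_size   # lstat: do not follow links
            except OSError:
                continue                               # locked or vanished file
    return sizes


def biggest_directories(root, top=10):
    """Rank directories under `root` by total bytes, largest first."""
    totals = aggregate_by_directory(collect_file_sizes(root))
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]


if __name__ == "__main__":
    loss, rate = free_space_trend(SAMPLE_READINGS)
    print(f"lost {loss:.1f} GB, about {rate:.2f} GB per hour")
    print(f"free now: {current_free_gb(os.sep):.1f} GB")
    for directory, size in biggest_directories(os.path.expanduser("~"), top=5):
        print(f"{size / 1024 ** 2:10.1f} MB  {directory}")
```

Run it once, note the free figure, and run it again an hour later: a steady loss rate with no matching growth in any user directory points at something outside the user's own files (a log, a dump, a pagefile, or a hidden tree), which is the kind of question the helper's Unhide step is meant to answer.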


#1
October 29, 2012 at 15:58:27

Please copy & paste instructions into a text file, print steps & info. You will need them, as they are hard to remember, for when you are offline.

The baddies are always ahead of the goodies; be aware that this can be a very long process, involving many different tools to clean up an infected comp.
Some infections are unremovable.
Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc.
The use of the computer is the primary factor in the decision whether to re-format and re-install, or just disinfect.
http://www.dslreports.com/faq/10063
How to report ID theft, fraud, drive-by installs, hijacking and malware?
http://www.dslreports.com/faq/10451
Change your router password if it is not strong or still uses the default one.
Hack lets intruders sneak into home routers
http://tinyurl.com/4pz64fc
http://compnetworking.about.com/od/...

If you do decide to reinstall, make sure you delete ALL partitions & format to NTFS.
D to Delete the selected partition ( XP )
http://www.blackviper.com/os-instal...
W7 - Click on > Drive options (advanced) Then highlight each partition & hit > Delete.
http://www.blackviper.com/os-instal...
http://www.blackviper.com/os-instal...
Here are some examples of why you delete all partitions.
http://forums.spybot.info/showthrea...
http://forums.whatthetech.com/index...
http://blog.eset.com/2011/10/18/tdl...

As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.

If any program won't run, let me know. Post the log/logs after each run.
Screenshots ( SS ) may also be requested, or if you want to illustrate a point yourself, use the uploader.
If any of the logs are too large, upload them to a site of your choosing, or all can be done with this. I use Imgur.com
Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://zenden.ws/imageuploader_ru

After each fix or change we make, let me know how the comp is running. Example: Still cannot boot into Normal mode.


#2
October 29, 2012 at 16:02:23

OK, let's start.

1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

2: Reboot

3: Please download and run ListParts
Please download and run ListParts by Farbar (for 32-bit system):
http://download.bleepingcomputer.co...
Please download and run ListParts64 by Farbar (for 64-bit system):
http://download.bleepingcomputer.co...
Click on the Scan button.
The scan results will open in Notepad.
Post those results in your next reply.


#3
October 29, 2012 at 17:03:16

I ran UnHide and rebooted my computer normally. Then I downloaded ListParts but was unable to run it. After starting the program and clicking "scan", an error message pops up.

AutoIt Error

Line 1045 (File "C:\Users\NCS Customer\Downloads\ListParts.exe"):

Error: Error parsing function call.


#4
October 29, 2012 at 17:16:00

Did you download the correct version?

Try right clicking & run as Administrator.


#5
October 29, 2012 at 17:20:12

I downloaded the 32-bit version, which is what my computer is. I tried running as Administrator but still get the same error message.

#6
October 29, 2012 at 17:23:40

OK, let's move on.

4: Run ESET & post the log please. This scan may take a very long while, so please be patient. Start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop.


#7
October 29, 2012 at 21:02:30

ESET log:

# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1538 16774142 20 3 26019950 179160393 0 0
# compatibility_mode=2304 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 100 94 0 103102494 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=13124
# found=0
# cleaned=0
# scan_time=753
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=41473
esets_scanner_update returned -1 esets_gle=41473
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=e84e32caef342c48b10c2257aa917a0c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-10-30 04:00:22
# local_time=2012-10-30 12:00:22 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1538 16774142 20 3 26027047 179167490 0 0
# compatibility_mode=2304 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 100 94 0 103109591 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=107887
# found=0
# cleaned=0
# scan_time=4822


#8
October 30, 2012 at 00:38:48

Thanks for the log.

5: Post the TDSSKiller log please.

6: Also the Dump file please.

Dump Files Windows 7
http://www.petri.co.il/memory-dump-...


#9
October 30, 2012 at 00:47:22

7: Run ComboFix
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

#10
October 30, 2012 at 01:44:47

"After starting the program and clicking "scan", an error message pops up"
I just downloaded the program & ran it; the same message was there, but the file > Result < was put on the desktop & is good.

#11
October 30, 2012 at 08:41:02

Computer is still running the same, though my disk space is now down to 20.4 GB. I will start ComboFix once I post this.

TDSSKiller Log:

https://docs.google.com/0B2oSYfAYxs...

I was unable to find "Memory.dmp" and "C:\Windows\Minidump" is empty.

ListParts results:

ListParts by Farbar Version: 28-10-2012
Ran by NCS Customer (administrator) on 29-10-2012 at 21:22:54
Windows 7 (X86)
Running From: C:\Users\NCS Customer\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 49%
Total physical RAM: 2933.14 MB
Available physical RAM: 1489.93 MB
Total Pagefile: 5864.57 MB
Available Pagefile: 4109.71 MB
Total Virtual: 2047.88 MB
Available Virtual: 1959.27 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:232.88 GB) (Free:22.03 GB) NTFS ==>[Drive with boot components (obtained from BCD)]


#12
October 30, 2012 at 09:56:48

"TDSSKiller Log:

https://docs.google.com/0B2oSYfAYxs.

Link doesn't work.


#13
October 30, 2012 at 10:05:26

"I was unable to find "Memory.dmp" and "C:\Windows\Minidump" is empty."
Make sure you have it set up for either a Mini or a Kernel Memory dump for the next blue screen.

How to Configure Windows to Create a Dump File when you get a BSOD
http://www.sevenforums.com/tutorial...

NO KERNEL MEMORY DUMP FILES BEING PRODUCED UPON BSOD?
http://www.techsupportforum.com/for...

Windows does not save memory dump file after a crash
http://support.microsoft.com/kb/130536


#14
October 30, 2012 at 10:43:38

Disk space down to 19.4 GB free.

TDSSKiller log (new link): https://www.dropbox.com/s/x5ldxzqsi...

My computer is now configured to create a mini dump file for the next blue screen.

ComboFix log:

https://www.dropbox.com/s/3c6k1ra9b...

Please let me know if either link doesn't work.


#15
October 30, 2012 at 11:00:26

"TDSSKiller log (new link)"
Run TDSSKiller again, this time Quarantine or Remove or Delete the problem files it finds.

#16
October 30, 2012 at 11:03:37

"Please let me know if either link doesn't work"
Links good, thanks. You have a lot of infection.

#17
October 30, 2012 at 11:07:10

I copied all to quarantine. New log:

https://www.dropbox.com/s/jrxys8xn7...


#19
October 30, 2012 at 11:49:04

Scanned with RogueKiller, report:

RogueKiller V8.2.1 [10/29/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/file...
Website: http://tigzy.geekstogo.com/roguekil...
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : NCS Customer [Admin rights]
Mode : Scan -- Date : 10/30/2012 14:46:57

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[TASK][SUSP PATH] RunAsStdUser Task : "C:\Users\NCS Customer\AppData\Local\gigglinggamesSA\bin\1.0.6.0\GigglingGamesSA.exe" -> FOUND
[TASK][SUSP PATH] {3FE82F51-370B-4BA3-88FC-AC0DF21E81F9} : C:\Windows\System32\pcalua.exe -a "C:\Users\NCS Customer\Desktop\SimsPets\Sims3EP05Setup.exe" -d "C:\Users\NCS Customer\Desktop\SimsPets" -> FOUND
[TASK][SUSP PATH] {D15F0A1A-F331-4092-86F5-B1C9B8E7203B} : C:\Windows\System32\pcalua.exe -a "C:\Users\NCS Customer\Desktop\Unused Desktop Shortcuts\Learning the Ropes @ PA Cyber\SimsPets\Sims3EP05Setup.exe" -d "C:\Users\NCS Customer\Desktop\Unused Desktop Shortcuts\Learning the Ropes @ PA Cyber\SimsPets" -> FOUND
[STARTUP][SUSP PATH] 2YourFace_Updater.lnk @NCS Customer : C:\Users\NCS Customer\AppData\Roaming\2YourFace\Updater.exe -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2565GSX ATA Device +++++
--- User ---
[MBR] 35ed3858e6d277ad7430732544d1cb03
[BSP] 562ba0354d0157074dce3f0688f436d5 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238471 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 35e9182188e52266a8b2ae9846c083e0
[BSP] 650c5f56da8a00d9f6e293d29021b1f1 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238471 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 35e9182188e52266a8b2ae9846c083e0
[BSP] 650c5f56da8a00d9f6e293d29021b1f1 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238471 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt
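Added example, not part of the thread and not RogueKiller's own code: a Python 3 parser for the kind of report just posted, showing how the MBR check can be read mechanically rather than by eye. It assumes the report layout shown above (the `--- User ---` / `--- LL1 ---` / `--- LL2 ---` sections with `[MBR]` and `[BSP]` hashes and the `[HJ] ... -> FOUND` registry lines); the sample text is built from those lines, and the `POLICY_MEANING` table is my own annotation of two of the flagged registry values, not something the scanner outputs.

```python
# Added example, not from the thread and not RogueKiller's own code: parse the
# "Registry Entries" and "MBR Check" parts of a RogueKiller-style report.
# The sample text is constructed from the lines posted above. The MBR check
# reads the first sector three ways (Windows API = "User", two lower-level
# paths = "LL1"/"LL2"); if the hashes disagree, something between the API and
# the disk is filtering reads, which is what the report's "KO!" lines flag.
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = r"""
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
+++++ PhysicalDrive0: TOSHIBA MK2565GSX ATA Device +++++
--- User ---
[MBR] 35ed3858e6d277ad7430732544d1cb03
[BSP] 562ba0354d0157074dce3f0688f436d5 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238471 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 35e9182188e52266a8b2ae9846c083e0
[BSP] 650c5f56da8a00d9f6e293d29021b1f1 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238471 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 35e9182188e52266a8b2ae9846c083e0
[BSP] 650c5f56da8a00d9f6e293d29021b1f1 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238471 Mo
"""

# My annotation (an assumption, not scanner output) of two flagged values.
POLICY_MEANING = {
    ("EnableLUA", "0"): "User Account Control is switched off",
    ("ConsentPromptBehaviorAdmin", "0"): "administrators elevate with no prompt",
}

SECTION_RE = re.compile(r"^--- (\w+) ---$")
HASH_RE = re.compile(r"^\[(MBR|BSP)\] ([0-9a-f]{32})(?: : (.*))?$")
PART_RE = re.compile(r"^(\d+) - \[(\w+)\] (\S+) \((0x[0-9A-Fa-f]+)\) \[(\w+)\] "
                     r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$")
REG_RE = re.compile(r"^\[(HJ|HJPOL)\] (.+?) : (\w+) \((\d+)\) -> FOUND$")


@dataclass
class MbrView:
    name: str                # "User", "LL1" or "LL2": which read path was used
    mbr_md5: str = ""        # hash of the whole 512-byte sector
    bsp_md5: str = ""        # hash of the boot-strap code only
    bsp_desc: str = ""       # scanner's description of that code
    partitions: list = field(default_factory=list)


def parse_report(text):
    """Return (views by name, list of (key, data, meaning) policy findings)."""
    views, policies, current = {}, [], None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = MbrView(m.group(1))
            views[current.name] = current
        elif m := REG_RE.match(line):
            _kind, key, value, data = m.groups()
            meaning = POLICY_MEANING.get((value, data), "flagged by scanner")
            policies.append((f"{key}\\{value}", data, meaning))
        elif current and (m := HASH_RE.match(line)):
            kind, digest, desc = m.groups()
            if kind == "MBR":
                current.mbr_md5 = digest
            else:
                current.bsp_md5, current.bsp_desc = digest, desc or ""
        elif current and (m := PART_RE.match(line)):
            idx, status, fs, ptype, vis, offset, size_mb = m.groups()
            current.partitions.append({
                "index": int(idx), "active": status == "ACTIVE", "fs": fs,
                "type": int(ptype, 16), "visible": vis == "VISIBLE",
                "offset_sectors": int(offset), "size_mb": int(size_mb)})
    return views, policies


def assess_mbr(views):
    """Compare each low-level view's sector hash against the Windows API view."""
    if "User" not in views:
        raise ValueError("report has no User view to compare against")
    user = views["User"]
    mismatched = [n for n, v in views.items()
                  if n != "User" and v.mbr_md5 != user.mbr_md5]
    return {"consistent": not mismatched,
            "mismatched_views": mismatched,
            "api_code": user.bsp_desc,
            "lowlevel_code": sorted({views[n].bsp_desc for n in mismatched})}


if __name__ == "__main__":
    views, policies = parse_report(SAMPLE_REPORT)
    for key, data, meaning in policies:
        print(f"policy {key} = {data}: {meaning}")
    verdict = assess_mbr(views)
    print("MBR consistent across read paths:", verdict["consistent"])
    if not verdict["consistent"]:
        print(f"API view: {verdict['api_code']!r}; "
              f"low-level views: {verdict['lowlevel_code']}")
```

The telling combination is that the API view reports standard Windows 7 MBR code while both lower-level reads return a different sector with unknown boot code: a reader going through the normal Windows path is shown a clean sector that is not what is on the disk. That is consistent with the report's own "Infection : Root.MBR" line, and a clean machine gives identical hashes on all three paths, which the parser reports as consistent.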


#20
October 30, 2012 at 11:55:17
✔ Best Answer

9: Run aswMBR
http://public.avast.com/~gmerek/asw...
aswMBR is the rootkit scanner that scans for TDL4/3 and MBRoot (Sinowal) rootkits.
How to scan
Download aswMBR.exe to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
Click the "Fix" in case of infection
Important > you need to wait for the tool to report ... Infection fixed successfully
Do not reboot the machine until it has said so.
Save the aswASW.log to the desktop

#21
October 30, 2012 at 12:19:52

"Then I downloaded ListParts but was unable to run it. After starting the program and clicking "scan", an error message pops up"
I reported that error to Farbar & he has fixed it.

#22
October 30, 2012 at 13:54:40

The scan with aswMBR just completed, saved the log, I clicked "Fix", then restarted my computer once it said the infection was fixed successfully. After the reboot was complete, it appears that my computer was rolled back to the first rollback snapshot, though I did not notice rollback running. None of the programs you had me install are still on my computer, nor are any of my documents, including the aswMBR log.

There is now 215 GB free of 232 GB on my disk.

Is it safe to use rollback to return it to last snapshot, or is there something else I should do?


#23
October 30, 2012 at 15:45:10

Windows Update won't run and neither will Rollback Rx. Windows Update says:

"Windows Update cannot currently check for updates, because the service is not running. You may need to restart your computer."

It still says this after a reboot. Rollback Rx will not open when selected from the start menu, nor does it appear as normal when the computer is rebooting. There is a pop-up saying:

"InitProtectSysData FAILED"

The disk space also lost 1 GB already, though I'm not sure if that is to be expected or not.


#24
October 30, 2012 at 16:31:56

" nor are any of my documents"
Do you mean important personal doc's?

Is MBR.dat on the desktop?

"Is it safe to use rollback to return it to last snapshot"
Do you mean System Restore?
http://windows.microsoft.com/en-AU/...
http://www.sevenforums.com/tutorial...


#25
October 30, 2012 at 16:34:07

Sorry, whilst I was thinking you posted.

#26
October 30, 2012 at 16:42:08

I will wait until you answer my questions, other than about Rollback Rx.

#27
October 30, 2012 at 16:47:32

Yes, I mean my personal documents. No, MBR.dat is not on the desktop. Rollback Rx is a program that is similar to System Restore, in that it creates restore points that you can use to undo changes to your computer.

#28
October 30, 2012 at 16:53:28

"Rollback Rx is a program that is similar to System Restore"
Yep, I googled that.

"Yes, I mean my personal documents"
Are you saying you haven't got backups?

Try System Restore then.
You will then go back to an infected comp again, not as bad as before, but still with more work to be done.


#29
October 30, 2012 at 17:21:35

System Restore was turned off so there are no restore points to go back to even if I had wanted to. I have it turned on now, and also created a restore point.

I'm not worried about getting my documents back as I have most of them backed-up on data discs and can easily copy them back to my computer. I just wasn't sure if they were supposed to have disappeared or not.

What about Windows Update and Rollback Rx no longer working though? I haven't really noticed anything else wrong yet.


#30
October 30, 2012 at 17:41:59

"What about Windows Update"

Tweaking.com - Windows Repair
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.tweaking.com/
http://www.tweaking.com/content/pag...
Malware and installed programs can modify your default settings. Tweaking.com - Windows Repair is the tool you need to restore Windows original settings.

Check/tick these when you get to > Start Repairs. Read the instructions first.

Remove Policies Set By Infections
Repair Windows Updates


#31
October 30, 2012 at 17:43:37

"Rollback Rx"
After doing the above, if needed, reinstall.

#32
October 30, 2012 at 20:59:47

After running Windows Repair, Windows Update and everything else seems to be working fine. Disk space is down to 210 GB free, but could that just be from installing my antivirus, etc.? I changed the parameters on TDSSKiller and checked/ticked:

>Verify file digital signatures
>Detect TDLFS file system

I selected skip on all. Log:

https://www.dropbox.com/s/dxh8kf5j1...


#34
October 30, 2012 at 21:53:23

"Disk space is down to 210 GB free but could that just be from installing my antivirus"
Down from what to 210 GB? I don't keep going back & rereading every post; I try & remember what I have done.

#35
October 30, 2012 at 21:57:27

Down from 216 GB. Trend Micro RootkitBuster log:

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 5.0.0.1083
| Computer Name: PACYBER-VNXJSGV
| OS version: 6.1-7600
| User Name: NCS Customer
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
No hidden operating system service hooks found.

--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
No kernel code patching detected.

--== Dump Hidden Services ==--
No hidden services found.


#36
October 30, 2012 at 22:14:35

Looking good, nearly finished.

11: A lot of programs now give you the choice to install toolbars & other items during the install. Either uncheck these items during install, or use Custom.
Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://general-changelog-team.fr/en...
http://www.raymond.cc/blog/adwclean...
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.


#37
October 30, 2012 at 22:34:25

AdwCleaner Log:

# AdwCleaner v2.005 - Logfile created 10/31/2012 at 01:28:38
# Updated 14/10/2012 by Xplode
# Operating system : Windows 7 Professional (32 bits)
# User : NCS Customer - PACYBER-VNXJSGV
# Boot Mode : Normal
# Running from : C:\Users\NCS Customer\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16385

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\NCS Customer\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2033 octets] - [31/10/2012 01:28:16]
AdwCleaner[S1].txt - [1522 octets] - [31/10/2012 01:28:38]

########## EOF - C:\AdwCleaner[S1].txt - [1582 octets] ##########


#38
October 30, 2012 at 22:40:13

12: Run HijackThis ( HJT )
http://sourceforge.net/projects/hjt/
How to Use HiJackThis
http://www.wikihow.com/Use-HiJackThis
13: Run OTL by OldTimer
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://www.smokey-services.eu/forum...
http://www.smokey-services.eu/forum...
http://oldtimer.geekstogo.com/OTL.exe
http://www.geekstogo.com/1888/otl-b...
Make sure all other windows and applications are closed and to let it run uninterrupted.
Save it to your desktop.
Double click on the icon on your desktop.
# Click the "Scan All Users" checkbox.
# When the window appears, underneath Output at the top change it to Minimal Output.
# Check the boxes beside LOP Check and Purity Check.
# Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
* When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. Post them please.

14: Run Malwarebytes' Anti-Malware ( MBAM ) Use Quick scan. Post log please.
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.malwarebytes.org/mbam.php
http://www.spywareinfoforum.com/ind...
http://www.bleepingcomputer.com/vir...
If your MBAM log indicates "No action taken.", that's usually a result of NOT clicking the Remove Selected button after the scan.
Quick Scan versus Full Scan
http://forums.malwarebytes.org/inde...


#39
October 30, 2012 at 23:07:38

OTL logs:

https://www.dropbox.com/s/tyygptjrh...
https://www.dropbox.com/s/090qa8zvd...

MBAM log:

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.30.09

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
NCS Customer :: PACYBER-VNXJSGV [administrator]

Protection: Enabled

10/31/2012 2:01:24 AM
mbam-log-2012-10-31 (02-01-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 212095
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


#40
October 30, 2012 at 23:36:34

Waiting on HJT log.

#41
October 31, 2012 at 05:44:08

HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:43:12 AM, on 10/31/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16722)
Boot mode: Normal

Running processes:
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Connectify\ConnectifyService.exe
C:\Program Files\PHotkey\PVDAgent.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\InetCntrl\InetCntrl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Connectify\Connectifyd.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\NCS Customer\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myschool.pacyber.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [AmIcoSinglun] C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [M86_MC] C:\Windows\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [shield] C:\Program Files\shield\shieldtray.exe
O4 - HKLM\..\Run: [PSUAMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAMain.exe" /LaunchSysTray
O4 - HKLM\..\Run: [Panda Security URL Filtering] "C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/get...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\PHotkey\ASLDRSrv.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: GFNEX Service (GFNEXSrv) - Unknown owner - C:\Program Files\PHotkey\GFNEXSrv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: M86 Security Mobile Client Updater Agent (M86_MCIA) - Unknown owner - C:\Windows\system32\8e6mcu\8e6mcia.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Panda Product Service (PSUAService) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SHDSERV - Unknown owner - C:\Program Files\shield\shdserv.exe
O23 - Service: Shield Client Service (ShieldClientService) - Unknown owner - C:\Program Files\shield\shieldclnt.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: WTouch Service (WTouchService) - Wacom Technology, Corp. - C:\Program Files\WTouch\WTouchService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10370 bytes


#42
October 31, 2012 at 06:00:08

Open HJT & put a check mark next to this & then click > Fix checked.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


#43
October 31, 2012 at 06:04:32

Run OTL

Under the Custom Scans/Fixes box at the bottom, Copy & Paste the following.

:OTL
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

Then click the Run Fix button at the top.
Let the program run unhindered, reboot the PC when it is done.
You will get a log that shows the results of the fix. Please post it.


#44
October 31, 2012 at 07:36:49

OTL log:

Error: Unable to interpret <FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found> in the current context!
Error: Unable to interpret <FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found> in the current context!
Error: Unable to interpret <FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found> in the current context!

OTL by OldTimer - Version 3.2.70.2 log created on 10312012_103155


#45
October 31, 2012 at 14:02:49

Ok Mmai, let's try a different way.

15: Run Wise Disk Cleaner (run the first three tabs, left to right. I use default settings; leave boxes that are unchecked, unchecked).
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://www.wisecleaner.com/download...


#46
October 31, 2012 at 14:29:56

Alright, I ran the common cleaner, advanced cleaner, and slimming system tabs. Something was found and deleted in each of them.

#47
October 31, 2012 at 14:44:37

16: Run Wise Registry Cleaner (use only Registry Cleaner with default settings).
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.wisecleaner.com/wiseregi...

#48
October 31, 2012 at 15:39:52

Ran registry cleaner. 223 issues found, all solved.

#49
October 31, 2012 at 15:45:39

Trying to work out why the script in my post #43 didn't work.

:OTL had to be included, give it another try please.

Also try OTL: instead of :OTL


#50
October 31, 2012 at 15:57:20

Ran OTL fix again. Log:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=\ deleted successfully.

OTL by OldTimer - Version 3.2.70.2 log created on 10312012_185755


#51
October 31, 2012 at 15:59:46

Ok, shall leave that for now.

17: Run Auslogics Registry Cleaner. I tick all the boxes.
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.auslogics.com/en/softwar...


#52
October 31, 2012 at 16:09:33

Scanned and repaired 594 out of 616 errors.

#53

#54
October 31, 2012 at 16:36:18

Ran MV RegClean. Found and removed 603 errors.

#55
October 31, 2012 at 16:37:56

Very good, nearly finished.

19: Run Vit Registry Fix Free Edition
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.vitsoft.org.ua/Eng/vit-r...
At the end of the scan, once you have gone through the 4 steps as per the screenshots I uploaded, step 5 is offered & the cleaning is repeated. Step 5 may be offered again & again, until finally it is happy there are no more files to remove.
http://i.imgur.com/jHmE2.gif
http://i.imgur.com/nyKC9.gif
http://i.imgur.com/kiA3O.gif
http://i.imgur.com/8XIFg.gif
http://i.imgur.com/7LJ5V.gif


#56
October 31, 2012 at 16:51:51

Ran 3 times, 152 errors found and fixed.

#57
October 31, 2012 at 16:52:44

20: Run TFC
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

#58
October 31, 2012 at 17:04:18

Ran and rebooted, 48 MB deleted.

#59
October 31, 2012 at 17:11:46

21: Download Security Check by screen317 from one of the following links and save it to your desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Save it to your Desktop.
* Double click SecurityCheck.exe. If you run Windows Vista or 7, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; please post the contents of that document.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

#60
October 31, 2012 at 17:26:19

Security Check by screen317 log:

Results of screen317's Security Check version 0.99.54
Windows 7 x86 (UAC is disabled!)
Out of date service pack!! (http://windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Firewall Disabled!
Panda Cloud Antivirus
avast! Antivirus
Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Toolbar Cleaner 1.0
Wise Disk Cleaner 7.67
Wise Registry Cleaner 7.52
Auslogics Registry Cleaner
Java(TM) 6 Update 24
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Google Chrome 22.0.1229.96
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Panda Security Panda Cloud Antivirus PSANHost.exe
Panda Security Panda Cloud Antivirus PSUAService.exe
Panda Security Panda Cloud Antivirus PSUAMain.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````


#61
October 31, 2012 at 17:40:34

These are security risks & need updating.
Java(TM) 6 Update 24
Java version out of Date
Adobe Reader out of Date

Let me know which AV ( Avast or Panda ) you want to keep, you can only have one.

Malwarebytes will not clash with either, because it is not a full AV.


#62
October 31, 2012 at 17:47:49

Oops, missed this.

windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1
Out of date service pack!!


#63
October 31, 2012 at 18:24:37

22: Start > Run, Copy and Paste > ComboFix /uninstall and click OK.
Qoobox is a folder created by Combofix to quarantine any infected files.
Do a search to make sure no Combofix files remain.
Use this for searching, I have it open all the time.
UltraSearch
http://www.softpedia.com/get/File-m...
http://www.softpedia.com/progScreen...
http://www.jam-software.com/ultrase...

23: Download the latest version of Combofix & run again.

24: "Down from 216 GB"
Let's check your Temp file settings in your Browsers & Java. Also the Hibernate option.
Reduce your Java Cache (I have mine set at 100 MB).
http://steveshank.com/cgi-bin/artic...
Dumping Java cache improves browser performance
http://windowssecrets.com/2009/11/1...
Managing your Internet Explorer Temporary Internet Files
http://www.bleepingcomputer.com/tut...
Amount of Disk Space to Use.
This shows the amount of disk space that will be allocated for your Temporary Internet Files. By default Windows uses 10 percent of your Windows system partition. This amount can be significant if you use the 10 percent model. It is advised that you change this setting to a lower number such as 50 MB.
If your computer is NOT a laptop/notebook then you can stop Hibernate.
Hibernation reserves disk space equal to your RAM.
How To: Enable Or Disable Hibernate Option In Windows 7
http://www.intowindows.com/how-to-e...
The only surefire method of disabling Hibernate, and thus removing hiberfil.sys, on Windows Vista and Windows 7, is through the command prompt and the following steps:
http://www.techrepublic.com/blog/it...

25: Malware Prevention
http://www.malwarevault.com/index.html
"There is no magic involved. The majority of malware is installed by the user themselves"


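
As an added example, not from the thread or from any of the tools it names, here is a read-only PowerShell inventory of the disk consumers that step 24 walks through (hiberfil.sys against installed RAM, the Temporary Internet Files quota, the Java cache cap, the user temp folder that TFC empties, and shadow-copy storage), so the shrinking free space can be attributed before anything is deleted. The 50 MB and 100 MB reference figures come from the thread; the registry value name (CacheLimit), the Java property name (deployment.cache.max.size) and the LocalLow path are standard Windows 7 / Java 6 locations assumed here, not stated on the page.

```powershell
# Added example, not from the thread or any tool it names: a read-only inventory
# of the disk consumers step 24 walks through. Assumes Windows 7 with the stock
# PowerShell 2.0 (hence WMI cmdlets and no -File switch). The registry value and
# Java property names below are standard locations assumed here, not from the thread.

function Get-FolderSizeMB {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    $m = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer } |
         Measure-Object -Property Length -Sum
    if (-not $m -or -not $m.Sum) { return 0 }
    return [math]::Round($m.Sum / 1MB, 1)
}

$os    = Get-WmiObject Win32_OperatingSystem
$ramMB = [math]::Round($os.TotalVisibleMemorySize / 1KB)      # WMI reports this in KB
$disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
"{0} free: {1} MB of {2} MB" -f $env:SystemDrive, [math]::Round($disk.FreeSpace / 1MB), [math]::Round($disk.Size / 1MB)

# 1. hiberfil.sys: the thread notes hibernation reserves space equal to RAM.
$hib = Get-Item -LiteralPath "$env:SystemDrive\hiberfil.sys" -Force -ErrorAction SilentlyContinue
if ($hib) { "hiberfil.sys: {0} MB (installed RAM {1} MB)" -f [math]::Round($hib.Length / 1MB), $ramMB }
else      { "hiberfil.sys: absent (hibernation is off)" }

# 2. Temporary Internet Files: IE stores the quota as CacheLimit (in KB) under the
#    per-user Internet Settings key; the thread suggests lowering it to 50 MB.
$cacheKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content'
$limitKB  = (Get-ItemProperty -Path $cacheKey -ErrorAction SilentlyContinue).CacheLimit
if ($limitKB) { "IE cache quota: {0} MB (thread suggests 50 MB)" -f [math]::Round($limitKB / 1KB) }
$tif = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files'
"IE cache in use: {0} MB" -f (Get-FolderSizeMB $tif)

# 3. Java cache: capped by deployment.cache.max.size (MB, -1 = unlimited) in the
#    user's deployment.properties; the thread's helper keeps his at 100 MB.
$javaDir = Join-Path ($env:LOCALAPPDATA + 'Low') 'Sun\Java\Deployment'   # LocalLow on Windows 7
$cap   = 'unset (unlimited)'
$props = Join-Path $javaDir 'deployment.properties'
if (Test-Path -LiteralPath $props) {
    $hit = Select-String -Path $props -Pattern '^deployment\.cache\.max\.size=' | Select-Object -First 1
    if ($hit) { $cap = ($hit.Line -split '=', 2)[1] + ' MB' }
}
"Java cache in use: {0} MB (cap {1}; thread suggests 100 MB)" -f (Get-FolderSizeMB (Join-Path $javaDir 'cache')), $cap

# 4. User temp folder, which TFC (step 20) empties.
"User TEMP: {0} MB" -f (Get-FolderSizeMB $env:TEMP)

# 5. Shadow-copy (System Restore) storage; vssadmin needs an elevated prompt.
vssadmin list shadowstorage 2>$null | Select-String 'Used Shadow Copy Storage'
```

Run it from an elevated PowerShell before and after the cleanup steps; the consumer whose figure keeps growing between runs is the one to look at next.
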
#64
October 31, 2012 at 19:12:40

Updated Adobe Reader, updated Java and removed old version, uninstalled Panda AV and kept Avast. Installed Windows Service Pack 1 and other Windows security updates.

#65
October 31, 2012 at 19:22:20

22. After c/p and clicking ok, an error message pops up: "Windows cannot find 'ComboFix'. Make sure you typed the name correctly, and then try again."

Is this just because I installed ComboFix before the apparent rollback of my computer? Should I just install it again?

After downloading the .exe file for UltraSearch and selecting run, an error pops up saying: "The setup files are corrupted. Please obtain a new copy of the program."


#66
October 31, 2012 at 19:51:52

"After downloading the .exe file for UltraSearch and selecting run, an error pops up saying: "The setup files are corrupted. Please obtain a new copy of the program.""
Use Windows' built-in search, then download the latest ComboFix.

#67
October 31, 2012 at 20:27:05

Did everything in step 24 except stopping hibernate as this is a laptop.

ComboFix log:

https://www.dropbox.com/s/3c6k1ra9b...


#68
October 31, 2012 at 21:21:01

Combofix found a couple of minor files, how is the comp now?

#69
October 31, 2012 at 21:27:15

Seems to be working fine right now. Reboot is quick, no problem opening/using programs, Windows Update is working fine, 209 GB of disk space, and no error messages so far.

#70
October 31, 2012 at 21:34:24

Good one. To me you are clean; you now have the tools & routine of what to do in the future.
Uninstall ComboFix; they have new versions out daily.

All the best, John.


#71
October 31, 2012 at 21:35:46

Thank you very much for the help.
