3 days of fighting this virus!

March 15, 2013 at 21:23:20
Specs: Windows 7, 4GB
Hello - I turned on my computer 3 days ago and got the message "windows cannot startup - repairing computer." It finally repaired and Windows booted. As I was using my computer for a few minutes I noticed my fan spinning like crazy and the CPU usage was through the roof. I restored to a previous point multiple times, and I've scanned with AVG and Malwarebytes in both safe mode and regular mode several times. I've scanned with aswMBR and FixZeroAccess. All programs find and "remove" what appears to be the same couple of trojans. After rebooting my computer it works great, for about 5 minutes, until what seems like the trojan is again downloaded automatically - the fan kicks into high gear - and CPU usage skyrockets... I've since uninstalled AVG and reinstalled avast!. The fan has calmed permanently and the CPU usage is down, but it is only because avast! is constantly blocking 3 applications... though the computer now runs fine, the avast! software is constantly blocking the following:

1. Infection Details
URL: http://betbetbot.com/x/
Process: \\.\globalroot\systemroot\svchost.exe
Infection: URL:Mal

2. Infection Details
URL: http://freedondon.com/z/
Process: \\.\globalroot\systemroot\svchost.exe
Infection: URL:Mal

3. Infection Details
URL: http://betbetbot.com/z/
Process: \\.\globalroot\systemroot\svchost.exe
Infection: URL:Mal

I've tried EVERYTHING - I don't know where to turn :(

About every 5 seconds AVAST pops up with what is either a "Malicious URL blocked" or "Trojan Horse Blocked" message...so though my computer is working ok now, it is only because AVAST is blocking what has caused my computer to go insane........if I remove AVAST I feel as though these malicious URLs and Trojan Horses will again get through - so there is something somewhere on my computer trying to again download these things...





#1
March 16, 2013 at 00:57:38
We are going to have to start with some heavy-duty tools; with a bit of luck we can outsmart the infection & get them running.

1: Run ESET Online Scanner, Copy & Paste the contents of the log please. This scan may take a very long while, so please be patient. Start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
You may have to download ESET from a good computer, put it on a thumb drive & run it from there, if your comp is unbootable, or won't let you download.
Create an ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start → Run dialog box from the Start Menu on the desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...



#2
March 16, 2013 at 01:32:45
This is what I do when first encountering an infected computer. Remove whatever anti-virus is installed first.

rkill, adwcleaner, rkill, combofix, combofix /uninstall, tdsskiller, mbar, mbam, superantispyware, avira, hijackthis, ccleaner.

This will get rid of most anything. After that, reset internet options, create a new profile for Chrome, hold Shift and open Firefox and reset it.

All programs can be downloaded here

http://www.bleepingcomputer.com/dow...



#3
March 16, 2013 at 10:58:51
szatryan, moving to Avast was a great choice....did you run a bootscan yet?
I'm thinking that these 3 fully working free-trial utilities will help to remove the infection:
1- Malwarebytes
http://www.filehippo.com/download_m...
2- Trojan Remover
http://www.simplysup.com/tremover/d...
3- Hitman Pro
http://www.surfright.nl/en/downloads
Run them till they all run clean. It is not too time consuming and really effective.

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds




#4
March 17, 2013 at 19:32:14
thanks for all the help! I've been out of town for a couple days but am now back and will be getting hard at work on fixing my computer. I will be running ESET tonight before bed and will post the results tomorrow. Thanks again!


#5
March 18, 2013 at 12:54:27
XPUser's suggestion of the trojan trifecta seems to have done the trick! Computer is running smooth, avast! trojan alert notifications have stopped, CPU usage is down and fan is calm! Thanks for the help everyone


#6
March 18, 2013 at 16:09:21
'XPUser's suggestion of the trojan trifecta seems to have done the trick!'
Thanks, you might want to mark it as best answer so that it can help others with the same problem....thanks

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#7
March 24, 2013 at 12:24:31
@Johnw....though my computer is better and the avast! popups have stopped through the use of XPuser's trojan trifecta, I still feel like there is something on my computer. My computer fan still kicks on much more than usual and I just feel like my computer is constantly working hard. All of which is new over the past 3 weeks. Tonight, I will run ESET online scanner and post the results.


#8
March 24, 2013 at 12:35:59
try a bootscan with Avast, that usually finds problems that happen during bootup....and MOVE all it finds to the chest...DO NOT delete anything in case it is part of the OS...

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#9
March 24, 2013 at 14:54:33
"Tonight, I will run ESET online scanner and post the results"
Good one szatryan.

Can you Copy & Paste the contents of the logs on all the scans you have done please.
Malwarebytes, Trojan Remover, Hitman Pro.

Small steps are the way to go. Step by step & I can look at the log & go from there.



#10
March 24, 2013 at 15:02:10
szatryan try running the programs that I listed above, you will be surprised at what you find. If you need help with those programs let me know.


#11
March 24, 2013 at 18:04:25
Ok ESET complete...this is what I have

C:\Users\All Users\Microsoft\Windows\DRM\E3D9.tmp Win64/Olmarik.AY trojan
C:\ProgramData\Microsoft\Windows\DRM\E3D9.tmp Win64/Olmarik.AY trojan cleaned by deleting - quarantined
C:\Users\Ryan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\666bc497-5232dced Java/Exploit.CVE-2012-1723.II trojan cleaned by deleting - quarantined
C:\Users\Ryan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2c39c5-36069bae Java/Exploit.CVE-2012-1723.IZ trojan cleaned by deleting - quarantined
C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\cbp6ur0s.default\extensions\okdqcvajsy@okdqcvajsy.org.xpi JS/Redirector.NCI trojan deleted - quarantined



#12
March 24, 2013 at 18:06:52
It says Infected Files: 5
Cleaned Files: 4

I haven't closed the screen...it says:

Uninstall Application on Close
Delete Quarantined Files

It's still open, which do I choose?



#13
March 24, 2013 at 18:08:06
Malware bytes, Trojan Remover, and Hitman Pro currently run clean


#14
March 24, 2013 at 18:09:57
and they did run clean PRIOR to running this ESET program right now. So although they ran clean, this ESET is still finding 5 trojans, 4 of which were cleaned....I think that is what it's saying....

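As an added example that is not part of the thread (and not ESET's own tooling), the following Python script reads the five result lines from #11 the way a reviewer would before replying: it counts hits versus clean-up actions, which reproduces the "Infected Files: 5 / Cleaned Files: 4" figures in #12, groups the hits by detection family, and treats C:\Users\All Users as the junction to C:\ProgramData that it is on Windows Vista and later, so the one E3D9.tmp file is not counted as two. The sample lines are copied from #11 as constructed input.

```python
"""Triage ESET Online Scanner result lines of the form
"<path> <detection name> <type> [<action>]" and report what was and was
not cleaned.  Example code, not ESET's; the sample below is copied from
post #11 of the thread as constructed input."""
import re
from collections import Counter

# Constructed sample: the five result lines posted in #11.
ESET_RESULTS = r"""
C:\Users\All Users\Microsoft\Windows\DRM\E3D9.tmp Win64/Olmarik.AY trojan
C:\ProgramData\Microsoft\Windows\DRM\E3D9.tmp Win64/Olmarik.AY trojan cleaned by deleting - quarantined
C:\Users\Ryan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\666bc497-5232dced Java/Exploit.CVE-2012-1723.II trojan cleaned by deleting - quarantined
C:\Users\Ryan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2c39c5-36069bae Java/Exploit.CVE-2012-1723.IZ trojan cleaned by deleting - quarantined
C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\cbp6ur0s.default\extensions\okdqcvajsy@okdqcvajsy.org.xpi JS/Redirector.NCI trojan deleted - quarantined
"""

# The path may contain spaces ("All Users"), so it is matched lazily and the
# detection name is recognised by the '/' ESET puts between platform and
# family (Win64/Olmarik.AY).  The action after the type word is optional;
# its absence is exactly what "Infected 5 / Cleaned 4" means.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<name>\S+/\S+)\s+(?P<kind>\S+)(?:\s+(?P<action>.+))?$"
)
CLEAN_WORDS = ("quarantined", "deleted", "cleaned")


def parse_results(text):
    """Return one dict per result line; raise on a line we cannot read."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        action = m.group("action")
        hits.append({
            "path": m.group("path"),
            "name": m.group("name"),
            "kind": m.group("kind"),
            "action": action,
            "cleaned": bool(action) and any(w in action.lower() for w in CLEAN_WORDS),
        })
    return hits


def canonical_path(path):
    """Lower-case the path and map the All Users junction onto ProgramData
    (on Vista and later C:\\Users\\All Users is a junction to C:\\ProgramData)."""
    p = path.lower()
    prefix = r"c:\users\all users"
    if p.startswith(prefix):
        p = r"c:\programdata" + p[len(prefix):]
    return p


def family(name):
    """Strip ESET's upper-case variant suffix: Win64/Olmarik.AY -> Win64/Olmarik."""
    head, sep, tail = name.rpartition(".")
    if sep and tail.isalpha() and tail.isupper():
        return head
    return name


def summarize(hits):
    """Counts a reviewer wants: hits, clean-ups, what was left, distinct files."""
    return {
        "infected": len(hits),
        "cleaned": sum(h["cleaned"] for h in hits),
        "uncleaned": [h["path"] for h in hits if not h["cleaned"]],
        "unique_files": len({canonical_path(h["path"]) for h in hits}),
        "families": Counter(family(h["name"]) for h in hits),
    }


if __name__ == "__main__":
    report = summarize(parse_results(ESET_RESULTS))
    print(f"Infected Files: {report['infected']}  Cleaned Files: {report['cleaned']}")
    print("not cleaned:", report["uncleaned"])
    print("distinct files after folding the All Users junction:", report["unique_files"])
    for fam, n in report["families"].most_common():
        print(f"  {n} x {fam}")
```

The one entry without an action is the All Users alias of the ProgramData file that the next line reports as quarantined, which is why the scanner's totals disagree by one.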

#15
March 24, 2013 at 18:27:05
"Uninstall Application on Close"
No, it doesn't conflict with any other AV & we may need it later.

"Delete Quarantined Files"
Yes.

Post the entire contents of the ESET log please.




#16
March 24, 2013 at 18:31:00
how can I find the entire contents of the ESET log?


#17
March 24, 2013 at 18:37:30
Read my post #1, best if you print or write instructions out.


#18
March 24, 2013 at 18:38:10
When I click delete all quarantined files and then click "finish" will this pop up?


#19
March 24, 2013 at 18:44:12
I'm seeing to search this "C:\Program Files\ESET\EsetOnlineScanner\log.txt" but there is no file named that on my computer...


#20
March 24, 2013 at 18:47:13
Ok I found it, this is all the log says....

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK



#21
March 24, 2013 at 18:58:33
Still not what I want, shall have to get back to finding it, have you looked on your desktop?

Got to go out now for about an hour.

What country/town are you?

I'm here.
http://www.timeanddate.com/worldclo...

As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.
Removal of infected parts of the system, may cause other parts to stop working, such as your Internet connection or Services. These we then, have to repair later.

If any program won't run ( due to the infection ) let me know.

Copy & Paste the contents of the log/logs after running each program.



#22
March 24, 2013 at 18:59:55
Run ComboFix & post the contents of the log please. ComboFix's log shall be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
"There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual"
Run Defogger
http://majorgeeks.com/Defogger_d708...
This program can enable and disable CD emulation, often required in removing difficult malware. Some CD Emulation programs use a hidden driver that may be seen as a rootkit or that will interfere with the proper operation of the anti-rootkit scanner.
If you think it's frozen look at computer clock.
If it's running Combofix is still working.
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.


#23
March 24, 2013 at 19:01:37
I'm in Connecticut, USA


#24
March 24, 2013 at 19:07:43
My computer is warning me that Combofix is not safe....and "is not commonly downloaded and will harm my computer"


#25
March 24, 2013 at 19:09:54
Please ignore and run combofix it is a false alarm.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#26
March 24, 2013 at 19:10:57
"My computer is warning me that Combofix is not safe....and "is not commonly downloaded and will harm my computer"
False alert/false positive.


#27
March 24, 2013 at 19:12:05
Thanks MrGoodguy, now I can go out as you are there.


#28
March 24, 2013 at 19:16:09
:) I will keep an eye on this thread for you.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#29
March 24, 2013 at 19:20:16
Ok here's the combofix log...

ComboFix 13-03-24.03 - Ryan 03/24/2013 22:12:23.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3948.2206 [GMT -4:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Norton 360 *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Norton 360 *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\465f0191
c:\programdata\Roaming
c:\users\Ryan\AppData\Roaming\4ed25305
c:\users\Ryan\AppData\Roaming\Roaming
c:\users\Ryan\AppData\Roaming\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#konugani.com\settings.sol
c:\users\Ryan\AppData\Roaming\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
.
.
((((((((((((((((((((((((( Files Created from 2013-02-25 to 2013-03-25 )))))))))))))))))))))))))))))))
.
.
2013-03-25 02:16 . 2013-03-25 02:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-24 19:26 . 2013-03-24 19:26 -------- d-----w- c:\program files (x86)\ESET
2013-03-24 01:54 . 2013-03-25 02:14 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{51FC5988-0038-4EB2-86AE-5BFE4F599D8C}\offreg.dll
2013-03-22 17:28 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{51FC5988-0038-4EB2-86AE-5BFE4F599D8C}\mpengine.dll
2013-03-18 02:42 . 2013-03-18 02:42 -------- d-----w- c:\program files\HitmanPro
2013-03-18 02:42 . 2013-03-18 02:51 -------- d-----w- c:\programdata\HitmanPro
2013-03-18 02:33 . 2013-03-18 02:33 -------- d-----w- c:\users\Ryan\AppData\Roaming\Simply Super Software
2013-03-18 02:33 . 2013-03-18 02:33 -------- d-----w- c:\program files (x86)\Trojan Remover
2013-03-18 02:33 . 2013-03-18 02:33 -------- d-----w- c:\programdata\Simply Super Software
2013-03-16 04:32 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-16 02:35 . 2013-03-06 22:33 33400 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-03-16 02:35 . 2013-03-06 22:33 377920 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-03-16 02:34 . 2013-03-06 22:33 70992 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-03-16 02:34 . 2013-03-06 22:33 68920 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-03-16 02:34 . 2013-03-06 22:33 1025808 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-03-16 02:34 . 2013-03-06 22:33 178624 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-16 02:34 . 2013-03-06 22:33 65336 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-03-16 02:34 . 2013-03-06 22:33 80816 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-03-16 02:34 . 2013-03-06 22:32 287840 ----a-w- c:\windows\system32\aswBoot.exe
2013-03-16 02:34 . 2013-03-06 22:32 41664 ----a-w- c:\windows\avastSS.scr
2013-03-16 02:33 . 2013-03-16 02:33 -------- d-----w- c:\program files\AVAST Software
2013-03-16 02:32 . 2013-03-16 02:33 -------- d-----w- c:\programdata\AVAST Software
2013-03-16 00:08 . 2013-03-16 01:33 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2013-03-15 18:29 . 2013-03-15 18:29 -------- d-----w- c:\programdata\McAfee
2013-03-03 17:44 . 2013-03-03 17:44 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2013-03-02 21:36 . 2013-03-02 21:36 -------- d-----w- c:\users\Ryan\AppData\Local\Microsoft Help
2013-03-02 21:36 . 2013-03-14 05:11 -------- d-----w- c:\programdata\Microsoft Help
2013-02-25 22:26 . 2013-03-15 22:45 -------- d-----w- c:\program files (x86)\Common Files\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-16 04:14 . 2012-08-20 04:37 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-16 04:14 . 2011-08-19 17:42 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-15 20:35 . 2011-10-14 06:21 72013344 ----a-w- c:\windows\system32\MRT.exe
2013-02-12 05:45 . 2013-03-15 20:29 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-15 20:29 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-15 20:29 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-15 20:29 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-15 20:29 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-15 20:29 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-01-17 05:28 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe
2013-01-05 05:53 . 2013-02-21 03:46 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-05 05:00 . 2013-02-21 03:46 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00 . 2013-02-21 03:46 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-01-04 05:46 . 2013-02-21 03:01 215040 ----a-w- c:\windows\system32\winsrv.dll
2013-01-04 04:51 . 2013-02-21 03:01 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-01-04 04:43 . 2013-02-21 03:01 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-01-04 03:26 . 2013-02-21 03:02 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-01-04 02:47 . 2013-02-21 03:01 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-01-04 02:47 . 2013-02-21 03:01 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-01-04 02:47 . 2013-02-21 03:01 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-01-04 02:47 . 2013-02-21 03:01 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-01-03 06:00 . 2013-02-21 03:46 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-03 06:00 . 2013-02-21 03:46 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"Facebook Update"="c:\users\Ryan\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-09-14 283160]
"BackupManagerTray"="c:\program files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe" [2011-02-15 290112]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2011-03-14 1081424]
"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2011-08-24 273528]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
"TrojanScanner"="c:\program files (x86)\Trojan Remover\Trjscan.exe" [2013-02-06 1608464]
.
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bloggie Watcher Utility.lnk - c:\program files (x86)\Sony\Bloggie Software\BGVolumeWatcher.exe [2011-6-9 746856]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2011-2-25 15776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 aswVmm;aswVmm; [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2009-10-07 327704]
R3 LVUVC64;Logitech QuickCam E3500(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2009-10-07 6379288]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-12-17 340240]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 TurboBoost;Intel(R) Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe [2010-10-08 150016]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-21 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 aswRvrt;aswRvrt; [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0604000.009\SYMDS64.SYS [2011-08-16 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0604000.009\SYMEFA64.SYS [2012-05-22 1129120]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\BASHDefs\20121130.005\BHDrvx64.sys [2012-10-23 1384608]
S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360x64\0604000.009\ccSetx64.sys [2012-06-07 167072]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\IPSDefs\20121202.001\IDSvia64.sys [2012-09-06 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0604000.009\Ironx64.SYS [2011-11-17 190072]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0604000.009\SYMNETS.SYS [2011-11-17 405624]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe [2011-03-14 352336]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2011-02-23 873064]
S2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [2010-01-08 23584]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2013-03-18 108904]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-14 13336]
S2 Live Updater Service;Live Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2011-01-31 244624]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-11-08 517632]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\6.4.0.9\ccSvcHst.exe [2012-06-16 138272]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-05-04 503080]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe [2011-02-15 257344]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2010-10-08 19192]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-12-22 2656280]
S3 b57xdbd;Broadcom xD Picture Bus Driver Service;c:\windows\system32\DRIVERS\b57xdbd.sys [2011-01-21 67624]
S3 b57xdmp;Broadcom xD Picture vstorp client drv;c:\windows\system32\DRIVERS\b57xdmp.sys [2011-01-21 19496]
S3 bScsiMSa;bScsiMSa;c:\windows\system32\DRIVERS\bScsiMSa.sys [2011-01-20 52264]
S3 bScsiSDa;bScsiSDa;c:\windows\system32\DRIVERS\bScsiSDa.sys [2011-01-14 85544]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-10-01 138912]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-11-12 138024]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2011-01-17 412712]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys [2010-12-25 42392]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-16 02:26 1629648 ----a-w- c:\program files (x86)\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-20 04:14]
.
2013-03-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4113350536-1774598829-3653898560-1000Core.job
- c:\users\Ryan\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-03-02 22:03]
.
2013-03-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4113350536-1774598829-3653898560-1000UA.job
- c:\users\Ryan\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-03-02 22:03]
.
2013-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-15 07:02]
.
2013-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-15 07:02]
.
2013-03-24 c:\windows\Tasks\ReclaimerUpdateFiles_Ryan.job
- c:\users\Ryan\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-03-23 17:40]
.
2013-03-24 c:\windows\Tasks\ReclaimerUpdateXML_Ryan.job
- c:\users\Ryan\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-03-23 17:40]
.
2013-03-24 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Ryan.job
- c:\users\Ryan\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-03-23 17:40]
.
2013-01-24 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-22 21:16]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 22:32 133840 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-30 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-30 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-30 418840]
"IntelTBRunOnce"="wscript.exe" [2009-07-14 168960]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-12-17 1933584]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-03-10 11785832]
"Power Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2011-02-23 1796200]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.bing.com/?pc=MAGW
mStart Page = hxxp://www.bing.com/?pc=MAGW
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\cbp6ur0s.default\
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{89867A4A-BDEE-4259-964A-B8E87C4892F3} - (no file)
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
Toolbar-Locked - (no file)
WebBrowser-{EF91116F-DE92-4286-9087-093085152182} - (no file)
HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\6.4.0.9\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\6.4.0.9\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{156E5059-1974-1C21-234A49AFACAB4059}\{B90FCDFF-5527-F999-5BDD8AB8903FEB58}\{85FE2661-9FF6-1F38-3936C76FCE54F605}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-24 22:18:29
ComboFix-quarantined-files.txt 2013-03-25 02:18
.
Pre-Run: 433,010,708,480 bytes free
Post-Run: 432,895,844,352 bytes free
.
- - End Of File - - DAF56F15EA859DFE4D672B6828F68579



#30
March 24, 2013 at 19:33:19
Ok that picked up some nasties :)
Just confirming: you have Avast and Norton installed together? If so, you will have to remove one, as running two can cause conflicts, leaving your PC open to attack.

Download AdwCleaner from this link:

http://www.bleepingcomputer.com/dow...
AdwCleaner Usage Instructions:
Using AdwCleaner is very simple. Simply download the program and run it. You will then be presented with a screen that contains a Search and Delete button. The Search button will cause AdwCleaner to search your computer for unwanted programs and then display a log showing the various files, folders, and registry entries used by these programs.
To delete these unwanted programs simply click on the Delete button, which will cause AdwCleaner to reboot your computer and remove the files and registry entries associated with the various adware that you are removing. On reboot, AdwCleaner will display a log showing the files, folders, and registry entries that were removed.
Please include the log in your next reply.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#31
March 24, 2013 at 19:34:48
Norton is expired and does not run; it's just still on my computer. I was going to ask anyway: is avast! good? If not, Norton is on sale for $24.99 this weekend for 15 months, so I was going to buy it. But if avast! is just as good, probably not.


#32
March 24, 2013 at 19:38:32
Ok, run the Norton Removal Tool 2013 first before we continue, please.
http://www.scanwith.com/download/no...


#33
March 24, 2013 at 19:39:33
Avast free is excellent and I use it on my own PC with no worries at all :)


#34
March 24, 2013 at 19:41:56
Ok, here's the latest log...

# AdwCleaner v2.115 - Logfile created 03/24/2013 at 22:38:32
# Updated 17/03/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Ryan - RYAN-PC
# Boot Mode : Normal
# Running from : C:\Users\Ryan\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\cbp6ur0s.default\searchplugins\safesearch.xml

***** [Registry] *****

Key Deleted : HKLM\Software\AVG Secure Search

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16470

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.1 (en-US)

File : C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\cbp6ur0s.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.172

File : C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1094 octets] - [24/03/2013 22:38:06]
AdwCleaner[S1].txt - [1030 octets] - [24/03/2013 22:38:32]

########## EOF - C:\AdwCleaner[S1].txt - [1090 octets] ##########



#35
March 24, 2013 at 19:44:40
Ok, now the Norton Removal Tool please :)


#36
March 24, 2013 at 19:49:53
Ok, just ran the Norton Removal Tool.


#37
March 24, 2013 at 19:51:55
Ok, I would like to see some more info on what's on your PC, so could you please run HijackThis from this link: http://www.bleepingcomputer.com/dow...
Scan and save the log; do not check anything to be fixed.


#38
March 24, 2013 at 19:53:13
Also double check manually that your Windows firewall has started after removing the Norton one.


#39
March 24, 2013 at 19:56:44
For some reason your computer denied write access to the hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this...


#40
March 24, 2013 at 19:58:03
All good please continue.


#41
March 24, 2013 at 19:59:15
Ok, it's scanned, but I can't get it to copy into a log file...


#42
March 24, 2013 at 20:00:21
Just save the log to your desktop then copy and paste it from there.


#43
March 24, 2013 at 20:02:30
The log won't save to a file... "cannot find log file, do you want to create a new file?" I click yes and it's just a blank Notepad page... I can see everything it's scanned (can take a screenshot) but it's not posted in a txt form.


#44
March 24, 2013 at 20:07:58
Got it, here ya go...

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:07:27 PM, on 3/24/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16470)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files (x86)\Sony\Bloggie Software\BGVolumeWatcher.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com/?pc=MAGW
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=MAGW
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {89867A4A-BDEE-4259-964A-B8E87C4892F3} - (no file)
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [BackupManagerTray] "C:\Program Files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe" -h -k
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files (x86)\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Ryan\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - .DEFAULT User Startup: Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bloggie Watcher Utility.lnk = C:\Program Files (x86)\Sony\Bloggie Software\BGVolumeWatcher.exe
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {76E72BAD-1709-4194-BE23-280221F47D1B} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eo...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Dritek WMI Service (DsiWMIService) - Dritek System Inc. - C:\Program Files (x86)\Launch Manager\dsiwmis.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GREGService - Acer Incorporated - C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Live Updater Service - Acer Incorporated - C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
O23 - Service: McciCMService64 - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @C:\Program Files (x86)\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files (x86)\Nero\Update\NASvc.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NTI IScheduleSvc - NTI Corporation - C:\Program Files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Intel(R) Turbo Boost Technology Monitor 2.0 (TurboBoost) - Intel(R) Corporation - C:\Program Files\Intel\TurboBoost\TurboBoost.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11700 bytes



#45
March 24, 2013 at 20:12:45
It will take a wee while to go over the log.


#46
March 24, 2013 at 20:22:30
Rerun HJT and check-mark the following for removal.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com/?pc=MAGW

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=MAGW

O2 - BHO: (no name) - {89867A4A-BDEE-4259-964A-B8E87C4892F3} - (no file)

O9 - Extra button: (no name) - {76E72BAD-1709-4194-BE23-280221F47D1B} - (no file) (HKCU)

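The entries the helper picks out above (browser hooks still registered but marked "(no file)", start and search pages to reset) are the kind of pattern a first triage pass over a HijackThis log can flag automatically. This is an added example, not code from the thread or from HijackThis itself; the trusted-host allowlist, the user-writable path list and the `search.example-hijack.test` line in the sample log are constructed for the demonstration, while the other sample lines mirror the log posted in the thread.

```python
"""Triage a HijackThis-style log for the entry types discussed in the thread.

Constructed example: the rules and sample lines are illustrative, not HijackThis's own logic.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "severity section reason entry")

# Hosts a reviewer accepts as home/search pages (assumption for this example).
TRUSTED_HOSTS = {"www.yahoo.com", "www.bing.com", "www.google.com", "go.microsoft.com"}

# Path fragments of user-writable locations where an autorun deserves a second look (assumption).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

# "R0 - <registry value> = <data>"  /  "O2 - BHO: <name> - {CLSID} - <dll path>"
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
# Program launched by an O4 entry:  O4 - HKLM\..\Run: [name] "C:\path\prog.exe" /args
O4_PATH_RE = re.compile(r'\]\s*"?([A-Za-z]:\\.*?\.(?:exe|dll|vbs|js|bat|cmd))', re.IGNORECASE)

# Constructed sample in HijackThis 2.0.4 format. Most lines mirror the thread's log;
# the example-hijack.test search page is invented to exercise the start-page rule.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com/?pc=MAGW
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijack.test/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {89867A4A-BDEE-4259-964A-B8E87C4892F3} - (no file)
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Ryan\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O9 - Extra button: (no name) - {76E72BAD-1709-4194-BE23-280221F47D1B} - (no file) (HKCU)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
"""


def parse_entries(text):
    """Yield (section, body) for each HijackThis entry line; skip headers and process lists."""
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            yield match.group("section"), match.group("body")


def triage(text):
    """Apply the three review rules and return the findings in log order."""
    findings = []
    for section, body in parse_entries(text):
        if section in ("R0", "R1", "R3"):
            # Start/search page hijack: the value points at a host outside the allowlist.
            _, sep, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname if sep else None
            if host and host not in TRUSTED_HOSTS:
                findings.append(Finding("high", section,
                                        f"start/search page points at untrusted host {host}", body))
        elif section in ("O2", "O3", "O9"):
            # Orphaned browser hook: the CLSID is still registered but its DLL is gone.
            if "(no file)" in body:
                findings.append(Finding("medium", section,
                                        "orphaned browser hook, registry points at a missing file", body))
        elif section == "O4":
            # Autorun launched from a location any user can write to.
            match = O4_PATH_RE.search(body)
            if match and any(tag in match.group(1).lower() for tag in USER_WRITABLE):
                findings.append(Finding("low", section,
                                        "autorun launches from a user-writable location", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.entry}")
```

Findings are review prompts, not verdicts: a "(no file)" hook is dead weight to clean up, while an untrusted start page or an autorun in AppData needs a human to decide whether it belongs.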

#47
March 24, 2013 at 20:32:10
Ok,

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com/?pc=MAGW

and

O2 - BHO: (no name) - {89867A4A-BDEE-4259-964A-B8E87C4892F3} - (no file)

will not delete... the other 2 have gone away, though.




#48
March 24, 2013 at 20:34:19
Download Junkware Removal Tool from these links:

http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.co.nz/20...
Download Junkware Removal Tool to your desktop.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real-time protection before performing a scan.
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
NOTE: Once the scan is complete, JRT will shut down your browser with NO warning.
The scan can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Copy and paste the JRT.txt log into your next message.


#49
March 24, 2013 at 20:44:47
It never gave me the option to right-click and run as administrator... it just started on its own... here's the log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.3 (03.23.2013:1)
OS: Windows 7 Home Premium x64
Ran by Ryan on Sun 03/24/2013 at 23:35:50.24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

Successfully deleted: [File] "C:\users\default user\start menu\programs\startup\best buy pc app.lnk"

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\best buy pc app"

~~~ FireFox

Emptied folder: C:\Users\Ryan\AppData\Roaming\mozilla\firefox\profiles\cbp6ur0s.default\minidumps [44 files]

~~~ Chrome

Dumping contents of C:\Users\Ryan\appdata\local\Google\Chrome\User Data\Default\Default
C:\Users\Ryan\appdata\local\Google\Chrome\User Data\Default\Default\aadedgdgdfgggbdbdidfdgdgdegfdcde
C:\Users\Ryan\appdata\local\Google\Chrome\User Data\Default\Default\aadedgdgdfgggbdbdidfdgdgdegfdcde\manifest.json

Successfully deleted: [Folder] C:\Users\Ryan\appdata\local\Google\Chrome\User Data\Default\Default [Default Extension 1.0]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 03/24/2013 at 23:43:17.50
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




#51
March 24, 2013 at 20:53:10
Ok, now how's your PC running?
We will now remove ComboFix: http://www.bleepingcomputer.com/com... (removal instructions are near the bottom of the page).


#52
March 24, 2013 at 20:56:04
It's ok... I can still sense the fan kicking in real hard then backing down... almost as if something is trying to rear up and then one of my virus/malware blockers is shooting it down...


#53
March 24, 2013 at 20:56:33
Maybe I should remove ComboFix and restart my computer and then feel it out?


#54
March 24, 2013 at 21:02:00
Check your Task Manager for anything using up all the CPU.

I think we have missed some nasties still, so let's download and run RogueKiller from this link: http://www.bleepingcomputer.com/dow...
Open and run it; it will do a very quick system check, then click Scan. When it has finished scanning, click the Delete button. It will produce a log. Copy and paste it here please.


#55
March 24, 2013 at 21:07:55
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ryan [Admin rights]
Mode : Remove -- Date : 03/25/2013 00:06:41
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[TASK][SUSP PATH] ROC_REG_JAN_DELETE.job : C:\ProgramData\AVG January 2013 Campaign\ROC.exe /DELETE_FROM_SYSTEM=1 [7] -> DELETED
[TASK][SUSP PATH] ROC_REG_JAN_DELETE : C:\ProgramData\AVG January 2013 Campaign\ROC.exe /DELETE_FROM_SYSTEM=1 [7] -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS547550A9E384 +++++
--- User ---
[MBR] 1a647c1b9409387ead409b1f574286fa
[BSP] 00e36f540dba372592508c29456279b5 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31459328 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 31664128 | Size: 461478 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_03252013_02d0006.txt >>
RKreport[1]_S_03252013_02d0005.txt ; RKreport[2]_D_03252013_02d0006.txt



#56
March 24, 2013 at 21:08:43
Side note: for the past 3 weeks I get alerts for "Java Update Available" literally ALL THE TIME... I don't know if this is normal...


#57
March 24, 2013 at 21:14:30
Ok, let's update and run a full Malwarebytes scan. Can you please go to the Settings tab, then the Scanner Settings tab, and change the PUP setting to "Show in results list and check for removal"?


#58
March 24, 2013 at 21:16:48
Ok, it is running now...


#59
March 24, 2013 at 21:19:12
After the Malwarebytes scan, download Wise Disk Cleaner from this link:
http://www.wisecleaner.com/download...
While running Wise Disk Cleaner, it will ask you to also download Wise Registry Cleaner; please allow this.
Run them both, left to right, first two tabs only. This will clean up any infection leftovers and you should get a performance improvement.


#60
March 24, 2013 at 21:24:31
Ok, do I need to post anything from the Malwarebytes scan? What if it comes up clean?


#61
March 24, 2013 at 21:25:53
No, not if it's clean :)


#62
March 24, 2013 at 21:29:38
Ok, should be done in about 10-20 minutes.


#63
March 24, 2013 at 21:30:56
All good, will go have a coffee while waiting :)


#64
March 24, 2013 at 21:40:06
Just curious, while it is running: what have we removed thus far from my computer? What were these things doing on my computer, and what benefit do the people who make these things get from them being on my computer?


#65
March 24, 2013 at 21:54:59
Most are redirections, through a website similar to the one you want to use. Then they will get you to look at their websites instead of the real site, getting revenue from you watching the ads or buying stuff from these redirected websites. And you had loads of adware, which targets you by giving your browsing habit details to anyone who pays for it :(
You also had a few desktop hijacks, which stop your PC from doing certain things.


#66
March 24, 2013 at 21:57:13
Malwarebytes ran clean..... on to that last program..


#67
March 24, 2013 at 22:00:05
Ok, after the first scan it says it has found 12 traces; should I click clean?


#68
March 24, 2013 at 22:00:28
Last two programs :) Wise Disk Cleaner and Wise Registry Cleaner


#69
March 24, 2013 at 22:01:38
Yes, please click clean; these are two very easy, safe-to-use tools.


#70
March 24, 2013 at 22:02:10
Ok, cleaned the first 12 traces.... clicked the 2nd tab and it found 218 files........ should I click "start cleaning" again?


#71
March 24, 2013 at 22:04:37
Yes continue cleaning :)


#72
March 24, 2013 at 22:06:21
490 files removed by the registry cleaner - it says it failed to remove 3 files...


#73
March 24, 2013 at 22:09:49
All good, don't worry about the three left behind. So you have run both now?


#74
March 24, 2013 at 22:12:22
Yes, ran both..... I think my computer is better.... thanks for all the help! I'll post updates over the next couple of days to make sure it's all good.

I've downloaded about 20 different programs as directed to fix up my computer, and tomorrow I will uninstall all of these except Malwarebytes, my avast! antivirus, and CCleaner. Are any of the others worth keeping? Also, should I run the system tuneup/registry defrag in Registry Cleaner and the slimming system/disk defrag of Disk Cleaner sometime?



#75
March 24, 2013 at 22:14:23
Nice work folks. szatryan, I have a few more things for you to do. Won't take long; if you want to go to bed, I can finish off tomorrow.

Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. It does take some time, so be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt. Let me know if it doesn't produce a log, please.

Reboot

Run TDSSKiller & post the contents of the log.
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://support.kaspersky.com/faq/?q...
http://support.kaspersky.com/viruse...



#76
March 24, 2013 at 22:15:52
Excellent, Johnw is back to double check our work :)
Keep the two Wise cleaners and the others you mentioned.
And install Web Of Trust onto your browsers; it will help you browse more safely :)
http://www.computing.net/howtos/sho...


#77
March 24, 2013 at 22:18:36
Glad things are running better, I will leave you with Johnw.


#78
March 24, 2013 at 22:19:16
Great, thanks for the help! Johnw, it is late here on the east coast - I will run those two programs tomorrow and post the logs after work....... does that work?


#79
March 24, 2013 at 22:20:52
LOL.... reminds me of Batman and Robin... szatryan, did you run the bootscan with Avast yet?

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#80
March 24, 2013 at 22:24:32
Very funny xpuserareu4real lol :)


#81
March 24, 2013 at 22:25:05
Ok, thanks for the help all - will be back tomorrow to run those last two programs..... xpuser, can you please post instructions on how to run a boot scan? I couldn't figure it out! Goodnight everyone, thanks again.


#82
March 24, 2013 at 22:30:46
"sliming system"
I do. I use default settings; leave boxes that are unchecked, unchecked :)

"disk defrag of the disk cleaner sometime?"
"registry defrag in registry cleaner"
Won't hurt.

"Also should I run the system tuneup"
System Tuneup is for experts; you really have to know what you are doing. Probably best if you don't use it.



#83
March 24, 2013 at 22:36:05
" I will run those two programs tomorrow and post the logs after work.......does that work?"
That's fine szatryan.


#84
March 25, 2013 at 05:22:36
http://www.schmahl.net/avastbootsca...
The above is how to do a bootscan on your PC...


#85
March 25, 2013 at 12:56:42
Unhide Log:

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 03/25/2013 03:44:57 PM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 152517 files processed.

Processing the Q:\ drive
Finished processing the Q:\ drive. 0 files processed.

The C:\Users\Ryan\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Program finished at: 03/25/2013 03:50:22 PM
Execution time: 0 hours(s), 5 minute(s), and 24 seconds(s)


There were zero threats found with TDSSKiller.


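A read-only audit of the two things the Unhide log above reports on, as an added example that is not Unhide's code or anything posted in this thread: it lists any values set under the Explorer policy keys Unhide checks (the keys FakeHDD rogues write restrictions to) and any files still carrying the Hidden attribute in the user's Desktop, Documents, Pictures and Downloads folders. It assumes Windows PowerShell 2.0 as shipped with Windows 7 and an elevated prompt; the folder list and the desktop.ini exclusion are my own choices, not something the tool does.

```powershell
# Added example, not code from Unhide or from anyone in this thread.
# Read-only audit of what the Unhide log says it inspects: the Explorer policy
# keys FakeHDD rogues add restrictions to, and user files left with the Hidden
# attribute. Written for Windows PowerShell 2.0 (Windows 7 default); run elevated.

$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
)

function Get-ExplorerPolicyValues {
    # Every value under these keys is a restriction; a home PC normally has none.
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

function Get-HiddenUserFiles {
    # FakeHDD rogues hide the user's own documents. desktop.ini is the one hidden
    # file Windows keeps in these folders itself, so it is excluded (my choice).
    param([string[]]$Folders = @('Desktop', 'Documents', 'Pictures', 'Downloads'))
    foreach ($name in $Folders) {
        $root = Join-Path $env:USERPROFILE $name
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' -and
                (($_.Attributes -band [IO.FileAttributes]::Hidden) -eq [IO.FileAttributes]::Hidden) } |
            Select-Object FullName, Attributes
    }
}

# Explorer's own "show hidden files" switches, which Unhide also inspects
# (Hidden: 1 = show hidden files, 2 = do not show; ShowSuperHidden: 1 = show OS files).
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
"Explorer Advanced: Hidden={0} ShowSuperHidden={1}" -f $adv.Hidden, $adv.ShowSuperHidden

$restrictions = @(Get-ExplorerPolicyValues)
"Policy restrictions found: {0}" -f $restrictions.Count
$restrictions | Format-Table Key, Name, Value -AutoSize

$hidden = @(Get-HiddenUserFiles)
"Hidden user files found: {0}" -f $hidden.Count
$hidden | Format-Table -AutoSize
```

On a domain-joined machine the Policies keys may legitimately hold Group Policy restrictions, so compare the output against a known-good PC rather than treating every value as malicious.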

#86
March 25, 2013 at 13:00:16
In terms of a bootscan, I would like to run one, but the instructions on how to do so that you posted are using the template from the Avast! paid version. The avast! free version does not have that same template and I can't find anything about a boot scan...


#87
March 25, 2013 at 13:07:16
Just found the bootscan..... running now.


#88
March 25, 2013 at 15:31:10
"No registry changes detected"
"There were zero threats found with TDSSKiller"

Thanks szatryan

Run TFC
http://www.geekstogo.com/forum/file...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

System Restore will have infected files in it; turning System Restore OFF and then ON will remove them.
How to Turn On and Turn Off System Restore in Windows 7
http://www.recipester.org/Recipe:Di...

Download Security Check by screen317 from one of the following links and save it to your desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Save it to your Desktop.
* Double click SecurityCheck.exe. If you run Windows Vista or 7, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; please post the contents of that document.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

For a final check, run ESET again. We run programs multiple times to make sure all the deletions stuck.



#89
March 25, 2013 at 16:18:06
Results of screen317's Security Check version 0.99.61

Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
avast! Antivirus
[color=red][b]Antivirus out of date![/b][/color]
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
Trojan Remover 6.8.5
Malwarebytes Anti-Malware version 1.70.0.1100
Wise Disk Cleaner 7.78
Wise Registry Cleaner 7.66
Java(TM) 6 Update 22
Java(TM) 6 Update 27
[color=red][b]Java version out of Date![/b][/color]
Adobe Flash Player 11.6.602.180
Adobe Reader XI
Mozilla Firefox 18.0.1 [color=red][b]Firefox out of Date![/b][/color]
Google Chrome 25.0.1364.172
Google Chrome 25.0.1364.97
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: 3%
[b][u]````````````````````End of Log``````````````````````[/b][/u]


#90
March 25, 2013 at 16:25:42
To improve your security, these need updating.

avast! Antivirus
[color=red][b]Antivirus out of date![/b][/color]

Java(TM) 6 Update 27
[color=red][b]Java version out of Date![/b][/color]

Mozilla Firefox 18.0.1 [color=red][b]Firefox out of Date![/b][/color]

Once you have updated Java, uninstall the old versions.



#91
March 25, 2013 at 16:31:45
To block tracking cookies, I use Mozilla Labs: Prospector - about:trackers

http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
https://blog.mozilla.org/labs/2012/...
Mozilla Labs: Prospector - about:trackers is a handy and reliable Firefox extension designed to block known trackers.
The addon will prevent companies from tracking your browsing habits by blocking cookies or connections from suspicious websites. The Options window includes a predefined list of trackers that can be further populated with items that you suspect are dangerous.

After installing Mozilla Labs: Prospector - about:trackers, run SuperantiSpyware to remove the cookies that were already installed.

SUPERAntiSpyware
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.superantispyware.com/ind...



#92
March 25, 2013 at 18:18:46
Eset online scanner - 0 threats!


#93
March 25, 2013 at 18:25:49
"Eset online scanner - 0 threats!"
Good news.

I keep ESET & as you know, when you use it again, it updates first. Always handy to have for a second opinion.



#94
March 25, 2013 at 18:30:32
Running SUPERAntiSpyware now.... so far 40 threats found (tracking cookies).


#95
March 25, 2013 at 18:38:21
Did you install Mozilla Labs: Prospector - about:trackers?

And did you do it first?



#96
March 25, 2013 at 18:41:44
Yes, did that first... it just showed up as a little blue puzzle piece in Firefox.


#97
March 25, 2013 at 18:51:37
Once you have finished all of the above, you should be Ok.

Any glitches, slowness or unusual things going on?



#98
March 25, 2013 at 18:59:43
Just waiting on SUPERAntiSpyware to finish up...... things seem good! Now just to uninstall these 20+ programs required to fix my computer. Thanks for the help!


#99
March 25, 2013 at 19:05:06
Sounds good, perhaps you can have an earlier night to bed tonight.


#100
March 25, 2013 at 19:10:26
Last program just finished. We should be all good. Thanks!


#101
March 25, 2013 at 19:31:49
szatryan,
How did the bootscan go? Avast is one of the best.... I just noticed... 101 posts is pretty gruelling to say the least... YIKES


#102
March 25, 2013 at 20:38:57
I was able to run a bootscan... it took a very long time... about 1 1/2 hours... no threats found.


#103
March 25, 2013 at 20:39:24
And yeah, downloaded so many programs! But the computer seems to be better.
