Computer virus ran aswMBR returned a yellow item

Custom / CUSTOM
March 26, 2013 at 05:00:34
Specs: Windows Vista, 1.8 GHz / 1014 MB
I share a computer with my sons and they have got a virus on it. I gave up on getting it off a while ago and just bought a new one. Well, they tore up my new one, so I am back to trying to get this one fixed. I am in college and I have to have one, and this one is sooo slow. I am afraid to use it. I have run a few different scanners such as Microsoft Security Essentials. I also ran aswMBR and it had an item appear in yellow; I assume that is bad. But I am not sure what to do. Since I don't have a lot of knowledge about this scanner, I have chosen not to hit the Fix MBR without someone's help. I would also like someone to help me clean my computer up, maybe advise me of what I can safely remove. Thanks in advance. Shawna


#1
March 26, 2013 at 05:40:15
Please copy & paste instructions into a text file, print steps & info. You will need them, as they are hard to remember, for when you are offline.

The baddies are always ahead of the goodies. Be aware, this can be a very long process, involving many different tools to clean up an infected comp.

As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.
Removal of infected parts of the system may cause other parts to stop working, such as your Internet connection or Services. These we then have to repair later.

If any program won't run ( due to the infection ) let me know.

Copy & Paste the contents of the log/logs after running each program.



#2
March 26, 2013 at 05:42:15
1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
An introduction as to what this program does.
http://www.bleepingcomputer.com/for...
For those of you who no longer have the %Temp%\Smtmp folder, you will not be able to use Unhide to restore your Start Menu items. With this in mind, I have created some scripts to restore the default Start Menu for specific versions of Windows that I have access to. You can view the available versions below. I will be adding more as time goes on.
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt. Let me know if it doesn't produce a log please.

2: Reboot

3: Run Hitman Pro, then Copy & Paste the contents of the log please.
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.surfright.nl/en/HitmanPro
http://www.surfright.nl/en/hitmanpro/
Unlimited free scanning and free 30-day version to remove detected malware.
Download now (32-bit)
http://dl.surfright.nl/HitmanPro35.exe
Download now (64-bit)
http://dl.surfright.nl/HitmanPro35_...



#3
March 26, 2013 at 12:34:59
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 03/26/2013 02:48:14 PM
Windows Version: Windows Vista

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 215756 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 25014 files processed.

Processing the F:\ drive
Finished processing the F:\ drive. 0 files processed.

Processing the G:\ drive
Finished processing the G:\ drive. 0 files processed.

Processing the H:\ drive
Finished processing the H:\ drive. 0 files processed.

Processing the I:\ drive
Finished processing the I:\ drive. 0 files processed.

The C:\Users\Shawna\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Program finished at: 03/26/2013 03:06:33 PM
Execution time: 0 hours(s), 18 minute(s), and 18 seconds(s)

HitmanPro 3.7.0.185
www.hitmanpro.com

Computer name . . . . : SHAWNA-PC
Windows . . . . . . . : 6.0.2.6002.X86/2
User name . . . . . . : Shawna-PC\Shawna
UAC . . . . . . . . . : Enabled
License . . . . . . . : Trial (30 days left)

Scan date . . . . . . : 2013-03-26 15:13:00
Scan mode . . . . . . : Normal
Scan duration . . . . : 9m 58s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 2
Traces . . . . . . . : 5

Objects scanned . . . : 2,031,605
Files scanned . . . . : 56,865
Remnants scanned . . : 542,470 files / 1,432,270 keys

Malware remnants ____________________________________________________________

HKLM\SOFTWARE\Classes\Interface\{DB507187-9746-458C-97DA-C458131EEDE7}\ (Adware.MyWebSearch) -> Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}\ (Adware.MyWebSearch) -> Deleted

Potential Unwanted Programs _________________________________________________

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ (Yontoo)

Cookies _____________________________________________________________________

C:\Users\Shawna\AppData\Roaming\Microsoft\Windows\Cookies\W9F2UOZU.txt
C:\Users\Shawna\AppData\Roaming\Microsoft\Windows\Cookies\X8H6Z5PQ.txt





#4
March 26, 2013 at 12:53:03
4: Please download and run ListParts by Farbar (for 32-bit system):
http://download.bleepingcomputer.co...
Please download and run ListParts64 by Farbar (for 64-bit system):
http://download.bleepingcomputer.co...
Click on the Scan button.
The scan results will open in Notepad.
Post those contents in your next reply.


#5
March 26, 2013 at 15:31:21
ListParts by Farbar Version: 10-03-2013
Ran by Shawna (administrator) on 26-03-2013 at 18:30:41
Windows Vista (X86)
Running From: C:\Users\Shawna\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 81%
Total physical RAM: 1014.51 MB
Available physical RAM: 185.22 MB
Total Pagefile: 2293.35 MB
Available Pagefile: 1225.51 MB
Total Virtual: 2047.88 MB
Available Virtual: 1963.61 MB

======================= Partitions =========================

1 Drive c: (Local Disk) (Fixed) (Total:289.49 GB) (Free:186.99 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Recovery) (Fixed) (Total:8.6 GB) (Free:2.77 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ###  Status    Size    Free  Dyn  Gpt
--------  --------  ------  ----  ---  ---
Disk 0    Online    298 GB  0 B
Disk 1    No Media  0 B     0 B
Disk 2    No Media  0 B     0 B
Disk 3    No Media  0 B     0 B
Disk 4    No Media  0 B     0 B



#6
March 26, 2013 at 15:37:04

Partitions of Disk 0:
===============

Partition ###  Type     Size    Offset
-------------  -------  ------  ------
Partition 2    Primary  289 GB  32 KB
Partition 1    Primary  9 GB    289 GB

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label       Fs    Type       Size    Status   Info
----------  ---  ----------  ----  ---------  ------  -------  ---------------------------------------
* Volume 1  C    Local Disk  NTFS  Partition  289 GB  Healthy  System (partition with boot components)

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ###  Ltr  Label     Fs    Type       Size  Status   Info
----------  ---  --------  ----  ---------  ----  -------  ----
* Volume 2  D    Recovery  NTFS  Partition  9 GB  Healthy

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 2A2937A6

Partition 1:
===========
Hex: 0000C1FF07FEFFFF1E8E2F24A3481301
Active: NO
Type: 07 (NTFS)
Size: 9 GB

Partition 2:
===========
Hex: 8001010007FEFFFF3F000000DF8D2F24
Active: YES
Type: 07 (NTFS)
Size: 289 GB


****** End Of Log ******



#7
March 26, 2013 at 17:10:48
"ListParts by Farbar Version: 10-03-2013
Ran by Shawna (administrator) on 26-03-2013 at 18:30:41"

Thanks, all good.

What country/town are you in, please?

I'm here.
http://www.timeanddate.com/worldclo...



#8
March 26, 2013 at 17:13:10
5: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://general-changelog-team.fr/en...
http://www.raymond.cc/blog/adwclean...
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

6: Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool to your desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. http://www.bleepingcomputer.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Copy and Paste the JRT.txt log into your next message.



#9
March 27, 2013 at 03:43:15
My keyboard has stopped working, so I am using the on-screen keyboard now. I live in the US, in Kentucky.


# AdwCleaner v2.115 - Logfile created 03/27/2013 at 06:38:17
# Updated 17/03/2013 by Xplode
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# User : Shawna - SHAWNA-PC
# Boot Mode : Normal
# Running from : C:\Users\Shawna\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Windows\system32\conduitEngine.tmp
Folder Found : C:\Program Files\Conduit
Folder Found : C:\ProgramData\boost_interprocess
Folder Found : C:\ProgramData\WeCareReminder
Folder Found : C:\Users\Shawna\AppData\Local\Conduit
Folder Found : C:\Users\Shawna\AppData\LocalLow\Conduit
Folder Found : C:\Users\Shawna\AppData\LocalLow\PriceGong
Folder Found : C:\Users\Shawna\AppData\LocalLow\Productivity_2.1

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\Productivity_2.1
Key Found : HKCU\Software\AppDataLow\Toolbar
Key Found : HKCU\Software\Freeze.com
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\hblitesa
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Productivity_2.1 Toolbar
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKCU\Software\Zugo
Key Found : HKLM\SOFTWARE\Classes\CLSID\{16E81DE0-B021-4639-8650-1051A5ECB471}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2857572
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2903600
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\FCTB000060459
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFCB8BD1-97D9-4EB7-8B89-576125329A35}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ECC7E50E-BBC9-41F8-A0B8-A968B91C3EF4}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{16E81DE0-B021-4639-8650-1051A5ECB471}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\Software\Productivity_2.1
Key Found : HKU\S-1-5-21-888583000-12288961-1353878118-1000\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{C44F9E21-D93F-490C-B41C-B3548BDD19FC}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{C44F9E21-D93F-490C-B41C-B3548BDD19FC}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16470

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [3965 octets] - [27/03/2013 06:32:53]
AdwCleaner[R2].txt - [3896 octets] - [27/03/2013 06:38:17]

########## EOF - C:\AdwCleaner[R2].txt - [3956 octets] ##########



#10
March 27, 2013 at 03:50:42
I am sorry, I posted the results above before I hit Delete in AdwCleaner. I am not sure which one you wanted, so here are the results after hitting Delete also.

# AdwCleaner v2.115 - Logfile created 03/27/2013 at 06:44:50
# Updated 17/03/2013 by Xplode
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# User : Shawna - SHAWNA-PC
# Boot Mode : Normal
# Running from : C:\Users\Shawna\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Windows\system32\conduitEngine.tmp
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\WeCareReminder
Folder Deleted : C:\Users\Shawna\AppData\Local\Conduit
Folder Deleted : C:\Users\Shawna\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Shawna\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Shawna\AppData\LocalLow\Productivity_2.1

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\Productivity_2.1
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Freeze.com
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\hblitesa
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Productivity_2.1 Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{16E81DE0-B021-4639-8650-1051A5ECB471}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2857572
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2903600
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\FCTB000060459
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFCB8BD1-97D9-4EB7-8B89-576125329A35}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ECC7E50E-BBC9-41F8-A0B8-A968B91C3EF4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{16E81DE0-B021-4639-8650-1051A5ECB471}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Productivity_2.1
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{C44F9E21-D93F-490C-B41C-B3548BDD19FC}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{C44F9E21-D93F-490C-B41C-B3548BDD19FC}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16470

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [3965 octets] - [27/03/2013 06:32:53]
AdwCleaner[R2].txt - [4025 octets] - [27/03/2013 06:38:17]
AdwCleaner[S1].txt - [3890 octets] - [27/03/2013 06:44:50]

########## EOF - C:\AdwCleaner[S1].txt - [3950 octets] ##########



#11
March 27, 2013 at 04:14:13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.3 (03.23.2013:1)
OS: Windows Vista (TM) Home Premium x86
Ran by Shawna on Wed 03/27/2013 at 6:52:58.67
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\pc optimizer pro
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\utorrentbar

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 03/27/2013 at 6:59:05.47
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#12
March 27, 2013 at 04:24:04
I have tried multiple times to get the JRT results to post but have been unsuccessful. Each time I try, it asks me to log in with Facebook or create an account, even though I am already logged in. I have tried logging out and back in, but it still doesn't work. The last time I tried to post the results it said that posting the same post more than once is prohibited. So I refreshed the page and it is still not showing up. I have no idea what to do now. Can you see it? Thanks, Shawna


#13
March 27, 2013 at 04:29:27
"Can you see it? Thanks Shawna"
Yes, both programs removed heaps of problems.

Give me a little time to think of what to do next.

Where are you?



#14
March 27, 2013 at 04:38:00
Run Malwarebytes' Anti-Malware ( MBAM ) Use Quick scan. Copy & Paste the contents of the log please.
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.malwarebytes.org/mbam.php
http://www.spywareinfoforum.com/ind...
http://www.bleepingcomputer.com/vir...
If your MBAM log indicates "No action taken." That's usually a result of NOT clicking the Remove Selected button after the scan.
Quick Scan versus Full Scan
http://forums.malwarebytes.org/inde...


#15
March 27, 2013 at 05:24:08
After posting the MBAM log, run aswMBR again & follow these instructions.
http://public.avast.com/~gmerek/asw...
aswMBR is the rootkit scanner that scans for TDL4/3 and MBRoot (Sinowal) rootkits.
Please download aswMBR and save it to your Desktop.
Windows 7: Right-click the file and select 'Run as Administrator'
When prompted with: This application can use the Avast! Free Antivirus for scanning...etc.
Select: Yes
The last line of the run in progress will provide the status of the Avast! scan.
It will say: Downloading Avast! virus definitions database, etc.
When the Avast! scan is done, the last line changes to: Avast Engine definitions #####
At this point, click the Scan button on the lower left of the aswMBR screen.
The last line will now say "Scanning" while in progress.
Upon completion of the scan, click > Save log< and save it to the Desktop.
>>Please do NOT attempt to fix anything!!<<
Exit the program.
Please post the new aswMBR log in your reply.
Note that a file named MBR.dat is also created on the Desktop.
Please submit MBR.dat for analysis to VirusTotal
VirusTotalScanner
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://securityxploded.com/virus-to...
When you get to the website, use the Browse button to navigate to the location of MBR.dat
Click on the file, then, click the Open button.
The file is now displayed in the Submit Box.
Scroll down and click Send File, and wait for the results.
If you get a message saying: 'File has already been analyzed', click: 'Reanalyze file now'
Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http:// etc. address there.
Then, provide the http:// address of the results page in your reply.


#16
March 27, 2013 at 05:40:12

#17
March 27, 2013 at 05:43:03
I can't get the JRT results to post.

#18
March 27, 2013 at 09:45:11
I am in the U.S. (Kentucky)

#19
March 27, 2013 at 18:40:05
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2013-03-27 20:39:06
-----------------------------
20:39:06.072 OS Version: Windows 6.0.6002 Service Pack 2
20:39:06.072 Number of processors: 2 586 0xF0D
20:39:06.072 ComputerName: SHAWNA-PC UserName: Shawna
20:39:09.192 Initialize success
20:44:31.998 AVAST engine defs: 13032700
20:44:36.100 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
20:44:36.116 Disk 0 Vendor: Hitachi_HDT725032VLA360 V54OA7EA Size: 305245MB BusType: 3
20:44:36.163 Disk 0 MBR read successfully
20:44:36.163 Disk 0 MBR scan
20:44:36.397 Disk 0 unknown MBR code
20:44:36.428 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 8809 MB offset 607096350
20:44:36.553 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 296433 MB offset 63
20:44:36.600 Disk 0 scanning sectors +625137345
20:44:36.974 Disk 0 scanning C:\Windows\system32\drivers
20:45:05.631 Service scanning
20:45:30.700 Service MpKsl9fffa534 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9AE40679-7957-4922-978C-5C2F8D5AB352}\MpKsl9fffa534.sys **LOCKED** 32
20:46:00.169 Modules scanning
20:46:05.722 Disk 0 trace - called modules:
20:46:05.785 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
20:46:05.785 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84b64aa0]
20:46:05.800 3 CLASSPNP.SYS[863a58b3] -> nt!IofCallDriver -> [0x84501c10]
20:46:05.816 5 acpi.sys[8069d6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x845008a0]
20:46:07.953 AVAST engine scan C:\Windows
20:46:13.320 AVAST engine scan C:\Windows\system32
20:52:02.838 AVAST engine scan C:\Windows\system32\drivers
20:52:34.162 AVAST engine scan C:\Users\Shawna
21:20:08.137 File: C:\Users\Shawna\Downloads\dds.com **INFECTED** Win32:Malware-gen
21:24:58.063 AVAST engine scan C:\ProgramData
21:27:12.129 Scan finished successfully
21:38:50.432 Disk 0 MBR has been saved successfully to "C:\Users\Shawna\Desktop\MBR.dat"
21:38:50.463 The log file has been saved successfully to "C:\Users\Shawna\Desktop\aswMBR.txt"

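The two "Hex:" lines in the ListParts output of posts #5/#6 are the raw 16-byte partition-table entries read straight from the MBR, and the aswMBR run in post #19 describes the same disk in sectors and MB. As an added example (not from the thread, and not the internals of ListParts, aswMBR or RogueKiller), the Python below decodes those entries (status byte, type, CHS fields, little-endian LBA start and sector count), cross-checks them against every figure aswMBR printed, and runs the sanity checks worth doing on a saved MBR.dat before anyone clicks Fix MBR. The hex strings and aswMBR numbers are copied from the logs; the function names, the synthetic 512-byte sector with zeroed boot code, and the check rules are this example's own assumptions.

```python
"""Decode the raw MBR partition-table entries from the ListParts log and
cross-check them against the sector figures aswMBR printed for the same disk.
Added example for this thread; hex strings and aswMBR numbers are copied from
the logs, everything else (names, synthetic sector, check rules) is assumed."""
import struct

SECTOR_BYTES = 512
ENTRY_OFFSET = 446            # the four 16-byte entries start here in an MBR
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR

# "Hex:" lines from the ListParts "MBR Partition Table" section (posts #5/#6).
LISTPARTS_HEX = {
    1: "0000C1FF07FEFFFF1E8E2F24A3481301",
    2: "8001010007FEFFFF3F000000DF8D2F24",
}
# What aswMBR printed for the same two partitions (post #19).
# ListParts' "Offset 32 KB" for partition 2 is the same sector 63 (63 * 512 bytes).
ASWMBR = {
    1: {"active": False, "mb": 8809, "offset": 607096350},
    2: {"active": True, "mb": 296433, "offset": 63},
}
ASWMBR_TAIL_SCAN = 625137345  # "Disk 0 scanning sectors +625137345"

TYPE_NAMES = {0x00: "empty", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def decode_chs(raw3):
    """3-byte CHS field: head, 6-bit sector, 10-bit cylinder (high bits in byte 2)."""
    head, sec, cyl_lo = raw3
    return ((sec & 0xC0) << 2) | cyl_lo, head, sec & 0x3F


def parse_entry(raw16):
    """Decode one 16-byte partition-table entry; LBA fields are little-endian."""
    if len(raw16) != 16:
        raise ValueError("partition entry must be 16 bytes")
    status, chs_s, ptype, chs_e, lba_start, sectors = struct.unpack("<B3sB3sII", raw16)
    if status not in (0x00, 0x80):
        raise ValueError("invalid status byte 0x%02X (overwritten table?)" % status)
    return {
        "active": status == 0x80,
        "type": ptype,
        "type_name": TYPE_NAMES.get(ptype, "unknown 0x%02X" % ptype),
        "chs_start": decode_chs(chs_s),
        "chs_end": decode_chs(chs_e),
        "lba_start": lba_start,
        "sectors": sectors,
        "lba_end": lba_start + sectors,             # first sector after the partition
        "size_mb": sectors * SECTOR_BYTES // (1024 * 1024),
    }


def parse_mbr(sector):
    """Validate the boot signature of a 512-byte sector (e.g. MBR.dat) and return its 4 entries."""
    if len(sector) != SECTOR_BYTES:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    return [parse_entry(sector[ENTRY_OFFSET + 16 * i:ENTRY_OFFSET + 16 * (i + 1)])
            for i in range(4)]


def check_table(entries):
    """Sanity findings a triager wants before letting any tool rewrite the MBR."""
    findings = []
    used = [e for e in entries if e["type"] != 0x00]
    if sum(e["active"] for e in used) != 1:
        findings.append("expected exactly one active partition")
    findings += ["unknown partition type 0x%02X" % e["type"]
                 for e in used if e["type_name"].startswith("unknown")]
    by_start = sorted(used, key=lambda e: e["lba_start"])
    for a, b in zip(by_start, by_start[1:]):
        if a["lba_end"] > b["lba_start"]:
            findings.append("partitions at %d and %d overlap" % (a["lba_start"], b["lba_start"]))
    return findings


def build_synthetic_mbr(hex_entries):
    """Constructed sector: zeroed boot code, the given entries in slots 0.., 0x55AA."""
    sector = bytearray(SECTOR_BYTES)
    for i, hx in enumerate(hex_entries):
        sector[ENTRY_OFFSET + 16 * i:ENTRY_OFFSET + 16 * (i + 1)] = bytes.fromhex(hx)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def cross_check():
    """True if the decoded ListParts entries agree with every aswMBR figure."""
    d = {n: parse_entry(bytes.fromhex(h)) for n, h in LISTPARTS_HEX.items()}
    agree = all(d[n]["active"] == ASWMBR[n]["active"] and d[n]["size_mb"] == ASWMBR[n]["mb"]
                and d[n]["lba_start"] == ASWMBR[n]["offset"] for n in d)
    contiguous = d[2]["lba_end"] == d[1]["lba_start"]   # C: ends where Recovery begins
    tail = d[1]["lba_end"] == ASWMBR_TAIL_SCAN           # Recovery ends where aswMBR scanned on
    return agree and contiguous and tail


if __name__ == "__main__":
    for n, h in LISTPARTS_HEX.items():
        e = parse_entry(bytes.fromhex(h))
        print("entry %d: %-9s active=%-5s start=%d sectors=%d (%d MB)" % (
            n, e["type_name"], e["active"], e["lba_start"], e["sectors"], e["size_mb"]))
    print("agrees with aswMBR:", cross_check())
    print("findings:", check_table(parse_mbr(build_synthetic_mbr(LISTPARTS_HEX.values()))))
```

Decoded, entry 2 is the active NTFS partition starting at sector 63 with 607,096,287 sectors (296,433 MB, the C: volume), and entry 1 is the 18,040,995-sector (8,809 MB) recovery partition starting at sector 607,096,350, exactly where C: ends. Its end, sector 625,137,345, is the number in aswMBR's "scanning sectors +625137345" line: the unpartitioned tail of the disk, which is where a TDL4-style bootkit keeps its hidden file system and why aswMBR reads those sectors. aswMBR's "unknown MBR code" on its own only says the boot code did not match its list of known signatures; RogueKiller's MBR check later in the thread decodes the same two entries and names the code, which is the kind of second opinion to have before letting any tool rewrite the sector.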

#20
March 27, 2013 at 18:59:47
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.25.13

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Shawna :: SHAWNA-PC [administrator]

3/27/2013 9:46:56 PM
mbam-log-2013-03-27 (21-46-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 297669
Time elapsed: 12 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#21

#22
March 29, 2013 at 05:10:14
I noticed after I ran aswMBR the last time that a new infection had appeared. Also, why is the one item yellow and locked while the other is red? What does that mean, and are they both infections? Thanks, Shawna


#23
March 29, 2013 at 06:16:21
"Also, why is the one item yellow and locked while the other is red"

Follow this link.

http://public.avast.com/~gmerek/asw...


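The question in #22 (one aswMBR item yellow and marked LOCKED, the other red and marked INFECTED) is about two different kinds of line in the post #19 log. As an added example, not part of aswMBR and not from anyone's post here, the Python below picks those lines out of that log and keeps them apart: **INFECTED** is the Avast engine's verdict on a file it could read; **LOCKED** means the file could not be opened for scanning and carries no verdict at all; "unknown MBR code" means the boot code did not match aswMBR's list of known signatures. The sample lines are copied from post #19; the KNOWN_LOCKED pattern (the Microsoft Security Essentials scan-time driver MpKsl*.sys under its Definition Updates folder, which is normally locked while the product runs) and the action texts are this example's own assumptions.

```python
"""Triage aswMBR log lines: tell the engine's actual detections apart from
lines that only say a file could not be opened for scanning.
Added example for this thread, not part of aswMBR. Sample lines are copied
from the post #19 log; the colour labels follow the thread's own description
(yellow = locked, red = infected); the KNOWN_LOCKED pattern and the action
texts are this example's assumptions."""
import re

# Constructed sample: four lines from the aswMBR run in post #19.
SAMPLE_LOG = r"""
20:44:36.397 Disk 0 unknown MBR code
20:45:30.700 Service MpKsl9fffa534 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9AE40679-7957-4922-978C-5C2F8D5AB352}\MpKsl9fffa534.sys **LOCKED** 32
21:20:08.137 File: C:\Users\Shawna\Downloads\dds.com **INFECTED** Win32:Malware-gen
21:27:12.129 Scan finished successfully
"""

# "<time> <subject> **MARKER** <detail>" lines, e.g. **INFECTED** / **LOCKED**.
MARKER_LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(.*?)\s+\*\*([A-Z]+)\*\*\s*(.*)$")
# "<time> Disk N ... MBR code" lines from the boot-code check.
MBR_CODE_LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+Disk (\d+) (.*MBR code.*)$")

# Files expected to be locked on a machine running Microsoft Security
# Essentials: its scan-time kernel driver is loaded from the definition-update
# GUID folder and cannot be opened while the product is running.
# (Assumption of this example, not a rule aswMBR applies.)
KNOWN_LOCKED = [
    re.compile(r"\\Microsoft Antimalware\\Definition Updates\\\{[0-9A-F-]+\}\\MpKsl[0-9a-f]+\.sys$", re.I),
]


def finding(time, colour, path, verdict, action):
    return {"time": time, "colour": colour, "path": path, "verdict": verdict, "action": action}


def triage_line(line):
    """Return a finding for a noteworthy aswMBR line, or None for noise."""
    m = MARKER_LINE.match(line)
    if m:
        time, subject, marker, detail = m.groups()
        # "Service <name> <path>" and "File: <path>" both end in the path.
        path = subject.split(None, 2)[-1] if subject.startswith("Service ") else subject.replace("File: ", "", 1)
        if marker == "INFECTED":
            # The engine read the file and named a detection; "-gen" names are
            # generic heuristics rather than a signature for one family.
            action = ("generic heuristic name: get a second opinion (e.g. VirusTotal) before deleting"
                      if detail.lower().endswith("-gen") else "engine detection: quarantine and submit for analysis")
            return finding(time, "red", path, detail, action)
        if marker == "LOCKED":
            # No verdict: the file simply could not be opened. Decide what owns it.
            benign = any(p.search(path) for p in KNOWN_LOCKED)
            return finding(time, "yellow", path, "could not be read, no verdict",
                           "expected: the antimalware product's own driver" if benign
                           else "unreadable file: identify the owning driver or service before acting")
        return finding(time, "unknown", path, marker, "marker not handled here; check the aswMBR documentation")
    m = MBR_CODE_LINE.match(line)
    if m and "unknown" in m.group(3):
        return finding(m.group(1), "yellow", "Disk %s MBR" % m.group(2), m.group(3),
                       "boot code not in aswMBR's known list: compare with a second tool's MBR check before using Fix MBR")
    return None


def triage(log_text):
    """All findings from a whole aswMBR log, in log order."""
    return [f for f in (triage_line(l.strip()) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-7s %s\n        %s -> %s" % (f["colour"], f["path"], f["verdict"], f["action"]))
```

Run over the post #19 lines it returns three findings: the MBR-code line and the locked MpKsl driver as yellow (no verdict; the driver belongs to the Microsoft Security Essentials install the first post mentions), and dds.com as red. Win32:Malware-gen is a generic heuristic name rather than a signature for one family, and dds.com is the file name the DDS diagnostic tool handed out on removal forums ships under, so the red item is a real engine detection that still needs confirming, for instance through the VirusTotal route the thread already uses for MBR.dat, before it is deleted.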

#24

#25
March 30, 2013 at 13:33:06
Response removed - it was associated with the log from another computer.

This is the other post:
http://www.computing.net/answers/se...



#26
March 30, 2013 at 14:19:30
#24
Thanks bs27shawna, yes you are still infected.

#25
Thanks Derek.

7: Run ESET Online Scanner, Copy & Paste the contents of the log please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
You may have to download ESET from a good computer, put it on a thumb drive & run it from there, if your comp is unbootable, or won't let you download.
Create a ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...




#27
March 31, 2013 at 05:08:10
I started the new thread because I ran the same scanners on my son's laptop and it was infected too. It is a different computer than the one we have been working on. I didn't want to get them confused. I thought that is what I was supposed to do. It wasn't anything to do with you or your help, and I hope you don't take it that way. But I would like some help getting the virus off his laptop too.


Post #26: is that for the desktop or the laptop? Should I do it to both?



#28
March 31, 2013 at 06:55:19
"I started the new thread because I ran the same scanners on my son's laptop and it was infected too. It is a different computer than the one we have been working on. I didn't want to get them confused"

You did the right thing bs27shawna, post all logs that you have run on your son's laptop & yes include a scan log for ESET.



#29
March 31, 2013 at 12:12:25
Clearly I was wrong for which I apologise. I have edited my #25 here and also my response on the other thread.

"Generally" when starting a new thread it is advisable to let the helper suggest what is necessary because another computer and situation could make a difference to the best way forward.

The post is still there so it should be fine.




#30
April 1, 2013 at 12:11:17
OK, I didn't know how I should do it, so I thought it was best that I start a different thread since it was a different computer. Thanks

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

This is all that was listed under "C:\Program Files\EsetOnlineScanner\log.txt".



#31
April 1, 2013 at 15:29:53
Please download and run RogueKiller from this link:
http://www.bleepingcomputer.com/dow...
Download it to the desktop and run it. It will do a very quick system pre-scan; then click Run, and when the scan is finished click Delete.
A log will be saved please copy and paste in your reply.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#32
April 2, 2013 at 07:26:25
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Shawna [Admin rights]
Mode : Remove -- Date : 04/02/2013 10:26:04
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[TASK][SUSP PATH] RunAsStdUser Task : C:\Users\Shawna\AppData\Local\Temp\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\RunIE.exe -secondattempt hxxp://sp.ask.com/toolbar/toolbarS/toolbar.php?tb=CDS&browser=IE&success=1 [x] -> DELETED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
_INLINE_ : NtClose -> HOOKED (\SystemRoot\system32\DRIVERS\css-dvp.sys @ 0xA88FFB50)
_INLINE_ : NtCreateSection -> HOOKED (\SystemRoot\system32\DRIVERS\css-dvp.sys @ 0xA88FFDBB)
_INLINE_ : NtSetInformationFile -> HOOKED (\SystemRoot\system32\DRIVERS\css-dvp.sys @ 0xA88FF239)
_INLINE_ : NtWriteFile -> HOOKED (\SystemRoot\system32\DRIVERS\css-dvp.sys @ 0xA88FEE85)

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDT725032VLA360 ATA Device +++++
--- User ---
[MBR] 5e0fee256d838e8541e2a3df6bd649d0
[BSP] 7b2750bc94f551dbba2a03ea6d1d1cf5 : Legit.B MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 607096350 | Size: 8809 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 296433 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_04022013_02d1026.txt >>
RKreport[1]_S_04022013_02d1024.txt ; RKreport[2]_D_04022013_02d1026.txt



#33
April 2, 2013 at 13:51:45
Ok next update and run a full Malwarebytes scan please.


#34
May 16, 2013 at 06:55:32
Please download Norton Power Eraser and run a full scan! http://us.norton.com/support/DIY/
