Need help removing rootkit file found by AVAST aswMBR

Custom / CUSTOM
March 30, 2013 at 11:15:13
Specs: Windows Vista, 1.8 GHz / 1014 MB
My desktop has a virus on it and someone on here is helping me with it. So I ran the same scanners on my son's laptop (which is this one) and it has been infected also. I don't know how to remove it. I ran aswMBR and it returned an item in red that said I had an infection. So I uploaded the file to VirusTotal and here is the website showing the results.
https://www.virustotal.com/en/file/...
If someone could please look at it and let me know what to do, I would be grateful. Thanks.


#1
March 30, 2013 at 11:16:53
Here is the log file for aswMBR.

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-03-29 15:35:00
-----------------------------
15:35:00.094 OS Version: Windows 6.0.6002 Service Pack 2
15:35:00.094 Number of processors: 1 586 0x170A
15:35:00.094 ComputerName: GIBBY UserName:
15:35:22.512 Initialize success
15:35:58.267 AVAST engine defs: 13032900
15:36:02.245 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:36:02.245 Disk 0 Vendor: ST9160314AS 0003HPM1 Size: 152627MB BusType: 3
15:36:02.494 Disk 0 MBR read successfully
15:36:02.494 Disk 0 MBR scan
15:36:02.510 Disk 0 unknown MBR code
15:36:02.526 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 141441 MB offset 2048
15:36:02.572 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11182 MB offset 289673216
15:36:02.588 Disk 0 scanning sectors +312573952
15:36:02.838 Disk 0 scanning C:\Windows\system32\drivers
15:36:22.868 Service scanning
15:36:54.333 Modules scanning
15:36:59.481 Disk 0 trace - called modules:
15:36:59.497 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
15:36:59.497 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x854dda20]
15:36:59.512 3 CLASSPNP.SYS[880148b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84a1bb98]
15:37:00.807 AVAST engine scan C:\Windows
15:37:03.771 AVAST engine scan C:\Windows\system32
15:41:06.289 AVAST engine scan C:\Windows\system32\drivers
15:41:22.794 AVAST engine scan C:\Users\tabatha
15:53:44.527 File: C:\Users\tabatha\Downloads\Update.exe **INFECTED** Win32:Malware-gen
15:54:36.272 AVAST engine scan C:\ProgramData
15:57:47.450 Scan finished successfully
18:11:49.718 Disk 0 MBR has been saved successfully to "C:\Users\tabatha\Desktop\MBR.dat"
18:11:49.718 The log file has been saved successfully to "C:\Users\tabatha\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-03-30 10:51:46
-----------------------------
10:51:46.184 OS Version: Windows 6.0.6002 Service Pack 2
10:51:46.184 Number of processors: 1 586 0x170A
10:51:46.184 ComputerName: GIBBY UserName:
10:51:48.743 Initialize success
10:52:24.031 AVAST engine defs: 13032900
10:52:25.498 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
10:52:25.498 Disk 0 Vendor: ST9160314AS 0003HPM1 Size: 152627MB BusType: 3
10:52:26.044 Disk 0 MBR read successfully
10:52:26.044 Disk 0 MBR scan
10:52:26.059 Disk 0 Windows VISTA default MBR code
10:52:26.075 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 141441 MB offset 2048
10:52:26.106 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11182 MB offset 289673216
10:52:26.169 Disk 0 scanning sectors +312573952
10:52:26.481 Disk 0 scanning C:\Windows\system32\drivers
10:52:55.486 Service scanning
10:53:16.235 Service MpKsl85250510 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{36EF1316-8A32-4FFF-B25C-D52CDFB15A61}\MpKsl85250510.sys **LOCKED** 32
10:54:14.767 Modules scanning
10:54:51.396 Disk 0 trace - called modules:
10:54:51.443 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys partmgr.sys volmgr.sys ecache.sys volsnap.sys
10:54:51.458 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85d685e0]
10:54:51.458 3 CLASSPNP.SYS[826118b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84a19b98]
10:55:11.317 AVAST engine scan C:\Windows
10:55:34.561 AVAST engine scan C:\Windows\system32
11:07:05.164 AVAST engine scan C:\Windows\system32\drivers
11:08:05.821 AVAST engine scan C:\Users\tabatha
11:27:43.119 File: C:\Users\tabatha\Downloads\Update.exe **INFECTED** Win32:Malware-gen
11:28:38.968 AVAST engine scan C:\ProgramData
11:34:27.217 Scan finished successfully
12:57:39.615 File "C:\Users\tabatha\Downloads\Update.exe" has been saved successfully to:
12:57:39.662 "C:\Users\tabatha\Desktop\copy_Update.exe"
14:15:46.991 Disk 0 MBR has been saved successfully to "C:\Users\tabatha\Desktop\MBR.dat"
14:15:47.319 The log file has been saved successfully to "C:\Users\tabatha\Desktop\aswMBR.txt"




#2
March 30, 2013 at 13:28:30
Removed my response - posted in error.



#3
April 1, 2013 at 09:18:45
Here is the aswMBR log.
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-04-01 11:23:53
-----------------------------



#4
April 1, 2013 at 09:19:31
Here is the unhide log.
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 03/29/2013 02:16:12 PM
Windows Version: Windows Vista

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 309655 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 325 files processed.

The C:\Users\tabatha\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Program finished at: 03/29/2013 02:24:03 PM
Execution time: 0 hours(s), 7 minute(s), and 51 seconds(s)



#5
April 1, 2013 at 09:20:19
Here is the JRT log.
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.3 (03.23.2013:1)
OS: Windows Vista (TM) Home Premium x86
Ran by tabatha on Fri 03/29/2013 at 18:18:50.31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{cce665dd-f6dd-4808-968e-eaec971f70ef}
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{cce665dd-f6dd-4808-968e-eaec971f70ef}

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478d38-c3f9-4efb-9b51-7695eca05670}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{74322bf9-df26-493f-b0da-6d2fc5e6429e}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{74322bf9-df26-493f-b0da-6d2fc5e6429e}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{90b49673-5506-483e-b92b-ca0265bd9ca8}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{95b7759c-8c7f-4bf1-b163-73684a933233}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ab6bd08c-db6b-4f02-8a22-4bd343e990ff}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{ab6bd08c-db6b-4f02-8a22-4bd343e990ff}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}

~~~ Files

Successfully deleted: [File] "C:\Windows\tasks\candyupdater.job"

~~~ Folders

Failed to delete: [Folder] "C:\ProgramData\boost_interprocess"
Successfully deleted: [Folder] "C:\ProgramData\free ride games"
Failed to delete: [Folder] "C:\ProgramData\application data\boost_interprocess"
Successfully deleted: [Folder] "C:\Users\tabatha\appdata\local\arcadecandy"
Successfully deleted: [Folder] "C:\Program Files\free ride games"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 03/29/2013 at 18:22:34.98
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#6
April 1, 2013 at 10:06:51
Here is the HitmanPro log.
[code]
HitmanPro 3.7.3.192
www.hitmanpro.com

Computer name . . . . : GIBBY
Windows . . . . . . . : 6.0.2.6002.X86/1
User name . . . . . . : gibby\tabatha
UAC . . . . . . . . . : Enabled
License . . . . . . . : Trial (27 days left)

Scan date . . . . . . : 2013-04-01 12:21:58
Scan mode . . . . . . : Normal
Scan duration . . . . : 27m 9s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 0
Traces . . . . . . . : 90

Objects scanned . . . : 1,712,457
Files scanned . . . . : 28,726
Remnants scanned . . : 394,042 files / 1,289,689 keys

Cookies _____________________________________________________________________

[/code]



#7
April 1, 2013 at 10:13:26
Here is the ListParts log.
ListParts by Farbar Version: 10-03-2013
Ran by tabatha (administrator) on 01-04-2013 at 13:07:13
Windows Vista (X86)
Running From: C:\Users\tabatha\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 58%
Total physical RAM: 1978.44 MB
Available physical RAM: 827.26 MB
Total Pagefile: 4208.16 MB
Available Pagefile: 2755.02 MB
Total Virtual: 2047.88 MB
Available Virtual: 1967.46 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:138.13 GB) (Free:81.5 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:10.92 GB) (Free:1.39 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 1024 KB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 138 GB 1024 KB
Partition 2 Primary 11 GB 138 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 138 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RECOVERY NTFS Partition 11 GB Healthy

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 1A127DC8

Partition 1:
===========
Hex: 8020210007FEFFFF0008000000084411
Active: YES
Type: 07 (NTFS)
Size: 138 GB

Partition 2:
===========
Hex: 00FEFFFF07FEFFFF0010441100705D01
Active: NO
Type: 07 (NTFS)
Size: 11 GB


****** End Of Log ******
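The two "Hex:" lines in the ListParts output are the raw 16-byte MBR partition entries. Decoding them and comparing with what aswMBR reported (offset 2048 / 141441 MB, offset 289673216 / 11182 MB, and the "scanning sectors +312573952" tail) is a quick way to confirm the partition table itself is consistent. This is an added example, not code from ListParts, aswMBR or anyone in this thread; it assumes only the standard MBR entry layout (status byte, CHS start, type, CHS end, LBA start, sector count, little-endian).

```python
"""Decode the MBR partition entries ListParts printed as hex and cross-check
them against the offsets/sizes aswMBR reported in the same thread.
Added example; not part of ListParts or aswMBR."""
import struct

# Raw 16-byte entries copied from the ListParts log.
LISTPARTS_ENTRIES = [
    "8020210007FEFFFF0008000000084411",  # Partition 1
    "00FEFFFF07FEFFFF0010441100705D01",  # Partition 2
]

# What aswMBR reported for the same disk (offset in sectors, size in MB).
ASWMBR = [
    {"active": True, "type": 0x07, "offset": 2048, "size_mb": 141441},
    {"active": False, "type": 0x07, "offset": 289673216, "size_mb": 11182},
]
ASWMBR_SCAN_START = 312573952   # "Disk 0 scanning sectors +312573952"
DISK_SIZE_MB = 152627           # "Size: 152627MB" (aswMBR truncates to whole MB)
SECTOR = 512


def parse_entry(hex_entry: str) -> dict:
    """Unpack one classic MBR partition entry (16 bytes, little-endian)."""
    raw = bytes.fromhex(hex_entry)
    if len(raw) != 16:
        raise ValueError("MBR partition entry must be 16 bytes")
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", raw)
    return {
        "status": status,
        "active": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "lba_end": lba_start + sectors,      # first sector after the partition
        "size_mb": sectors * SECTOR // (1024 * 1024),
    }


def cross_check(entries, reported, scan_start):
    """Compare decoded entries with aswMBR's report; return a list of findings
    (empty means the table and the scanner agree)."""
    findings = []
    parsed = [parse_entry(e) for e in entries]
    for i, (p, r) in enumerate(zip(parsed, reported), start=1):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte {p['status']:#04x}")
        if p["active"] != r["active"] or p["type"] != r["type"]:
            findings.append(f"partition {i}: flag/type disagree with aswMBR")
        if p["lba_start"] != r["offset"] or p["size_mb"] != r["size_mb"]:
            findings.append(f"partition {i}: offset/size disagree with aswMBR")
    # Entries must be ordered and non-overlapping.
    for i in range(1, len(parsed)):
        if parsed[i]["lba_start"] < parsed[i - 1]["lba_end"]:
            findings.append(f"partition {i + 1} overlaps partition {i}")
    # aswMBR scans the unpartitioned tail after the last partition (a place
    # bootkits hide data); its scan start should equal the last partition's end.
    last_end = parsed[-1]["lba_end"]
    if last_end != scan_start:
        findings.append(f"last partition ends at {last_end}, "
                        f"but aswMBR scan began at {scan_start}")
    active = sum(1 for p in parsed if p["active"])
    if active != 1:
        findings.append(f"{active} active partitions (expected exactly 1)")
    return findings


def unpartitioned_tail_sectors(entries, disk_size_mb):
    """Approximate sectors between the last partition's end and the end of the
    disk, using aswMBR's whole-MB disk size."""
    last_end = parse_entry(entries[-1])["lba_end"]
    return disk_size_mb * 1024 * 1024 // SECTOR - last_end


if __name__ == "__main__":
    for i, e in enumerate(LISTPARTS_ENTRIES, start=1):
        print(f"Partition {i}:", parse_entry(e))
    print("findings:", cross_check(LISTPARTS_ENTRIES, ASWMBR, ASWMBR_SCAN_START))
    print("unpartitioned tail sectors (approx.):",
          unpartitioned_tail_sectors(LISTPARTS_ENTRIES, DISK_SIZE_MB))
```

For this thread's disk the two entries decode to exactly the offsets and sizes aswMBR printed, partition 2 starts where partition 1 ends, and the aswMBR tail scan begins right after partition 2, so the partition table is internally consistent; the "unknown MBR code" on the first run concerns the boot code, which these entries do not cover.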



#8
April 1, 2013 at 13:33:37
Here is the ESET log.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=6ce0bc2e59211d4183fe82bdbd0a2338
# engine=13525
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-04-01 12:57:37
# local_time=2013-04-01 08:57:37 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 100 21474506 201428585 0 0
# scanned=279239
# found=1
# cleaned=1
# scan_time=7648
sh=A2C31231AB8629EEF64E4354644B9DA27D5676AD ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.CVE-2013-0422.CF trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\tabatha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\366c4590-73fbd8a9"


#9
April 1, 2013 at 13:35:54
This is what was listed on the screen at the end of the ESET scan.
C:\Users\tabatha\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.6.windows.exe multiple threats cleaned by deleting - quarantined
C:\Users\tabatha\Desktop\copy_Update.exe a variant of Win32/AirAdInstaller.A application cleaned by deleting - quarantined
C:\Users\tabatha\Downloads\ArcadeCandyGames (1).exe a variant of Win32/Adware.Gamevance.DD application cleaned by deleting - quarantined
C:\Users\tabatha\Downloads\ArcadeCandyGames (3).exe a variant of Win32/Adware.Gamevance.DD application cleaned by deleting - quarantined
C:\Users\tabatha\Downloads\ArcadeCandyGames.exe a variant of Win32/Adware.Gamevance.DD application cleaned by deleting - quarantined
C:\Users\tabatha\Downloads\cbsidlm-tr1_6-Horizon-75452078.exe Win32/DownloadAdmin.G application cleaned by deleting - quarantined
C:\Users\tabatha\Downloads\Update.exe a variant of Win32/AirAdInstaller.A application cleaned by deleting - quarantined


#10
April 1, 2013 at 13:49:28

Download AdwCleaner from this link:

http://www.bleepingcomputer.com/dow...
AdwCleaner Usage Instructions:
Using AdwCleaner is very simple. Simply download the program and run it. You will then be presented with a screen that contains a Search and Delete button. The Search button will cause AdwCleaner to search your computer for unwanted programs and then display a log showing the various files, folders, and registry entries used by these programs.
To delete these unwanted programs simply click on the Delete button, which will cause AdwCleaner to reboot your computer and remove the files and registry entries associated with the various adware that you are removing. On reboot, AdwCleaner will display a log showing the files, folders, and registry entries that were removed.
Please include the log in your next reply.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#11
April 2, 2013 at 07:54:48
# AdwCleaner v2.115 - Logfile created 04/02/2013 at 10:54:08
# Updated 17/03/2013 by Xplode
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# User : tabatha - GIBBY
# Boot Mode : Normal
# Running from : C:\Users\tabatha\Desktop\AdwCleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\ProgramData\boost_interprocess

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16470

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.43

File : C:\Users\tabatha\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [14234 octets] - [29/03/2013 15:26:25]
AdwCleaner[R2].txt - [1065 octets] - [01/04/2013 16:38:34]
AdwCleaner[R3].txt - [839 octets] - [02/04/2013 10:54:08]
AdwCleaner[S1].txt - [13905 octets] - [29/03/2013 15:26:42]
AdwCleaner[S2].txt - [1132 octets] - [01/04/2013 16:38:59]

########## EOF - C:\AdwCleaner[R3].txt - [1019 octets] ##########



#12
April 2, 2013 at 10:03:59
This is after I deleted the items.
# AdwCleaner v2.115 - Logfile created 04/02/2013 at 10:54:57
# Updated 17/03/2013 by Xplode
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# User : tabatha - GIBBY
# Boot Mode : Normal
# Running from : C:\Users\tabatha\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\ProgramData\boost_interprocess

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16470

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.43

File : C:\Users\tabatha\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [14234 octets] - [29/03/2013 15:26:25]
AdwCleaner[R2].txt - [1065 octets] - [01/04/2013 16:38:34]
AdwCleaner[R3].txt - [1088 octets] - [02/04/2013 10:54:08]
AdwCleaner[S1].txt - [13905 octets] - [29/03/2013 15:26:42]
AdwCleaner[S2].txt - [1132 octets] - [01/04/2013 16:38:59]
AdwCleaner[S3].txt - [1025 octets] - [02/04/2013 10:54:57]

########## EOF - C:\AdwCleaner[S3].txt - [1085 octets] ##########



#13
April 2, 2013 at 13:54:36
OK, now download Malwarebytes Free and run a full scan. Here's the link:
http://www.malwarebytes.org/
Copy and paste the log in your next reply, thanks.



#14
April 3, 2013 at 08:45:00

Database version: v2013.04.03.03

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
tabatha :: GIBBY [administrator]

4/3/2013 6:49:42 AM
MBAM-log-2013-04-03 (11-44-32).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 507150
Time elapsed: 2 hour(s), 44 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\tabatha\Downloads\Spam Bot.exe (Trojan.Spambot) -> No action taken.

(end)



#15
April 3, 2013 at 08:46:40
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.04.03.03

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Shawna :: SHAWNA-PC [administrator]

4/3/2013 7:21:03 AM
mbam-log-2013-04-03 (07-21-03).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 482608
Time elapsed: 1 hour(s), 45 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#16
April 3, 2013 at 13:33:25
How's your PC running now?



#17
April 6, 2013 at 05:18:19
It's not running right. When I first turn it on it acts as though it is asleep, and if I let it, it would stay that way, but I usually have to tap the power button and then hit FN+F4. I have checked to make sure the sleep settings are still set correctly also. Once I had to use a boot disk to get it to start. I am not usually on that laptop, so that's really all that I know about it. It is my son's laptop.


#18
April 6, 2013 at 16:44:10
Have you just updated Vista by any chance?



#19
April 6, 2013 at 16:52:22
Download and run Secunia Personal Software Inspector from here:
http://secunia.com/vulnerability_sc...
It will run a check of your PC for out-of-date drivers and software; once finished, it will give links to each update. Do them one at a time until finished.

