Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Hi,

I'm new to this forum but I've heard good things about you guys so here goes.

Once in a while my computer will do the following (I hope I've got this right):-
1) Press 'Y'
2) Alt+F4
3) Launch 'Library'
4) Launch 'Library' again
5) Press 'F1' (to launch Windows Help and Support)
6) Alt+F4
7) Alt+F4

It always does it in that specific order. I am not sure about the first two steps but am pretty sure of the rest. So far, it only happens when I am using Google Chrome, Firefox or when I play Diablo 3. It doesn't happen when I watch a movie or perform antivirus scans. I performed scans with Avast!, MalwareBytes, SpyBot and Windows Defender. They did come up with a few things which I have cleaned, but the problem still occurs. I re-updated this software and rescanned my computer again with the same software and it came up clean. Most frequently, it happens every 10 minutes. When I leave my computer turned on for a day without touching it or to allow a full system scan, it doesn't happen at all. This time around it happened twice after startup and hasn't done it since.

I've tried googling this but didn't manage to come up with anything helpful. I do share my computer with 2 siblings so I'm not sure if it's something they have done. We are not very savvy when it comes to these kinds of things but we have kept our computer clean for quite a while now.

Please see attached OTL, Extra and Security Checks logs in the .doc file. I tried running the aswMBR but a blue screen came up. I will re-run that again.

Please help! Thank you in advance.

~Stressed!

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Hi,

I got the aswMBR to work and here it is

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-03 01:51:57
-----------------------------
01:51:57.587 OS Version: Windows x64 6.1.7601 Service Pack 1
01:51:57.587 Number of processors: 4 586 0x170A
01:51:57.587 ComputerName: HANNMENG UserName:
01:51:59.757 Initialize success
01:52:03.357 AVAST engine defs: 12060200
01:52:10.473 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
01:52:10.478 Disk 0 Vendor: WDC_WD20EARS-00MVWB0 51.0AB51 Size: 1907729MB BusType: 3
01:52:10.478 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-3
01:52:10.483 Disk 1 Vendor: ST31000333AS CC1H Size: 953869MB BusType: 3
01:52:10.498 Disk 1 MBR read successfully
01:52:10.503 Disk 1 MBR scan
01:52:10.503 Disk 1 Windows 7 default MBR code
01:52:10.508 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 953867 MB offset 2048
01:52:10.533 Disk 1 scanning C:\Windows\system32\drivers
01:52:23.029 Service scanning
01:52:39.787 Modules scanning
01:52:39.792 Disk 1 trace - called modules:
01:52:39.797
01:52:41.397 AVAST engine scan C:\Windows
01:52:44.738 AVAST engine scan C:\Windows\system32
01:55:08.045 AVAST engine scan C:\Windows\system32\drivers
01:55:21.201 AVAST engine scan C:\Users\Hann Meng
02:03:18.221 Disk 1 MBR has been saved successfully to "C:\Users\Hann Meng\Desktop\MBR.dat"
02:03:18.226 The log file has been saved successfully to "C:\Users\Hann Meng\Desktop\aswMBR.txt"


Thanks again!

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

You may want to consider purchasing Malwarebytes' Anti-Malware to protect against viruses and other threats.
Additionally, purchasing an effective antivirus program is a good idea. This will protect your identity and your computer against all types of viruses and other malware. See the Cheetah Market now:
*****************************************************************
That is strange behaviour and I'm not sure what's causing it. We should run a few scans and see what turns up.

I strongly recommend that you remove Ask from your computer because it:

•Promotes its toolbars on sites targeted to kids.

•Promotes its toolbars through ads that appear to be part of other companies' sites.

•Promotes its toolbars through other companies' spyware.

•Installs without any disclosure whatsoever and without any consent whatsoever.

•Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

•Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

See Here for more info.

If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

AskBarDis or anything related to Ask

Then please find and delete this folder in bold (if present):
C:\Program Files\AskBarDis, or anything related to Ask.
*****************************************************
P2P - I see you have P2P software installed on your machine: uTorrent. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
**************************************************
I also noticed that your free space on your hard drive is down to 20%. You should really keep an eye on this and not let it drop below 15%, at which point you will start having operation problems.

* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

Code:

:OTL
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: []  File not found
O8:64bit: - Extra context menu item: Search the Web - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\menuext.html File not found
O8 - Extra context menu item: Search the Web - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\menuext.html File not found
O18:64bit: - Protocol\Handler\linkscanner - No CLSID value found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll File not found

:COMMANDS
[resethosts]
[purity]
[start explorer]


* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.
**********************************************************
Let's run a few more scans to see what turns up.

Please download aswMBR.exe (511KB) to your desktop.

Double click the aswMBR.exe to run it

(screenshot: aswMBR Scan button)

Click the "Scan" button to start scan

Note: Do not take action against any Rootkit entries until I have reviewed the log. Often there are false positives.

(screenshot: aswMBR Save log button)

On completion of the scan click save log, save it to your desktop and post in your next reply.
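
As an added example (not part of this thread and not OTL's own code), here is a read-only PowerShell script that walks the same registry locations the O2, O4 and O18 lines in the OTL fix above refer to, and reports entries in the same spirit as OTL's "File not found" and "No CLSID value found" lines: a BHO or protocol handler whose CLSID has no InprocServer32, or whose DLL is gone, and a Run/RunOnce value whose target no longer exists. It ends with a hosts-file check that lists whatever [resethosts] would have wiped. The Wow6432Node paths for the 32-bit views and the wording of the output are assumptions modelled on OTL's report; nothing is deleted, so it is safe to run before deciding on a fix. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original thread or from OTL. Read-only: it prints
# suspicious autostart / IE extension-point entries and changes nothing.
# Paths under Wow6432Node are the 32-bit views and are an assumption here.

function Resolve-ClsidPath {
    param([string]$Clsid)
    # A COM server DLL is recorded under CLSID\{guid}\InprocServer32 (default value).
    # Check the native hive first, then the 32-bit view.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $srv = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $srv) {
            $p = (Get-ItemProperty $srv).'(default)'
            if ($p) { return [Environment]::ExpandEnvironmentVariables($p.Trim('"')) }
        }
    }
    return $null
}

function Test-TargetFile {
    param([string]$Command)
    # Run-key data is a command line: quoted path, or unquoted path with spaces
    # followed by arguments. Try the quoted form first, then every space-delimited
    # prefix, longest first. Bare names (e.g. RAVCpl64.exe) are looked up on PATH only,
    # so a hit via App Paths would be missed; treat a "not found" as a lead, not a verdict.
    if (-not $Command) { return $false }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return Test-Path -LiteralPath $Matches[1] }
    $parts = $cmd -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $cand = ($parts[0..($i - 1)] -join ' ')
        if ($cand -match '^[A-Za-z]:\\') {
            if (Test-Path -LiteralPath $cand) { return $true }
        } elseif (Get-Command $cand -ErrorAction SilentlyContinue) {
            return $true
        }
    }
    return $false
}

# O2 - Browser Helper Objects, 64-bit and 32-bit views
foreach ($bhoKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
    if (-not (Test-Path $bhoKey)) { continue }
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $dll = Resolve-ClsidPath $clsid
        if (-not $dll) { "O2 BHO $clsid : No CLSID value found" }
        elseif (-not (Test-Path -LiteralPath $dll)) { "O2 BHO $clsid -> $dll : File not found" }
    }
}

# O4 - Run / RunOnce for the machine (both views) and the current user
foreach ($runKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
                    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $runKey)) { continue }
    $props = Get-ItemProperty $runKey
    # Skip the PS* metadata properties PowerShell adds to the object.
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $cmd = $props.$name
        if (-not (Test-TargetFile $cmd)) { "O4 $runKey\$name = '$cmd' : File not found" }
    }
}

# O18 - pluggable protocol handlers registered for Internet Explorer
foreach ($phKey in 'HKLM:\SOFTWARE\Classes\PROTOCOLS\Handler',
                   'HKLM:\SOFTWARE\Classes\Wow6432Node\PROTOCOLS\Handler') {
    if (-not (Test-Path $phKey)) { continue }
    Get-ChildItem $phKey | ForEach-Object {
        $scheme = $_.PSChildName
        $clsid = (Get-ItemProperty $_.PSPath).CLSID
        if (-not $clsid) { "O18 Protocol\Handler\$scheme : No CLSID value found"; return }
        $dll = Resolve-ClsidPath $clsid
        if (-not $dll) { "O18 Protocol\Handler\$scheme $clsid : No CLSID value found" }
        elseif (-not (Test-Path -LiteralPath $dll)) { "O18 Protocol\Handler\$scheme $clsid -> $dll : File not found" }
    }
}

# What [resethosts] would undo: every active (non-comment) hosts entry other than localhost.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { "HOSTS non-default entry: $_" }
```

The output is meant to be read the way a helper reads an OTL log: an orphaned BHO or handler whose DLL has been uninstalled (the AVG8 and SweetIM leftovers above are this pattern) is clutter to clean, while a Run entry or hosts line pointing at something unexpected is what deserves a closer look before any fix is applied.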

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Hi,

Thanks for your prompt reply. I managed to remove the Ask toolbar. I can't seem to find uTorrent in the list of 'Add/Remove Programs'. I'll get my brother to do it later.

Here are the logs.
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Search the Web\ deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.42.1 log created on 06032012_114014

Here is the aswMBR log :-

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-03 11:42:34
-----------------------------
11:42:34.470 OS Version: Windows x64 6.1.7601 Service Pack 1
11:42:34.470 Number of processors: 4 586 0x170A
11:42:34.470 ComputerName: HANNMENG UserName:
11:42:40.805 Initialize success
11:42:44.377 AVAST engine defs: 12060201
11:42:46.046 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:42:46.046 Disk 0 Vendor: WDC_WD20EARS-00MVWB0 51.0AB51 Size: 1907729MB BusType: 3
11:42:46.046 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-3
11:42:46.062 Disk 1 Vendor: ST31000333AS CC1H Size: 953869MB BusType: 3
11:42:46.077 Disk 1 MBR read successfully
11:42:46.077 Disk 1 MBR scan
11:42:46.077 Disk 1 Windows 7 default MBR code
11:42:46.077 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 953867 MB offset 2048
11:42:46.093 Disk 1 scanning C:\Windows\system32\drivers
11:42:56.452 Service scanning
11:43:13.004 Modules scanning
11:43:13.004 Disk 1 trace - called modules:
11:43:13.035 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys
11:43:13.535 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8004ad2060]
11:43:13.535 3 CLASSPNP.SYS[fffff88001b7143f] -> nt!IofCallDriver -> [0xfffffa80047c9670]
11:43:13.535 5 ACPI.sys[fffff88000ee97a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-3[0xfffffa80047e4060]
11:43:14.876 AVAST engine scan C:\Windows
11:43:36.140 AVAST engine scan C:\Windows\system32
11:46:03.909 AVAST engine scan C:\Windows\system32\drivers
11:46:17.076 AVAST engine scan C:\Users\Hann Meng
11:46:50.914 Disk 1 MBR has been saved successfully to "C:\Users\Hann Meng\Desktop\MBR.dat"
11:46:50.914 The log file has been saved successfully to "C:\Users\Hann Meng\Desktop\aswMBR2.txt"


Thank you

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Download Combofix from any of the links below, and save it to your DESKTOP.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:

(screenshot: NSIS_disclaimer_ENG)

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

(screenshot: NSIS_extraction)

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

(screenshot: RcAuto1)

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: Whatnext)

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Hi,

After ComboFix did its thing, the computer restarted, and on the first restart I couldn't open any browsers or restart my antivirus, but after the second restart I can relaunch my browsers.

Here are the log contents :-

ComboFix 12-06-03.05 - Hann Meng 04/06/2012 17:37:00.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.4095.2553 [GMT 10:00]
Running from: c:\users\Hann Meng\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\muzapp.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-04 to 2012-06-04 )))))))))))))))))))))))))))))))
.
.
2012-06-04 07:46 . 2012-06-04 07:46 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-06-04 07:46 . 2012-06-04 07:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-03 01:40 . 2012-06-03 01:40 -------- d-----w- C:\_OTL
2012-06-01 15:01 . 2012-06-01 15:01 -------- d--h--w- c:\programdata\Common Files
2012-06-01 00:33 . 2012-03-07 01:02 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-05-31 12:02 . 2012-05-14 15:41 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C0F09751-9E91-4F52-A92C-DF66331EDFDA}\mpengine.dll
2012-05-31 11:13 . 2012-05-31 12:12 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-05-31 11:13 . 2012-05-31 11:18 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-05-31 11:06 . 2012-05-31 11:06 -------- d-----w- c:\users\Hann Meng\AppData\Roaming\Malwarebytes
2012-05-31 11:06 . 2012-05-31 11:06 -------- d-----w- c:\programdata\Malwarebytes
2012-05-31 11:06 . 2012-04-04 05:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-31 11:05 . 2012-05-31 11:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-15 08:51 . 2012-06-01 14:29 -------- d-----w- c:\program files (x86)\Diablo III
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\SysWow64\GPhotos.scr
2012-03-07 01:15 . 2010-12-25 08:46 41184 ----a-w- c:\windows\avastSS.scr
2012-03-07 01:15 . 2010-12-25 08:46 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-03-07 01:15 . 2011-08-27 12:48 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-07 01:04 . 2011-08-27 12:48 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-07 01:04 . 2010-12-25 08:47 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-07 01:01 . 2010-12-25 08:47 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-07 01:01 . 2010-12-25 08:47 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-07 01:01 . 2010-12-25 08:47 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 163328]
"InternodeUsage"="c:\progra~2\INTERN~2\mum.exe" [2011-02-19 1361408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"B Register c:\program files (x86)\DivX\DivX Plus Player\DPXPlugins\DPXDFXAudioPlugin.dll"="c:\windows\system32\rundll32.exe" [2009-07-14 44544]
"B Register c:\program files (x86)\DivX\DivX Plus Player\DSEPlugins\DFXAudioPlugin.dll"="c:\windows\system32\rundll32.exe" [2009-07-14 44544]
"B Register c:\program files (x86)\DivX\DivX Plus Player\DPXPlugins\DPXBannerAdPlugin.dll"="c:\windows\system32\rundll32.exe" [2009-07-14 44544]
"B Register c:\program files (x86)\DivX\DivX Plus Player\DPXPlugins\DPXDownloadManagerPlugin.dll"="c:\windows\system32\rundll32.exe" [2009-07-14 44544]
"B Register c:\program files (x86)\DivX\DivX Plus Player\DPXPlugins\DPXMediaManagerPlugin.dll"="c:\windows\system32\rundll32.exe" [2009-07-14 44544]
"B Register c:\program files (x86)\DivX\DivX Plus Player\DPXPlugins\DPXPlayerPlugin.dll"="c:\windows\system32\rundll32.exe" [2009-07-14 44544]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WG311v3\WG311v3.exe [2005-8-31 1691648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\setup\disabledrunkeys]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe"
.
R2 avg8emc;AVG Free8 E-mail Scanner;c:\program files (x86)\AVG\AVG8\avgemc.exe [x]
R2 avg8wd;AVG Free8 WatchDog;c:\program files (x86)\AVG\AVG8\avgwdsvc.exe [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [x]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [x]
R3 MRV6X64P;Vista 64-bits Native WiFi Driver;c:\windows\system32\DRIVERS\MRVW13C.sys [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 TunngleService;TunngleService;c:\program files (x86)\Tunngle\TnglCtrl.exe [2012-02-14 736104]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x]
R4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-14 381248]
S0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 AvgLdx64;AVG Free AVI Loader Driver x64;c:\windows\System32\Drivers\avgldx64.sys [x]
S1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;c:\windows\System32\Drivers\avgmfx64.sys [x]
S1 AvgTdiA;AVG Free8 Network Redirector x64;c:\windows\System32\Drivers\avgtdia.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2011-12-14 2984832]
S3 ALSysIO;ALSysIO;c:\users\HANNME~1\AppData\Local\Temp\ALSysIO64.sys [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 jumi;%Jumi%;c:\windows\system32\DRIVERS\jumi.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3945265486-2923517700-1054360051-1000Core.job
- c:\users\Hann Meng\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-03 09:07]
.
2012-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3945265486-2923517700-1054360051-1000UA.job
- c:\users\Hann Meng\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-03 09:07]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-07 01:15 135408 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-08-29 6477344]
"Skytel"="Skytel.exe" [2008-08-29 1833504]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 2191632]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 3036944]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.ask.com/?l=dis&o=15183
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with Mipony - file://c:\program files (x86)\MiPony\Browser\IEContext.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D4DF5694-F52B-4C36-9D4D-B247F32B227E}: NameServer = 192.168.1.1,192.168.1.2
FF - ProfilePath - c:\users\Hann Meng\AppData\Roaming\Mozilla\Firefox\Profiles\uzpadhyz.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - www.gmail.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Download status: {9fb8c270-7124-11dd-ad8b-0800200c9a66} - %profile%\extensions\{9fb8c270-7124-11dd-ad8b-0800200c9a66}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\Alwil Software\Avast5\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-AVG8Uninstall - c:\program files (x86)\AVG\AVG8\setup.exe
AddRemove-OggDS - c:\windows\system32\OggDSuninst.exe
AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-X-Men Legends II: Rise of Apocalypse - c:\users\Hann Meng\Desktop\Desktop\X-Men Legends II Rise of Apocalypse\uninstall.exe
AddRemove-{4E79A60F-15D2-4BEC-91AD-E41EC42E61B0} - c:\program files\InstallShield Installation Information\{4E79A60F-15D2-4BEC-91AD-E41EC42E61B0}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\ASUS\Six Engine\SixEngine.exe
c:\program files (x86)\TeamViewer\Version7\TeamViewer.exe
c:\program files (x86)\TeamViewer\Version7\tv_w32.exe
.
**************************************************************************
.
Completion time: 2012-06-04 17:55:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-04 07:55
.
Pre-Run: 216,519,450,624 bytes free
Post-Run: 216,158,957,568 bytes free
.
- - End Of File - - 91F491E13FA1920F2C4EA9FF592C4CF3


Thank you again!

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Good job.

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
****************************************************
Please download Rooter and Save it to your desktop.

  • Double click it to start the tool. On Vista and Windows 7, run it as administrator.
  • Click Scan.
  • Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Hi,

Here are the contents of the Security Check:-

Results of screen317's Security Check version 0.99.41
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.61.0.1400
Java(TM) 6 Update 29
Java version out of date!
Adobe Flash Player 10 Flash Player out of date!
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (3.0.19) Firefox out of Date!
Google Chrome 19.0.1084.52
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Spybot Teatimer.exe is disabled!
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````


And the Rooter.txt :-

Rooter.exe (v1.0.2) by Eric_71
.
The token does not have the SeDebugPrivilege privilege ! (error:1300)
Can not acquire SeDebugPrivilege !
Please run the tool as administrator ..

.
Windows 7 . (6.1.7601) Service Pack 1
[32_bits] - Intel64 Family 6 Model 23 Stepping 10, GenuineIntel
.
Error OpenService (wscsvc) : 6
Error OpenSCManager : 5
Error OpenService (MpsSvc) : 6
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 9.0.8112.16421
Mozilla Firefox 3.0.19 (en-GB)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:931 Go - Free:200 Go )
D:\ [Fixed-NTFS] .. ( Total:1862 Go - Free:1007 Go )
E:\ [CD_Rom]
.
Scan : 08:51.38
Path : C:\Users\Hann Meng\Desktop\Rooter.exe
User : Hann Meng ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
Locked smss.exe??0 (424)
Locked csrss.ex??0 (556)
Locked wininit.??0 (620)
Locked csrss.ex??0 (640)
Locked winlogon??0 (684)
Locked services??0 (728)
Locked lsass.ex??0 (748)
Locked lsm.exe (756)
Locked svchost.??0 (856)
Locked nvvsvc.e??0 (928)
Locked svchost.??0 (968)
Locked svchost.??0 (572)
Locked svchost.??0 (500)
Locked svchost.??0 (952)
Locked svchost.??0 (1172)
Locked nvxdsync??0 (1276)
Locked nvvsvc.e??0 (1288)
Locked svchost.??0 (1324)
Locked AvastSvc??0 (1500)
Locked spoolsv.??0 (1700)
Locked svchost.??0 (1736)
Locked AppleMob??0 (1836)
______ ?????????? (1248)
Locked taskeng.??0 (1544)
______ ?????????? (1092)
______ ?????????? (2072)
Locked SixEngin??0 (2124)
Locked mDNSResp??0 (2532)
Locked svchost.??0 (2600)
Locked mdm.exe (2624)
Locked svchost.??0 (2712)
Locked TeamView??0 (2864)
Locked svchost.??0 (2908)
Locked WLIDSVC.??0 (2952)
Locked SDWinSec??0 (3128)
Locked WLIDSVCM??0 (3272)
______ C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe (3296)
Locked SearchIn??0 (3612)
Locked tv_w32.e??0 (3760)
Locked svchost.??0 (3840)
Locked tv_x64.e??0 (3924)
______ ?????????? (3948)
______ ?????????? (3756)
______ ?????????? (4048)
______ ?????????? (1056)
______ ?????????? (216)
______ C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\G15NetSpeed.exe (2892)
______ ?????????? (4188)
______ ?????????? (4216)
______ ?????????? (4428)
Locked wmpnetwk??0 (4548)
______ C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe (4556)
______ C:\Program Files (x86)\NETGEAR\WG311v3\WG311v3.exe (4576)
Locked svchost.??0 (4616)
______ C:\Program Files (x86)\PowerISO\PWRISOVM.EXE (4904)
______ C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (4968)
Locked dllhost.??0 (4224)
Locked mbamserv??0 (4512)
Locked daemonu.??0 (1188)
______ ?????????? (3700)
______ C:\Program Files\Alwil Software\Avast5\AvastUI.exe (4400)
Locked audiodg.??0 (5236)
______ C:\Program Files (x86)\VideoLAN\VLC\vlc.exe (5632)
______ C:\Program Files (x86)\Mozilla Firefox\firefox.exe (1676)
______ C:\Users\Hann Meng\Desktop\Rooter.exe (3056)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ GPT ]-- (Start_Offset:17408 | Length:134217728)
\Device\Harddisk0\Partition2 --[ GPT ]-- (Start_Offset:135266304 | Length:2000263577600)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3945265486-2923517700-1054360051-1000Core.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3945265486-2923517700-1054360051-1000UA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\Users\HANNME~1\Desktop\Desktop\Games\B.C.R\bionic commando rearmed\bionic commando rearmed crack.rar
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 08:52.13
.
C:\Rooter$\Rooter_1.txt - (05/06/2012 | 08:52.13).c


Thank you.

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
****************************************************
Update your Adobe Reader. get.adobe.com/reader.

Be sure to uncheck the Free McAfee Security Scan so it isn't installed.

Please tell me how your computer is working now.

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the [image: EsetOnline] button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on [image: EsetSmartInstall] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [image: EsetSmartInstallDesktopIcon-1] icon on your desktop.

• Check [image: EsetAcceptTerms]
• Click the [image: EsetStart] button.
• Accept any security warnings from your browser.
• Check [image: EsetScanArchives]
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push [image: EsetListThreats]
• Push [image: EsetExport], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the [image: EsetBack] button.
• Push [image: EsetFinish]
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Hi,

I've only used my computer for a while tonight but so far nothing has happened after the ESET scan. I'll let it go for a while more. In the meantime, here is the log :-


C:\Program Files (x86)\Black_Box\Syndicate\System\Win32_x86_Release\Syndicate.exe a variant of Win32/Packed.VMProtect.AAM trojan cleaned by deleting - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM129.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM42.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM58.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Users\Hann Meng\Desktop\Desktop\Games\Prototype\Proto\Prototype\TPTB.exe probably a variant of Win32/Obfuscated.NIAEVPN trojan cleaned by deleting - quarantined
C:\Users\Hann Meng\Desktop\Desktop\prototype 2\TPTB.exe probably a variant of Win32/Obfuscated.NIAEVPN trojan cleaned by deleting - quarantined
C:\Users\Hann Meng\Downloads\cnet2_antikey_zip.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Users\Hann Meng\Videos\Veoh\VeohWebPlayerSetup_eng.exe a variant of Win32/Toolbar.Zugo application deleted - quarantined


Thanks again.

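The eight ESET result lines in the post above, parsed into structured records for triage. This is an added example written for this page; it is not part of the thread and not an ESET tool. The line layout it assumes (file path, then a detection name ending in a category word such as trojan/worm/application, then the action taken) and the folder heuristics in `locate()` are inferred only from the lines posted here, and the sample input is those same lines.

```python
"""Turn ESET Online Scanner result lines into records a responder can sort.

Added example for this thread; not ESET code. The regex and the folder
heuristics are assumptions derived from the eight lines posted above.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the result lines posted in the thread (copied, not constructed).
SAMPLE_LOG = r"""
C:\Program Files (x86)\Black_Box\Syndicate\System\Win32_x86_Release\Syndicate.exe a variant of Win32/Packed.VMProtect.AAM trojan cleaned by deleting - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM129.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM42.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM58.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Users\Hann Meng\Desktop\Desktop\Games\Prototype\Proto\Prototype\TPTB.exe probably a variant of Win32/Obfuscated.NIAEVPN trojan cleaned by deleting - quarantined
C:\Users\Hann Meng\Desktop\Desktop\prototype 2\TPTB.exe probably a variant of Win32/Obfuscated.NIAEVPN trojan cleaned by deleting - quarantined
C:\Users\Hann Meng\Downloads\cnet2_antikey_zip.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Users\Hann Meng\Videos\Veoh\VeohWebPlayerSetup_eng.exe a variant of Win32/Toolbar.Zugo application deleted - quarantined
"""

# Paths contain spaces, so the path is matched non-greedily and the detection
# is anchored on its trailing category word; whatever follows is the action.
# Assumed format, derived from the posted lines only.
_LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably )?(?:a variant of )?\S+ "
    r"(?P<category>trojan|worm|virus|application|adware|potentially unwanted application)) "
    r"(?P<action>.+)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    detection: str
    category: str
    action: str


def parse_eset_log(text: str) -> tuple[list[Detection], list[str]]:
    """Parse result lines; unrecognised lines are returned rather than dropped."""
    records: list[Detection] = []
    unparsed: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        records.append(Detection(m["path"], m["detection"], m["category"], m["action"]))
    return records, unparsed


def locate(path: str) -> str:
    """Coarse location class for a hit (heuristics assumed for this example)."""
    low = path.lower()
    # Spybot S&D keeps backups of items it already removed under its Recovery
    # folder, so another scanner flagging them is expected, not a new infection.
    if "spybot" in low and "\\recovery\\" in low:
        return "other-tool quarantine"
    if low.startswith("c:\\users\\"):
        return "user profile"
    if low.startswith("c:\\program files"):
        return "installed program"
    return "other"


def summarize(records: list[Detection]) -> dict[str, Counter]:
    """Counts by ESET category and by where on disk each hit lived."""
    return {
        "category": Counter(r.category for r in records),
        "location": Counter(locate(r.path) for r in records),
    }


if __name__ == "__main__":
    recs, bad = parse_eset_log(SAMPLE_LOG)
    for r in recs:
        print(f"{locate(r.path):22} {r.category:12} {r.detection:55} {r.path}")
    print(summarize(recs))
    if bad:
        print("unparsed:", bad)
```

Sorting the output by location puts the user-profile hits (downloaded installers and game folders) ahead of the three Spybot Recovery entries, which are a second scanner re-flagging material Spybot had already removed.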
Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

That sounds good. In the meantime, we can do some cleanup.

To uninstall ComboFix


  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall


[image: Combofix_uninstall_image]

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)


  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

*****************************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.

[image: Diskcleanup2]

Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.

[image: Diskcleanup]

This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
*******************************************************
Looking over your log it seems you don't have any evidence of a third party firewall.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (if you choose this one, uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and uncheck any HopSurf and/or Ask.com options)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
*************************************************************
Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Hi,

I installed the firewall, WOT and performed the cleanup. I was hopeful until 5 minutes ago when it happened again. It seems to only happen when I access the internet. Either browsing or playing an online game triggers it. I watched a full movie last night and it was fine.

=C

Thanks for your help.

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Please refresh my memory. What happened again?

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Hi,

Once in a while my computer will do the following ( I hope I've got this right) :-
1) Press 'Y'
2) Alt+F4
3) Launch 'My Computer'
4) Launch 'My Computer' again
5) Press 'F1' (to launch Windows Help and Support)
6) Alt+F4
7) Alt+F4

It always does it in that specific order. I am not sure about the first two steps but am pretty sure of the rest. So far, it only happens when I am using Google Chrome, Firefox or when I play Diablo 3 (i.e. when I access the internet). It doesn't happen when I watch a movie or perform antivirus scans. I performed scans with Avast!, MalwareBytes, SpyBot and Windows Defender. It did come up with a few things which I have cleaned but the problem still occurs. I re-updated this software and rescanned my computer again with the same software and it came up clean. Most frequently, it happens every 10 minutes. When I leave my computer turned on for a day without touching it or to allow a full system scan or while watching a movie, it doesn't happen at all.

Things that we have done so far are :-
- Removed some software
- ComboFix
- aswMBR.exe
- Security Check by screen317
- Updated Java and Adobe
- ESET online Scanner
- Disk Cleanup
- Install Comodo and WOT

Thanks.

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

I don't believe that it is caused by an infection. The next time it does it please take a screenshot and post it here.

How to post screenshots or images

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Hi,

Please see here


[image: Screenshot4ai.th]


If nothing is open, the first 3 screenshots always occur in that order. If my browser is open, screenshot 4 happens. The virus/script seems to press the same order of buttons every time so depending on what I have open, the screenshot would be different.

Thanks

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Sorry, the last post didn't work. See below :-

[image: Screenshot1hgi]

[image: Screenshot2bu]

[image: Screenshot3io]

[image: Screenshot4dp]

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

I'm sorry but I can't see what the problem is from the screenshots but I'm quite certain it's not a malware problem. Perhaps you could get help from another forum on this site.

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

Hi,

Thanks for trying. I'll probably reformat.

Re: Crazy Unknown Virus/Trojan/Spyware/Malware! Help!

You're welcome. Good luck.
