Tech Support Guy > Virus & Other Malware Removal

Audio ad in background virus


bawse, Member with 21 posts (thread starter)
Join Date: Feb 2012
13-Feb-2012, 07:28 AM #1
Basically, there's an audio ad that keeps playing in the background of my desktop. I've seen some previous threads but none have helped. Here are my logs. I hope I can get rid of this soon, and also find a way so that this never happens again.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:59:14 PM, on 2/11/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16912)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Compal\Smart Battery\SMBTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\Admin\AppData\Local\uce.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wuauclt.exe
C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Admin\Desktop\Downloads\11111\HijackThis.exe
C:\Windows\system32\taskeng.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSour...ctid=CT2117678
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: NCH Toolbar - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files\NCH\prxtbNC0.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NCH - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files\NCH\prxtbNC0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: NCH Toolbar - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files\NCH\prxtbNC0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxExt] C:\Windows\system32\IgfxExt.exe /RegServer
O4 - HKLM\..\Run: [SMBTray] C:\Program Files\Compal\Smart Battery\SMBTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKCU\..\Run: [2c5fe66f] C:\Users\Admin\AppData\Local\uce.exe
O4 - HKCU\..\Run: [4Y3Y0C3A0F7XZA6ECWWA] C:\Recycle.Bin\B6232F3A858.exe /q
O4 - HKUS\S-1-5-18\..\RunOnce: [DeleteEngineAfterUpdate] reg DELETE HKCU\Software\AppDataLow\Software\ConduitEngine /f (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [DeleteEngineAfterUpdate] reg DELETE HKCU\Software\AppDataLow\Software\ConduitEngine /f (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofil...SystemLite.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} (RIM AxLoader) - http://mobileapps.blackberry.com/dev...e/AxLoader.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7592 bytes

____________________________________________________________________________

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
Run by Admin at 21:18:59 on 2012-02-12
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1014.249 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Compal\Smart Battery\SMBTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\Admin\AppData\Local\uce.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\conhost.exe
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\taskeng.exe
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIqw3KV.com
C:\Windows\system32\EQIqw3KV.com
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\EQIQW3~1.COM
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\EQIQW3~1.COM
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2117678
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\prxtbNC0.dll
mURLSearchHooks: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\prxtbNC0.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\prxtbNC0.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\prxtbNC0.dll
uRun: [Google Update] "c:\users\admin\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Facebook Update] "c:\users\admin\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [2c5fe66f] c:\users\admin\appdata\local\uce.exe
uRun: [4Y3Y0C3A0F7XZA6ECWWA] c:\recycle.bin\B6232F3A858.exe /q
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxExt] c:\windows\system32\IgfxExt.exe /RegServer
mRun: [SMBTray] c:\program files\compal\smart battery\SMBTray.exe
mRun: [<NO NAME>]
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [DeleteEngineAfterUpdate] reg DELETE HKCU\Software\AppDataLow\Software\ConduitEngine /f
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 64.71.255.198
TCP: Interfaces\{7D5E01AF-8A15-4DA1-B563-889B9EE95929} : DhcpNameServer = 64.71.255.198
TCP: Interfaces\{7D5E01AF-8A15-4DA1-B563-889B9EE95929}\14C696E6B60277962756C656373702E4 : DhcpNameServer = 192.168.5.1
TCP: Interfaces\{7D5E01AF-8A15-4DA1-B563-889B9EE95929}\2496371613 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{7D5E01AF-8A15-4DA1-B563-889B9EE95929}\6416D696C697 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{7D5E01AF-8A15-4DA1-B563-889B9EE95929}\75C414E4 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{7D5E01AF-8A15-4DA1-B563-889B9EE95929}\A68636F6D6075747562737 : DhcpNameServer = 192.168.10.1
TCP: Interfaces\{C2A57E67-7176-4C15-81E2-CD6579E9B66C} : DhcpNameServer = 10.254.30.254 10.254.40.245 10.201.29.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\k9z8750k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - NCH Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2117678&SearchSource=13
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\admin\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\admin\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
.
=============== Created Last 30 ================
.
2012-02-12 02:16:01 111616 ----a-w- c:\programdata\GkCuTbve.exe
2012-02-09 11:09:41 111616 ----a-w- c:\windows\system32\EQIqw3KV.com
2012-02-06 12:31:22 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-26 17:24:37 111616 ----a-w- c:\windows\system32\EQIqw3KV.com_
2012-01-24 13:34:59 -------- d-----w- c:\program files\1ClickDownload
2012-01-18 14:00:34 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 14:00:31 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 14:00:30 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 14:00:30 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-18 14:00:30 314368 ----a-w- c:\windows\system32\webio.dll
2012-01-18 14:00:30 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-18 14:00:29 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-01-18 14:00:29 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-18 14:00:29 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 14:00:29 15360 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-16 05:28:09 -------- d-----w- c:\windows\system32\Adobe
2012-01-15 22:56:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-15 22:51:26 282624 ----a-w- c:\users\admin\appdata\local\uce.exe
2012-01-14 17:57:46 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{82080972-f2b3-42f7-af4b-2149765dfea3}\mpengine.dll
.
==================== Find3M ====================
.
2011-11-24 04:23:31 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:06:13 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-17 05:41:38 1288984 ----a-w- c:\windows\system32\ntdll.dll
.
============= FINISH: 21:22:45.63 ===============

____________________________________________________________________________

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-13 06:21:31
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK8025GAL rev.BD102A
Running: 7crcpxn9.exe; Driver: C:\Users\Admin\AppData\Local\Temp\awlorpod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A5B5D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A80092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\Users\Admin\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
.text autochk.exe 003211DF 2 Bytes [80, 29]
.text autochk.exe 003211E2 1 Byte [30]
.text autochk.exe 003211E2 3 Bytes [30, 00, 31]
.text autochk.exe 003211E6 1 Byte [39]
.text autochk.exe 003211E6 3 Bytes [39, 00, 36]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtProtectVirtualMemory 774B5000 5 Bytes JMP 0092000A
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtWriteVirtualMemory 774B5B80 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!KiUserExceptionDispatcher 774B60E8 5 Bytes JMP 0087000A
? C:\Windows\system32\svchost.exe[916] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch;
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] ntdll.dll!NtProtectVirtualMemory 774B5000 5 Bytes JMP 010D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] ntdll.dll!NtWriteVirtualMemory 774B5B80 5 Bytes JMP 010E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] ntdll.dll!KiUserExceptionDispatcher 774B60E8 5 Bytes JMP 010C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] ADVAPI32.dll!RegSetValueExA 771D1B96 5 Bytes JMP 1015C600 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] ADVAPI32.dll!RegSetValueExW 771D1C82 5 Bytes JMP 1015C6C0 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] ADVAPI32.dll!RegSetValueW 771EFA72 5 Bytes JMP 1015C540 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] ADVAPI32.dll!RegSetValueA 7721F529 5 Bytes JMP 1015C480 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!CreateDialogParamW 75DB9BFF 5 Bytes JMP 1015C890 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!CreateWindowExW 75DC0E51 5 Bytes JMP 6D65810F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!CreateDialogParamA 75DD3E79 5 Bytes JMP 1015CA10 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!DialogBoxIndirectParamW 75DE4AA7 5 Bytes JMP 6D7800C8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!TrackPopupMenu 75DE4B3B 5 Bytes JMP 1015BB70 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!DialogBoxParamW 75DE564A 5 Bytes JMP 1015CBF0 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!TrackPopupMenuEx 75DE5F72 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!TrackPopupMenuEx 75DE5F72 5 Bytes JMP 1015BCD0 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!DialogBoxParamA 75DFCF6A 5 Bytes JMP 1015CB00 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!DialogBoxIndirectParamA 75DFD29C 5 Bytes JMP 6D78012B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxIndirectA 75E0E8C9 5 Bytes JMP 6D77FFFA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxIndirectW 75E0E9C3 5 Bytes JMP 6D77FF8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxExA 75E0EA29 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxExA 75E0EA29 5 Bytes JMP 6D77FF2D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxExW 75E0EA4D 5 Bytes JMP 6D77FECB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxA 75E0EA71 5 Bytes JMP 1015CD70 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxW 75E0EABF 5 Bytes JMP 1015CE50 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 8B6B4000-8B6D1000 (118784 bytes)

---- Processes - GMER 1.0.15 ----

Process PING.EXE (*** hidden *** ) 4432

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00234ee4ccdf
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00234ee4ccdf @f40b932fd2af 0xAB 0x8E 0x9C 0x28 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00234ee4ccdf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00234ee4ccdf@f40b932fd2af 0xAB 0x8E 0x9C 0x28 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB17498$\1349176407 0 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959 0 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\@ 2048 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\bckfg.tmp 854 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\cfg.ini 263 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\keywords 226 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\L 0 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\L\xadqgnnk 338944 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\oemid 222 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\U 0 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\U\80000000.@ 66560 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\U\80000032.@ 73216 bytes
File C:\Windows\$NtUninstallKB17498$\4006455959\version 856 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6A56751D-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6A56751E-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6A567520-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7F9AFB22-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C1E0D0B6-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C1E0D0B8-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{70B52ACE-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{70B52ACF-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{70B52AD0-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D4B0315D-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A407F3B2-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{20013330-55F7-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F60941A6-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{86A8C943-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4FDE1F59-55F7-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C8886E9C-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\4SB5BNH2.txt 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\O3VXFQXB.txt 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\WEVE7UY6.txt 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\G7DGQH96.txt 0 bytes

---- EOF - GMER 1.0.15 ----

____________________________________________________________________________
flavallee (Frank), Trusted Advisor
13-Feb-2012, 01:10 PM #2
Concerning some of the things that you're doing with that computer, it's probably infested with malware, spyware, etc.

It also has NO full-time antivirus program installed and running.

--------------------------------------------------------

Download and save

Microsoft Security Essentials 2.1.1116.0

and the free version of

Malwarebytes Anti-Malware 1.60.1.1000

SUPERAntiSpyware 5.0.0.1144

then close all open windows first, then install them.

Make sure to update their definition files during the install process.

After they've all been installed and updated, restart the computer.

Run a quick scan with Malwarebytes Anti-Malware, then select and remove EVERYTHING it found.

Run a quick scan with SUPERAntiSpyware, then select and remove EVERYTHING it found.

Note: DON'T use the computer while each scan is in progress.

-------------------------------------------------------
jeffce (Jeff), Malware Removal Specialist
13-Feb-2012, 10:01 PM #3
Hi and Welcome!! My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • Please subscribe to this topic, if you haven't already.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.


Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.
----------

First we need to make all files and folders VISIBLE:
  • Go to Start >> Control Panel >> Folder Options >> View
  • Choose to "show hidden files and folders,"
  • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
  • Close the window with ok
----------

**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.
----------

Download CKScanner by askey127 from Here & save it to your Desktop.
  • Right-click and Run as Administrator CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
----------

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Right-click and Run as Administrator TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
----------
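The "make all files and folders VISIBLE" step above changes three per-user Explorer settings through the Folder Options dialog. As an added example (not from this thread or its helpers), the same settings can be checked and set from PowerShell, which is useful when Control Panel will not open or when you want to confirm after a reboot that nothing has silently reset them. The registry key and value names are the standard Explorer ones; the function names are my own.

```powershell
# Added example, not part of the thread: the three Explorer "Folder Options >> View"
# settings from the steps above, read and set from PowerShell instead of the GUI.
# They are per-user DWORD values under this well-known key.
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Hidden=1 shows hidden files and folders, ShowSuperHidden=1 shows protected
# operating system files, HideFileExt=0 shows extensions for known file types.
$Wanted = @{ Hidden = 1; ShowSuperHidden = 1; HideFileExt = 0 }

function Get-ExplorerVisibility {
    # Report each setting, its current value and whether it already matches.
    $props = Get-ItemProperty -Path $Advanced
    foreach ($name in $Wanted.Keys) {
        $current = $props.$name
        [pscustomobject]@{
            Setting = $name
            Current = $current
            Wanted  = $Wanted[$name]
            Ok      = ($current -eq $Wanted[$name])
        }
    }
}

function Set-ExplorerVisibility {
    # Write the values, then restart Explorer so open windows pick them up.
    foreach ($name in $Wanted.Keys) {
        Set-ItemProperty -Path $Advanced -Name $name -Value $Wanted[$name] -Type DWord
    }
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe
}

# Show the current state; run Set-ExplorerVisibility afterwards if any row is not Ok.
Get-ExplorerVisibility | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt as the affected user (the key is under HKCU, so it only affects that account). Re-running `Get-ExplorerVisibility` after a reboot is a cheap way to spot software that keeps flipping these values back.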
bawse (thread starter)
14-Feb-2012, 12:20 AM #4
Here comes another problem. I can't open my Control Panel. When I try to do so my computer stalls then freezes. The CP window opens, appears to be loading and then disappears. This is after the stalling and freezing.

Last edited by bawse; 14-Feb-2012 at 12:58 AM..
jeffce (Jeff), Malware Removal Specialist
14-Feb-2012, 08:35 AM #5
Hi,

Ok...thanks for letting me know. For the time being disregard making the hidden files able to be viewed and CKScanner. Just run TDSSKiller and ComboFix. If needed, you may run them in Safe Mode if you cannot run them in Normal Mode.
flavallee (Frank), Trusted Advisor
14-Feb-2012, 09:37 AM #6
It's all yours, Jeff. Good luck.

-------------------------------------------------------
jeffce (Jeff), Malware Removal Specialist
14-Feb-2012, 11:21 AM #7
Thanks!
bawse (thread starter)
14-Feb-2012, 11:38 PM #8
Alright, ComboFix seems to be taking forever. It's been 30 mins and it still says it's scanning. Is there anything else I can do or should I keep waiting? Same problem in Safe Mode.
jeffce (Jeff), Malware Removal Specialist
15-Feb-2012, 09:08 AM #9
Hi bawse,

Sometimes ComboFix can take quite some time to run depending on the infections that are on your system. Unfortunately the infection that you have on your system is one of the worst ones out here right now. Give it some time and just let it run. If you still have problems let me know. With this infection the way to fix it is normally different every time so we may need to try different routes until we bust it.
bawse (thread starter)
15-Feb-2012, 12:34 PM #10
Well, it's done now. The only problem is that my computer restarted, then when it gets to the Windows login screen it restarts and then the process is repeated.

Last edited by bawse; 15-Feb-2012 at 12:51 PM..
jeffce (Jeff), Malware Removal Specialist
15-Feb-2012, 12:52 PM #11
Hi,

Yep that is the ZeroAccess rootkit doing this.

Can you get access to a USB drive (thumb drive)? If so please do the following...
----------

Download ComboFix, preferably from a clean computer, from any of the links below, but rename it to vageta.com before saving it to your USB drive. Once on the USB drive, transfer it to the infected system, place it in the C:\ folder and run the program.

Link 1
Link 2


==================================

Right-click and Run as Administrator on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


Disregard This
jeffce (Jeff), Malware Removal Specialist
15-Feb-2012, 12:55 PM #12
I don't want to cross post so be sure to disregard what I posted previously about renaming ComboFix.

Try to boot to Safe Mode with networking. Once there see if the ComboFix log was saved in the C:\ folder. If it was please post that.
bawse (thread starter)
15-Feb-2012, 01:47 PM #13
It shows a ComboFix file with the My Computer icon, so when I click it, it shows me the C:\ drive again, but when I click on Properties it says there are two folders with 638 files.
jeffce (Jeff), Malware Removal Specialist
15-Feb-2012, 02:29 PM #14
Hi bawse,

Ok...delete all copies of ComboFix on your system using right-click >> delete and then follow my instructions in post #11 but do all of this in Safe Mode with Networking. If a log is produced post it...if you still have problems let me know.

Sorry...post #11
bawse (thread starter)
15-Feb-2012, 03:51 PM #15
Where can I find the log? What's it called? It created a "vageta" folder with all these different files, including two folders called "en-US" and "N_". It also created a file in the C:\ drive called windows.