
Audio ad in background virus

Discussion in 'Virus & Other Malware Removal' started by bawse, Feb 13, 2012.

  1. bawse

    bawse Thread Starter

    Joined:
    Feb 12, 2012
    Messages:
    21
    Basically there's an audio ad that keeps playing in the background of my desktop. I've seen some previous threads but none have helped. Here are my logs. I hope I can get rid of this soon, and also find a way so that this never happens again.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:59:14 PM, on 2/11/2012
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16912)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Program Files\Compal\Smart Battery\SMBTray.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Users\Admin\AppData\Local\uce.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\system32\wuauclt.exe
    C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\rundll32.exe
    C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Admin\Desktop\Downloads\11111\HijackThis.exe
    C:\Windows\system32\taskeng.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2117678
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: NCH Toolbar - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files\NCH\prxtbNC0.dll
    O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
    O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: NCH - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files\NCH\prxtbNC0.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O3 - Toolbar: NCH Toolbar - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files\NCH\prxtbNC0.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [IgfxExt] C:\Windows\system32\IgfxExt.exe /RegServer
    O4 - HKLM\..\Run: [SMBTray] C:\Program Files\Compal\Smart Battery\SMBTray.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
    O4 - HKCU\..\Run: [2c5fe66f] C:\Users\Admin\AppData\Local\uce.exe
    O4 - HKCU\..\Run: [4Y3Y0C3A0F7XZA6ECWWA] C:\Recycle.Bin\B6232F3A858.exe /q
    O4 - HKUS\S-1-5-18\..\RunOnce: [DeleteEngineAfterUpdate] reg DELETE HKCU\Software\AppDataLow\Software\ConduitEngine /f (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [DeleteEngineAfterUpdate] reg DELETE HKCU\Software\AppDataLow\Software\ConduitEngine /f (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} (RIM AxLoader) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 7592 bytes

    ____________________________________________________________________________________________________

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
    Run by Admin at 21:18:59 on 2012-02-12
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1014.249 [GMT -5:00]
    .
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Program Files\Compal\Smart Battery\SMBTray.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Users\Admin\AppData\Local\uce.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIqw3KV.com
    C:\Windows\system32\EQIqw3KV.com
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\EQIQW3~1.COM
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\EQIQW3~1.COM
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2117678
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\prxtbNC0.dll
    mURLSearchHooks: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\prxtbNC0.dll
    BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\prxtbNC0.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
    TB: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\prxtbNC0.dll
    uRun: [Google Update] "c:\users\admin\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [Facebook Update] "c:\users\admin\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
    uRun: [2c5fe66f] c:\users\admin\appdata\local\uce.exe
    uRun: [4Y3Y0C3A0F7XZA6ECWWA] c:\recycle.bin\B6232F3A858.exe /q
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [IgfxExt] c:\windows\system32\IgfxExt.exe /RegServer
    mRun: [SMBTray] c:\program files\compal\smart battery\SMBTray.exe
    mRun: [<NO NAME>]
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRunOnce: [DeleteEngineAfterUpdate] reg DELETE HKCU\Software\AppDataLow\Software\ConduitEngine /f
    StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 64.71.255.198
    TCP: Interfaces\{7D5E01AF-8A15-4DA1-B563-889B9EE95929} : DhcpNameServer = 64.71.255.198
    TCP: Interfaces\{7D5E01AF-8A15-4DA1-B563-889B9EE95929}\14C696E6B60277962756C656373702E4 : DhcpNameServer = 192.168.5.1
    TCP: Interfaces\{7D5E01AF-8A15-4DA1-B563-889B9EE95929}\2496371613 : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{7D5E01AF-8A15-4DA1-B563-889B9EE95929}\6416D696C697 : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{7D5E01AF-8A15-4DA1-B563-889B9EE95929}\75C414E4 : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{7D5E01AF-8A15-4DA1-B563-889B9EE95929}\A68636F6D6075747562737 : DhcpNameServer = 192.168.10.1
    TCP: Interfaces\{C2A57E67-7176-4C15-81E2-CD6579E9B66C} : DhcpNameServer = 10.254.30.254 10.254.40.245 10.201.29.254
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\k9z8750k.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - NCH Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2117678&SearchSource=13
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\users\admin\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
    FF - plugin: c:\users\admin\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\windows\system32\wat\npWatWeb.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    .
    =============== Created Last 30 ================
    .
    2012-02-12 02:16:01 111616 ----a-w- c:\programdata\GkCuTbve.exe
    2012-02-09 11:09:41 111616 ----a-w- c:\windows\system32\EQIqw3KV.com
    2012-02-06 12:31:22 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-01-26 17:24:37 111616 ----a-w- c:\windows\system32\EQIqw3KV.com_
    2012-01-24 13:34:59 -------- d-----w- c:\program files\1ClickDownload
    2012-01-18 14:00:34 1037312 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-18 14:00:31 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-18 14:00:30 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys

    2012-01-18 14:00:30 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-18 14:00:30 314368 ----a-w- c:\windows\system32\webio.dll
    2012-01-18 14:00:30 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-18 14:00:29 99840 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-18 14:00:29 22528 ----a-w- c:\windows\system32\lsass.exe
    2012-01-18 14:00:29 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-18 14:00:29 15360 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-16 05:28:09 -------- d-----w- c:\windows\system32\Adobe
    2012-01-15 22:56:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-15 22:51:26 282624 ----a-w- c:\users\admin\appdata\local\uce.exe
    2012-01-14 17:57:46 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{82080972-f2b3-42f7-af4b-2149765dfea3}\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2011-11-24 04:23:31 2340352 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 14:06:13 67072 ----a-w- c:\windows\system32\packager.dll
    2011-11-17 05:41:38 1288984 ----a-w- c:\windows\system32\ntdll.dll
    .
    ============= FINISH: 21:22:45.63 ===============

    ________________________________________________________________________________________________

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-13 06:21:31
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK8025GAL rev.BD102A
    Running: 7crcpxn9.exe; Driver: C:\Users\Admin\AppData\Local\Temp\awlorpod.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A5B5D9 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A80092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    ? C:\Users\Admin\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
    .text autochk.exe 003211DF 2 Bytes [80, 29]
    .text autochk.exe 003211E2 1 Byte [30]
    .text autochk.exe 003211E2 3 Bytes [30, 00, 31]
    .text autochk.exe 003211E6 1 Byte [39]
    .text autochk.exe 003211E6 3 Bytes [39, 00, 36]
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtProtectVirtualMemory 774B5000 5 Bytes JMP 0092000A
    .text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtWriteVirtualMemory 774B5B80 5 Bytes JMP 0093000A
    .text C:\Windows\system32\svchost.exe[916] ntdll.dll!KiUserExceptionDispatcher 774B60E8 5 Bytes JMP 0087000A
    ? C:\Windows\system32\svchost.exe[916] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch;
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] ntdll.dll!NtProtectVirtualMemory 774B5000 5 Bytes JMP 010D000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] ntdll.dll!NtWriteVirtualMemory 774B5B80 5 Bytes JMP 010E000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] ntdll.dll!KiUserExceptionDispatcher 774B60E8 5 Bytes JMP 010C000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] ADVAPI32.dll!RegSetValueExA 771D1B96 5 Bytes JMP 1015C600 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] ADVAPI32.dll!RegSetValueExW 771D1C82 5 Bytes JMP 1015C6C0 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] ADVAPI32.dll!RegSetValueW 771EFA72 5 Bytes JMP 1015C540 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] ADVAPI32.dll!RegSetValueA 7721F529 5 Bytes JMP 1015C480 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!CreateDialogParamW 75DB9BFF 5 Bytes JMP 1015C890 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!CreateWindowExW 75DC0E51 5 Bytes JMP 6D65810F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!CreateDialogParamA 75DD3E79 5 Bytes JMP 1015CA10 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!DialogBoxIndirectParamW 75DE4AA7 5 Bytes JMP 6D7800C8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!TrackPopupMenu 75DE4B3B 5 Bytes JMP 1015BB70 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!DialogBoxParamW 75DE564A 5 Bytes JMP 1015CBF0 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!TrackPopupMenuEx 75DE5F72 1 Byte [E9]
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!TrackPopupMenuEx 75DE5F72 5 Bytes JMP 1015BCD0 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!DialogBoxParamA 75DFCF6A 5 Bytes JMP 1015CB00 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!DialogBoxIndirectParamA 75DFD29C 5 Bytes JMP 6D78012B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxIndirectA 75E0E8C9 5 Bytes JMP 6D77FFFA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxIndirectW 75E0E9C3 5 Bytes JMP 6D77FF8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxExA 75E0EA29 1 Byte [E9]
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxExA 75E0EA29 5 Bytes JMP 6D77FF2D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxExW 75E0EA4D 5 Bytes JMP 6D77FECB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxA 75E0EA71 5 Bytes JMP 1015CD70 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4084] USER32.dll!MessageBoxW 75E0EABF 5 Bytes JMP 1015CE50 C:\Windows\System32\config\systemprofile\AppData\LocalLow\NCH\tbNC0.dll (Conduit Toolbar/Conduit Ltd.)

    ---- Modules - GMER 1.0.15 ----

    Module (noname) (*** hidden *** ) 8B6B4000-8B6D1000 (118784 bytes)

    ---- Processes - GMER 1.0.15 ----

    Process PING.EXE (*** hidden *** ) 4432

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00234ee4ccdf
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00234ee4ccdf@f40b932fd2af 0xAB 0x8E 0x9C 0x28 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00234ee4ccdf (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00234ee4ccdf@f40b932fd2af 0xAB 0x8E 0x9C 0x28 ...

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\$NtUninstallKB17498$\1349176407 0 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959 0 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\@ 2048 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\bckfg.tmp 854 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\cfg.ini 263 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\Desktop.ini 4608 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\keywords 226 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\kwrd.dll 223744 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\L 0 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\L\xadqgnnk 338944 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\oemid 222 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\U 0 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\U\00000001.@ 2048 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\U\00000002.@ 224768 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\U\00000004.@ 1024 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\U\80000000.@ 66560 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\U\80000004.@ 12800 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\U\80000032.@ 73216 bytes
    File C:\Windows\$NtUninstallKB17498$\4006455959\version 856 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6A56751D-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6A56751E-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6A567520-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7F9AFB22-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C1E0D0B6-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C1E0D0B8-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{70B52ACE-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{70B52ACF-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{70B52AD0-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D4B0315D-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A407F3B2-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{20013330-55F7-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F60941A6-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{86A8C943-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4FDE1F59-55F7-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C8886E9C-55F6-11E1-B63D-00234EE4CCDF}.dat 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\4SB5BNH2.txt 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\O3VXFQXB.txt 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\WEVE7UY6.txt 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\G7DGQH96.txt 0 bytes

    ---- EOF - GMER 1.0.15 ----

  2. flavallee

    flavallee Frank Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    63,579
    Concerning some of the things that you're doing with that computer, it's probably infested with malware, spyware, etc.

    It also has NO full-time antivirus program installed and running.

    --------------------------------------------------------

    Download and save

    Microsoft Security Essentials 2.1.1116.0

    and the free version of

    Malwarebytes Anti-Malware 1.60.1.1000

    SUPERAntiSpyware 5.0.0.1144

    then close all open windows first, then install them.

    Make sure to update their definition files during the install process.

    After they've all been installed and updated, restart the computer.

    Run a quick scan with Malwarebytes Anti-Malware, then select and remove EVERYTHING it found.

    Run a quick scan with SUPERAntiSpyware, then select and remove EVERYTHING it found.

    Note: DON'T use the computer while each scan is in progress.

    -------------------------------------------------------
     
  3. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
    • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
    • Please subscribe to this topic, if you haven't already.
    • The fixes are specific to your problem and should only be used for the issues on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.

    IMPORTANT NOTE : Please do not delete anything unless instructed to.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
    Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.


    Vista and Windows 7 users:
    These tools MUST be run from the executable (.exe) every time you run them
    with Admin Rights (Right click, choose "Run as Administrator")


    Stay with this topic until I give you the all clean post.
    ----------

    First we need to make all files and folders VISIBLE:

    • Go to Start >> Control Panel >> Folder Options >> View
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
    ----------

    **WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

    Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean and may have damaged your system files. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway, depending on the extent of the infection.

    If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

    If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. :)
    ----------

    Download CKScanner by askey127 from Here & save it to your Desktop.
    • Right-click and Run as Administrator CKScanner.exe then click Search For Files
    • When the cursor hourglass disappears, click Save List To File
    • A message box will verify the file saved
    • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
    ----------

    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Right-click and Run as Administrator TDSSKiller.exe
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Copy and paste the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)
    ----------

    Download Combofix from either of the links below, and save it to your desktop.
    Link 1
    Link 2

    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    --------------------------------------------------------------------

    Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt for further review.
    ----------
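    The Folder Options step above can also be done without opening Control Panel, by writing the three Explorer settings that dialog toggles and then checking that they stuck. This is an added example, not something posted in the thread; the registry key and value names are the standard Explorer "Advanced" settings, and the script assumes it is run from an elevated PowerShell prompt in the affected user's session.

```powershell
# Added example (not from the thread): the "make all files and folders VISIBLE"
# step done through the Explorer registry values instead of Folder Options.
# Key and value names are the standard Explorer Advanced settings.
$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Desired state: show hidden files (Hidden=1), show protected OS files
# (ShowSuperHidden=1), stop hiding extensions of known types (HideFileExt=0).
$Wanted = @{ Hidden = 1; ShowSuperHidden = 1; HideFileExt = 0 }

function Get-FolderVisibility {
    # Returns the current value of each setting, or $null where it is unset.
    $props = Get-ItemProperty -Path $AdvancedKey -ErrorAction SilentlyContinue
    $state = @{}
    foreach ($name in $Wanted.Keys) {
        $state[$name] = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
    }
    return $state
}

function Set-FolderVisibility {
    # Applies the desired state and returns a Before/After/Wanted table that can
    # be pasted into a reply. A row whose After differs from Wanted means the
    # write did not take, or something reverted it.
    $before = Get-FolderVisibility
    if (-not (Test-Path $AdvancedKey)) { New-Item -Path $AdvancedKey -Force | Out-Null }
    foreach ($name in $Wanted.Keys) {
        Set-ItemProperty -Path $AdvancedKey -Name $name -Value $Wanted[$name] -Type DWord
    }
    $after = Get-FolderVisibility

    # Explorer caches these settings, so restart it to make open windows honour them.
    # Windows 7 does not relaunch the shell on its own, so start it if it is gone.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }

    foreach ($name in $Wanted.Keys) {
        [pscustomobject]@{ Setting = $name; Before = $before[$name]; After = $after[$name]; Wanted = $Wanted[$name] }
    }
}

Set-FolderVisibility | Format-Table -AutoSize
```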
     
  4. bawse

    bawse Thread Starter

    Joined:
    Feb 12, 2012
    Messages:
    21
    Here comes another problem. I can't open my Control Panel. When I try to do so my computer stalls, then freezes. The CP window opens, appears to be loading and then disappears. This is after the stalling and freezing.
     
  5. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Ok...thanks for letting me know. For the time being disregard making the hidden files able to be viewed and CKScanner. Just run TDSSKiller and ComboFix. If needed, you may run them in Safe Mode if you cannot run them in Normal Mode.
     
  6. flavallee

    flavallee Frank Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    63,579
    It's all yours, Jeff. Good luck. (y)

    -------------------------------------------------------
     
  7. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    :D Thanks!
     
  8. bawse

    bawse Thread Starter

    Joined:
    Feb 12, 2012
    Messages:
    21
    Alright, ComboFix seems to be taking forever. It's been 30 mins and it still says it's scanning. Is there anything else I can do or should I keep waiting? Same problem in Safe Mode.
     
  9. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi bawse,

    Sometimes ComboFix can take quite some time to run depending on the infections that are on your system. Unfortunately the infection that you have on your system is one of the worst ones out there right now. Give it some time and just let it run. If you still have problems let me know. With this infection the way to fix it is normally different every time, so we may need to try different routes until we bust it.
     
  10. bawse

    bawse Thread Starter

    Joined:
    Feb 12, 2012
    Messages:
    21
    Well, it's done now. The only problem is that my computer restarted, then when it gets to the Windows login screen, it restarts and then the process is repeated.
     
  11. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Yep that is the ZeroAccess rootkit doing this.

    Can you get access to a USB drive (thumb drive)? If so please do the following...
    ----------

    Download Combofix, preferably from a clean computer, from any of the links below, but rename it to vageta.com before saving it to your USB drive. Once it is on the USB drive, transfer it to the infected system, place it in the C:\ folder and run the program.

    Link 1
    Link 2


    ==================================

    Right-click and Run as Administrator on the renamed ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt so we can continue cleaning the system.


    Disregard This
     
  12. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    I don't want to cross post so be sure to disregard what I posted previously about renaming ComboFix.

    Try to boot to Safe Mode with networking. Once there see if the ComboFix log was saved in the C:\ folder. If it was please post that.
     
  13. bawse

    bawse Thread Starter

    Joined:
    Feb 12, 2012
    Messages:
    21
    It shows a combofix file with the My Computer icon, so when I click it, it shows me the C:\ file again, but when I click on properties it says there are two folders with 638 files.
     
  14. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi bawse,

    Ok...delete all copies of ComboFix on your system using right-click >> delete and then follow my instructions in post #11 but do all of this in Safe Mode with Networking. If a log is produced post it...if you still have problems let me know.

    Sorry...post #11
     
  15. bawse

    bawse Thread Starter

    Joined:
    Feb 12, 2012
    Messages:
    21
    Where can I find the log? What's it called? It created a "vageta" folder with all these different files, including two folders called "en-US" and "N_". It also created a file in the C:\ drive called windows.
     
Short URL to this thread: https://techguy.org/1040795