Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Trying to remove trojan


Re: Trying to remove trojan

Post by swanvestas » June 19th, 2012, 1:08 pm

Hi deltalima,
Did everything as asked in safe mode, but it still does not respond; tried a second time after a cold reboot into safe mode, but it still froze the OTL box.
swanvestas
Regular Member
 
Posts: 20
Joined: June 16th, 2012, 12:28 pm

Re: Trying to remove trojan

Post by swanvestas » June 19th, 2012, 1:13 pm

Hi deltalima,
Have tried in safe mode as you asked, but it still does not respond; I did a cold reboot on a second attempt into safe mode, but the OTL box still freezes.

Think I screwed up and duplicated this post elsewhere.
swanvestas
Regular Member
 
Posts: 20
Joined: June 16th, 2012, 12:28 pm

Re: Trying to remove trojan

Post by deltalima » June 19th, 2012, 2:23 pm

Hi swanvestas,

Please boot into normal mode.

Download and Run ComboFix
  1. Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  2. Please disable any Antivirus and Firewall you have active, as shown in this topic. Please close all open application windows.
  3. Double click on ComboFix.exe and follow the prompts.
  4. When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix. This tool is not a toy and not for everyday use!
ComboFix SHOULD NOT be used unless requested by a forum helper.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Trying to remove trojan

Post by swanvestas » June 19th, 2012, 3:16 pm

Hi deltalima,
As requested, the ComboFix log:

ComboFix 12-06-19.02 - Brian 19/06/2012 19:52:32.1.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.4094.2584 [GMT 1:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-19 to 2012-06-19 )))))))))))))))))))))))))))))))
.
.
2012-06-19 19:03 . 2012-06-19 19:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-19 19:03 . 2012-06-19 19:03 -------- d-----w- c:\users\Brian\AppData\Local\temp
2012-06-19 15:03 . 2012-06-19 15:03 -------- d-----w- C:\_OTL
2012-06-18 17:48 . 2012-06-18 17:48 -------- d-----w- c:\program files (x86)\ESET
2012-06-17 23:35 . 2012-06-17 23:35 -------- d-----w- c:\programdata\Office Genuine Advantage
2012-06-16 19:17 . 2012-02-29 13:52 16384 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-06-16 19:17 . 2012-02-29 15:37 5632 ----a-w- c:\windows\system32\wmi.dll
2012-06-16 19:17 . 2012-02-29 15:37 219136 ----a-w- c:\windows\system32\wintrust.dll
2012-06-16 19:17 . 2012-02-29 15:35 78848 ----a-w- c:\windows\system32\imagehlp.dll
2012-06-16 19:17 . 2012-02-29 15:11 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-06-16 19:17 . 2012-02-29 15:11 172032 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-06-16 19:17 . 2012-02-29 15:09 157696 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-06-16 19:15 . 2012-04-03 08:22 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-16 18:54 . 2012-05-18 02:06 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-16 18:50 . 2012-03-30 12:45 1423744 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-06-16 18:50 . 2012-05-15 20:15 2767360 ----a-w- c:\windows\system32\win32k.sys
2012-06-16 18:47 . 2012-03-20 23:34 72576 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-06-16 05:05 . 2012-06-16 05:08 -------- d-----w- c:\users\Brian\AppData\Roaming\AVG
2012-05-23 21:43 . 2012-05-23 21:43 -------- d-----w- c:\users\Brian\AppData\Roaming\quickclick
2012-05-23 18:41 . 2012-05-23 18:41 -------- d-----w- c:\programdata\GFI Software
2012-05-23 00:26 . 2012-05-23 02:19 -------- d-----w- c:\program files (x86)\VideoLAN
2012-05-22 23:12 . 2012-05-22 23:15 -------- d-----w- c:\users\Brian\AppData\Local\Conduit
2012-05-22 21:10 . 2012-05-22 21:10 -------- d-----w- c:\users\Brian\AppData\Roaming\NVIDIA
2012-05-22 20:33 . 2012-05-22 21:22 -------- d-----w- c:\users\UpdatusUser
2012-05-22 20:33 . 2012-05-22 20:37 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2012-05-22 20:31 . 2012-05-22 20:31 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-05-20 20:30 . 2012-05-20 20:30 -------- d-----w- c:\users\Brian\AppData\Roaming\Friday's games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-15 10:48 . 2010-05-21 18:27 8105280 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2012-05-15 10:48 . 2010-05-21 18:27 68928 ----a-w- c:\windows\system32\OpenCL.dll
2012-05-15 10:48 . 2010-05-21 18:27 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll
2012-05-15 10:48 . 2009-06-26 21:01 18044224 ----a-w- c:\windows\system32\nvd3dumx.dll
2012-05-15 10:48 . 2009-06-26 21:01 15322432 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2012-05-15 10:48 . 2009-01-06 15:50 2741568 ----a-w- c:\windows\system32\nvapi64.dll
2012-05-15 09:29 . 2010-05-21 19:43 889664 ----a-w- c:\windows\system32\nvvsvc.exe
2012-05-15 09:29 . 2010-05-21 19:43 118080 ----a-w- c:\windows\system32\nvmctray.dll
2012-05-15 09:29 . 2009-06-26 17:00 63296 ----a-w- c:\windows\system32\nvshext.dll
2012-05-15 09:29 . 2010-05-21 19:43 3149632 ----a-w- c:\windows\system32\nvsvc64.dll
2012-05-15 09:28 . 2010-05-21 19:43 6151488 ----a-w- c:\windows\system32\nvcpl.dll
2012-05-15 01:21 . 2012-05-15 01:21 423744 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2012-04-19 03:50 . 2012-04-19 03:50 28480 ----a-w- c:\windows\system32\drivers\avgidsha.sys
2012-04-04 14:56 . 2011-02-13 20:21 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-27 20:25 . 2012-03-27 20:25 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-03-27 20:25 . 2012-03-27 20:25 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-03-27 20:25 . 2012-03-27 20:25 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-03-27 20:25 . 2012-03-27 20:25 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-03-27 20:25 . 2012-03-27 20:25 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-03-27 20:25 . 2012-03-27 20:25 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-03-27 20:25 . 2012-03-27 20:25 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-03-27 20:25 . 2012-03-27 20:25 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-03-27 20:25 . 2012-03-27 20:25 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-03-27 20:25 . 2012-03-27 20:25 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-03-27 20:25 . 2012-03-27 20:25 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-03-27 20:25 . 2012-03-27 20:25 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-03-27 20:25 . 2012-03-27 20:25 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-03-27 20:25 . 2012-03-27 20:25 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-03-27 20:25 . 2012-03-27 20:25 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-03-27 20:25 . 2012-03-27 20:25 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-03-27 20:25 . 2012-03-27 20:25 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-03-27 20:25 . 2012-03-27 20:25 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-03-27 20:25 . 2012-03-27 20:25 222208 ----a-w- c:\windows\system32\msls31.dll
2012-03-27 20:25 . 2012-03-27 20:25 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-03-27 20:25 . 2012-03-27 20:25 12288 ----a-w- c:\windows\system32\mshta.exe
2012-03-27 20:25 . 2012-03-27 20:25 114176 ----a-w- c:\windows\system32\admparse.dll
2012-03-27 20:25 . 2012-03-27 20:25 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-03-27 20:25 . 2012-03-27 20:25 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-03-27 20:25 . 2012-03-27 20:25 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-03-27 20:25 . 2012-03-27 20:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-03-27 20:25 . 2012-03-27 20:25 448512 ----a-w- c:\windows\system32\html.iec
2012-03-27 20:25 . 2012-03-27 20:25 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-03-27 20:25 . 2012-03-27 20:25 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-03-27 20:25 . 2012-03-27 20:25 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-27 20:25 . 2012-03-27 20:25 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-03-27 20:25 . 2012-03-27 20:25 160256 ----a-w- c:\windows\system32\wextract.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\program files (x86)\Hewlett-Packard\KBD\KbdStub.EXE" [2008-07-21 12288]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD64.exe" [2007-02-15 119296]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-10-17 1152296]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-10-17 189736]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-29 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-26 10:04]
.
2012-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-25 07:47]
.
2012-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-25 07:47]
.
2012-05-30 c:\windows\Tasks\HPCeeScheduleForBrian.job
- c:\program files (x86)\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2009-01-06 11:12]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-11-03 182808]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 2244680]
"VX3000"="c:\windows\vVX3000.exe" [2010-05-20 762736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pcworld.co.uk/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - (no file)
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2012-06-19 20:08:14
ComboFix-quarantined-files.txt 2012-06-19 19:08
.
Pre-Run: 742,522,318,848 bytes free
Post-Run: 742,930,325,504 bytes free
.
- - End Of File - - B1EB1A01CB032E1FD0CBE0DBD5836489
swanvestas
Regular Member
 
Posts: 20
Joined: June 16th, 2012, 12:28 pm
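As an added illustration (not part of the thread, and not ComboFix's or the helper's code), the following Python script parses the two sections of a ComboFix log that a helper reads first, the "Files Created" list and the "Reg Loading Points" autoruns, and applies the usual first-pass triage heuristic: an autorun entry or a newly created executable that lives under a user-writable location (a user profile, AppData, Temp, ProgramData) deserves a closer look, while entries under Windows or Program Files usually belong to installed software. The sample log text is constructed in the log's layout; the two entries under c:\users\example\... are invented for the demonstration and do not come from the thread's log, and the location classes are this example's assumption, not a ComboFix feature.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of a ComboFix log's "Files Created" and
# "Reg Loading Points" sections. It is not the thread's log: the two entries
# under c:\users\example\... are invented to show how a user-writable
# location looks to the triage heuristic below.
SAMPLE_LOG = """\
((((((((((((((((((((((((( Files Created from 2012-05-19 to 2012-06-19 )))))))))))))))))))))))))))))))
.
2012-06-18 17:48 . 2012-06-18 17:48 -------- d-----w- c:\\program files (x86)\\ESET
2012-06-16 19:17 . 2012-02-29 15:37 219136 ----a-w- c:\\windows\\system32\\wintrust.dll
2012-06-15 08:02 . 2012-06-15 08:02 44032 ----a-w- c:\\users\\example\\AppData\\Local\\Temp\\setup_x.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run]
"hpsysdrv"="c:\\hp\\support\\hpsysdrv.exe" [2007-04-18 65536]
"AVG_TRAY"="c:\\program files (x86)\\AVG\\AVG2012\\avgtray.exe" [2012-04-05 2587008]
"Updater"="c:\\users\\example\\AppData\\Roaming\\example_updater\\upd.exe" [2012-06-15 44032]
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"VX3000"="c:\\windows\\vVX3000.exe" [2010-05-20 762736]
"""

# [HKEY_...] section headers and "name"="path" [date size] autorun lines.
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_RE = re.compile(r'^"([^"]*)"="([^"]*)"\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
# "created . modified size attributes path" lines; directories show "--------" as size.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$"
)

# Location classes for the heuristic (this example's assumption, not a ComboFix feature).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
                    "c:\\progra~1\\", "c:\\progra~2\\")
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def classify(path: str) -> str:
    """Coarse location class: 'trusted' install dirs, 'user-writable' profile/temp dirs, else 'other'."""
    p = path.lower()
    if p.startswith(TRUSTED_PREFIXES):
        return "trusted"
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "user-writable"
    return "other"


def parse_run_entries(text: str) -> List[Dict[str, object]]:
    """Autorun values from the Reg Loading Points section, tagged with the key they sit under."""
    entries: List[Dict[str, object]] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        run_match = RUN_RE.match(line)
        if run_match and current_key:
            path = run_match.group(2)
            entries.append({"key": current_key, "name": run_match.group(1), "path": path,
                            "date": run_match.group(3), "size": int(run_match.group(4)),
                            "location": classify(path)})
    return entries


def parse_created_files(text: str) -> List[Dict[str, object]]:
    """File and directory records from the Files Created section."""
    files: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = FILE_RE.match(raw.strip())
        if not m:
            continue
        size, attrs, path = m.group(3), m.group(4), m.group(5)
        files.append({"created": m.group(1), "modified": m.group(2),
                      "is_dir": attrs.startswith("d"),
                      "size": int(size) if size.isdigit() else 0,
                      "path": path, "location": classify(path)})
    return files


def triage(text: str) -> Dict[str, List[str]]:
    """Autorun names and new executables that live outside the trusted install directories."""
    autoruns = [e["name"] for e in parse_run_entries(text) if e["location"] == "user-writable"]
    new_exes = [f["path"] for f in parse_created_files(text)
                if not f["is_dir"] and f["path"].lower().endswith(EXECUTABLE_EXT)
                and f["location"] == "user-writable"]
    return {"autoruns": autoruns, "new_executables": new_exes}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

The location test orders review; it is not a verdict. Legitimate updaters do run from AppData and malware does get dropped into Program Files, so a flagged entry still needs its file checked (publisher, hash, what the scan tools report) before anything is removed, which is why the helper in this thread follows the log with targeted fixes rather than deleting on sight.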

Re: Trying to remove trojan

Post by deltalima » June 19th, 2012, 3:39 pm

Hi swanvestas,

Rkill

Please download Rkill from one of the following links and save to your Desktop:

One, Two, Three or Four

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • A Notepad window will open; please post the contents in your next reply.
  • This log can also be found at C:\rkill.log
  • Please leave Rkill on the Desktop until otherwise advised.

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Run OTL Script

  • Right click OTL.exe and select: Run as Administrator.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    :processes
    killallprocesses
    :otl
    O4:64bit: - HKLM..\Run: [SBRegRebootCleaner] "C:\Program Files (x86)\Ad-Aware Antivirus\SBRC.exe" File not found
    O4 - HKLM..\Run: [] File not found
    O4 - HKU\S-1-5-21-3743975870-1591617531-270475079-1001..\Run: [HPADVISOR] File not found
    :commands
    [EMPTYTEMP]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
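An added example, not code from the thread or from OTL, showing how the O4 lines in the fix script above map onto the registry values OTL reports on. OTL writes `HKLM..\Run` for `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` (and `HKU\<SID>..\Run` for the matching `HKEY_USERS` key), and marks an entry `File not found` when the Run value still points at a program that no longer exists on disk: an orphaned autorun, which is what this fix removes. The Python below parses such lines, expands the abbreviated key, separates orphaned entries from ones whose file is still present, and reproduces the `Registry value ... not found.` report line that appears in the OTL log later in the thread. The first three sample lines follow the script in this post; the fourth (ExampleTray, Example Corp) is invented, and the hive table is this example's assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of OTL's O4 (Run-key autorun) lines. The
# first three follow the fix script in this post; the fourth ("ExampleTray",
# "Example Corp") is invented to show an entry whose file still exists.
SAMPLE_O4 = """\
O4:64bit: - HKLM..\\Run: [SBRegRebootCleaner] "C:\\Program Files (x86)\\Ad-Aware Antivirus\\SBRC.exe" File not found
O4 - HKLM..\\Run: [] File not found
O4 - HKU\\S-1-5-21-3743975870-1591617531-270475079-1001..\\Run: [HPADVISOR] File not found
O4 - HKLM..\\Run: [ExampleTray] C:\\Program Files (x86)\\Example\\tray.exe (Example Corp)
"""

# Hive abbreviations used in O4 lines (assumed table); ".." stands in for the
# \Software\Microsoft\Windows\CurrentVersion part of the key, as the thread's
# OTL report shows.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS"}
ABBREV = "\\Software\\Microsoft\\Windows\\CurrentVersion\\"
MISSING = "File not found"

O4_RE = re.compile(
    r"^O4(?P<bits>:64bit:)? - (?P<hive>HKLM|HKCU|HKU\\[^.\\]+)\.\.\\(?P<subkey>[^:]+): "
    r"\[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$"
)


def parse_o4(line: str) -> Optional[Dict[str, object]]:
    """Turn one O4 line into the registry value it names, or None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    hive, _, sid = m.group("hive").partition("\\")   # "HKU\S-1-5-..." -> ("HKU", "\", "S-1-5-...")
    root = HIVES[hive] + ("\\" + sid if sid else "")
    rest = m.group("rest").strip()
    file_found = not rest.endswith(MISSING)
    target = rest if file_found else rest[: -len(MISSING)].strip()
    target = target.strip('"')
    target = re.sub(r"\s*\([^()]*\)$", "", target)    # drop a trailing "(Publisher)" note
    return {
        "is_64bit": m.group("bits") is not None,
        "key": root + ABBREV + m.group("subkey"),
        "name": m.group("name"),
        "target": target,
        "file_found": file_found,
    }


def orphaned_autoruns(text: str) -> List[Dict[str, object]]:
    """Entries whose Run value points at a file that no longer exists on disk."""
    parsed = (parse_o4(line) for line in text.splitlines())
    return [e for e in parsed if e is not None and not e["file_found"]]


def not_found_line(entry: Dict[str, object]) -> str:
    """The report line OTL writes when the value is already gone (format as in the thread's log)."""
    prefix = "64bit-" if entry["is_64bit"] else ""
    return f'{prefix}Registry value {entry["key"]}\\\\{entry["name"]} not found.'


if __name__ == "__main__":
    for entry in orphaned_autoruns(SAMPLE_O4):
        print(f'{entry["name"] or "(unnamed)"} -> {entry["target"] or "(no path)"}')
        print("   if already removed, OTL reports:", not_found_line(entry))
```

A `not found` result for every entry, as in the report swanvestas posts next, means the Run values were already gone when the fix ran, so this step had nothing left to remove; running it is still worthwhile because it confirms the state of the autorun keys rather than assuming it.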

Re: Trying to remove trojan

Post by swanvestas » June 19th, 2012, 4:03 pm

Hi deltalima,
As requested, the logs for Rkill and OTL.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 19/06/2012 at 20:48:10.
Operating System: Windows (TM) Vista Home Premium


Processes terminated by Rkill or while it was running:

C:\Windows\SysWOW64\rundll32.exe


Rkill completed on 19/06/2012 at 20:48:16.

............................................................................................

All processes killed
========== PROCESSES ==========
========== OTL ==========
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SBRegRebootCleaner not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_USERS\S-1-5-21-3743975870-1591617531-270475079-1001\Software\Microsoft\Windows\CurrentVersion\Run\\HPADVISOR not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: AppData
->Temp folder emptied: 0 bytes

User: Brian
->Temp folder emptied: 31832 bytes
->Temporary Internet Files folder emptied: 341581762 bytes
->Java cache emptied: 250379 bytes
->Flash cache emptied: 4446 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1090403 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 35782663 bytes
RecycleBin emptied: 353 bytes

Total Files Cleaned = 361.00 mb


OTL by OldTimer - Version 3.2.49.0 log created on 06192012_205217

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
swanvestas
Regular Member
 
Posts: 20
Joined: June 16th, 2012, 12:28 pm

Re: Trying to remove trojan

Post by deltalima » June 19th, 2012, 4:07 pm

Hi swanvestas,

Double click on Rkill.


Run OTL Script

  • Right click OTL.exe and select: Run as Administrator.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    :commands
    [EMPTYFLASH]
    [EMPTYJAVA]
    [REBOOT]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Trying to remove trojan

Post by swanvestas » June 19th, 2012, 4:25 pm

Hi deltalima,
Did as instructed, but no Notepad after the reboot.
swanvestas
Regular Member
 
Posts: 20
Joined: June 16th, 2012, 12:28 pm

Re: Trying to remove trojan

Post by deltalima » June 19th, 2012, 4:28 pm

Hi swanvestas,

Did as instructed, but no Notepad after the reboot.


OK, the log is not crucial, if it rebooted then OTL completed.

Please run Malwarebytes, update and then run a full scan and post the log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Trying to remove trojan

Post by swanvestas » June 19th, 2012, 5:21 pm

Have logged in on my laptop.
Just to say, when I am all clear I will be removing these redundant games I have collected over time. I am paying the penalty for keeping them in scan times.
swanvestas
Regular Member
 
Posts: 20
Joined: June 16th, 2012, 12:28 pm

Re: Trying to remove trojan

Post by deltalima » June 19th, 2012, 5:23 pm

Good idea, a clean up usually speeds the computer up.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Trying to remove trojan

Post by swanvestas » June 19th, 2012, 7:08 pm

Hi deltalima,
The requested Malwarebytes log, looking good.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.19.06

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Brian :: HOMEBASE [administrator]

19/06/2012 21:32:04
mbam-log-2012-06-19 (21-32-04).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 703917
Time elapsed: 2 hour(s), 28 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
swanvestas
Regular Member
 
Posts: 20
Joined: June 16th, 2012, 12:28 pm

Re: Trying to remove trojan

Post by deltalima » June 20th, 2012, 3:35 am

Hi swanvestas,

Run OTL Script

  • Right click OTL.exe and select: Run as Administrator.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    :commands
    [CREATERESTOREPOINT]
    [CLEARALLRESTOREPOINTS]
    
  • Then click the Run Fix button at the top.
  • Click Image

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 7 Update 5.
  • Download the latest version of Java Runtime Environment (JRE) 7 Here
  • Scroll down to where it says "Java SE 7u5"
  • Click the blue Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 7 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) ) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-7u5-windows-x64.exe to install the newest version

Update Adobe Reader

  • You should Download and Install the newest version of Adobe Reader for reading pdf files.
  • Older versions may have vulnerabilities that malware can use to infect your system.
  • Go Here to download and install Adobe Reader X (10.1.1).
  • Note: remember to Uncheck Free McAfee® Security Scan Plus (optional)

Now that you are clean, please follow these steps in order to keep your computer clean and secure.

Delete the RKill icon from your desktop.

Uninstall ComboFix

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK

Clean up with OTL

  • Double-click OTL.exe to start the program. This will remove all the tools we used to clean your pc.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.


Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.

Happy surfing and stay clean!
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Trying to remove trojan

Post by swanvestas » June 20th, 2012, 8:20 am

Hi deltalima,
On clicking Start I don't get the Run option, I get a search box.
So do I search ComboFix then delete from there?
Now we're this far I don't want to screw up.
swanvestas
Regular Member
 
Posts: 20
Joined: June 16th, 2012, 12:28 pm

Re: Trying to remove trojan

Post by deltalima » June 20th, 2012, 8:35 am

Hi swanvestas,

Sorry, my instructions should have been clearer.

So yes, just paste Combofix /Uninstall into the search box and press enter.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK