Topic: Can't remove virus

Offline johnson55

  • Full Member
  • Posts: 142
Can't remove virus
« on: November 12, 2012, 09:06:19 PM »
In Spybot Search & Destroy I can't fix a virus.
The virus is "win32.downloader.bltu" and I get this dialog. I click on Fix and get the following for C:\Windows\Wininit.ini:
"cannot create file - access is denied"

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 14735
  • "Stronger than the past, united in our goal."
Re: Can't remove virus
« Reply #1 on: November 12, 2012, 09:25:54 PM »
Hi, Johnson55. 

Please provide a copy of the logs in the Log Posting Instructions topic.

Offline johnson55

  • Full Member
  • Posts: 142
Re: Can't remove virus
« Reply #2 on: November 13, 2012, 05:41:37 PM »
DDS (Ver_2012-11-07.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16450  BrowserJavaVersion: 10.7.2
Run by jacobi678 at 13:06:28 on 2012-11-13
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4003.2635 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Users\jacobi678\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe
C:\Windows\System32\notepad.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutAzzyCtDyByBzy0E0CyBtDyDtByCyBtCtN0D0Tzu0CtByEyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2131799736
uURLSearchHooks: <No Name>:  - LocalServer32 - <no file>
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: {1036AD63-AEAC-460B-9060-C96005D4DC86} - <orphaned>
BHO: Shopping Assistant Plugin: {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files (x86)\PriceGong\2.6.4\PriceGongIE.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\jacobi678\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll
BHO: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Browse For Change BHO: {912C156F-05CF-4B62-851A-96E167A677B0} -
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
BHO: Wajam: {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} - C:\Program Files (x86)\Wajam\IE\wajam.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Zoom Downloader: {E5C66DD8-308B-4a4f-AF0A-3D04F25B5343} -
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Google Update] "C:\Users\jacobi678\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe -update activex
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [ROC_ROC_NT] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{AACA648C-CA36-4BFF-9259-744A8F274ACC} : DHCPNameServer = 192.168.2.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
x64-mStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutAzzyCtDyByBzy0E0CyBtDyDtByCyBtCtN0D0Tzu0CtByEyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2131799736
x64-BHO: Privacy Safeguard BHO: {1036AD63-AEAC-460B-9060-C96005D4DC86} -
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
x64-BHO: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\x64\IEBHO.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
x64-Run: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe -expressboot
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1   www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutAzzyCtDyByBzy0E0CyBtDyDtByCyBtCtN0D0Tzu0CtByEyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2131799736
FF - prefs.js: keyword.URL - hxxp://blekko.com/?source=c6125cca&tbp=url&toolbarid=blekkotb_001&u=___userid___&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\13.2.0\npsitesafety.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\jacobi678\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2012-09-15 10:07; websitelogon@truesuite.com; C:\Program Files (x86)\Mozilla Firefox\extensions\websitelogon@truesuite.com
FF - ExtSQL: 2012-09-26 16:30; firebug@software.joehewitt.com; C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\extensions\firebug@software.joehewitt.com.xpi
FF - ExtSQL: 2012-10-02 13:39; avg@toolbar; C:\ProgramData\AVG Secure Search\FireFoxExt\13.2.0.5
FF - ExtSQL: 2012-10-11 11:02; {0153E448-190B-4987-BDE1-F256CADA672F}; C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - ExtSQL: !HIDDEN! 2012-04-08 14:15; smartwebprinting@hp.com; C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - f345d036-dd66-4a32-b9e3-08c109616990
FF - user.js: extentions.y2layers.defaultEnableAppsList - bestvideodownloader,dropdowndeals,buzzdock,toprelatedtopics,twittube,ezlooker
FF - user.js: security.csp.enable - false
FF - user.js: extensions.softonic_i.newTab - false
FF - user.js: extensions.softonic_i.tlbrSrchUrl - hxxp://search.softonic.com/MON00005/tb_v1?SearchSource=1&cc=&q=
FF - user.js: extensions.softonic_i.id - 0a0226710000000000003860779ec705
FF - user.js: extensions.softonic_i.instlDay - 15421
FF - user.js: extensions.softonic_i.vrsn - 1.5.11.5
FF - user.js: extensions.softonic_i.vrsni - 1.5.11.5
FF - user.js: extensions.softonic_i.vrsnTs - 1.5.11.512:08:54
FF - user.js: extensions.softonic_i.prtnrId - softonic
FF - user.js: extensions.softonic_i.prdct - softonic
FF - user.js: extensions.softonic_i.aflt - SD
FF - user.js: extensions.softonic_i.smplGrp - eng7
FF - user.js: extensions.softonic_i.tlbrId - en11DECdefault
FF - user.js: extensions.softonic_i.instlRef - MON00005
FF - user.js: extensions.softonic_i.dfltLng -
FF - user.js: extensions.softonic_i.excTlbr - false
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutAzzyCtDyByBzy0E0CyBtDyDtByCyBtCtN0D0Tzu0CtByEyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2131799736
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutAzzyCtDyByBzy0E0CyBtDyDtByCyBtCtN0D0Tzu0CtByEyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2131799736
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutAzzyCtDyByBzy0E0CyBtDyDtByCyBtCtN0D0Tzu0CtByEyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2131799736&q=
FF - user.js: extensions.funmoods.id - 3860779EC7052671
FF - user.js: extensions.funmoods.instlDay - 15584
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2223:16:11
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - adknlg
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - adknlg
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
FF - user.js: extensions.autoDisableScopes - 14//Browseforchange
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-10-15 63328]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2012-9-21 225120]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2012-10-5 111456]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-9-14 40800]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2012-10-22 154464]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-10-2 185696]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-9-21 200032]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-10-2 30568]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-6 5814392]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]
R2 DefaultTabUpdate;DefaultTabUpdate;C:\Users\jacobi678\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [2012-8-27 107520]
R2 FPLService;TrueSuiteService;C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-6-9 264008]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2011-2-24 212944]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-9-9 1128952]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-2-15 1153368]
R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [2012-11-8 711112]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-9-9 471144]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-9-9 158976]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-9-3 227232]
S3 pmxdrv;pmxdrv;C:\Windows\System32\drivers\pmxdrv.sys [2011-9-9 31152]
S3 rcmirror;rcmirror;C:\Windows\System32\drivers\rcmirror.sys [2010-1-18 4608]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-2-14 1255736]
S4 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-9-9 2656280]
S4 WajamUpdater;WajamUpdater;C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [2012-2-10 109064]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-11-13 04:58:15   96224   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2012-11-13 04:58:15   157272   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\webapp-uninstaller.exe
2012-11-04 23:13:52   1658880   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\extensions\websitelogon@truesuite.com\components\FFXPCOM.dll
2012-10-22 19:02:44   154464   ----a-w-   C:\Windows\System32\drivers\avgidsdrivera.sys
2012-10-18 23:42:08   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{8B57CD95-913E-4FF3-8819-A7C68A6FFED3}
2012-10-18 20:59:50   163056   ----a-w-   C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10142.bin
2012-10-17 23:22:02   770384   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-10-17 23:22:02   73696   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-10-17 23:22:02   421200   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-10-15 09:48:50   63328   ----a-w-   C:\Windows\System32\drivers\avgidsha.sys
.
==================== Find3M  ====================
.
2012-11-09 04:34:02   30568   ----a-w-   C:\Windows\System32\drivers\avgtpx64.sys
2012-10-11 16:01:51   499712   ----a-w-   C:\Windows\SysWow64\msvcp71.dll
2012-10-11 16:01:51   348160   ----a-w-   C:\Windows\SysWow64\msvcr71.dll
2012-10-08 21:52:17   73656   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-08 21:52:17   696760   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2012-10-05 09:32:50   111456   ----a-w-   C:\Windows\System32\drivers\avgmfx64.sys
2012-10-02 08:30:38   185696   ----a-w-   C:\Windows\System32\drivers\avgldx64.sys
2012-09-30 01:54:26   25928   ----a-w-   C:\Windows\System32\drivers\mbam.sys
2012-09-21 08:46:04   200032   ----a-w-   C:\Windows\System32\drivers\avgtdia.sys
2012-09-21 08:46:00   225120   ----a-w-   C:\Windows\System32\drivers\avgloga.sys
2012-09-14 19:19:29   2048   ----a-w-   C:\Windows\System32\tzres.dll
2012-09-14 18:28:53   2048   ----a-w-   C:\Windows\SysWow64\tzres.dll
2012-09-14 08:05:18   40800   ----a-w-   C:\Windows\System32\drivers\avgrkx64.sys
2012-09-07 18:49:33   95208   ----a-w-   C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-07 18:49:33   821736   ----a-w-   C:\Windows\SysWow64\npDeployJava1.dll
2012-09-07 18:49:33   746984   ----a-w-   C:\Windows\SysWow64\deployJava1.dll
2012-08-31 18:19:35   1659760   ----a-w-   C:\Windows\System32\drivers\ntfs.sys
2012-08-30 18:03:45   5559664   ----a-w-   C:\Windows\System32\ntoskrnl.exe
2012-08-30 17:12:02   3968880   ----a-w-   C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02   3914096   ----a-w-   C:\Windows\SysWow64\ntoskrnl.exe
2012-08-24 18:05:07   220160   ----a-w-   C:\Windows\System32\wintrust.dll
2012-08-24 16:57:48   172544   ----a-w-   C:\Windows\SysWow64\wintrust.dll
2012-08-24 10:31:32   2312704   ----a-w-   C:\Windows\System32\jscript9.dll
2012-08-24 10:21:18   1392128   ----a-w-   C:\Windows\System32\wininet.dll
2012-08-24 10:20:11   1494528   ----a-w-   C:\Windows\System32\inetcpl.cpl
2012-08-24 10:14:45   173056   ----a-w-   C:\Windows\System32\ieUnatt.exe
2012-08-24 10:13:29   599040   ----a-w-   C:\Windows\System32\vbscript.dll
2012-08-24 10:09:42   2382848   ----a-w-   C:\Windows\System32\mshtml.tlb
2012-08-24 06:59:17   1800704   ----a-w-   C:\Windows\SysWow64\jscript9.dll
2012-08-24 06:51:27   1129472   ----a-w-   C:\Windows\SysWow64\wininet.dll
2012-08-24 06:51:02   1427968   ----a-w-   C:\Windows\SysWow64\inetcpl.cpl
2012-08-24 06:47:26   142848   ----a-w-   C:\Windows\SysWow64\ieUnatt.exe
2012-08-24 06:47:12   420864   ----a-w-   C:\Windows\SysWow64\vbscript.dll
2012-08-24 06:43:58   2382848   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2012-08-22 18:12:50   1913200   ----a-w-   C:\Windows\System32\drivers\tcpip.sys
2012-08-22 18:12:40   950128   ----a-w-   C:\Windows\System32\drivers\ndis.sys
2012-08-22 18:12:40   376688   ----a-w-   C:\Windows\System32\drivers\netio.sys
2012-08-22 18:12:33   288624   ----a-w-   C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-08-21 21:01:00   245760   ----a-w-   C:\Windows\System32\OxpsConverter.exe
2012-08-20 18:48:44   362496   ----a-w-   C:\Windows\System32\wow64win.dll
2012-08-20 18:48:44   243200   ----a-w-   C:\Windows\System32\wow64.dll
2012-08-20 18:48:44   13312   ----a-w-   C:\Windows\System32\wow64cpu.dll
2012-08-20 18:48:43   215040   ----a-w-   C:\Windows\System32\winsrv.dll
2012-08-20 18:48:37   16384   ----a-w-   C:\Windows\System32\ntvdm64.dll
2012-08-20 18:48:35   424448   ----a-w-   C:\Windows\System32\KernelBase.dll
2012-08-20 18:46:22   338432   ----a-w-   C:\Windows\System32\conhost.exe
2012-08-20 17:40:21   14336   ----a-w-   C:\Windows\SysWow64\ntvdm64.dll
2012-08-20 17:38:44   44032   ----a-w-   C:\Windows\apppatch\acwow64.dll
2012-08-20 17:38:26   25600   ----a-w-   C:\Windows\SysWow64\setup16.exe
2012-08-20 17:37:19   5120   ----a-w-   C:\Windows\SysWow64\wow32.dll
2012-08-20 17:37:18   274944   ----a-w-   C:\Windows\SysWow64\KernelBase.dll
2012-08-20 15:38:21   7680   ----a-w-   C:\Windows\SysWow64\instnm.exe
2012-08-20 15:38:20   2048   ----a-w-   C:\Windows\SysWow64\user.exe
2012-08-20 15:33:28   6144   ---ha-w-   C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28   4608   ---ha-w-   C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28   3584   ---ha-w-   C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28   3072   ---ha-w-   C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
.
============= FINISH: 13:06:49.55 ===============


Offline johnson55

  • Full Member
  • Posts: 142
Re: Can't remove virus
« Reply #3 on: November 13, 2012, 05:47:49 PM »
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-07.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 2/10/2012 4:25:24 PM
System Uptime: 11/13/2012 12:42:12 AM (13 hours ago)
.
Motherboard: PEGATRON CORPORATION |  | 2AC2
Processor: Intel(R) Core(TM) i3-2120 CPU @ 3.30GHz | CPU 1 | 3300/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 920 GiB total, 881.066 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 1.43 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP101: 10/2/2012 9:57:23 AM - HPSF Restore Point
RP102: 10/2/2012 10:16:40 AM - Restore Operation
RP103: 10/2/2012 11:04:55 AM - HPSF Restore Point
RP104: 10/2/2012 11:45:23 AM - HPSF Restore Point
RP105: 10/2/2012 1:35:58 PM - Installed AVG 2013
RP106: 10/2/2012 1:36:37 PM - Installed AVG 2013
RP107: 10/3/2012 3:00:26 AM - Windows Update
RP108: 10/4/2012 3:00:21 AM - Windows Update
RP109: 10/10/2012 11:34:33 PM - Windows Update
RP110: 10/19/2012 11:41:02 PM - Scheduled Checkpoint
RP111: 11/6/2012 11:35:49 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
4500_G510gm_Help
4500G510gm
4500G510gm_Software_Min
64 Bit HP CIO Components Installer
7-Zip 9.21
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
ARO 2012
AuthenTec TrueAPI
AVG 2013
AVG Security Toolbar
Belarc Advisor 8.2
Browse For Change
BufferChm
CCleaner
D3DX10
DefaultTab
Destinations
DeviceDiscovery
DocMgr
DocProc
Fax
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService2
Hewlett-Packard ACLM.NET v1.1.2.0
HP Auto
HP Client Services
HP Customer Experience Enhancements
HP Customer Participation Program 13.0
HP Document Manager 2.0
HP Imaging Device Functions 13.0
HP LinkUp
HP MovieStore
HP Odometer
HP Officejet 4500 G510g-m
HP Product Detection
HP Setup
HP Setup Manager
HP SimplePass PE 2011
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Support Assistant
HP Support Information
HP Update
HP Vision Hardware Diagnostics
HPProductAssistant
HPSSupply
Intel(R) Control Center
Intel(R) Identity Protection Technology 1.1.2.0
Intel(R) Management Engine Components
Intel(R) Processor Graphics
Java 7 Update 7
Java Auto Updater
JavaFX 2.1.1
JetMP3
Junk Mail filter update
LabelPrint
Malwarebytes Anti-Malware version 1.65.1.1000
MarketResearch
McAfee Security Scan Plus
Mesh Runtime
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Mathematics
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft WSE 3.0 Runtime
Mozilla Firefox 16.0.2 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network64
OCR Software by I.R.I.S. 13.0
PDF Complete Special Edition
PlayReady PC Runtime amd64
PlayReady PC Runtime x86
PriceGong 2.6.4
Privacy SafeGuard version 1.0
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Recovery Manager
Remote Graphics Receiver
RoxioNow Player
Scan
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Shop for HP Supplies
SmartWebPrinting
SolutionCenter
Spam Free Search Bar
Spybot - Search & Destroy
SpywareBlaster 4.6
Status
Toolbox
TrayApp
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VIP Access SDK (1.0.1.4)
Visual Studio 2008 x64 Redistributables
Visual Studio 2010 x64 Redistributables
Wajam
WebReg
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinPatrol
Yahoo! Install Manager
Yontoo 1.10.02
Zoom Downloader
.
==== Event Viewer Messages From Past Week ========
.
11/9/2012 1:05:42 Eystad, Error: Service Control Manager [7031]  - The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
11/9/2012 1:05:42 Eystad, Error: Service Control Manager [7024]  - The Windows Search service terminated with service-specific error %%-1073473535.
11/9/2012 1:05:28 Eystad, Error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for FailureActions with the following error:  Access is denied.
11/9/2012 1:05:26 Eystad, Error: Service Control Manager [7023]  - The Windows Defender service terminated with the following error:  The specified module could not be found.
11/9/2012 1:02:39 Eystad, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the AVGIDSAgent service to connect.
11/9/2012 1:02:39 Eystad, Error: Service Control Manager [7000]  - The AVGIDSAgent service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

Offline johnson55

  • Full Member
  • ***
  • Posts: 142
    • View Profile
Re: Can't remove virus
« Reply #4 on: November 13, 2012, 05:50:55 PM »
 Results of screen317's Security Check version 0.99.54 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 9 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
AVG Anti-Virus Free Edition 2013   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File 
 SpywareBlaster 4.6   
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.65.1.1000 
 JavaFX 2.1.1   
 Java 7 Update 7 
 Java version out of Date!
 Adobe Flash Player 11.4.402.287 
 Mozilla Firefox (16.0.2)
 Google Chrome 21.0.1180.89 
 Google Chrome 22.0.1229.79 
 Google Chrome 22.0.1229.92 
 Google Chrome 22.0.1229.94 
 Google Chrome 23.0.1271.64 
````````Process Check: objlist.exe by Laurent````````
 WinPatrol winpatrol.exe
 AVG avgwdsvc.exe
 BillP Studios WinPatrol WinPatrol.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14735
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Can't remove virus
« Reply #5 on: November 13, 2012, 06:18:20 PM »
Hi, johnson55. 

Ah, yes, the dreaded FunMoods!  We need to start by uninstalling the following programs.  I suspect McAfee Security Scan Plus came uninvited with an Adobe update as an unnecessary pre-checked option. 

McAfee Security Scan Plus
Spam Free Search Bar
Yontoo 1.10.02
Zoom Downloader

After you have uninstalled the above, please do the following in the order provided:

1.  Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
  • Shutdown/restart your computer.

2.  Please follow these instructions carefully.

Download ComboFix from here.

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.

3.  Please download AdwCleaner by Xplode to your Desktop.
  •   Double-click AdwCleaner.exe to run the tool.
  •   Click Search.
  •   A logfile will automatically open after the scan has finished.
  •   Please post the contents of that logfile with your next response.
Note: The log can also be found at C:\AdwCleaner[XX].txt where XX denotes the number of times the application has been run, i.e., R1

Please provide the three requested logs:  JRT.txt, ComboFix.txt and AdwCleanerR1.txt.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline johnson55

  • Full Member
  • ***
  • Posts: 142
    • View Profile
Re: Can't remove virus
« Reply #6 on: November 13, 2012, 08:11:14 PM »
--- Search result list ---
Win32.Downloader.bltu: [SBI $F553E068]  Executable (File, nothing done)
  C:\user.js
  Properties.size=295
  Properties.md5=1CCCC3458A291830BD6B8D7E3FA09128
  Properties.filedate=1332436134
  Properties.filedatetext=2012-03-22 11:08:53


--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

Edit Note by Corrine:  Unnecessary log removed to reduce scrolling.

Offline johnson55

  • Full Member
  • ***
  • Posts: 142
    • View Profile
Re: Can't remove virus
« Reply #7 on: November 13, 2012, 08:14:16 PM »
Win32.Downloader.bltu: [SBI $F553E068]  Executable (File, nothing done)
  C:\user.js
  Properties.size=295
  Properties.md5=1CCCC3458A291830BD6B8D7E3FA09128
  Properties.filedate=1332436134
  Properties.filedatetext=2012-03-22 11:08:53


--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

Edit Note by Corrine:  Unnecessary log removed to reduce scrolling. 

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14735
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Can't remove virus
« Reply #8 on: November 14, 2012, 12:44:02 AM »
Hi, johnson55.

That isn't what I asked you to do.  By not following instructions as presented, if there is a problem with something you do, it may be difficult to resolve the issue.  Please see the instructions I provided above at http://www.landzdown.com/analysis-and-malware-removal/can%27t-remove-virus/msg157942/#msg157942

Thank you!


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline johnson55

  • Full Member
  • ***
  • Posts: 142
    • View Profile
Re: Can't remove virus
« Reply #9 on: November 14, 2012, 02:41:28 PM »
Corrine, AVG is my antivirus, I didn't want to remove it.
Is that what you meant? I don't know where to go to find these:
McAfee Security Scan Plus
Spam Free Search Bar
Yontoo 1.10.02
Zoom Downloader
I'm a little confused.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14735
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Can't remove virus
« Reply #10 on: November 14, 2012, 03:37:22 PM »
Hi, johnson55.

To uninstall the four items, go to Control Panel\All Control Panel Items\Programs and Features.  Wait for the list to populate.  Select the first item and click Uninstall.  Repeat for each.  If you need additional directions, please see Uninstall or change a program.

You just need to temporarily disable AVG, not uninstall it. 
  •     Right-click the AVG icon in System tray.
  •     Select Open AVG User Interface.
  •     Click Overview on the left-hand side.
  •     Double-click Resident Shield and uncheck Resident Shield active.
  •     To disable the Internet Explorer extensions, Double-click LinkScanner and uncheck the box next to Enable AVG Search-Shield and Enable AVG Active Surf-Shield.
  •     Click Save changes.

You will need to follow the same steps again before running ComboFix.

Let me know if you have additional questions.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline johnson55

  • Full Member
  • ***
  • Posts: 142
    • View Profile
Re: Can't remove virus
« Reply #11 on: November 14, 2012, 05:48:55 PM »
Corrine,
I disabled AVG and downloaded what I thought was jrt.txt, and I got a 7Z on
my desktop. How do I get a log from that? Do I extract it?
How important is this trojan I have? Maybe it's not too important. I used Malwarebytes
4 times and it didn't find anything.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14735
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Can't remove virus
« Reply #12 on: November 14, 2012, 09:15:59 PM »
Hi, johnson55.

How important is the trojan?  The definition of a trojan is "destructive computer program: a computer program containing a hidden function that causes damage to other programs while appearing to perform a valid function."  According to descriptions of Win32.downloader.bltu, it "always tries to allow unauthorized hackers to remotely control your computer and steal your personal info for evil targets."  The decision is yours.  It is your computer, your personal information.

As to JRT, I gave you a direct download link for the Junk Removal Tool.  When you clicked on the link, it would have taken you to this page at Bleeping Computer and the download would have been presented to you to save:  http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/.  While the tool is running, there will be a black "DOS" box displayed as shown in the example at http://www.bleepingcomputer.com/download/junkware-removal-tool/

You won't get jrt.txt until after you run the tool.  Please try again.  You should see JRT.exe on your desktop.  If not, please move on to the next step.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline johnson55

  • Full Member
  • ***
  • Posts: 142
    • View Profile
Re: Can't remove virus
« Reply #13 on: November 15, 2012, 03:27:43 AM »
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 3.0.9 (11.13.2012)
OS: Windows 7 Home Premium x64
Ran by jacobi678 on Wed 11/14/2012 at 23:15:39.23
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully stopped: [Service] DefaultTabUpdate
Successfully deleted: [Service] DefaultTabUpdate
Successfully stopped: [Service] WajamUpdater
Successfully deleted: [Service] WajamUpdater



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{977ae9cc-af83-45e8-9e03-e2798216e2d5}
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\main\\Start Page



~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\crossrider"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\defaulttab"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\pricegong"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\smartbar"
Successfully deleted: [Registry Key] "hkey_current_user\software\default tab"
Successfully deleted: [Registry Key] "hkey_current_user\software\defaulttab"
Successfully deleted: [Registry Key] "hkey_current_user\software\iminent"
Successfully deleted: [Registry Key] "hkey_current_user\software\wajam"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\escort.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\escortapp.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\escorteng.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\escortlbr.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\pricegongie.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\pricefactorie.pricegongbho"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\pricefactorie.pricegongbho.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\pricegongie.pricegongctrl"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\pricegongie.pricegongctrl.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\wajam.wajambho"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\wajam.wajambho.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\wajam.wajamdownloader"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\wajam.wajamdownloader.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\default tab"
Successfully deleted: [Registry Key] "hkey_local_machine\software\freeze.com"
Successfully deleted: [Registry Key] "hkey_local_machine\software\iminent"
Successfully deleted: [Registry Key] "hkey_local_machine\software\wajam"
Successfully deleted: [Registry Key] "hkey_local_machine\software\wow6432node\microsoft\tracing\mybabylontb_rasapi32"
Successfully deleted: [Registry Key] "hkey_local_machine\software\wow6432node\microsoft\tracing\mybabylontb_rasmancs"
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0ecdf796-c2dc-4d79-a620-cce0c0a66cc9}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{1036ad63-aeac-460b-9060-c96005d4dc86}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{1631550f-191d-4826-b069-d9439253d926}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{1631550f-191d-4826-b069-d9439253d926}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{20a0be68-8fd9-4539-8712-ce3d1c1fdfc6}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{3bd44f0e-0596-4008-aee0-45d47e3a8f0e}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{7f6afbf1-e065-4627-a2fd-810366367d01}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{7f6afbf1-e065-4627-a2fd-810366367d01}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{a7a6995d-6ee1-4fd1-a258-49395d5bf99c}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{a7a6995d-6ee1-4fd1-a258-49395d5bf99c}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d2a2595c-4fe4-4315-aa9b-19dbd6271b71}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d824f0de-3d60-4f57-9eb1-66033ecd8abb}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{d824f0de-3d60-4f57-9eb1-66033ecd8abb}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{e5c66dd8-308b-4a4f-af0a-3d04f25b5343}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{e5c66dd8-308b-4a4f-af0a-3d04f25b5343}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{2fa28606-de77-4029-af96-b231e3b8f827}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\anti-phishing domain advisor"
Successfully deleted: [Folder] "C:\ProgramData\installmate"
Successfully deleted: [Folder] "C:\ProgramData\wecarereminder"
Successfully deleted: [Folder] "C:\Users\jacobi678\AppData\Roaming\defaulttab"
Successfully deleted: [Folder] "C:\Users\jacobi678\appdata\local\jetmp3"
Successfully deleted: [Folder] "C:\Users\jacobi678\appdata\local\wajam"
Successfully deleted: [Folder] "C:\Users\jacobi678\appdata\locallow\babylontoolbar"
Successfully deleted: [Folder] "C:\Users\jacobi678\appdata\locallow\blekkotb"
Successfully deleted: [Folder] "C:\Users\jacobi678\appdata\locallow\funmoods"
Successfully deleted: [Folder] "C:\Users\jacobi678\appdata\locallow\pricegong"
Successfully deleted: [Folder] "C:\Users\jacobi678\appdata\locallow\toolbar4"
Successfully deleted: [Folder] "C:\Program Files (x86)\blekkotb"
Successfully deleted: [Folder] "C:\Program Files (x86)\playready"
Successfully deleted: [Folder] "C:\Program Files (x86)\pricegong"
Successfully deleted: [Folder] "C:\Program Files (x86)\wajam"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\privacy safeguard"



~~~ FireFox

Successfully deleted: [File] C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\user.js
Successfully deleted: [File] C:\user.js
Successfully deleted: [Folder] C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\extensions\ffxtlbra@softonic.com
Successfully deleted: [Folder] C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\extensions\jetmp3@jetpack
Successfully deleted: [Folder] C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\extensions\plugin@yontoo.com
Successfully deleted: [Folder] C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\extensions\wecarereminder@bryan
Successfully deleted: [Folder] C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\extensions\{00f12770-e60e-4dc6-9105-425bface7c73}
Successfully deleted: [Folder] C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\extensions\{c9b68337-e93a-44ea-94dc-cb300ec06444}
Successfully deleted: [File] C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\searchplugins\search-here.xml
Successfully deleted: [File] C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\searchplugins\search.xml
Successfully deleted: [addon@defaulttab.com.xpi] from C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\extensions



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 11/14/2012 at 23:18:35.11
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

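A small parser for the JRT log format posted above, added here as an example (it is not part of the thread, nor of the Junkware Removal Tool itself): it groups the "Successfully deleted" entries by type and flags the browser persistence points the adware had hooked (IE Browser Helper Object and SearchScopes registrations, the Firefox user.js preference override, Firefox extensions). The sample lines are constructed from the entries shown in the log; the section names and the `[kind] target` layout follow the posted output.

```python
"""Summarise a Junkware Removal Tool (JRT) log: what was removed, and where it hid."""
import re
from collections import Counter

# Constructed sample in the JRT log format seen in the thread (not a real capture).
SAMPLE_LOG = r"""
~~~ Services

Successfully stopped: [Service] WajamUpdater
Successfully deleted: [Service] WajamUpdater

~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_current_user\software\wajam"
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{1036ad63-aeac-460b-9060-c96005d4dc86}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0ecdf796-c2dc-4d79-a620-cce0c0a66cc9}

~~~ Folders

Successfully deleted: [Folder] "C:\Program Files (x86)\wajam"

~~~ FireFox

Successfully deleted: [File] C:\user.js
Successfully deleted: [addon@defaulttab.com.xpi] from C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\extensions
"""

# "Successfully <action>: [<kind>] <target>"; the Firefox add-on variant puts the
# .xpi name in the brackets and "from <extensions dir>" as the target.
LINE_RE = re.compile(r"^Successfully (?P<action>\w+): \[(?P<kind>[^\]]+)\] (?P<target>.+?)\s*$")


def classify_hook(kind, target):
    """Name the persistence/hijack mechanism behind a removed item, or None."""
    t = target.lower()
    if kind == "Service":
        return "Windows service"
    if "\\browser helper objects\\" in t:
        return "IE browser helper object"
    if "\\searchscopes\\" in t:
        return "IE search provider"
    if "internet explorer\\main" in t and t.endswith("start page"):
        return "IE start page"
    if t.endswith("\\user.js"):
        return "Firefox prefs override (user.js)"
    if kind == "Firefox Add-on" or "\\extensions\\" in t:
        return "Firefox extension"
    return None


def parse_jrt(text):
    """Return one dict per 'Successfully ...' line, tagged with its ~~~ section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("~~~ "):
            section = line[4:].strip()
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        action, kind, target = m.group("action", "kind", "target")
        if kind.lower().endswith(".xpi"):
            # Normalise the add-on variant to a full path plus a synthetic kind.
            ext_dir = target[5:] if target.startswith("from ") else target
            target, kind = ext_dir.strip() + "\\" + kind, "Firefox Add-on"
        target = target.strip('"')  # JRT quotes some registry and folder paths
        entries.append({"section": section, "action": action, "kind": kind,
                        "target": target, "hook": classify_hook(kind, target)})
    return entries


def summarize(entries):
    """Count deletions per kind and list the distinct persistence hooks found."""
    deleted = Counter(e["kind"] for e in entries if e["action"] == "deleted")
    hooks = sorted({e["hook"] for e in entries if e["hook"]})
    return {"deleted_by_kind": dict(deleted), "persistence_hooks": hooks}


if __name__ == "__main__":
    report = summarize(parse_jrt(SAMPLE_LOG))
    for kind, n in sorted(report["deleted_by_kind"].items()):
        print(f"{n:3d}  {kind}")
    print("hooks:", ", ".join(report["persistence_hooks"]))
```

Run against a real JRT.txt by passing its contents to `parse_jrt`; entries whose `hook` is set show which browser and service hooks the adware had taken, which is what to re-check after the reboot.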
Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14735
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Can't remove virus
« Reply #14 on: November 15, 2012, 12:55:42 PM »
Good job, johnson55.  Now please move on to the next step.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.