Possible MBR rootkit infection

Started by DR M, November 15, 2013, 09:01:46 AM


DR M

 

While scanning, Eset's warning appeared again. I chose no action and disabled it.

Grecian Geek

"Count your blessings, remember your prayers..."

"In one of the stars I shall be living. In one of them I shall be laughing. And so it will be as if all the stars will be laughing when you look at the sky at night.. You, only you, will have stars that can laugh..."

Corrine

Hi, Panos.

aswMBR didn't identify TDL3.  As you'll recall, I mentioned earlier TDL3 is old (from 2009).  However, I've been reading up on it and believe that the best action is to run ComboFix, which had been updated at that time to deal with it -- well and also knowing that you are prepared to reinstall the OS in case of problems.

Please follow these instructions carefully.  Download ComboFix from the following location:  Link 1

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

    Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

  • If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts. 
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, a log will be produced. Please copy C:\ComboFix.txt in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

DR M

Hi, Corrine.

Yes, you can say that I am prepared for a clean install. Again, no Windows disc exists and the computer will be restored to factory settings. My question is: where is the Windows license? There is no sticker with it on any side of the computer. Has this something to do with the fact that the version is Windows Starter?

Anyway... Hoping that the computer's restore won't be necessary, I post the ComboFix log. While scanning, there was a warning that a program (I don't remember the name, but it had exe at the end) could not continue working and Windows should close it.

The log:


ComboFix 13-11-16.01 - user 11/18/2013  15:04:35.1.2 - x86
Microsoft Windows 7 Starter   6.1.7601.1.1252.1.1033.18.987.176 [GMT 2:00]
Running from: c:\users\user\Desktop\ComboFix.exe
AV: ESET Smart Security 7.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
FW: ESET Personal firewall *Enabled* {211E1E8B-C9F9-A04B-6D84-BC85190CE5F2}
SP: ESET Smart Security 7.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\PFRO.log
c:\windows\system32\FlashPlayerApp.exe
c:\windows\system32\Tasks\BackgroundContainer Startup Task
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-18 to 2013-11-18  )))))))))))))))))))))))))))))))
.
.
2013-11-18 14:13 . 2013-11-18 14:13   --------   d-----w-   c:\users\Default\AppData\Local\temp
2013-11-18 13:31 . 2013-11-18 13:31   62576   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{7B4CB518-7CBC-4DDA-BBCD-2555709D48C4}\offreg.dll
2013-11-15 08:12 . 2013-11-15 08:12   --------   d-----w-   C:\18be667fae7b1dce1c
2013-11-15 07:55 . 2013-11-15 07:55   --------   d-----w-   c:\program files\ESET
2013-11-15 07:52 . 2013-11-15 07:52   71048   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-15 07:00 . 2013-10-14 06:39   7796464   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{7B4CB518-7CBC-4DDA-BBCD-2555709D48C4}\mpengine.dll
2013-10-20 14:40 . 2013-09-22 23:28   817664   ----a-w-   c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-10-20 14:40 . 2013-09-22 23:54   770648   ----a-w-   c:\program files\Internet Explorer\iexplore.exe
2013-10-20 14:40 . 2013-09-22 23:28   1767936   ----a-w-   c:\windows\system32\wininet.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-19 08:49 . 2013-10-19 08:49   50053120   ----a-w-   c:\program files\GUT2DF4.tmp
2013-09-17 13:17 . 2013-09-17 13:17   49240   ----a-w-   c:\windows\system32\drivers\epfwwfp.sys
2013-09-17 13:17 . 2013-09-17 13:17   37416   ----a-w-   c:\windows\system32\drivers\EpfwLWF.sys
2013-09-17 13:17 . 2013-09-17 13:17   188808   ----a-w-   c:\windows\system32\drivers\eamonm.sys
2013-09-17 13:17 . 2013-09-17 13:17   174400   ----a-w-   c:\windows\system32\drivers\epfw.sys
2013-09-17 13:17 . 2013-09-17 13:17   134248   ----a-w-   c:\windows\system32\drivers\ehdrv.sys
2013-09-14 00:48 . 2013-10-19 08:46   338944   ----a-w-   c:\windows\system32\drivers\afd.sys
2013-09-08 02:07 . 2013-10-19 08:46   1294272   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:03 . 2013-10-19 08:46   231424   ----a-w-   c:\windows\system32\mswsock.dll
2013-09-03 11:35 . 2012-02-03 17:15   238872   ------w-   c:\windows\system32\MpSigStub.exe
2013-08-29 01:51 . 2013-10-19 08:45   3969472   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2013-08-29 01:51 . 2013-10-19 08:45   3914176   ----a-w-   c:\windows\system32\ntoskrnl.exe
2013-08-29 01:50 . 2013-10-19 08:45   1289096   ----a-w-   c:\windows\system32\ntdll.dll
2013-08-29 01:50 . 2013-10-19 08:45   619520   ----a-w-   c:\windows\system32\tdh.dll
2013-08-29 01:48 . 2013-10-19 08:45   640512   ----a-w-   c:\windows\system32\advapi32.dll
2013-08-28 01:04 . 2013-10-19 08:44   2348544   ----a-w-   c:\windows\system32\win32k.sys
2013-08-28 00:57 . 2013-10-19 08:45   434688   ----a-w-   c:\windows\system32\scavengeui.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2009-10-29 01:18   661504   ----a-w-   c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2009-10-29 01:18   661504   ----a-w-   c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2009-10-29 01:18   661504   ----a-w-   c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2009-10-29 01:18   661504   ----a-w-   c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2009-10-29 01:18   661504   ----a-w-   c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCShield Monitor"="c:\program files\MCShield\mcshieldrtm.exe" [2012-03-12 583680]
"BackgroundContainer"="c:\users\user\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll" [2013-10-14 319264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-16 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-16 150552]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2013-09-12 5110672]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-05-18 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^user^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackgroundContainer]
2013-10-14 14:00   319264   ----a-w-   c:\users\user\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2011-03-24 07:11   167936   ----a-w-   c:\program files\Freecorder\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 16:36   30040   ----a-w-   c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP]
2009-07-14 11:54   589104   ----a-w-   c:\program files\Hewlett-Packard\HP QuickSync\QuickSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-05-10 00:41   49208   ----a-w-   c:\program files\Hp\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2009-06-05 03:03   186904   ----a-w-   c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-01-13 12:53   460872   ----a-w-   c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2009-08-20 08:46   322104   ----a-w-   c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simplify Media]
2009-10-23 09:56   21498376   ----a-w-   c:\program files\Hp\HP MediaStream\HPMediaStream.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2010-05-27 12:31   1721640   ----a-w-   c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2009-10-12 06:51   495708   ----a-w-   c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WirelessAssistant]
2009-09-01 08:41   499768   ----a-w-   c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZumoDrive]
2012-01-31 13:17   2042   ----a-w-   c:\program files\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk
.
R2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-11-09 160944]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-02 174592]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2013-09-17 49240]
S1 DVMIO;DVMIO;c:\splash.sys\config\dvmio.sys [2009-09-30 17624]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2013-09-17 188808]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2013-09-17 134248]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [2013-09-17 37416]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_5576240ee6baaa25\aestsrv.exe [2009-03-02 81920]
S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
S2 DvmMDES;DeviceVM Meta Data Export Service;c:\splash.sys\config\DVMExportService.exe [2009-07-09 323584]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2013-09-12 1337752]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-09-17 29472]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-10-02 204288]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation   REG_MULTI_SZ      SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-11-15 07:53]
.
2013-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-05 17:04]
.
2013-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-05 17:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&ξαγωγή στο Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.10.254
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\Freecorder\prxtbFre0.dll
BHO-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\Freecorder\prxtbFre0.dll
Toolbar-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\Freecorder\prxtbFre0.dll
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - c:\program files\Freecorder\prxtbFre0.dll
SafeBoot-Wdf01000.sys
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-ΜΑΤΖΕΝΤΑ - Αγγλικό-Ελληνικό-Αγγλικό λεξικό όρων ~BCE23F32_is1 - c:\program files\Magenta Demo\polydemo\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2700)
c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
Completion time: 2013-11-18  16:20:46
ComboFix-quarantined-files.txt  2013-11-18 14:20
.
Pre-Run: 226,230,714,368 bytes free
Post-Run: 227,459,641,344 bytes free
.
- - End Of File - - CA03695224BC48674FF9E62195C3C734
BBCF369EC7C1AB809FFF44A0FD8090F6

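The "Reg Loading Points" section of the ComboFix log above is where a persistence entry such as the Conduit BackgroundContainer.dll shows up. As an added example (not part of the thread, nor code from ComboFix or any other tool discussed), this Python script parses that section from a constructed sample in the same layout and flags autoruns whose image sits in a user-writable directory or is not a plain executable; the heuristics, names and sample are the editor's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the ComboFix "Reg Loading Points" layout seen in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCShield Monitor"="c:\program files\MCShield\mcshieldrtm.exe" [2012-03-12 583680]
"BackgroundContainer"="c:\users\user\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll" [2013-10-14 319264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-16 141848]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2013-09-12 5110672]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-05-18 280576]
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)

# Directories a standard user can write to; persistence from here needs no admin rights.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
# What a Run value normally launches directly; anything else is loaded via a host process.
EXECUTABLE_EXTS = (".exe", ".com", ".scr")


@dataclass
class AutorunEntry:
    key: str        # registry key the value lives under
    name: str       # value name
    path: str       # image ComboFix resolved for the value
    date: str       # file date ComboFix recorded
    size: int       # file size in bytes
    reasons: list = field(default_factory=list)

    @property
    def per_user(self) -> bool:
        # HKCU / HKEY_USERS hives can be written without administrator rights.
        return self.key.upper().startswith(("HKEY_CURRENT_USER", "HKCU", "HKEY_USERS"))


def parse_loading_points(text: str) -> list:
    """Parse ComboFix 'Reg Loading Points' lines into AutorunEntry objects."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue  # ComboFix uses a lone '.' as a section spacer
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and current_key:
            entries.append(AutorunEntry(current_key, m.group("name"), m.group("path"),
                                        m.group("date"), int(m.group("size"))))
    return entries


def assess(entry: AutorunEntry) -> list:
    """Return the reasons an autorun deserves a second look (empty list = nothing notable)."""
    reasons = []
    p = entry.path.lower()
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        reasons.append("image lives in a user-writable directory")
    if not p.endswith(EXECUTABLE_EXTS):
        reasons.append("Run value resolves to a non-executable image (DLL loaded via a host process)")
    if entry.per_user and reasons:
        reasons.append("per-user hive: installed without needing admin rights")
    entry.reasons = reasons
    return reasons


def triage(text: str) -> list:
    """Parse the log and return only the entries that have at least one reason."""
    return [e for e in parse_loading_points(text) if assess(e)]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.name}: {e.path}")
        for r in e.reasons:
            print("   -", r)
```

On the sample, only the BackgroundContainer entry is reported, for the same reasons the thread later removes it: a DLL under the user's AppData, registered in the per-user Run key.
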
Corrine

Hmmm, did you notice, Panos, that the ComboFix log had no mention of TDL3?   Are you still getting alerts from ESET?  If so, can you write down what they are and post here.



DR M

I tried to ... read Combofix, but I didn't understand ... the last two words ( :laughing: )

The last warning of Eset I remember was about Freecorder. But this is not a rootkit. It is an old tool (an add-on) for downloading YouTube videos.

I don't remember the other warnings. I will start the computer and wait a little to see if something happens.

The absence of TDL3 from Combofix means clean install??

(Is there a license for Windows 7 Starter?)

Corrine

Quote: "The absence of TDL3 from Combofix means clean install??"

No, Panos, it means that ComboFix didn't see TDL3 or it would have repaired it.  Plus, aswMBR would have specifically pointed it out if the TDL3 rootkit was on the computer.

Let's run through the other scans, starting with AdwCleaner.  Please download AdwCleaner by Xplode and save to your Desktop.

  • Double-click AdwCleaner.exe to run the tool.
    Note:  Windows Vista, Windows 7/8 users right-click and select Run As Administrator.
  • Click the Scan button.
  • AdwCleaner will begin.  Be patient as the scan may take some time to complete.
  • After the scan has finished, click the Report button.  A logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, please let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.



DR M

Corrine,

I was using the laptop during the last hour, and it looks fine, except for being very, very slow when using IE. Of course I don't know how it was before. During the last hour no Eset warning came up. I have made some updates, removed the Ask bar from the add-ons in IE, and ran MBAM. Two objects referring to Freecorder were removed. I am sorry I ran MBAM without your permission. I was almost sure that you would recommend a format! But of course, you are Corrine!!!

Something I see on the computer is a program called Oceanis Change Background. I tried to use it. It changes the desktop's wallpaper. I searched and some people say that perhaps malware can come from this. What do you think?

I will be back with AdwCleaner's log.

DR M

Adwcleaner log

(I DIDN'T CLICK CLEAN. ONLY REPORT.)


# AdwCleaner v3.012 - Report created 18/11/2013 at 22:41:27
# Updated 11/11/2013 by Xplode
# Operating System : Windows 7 Starter Service Pack 1 (32 bits)
# Username : user - USER-PC
# Running from : C:\Users\user\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Windows\System32\Tasks\BackgroundContainer Startup Task
Folder Found C:\Program Files\Conduit
Folder Found C:\Program Files\Freecorder
Folder Found C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Freecorder
Folder Found C:\users\user\AppData\Local\Conduit
Folder Found C:\users\user\AppData\LocalLow\Conduit
Folder Found C:\users\user\AppData\LocalLow\Freecorder
Folder Found C:\users\user\AppData\LocalLow\PriceGong
Folder Found C:\users\user\Documents\Freecorder

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\Freecorder
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\smartbar
Key Found : HKCU\Software\AppDataLow\Toolbar
Key Found : HKCU\Software\Ask&Record
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Freecorder
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\conduit.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E113159-BD8D-4DDB-83B8-C5E5FB6A111B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2E113159-BD8D-4DDB-83B8-C5E5FB6A111B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT1060933
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\DeviceVM
Key Found : HKLM\Software\Freecorder
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00EE85F1-BD03-434F-861C-8ADD64906CEA}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7326F7EE-B62C-4B8D-8D43-F9BE879DFA51}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\BackgroundContainer Startup Task
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{12FDD3F9-6B89-4DB1-B3C3-F6C4D061A7C1}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2E113159-BD8D-4DDB-83B8-C5E5FB6A111B}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freecorder Toolbar
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [BackgroundContainer]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{1392B8D2-5C05-419F-A8F6-B9F15A596612}]

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16736


*************************

AdwCleaner[R0].txt - [3561 octets] - [18/11/2013 22:41:27]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3621 octets] ##########

Corrine

According to Prevx, it is safe.  From http://www.prevx.com/filenames/X1739755328300891982-X1/WALLPAPERAGENT.EXE.html

Quote: "The filename WALLPAPERAGENT.EXE is used by objects that are classified as safe. It has not yet been seen to be associated with malicious software."



Corrine

I understand why you ran MBAM.  Yes, with AdwCleaner, I wanted to see what was in the log first before asking you to remove what was found.  Let's continue with the cleanup, particularly since there are leftovers of Ask and Freecorder as well as Conduit and other files that should be removed.

1.  Double-click AdwCleaner.exe to run the tool again.
  • Click the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
    Note:  Windows Vista, Windows 7/8 users right-click and select Run As Administrator.
  • After the scan has finished, this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
2.  Please download Junkware Removal Tool to your desktop.

  • Disable your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it.  If you are using Windows Vista or Seven, right-mouse click it and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
3.  In addition, let's see a fresh DDS log.



DR M

Good morning, Corrine.

I think that the news is not good.

1. The logs:

# AdwCleaner v3.012 - Report created 19/11/2013 at 09:52:53
# Updated 11/11/2013 by Xplode
# Operating System : Windows 7 Starter Service Pack 1 (32 bits)
# Username : user - USER-PC
# Running from : C:\Users\user\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Freecorder
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Freecorder
Folder Deleted : C:\users\user\AppData\Local\Conduit
Folder Deleted : C:\users\user\AppData\LocalLow\Conduit
Folder Deleted : C:\users\user\AppData\LocalLow\PriceGong
Folder Deleted : C:\users\user\AppData\LocalLow\Freecorder
Folder Deleted : C:\users\user\Documents\Freecorder
File Deleted : C:\Windows\System32\Tasks\BackgroundContainer Startup Task

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E59CEE2F-AE40-47B7-889C-F79862294F5A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E59CEE2F-AE40-47B7-889C-F79862294F5A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\conduit.com
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [BackgroundContainer]
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT1060933
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2E113159-BD8D-4DDB-83B8-C5E5FB6A111B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E113159-BD8D-4DDB-83B8-C5E5FB6A111B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2E113159-BD8D-4DDB-83B8-C5E5FB6A111B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00EE85F1-BD03-434F-861C-8ADD64906CEA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7326F7EE-B62C-4B8D-8D43-F9BE879DFA51}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{1392B8D2-5C05-419F-A8F6-B9F15A596612}]
Key Deleted : HKCU\Software\Ask&Record
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Freecorder
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\smartbar
Key Deleted : HKCU\Software\AppDataLow\Software\Freecorder
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\DeviceVM
Key Deleted : HKLM\Software\Freecorder
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freecorder Toolbar

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16736


*************************

AdwCleaner[R0].txt - [3701 octets] - [18/11/2013 22:41:27]
AdwCleaner[R1].txt - [3761 octets] - [19/11/2013 09:51:28]
AdwCleaner[S0].txt - [3796 octets] - [19/11/2013 09:52:53]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3856 octets] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Starter x86
Ran by user on Tue 11/19/2013 at  9:58:23.09
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



~~~ Services


~~~ Registry Values


~~~ Registry Keys


~~~ Files


~~~ Folders


~~~ Event Viewer Logs were cleared



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 11/19/2013 at 10:06:06.32
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


2. DDS REPORTS

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16736
Run by user at 10:07:34 on 2013-11-19
Microsoft Windows 7 Starter   6.1.7601.1.1252.1.1033.18.987.308 [GMT 2:00]
.
AV: ESET Smart Security 7.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ESET Smart Security 7.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
FW: ESET Personal firewall *Enabled* {211E1E8B-C9F9-A04B-6D84-BC85190CE5F2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_5576240ee6baaa25\STacSV.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_5576240ee6baaa25\aestsrv.exe
C:\Program Files\Microsoft\BingBar\BBSvc.EXE
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\SPLASH.SYS\config\DVMExportService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\MCShield\MCShieldRTM.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
    BHO: Windows 7 Starter Helper: {D381FF29-7CFB-4D4E-B92A-C4EDDC696614} - c:\program files\oceanis\systemsetting\StarterHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [MCShield Monitor] c:\program files\mcshield\mcshieldrtm.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
    dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: E&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab
    TCP: NameServer = 192.168.10.254
    TCP: Interfaces\{6CA92D8C-9201-4E4A-8161-896CD2918CA2} : DHCPNameServer = 192.168.10.254
    TCP: Interfaces\{C9F65FDF-BEBB-443D-AB33-A065C2955EB8} : DHCPNameServer = 192.168.10.254
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2013-9-17 49240]
    R1 DVMIO;DVMIO;c:\splash.sys\config\dvmio.sys [2009-9-30 17624]
    R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2013-9-17 188808]
    R1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\drivers\EpfwLWF.sys [2013-9-17 37416]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_5576240ee6baaa25\AEstSrv.exe [2012-1-31 81920]
    R2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
    R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
    R2 DvmMDES;DeviceVM Meta Data Export Service;c:\splash.sys\config\DVMExportService.exe [2009-7-9 323584]
    R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2013-9-12 1337752]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2012-1-31 29472]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2012-1-31 204288]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-11-9 160944]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-12-11 228408]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2012-1-31 174592]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-2-12 52224]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]
    .
    =============== Created Last 30 ================
    .
    2013-11-19 07:58:19   --------   d-----w-   c:\windows\ERUNT
    2013-11-18 20:41:19   --------   d-----w-   C:\AdwCleaner
    2013-11-18 19:44:50   --------   d-----w-   c:\users\user\appdata\local\Programs
    2013-11-18 14:18:10   --------   d-sh--w-   C:\$RECYCLE.BIN
    2013-11-18 14:17:23   76288   ----a-w-   c:\windows\system32\drivers\usbccgp.sys
    2013-11-18 14:17:22   6016   ----a-w-   c:\windows\system32\drivers\usbd.sys
    2013-11-18 14:17:22   43008   ----a-w-   c:\windows\system32\drivers\usbehci.sys
    2013-11-18 14:17:22   284672   ----a-w-   c:\windows\system32\drivers\usbport.sys
    2013-11-18 14:17:22   258560   ----a-w-   c:\windows\system32\drivers\usbhub.sys
    2013-11-18 14:17:22   24064   ----a-w-   c:\windows\system32\drivers\usbuhci.sys
    2013-11-18 14:17:22   20480   ----a-w-   c:\windows\system32\drivers\usbohci.sys
    2013-11-18 12:59:22   98816   ----a-w-   c:\windows\sed.exe
    2013-11-18 12:59:22   256000   ----a-w-   c:\windows\PEV.exe
    2013-11-18 12:59:22   208896   ----a-w-   c:\windows\MBR.exe
    2013-11-18 12:56:07   2706432   ----a-w-   c:\windows\system32\mshtml.tlb
    2013-11-18 12:56:05   2877952   ----a-w-   c:\windows\system32\jscript9.dll
    2013-11-18 12:56:04   217600   ----a-w-   c:\program files\internet explorer\sqmapi.dll
    2013-11-18 12:56:04   108032   ----a-w-   c:\program files\internet explorer\jsdebuggeride.dll
    2013-11-18 12:56:02   61440   ----a-w-   c:\windows\system32\iesetup.dll
    2013-11-18 12:56:01   257536   ----a-w-   c:\program files\internet explorer\ieproxy.dll
    2013-11-18 12:56:00   236032   ----a-w-   c:\program files\internet explorer\IEShims.dll
    2013-11-18 12:55:59   71680   ----a-w-   c:\windows\system32\RegisterIEPKEYs.exe
    2013-11-18 12:55:59   109056   ----a-w-   c:\windows\system32\iesysprep.dll
    2013-11-18 12:55:55   817664   ----a-w-   c:\program files\common files\microsoft shared\vgx\VGX.dll
    2013-11-18 12:55:53   1767936   ----a-w-   c:\windows\system32\wininet.dll
    2013-11-18 12:55:51   770736   ----a-w-   c:\program files\internet explorer\iexplore.exe
    2013-11-15 08:12:51   --------   d-----w-   C:\18be667fae7b1dce1c
    2013-11-15 07:55:06   --------   d-----w-   c:\program files\ESET
    2013-11-15 07:52:57   71048   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-11-15 07:05:22   1796096   ----a-w-   c:\windows\system32\authui.dll
    2013-11-15 07:05:21   168960   ----a-w-   c:\windows\system32\credui.dll
    2013-11-15 07:05:21   152576   ----a-w-   c:\windows\system32\SmartcardCredentialProvider.dll
    2013-11-15 07:04:49   247808   ----a-w-   c:\windows\system32\schannel.dll
    2013-11-15 07:04:48   369848   ----a-w-   c:\windows\system32\drivers\cng.sys
    2013-11-15 07:04:48   136640   ----a-w-   c:\windows\system32\drivers\ksecpkg.sys
    2013-11-15 07:04:47   67520   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
    2013-11-15 07:04:46   1038848   ----a-w-   c:\windows\system32\lsasrv.dll
    2013-11-15 07:04:45   99840   ----a-w-   c:\windows\system32\sspicli.dll
    2013-11-15 07:04:45   220160   ----a-w-   c:\windows\system32\ncrypt.dll
    2013-11-15 07:04:44   22016   ----a-w-   c:\windows\system32\lsass.exe
    2013-11-15 07:04:43   22016   ----a-w-   c:\windows\system32\secur32.dll
    2013-11-15 07:04:43   15872   ----a-w-   c:\windows\system32\sspisrv.dll
    2013-11-15 07:03:52   305152   ----a-w-   c:\windows\system32\gdi32.dll
    2013-11-15 07:03:45   679424   ----a-w-   c:\windows\system32\IKEEXT.DLL
    2013-11-15 07:03:44   216576   ----a-w-   c:\windows\system32\FWPUCLNT.DLL
    2013-11-15 07:03:43   656896   ----a-w-   c:\windows\system32\nshwfp.dll
    2013-11-15 07:03:31   1168384   ----a-w-   c:\windows\system32\crypt32.dll
    2013-11-15 07:00:54   7796464   ----a-w-   c:\programdata\microsoft\windows defender\definition updates\{7b4cb518-7cbc-4dda-bbcd-2555709d48c4}\mpengine.dll
    .
    ==================== Find3M  ====================
    .
    2013-10-19 08:49:44   50053120   ----a-w-   c:\program files\GUT2DF4.tmp
    2013-09-17 13:17:38   49240   ----a-w-   c:\windows\system32\drivers\epfwwfp.sys
    2013-09-17 13:17:38   37416   ----a-w-   c:\windows\system32\drivers\EpfwLWF.sys
    2013-09-17 13:17:38   188808   ----a-w-   c:\windows\system32\drivers\eamonm.sys
    2013-09-17 13:17:38   174400   ----a-w-   c:\windows\system32\drivers\epfw.sys
    2013-09-17 13:17:38   134248   ----a-w-   c:\windows\system32\drivers\ehdrv.sys
    2013-09-14 00:48:58   338944   ----a-w-   c:\windows\system32\drivers\afd.sys
    2013-09-08 02:07:12   1294272   ----a-w-   c:\windows\system32\drivers\tcpip.sys
    2013-09-08 02:03:58   231424   ----a-w-   c:\windows\system32\mswsock.dll
    2013-09-03 11:35:12   238872   ------w-   c:\windows\system32\MpSigStub.exe
    2013-08-29 01:51:45   3969472   ----a-w-   c:\windows\system32\ntkrnlpa.exe
    2013-08-29 01:51:45   3914176   ----a-w-   c:\windows\system32\ntoskrnl.exe
    2013-08-29 01:50:30   1289096   ----a-w-   c:\windows\system32\ntdll.dll
    2013-08-29 01:50:16   619520   ----a-w-   c:\windows\system32\tdh.dll
    2013-08-29 01:48:17   640512   ----a-w-   c:\windows\system32\advapi32.dll
    2013-08-28 01:04:30   2348544   ----a-w-   c:\windows\system32\win32k.sys
    2013-08-28 00:57:20   434688   ----a-w-   c:\windows\system32\scavengeui.dll
    .
    =================== ROOTKIT  ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.1.7601 Disk: TOSHIBA_ rev.MH00 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: >>UNKNOWN [0x81A19000]<< >>UNKNOWN [0x86A10000]<< >>UNKNOWN [0x877C4000]<< >>UNKNOWN [0x868BA000]<< >>UNKNOWN [0x81E2C000]<< >>UNKNOWN [0x86B1F000]<<
    _asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL;  }
    1 ntkrnlpa!IofCallDriver[0x81A4FBBA] -> \Device\Harddisk0\DR0[0x8506D3E8]
    \Driver\Disk[0x8506C138] -> IRP_MJ_CREATE -> 0x86A1439F
    3 [0x86A1459E] -> ntkrnlpa!IofCallDriver[0x81A4FBBA] -> [0x8462C700]
    \Driver\ACPI[0x83979030] -> IRP_MJ_CREATE -> 0x868C34CC
    5 [0x868C33D4] -> ntkrnlpa!IofCallDriver[0x81A4FBBA] -> \Device\Ide\IAAStorageDevice-0[0x845FB028]
    \Driver\iaStor[0x84602CB8] -> IRP_MJ_CREATE -> 0x86B6392E
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV ES, AX; MOV DS, AX; MOV SI, SP; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; JMP FAR 0x0:0x660;  }
    user & kernel MBR OK
    copy of MBR has been found in sector 2 !
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 10:09:07.18 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Starter
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/31/2012 3:16:27 PM
    System Uptime: 11/19/2013 9:53:41 AM (1 hours ago)
    .
    Motherboard: Hewlett-Packard |  | 3660
    Processor: Intel(R) Atom(TM) CPU N450   @ 1.66GHz | CPU | 1666/667mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 286 GiB total, 211.471 GiB free.
    D: is FIXED (NTFS) - 12 GiB total, 1.934 GiB free.
    E: is FIXED (FAT32) - 0 GiB total, 0.091 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP198: 9/3/2013 11:03:44 AM - Windows Update
    RP199: 9/6/2013 1:40:11 PM - Windows Update
    RP200: 10/3/2013 4:07:01 PM - Windows Update
    RP201: 10/11/2013 7:57:33 PM - Windows Update
    RP202: 10/19/2013 11:07:02 AM - Windows Update
    RP203: 10/20/2013 5:22:56 PM - Windows Update
    RP204: 10/26/2013 9:43:12 AM - Windows Update
    RP205: 11/15/2013 8:59:17 AM - Windows Update
    RP206: 11/15/2013 9:32:08 AM - Removed Acrobat.com
    RP207: 11/15/2013 9:33:36 AM - Removed Adobe Reader 9.1 MUI.
    RP208: 11/15/2013 9:38:57 AM - Removed Java(TM) 6 Update 15
    RP210: 11/15/2013 9:41:12 AM - Windows Live Essentials
    RP211: 11/15/2013 9:42:00 AM - WLSetup
    RP212: 11/15/2013 9:52:00 AM - Installed ESET Smart Security
    RP213: 11/15/2013 10:11:29 AM - Windows Update
    RP214: 11/18/2013 2:54:47 PM - Windows Update
    RP215: 11/18/2013 9:42:28 PM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    ΜΑΤΖΕΝΤΑ - Αγγλικό-Ελληνικό-Αγγλικό λεξικό όρων ιατρικών επιστη
    ActiveCheck component for HP Active Support Library
    Adobe Flash Player 11 ActiveX
    Adobe Shockwave Player
    ArcSoft WebCam Companion 3
    Bing Bar
    Broadcom 802.11 Wireless LAN Adapter
    CyberLink DVD Suite
    ESET Smart Security
    ESU for Microsoft Windows 7
    Finale 2009
    Freecorder 5
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hewlett-Packard ACLM.NET v1.1.0.0
    HP CloudDrive
    HP Customer Experience Enhancements
    HP Games
    HP Integrated Module with Bluetooth wireless technology
    HP MediaStream
    HP Product Detection
    HP Quick Launch Buttons
    HP QuickSync
    HP QuickWeb
    HP Setup
    HP Support Assistant
    HP Update
    HP User Guides 0169
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    IDT Audio
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    K-Lite Codec Pack 7.6.0 (Full)
    Malwarebytes Anti-Malware version 1.75.0.1300
    MCShield ::Anti-Malware Tool::
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Oceanis Change Background Windows 7
    Power2Go
    QLBCASL
    Realtek Ethernet Controller Driver For Windows Vista and Later
    Realtek USB 2.0 Card Reader
    Recovery Manager
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597973) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760411) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760415) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2827326) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2827329) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2827324) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
    Security Update for Microsoft Office Outlook 2007 (KB2825644) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2827330) 32-Bit Edition
    Skype Toolbars
    Skype™ 6.0
    Synaptics Pointing Device Driver
    Times Reader
    Total Uninstall 5.2.0
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
    Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2825642) 32-Bit Edition
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VLC media player 1.1.11
    Windows Driver Package - Broadcom Bluetooth  (06/15/2009 6.2.0.9000)
    Windows Driver Package - Broadcom Bluetooth  (07/30/2009 6.2.0.9405)
    Windows Driver Package - Broadcom HIDClass  (07/28/2009 6.2.0.9800)
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Sync
    WinRAR 4.10 (32-bit)
    .
    ==== End Of File ===========================


    3. LICENSE WINDOWS 7 STARTER ON HP MINI

    I found it. I took off the back cover and it is in there.

Corrine

Hi, Panos.

Going back over your logs, note that TDSSKiller showed "user & kernel MBR OK".  When both the user & kernel MBR are OK, it is not considered an active MBR infection even if it indicates detected hooks/malicious code, which the log for your nephew's computer does not indicate.  TDSSKiller did not find any signs of TDL3 or TDL4, nor did ComboFix or aswMBR.  Both Dell and HP have a custom MBR for the recovery partition, which is likely why the MBR is identified as unknown.

The three files shown in TDSSKiller as "detected UnsignedFile.Multi.Generic" are all legitimate:
If you'd like to take it one step further, upload the MBR.dat [a copy of your MBR code created by aswMBR] here:  www.virustotal.com. 
The file is located here:  C:\Users\user\Desktop\MBR.dat



DR M

The file is located here:  C:\Users\user\Desktop\MBR.dat

I didn't understand which file this is, Corrine.

You mean the aswMBR log?

I don't know if it is something I deleted in my effort to make some space on the desktop. Nevertheless, I have all the logs in the usb stick.

DR M

Sorry I'm asking another stupid question: why does the computer have 4 partitions (volumes)?  :D

It has:

C (NTFS)
HP TOOLS E (FAT32)
RECOVERY D (NTFS)
SYSTEM (NTFS)

What if I deleted them, leaving only C?

Corrine

The file with the .dat extension, C:\Users\user\Desktop\MBR.dat. 

No, no, no!  Do not delete the partitions!!! 

C: is FIXED (NTFS) - 286 GiB total, 211.471 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 1.934 GiB free. = Recovery Partition
E: is FIXED (FAT32) - 0 GiB total, 0.091 GiB free. = HP Tools


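For readers who want to see what an analysis of a 512-byte MBR dump such as the MBR.dat mentioned above actually checks, here is an added example (not code from this thread, nor from aswMBR, DDS or Gmer): it splits the sector into boot code, partition table and signature, compares a user-mode read against a kernel-level read the way the "user & kernel MBR OK" verdict does, looks for a copy of the boot code in nearby sectors ("copy of MBR has been found in sector 2"), and hashes the boot code for a VirusTotal lookup. The disk image, sizes and boot bytes are constructed, and the four volume labels are assumptions drawn from the partition list in the thread (labels are stored in the filesystems, not in the MBR).

```python
"""Offline checks on a 512-byte MBR dump (e.g. aswMBR's MBR.dat). Added example, constructed data."""
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446                 # boot code is bytes 0..445, the partition table follows
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a valid MBR
PART_TYPES = {0x00: "empty", 0x07: "NTFS", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)"}


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into boot code, the four partition entries and the signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        partitions.append({
            "index": i,
            "bootable": status == 0x80,          # 0x80 = active, 0x00 = inactive
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "0x%02x" % ptype),
            "lba_start": lba,
            "sectors": count,
            "gib": count * SECTOR / 2**30,
        })
    boot_code = sector[:PT_OFFSET]
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),  # hash to look up on VirusTotal
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_reads(user_read: bytes, kernel_read: bytes) -> list:
    """Regions where a user-mode read of sector 0 disagrees with the kernel-level read.

    A bootkit that filters disk I/O can hand a clean sector to ordinary readers
    while the sector really on disk differs; an empty list is what the detector
    in the thread reports as "user & kernel MBR OK".
    """
    regions = {"boot_code": (0, PT_OFFSET), "partition_table": (PT_OFFSET, 510), "signature": (510, 512)}
    return [name for name, (a, b) in regions.items() if user_read[a:b] != kernel_read[a:b]]


def find_boot_code_copies(disk: bytes, max_sectors: int = 64) -> list:
    """Sector numbers (1..max_sectors-1) whose boot code equals sector 0's.

    This is the detector's "copy of MBR has been found in sector N": bootkits
    often stash the original MBR in an unused sector, but OEM recovery tooling
    can leave a copy there too, so a hit is a lead to investigate, not proof.
    """
    mbr_code = disk[:PT_OFFSET]
    limit = min(max_sectors, len(disk) // SECTOR)
    return [n for n in range(1, limit) if disk[n * SECTOR:n * SECTOR + PT_OFFSET] == mbr_code]


# Constructed layout mirroring the four volumes discussed in the thread.
# (label, status, type, LBA start, sector count); labels are only used for printing.
LAYOUT = [
    ("SYSTEM",   0x80, 0x07, 2048,      204800),      # 100 MiB, active
    ("C:",       0x00, 0x07, 206848,    599785472),   # 286 GiB
    ("RECOVERY", 0x00, 0x07, 599992320, 25165824),    # 12 GiB
    ("HP TOOLS", 0x00, 0x0C, 625158144, 204800),      # 100 MiB FAT32
]


def build_sample_disk() -> bytes:
    """Constructed 64-sector image: sample MBR in sector 0 and a copy of it in sector 2."""
    # First bytes mimic the usual prologue (xor ax,ax; mov ss,ax; mov sp,7c00h; sti); rest is NOPs.
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * (PT_OFFSET - 8)
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\xfe\xff\xff", t, b"\xfe\xff\xff", lba, n)
                     for _, st, t, lba, n in LAYOUT)
    mbr = boot_code + table + BOOT_SIGNATURE
    disk = bytearray(SECTOR * 64)
    disk[0:SECTOR] = mbr
    disk[2 * SECTOR:3 * SECTOR] = mbr     # the backup copy the detector would report in sector 2
    return bytes(disk)


if __name__ == "__main__":
    disk = build_sample_disk()
    info = parse_mbr(disk[:SECTOR])
    for label, p in zip([row[0] for row in LAYOUT], info["partitions"]):
        print("%-9s %-12s start=%-10d %.3f GiB%s" % (
            label, p["type_name"], p["lba_start"], p["gib"], " (active)" if p["bootable"] else ""))
    print("signature ok:", info["signature_ok"])
    print("boot code sha256:", info["boot_code_sha256"])
    print("user/kernel differences:", compare_reads(disk[:SECTOR], disk[:SECTOR]))
    print("MBR copies in sectors:", find_boot_code_copies(disk))
```

To run it against a real dump, read the 512 bytes of MBR.dat into `parse_mbr` instead of the constructed image; the sector-2 scan needs a raw read of the first sectors of the disk, which aswMBR's dump alone does not contain.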