
Author Topic: West Yorkshire Police Virus  (Read 11844 times)


Stuck Noob

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Unknown
    West Yorkshire Police Virus
    « on: August 29, 2012, 12:03:25 PM »
    Hi!

    We've got a laptop that's running Vista that has picked up a virus. There's a pop up stating it's from 'West Yorkshire Police' which covers the whole screen stating that the computer has been locked for illegal downloads and that we have to pay £100 to some moody pay site.

    I can access safe mode, but there doesn't seem to be a system restore point? I've run Spybot Search & Destroy, Malwarebytes and HouseCall through it and it's still there when I reboot the machine. Any ideas please?

    Thanks in advance  :)

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: West Yorkshire Police Virus
    « Reply #1 on: August 29, 2012, 12:10:36 PM »
    Hi there!

    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell?
     
    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

      • Select Command Prompt
      • In the command window type in notepad and press Enter.
      • The notepad opens. Under File menu select Open.
      • Select "Computer" and find your flash drive letter and close the notepad.
      • In the command window type e:\frst.exe and press Enter.
        Note: Replace letter e with the drive letter of your flash drive.
      • The tool will start to run.
      • When the tool opens click Yes to the disclaimer.
      • Place a check next to List Drivers MD5 as well as the default check marks that are already there
      • Press Scan button. It will do its scan and save a log on your flash drive.
      • Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:

        When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
      • Type exit in the Command Prompt window and reboot the computer normally
      • FRST will make a log (FRST.txt) on the flash drive and also the Search.txt logfile; please copy and paste the logs in your reply.
      ~Dr Jay

      Stuck Noob

        Re: West Yorkshire Police Virus
        « Reply #2 on: August 29, 2012, 01:41:59 PM »
        Hi, thanks for your help so far!

        Logs on my flash drive are as follows:

        Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 29-08-2012 03
        Ran by SYSTEM at 29-08-2012 20:27:12
        Running from E:\
        Windows Vista (TM) Home Premium  Service Pack 1 (X86) OS Language: English(US)
        The current controlset is ControlSet001

        ==================== Registry (Whitelisted) ===================

        HKLM\...\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" [1243088 2009-11-18] (PC Tools)
        HKLM\...\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter

        HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
        HKLM\...\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe [2339168 2012-01-17] (AVG Technologies CZ, s.r.o.)
        HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
        HKLM\...\Run: [Anvi Smart Defender] C:\Program Files\Anvisoft\Anvi Smart Defender\ASDTray.exe [1229104 2012-08-23] (Anvisoft)
        HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
        HKU\Default\...\RunOnce: [BurnImage] regsvr32 /s c:\windows\IMAPIShellExt.dll [720896 2008-08-28] (Dell Inc)
        HKU\Default User\...\RunOnce: [BurnImage] regsvr32 /s c:\windows\IMAPIShellExt.dll [720896 2008-08-28] (Dell Inc)
        HKU\Gemma\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
        HKU\Gemma\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
        HKU\Gemma\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2006-11-02] (Microsoft Corporation)
        HKU\Gemma\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
        HKU\Gemma\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
        HKU\Gemma\...\Run: [WindowsCodecsExt] C:\Users\Gemma\AppData\Local\Microsoft\Windows\228\WindowsCodecsExt.exe [75264 2012-08-27] ()
        Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll [X]
        Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
        Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
        ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
        Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
        ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

        ========================== Services (Whitelisted) ========================

        2 asdsrv; C:\Program Files\Anvisoft\Anvi Smart Defender\ASDSrv.exe [686896 2012-08-23] (Anvisoft)
        2 AVGIDSAgent; "C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" [7391072 2012-01-31] (AVG Technologies CZ, s.r.o.)
        2 avgwd; "C:\Program Files\AVG\AVG10\avgwdsvc.exe" [269520 2011-02-07] (AVG Technologies CZ, s.r.o.)
        2 Browser Defender Update Service; "C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe" [112592 2010-01-21] (Threat Expert Ltd.)
        2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [161048 2008-04-28] (Stardock Corporation)
        2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
        3 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
        2 sdAuxService; C:\Program Files\Spyware Doctor\pctsAuxs.exe [359624 2009-10-30] (PC Tools)
        2 sdCoreService; C:\Program Files\Spyware Doctor\pctsSvc.exe [1141712 2009-11-06] (PC Tools)
        2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter


        ==================== Drivers (Whitelisted) ===================

        3 alcan5wn; C:\Windows\System32\DRIVERS\alcan5wn.sys [53600 2003-12-08] (THOMSON)
        3 alcaudsl; C:\Windows\System32\DRIVERS\alcaudsl.sys [70688 2003-12-08] (THOMSON)
        1 asdrm; C:\Windows\System32\DRIVERS\asdrm.sys [16208 2012-08-20] (Anvisoft)
        2 asdrs; \??\C:\Windows\system32\DRIVERS\asdrs.sys [22864 2012-08-20] (Anvisoft)
        2 asdws; \??\C:\Windows\system32\DRIVERS\asdws.sys [14160 2012-08-20] ()
        3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [134480 2011-05-27] (AVG Technologies CZ, s.r.o. )
        0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [22992 2011-02-21] (AVG Technologies CZ, s.r.o. )
        3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [24144 2011-02-09] (AVG Technologies CZ, s.r.o. )
        3 AVGIDSShim; C:\Windows\System32\DRIVERS\AVGIDSShim.Sys [28624 2011-02-09] (AVG Technologies CZ, s.r.o. )
        1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [248656 2011-01-06] (AVG Technologies CZ, s.r.o.)
        1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [34896 2011-03-01] (AVG Technologies CZ, s.r.o.)
        0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-03-16] (AVG Technologies CZ, s.r.o.)
        1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [297168 2011-04-04] (AVG Technologies CZ, s.r.o.)
        3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)
        0 PCTCore; C:\Windows\System32\drivers\PCTCore.sys [207792 2009-11-09] (PC Tools)
        3 s1018bus; C:\Windows\System32\DRIVERS\s1018bus.sys [86824 2009-03-25] (MCCI Corporation)
        3 s1018mdfl; C:\Windows\System32\DRIVERS\s1018mdfl.sys [15016 2009-03-25] (MCCI Corporation)
        3 s1018mdm; C:\Windows\System32\DRIVERS\s1018mdm.sys [114728 2009-03-25] (MCCI Corporation)
        3 s1018mgmt; C:\Windows\System32\DRIVERS\s1018mgmt.sys [106208 2009-03-25] (MCCI Corporation)
        3 s1018nd5; C:\Windows\System32\DRIVERS\s1018nd5.sys [26024 2009-03-25] (MCCI Corporation)
        3 s1018obex; C:\Windows\System32\DRIVERS\s1018obex.sys [104744 2009-03-25] (MCCI Corporation)
        3 s1018unic; C:\Windows\System32\DRIVERS\s1018unic.sys [109864 2009-03-25] (MCCI Corporation)
        3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys

        3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys

        3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS

        3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS

        3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys

        3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys

        3 PCDSRVC{E9D79540-57D5953E-06020101}_0; \??\c:\program files\dell support center\pcdsrvc.pkms

        3 SymIMMP; C:\Windows\System32\DRIVERS\SymIM.sys


        ==================== NetSvcs (Whitelisted) =================


        ============ One Month Created Files and Folders ==============

        2012-08-29 20:26 - 2012-08-29 20:26 - 00000000 ____D C:\FRST
        2012-08-28 15:09 - 2012-08-28 15:10 - 00000000 ____D C:\Users\Gemma\AppData\Roaming\hellomoto
        2012-08-28 11:42 - 2012-08-28 11:42 - 06954184 ____A C:\Users\Gemma\Downloads\spybotsd_includes.exe
        2012-08-28 11:17 - 2012-08-28 11:17 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
        2012-08-28 11:15 - 2012-08-28 11:15 - 10652120 ____A (Malwarebytes Corporation                                    ) C:\Users\Gemma\Downloads\mbam-setup-1.62.0.1300.exe
        2012-08-28 09:56 - 2012-08-28 10:25 - 00001458 ____A C:\Windows\System32\avgrep.txt
        2012-08-28 07:11 - 2012-08-28 07:11 - 00000979 ____A C:\Users\Public\Desktop\Anvi Smart Defender.lnk
        2012-08-28 07:11 - 2012-08-28 07:11 - 00000000 ____D C:\Users\Gemma\AppData\Roaming\Anvisoft
        2012-08-28 07:11 - 2012-08-28 07:11 - 00000000 ____D C:\Users\All Users\Anvisoft
        2012-08-28 07:11 - 2012-08-28 07:11 - 00000000 ____D C:\Program Files\Anvisoft
        2012-08-28 07:11 - 2012-08-20 01:23 - 00022864 ____A (Anvisoft) C:\Windows\System32\Drivers\asdrs.sys
        2012-08-28 07:11 - 2012-08-20 01:23 - 00016208 ____A (Anvisoft) C:\Windows\System32\Drivers\asdrm.sys
        2012-08-28 07:11 - 2012-08-20 01:23 - 00014160 ____A C:\Windows\System32\Drivers\asdws.sys
        2012-08-28 07:08 - 2012-08-28 07:08 - 16680192 ____A C:\Users\Gemma\Downloads\asdsetup_16.exe
        2012-08-28 07:01 - 2012-08-28 07:01 - 02002944 ____A (Trend Micro Inc.) C:\Users\Gemma\Downloads\HousecallLauncher(9).exe
        2012-08-28 01:18 - 2012-08-28 01:19 - 00000000 ____D C:\Users\Gemma\AppData\Local\{94447B95-2C31-450D-9891-0A31668D3720}
        2012-08-18 13:55 - 2012-08-18 13:56 - 00000000 ____D C:\Users\Gemma\AppData\Local\{D06149FA-5C31-4A05-99A9-E589DEF82FF1}
        2012-08-18 13:55 - 2012-08-18 13:55 - 00000000 ____D C:\Users\Gemma\AppData\Local\{A6A552F1-E76C-45AB-858C-F45E67BE5CC3}
        2012-08-17 14:20 - 2012-08-17 14:20 - 00000000 ____D C:\Users\Gemma\AppData\Local\{91E5961A-2EC3-4DD7-99C6-0481718275CC}
        2012-08-17 14:03 - 2012-06-28 16:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
        2012-08-17 14:03 - 2012-06-28 16:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
        2012-08-17 14:03 - 2012-06-28 16:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
        2012-08-17 14:03 - 2012-06-28 16:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
        2012-08-17 14:03 - 2012-06-28 15:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
        2012-08-17 14:02 - 2012-06-28 16:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
        2012-08-17 14:02 - 2012-06-28 16:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
        2012-08-17 14:02 - 2012-06-28 16:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
        2012-08-17 14:02 - 2012-06-28 16:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
        2012-08-17 14:02 - 2012-06-28 16:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
        2012-08-17 14:02 - 2012-06-28 16:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
        2012-08-17 14:02 - 2012-06-28 16:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
        2012-08-17 14:02 - 2012-06-28 16:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
        2012-08-17 14:02 - 2012-06-28 16:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
        2012-08-17 14:01 - 2012-07-04 06:02 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
        2012-08-15 11:49 - 2012-06-29 08:01 - 00467968 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
        2012-08-15 11:49 - 2012-05-11 07:57 - 00623616 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll

        ============ 3 Months Modified Files ========================

        2012-08-29 11:00 - 2006-11-02 02:33 - 00706628 ____A C:\Windows\System32\PerfStringBackup.INI
        2012-08-29 10:59 - 2009-11-22 04:01 - 00001356 ____A C:\Users\Gemma\AppData\Local\d3d9caps.dat
        2012-08-28 22:16 - 2012-06-22 13:02 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
        2012-08-28 22:16 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
        2012-08-28 22:16 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
        2012-08-28 15:11 - 2008-08-26 11:04 - 01665058 ____A C:\Windows\WindowsUpdate.log
        2012-08-28 15:06 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
        2012-08-28 14:58 - 2006-11-02 05:01 - 00032536 ____A C:\Windows\Tasks\SCHEDLGU.TXT
        2012-08-28 11:42 - 2012-08-28 11:42 - 06954184 ____A C:\Users\Gemma\Downloads\spybotsd_includes.exe
        2012-08-28 11:17 - 2012-08-28 11:17 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
        2012-08-28 11:15 - 2012-08-28 11:15 - 10652120 ____A (Malwarebytes Corporation                                    ) C:\Users\Gemma\Downloads\mbam-setup-1.62.0.1300.exe
        2012-08-28 10:25 - 2012-08-28 09:56 - 00001458 ____A C:\Windows\System32\avgrep.txt
        2012-08-28 07:11 - 2012-08-28 07:11 - 00000979 ____A C:\Users\Public\Desktop\Anvi Smart Defender.lnk
        2012-08-28 07:10 - 2012-02-17 12:27 - 00326277 ____A C:\Users\Gemma\AppData\Local\census.cache
        2012-08-28 07:10 - 2012-02-17 11:37 - 00185002 ____A C:\Users\Gemma\AppData\Local\ars.cache
        2012-08-28 07:08 - 2012-08-28 07:08 - 16680192 ____A C:\Users\Gemma\Downloads\asdsetup_16.exe
        2012-08-28 07:01 - 2012-08-28 07:01 - 02002944 ____A (Trend Micro Inc.) C:\Users\Gemma\Downloads\HousecallLauncher(9).exe
        2012-08-28 01:13 - 2008-01-20 18:47 - 00144932 ____A C:\Windows\PFRO.log
        2012-08-27 16:02 - 2010-06-14 13:12 - 00000402 ___AH C:\Windows\Tasks\Norton Security Scan for Gemma.job
        2012-08-24 15:34 - 2008-09-15 11:47 - 00091648 ____A C:\Users\Gemma\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
        2012-08-20 01:23 - 2012-08-28 07:11 - 00022864 ____A (Anvisoft) C:\Windows\System32\Drivers\asdrs.sys
        2012-08-20 01:23 - 2012-08-28 07:11 - 00016208 ____A (Anvisoft) C:\Windows\System32\Drivers\asdrm.sys
        2012-08-20 01:23 - 2012-08-28 07:11 - 00014160 ____A C:\Windows\System32\Drivers\asdws.sys
        2012-08-17 14:15 - 2006-11-02 04:47 - 00381896 ____A C:\Windows\System32\FNTCACHE.DAT
        2012-08-17 14:04 - 2006-11-02 02:24 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
        2012-08-14 10:52 - 2012-06-22 13:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
        2012-08-14 10:52 - 2011-05-15 08:32 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
        2012-07-12 12:26 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
        2012-07-07 09:48 - 2011-12-18 04:07 - 00013404 ____A C:\Users\Gemma\Desktop\Ebay.xlsx
        2012-07-07 09:32 - 2012-07-07 09:32 - 00812368 ____A (PortableApps.com) C:\Users\Gemma\Downloads\SkypePortable_5.10.0.115_online.paf.exe
        2012-07-07 09:22 - 2012-07-07 09:22 - 00946352 ____A (Skype Technologies S.A.) C:\Users\Gemma\Downloads\SkypeSetup(1).exe
        2012-07-04 06:02 - 2012-08-17 14:01 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
        2012-07-03 04:46 - 2011-05-14 10:41 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
        2012-06-29 08:01 - 2012-08-15 11:49 - 00467968 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
        2012-06-28 16:52 - 2012-08-17 14:02 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
        2012-06-28 16:27 - 2012-08-17 14:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
        2012-06-28 16:16 - 2012-08-17 14:02 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
        2012-06-28 16:09 - 2012-08-17 14:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
        2012-06-28 16:09 - 2012-08-17 14:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
        2012-06-28 16:08 - 2012-08-17 14:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
        2012-06-28 16:07 - 2012-08-17 14:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
        2012-06-28 16:06 - 2012-08-17 14:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
        2012-06-28 16:04 - 2012-08-17 14:03 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
        2012-06-28 16:04 - 2012-08-17 14:02 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
        2012-06-28 16:01 - 2012-08-17 14:03 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
        2012-06-28 16:01 - 2012-08-17 14:03 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
        2012-06-28 16:00 - 2012-08-17 14:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
        2012-06-28 15:57 - 2012-08-17 14:03 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
        2012-06-15 10:09 - 2012-06-15 10:09 - 02002320 ____A (Trend Micro Inc.) C:\Users\Gemma\Downloads\HousecallLauncher(8).exe
        2012-06-08 09:47 - 2012-07-10 16:06 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
        2012-06-06 11:59 - 2012-06-06 11:59 - 01070152 ____A (Microsoft Corporation) C:\Windows\System32\MSCOMCTL.OCX
        2012-06-05 08:47 - 2012-07-10 16:06 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
        2012-06-05 08:47 - 2012-07-10 16:06 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
        2012-06-04 07:26 - 2012-07-10 16:06 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
        2012-06-02 14:19 - 2012-06-21 11:34 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
        2012-06-02 14:19 - 2012-06-21 11:34 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
        2012-06-02 14:19 - 2012-06-21 11:34 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
        2012-06-02 14:19 - 2012-06-21 11:34 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
        2012-06-02 14:19 - 2012-06-21 11:34 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
        2012-06-02 14:12 - 2012-06-21 11:34 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
        2012-06-02 14:12 - 2012-06-21 11:34 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
        2012-06-02 06:19 - 2012-06-21 11:33 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
        2012-06-02 06:12 - 2012-06-21 11:33 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
        2012-06-01 16:04 - 2012-07-10 16:06 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
        2012-06-01 16:03 - 2012-07-10 16:06 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
        2012-06-01 01:53 - 2006-11-02 04:52 - 00104975 ____A C:\Windows\setupact.log

        ==================== Known DLLs (Whitelisted) =================


        ==================== Bamital & volsnap Check =================

        C:\Windows\explorer.exe => MD5 is legit
        C:\Windows\System32\winlogon.exe => MD5 is legit
        C:\Windows\System32\wininit.exe => MD5 is legit
        C:\Windows\System32\svchost.exe => MD5 is legit
        C:\Windows\System32\services.exe => MD5 is legit
        C:\Windows\System32\User32.dll => MD5 is legit
        C:\Windows\System32\userinit.exe => MD5 is legit
        C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

        ==================== EXE ASSOCIATION =====================

        HKLM\...\.exe: exefile => OK
        HKLM\...\exefile\DefaultIcon: %1 => OK
        HKLM\...\exefile\open\command: "%1" %* => OK

        ==================== Restore Points  =========================


        ==================== Memory info ===========================

        Percentage of memory in use: 17%
        Total physical RAM: 2037.31 MB
        Available physical RAM: 1683.78 MB
        Total Pagefile: 1970.94 MB
        Available Pagefile: 1846.59 MB
        Total Virtual: 2047.88 MB
        Available Virtual: 1975.56 MB

        ==================== Partitions ============================

        1 Drive c: (OS) (Fixed) (Total:99.19 GB) (Free:59.52 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
        3 Drive e: () (Removable) (Total:0.94 GB) (Free:0.94 GB) FAT32
        4 Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:5.15 GB) NTFS

          Disk ###  Status      Size     Free     Dyn  Gpt
          --------  ----------  -------  -------  ---  ---
          Disk 0    Online       112 GB      0 B         
          Disk 1    Online       965 MB      0 B         

        Partitions of Disk 0:
        ===============

          Partition ###  Type              Size     Offset
          -------------  ----------------  -------  -------
          Partition 1    OEM                102 MB    32 KB
          Partition 2    Primary             10 GB   102 MB
          Partition 3    Primary             99 GB    10 GB
          Partition 0    Extended          2560 MB   109 GB
          Partition 4    Logical           2559 MB   109 GB

        ==================================================================================

        Disk: 0
        Partition 1
        Type  : DE
        Hidden: Yes
        Active: No

          Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
          ----------  ---  -----------  -----  ----------  -------  ---------  --------
        * Volume 4                      FAT    Partition    102 MB  Healthy    Hidden 

        ==================================================================================

        Disk: 0
        Partition 2
        Type  : 07
        Hidden: No
        Active: No

          Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
          ----------  ---  -----------  -----  ----------  -------  ---------  --------
        * Volume 1     X   RECOVERY     NTFS   Partition     10 GB  Healthy    Boot   

        ==================================================================================

        Disk: 0
        Partition 3
        Type  : 07
        Hidden: No
        Active: Yes

          Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
          ----------  ---  -----------  -----  ----------  -------  ---------  --------
        * Volume 2     C   OS           NTFS   Partition     99 GB  Healthy           

        ==================================================================================

        Disk: 0
        Partition 4
        Type  : DD
        Hidden: Yes
        Active: No

        There is no volume associated with this partition.

        ==================================================================================

        Partitions of Disk 1:
        ===============

          Partition ###  Type              Size     Offset
          -------------  ----------------  -------  -------
          Partition 1    Primary            965 MB    16 KB

        ==================================================================================

        Disk: 1
        Partition 1
        Type  : 0B
        Hidden: No
        Active: Yes

          Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
          ----------  ---  -----------  -----  ----------  -------  ---------  --------
        * Volume 3     E                FAT32  Removable    965 MB  Healthy           

        ==================================================================================

        Last Boot: 2012-08-28 15:13

        ==================== End Of Log =============================

        Where would I find the other data log? I've searched on the laptop and can't find it.
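In the thread the FRST log above is read by eye. As an added example (not part of the original thread and not FRST's own code), the following Python script applies three defender-side heuristics to the Run/RunOnce lines of such a log: executable under a user-writable path, an empty publisher field ("()"), and a file creation date close to the scan date. The sample input is constructed from lines quoted from the log above; the weights, the 7-day window and the threshold are assumptions chosen for the example.

```python
"""Triage the Run/RunOnce lines of an FRST "Registry (Whitelisted)" section.

Three weighted, defender-side heuristics rank the autostart entries for an analyst
to inspect; nothing here declares a file malicious on its own.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input: the "Ran by" header plus Run/RunOnce lines copied
# from the FRST log posted in this thread.
SAMPLE_LOG = r"""Ran by SYSTEM at 29-08-2012 20:27:12
HKLM\...\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" [1243088 2009-11-18] (PC Tools)
HKLM\...\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM\...\Run: [Anvi Smart Defender] C:\Program Files\Anvisoft\Anvi Smart Defender\ASDTray.exe [1229104 2012-08-23] (Anvisoft)
HKU\Default User\...\RunOnce: [BurnImage] regsvr32 /s c:\windows\IMAPIShellExt.dll [720896 2008-08-28] (Dell Inc)
HKU\Gemma\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2006-11-02] (Microsoft Corporation)
HKU\Gemma\...\Run: [WindowsCodecsExt] C:\Users\Gemma\AppData\Local\Microsoft\Windows\228\WindowsCodecsExt.exe [75264 2012-08-27] ()
"""

# Line shape: HKU\Gemma\...\Run: [Name] <command> [<size> <yyyy-mm-dd>] (<publisher>)
# The trailing "[size date] (publisher)" block is optional: FRST omits it when it
# could not resolve the command to a file (see the dellsupportcenter line).
RUN_RE = re.compile(
    r"^(?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\.\\(?P<key>RunOnce|Run): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>[^)]*)\))?$"
)
# First Windows path to an executable-like file inside the command string.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|cpl|scr|bat|cmd)\b", re.IGNORECASE)
SCAN_RE = re.compile(r"^Ran by \S+ at (\d{2}-\d{2}-\d{4}) ")

# Directory markers an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\$recycle.bin\\")
# Weights, window and threshold are assumptions chosen for this example, not FRST settings.
WEIGHTS = {"user_writable_path": 3, "empty_publisher": 2, "recently_created": 1}
RECENT_DAYS = 7
THRESHOLD = 3


def parse_run_entries(log_text):
    """Return (scan_date, entries): one dict per Run/RunOnce line."""
    scan_date, entries = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SCAN_RE.match(line)
        if m:
            scan_date = datetime.strptime(m.group(1), "%d-%m-%Y").date()
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        p = PATH_RE.search(m.group("cmd"))
        entries.append({
            "hive": m.group("hive"),
            "key": m.group("key"),
            "name": m.group("name"),
            "path": p.group(0) if p else None,
            "created": datetime.strptime(m.group("date"), "%Y-%m-%d").date() if m.group("date") else None,
            # None: FRST printed no metadata block; "": block present but company name empty.
            "publisher": m.group("pub"),
        })
    return scan_date, entries


def triage(scan_date, entry):
    """Score one entry against the heuristics; returns (score, [reasons])."""
    reasons = []
    path = (entry["path"] or "").lower()
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("user_writable_path")
    if entry["publisher"] == "":
        reasons.append("empty_publisher")
    if scan_date and entry["created"] and scan_date - entry["created"] <= timedelta(days=RECENT_DAYS):
        reasons.append("recently_created")
    return sum(WEIGHTS[r] for r in reasons), reasons


def suspicious_entries(log_text, threshold=THRESHOLD):
    """Entries at or above threshold, highest score first: (name, score, reasons, path)."""
    scan_date, entries = parse_run_entries(log_text)
    flagged = []
    for e in entries:
        score, reasons = triage(scan_date, e)
        if score >= threshold:
            flagged.append((e["name"], score, reasons, e["path"]))
    return sorted(flagged, key=lambda f: -f[1])


if __name__ == "__main__":
    for name, score, reasons, path in suspicious_entries(SAMPLE_LOG):
        print(f"{score} {name}: {path} ({', '.join(reasons)})")
```

On the sample, only the entry living under AppData\Local with an empty publisher and a creation date two days before the scan crosses the threshold; everything under Program Files or System32 scores 2 or less, so an analyst's attention goes to one line rather than eighteen.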

        Dr Jay

        Re: West Yorkshire Police Virus
        « Reply #3 on: August 30, 2012, 02:03:25 AM »
        That's okay. Let's go to Safe Mode with Networking...

        ComboFix
         
        Please download ComboFix by sUBs
        From BleepingComputer.com
         
        Please save the file to your Desktop, but rename it first to svchost.exe
         
        Important information about ComboFix
         
        Before the download:
        • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
        • It is important to rename ComboFix before the download.
        • Please do not rename ComboFix to other names, but only the one indicated.
        After the download:
        • Close any open browsers.
        • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
        • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
        • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
        • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
        Running ComboFix:
        • Double click on svchost.exe & follow the prompts.
        • It will attempt to install the Recovery Console:
        • When ComboFix finishes, it will produce a report for you.
        • Please post the "C:\Combo-Fix.txt" in your next reply.
        Troubleshooting ComboFix
         
        Safe Mode:
         
        If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.
         
        (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")
         
        Re-downloading:
         
        If this doesn't work either, try the same method as above, but download it again, this time naming ComboFix.exe iexplore.exe, explorer.exe, or winlogon.exe.
         
        Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe, winlogon.exe.


        NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
        ~Dr Jay

        Stuck Noob

          Re: West Yorkshire Police Virus
          « Reply #4 on: August 31, 2012, 03:34:26 AM »
          Hi and thanks again, I have the following :)

          ComboFix 12-08-30.05 - Gemma 31/08/2012  10:22:06.1.1 - x86 NETWORK
          Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2037.1433 [GMT 1:00]
          Running from: c:\users\Gemma\Desktop\svchost.exe.exe
          SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
           * Created a new restore point
          .
          .
          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          c:\users\Gemma\AppData\Local\{42545D07-923E-4CDB-922B-2BB467D52D64}
          c:\users\Gemma\AppData\Local\{42545D07-923E-4CDB-922B-2BB467D52D64}\chrome.manifest
          c:\users\Gemma\AppData\Local\{42545D07-923E-4CDB-922B-2BB467D52D64}\chrome\content\_cfg.js
          c:\users\Gemma\AppData\Local\{42545D07-923E-4CDB-922B-2BB467D52D64}\chrome\content\overlay.xul
          c:\users\Gemma\AppData\Local\{42545D07-923E-4CDB-922B-2BB467D52D64}\install.rdf
          c:\users\Gemma\AppData\Local\qrly
          c:\users\Gemma\AppData\Roaming\6E3C.CA9
          c:\users\Gemma\AppData\Roaming\Adobe\plugs
          c:\users\Gemma\AppData\Roaming\Adobe\shed
          .
          .
          (((((((((((((((((((((((((   Files Created from 2012-07-28 to 2012-08-31  )))))))))))))))))))))))))))))))
          .
          .
          2012-08-31 09:28 . 2012-08-31 09:28   --------   d-----w-   c:\users\Default\AppData\Local\temp
          2012-08-31 09:28 . 2012-08-31 09:28   --------   d-----w-   c:\users\Gemma\AppData\Local\temp
          2012-08-30 04:26 . 2012-08-30 04:26   --------   d-----w-   C:\FRST
          2012-08-28 23:09 . 2012-08-28 23:10   --------   d-----w-   c:\users\Gemma\AppData\Roaming\hellomoto
          2012-08-28 16:41 . 2012-08-28 16:41   --------   d-----w-   C:\Temp
          2012-08-28 15:11 . 2012-08-31 08:36   --------   d-----w-   c:\users\Gemma\AppData\Roaming\Anvisoft
          2012-08-28 15:11 . 2012-08-28 15:11   --------   d-----w-   c:\programdata\Anvisoft
          2012-08-28 15:11 . 2012-08-28 15:11   --------   d-----w-   c:\program files\Anvisoft
          2012-08-17 22:03 . 2012-06-29 01:00   140920   ----a-w-   c:\program files\Internet Explorer\sqmapi.dll
          2012-08-17 22:03 . 2012-06-29 00:00   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
          2012-08-17 22:03 . 2012-06-29 00:06   194560   ----a-w-   c:\program files\Internet Explorer\ieproxy.dll
          2012-08-17 22:03 . 2012-06-29 00:06   194048   ----a-w-   c:\program files\Internet Explorer\IEShims.dll
          2012-08-17 22:03 . 2012-06-29 00:04   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
          2012-08-17 22:02 . 2012-06-29 00:16   1800704   ----a-w-   c:\windows\system32\jscript9.dll
          2012-08-17 22:02 . 2012-06-29 00:09   1129472   ----a-w-   c:\windows\system32\wininet.dll
          2012-08-17 22:02 . 2012-06-29 01:00   748664   ----a-w-   c:\program files\Internet Explorer\iexplore.exe
          2012-08-17 22:02 . 2012-06-29 00:10   678912   ----a-w-   c:\program files\Internet Explorer\iedvtool.dll
          2012-08-17 22:02 . 2012-06-29 00:10   387584   ----a-w-   c:\program files\Internet Explorer\jsdbgui.dll
          2012-08-17 22:02 . 2012-06-29 00:08   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
          2012-08-17 22:01 . 2012-07-04 14:02   2047488   ----a-w-   c:\windows\system32\win32k.sys
          2012-08-15 19:49 . 2012-05-11 15:57   623616   ----a-w-   c:\windows\system32\localspl.dll
          .
          .
          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2012-08-14 18:52 . 2012-06-22 21:02   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
          2012-08-14 18:52 . 2011-05-15 16:32   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
          2012-07-03 12:46 . 2011-05-14 18:41   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2012-06-06 19:59 . 2012-06-06 19:59   1070152   ----a-w-   c:\windows\system32\MSCOMCTL.OCX
          2012-06-05 16:47 . 2012-07-11 00:06   1401856   ----a-w-   c:\windows\system32\msxml6.dll
          2012-06-05 16:47 . 2012-07-11 00:06   1248768   ----a-w-   c:\windows\system32\msxml3.dll
          2012-06-04 15:26 . 2012-07-11 00:06   440704   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
          2012-06-02 22:19 . 2012-06-21 19:34   53784   ----a-w-   c:\windows\system32\wuauclt.exe
          2012-06-02 22:19 . 2012-06-21 19:34   45080   ----a-w-   c:\windows\system32\wups2.dll
          2012-06-02 22:19 . 2012-06-21 19:34   35864   ----a-w-   c:\windows\system32\wups.dll
          2012-06-02 22:19 . 2012-06-21 19:34   577048   ----a-w-   c:\windows\system32\wuapi.dll
          2012-06-02 22:19 . 2012-06-21 19:34   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
          2012-06-02 22:12 . 2012-06-21 19:34   2422272   ----a-w-   c:\windows\system32\wucltux.dll
          2012-06-02 22:12 . 2012-06-21 19:34   88576   ----a-w-   c:\windows\system32\wudriver.dll
          2012-06-02 14:19 . 2012-06-21 19:33   171904   ----a-w-   c:\windows\system32\wuwebv.dll
          2012-06-02 14:12 . 2012-06-21 19:33   33792   ----a-w-   c:\windows\system32\wuapp.exe
          2012-07-18 20:15 . 2011-05-28 22:48   136672   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
          .
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4
          .
          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
          "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
          "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
          "WindowsCodecsExt"="c:\users\Gemma\AppData\Local\Microsoft\Windows\228\WindowsCodecsExt.exe" [2012-08-28 75264]
          .
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
          "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
          "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
          .
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
          "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtU
          VREQ0gtNElKTUg&inst=NzctNjI0MDU1MjQ0LVRUKzEtVDUtVUNBTEwrMS1TVDErMi1
          GUDkyKzYtQkFSOU8rMS1GTCs5LVhPMzYrMS1GOU 0xMEErMi1GOU0yKzEtRkwxMCsxLVhPMTArMTEtT ElDKzItRERUKzU4ODg5LUREMTBGKzEtU1
          QxMEZBUFArMS1GMTBNMTJUQSsxLVUxMCsxLVZJU DEyKzEtRjEwTTEyUisxLUYxME0xMlIyKzEtQ0lE MTArMS1DSUQrMTA&prod=90&ver=10.0.1424" [?]
          .
          c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
          Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
          "EnableUIADesktopToggle"= 0 (0x0)
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
          2010-10-13 18:09   16680   ----a-w-   c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
          "mixer1"=wdmaud.drv
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
          @="Driver"
          .
          [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
          path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
          backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
          backupExtension=.CommonStartup
          .
          [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
          path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
          backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
          backupExtension=.CommonStartup
          .
          [HKLM\~\startupfolder\C:^Users^Gemma^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
          path=c:\users\Gemma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
          backup=c:\windows\pss\Dell Dock.lnk.Startup
          backupExtension=.Startup
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
          2008-10-15 01:04   39792   ----a-w-   c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
          2008-05-04 09:25   167936   ----a-w-   c:\program files\DellTPad\Apoint.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
          2008-05-16 12:17   3444736   ----a-w-   c:\windows\System32\WLTRAY.EXE
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
          2009-12-07 11:50   1584640   ----a-w-   c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DACSMiniApp]
          2007-07-24 11:20   197888   ----a-w-   c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
          2011-07-28 23:08   1259376   ----a-w-   c:\program files\DivX\DivX Update\DivXUpdate.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
          2008-02-29 04:18   17920   ----a-w-   c:\dell\E-Center\EULALauncher.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
          2008-01-21 02:25   125952   ----a-w-   c:\windows\ehome\ehtray.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
          2009-02-26 18:36   30040   ----a-w-   c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
          2008-03-06 07:58   166424   ----a-w-   c:\windows\System32\hkcmd.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
          2007-03-21 12:00   174872   ----a-w-   c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
          2008-03-06 07:58   141848   ----a-w-   c:\windows\System32\igfxtray.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
          2012-07-03 12:46   973488   ----a-w-   c:\program files\Malwarebytes' Anti-Malware\mbam.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
          2012-03-08 17:50   4280184   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
          2007-12-21 09:58   184320   ----a-w-   c:\program files\Dell\MediaDirect\PCMService.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
          2008-03-06 07:58   133656   ----a-w-   c:\windows\System32\igfxpers.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
          2007-11-12 11:07   405504   ----a-w-   c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
          2012-07-13 12:33   17418928   ----a-r-   c:\program files\Skype\Phone\Skype.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Companion]
          2009-06-18 09:04   772096   ----a-w-   c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
          2004-01-26 10:38   866816   ----a-w-   c:\program files\Thomson\SpeedTouch USB\dragdiag.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
          2009-03-05 15:07   2260480   --sha-r-   c:\program files\Spybot - Search & Destroy\TeaTimer.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
          2010-05-14 10:44   248552   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
          2010-05-20 22:40   202256   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
          2009-11-13 11:31   247144   ----a-w-   c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
          2008-01-21 02:23   1008184   ----a-w-   c:\program files\Windows Defender\MSASCui.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
          "DisableMonitoring"=dword:00000001
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
          "DisableMonitoring"=dword:00000001
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
          "DisableMonitoring"=dword:00000001
          .
          R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe

          R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

          .
          .
          --- Other Services/Drivers In Memory ---
          .
          *NewlyCreated* - ECACHE
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
          .
          Contents of the 'Scheduled Tasks' folder
          .
          2012-08-29 c:\windows\Tasks\Adobe Flash Player Updater.job
          - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-22 18:52]
          .
          2012-08-28 c:\windows\Tasks\Norton Security Scan for Gemma.job
          - c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-26 01:45]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = about:blank
          uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
          mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
          uInternet Settings,ProxyOverride = <local>
          uInternet Settings,ProxyServer = http=127.0.0.1:58343
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
          TCP: DhcpNameServer = 192.168.1.254
          FF - ProfilePath - c:\users\Gemma\AppData\Roaming\Mozilla\Firefox\Profiles\75cd0c58.default\
          FF - prefs.js: browser.search.selectedEngine - Google
          FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2
          FF - prefs.js: keyword.URL - hxxp://flvtubesearch.co/?prt=02ff&clid=&subid=&Keywords=
          FF - prefs.js: network.proxy.http - 127.0.0.1
          FF - prefs.js: network.proxy.http_port - 58343
          FF - prefs.js: network.proxy.type - 4
          FF - user.js: network.cookie.cookieBehavior - 0
          FF - user.js: privacy.clearOnShutdown.cookies - false
          FF - user.js: security.warn_viewing_mixed - false
          FF - user.js: security.warn_viewing_mixed.show_once - false
          FF - user.js: security.warn_submit_insecure - false
          FF - user.js: security.warn_submit_insecure.show_once - false
          .
          - - - - ORPHANS REMOVED - - - -
          .
          Toolbar-BigBitmap - (no file)
          Toolbar-SmallBitmap - (no file)
          HKLM-Run-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
          MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
          MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
          MSConfigStartUp-dscactivate - c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
          MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
          .
          .
          .
          **************************************************************************
          .
          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2012-08-31 10:28
          Windows 6.0.6002 Service Pack 2 NTFS
          .
          scanning hidden processes ... 
          .
          scanning hidden autostart entries ...
          .
          scanning hidden files ... 
          .
          scan completed successfully
          hidden files: 0
          .
          **************************************************************************
          .
          [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
          "ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------
          .
          [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
          @Denied: (A) (Users)
          @Denied: (A) (Everyone)
          @Allowed: (B 1 2 3 4 5) (S-1-5-20)
          "BlindDial"=dword:00000000
          .
          [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
          @Denied: (A) (Users)
          @Denied: (A) (Everyone)
          @Allowed: (B 1 2 3 4 5) (S-1-5-20)
          "BlindDial"=dword:00000000
          .
          [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
          @Denied: (A) (Users)
          @Denied: (A) (Everyone)
          @Allowed: (B 1 2 3 4 5) (S-1-5-20)
          "BlindDial"=dword:00000000
          .
          Completion time: 2012-08-31  10:32:28
          ComboFix-quarantined-files.txt  2012-08-31 09:32
          .
          Pre-Run: 65,570,836,480 bytes free
          Post-Run: 66,023,469,056 bytes free
          .
          - - End Of File - - 3B5C74C0FDE1CAB09C16CC280DEE2D21
          « Last Edit: August 31, 2012, 07:13:10 PM by SuperDave »

          Dr Jay

          • Malware Removal Specialist


          • Specialist
          • Moderator emeritus
          • Thanked: 119
          • Experience: Guru
          • OS: Windows 10
          Re: West Yorkshire Police Virus
          « Reply #5 on: August 31, 2012, 05:46:12 AM »
          Please download aswMBR from here

          • Save aswMBR.exe to your Desktop
          • Double click aswMBR.exe to run it
          • Click the Scan button to start the scan as illustrated below


          Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

          • Once the scan finishes click Save log to save the log to your Desktop


          • Copy and paste the contents of aswMBR.txt back here for review
          ~Dr Jay

          Stuck Noob

            Topic Starter


            Rookie

            • Experience: Beginner
            • OS: Unknown
            Re: West Yorkshire Police Virus
            « Reply #6 on: August 31, 2012, 06:42:37 AM »
            I've got the following

            aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
            Run date: 2012-08-31 13:17:32
            -----------------------------
            13:17:32.961    OS Version: Windows 6.0.6002 Service Pack 2
            13:17:32.961    Number of processors: 1 586 0x1601
            13:17:32.961    ComputerName: GEMMA-PC  UserName: Gemma
            13:17:50.433    Initialize success
            13:18:08.717    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
            13:18:08.717    Disk 0 Vendor: ST912081 3.AD Size: 114473MB BusType: 3
            13:18:08.748    Disk 0 MBR read successfully
            13:18:08.748    Disk 0 MBR scan
            13:18:08.763    Disk 0 Windows VISTA default MBR code
            13:18:08.779    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0      101 MB offset 63
            13:18:08.795    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        10240 MB offset 208896
            13:18:08.810    Disk 0 Partition 3 80 (A) 07    HPFS/NTFS NTFS       101569 MB offset 21180416
            13:18:08.810    Disk 0 Partition - 00     0F Extended LBA              2560 MB offset 229195776
            13:18:08.888    Disk 0 Partition 4 00     DD              MSDOS5.0     2559 MB offset 229197824
            13:18:08.919    Disk 0 scanning sectors +234438656
            13:18:09.044    Disk 0 scanning C:\Windows\system32\drivers
            13:18:16.220    Service scanning
            13:18:38.591    Modules scanning
            13:18:44.300    Disk 0 trace - called modules:
            13:18:44.347    ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
            13:18:44.347    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b02f878]
            13:18:44.363    3 CLASSPNP.SYS[8d9a78b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a5c0030]
            13:18:44.363    Scan finished successfully
            13:41:27.849    Disk 0 MBR has been saved successfully to "C:\Users\Gemma\Desktop\MBR.dat"
            13:41:27.865    The log file has been saved successfully to "C:\Users\Gemma\Desktop\aswMBR.txt"


            Thanks again, I appreciate your help!

            Dr Jay

            • Malware Removal Specialist


            • Specialist
            • Moderator emeritus
            • Thanked: 119
            • Experience: Guru
            • OS: Windows 10
            Re: West Yorkshire Police Virus
            « Reply #7 on: August 31, 2012, 09:43:49 AM »
            Excellent work!

            ESET Online Scan
             
            Please run a free online scan with the ESET Online Scanner
            • Tick the box next to YES, I accept the Terms of Use
            • Click Start
            • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
            • Click Start or wait for the scanner to load.
            • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
            • Click Scan (This scan can take several hours, so please be patient)
            • Once the scan is completed, there are a couple of things to keep in mind:
            • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
            • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
            • Open the logfile from wherever you saved it
            • Copy and paste the contents in your next reply.
            ~Dr Jay

            Stuck Noob

              Topic Starter


              Rookie

              • Experience: Beginner
              • OS: Unknown
              Re: West Yorkshire Police Virus
              « Reply #8 on: August 31, 2012, 02:49:02 PM »
              7 threats found

              C:\Users\Gemma\AppData\Local\Microsoft\Windows\228\WindowsCodecsExt.exe   a variant of Win32/Kryptik.ALBD trojan   cleaned by deleting - quarantined
              C:\Users\Gemma\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120217225646367.rsc_tmp   multiple threats   deleted - quarantined
              C:\Users\Gemma\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120217231620925.rsc   multiple threats   deleted - quarantined
              C:\Users\Gemma\AppData\Roaming\B4414EE8A7520B62EDE608ED711EDA7A\enemies-names.txt   Win32/Adware.AntimalwareDoctor.AE.Gen application   cleaned by deleting - quarantined
              C:\Users\Gemma\AppData\Roaming\B4414EE8A7520B62EDE608ED711EDA7A\local.ini   Win32/Adware.AntimalwareDoctor.AE.Gen application   cleaned by deleting - quarantined
              C:\Users\Gemma\Downloads\BitZipper50TrialSetupEn.exe   a variant of Win32/InstallIQ application   cleaned by deleting - quarantined
              C:\Users\Gemma\Downloads\BitZipperH2010.v8326484.TrialSetupEn.exe   a variant of Win32/InstallIQ application   cleaned by deleting - quarantined

              Thanks
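The ComboFix "Reg Loading Points" section in Reply #4 and the ESET results in Reply #8 carry the same indicator from two directions: a Run value in HKEY_CURRENT_USER pointing into a user-writable AppData folder (WindowsCodecsExt.exe), which ESET later identified as a Win32/Kryptik variant. The ComboFix "Supplementary Scan" also shows both Internet Explorer and Firefox configured to use a proxy on the local machine (127.0.0.1:58343). As an added example (not part of this thread and not code from ComboFix or ESET), here is a small Python triage script that parses excerpts of those two log formats, flags autostart entries living in user-writable locations and browser proxies pointing at the local machine, and cross-references the flagged paths against the ESET detections. The sample log lines are constructed from the logs above; the path markers treated as "user-writable" and the log-format regexes are my own assumptions.

```python
"""Added example: triage a ComboFix 'Reg Loading Points' / 'Supplementary Scan'
excerpt and cross-reference it with an ESET Online Scanner result list.
Not ComboFix or ESET code; the heuristics below are assumptions."""
import re

# Constructed sample: a handful of lines excerpted from the ComboFix log in Reply #4.
COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"WindowsCodecsExt"="c:\users\Gemma\AppData\Local\Microsoft\Windows\228\WindowsCodecsExt.exe" [2012-08-28 75264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
uInternet Settings,ProxyServer = http=127.0.0.1:58343
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58343
"""

# Constructed sample: two ESET result lines from Reply #8 (columns separated by three spaces).
ESET_SAMPLE = r"""
C:\Users\Gemma\AppData\Local\Microsoft\Windows\228\WindowsCodecsExt.exe   a variant of Win32/Kryptik.ALBD trojan   cleaned by deleting - quarantined
C:\Users\Gemma\Downloads\BitZipper50TrialSetupEn.exe   a variant of Win32/InstallIQ application   cleaned by deleting - quarantined
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")               # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')  # "Name"="path" [date size]
# Matches the IE ProxyServer line ("http=127.0.0.1:58343") and the Firefox
# network.proxy.http pref; the "_port" pref is deliberately not matched.
PROXY_RE = re.compile(
    r"(?:ProxyServer\s*=\s*(?:\w+=)?|network\.proxy\.http\s*-\s*)(?P<host>[\w.:-]+)")
# Assumption: autostart entries under these locations deserve a closer look,
# because an unprivileged user (or malware running as that user) can write there.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def parse_run_entries(log):
    """Return {key, name, path} for every value listed under a ...\\Run or ...\\RunOnce key."""
    entries, current = [], None
    for line in log.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            continue
        if current and current.lower().endswith(("\\run", "\\runonce")):
            v = VALUE_RE.match(line)
            if v:
                entries.append({"key": current, "name": v.group("name"), "path": v.group("path")})
    return entries


def is_user_writable(path):
    """Heuristic: does the path sit somewhere a normal user account can write?"""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def find_loopback_proxies(log):
    """Return proxy hosts from the ComboFix browser settings that point at the local machine."""
    hits = []
    for line in log.splitlines():
        m = PROXY_RE.search(line)
        if m and m.group("host").split(":")[0] in ("127.0.0.1", "localhost"):
            hits.append(m.group("host"))
    return hits


def parse_eset(log):
    """Split ESET result lines (path / detection / action, tab or 3+ spaces apart)."""
    findings = []
    for line in log.splitlines():
        parts = [p for p in re.split(r"\t|\s{3,}", line.strip()) if p]
        if len(parts) >= 3:
            findings.append({"path": parts[0], "detection": parts[1], "action": parts[2]})
    return findings


def triage(combofix_log, eset_log):
    """Flag suspicious autostarts and proxies, then confirm flagged paths against ESET."""
    suspicious = [e for e in parse_run_entries(combofix_log) if is_user_writable(e["path"])]
    by_path = {f["path"].lower(): f for f in parse_eset(eset_log)}   # case-insensitive paths
    confirmed = []
    for e in suspicious:
        f = by_path.get(e["path"].lower())
        if f:
            confirmed.append({**e, "detection": f["detection"], "action": f["action"]})
    return {"suspicious_run": suspicious,
            "loopback_proxy": find_loopback_proxies(combofix_log),
            "confirmed": confirmed}


if __name__ == "__main__":
    report = triage(COMBOFIX_SAMPLE, ESET_SAMPLE)
    for e in report["suspicious_run"]:
        print(f"[autostart in user-writable path] {e['name']} -> {e['path']}")
    for host in report["loopback_proxy"]:
        print(f"[browser proxy points at local machine] {host}")
    for c in report["confirmed"]:
        print(f"[confirmed by ESET] {c['name']}: {c['detection']} ({c['action']})")
```

Run against the excerpts above, the script flags only WindowsCodecsExt (the Windows, Skype and Office entries live under Program Files or the Windows directory and pass), reports the two loopback proxy settings, and matches the flagged path to ESET's Kryptik detection. The proxy finding is worth keeping in mind even after the file is gone: ComboFix's log shows the setting in both browsers but nothing in the thread shows it being reset, so checking that IE and Firefox no longer route through 127.0.0.1:58343 is a sensible follow-up once the machine is otherwise clean.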

              Dr Jay

              • Malware Removal Specialist


              • Specialist
              • Moderator emeritus
              • Thanked: 119
              • Experience: Guru
              • OS: Windows 10
              Re: West Yorkshire Police Virus
              « Reply #9 on: September 01, 2012, 04:37:19 AM »
              Any more issues?

              We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

              Many of the things to note for us would be:

              • Slow computer
              • Error messages
              • Fake antivirus alerts or the icon in the system tray
              • svchost.exe running at 100%
              • System crashes or blue screen of death
              ~Dr Jay

              Stuck Noob

                Topic Starter


                Rookie

                • Experience: Beginner
                • OS: Unknown
                Re: West Yorkshire Police Virus
                « Reply #10 on: September 03, 2012, 12:51:08 PM »
                Sorry I was away for the weekend. All seems well thank you very much  ;D

                Is there a good free anti virus you can recommend?

                Thanks again!

                Dr Jay

                • Malware Removal Specialist


                • Specialist
                • Moderator emeritus
                • Thanked: 119
                • Experience: Guru
                • OS: Windows 10
                Re: West Yorkshire Police Virus
                « Reply #11 on: September 05, 2012, 02:23:31 AM »
                Let's clean up, then you will be able to see them. These are preventative measures to make sure you don't get infected again...

                Clean up System Restore

                Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

                To manually create a new Restore Point
                • Go to Control Panel and select System and Maintenance
                • Select System
                • On the left select Advanced System Settings and accept the warning if you get one
                • Select System Protection Tab
                • Select Create at the bottom
                • Type in a name i.e. Clean
                • Select Create
                Now we can purge the infected ones
                • Go back to the System and Maintenance page
                • Select Performance Information and Tools
                • On the left select Open Disk Cleanup
                • Select Files from all users and accept the warning if you get one
                • In the drop down box select your main drive i.e. C
                • For a few moments the system will make some calculations:

                • Select the More Options tab

                • In the System Restore and Shadow Backups select Clean up

                • Select Delete on the pop up
                • Select OK
                • Select Delete
                Run OTC to remove our tools

                To remove all of the tools we used and the files and folders they created, please do the following:
                Please download OTC.exe by OldTimer:
                • Save it to your Desktop.
                • Double click OTC.exe.
                • Click the CleanUp! button.
                • If you are prompted to Reboot during the cleanup, select Yes.
                • The tool will delete itself once it finishes.
                Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

                Purge old temporary files

                Download CCleaner Slim and save it to your Desktop - Alternate download link

                When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
                Follow the prompts to install the program.

                * Double-click the CCleaner shortcut on the desktop to start the program.
                * Click on the Options block on the left, then choose Cookies.
                * Under Cookies to Delete, highlight any cookies you would like to retain permanently
                * Click the right arrow > to move them to the Cookies to Keep window.
                * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
                * Click Cleaner on the left then Run Cleaner on the right to run the program.
                * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

                Caution: Only use the Registry feature if you are very familiar with the registry.
                Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

                Security Check

                Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
                • Save it to your Desktop.
                • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
                • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
                ~Dr Jay