
Topic: ds-any-world.ngd.ysm.yahoodns.net


ronymaxwell (Topic Starter)
    ds-any-world.ngd.ysm.yahoodns.net
    « on: January 14, 2013, 09:51:00 AM »
    My security software monitors my computer's ports.  It has highlighted an attempt to access a port which always happens when I log off from online banking.  The address is ds-any-world.ngd.ysm.yahoodns.net - do I need to worry?  Note: I have 'Rapport' installed, recommended by the bank, it might be this.

    SuperDave (Malware Removal Specialist, Moderator)
    Re: ds-any-world.ngd.ysm.yahoodns.net
    « Reply #1 on: January 14, 2013, 03:52:03 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer, you will have to download any programs on the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the shift key down while inserting the USB storage device for about 10 seconds. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    Quote
    Note: I have 'Rapport' installed, recommended by the bank, it might be this.
    Does it show up in your Rapport weekly report? Rapport should keep your computer safe but we should run some scans.

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
    *********************************************
    Please download Malwarebytes Anti-Malware from here.
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    ***************************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

      ronymaxwell (Topic Starter)
      Re: ds-any-world.ngd.ysm.yahoodns.net
      « Reply #2 on: January 15, 2013, 02:00:05 AM »
      Thanks, SuperDave.  The only thing I can see on Rapport is 'Blocked IP Address 2.21.114.234 does not match PayPal'.
      This is the report from Adw Cleaner.

      # AdwCleaner v2.105 - Logfile created 01/15/2013 at 09:19:42
      # Updated 08/01/2013 by Xplode
      # Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
      # User : Ron - LAPTOP
      # Boot Mode : Normal
      # Running from : C:\Users\Ron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RZKX51KI\adwcleaner.exe
      # Option [Search]


      ***** [Services] *****


      ***** [Files / Folders] *****

      File Found : C:\user.js
      Folder Found : C:\Program Files\FreeRIP
      Folder Found : C:\ProgramData\blekko toolbars
      Folder Found : C:\ProgramData\FreeRIP
      Folder Found : C:\ProgramData\Tarma Installer
      Folder Found : C:\Users\Ron\AppData\Local\Ilivid Player
      Folder Found : C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeRIP

      ***** [Registry] *****

      Key Found : HKCU\Software\APN PIP
      Key Found : HKCU\Software\IGearSettings
      Key Found : HKCU\Software\InstallCore
      Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
      Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
      Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
      Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
      Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
      Key Found : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32
      Key Found : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS
      Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
      Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
      Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
      Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
      Key Found : HKLM\Software\PIP
      Key Found : HKU\S-1-5-21-2084100889-3578192127-2536355299-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}

      ***** [Internet Browsers] *****

      -\\ Internet Explorer v9.0.8112.16457

      [OK] Registry is clean.

      -\\ Mozilla Firefox v18.0 (en-GB)

      File : C:\Users\Ron\AppData\Roaming\Mozilla\Firefox\Profiles\nquzyw60.default\prefs.js

      [OK] File is clean.

      -\\ Google Chrome v [Unable to get version]

      File : C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Preferences

      [OK] File is clean.

      *************************

      AdwCleaner[R1].txt - [2422 octets] - [15/01/2013 09:19:42]

      ########## EOF - C:\AdwCleaner[R1].txt - [2482 octets] ##########

        ronymaxwell (Topic Starter)
        Re: ds-any-world.ngd.ysm.yahoodns.net
        « Reply #3 on: January 15, 2013, 03:59:10 AM »
        Malwarebytes Anti-Malware 1.70.0.1100
        www.malwarebytes.org

        Database version: v2013.01.15.08

        Windows 7 Service Pack 1 x86 NTFS
        Internet Explorer 9.0.8112.16421
        Ron :: LAPTOP [administrator]

        15/01/2013 09:27:32
        mbam-log-2013-01-15 (09-27-32).txt

        Scan type: Full scan (C:\|D:\|)
        Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
        Scan options disabled:
        Objects scanned: 336433
        Time elapsed: 1 hour(s), 54 minute(s), 5 second(s)

        Memory Processes Detected: 0
        (No malicious items detected)

        Memory Modules Detected: 0
        (No malicious items detected)

        Registry Keys Detected: 0
        (No malicious items detected)

        Registry Values Detected: 0
        (No malicious items detected)

        Registry Data Items Detected: 0
        (No malicious items detected)

        Folders Detected: 0
        (No malicious items detected)

        Files Detected: 0
        (No malicious items detected)

        (end)

          ronymaxwell (Topic Starter)
          Re: ds-any-world.ngd.ysm.yahoodns.net
          « Reply #4 on: January 15, 2013, 04:03:43 AM »
          Results of screen317's Security Check version 0.99.57
          Windows 7 Service Pack 1 x86 (UAC is disabled!)
          Internet Explorer 9
          ``````````````Antivirus/Firewall Check:``````````````
          Windows Firewall Disabled!
          Outpost Security Suite Pro
          Antivirus up to date!
          `````````Anti-malware/Other Utilities Check:`````````
          SUPERAntiSpyware
          Secunia PSI (3.0.0.4001)
          Malwarebytes Anti-Malware version 1.70.0.1100
          CCleaner
          Java 7 Update 11
          Adobe Flash Player 11.5.502.146
          Adobe Reader 10.1.5 Adobe Reader out of Date!
          Mozilla Firefox (18.0)
          ````````Process Check: objlist.exe by Laurent````````
          Malwarebytes Anti-Malware mbam.exe
          `````````````````System Health check`````````````````
          Total Fragmentation on Drive C: 3%
          ````````````````````End of Log``````````````````````

          SuperDave (Malware Removal Specialist, Moderator)
          Re: ds-any-world.ngd.ysm.yahoodns.net
          « Reply #5 on: January 15, 2013, 12:28:16 PM »
          Quote
          The only thing I can see on Rapport is 'Blocked IP Address 2.21.114.234 does not match PayPal'.
          Yes, I get that often on mine and I've never used PayPal.

          Remove the Adware:
          • Please close all open programs and internet browsers.
          • Double click on adwcleaner.exe to run the tool.
          • Click on Delete.
          • Confirm each time with OK
          • Your computer will be rebooted automatically. A text file will open after the restart.
          • Please post the content of that logfile in your reply.
          • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
          **********************************************************
          Update your Adobe Reader. get.adobe.com/reader.

          Be sure to uncheck the Free McAfee Security Scan so it isn't installed.

          **************************************************
          Download Combofix from any of the links below, and save it to your DESKTOP

          Link 1
          Link 2
          Link 3

          To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
          • Close any open windows and double click ComboFix.exe to run it.

            You will see the following image:


          Click I Agree to start the program.

          ComboFix will then extract the necessary files and you will see this:



          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

          It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

          If you did not have it installed, you will see the prompt below. Choose YES.



          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

          **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



          Click on Yes, to continue scanning for malware.

          When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

          Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

          Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

            ronymaxwell (Topic Starter)
            Re: ds-any-world.ngd.ysm.yahoodns.net
            « Reply #6 on: January 15, 2013, 05:29:13 PM »
            # AdwCleaner v2.105 - Logfile created 01/16/2013 at 00:46:43
            # Updated 08/01/2013 by Xplode
            # Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
            # User : Ron - LAPTOP
            # Boot Mode : Normal
            # Running from : C:\Users\Ron\Downloads\adwcleaner.exe
            # Option [Delete]


            ***** [Services] *****


            ***** [Files / Folders] *****

            File Deleted : C:\user.js
            Folder Deleted : C:\Program Files\FreeRIP
            Folder Deleted : C:\ProgramData\blekko toolbars
            Folder Deleted : C:\ProgramData\FreeRIP
            Folder Deleted : C:\ProgramData\Tarma Installer
            Folder Deleted : C:\Users\Ron\AppData\Local\Ilivid Player
            Folder Deleted : C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeRIP

            ***** [Registry] *****

            Key Deleted : HKCU\Software\APN PIP
            Key Deleted : HKCU\Software\IGearSettings
            Key Deleted : HKCU\Software\InstallCore
            Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
            Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
            Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
            Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
            Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
            Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32
            Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS
            Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
            Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
            Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
            Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
            Key Deleted : HKLM\Software\PIP

            ***** [Internet Browsers] *****

            -\\ Internet Explorer v9.0.8112.16457

            [OK] Registry is clean.

            -\\ Mozilla Firefox v18.0 (en-GB)
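
Cross-checking the AdwCleaner search report in Reply #2 against the delete report above, as an added example that is not part of the original thread: the functions below parse the `Found`/`Deleted` lines of both reports into (type, path) pairs, list anything reported by the search run that does not appear in the delete run, and summarise the findings per adware family using the product names visible in the paths. The two log extracts are copied from the posts (the delete report as posted is cut off before its browser section, so only the Files/Folders and Registry sections are compared); the function names, the `FAMILIES` list and the output format are mine.

```python
import re

# AdwCleaner reports one finding per line, for example
#   File Found : C:\user.js                      (search run, AdwCleaner[R1].txt)
#   Folder Deleted : C:\Program Files\FreeRIP    (delete run, AdwCleaner[S1].txt)
LINE_RE = re.compile(r"^\s*(File|Folder|Key|Value)\s+(Found|Deleted)\s*:\s*(.+?)\s*$")

# Files/Folders and Registry lines copied from the search report in this thread
SEARCH_LOG = r"""
File Found : C:\user.js
Folder Found : C:\Program Files\FreeRIP
Folder Found : C:\ProgramData\blekko toolbars
Folder Found : C:\ProgramData\FreeRIP
Folder Found : C:\ProgramData\Tarma Installer
Folder Found : C:\Users\Ron\AppData\Local\Ilivid Player
Folder Found : C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeRIP
Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Found : HKLM\Software\PIP
Key Found : HKU\S-1-5-21-2084100889-3578192127-2536355299-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
"""

# Same sections copied from the delete report (the posted log is truncated after this)
DELETE_LOG = r"""
File Deleted : C:\user.js
Folder Deleted : C:\Program Files\FreeRIP
Folder Deleted : C:\ProgramData\blekko toolbars
Folder Deleted : C:\ProgramData\FreeRIP
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\Ron\AppData\Local\Ilivid Player
Folder Deleted : C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeRIP
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Deleted : HKLM\Software\PIP
"""

def parse_adwcleaner(log_text):
    """Map (kind, lower-cased path) -> action for every Found/Deleted line.
    Paths are lower-cased because NTFS paths and registry keys are case-insensitive
    (the report itself spells the same hive both SOFTWARE and Software)."""
    items = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            kind, action, path = m.groups()
            items[(kind, path.lower())] = action
    return items

def reconcile(search_log, delete_log):
    """Compare a search ([Rn]) report with the delete ([Sn]) report that followed it."""
    found = parse_adwcleaner(search_log)
    deleted = parse_adwcleaner(delete_log)
    return {
        "found": len(found),
        "deleted": len(deleted),
        # reported by the search run but missing from the delete run: verify by hand
        "not_deleted": sorted(k for k in found if k not in deleted),
        # removed without having been reported first (should be empty)
        "unexpected": sorted(k for k in deleted if k not in found),
    }

# Product names that appear in the paths above (my list, used only to summarise the noise)
FAMILIES = ("FreeRIP", "iLivid", "Searchqu", "blekko", "InstallCore", "Tarma", "PIP")

def families(items):
    """Count findings per adware family by case-insensitive substring match on the path."""
    counts = {}
    for _kind, path in items:
        for name in FAMILIES:
            if name.lower() in path:
                counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    result = reconcile(SEARCH_LOG, DELETE_LOG)
    print(f"found {result['found']}, deleted {result['deleted']}")
    for kind, path in result["not_deleted"]:
        print(f"not deleted: {kind} {path}")
    print(families(parse_adwcleaner(SEARCH_LOG)))
```

The one entry this flags is the `HKU\S-1-5-21-...-1000\...\SearchScopes` key. That is not a leftover: HKCU is a view of HKEY_USERS\<SID of the logged-on user>, so it is the same key as the HKCU SearchScopes entry the delete run removed, which is why a path-for-path comparison should be read as a list of items to verify rather than proof that something survived.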

              ronymaxwell (Topic Starter)
              Re: ds-any-world.ngd.ysm.yahoodns.net
              « Reply #7 on: January 15, 2013, 06:14:09 PM »
              ComboFix 13-01-15.02 - Ron 16/01/2013   1:10.2.2 - x86
              Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.3037.1903 [GMT 0:00]
              Running from: c:\users\Ron\Downloads\ComboFix.exe
              AV: Outpost Security Suite Pro *Disabled/Updated* {ECEA6BCD-A007-0BC7-D5A5-0254DCBD816E}
              FW: Outpost Security Suite Pro *Disabled* {D4D1EAE8-EA68-0A9F-FEFA-AB61226EC615}
              SP: Outpost Security Suite Pro *Disabled/Updated* {578B8A29-863D-0449-EF15-3926A73ACBD3}
              SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
               * Resident AV is active
              .
              .
              .
              (((((((((((((((((((((((((   Files Created from 2012-12-16 to 2013-01-16  )))))))))))))))))))))))))))))))
              .
              .
              2013-01-16 01:19 . 2013-01-16 01:19   --------   d-----w-   c:\users\Super Ted\AppData\Local\temp
              2013-01-16 01:19 . 2013-01-16 01:19   --------   d-----w-   c:\users\Public\AppData\Local\temp
              2013-01-16 01:19 . 2013-01-16 01:19   --------   d-----w-   c:\users\Default\AppData\Local\temp
              2013-01-16 00:56 . 2013-01-16 00:56   --------   d-----w-   c:\program files\Common Files\Adobe
              2013-01-15 20:23 . 2012-11-08 18:00   6812136   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{5DB0FC3E-C698-4F0B-8633-D4245201CEDB}\mpengine.dll
              2013-01-14 14:50 . 2013-01-12 03:30   94112   ----a-w-   c:\windows\system32\WindowsAccessBridge.dll
              2013-01-09 10:26 . 2012-11-01 04:47   1389568   ----a-w-   c:\windows\system32\msxml6.dll
              2013-01-09 10:26 . 2012-11-09 04:43   492032   ----a-w-   c:\windows\system32\win32spl.dll
              2013-01-09 10:26 . 2012-11-20 04:51   220160   ----a-w-   c:\windows\system32\ncrypt.dll
              2013-01-09 10:26 . 2012-11-23 02:48   49152   ----a-w-   c:\windows\system32\taskhost.exe
              2013-01-03 12:43 . 2013-01-03 12:43   --------   d-----w-   c:\users\Ron\AppData\Local\Programs
              2012-12-23 22:13 . 2012-12-23 22:13   65848   ----a-w-   c:\windows\system32\drivers\RapportKELL.sys
              2012-12-21 11:05 . 2012-12-16 14:13   295424   ----a-w-   c:\windows\system32\atmfd.dll
              2012-12-21 11:05 . 2012-12-16 14:13   34304   ----a-w-   c:\windows\system32\atmlib.dll
              2012-12-18 19:08 . 2012-12-18 19:08   209112   ----a-w-   c:\program files\Internet Explorer\Plugins\nppdf32.dll
              .
              .
              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2013-01-09 17:26 . 2012-04-02 20:43   697864   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
              2013-01-09 17:26 . 2012-03-26 10:38   74248   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
              2012-12-14 16:49 . 2012-06-27 11:14   21104   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2012-12-13 16:45 . 2012-05-27 11:48   895088   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
              2012-12-13 16:45 . 2012-05-27 11:48   42776   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
              2012-12-12 11:31 . 2012-05-17 23:22   895088   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
              2012-12-12 11:31 . 2012-05-17 23:22   42776   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
              2012-12-12 11:31 . 2012-05-27 11:48   710992   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
              2012-12-10 13:09 . 2012-05-17 23:21   710992   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
              2012-11-14 02:09 . 2012-12-12 22:53   1800704   ----a-w-   c:\windows\system32\jscript9.dll
              2012-11-14 01:58 . 2012-12-12 22:53   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
              2012-11-14 01:57 . 2012-12-12 22:53   1129472   ----a-w-   c:\windows\system32\wininet.dll
              2012-11-14 01:49 . 2012-12-12 22:53   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
              2012-11-14 01:48 . 2012-12-12 22:53   420864   ----a-w-   c:\windows\system32\vbscript.dll
              2012-11-14 01:44 . 2012-12-12 22:53   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
              2012-11-09 04:42 . 2012-12-12 09:03   2048   ----a-w-   c:\windows\system32\tzres.dll
              2012-11-08 11:29 . 2012-11-08 11:29   1402312   ----a-w-   c:\windows\system32\msxml4.dll
              2012-11-02 05:11 . 2012-12-12 09:03   376832   ----a-w-   c:\windows\system32\dpnet.dll
              2012-10-25 03:12 . 2012-10-25 03:12   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
              2012-10-25 03:12 . 2012-10-25 03:12   69632   ----a-w-   c:\windows\system32\QuickTime.qts
              2013-01-05 03:44 . 2012-12-05 23:37   262704   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
              .
              .
              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Outpost]
              @="{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
              [HKEY_CLASSES_ROOT\CLSID\{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}]
              2012-02-17 10:57   246696   ----a-w-   c:\program files\Agnitum\Outpost Security Suite Pro\op_shell.dll
              .
              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-06 4763008]
              "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
              "OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2012-02-17 3266864]
              "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
              "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
              "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
              "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
              "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
              .
              c:\users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
              OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
              .
              c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
              Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2012-9-24 573536]
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
              "ConsentPromptBehaviorAdmin"= 0 (0x0)
              "ConsentPromptBehaviorUser"= 3 (0x3)
              "EnableLUA"= 0 (0x0)
              "EnableUIADesktopToggle"= 0 (0x0)
              "PromptOnSecureDesktop"= 0 (0x0)
              .
              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
              "AppInit_DLLs"=c:\progra~1\Agnitum\OUTPOS~1\wl_hook.dll
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
              "aux1"=wdmaud.drv
              .
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
              @=""
              .
              R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys
              R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe
              R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe
              R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys
              R3 RapportKELL;RapportKELL;c:\windows\system32\Drivers\RapportKELL.sys
              R3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys
              R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys
              R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys
              R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe
              S0 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys
              S1 afw;Agnitum Firewall Driver;c:\windows\system32\DRIVERS\afw.sys
              S1 RapportCerberus_43926;RapportCerberus_43926;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus32_43926.sys
              S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys
              S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS
              S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS
              S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE
              S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe
              S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe
              S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe
              S3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys
              S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll
              S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys
              S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys
              S3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\39624\rapportiaso.sys
              S3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys
              S3 VBFilt;VBFilt;c:\windows\system32\Filt\VBFilt.dll

              .
              .
              --- Other Services/Drivers In Memory ---
              .
              *NewlyCreated* - RAPPORTIASO
              *Deregistered* - VBCoreNT.0
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              GPSvcGroup   REG_MULTI_SZ      GPSvc
              .
              Contents of the 'Scheduled Tasks' folder
              .
              2013-01-16 c:\windows\Tasks\Adobe Flash Player Updater.job
              - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 17:26]
              .
              .
              ------- Supplementary Scan -------
              .
              uStart Page = hxxp://www.google.co.uk/
              uInternet Settings,ProxyOverride = *.local
              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
              IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
              TCP: DhcpNameServer = 192.168.1.254
              FF - ProfilePath - c:\users\Ron\AppData\Roaming\Mozilla\Firefox\Profiles\nquzyw60.default\
              FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/|http://my.ebay.co.uk/ws/eBayISAPI.dll?MyEbay&gbh=1&CurrentPage=MyeBayAllSelling&ssPageName=STRK:ME:LNLK:MESX|http://www.natwest.com/personal.ashx|https://www.paypal.com/uk/webapps/mpp/home|https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1351630588&rver=6.1.6206.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=2057&id=64855&mkt=en-gb&cbcxt=mai&snsc=1#n=1812048153&fid=5|http://s756.beta.photobucket.com/|http://www.metoffice.gov.uk/public/weather/forecast/?tab=fiveDay|http://uk.search.yahoo.com/
              .
              - - - - ORPHANS REMOVED - - - -
              .
              AddRemove-{501451DE-5808-4599-B544-8BD0915B6B24}_is1 - c:\program files\FreeRIP\unins000.exe
              .
              .
              .
              --------------------- LOCKED REGISTRY KEYS ---------------------
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
              @Denied: (A 2) (Everyone)
              @="FlashBroker"
              "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
              "Enabled"=dword:00000001
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
              @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
              @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
              @Denied: (A 2) (Everyone)
              @="IFlashBroker5"
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
              @="{00020424-0000-0000-C000-000000000046}"
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
              @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
              "Version"="1.0"
              .
              [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
              @Denied: (Full) (Everyone)
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------
              .
              - - - - - - - > 'Explorer.exe'(5780)
              c:\program files\Trusteer\Rapport\bin\rooksbas.DLL
              c:\program files\Agnitum\Outpost Security Suite Pro\op_shell.dll
              .
              Completion time: 2013-01-16  01:23:33
              ComboFix-quarantined-files.txt  2013-01-16 01:23
              .
              Pre-Run: 195,363,536,896 bytes free
              Post-Run: 195,200,352,256 bytes free
              .
              - - End Of File - - FD03566DC8F4FF7856242BF54C3ECB9A
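
The "Reg Loading Points" section of the ComboFix log above records the machine's UAC policy (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0), which is what the "UAC is disabled!" line in the Security Check output in Reply #4 is reporting. As an added example, not part of the original thread: the code below parses the REGEDIT4-style key and value lines ComboFix prints, reports UAC settings that are weaker than the Windows 7 defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1, which I take as the baseline), and surfaces any AppInit_DLLs value, since that value names a DLL loaded into every process that loads user32.dll and is worth confirming against the product it belongs to (here Outpost's wl_hook.dll). The weak sample is copied from the log above; the hardened sample is constructed; the function names are mine.

```python
import re

KEY_RE = re.compile(r"^\s*\[(.+?)\]\s*$")                 # [HKEY_LOCAL_MACHINE\...]
VALUE_RE = re.compile(r'^\s*"([^"]+)"\s*=\s*(.+?)\s*$')   # "Name"= 0 (0x0)  or  "Name"=string

# Copied from the ComboFix log in this thread (weak configuration)
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Agnitum\OUTPOS~1\wl_hook.dll
"""

# Constructed: the same key at Windows 7 defaults, no AppInit_DLLs entry
HARDENED_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 1 (0x1)
"PromptOnSecureDesktop"= 1 (0x1)
"""

def parse_reg_dump(text):
    """Group the listing into {lower-cased key path: {value name: raw value text}}.
    The registry is case-insensitive, and ComboFix mixes cases in key headers."""
    keys, current = {}, None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            current = k.group(1).lower()
            keys.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            keys[current][v.group(1)] = v.group(2)
    return keys

def dword(raw):
    """ComboFix prints DWORD values as '0 (0x0)'; return the leading decimal."""
    m = re.match(r"\s*(\d+)", raw)
    return int(m.group(1)) if m else None

UAC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"

# Only settings weaker than the Windows 7 defaults are reported.
# ConsentPromptBehaviorAdmin=2 (always prompt for consent) is stricter than the default 5 and passes.
WEAK_UAC = {
    "EnableLUA": (lambda v: v != 1, "UAC disabled; processes in an admin account run fully elevated"),
    "ConsentPromptBehaviorAdmin": (lambda v: v == 0, "administrators elevate silently, no prompt"),
    "PromptOnSecureDesktop": (lambda v: v != 1, "elevation prompts not on the secure desktop, so spoofable"),
}

def audit(text):
    """Return a list of human-readable findings for one ComboFix 'Reg Loading Points' dump."""
    keys = parse_reg_dump(text)
    findings = []
    uac = keys.get(UAC_KEY, {})
    for name, (is_weak, why) in WEAK_UAC.items():
        if name in uac:
            value = dword(uac[name])
            if is_weak(value):
                findings.append(f"{name}={value}: {why}")
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs", "").strip()
    if appinit:
        findings.append(f"AppInit_DLLs={appinit}: loaded into every user32-based process; confirm the owner")
    return findings

if __name__ == "__main__":
    for finding in audit(COMBOFIX_SAMPLE):
        print(finding)
    print("hardened sample findings:", audit(HARDENED_SAMPLE))
```

On the thread's machine this yields three UAC findings plus the AppInit_DLLs line. The AppInit entry is Outpost's own hook DLL, consistent with the Outpost Security Suite entries elsewhere in the log; the point of listing it is that the same value is a common persistence location, so a reviewer should match every listed DLL to an installed product rather than assume it.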

              SuperDave (Malware Removal Specialist, Moderator)
              Re: ds-any-world.ngd.ysm.yahoodns.net
              « Reply #8 on: January 16, 2013, 12:49:47 PM »
              SysProt Antirootkit

              Download
              SysProt Antirootkit from the link below (you will find it at the bottom
              of the page under attachments, or you can get it from one of the
              mirrors).

              http://sites.google.com/site/sysprotantirootkit/

              Unzip it into a folder on your desktop.
              • Double click Sysprot.exe to start the program.
              • Click on the Log tab.
              • In the Write to log box select the following items.
                • Process << Selected
                • Kernel Modules << Selected
                • SSDT << Selected
                • Kernel Hooks << Selected
                • IRP Hooks << NOT Selected
                • Ports << NOT Selected
                • Hidden Files << Selected
              • At the bottom of the page
                • Hidden Objects Only << Selected
              • Click on the Create Log button on the bottom right.
              • After a few seconds a new window should appear.
              • Select Scan Root Drive. Click on the Start button.
              • When it is complete a new window will appear to indicate that the scan is finished.
              • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
              *******************************************************
              Please download aswMBR.exe ( 511KB ) to your desktop.

              Double click the aswMBR.exe to run it



              Click the "Scan" button to start scan

              Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives



              On completion of the scan click save log, save it to your desktop and post in your next reply
              Windows 8 and Windows 10 dual boot with two SSD's

              ronymaxwell

                Re: ds-any-world.ngd.ysm.yahoodns.net
                « Reply #9 on: January 17, 2013, 04:31:22 AM »
                An error message appeared: Error scanning SSDT hooks.

                SysProt AntiRootkit v1.0.1.0
                by swatkat

                ******************************************************************************************
                ******************************************************************************************

                No Hidden Processes found

                ******************************************************************************************
                ******************************************************************************************
                Kernel Modules:
                Module Name: \SystemRoot\System32\Filt\tmp\cskxa0qs.vbt
                Service Name: ---
                Module Base: 9F234000
                Module End: 9F3C4000
                Hidden: Yes

                Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
                Service Name: ---
                Module Base: 9F71B000
                Module End: 9F726000
                Hidden: Yes

                Module Name: \SystemRoot\System32\Drivers\dump_msahci.sys
                Service Name: ---
                Module Base: 9F726000
                Module End: 9F730000
                Hidden: Yes

                Module Name: \SystemRoot\System32\Drivers\dump_dumpfve.sys
                Service Name: ---
                Module Base: 9F730000
                Module End: 9F741000
                Hidden: Yes

                ******************************************************************************************
                ******************************************************************************************
                No SSDT Hooks found

                ******************************************************************************************
                ******************************************************************************************
                No Kernel Hooks found

                ******************************************************************************************
                ******************************************************************************************
                No hidden files/folders found

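One way to triage a SysProt kernel-module listing like the one above, as an added Python example that is not part of this thread or of SysProt itself: it parses the "Kernel Modules:" section of the log and separates the crash-dump driver copies (dump_*.sys under System32\Drivers, which the kernel loads outside its normal driver list and which anti-rootkit tools routinely report as hidden) from any other hidden module, which it marks for manual review together with the observable oddities (unusual directory, non-.sys extension, no service name). The sample log is constructed from the posted entries plus one visible driver; the verdict and reason strings are the example's own choices, not a judgement on the posted machine.

```python
from typing import Dict, List

# Constructed sample input in the layout of a SysProt Antirootkit log. The hidden
# entries mirror the log posted above; the visible msahci.sys entry is made up to
# show that non-hidden modules are filtered out.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
by swatkat

No Hidden Processes found

******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Filt\tmp\cskxa0qs.vbt
Service Name: ---
Module Base: 9F234000
Module End: 9F3C4000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 9F71B000
Module End: 9F726000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_msahci.sys
Service Name: ---
Module Base: 9F726000
Module End: 9F730000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\msahci.sys
Service Name: msahci
Module Base: 9F600000
Module End: 9F60A000
Hidden: No

******************************************************************************************
No SSDT Hooks found
"""

# Directory where Windows keeps its kernel drivers (compared case-insensitively).
DRIVER_DIR = "\\systemroot\\system32\\drivers\\"


def parse_kernel_modules(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per record in the 'Kernel Modules:' section of a SysProt log."""
    modules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "Kernel Modules:"
            continue
        # A separator row or the next "No ... found" summary ends the section.
        if line.startswith("*") or (line.startswith("No ") and line.endswith("found")):
            break
        if not line:                      # a blank line terminates one record
            if current:
                modules.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        modules.append(current)
    return modules


def triage_hidden_modules(modules: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only modules the tool reports as hidden and say why each deserves attention.

    dump_*.sys copies in the drivers directory are the crash-dump stack the kernel
    loads outside its normal module list, so they are marked 'expected'; every other
    hidden module is marked 'review' with the oddities that are visible in the log.
    """
    findings: List[Dict[str, object]] = []
    for m in modules:
        if m.get("Hidden", "No").lower() != "yes":
            continue
        name = m.get("Module Name", "")
        lname = name.lower()
        filename = lname.rsplit("\\", 1)[-1]
        in_driver_dir = lname.startswith(DRIVER_DIR)
        size = int(m["Module End"], 16) - int(m["Module Base"], 16)

        reasons: List[str] = []
        if not in_driver_dir:
            reasons.append("outside System32\\Drivers")
        if not filename.endswith(".sys"):
            reasons.append("extension is not .sys")
        if m.get("Service Name", "---") == "---":
            reasons.append("no service name")

        is_crash_dump_copy = in_driver_dir and filename.startswith("dump_") and filename.endswith(".sys")
        verdict = "expected" if is_crash_dump_copy else "review"
        findings.append({"module": name, "size": size, "verdict": verdict, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hidden_modules(parse_kernel_modules(SAMPLE_LOG)):
        print(f"{f['verdict']:8} {f['module']}  ({f['size']:#x} bytes)  {', '.join(f['reasons'])}")
```

Run it against a saved SysProt log by replacing SAMPLE_LOG with the file's contents; the image size is derived from the Module Base/End addresses, which helps when comparing an entry against the on-disk file.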

                ronymaxwell

                  Re: ds-any-world.ngd.ysm.yahoodns.net
                  « Reply #10 on: January 17, 2013, 04:54:34 AM »
                  aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
                  Run date: 2013-01-17 12:01:19
                  -----------------------------
                  12:01:19.950    OS Version: Windows 6.1.7601 Service Pack 1
                  12:01:19.950    Number of processors: 2 586 0x170A
                  12:01:19.950    ComputerName: LAPTOP  UserName: Ron
                  12:01:45.496    Initialize success
                  12:03:26.469    AVAST engine defs: 13011700
                  12:03:41.984    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
                  12:03:41.999    Disk 0 Vendor: TOSHIBA_MK2556GSYF LJ001D Size: 238475MB BusType: 11
                  12:03:42.030    Disk 0 MBR read successfully
                  12:03:42.030    Disk 0 MBR scan
                  12:03:42.093    Disk 0 Windows 7 default MBR code
                  12:03:42.124    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       238473 MB offset 2048
                  12:03:42.140    Disk 0 scanning sectors +488394752
                  12:03:42.218    Disk 0 scanning C:\Windows\system32\drivers
                  12:03:58.834    Service scanning
                  12:04:32.297    Modules scanning
                  12:04:43.429    Disk 0 trace - called modules:
                  12:04:43.444    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
                  12:04:43.460    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86a06030]
                  12:04:43.977    3 CLASSPNP.SYS[8b97659e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85904908]
                  12:04:46.567    AVAST engine scan C:\Windows
                  12:04:52.094    AVAST engine scan C:\Windows\system32
                  12:09:22.685    AVAST engine scan C:\Windows\system32\drivers
                  12:09:43.090    AVAST engine scan C:\Users\Ron
                  12:17:58.168    Disk 0 MBR has been saved successfully to "C:\Users\Ron\Documents\MBR.dat"
                  12:17:58.184    The log file has been saved successfully to "C:\Users\Ron\Documents\aswMBR.txt"
                   

                  SuperDave

                  Re: ds-any-world.ngd.ysm.yahoodns.net
                  « Reply #11 on: January 17, 2013, 12:20:30 PM »
                  How's your computer running now?

                  I'd like to scan your machine with ESET OnlineScan

                  Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may however need to disable your currently installed Anti-Virus; how to do so can be read here.

                  •Please go then click on the: button.
                  •Select the option YES, I accept the Terms of Use then click on: button.
                    •When prompted allow the Add-On/Active X to install.
                  •Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
                  •Now click on Advanced Settings and select the following:
                    •Scan for potentially unwanted applications
                    •Scan for potentially unsafe applications
                    •Enable Anti-Stealth Technology
                  •Push the Start button.
                  •The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.

                  •When completed the Online Scan will begin automatically.

                  Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

                  •When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

                  •Push
                  •Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

                  •Copy and paste that log as a reply to this topic.

                  Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

                  ronymaxwell

                    Topic Starter


                    Beginner

                    Thanked: 1
                    Re: ds-any-world.ngd.ysm.yahoodns.net
                    « Reply #12 on: January 17, 2013, 05:21:20 PM »
                    Computer seems to be running fine. 

                    ESETSmartInstaller@High as CAB hook log:
                    OnlineScanner.ocx - registred OK
                    # version=8
                    # iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
                    # OnlineScanner.ocx=1.0.0.6889
                    # api_version=3.0.2
                    # EOSSerial=4c0af9f755dbd34680d0f99e317a333d
                    # end=stopped
                    # remove_checked=false
                    # archives_checked=true
                    # unwanted_checked=true
                    # unsafe_checked=true
                    # antistealth_checked=true
                    # utc_time=2013-01-17 10:31:40
                    # local_time=2013-01-17 10:31:40 (+0000, GMT Standard Time)
                    # country="United Kingdom"
                    # lang=1033
                    # osver=6.1.7601 NT Service Pack 1
                    # compatibility_mode=5893 16776573 100 94 180507 110928291 0 0
                    # scanned=2794
                    # found=0
                    # cleaned=0
                    # scan_time=747
                    # version=8
                    # iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
                    # OnlineScanner.ocx=1.0.0.6889
                    # api_version=3.0.2
                    # EOSSerial=4c0af9f755dbd34680d0f99e317a333d
                    # end=finished
                    # remove_checked=false
                    # archives_checked=true
                    # unwanted_checked=true
                    # unsafe_checked=true
                    # antistealth_checked=true
                    # utc_time=2013-01-18 12:40:25
                    # local_time=2013-01-18 12:40:25 (+0000, GMT Standard Time)
                    # country="United Kingdom"
                    # lang=1033
                    # osver=6.1.7601 NT Service Pack 1
                    # compatibility_mode=5893 16776573 100 94 188232 110936016 0 0
                    # scanned=123064
                    # found=0
                    # cleaned=0
                    # scan_time=7647

                    SuperDave

                    Re: ds-any-world.ngd.ysm.yahoodns.net
                    « Reply #13 on: January 18, 2013, 12:18:59 PM »
                    Good. Now we can do some cleanup.

                    Download this program and run it: Uninstall ComboFix. It will remove ComboFix for you.

                    Click Start > Computer > right click the C Drive and choose Properties, then click Disk Cleanup from there.



                    Click OK on the Disk Cleanup Screen.
                    Click Yes on the Confirmation screen.



                    This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
                    ************************************************
                    Go to Microsoft Windows Update and get all critical updates.

                    ----------

                    I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                    SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                    * Using SpywareBlaster to protect your computer from Spyware and Malware
                    * If you don't know what ActiveX controls are, see here

                    Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                    Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                    Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                    Safe Surfing!

                    ronymaxwell

                      Re: ds-any-world.ngd.ysm.yahoodns.net
                      « Reply #14 on: January 19, 2013, 11:58:28 AM »
                      Thanks, Dave.  Brilliant, as always, from Computer Hope.  I had WOT but forgot to reinstall it when I changed my browser.  Done that now and I'm working through your other recommendations.  All the best, mate, and thanks again.