
Somersett

join:2004-12-04
Scotland

[Trojan] Trojan / Malware

Earlier this afternoon, I opened a PDF file on my energy supplier's website using Foxit, at which time Malwarebytes (Pro) indicated that it had detected and quarantined the following files. I was using a Standard User Account at the time.

2013/03/22 16:25:48 GMT CHILLBLAST Hommin DETECTION C:\Program Files\Foxit Software\Foxit Reader\plugins\Speech.fpi Trojan.Passwords.LD QUARANTINE
2013/03/22 16:25:48 GMT CHILLBLAST Hommin DETECTION C:\Program Files\Foxit Software\Foxit Reader\plugins\Updater.fpi Trojan.Passwords.LD QUARANTINE
2013/03/22 16:26:55 GMT CHILLBLAST Hommin DETECTION c:\program files\foxit software\foxit reader\plugins\speech.fpi Trojan.Passwords.LD QUARANTINE
2013/03/22 16:26:55 GMT CHILLBLAST Hommin DETECTION c:\program files\foxit software\foxit reader\plugins\updater.fpi Trojan.Passwords.LD QUARANTINE
2013/03/22 16:26:55 GMT CHILLBLAST Hommin ERROR Quarantine failed: SDKQuarantine failed with error code 2
2013/03/22 16:26:55 GMT CHILLBLAST Hommin ERROR Quarantine failed: SDKQuarantine failed with error code 2
2013/03/22 16:28:02 GMT CHILLBLAST Hommin DETECTION c:\program files\foxit software\foxit reader\plugins\speech.fpi Trojan.Passwords.LD QUARANTINE
2013/03/22 16:28:02 GMT CHILLBLAST Hommin DETECTION c:\program files\foxit software\foxit reader\plugins\updater.fpi Trojan.Passwords.LD QUARANTINE
2013/03/22 16:28:02 GMT CHILLBLAST Hommin ERROR Quarantine failed: SDKQuarantine failed with error code 2
2013/03/22 16:28:02 GMT CHILLBLAST Hommin ERROR Quarantine failed: SDKQuarantine failed with error code 2
2013/03/22 16:56:52 GMT CHILLBLAST Admin DETECTION c:\program files\foxit software\foxit reader\plugins\speech.fpi Trojan.Passwords.LD QUARANTINE
2013/03/22 16:56:52 GMT CHILLBLAST Admin DETECTION c:\program files\foxit software\foxit reader\plugins\updater.fpi Trojan.Passwords.LD QUARANTINE
2013/03/22 16:56:52 GMT CHILLBLAST Admin ERROR Quarantine failed: SDKQuarantine failed with error code 2
2013/03/22 16:56:52 GMT CHILLBLAST Admin ERROR Quarantine failed: SDKQuarantine failed with error code 2
2013/03/22 16:57:37 GMT CHILLBLAST Admin DETECTION c:\program files\foxit software\foxit reader\plugins\updater.fpi Trojan.Passwords.LD QUARANTINE
2013/03/22 16:57:38 GMT CHILLBLAST Admin ERROR Quarantine failed: SDKQuarantine failed with error code 2

I logged onto my Admin account and ran a full scan, which detected, quarantined and deleted the following file.

Malwarebytes Anti-Malware (PRO) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.22.08

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Admin :: CHILLBLAST [administrator]

Protection: Enabled

22/03/2013 16:57:45
mbam-log-2013-03-22 (16-57-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 232122
Time elapsed: 1 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Hommin\AppData\Local\Temp\Foxit Updater.exe (Trojan.Passwords.LD) -> Quarantined and deleted successfully.

I then ran ESET Online Scanner, which detected and deleted the following:

C:\Users\Admin\Documents\Downloads\Puran\PuranDefragSetup.exe Win32/Toolbar.Babylon application cleaned by deleting -

The following is the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

The computer seems to be working okay, but I am a bit concerned about the 'Quarantine failed: SDKQuarantine failed with error code 2' messages.

Somersett

join:2004-12-04
Scotland

OTL logfile created on: 22/03/2013 22:03:19 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Admin\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.25 Gb Total Physical Memory | 2.22 Gb Available Physical Memory | 68.20% Memory free
6.72 Gb Paging File | 5.71 Gb Available in Paging File | 84.91% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 439.14 Gb Free Space | 94.28% Space Free | Partition Type: NTFS

Computer Name: CHILLBLAST | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2013/01/31 13:49:24 | 000,678,400 | ---- | M] (The Document Foundation) -- C:\Program Files\LibreOffice 4.0\program\soffice.bin
PRC - [2013/01/31 13:49:24 | 000,061,616 | ---- | M] (The Document Foundation) -- C:\Program Files\LibreOffice 4.0\program\swriter.exe
PRC - [2013/01/31 13:49:24 | 000,054,960 | ---- | M] (The Document Foundation) -- C:\Program Files\LibreOffice 4.0\program\soffice.exe
PRC - [2013/01/27 11:11:46 | 000,295,232 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\NisSrv.exe
PRC - [2013/01/27 11:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/01/27 11:11:06 | 000,947,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2013/01/21 12:54:43 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe
PRC - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/12/14 16:49:28 | 000,512,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/08/30 19:13:00 | 001,258,856 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
PRC - [2012/08/30 15:57:34 | 000,864,104 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
PRC - [2012/08/30 09:40:00 | 000,382,312 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/04/10 22:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2006/12/22 06:31:50 | 000,108,712 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

[color=#E56717]========== Modules (No Company Name) ==========[/color]

MOD - [2013/01/31 13:38:06 | 000,289,968 | ---- | M] () -- C:\Program Files\LibreOffice 4.0\program\raptor.dll
MOD - [2013/01/31 13:38:06 | 000,158,384 | ---- | M] () -- C:\Program Files\LibreOffice 4.0\program\rasqal.dll
MOD - [2013/01/31 13:38:02 | 001,005,744 | ---- | M] () -- C:\Program Files\LibreOffice 4.0\program\libxml2.dll
MOD - [2013/01/31 13:38:02 | 000,175,280 | ---- | M] () -- C:\Program Files\LibreOffice 4.0\program\libxslt.dll
MOD - [2013/01/31 13:38:02 | 000,102,064 | ---- | M] () -- C:\Program Files\LibreOffice 4.0\program\librdf.dll

[color=#E56717]========== Services (SafeList) ==========[/color]

SRV - [2013/03/12 13:43:57 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/01/27 11:11:46 | 000,295,232 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013/01/27 11:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/08/30 19:13:00 | 001,258,856 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012/08/30 09:40:00 | 000,382,312 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2008/01/18 22:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006/12/22 06:31:50 | 000,108,712 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)

[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2013/01/20 15:59:04 | 000,100,328 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/08/30 19:13:00 | 010,790,760 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/04/12 07:29:42 | 000,048,128 | ---- | M] (Attansic Technology corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atl01v32.sys -- (AtcL001)
DRV - [2006/10/18 13:44:48 | 000,007,680 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)

[color=#E56717]========== Standard Registry (SafeList) ==========[/color]

[color=#E56717]========== Internet Explorer ==========[/color]

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.zen.co.uk/
IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

[color=#E56717]========== FireFox ==========[/color]

FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)

O1 HOSTS File: ([2006/09/18 21:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-994927991-3416385087-4104796439-1002..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{34416A86-B8FE-4644-98BD-8965E5B86130}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img27.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img27.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]

[2013/03/22 21:35:15 | 000,000,000 | ---D | C] -- C:\Users\Admin\Documents\Trojan
[2013/03/12 17:33:43 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\usb8023.sys
[2013/03/12 17:28:01 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/03/12 17:28:00 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/03/12 17:28:00 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/03/12 17:28:00 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/03/12 17:27:59 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/03/12 17:27:59 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/03/12 17:27:58 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/03/12 17:27:57 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/03/12 13:43:57 | 000,693,976 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/03/12 13:43:56 | 000,073,432 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/03/05 18:32:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Puran Defrag
[2013/03/05 18:32:14 | 000,000,000 | ---D | C] -- C:\Program Files\Puran Defrag
[2013/03/05 14:52:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2013/03/05 14:52:46 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2013/03/22 21:46:55 | 000,608,760 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/03/22 21:46:55 | 000,108,268 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/03/22 21:41:43 | 000,004,448 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/03/22 21:41:43 | 000,004,448 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/03/22 21:41:38 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/03/22 21:41:36 | 3488,735,232 | -HS- | M] () -- C:\hiberfil.sys
[2013/03/12 17:30:39 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/03/12 13:43:57 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/03/12 13:43:57 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/03/05 18:32:16 | 000,000,862 | ---- | M] () -- C:\Users\Admin\Desktop\Puran Defrag.lnk

[color=#E56717]========== Files Created - No Company Name ==========[/color]

[2013/03/12 13:43:58 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/03/05 18:32:16 | 000,000,862 | ---- | C] () -- C:\Users\Admin\Desktop\Puran Defrag.lnk
[2012/10/07 14:14:34 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2012/10/07 12:24:03 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2012/10/07 12:23:39 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2012/10/07 12:23:39 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2012/10/07 11:38:42 | 000,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2012/10/07 11:38:41 | 000,012,884 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2012/10/07 11:38:31 | 000,010,288 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2012/10/07 11:36:56 | 000,000,680 | ---- | C] () -- C:\Users\Admin\AppData\Local\d3d9caps.dat
[2012/08/30 09:40:14 | 000,429,416 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe

[color=#E56717]========== ZeroAccess Check ==========[/color]

[2006/11/02 12:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 17:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/10 22:28:20 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/10 22:28:26 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[color=#E56717]========== LOP Check ==========[/color]

[2012/12/13 13:45:43 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Canneverbe Limited
[2012/10/07 14:22:11 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Canon
[2013/02/08 17:50:08 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Foxit Software
[2013/02/08 11:17:19 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\LibreOffice
[2012/12/13 15:43:45 | 000,000,000 | ---D | M] -- C:\Users\Hommin\AppData\Roaming\Canneverbe Limited
[2012/10/30 16:45:46 | 000,000,000 | ---D | M] -- C:\Users\Hommin\AppData\Roaming\Canon
[2013/02/19 13:58:56 | 000,000,000 | ---D | M] -- C:\Users\Hommin\AppData\Roaming\Foxit Software
[2013/02/08 11:21:34 | 000,000,000 | ---D | M] -- C:\Users\Hommin\AppData\Roaming\LibreOffice
[2012/11/20 15:56:34 | 000,000,000 | ---D | M] -- C:\Users\Hommin\AppData\Roaming\Opera

[color=#E56717]========== Purity Check ==========[/color]

Somersett

join:2004-12-04
Scotland
OTL Extras logfile created on: 22/03/2013 22:03:19 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Admin\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.25 Gb Total Physical Memory | 2.22 Gb Available Physical Memory | 68.20% Memory free
6.72 Gb Paging File | 5.71 Gb Available in Paging File | 84.91% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 439.14 Gb Free Space | 94.28% Space Free | Partition Type: NTFS

Computer Name: CHILLBLAST | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color=#E56717]========== Extra Registry (SafeList) ==========[/color]

[color=#E56717]========== File Associations ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[color=#E56717]========== Shell Spawning ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[color=#E56717]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[color=#E56717]========== Firewall Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[color=#E56717]========== Authorized Applications List ==========[/color]

[color=#E56717]========== Vista Active Open Ports Exception List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

[color=#E56717]========== Vista Active Application Exception List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

[color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4500_series" = Canon iP4500 series
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4805" = CanoScan 8800F
"{25569723-DC5A-4467-A639-79535BF01B71}" = Adobe Help Center 2.1
"{2FDD750F-49B7-40C1-9D5E-D2955BC0E2D8}" = NVIDIA PhysX
"{390DD8BB-BB57-4942-A029-2D913E4E9D74}" = Microsoft Security Client
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{6E19F210-3813-4002-B561-94D66AA182B6}" = Attansic L1 Gigabit Ethernet Driver
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{8EA569F1-97AF-4C3E-A0CB-4846C2D35A81}" = LibreOffice 4.0.0.3
"{9223BBDE-693D-4B5F-A1DE-C40C7D2E4C89}" = Adobe Flash Player 11 ActiveX
"{A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}" = Adobe Photoshop Elements 5.0
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 306.23
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 306.23
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 306.23
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller Driver 306.23
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.12.0604
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.10.8
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"Adobe Photoshop Elements 5" = Adobe Photoshop Elements 5.0
"Canon iP4500 series User Registration" = Canon iP4500 series User Registration
"CanonMyPrinter" = Canon My Printer
"CCleaner" = CCleaner
"ESET Online Scanner" = ESET Online Scanner v3
"Foxit Reader_is1" = Foxit Reader
"InvelosDVDProfiler_is1" = DVD Profiler Version 3.8.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Puran Defrag_is1" = Puran Defrag 7.6

[color=#E56717]========== Last 20 Event Log Errors ==========[/color]

[ Application Events ]
Error - 09/03/2013 13:41:48 | Computer Name = ChillBlast | Source = Windows Search Service | ID = 3013
Description =

Error - 10/03/2013 13:24:47 | Computer Name = ChillBlast | Source = Application Hang | ID = 1002
Description = The program wmplayer.exe version 11.0.6002.18311 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: a6c Start Time: 01ce1db40e9441d0 Termination Time: 4089

Error - 12/03/2013 09:11:06 | Computer Name = ChillBlast | Source = Windows Search Service | ID = 3024
Description =

Error - 12/03/2013 09:49:08 | Computer Name = ChillBlast | Source = Windows Search Service | ID = 3024
Description =

Error - 12/03/2013 10:38:32 | Computer Name = ChillBlast | Source = Windows Search Service | ID = 3024
Description =

Error - 15/03/2013 11:12:58 | Computer Name = ChillBlast | Source = Windows Search Service | ID = 3013
Description =

Error - 18/03/2013 06:33:09 | Computer Name = ChillBlast | Source = Windows Search Service | ID = 3024
Description =

Error - 21/03/2013 08:05:25 | Computer Name = ChillBlast | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 9.0.8112.16470 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: b0c Start Time: 01ce262c1b6192aa Termination Time: 0

Error - 22/03/2013 13:09:15 | Computer Name = ChillBlast | Source = Windows Search Service | ID = 3024
Description =

Error - 22/03/2013 17:05:36 | Computer Name = ChillBlast | Source = Windows Search Service | ID = 3024
Description =

[ System Events ]
Error - 06/11/2012 12:47:36 | Computer Name = ChillBlast | Source = DCOM | ID = 10010
Description =

Error - 20/11/2012 13:50:46 | Computer Name = ChillBlast | Source = VDS Dynamic Provider | ID = 16908298
Description =

Error - 02/12/2012 16:38:03 | Computer Name = ChillBlast | Source = Service Control Manager | ID = 7011
Description =

Error - 04/12/2012 18:27:22 | Computer Name = ChillBlast | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 08/12/2012 10:22:04 | Computer Name = ChillBlast | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 21/12/2012 17:53:12 | Computer Name = ChillBlast | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 28/12/2012 10:47:42 | Computer Name = ChillBlast | Source = Print | ID = 6161
Description = The document BTFreecom1050 - Notepad, owned by Hommin, failed to print
on printer Canon iP4500 series. Try to print the document again, or restart the
print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 1322428.
Number of bytes printed: 1032308. Total number of pages in the document: 79. Number
of pages printed: 0. Client computer: \\CHILLBLAST. Win32 error code returned by
the print processor: 1. Incorrect function.

Error - 30/12/2012 12:33:16 | Computer Name = ChillBlast | Source = DCOM | ID = 10010
Description =

Error - 08/01/2013 10:31:48 | Computer Name = ChillBlast | Source = Service Control Manager | ID = 7034
Description =

Error - 08/01/2013 17:42:08 | Computer Name = ChillBlast | Source = Service Control Manager | ID = 7034
Description =

Somersett

join:2004-12-04
Scotland
Malwarebytes Anti-Malware (PRO) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.22.12

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Admin :: CHILLBLAST [administrator]

Protection: Enabled

22/03/2013 22:15:29
mbam-log-2013-03-22 (22-15-29).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 317589
Time elapsed: 22 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Somersett

join:2004-12-04
Scotland
# AdwCleaner v2.115 - Logfile created 03/22/2013 at 23:53:23
# Updated 17/03/2013 by Xplode
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# User : Admin - CHILLBLAST
# Boot Mode : Normal
# Running from : C:\Users\Admin\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKLM\Software\PIP

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16470

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [596 octets] - [22/03/2013 23:53:23]

########## EOF - C:\AdwCleaner[S1].txt - [655 octets] ##########

Somersett

join:2004-12-04
Scotland
Results of screen317's Security Check version 0.99.61
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
[u]``````````````Antivirus/Firewall Check:``````````````[/u]
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
[u]`````````Anti-malware/Other Utilities Check:`````````[/u]
Malwarebytes Anti-Malware version 1.70.0.1100
CCleaner
[u]````````Process Check: objlist.exe by Laurent````````[/u]
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
[u]`````````````````System Health check`````````````````[/u]
Total Fragmentation on Drive C: 0 %
[u]````````````````````End of Log``````````````````````[/u]


TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:5

1 recommendation

Hi Somersett

I don't see anything in the logs that was left behind, and MBAM no longer detects anything, so I think you got it.

The file that ESET deleted (unrelated to the other) was an install file that contained the Babylon Toolbar foistware. I would guess you may have opted out when you installed PuranDefrag, as if it had installed, AdwCleaner would have detected and removed it.

quote:
I was using a Standard User Account at the time.
An excellent choice.

On the MBAM error, if you're an MBAM customer, you contact the consumer help desk here.
If you are in an organization or a corporate customer, you can contact Corporate Support for assistance.

There's really nothing left for them to remove, but it might be good to let them know about the error message.

I recommend reading Tony Klein's article So How did I get Infected in the First Place? at »Security Cleanup FAQ »How do I prevent Browser Hijacks and Spyware?

Does your problem appear resolved?
--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010

Somersett

join:2004-12-04
Scotland
I posted details of the Protection Log Error Messages on the Malwarebytes Forum. I have since been advised that these were false positives and should be restored. Not sure how I can do that as, according to the log, quarantine failed and the third file was detected, quarantined and deleted after reboot.

I am not experiencing any problems with the computer at the moment so the issue would appear to be resolved.

Thank you for your assistance.



TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:5
said by Somersett:

I posted details of the Protection Log Error Messages on the Malwarebytes Forum. I have since been advised that these were false positives and should be restored. Not sure how I can do that as, according to the log, quarantine failed and the third file was detected, quarantined and deleted after reboot.

The updater for it that was quarantined and deleted was in the Temp folder, so that was likely created during the update process, and no need to restore that. As long as your Foxit software works properly, I'd leave it alone.

quote:
I am not experiencing any problems with the computer at the moment so the issue would appear to be resolved.
Excellent.
--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010
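A check that complements the "as long as your Foxit software works properly" test above, added here as an example and not part of anyone's post, of Malwarebytes' tooling or of Foxit's software: before restoring a file that a scanner flagged and the vendor later called a false positive, confirm that the copy on disk carries a valid Authenticode signature from the expected publisher and record its SHA-256 so it can be compared with a fresh download from the vendor. The plugin paths and the publisher name substring are assumptions for illustration; substitute the paths from your own protection log.

```powershell
# Added example: verify publisher signature and hash of files a scanner
# flagged before deciding whether to restore them. Paths are assumed placeholders.
$candidates = @(
    'C:\Program Files\Foxit Software\Foxit Reader\plugins\Speech.fpi',   # assumed path
    'C:\Program Files\Foxit Software\Foxit Reader\plugins\Updater.fpi'   # assumed path
)
$expectedPublisher = 'Foxit'   # assumed substring expected in the signer's subject

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing works on Windows PowerShell 2.0 (Vista era), where Get-FileHash is not available
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        # A missing file is consistent with a successful quarantine; nothing to verify here
        Write-Output "MISSING         $path"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    # Only a chain-valid signature whose subject names the expected publisher counts as OK
    $publisherOk = ($sig.Status -eq 'Valid') -and ($signer -like "*$expectedPublisher*")
    $verdict = if ($publisherOk) { 'SIGNED-OK      ' } else { 'CHECK-MANUALLY ' }
    Write-Output ("{0} {1}`n    status={2} signer={3}`n    sha256={4}" -f `
        $verdict, $path, $sig.Status, $signer, (Get-Sha256Hex -Path $path))
}
```

A `Valid` status with the expected publisher, plus a hash that matches a fresh copy from the vendor, supports restoring the file; anything else (unsigned, `NotSigned`, `HashMismatch`, an unexpected signer) is a reason to leave the item in quarantine and raise it with the vendor rather than restore it.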

Somersett

join:2004-12-04
Scotland
Do you have any advice / instructions re cleanup (OTL; AdwCleaner; Screen317 Security Check, which I downloaded to my Desktop)?


TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:5
Those can all be deleted, along with any logs they created.