[Trojan] Trojan / Malware

Author	All Replies
Somersett join:2004-12-04 Scotland	[Trojan] Trojan / Malware Earlier this afternoon, I opened a pdf file on my Energy Supplier's website using Foxit at which time Malwarebytes ( Pro ) indicated that it had detected and quarantined the following files. I was using a Standard User Account at the time. 2013/03/22 16:25:48 GMT CHILLBLAST Hommin DETECTION C:\Program Files\Foxit Software\Foxit Reader\plugins\Speech.fpi Trojan.Passwords.LD QUARANTINE 2013/03/22 16:25:48 GMT CHILLBLAST Hommin DETECTION C:\Program Files\Foxit Software\Foxit Reader\plugins\Updater.fpi Trojan.Passwords.LD QUARANTINE 2013/03/22 16:26:55 GMT CHILLBLAST Hommin DETECTION c:\program files\foxit software\foxit reader\plugins\speech.fpi Trojan.Passwords.LD QUARANTINE 2013/03/22 16:26:55 GMT CHILLBLAST Hommin DETECTION c:\program files\foxit software\foxit reader\plugins\updater.fpi Trojan.Passwords.LD QUARANTINE 2013/03/22 16:26:55 GMT CHILLBLAST Hommin ERROR Quarantine failed: SDKQuarantine failed with error code 2 2013/03/22 16:26:55 GMT CHILLBLAST Hommin ERROR Quarantine failed: SDKQuarantine failed with error code 2 2013/03/22 16:28:02 GMT CHILLBLAST Hommin DETECTION c:\program files\foxit software\foxit reader\plugins\speech.fpi Trojan.Passwords.LD QUARANTINE 2013/03/22 16:28:02 GMT CHILLBLAST Hommin DETECTION c:\program files\foxit software\foxit reader\plugins\updater.fpi Trojan.Passwords.LD QUARANTINE 2013/03/22 16:28:02 GMT CHILLBLAST Hommin ERROR Quarantine failed: SDKQuarantine failed with error code 2 2013/03/22 16:28:02 GMT CHILLBLAST Hommin ERROR Quarantine failed: SDKQuarantine failed with error code 2 2013/03/22 16:56:52 GMT CHILLBLAST Admin DETECTION c:\program files\foxit software\foxit reader\plugins\speech.fpi Trojan.Passwords.LD QUARANTINE 2013/03/22 16:56:52 GMT CHILLBLAST Admin DETECTION c:\program files\foxit software\foxit reader\plugins\updater.fpi Trojan.Passwords.LD QUARANTINE 2013/03/22 16:56:52 GMT CHILLBLAST Admin ERROR Quarantine failed: SDKQuarantine failed with error code 2 2013/03/22 16:56:52 GMT CHILLBLAST Admin ERROR Quarantine failed: SDKQuarantine failed with error code 2 2013/03/22 16:57:37 GMT CHILLBLAST Admin DETECTION c:\program files\foxit software\foxit reader\plugins\updater.fpi Trojan.Passwords.LD QUARANTINE 2013/03/22 16:57:38 GMT CHILLBLAST Admin ERROR Quarantine failed: SDKQuarantine failed with error code 2 I logged onto my Admin account and ran a full scan which detected , quarantined and deleted the following file. Malwarebytes Anti-Malware (PRO) 1.70.0.1100 www.malwarebytes.org Database version: v2013.03.22.08 Windows Vista Service Pack 2 x86 NTFS Internet Explorer 9.0.8112.16421 Admin :: CHILLBLAST [administrator] Protection: Enabled 22/03/2013 16:57:45 mbam-log-2013-03-22 (16-57-45).txt Scan type: Quick scan Scan options enabled: Memory \| Startup \| Registry \| File System \| Heuristics/Extra \| Heuristics/Shuriken \| PUP \| PUM \| P2P Scan options disabled: Objects scanned: 232122 Time elapsed: 1 minute(s), 53 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 C:\Users\Hommin\AppData\Local\Temp\Foxit Updater.exe (Trojan.Passwords.LD) -> Quarantined and deleted successfully. I then ran Eset Online Scanner which detected and deleted the following C:\Users\Admin\Documents\Downloads\Puran\PuranDefragSetup.exe Win32/Toolbar.Babylon application cleaned by deleting - The following is the Eset Log. ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK The computer seems to be working okay but I am a bit concerned about the 'Quarantine Failed with Error Code 2 Messages.'
	to forum · permalink · 2013-03-22 18:01:16 ·

Somersett join:2004-12-04 Scotland 1 edit	OTL logfile created on: 22/03/2013 22:03:19 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Admin\Desktop Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000809 \| Country: United Kingdom \| Language: ENG \| Date Format: dd/MM/yyyy 3.25 Gb Total Physical Memory \| 2.22 Gb Available Physical Memory \| 68.20% Memory free 6.72 Gb Paging File \| 5.71 Gb Available in Paging File \| 84.91% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: \| %SystemRoot% = C:\Windows \| %ProgramFiles% = C:\Program Files Drive C: \| 465.76 Gb Total Space \| 439.14 Gb Free Space \| 94.28% Space Free \| Partition Type: NTFS Computer Name: CHILLBLAST \| User Name: Admin \| Logged in as Administrator. Boot Mode: Normal \| Scan Mode: All users Company Name Whitelist: Off \| Skip Microsoft Files: Off \| No Company Name Whitelist: On \| File Age = 30 Days [color=#E56717]========== Processes (SafeList) ==========[/color] PRC - [2013/01/31 13:49:24 \| 000,678,400 \| ---- \| M] (The Document Foundation) -- C:\Program Files\LibreOffice 4.0\program\soffice.bin PRC - [2013/01/31 13:49:24 \| 000,061,616 \| ---- \| M] (The Document Foundation) -- C:\Program Files\LibreOffice 4.0\program\swriter.exe PRC - [2013/01/31 13:49:24 \| 000,054,960 \| ---- \| M] (The Document Foundation) -- C:\Program Files\LibreOffice 4.0\program\soffice.exe PRC - [2013/01/27 11:11:46 \| 000,295,232 \| ---- \| M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\NisSrv.exe PRC - [2013/01/27 11:11:46 \| 000,020,456 \| ---- \| M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe PRC - [2013/01/27 11:11:06 \| 000,947,152 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe PRC - [2013/01/21 12:54:43 \| 000,602,112 \| ---- \| M] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe PRC - [2012/12/14 16:49:28 \| 000,682,344 \| ---- \| M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe PRC - [2012/12/14 16:49:28 \| 000,512,360 \| ---- \| M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe PRC - [2012/12/14 16:49:28 \| 000,398,184 \| ---- \| M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe PRC - [2012/08/30 19:13:00 \| 001,258,856 \| ---- \| M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe PRC - [2012/08/30 15:57:34 \| 000,864,104 \| ---- \| M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe PRC - [2012/08/30 09:40:00 \| 000,382,312 \| ---- \| M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe PRC - [2009/04/10 22:27:38 \| 002,926,592 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2006/12/22 06:31:50 \| 000,108,712 \| ---- \| M] () -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [color=#E56717]========== Modules (No Company Name) ==========[/color] MOD - [2013/01/31 13:38:06 \| 000,289,968 \| ---- \| M] () -- C:\Program Files\LibreOffice 4.0\program\raptor.dll MOD - [2013/01/31 13:38:06 \| 000,158,384 \| ---- \| M] () -- C:\Program Files\LibreOffice 4.0\program\rasqal.dll MOD - [2013/01/31 13:38:02 \| 001,005,744 \| ---- \| M] () -- C:\Program Files\LibreOffice 4.0\program\libxml2.dll MOD - [2013/01/31 13:38:02 \| 000,175,280 \| ---- \| M] () -- C:\Program Files\LibreOffice 4.0\program\libxslt.dll MOD - [2013/01/31 13:38:02 \| 000,102,064 \| ---- \| M] () -- C:\Program Files\LibreOffice 4.0\program\librdf.dll [color=#E56717]========== Services (SafeList) ==========[/color] SRV - [2013/03/12 13:43:57 \| 000,253,656 \| ---- \| M] (Adobe Systems Incorporated) [On_Demand \| Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013/01/27 11:11:46 \| 000,295,232 \| ---- \| M] (Microsoft Corporation) [On_Demand \| Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv) SRV - [2013/01/27 11:11:46 \| 000,020,456 \| ---- \| M] (Microsoft Corporation) [Auto \| Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc) SRV - [2012/12/14 16:49:28 \| 000,682,344 \| ---- \| M] (Malwarebytes Corporation) [Auto \| Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012/12/14 16:49:28 \| 000,398,184 \| ---- \| M] (Malwarebytes Corporation) [Auto \| Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler) SRV - [2012/08/30 19:13:00 \| 001,258,856 \| ---- \| M] (NVIDIA Corporation) [Auto \| Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService) SRV - [2012/08/30 09:40:00 \| 000,382,312 \| ---- \| M] (NVIDIA Corporation) [Auto \| Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service) SRV - [2008/01/18 22:38:26 \| 000,272,952 \| ---- \| M] (Microsoft Corporation) [Auto \| Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2006/12/22 06:31:50 \| 000,108,712 \| ---- \| M] () [Auto \| Running] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0) [color=#E56717]========== Driver Services (SafeList) ==========[/color] DRV - File not found [Kernel \| On_Demand \| Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) DRV - File not found [Kernel \| On_Demand \| Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) DRV - File not found [Kernel \| On_Demand \| Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp) DRV - File not found [Kernel \| Disabled \| Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive) DRV - [2013/01/20 15:59:04 \| 000,100,328 \| ---- \| M] (Microsoft Corporation) [Kernel \| Auto \| Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv) DRV - [2012/12/14 16:49:28 \| 000,021,104 \| ---- \| M] (Malwarebytes Corporation) [File_System \| On_Demand \| Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector) DRV - [2012/08/30 19:13:00 \| 010,790,760 \| ---- \| M] (NVIDIA Corporation) [Kernel \| On_Demand \| Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm) DRV - [2007/04/12 07:29:42 \| 000,048,128 \| ---- \| M] (Attansic Technology corporation.) [Kernel \| On_Demand \| Running] -- C:\Windows\System32\drivers\atl01v32.sys -- (AtcL001) DRV - [2006/10/18 13:44:48 \| 000,007,680 \| ---- \| M] () [Kernel \| On_Demand \| Running] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor) [color=#E56717]========== Standard Registry (SafeList) ==========[/color] [color=#E56717]========== Internet Explorer ==========[/color] IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = »www.bing.com/search?q={searchTer···M=IE8SRC IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = »www.zen.co.uk/ IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = »uk.msn.com/?ocid=iehp IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = »www.bing.com/search?q={searchTer···M=IE8SRC IE - HKU\S-1-5-21-994927991-3416385087-4104796439-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 [color=#E56717]========== FireFox ==========[/color] FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) O1 HOSTS File: ([2006/09/18 21:41:30 \| 000,000,761 \| ---- \| M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.) O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation) O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKU\S-1-5-21-994927991-3416385087-4104796439-1002..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O13 - gopher Prefix: missing O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} »download.eset.com/special/eos/On···nner.cab (OnlineScanner Control) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{34416A86-B8FE-4644-98BD-8965E5B86130}: DhcpNameServer = 192.168.1.1 O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img27.jpg O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img27.jpg O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006/09/18 21:43:36 \| 000,000,024 \| ---- \| M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk ) O35 - HKLM\..comfile [open] -- "%1" % O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) [color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color] [2013/03/22 21:35:15 \| 000,000,000 \| ---D \| C] -- C:\Users\Admin\Documents\Trojan [2013/03/12 17:33:43 \| 000,015,872 \| ---- \| C] (Microsoft Corporation) -- C:\Windows\System32\drivers\usb8023.sys [2013/03/12 17:28:01 \| 002,382,848 \| ---- \| C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2013/03/12 17:28:00 \| 000,176,640 \| ---- \| C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll [2013/03/12 17:28:00 \| 000,142,848 \| ---- \| C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe [2013/03/12 17:28:00 \| 000,065,024 \| ---- \| C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2013/03/12 17:27:59 \| 001,800,704 \| ---- \| C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll [2013/03/12 17:27:59 \| 000,607,744 \| ---- \| C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll [2013/03/12 17:27:58 \| 000,231,936 \| ---- \| C] (Microsoft Corporation) -- C:\Windows\System32\url.dll [2013/03/12 17:27:57 \| 001,427,968 \| ---- \| C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl [2013/03/12 13:43:57 \| 000,693,976 \| ---- \| C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe [2013/03/12 13:43:56 \| 000,073,432 \| ---- \| C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl [2013/03/05 18:32:15 \| 000,000,000 \| ---D \| C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Puran Defrag [2013/03/05 18:32:14 \| 000,000,000 \| ---D \| C] -- C:\Program Files\Puran Defrag [2013/03/05 14:52:49 \| 000,000,000 \| ---D \| C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner [2013/03/05 14:52:46 \| 000,000,000 \| ---D \| C] -- C:\Program Files\CCleaner [color=#E56717]========== Files - Modified Within 30 Days ==========[/color] [2013/03/22 21:46:55 \| 000,608,760 \| ---- \| M] () -- C:\Windows\System32\perfh009.dat [2013/03/22 21:46:55 \| 000,108,268 \| ---- \| M] () -- C:\Windows\System32\perfc009.dat [2013/03/22 21:41:43 \| 000,004,448 \| -H-- \| M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2013/03/22 21:41:43 \| 000,004,448 \| -H-- \| M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2013/03/22 21:41:38 \| 000,067,584 \| --S- \| M] () -- C:\Windows\bootstat.dat [2013/03/22 21:41:36 \| 3488,735,232 \| -HS- \| M] () -- C:\hiberfil.sys [2013/03/12 17:30:39 \| 000,000,830 \| ---- \| M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013/03/12 13:43:57 \| 000,693,976 \| ---- \| M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe [2013/03/12 13:43:57 \| 000,073,432 \| ---- \| M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl [2013/03/05 18:32:16 \| 000,000,862 \| ---- \| M] () -- C:\Users\Admin\Desktop\Puran Defrag.lnk [color=#E56717]========== Files Created - No Company Name ==========[/color] [2013/03/12 13:43:58 \| 000,000,830 \| ---- \| C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013/03/05 18:32:16 \| 000,000,862 \| ---- \| C] () -- C:\Users\Admin\Desktop\Puran Defrag.lnk [2012/10/07 14:14:34 \| 000,000,209 \| ---- \| C] () -- C:\Windows\ODBCINST.INI [2012/10/07 12:24:03 \| 000,117,248 \| ---- \| C] () -- C:\Windows\System32\EhStorAuthn.dll [2012/10/07 12:23:39 \| 000,107,612 \| ---- \| C] () -- C:\Windows\System32\StructuredQuerySchema.bin [2012/10/07 12:23:39 \| 000,018,904 \| ---- \| C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin [2012/10/07 11:38:42 \| 000,007,680 \| ---- \| C] () -- C:\Windows\System32\drivers\ASACPI.sys [2012/10/07 11:38:41 \| 000,012,884 \| ---- \| C] () -- C:\Windows\Ascd_tmp.ini [2012/10/07 11:38:31 \| 000,010,288 \| ---- \| C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS [2012/10/07 11:36:56 \| 000,000,680 \| ---- \| C] () -- C:\Users\Admin\AppData\Local\d3d9caps.dat [2012/08/30 09:40:14 \| 000,429,416 \| ---- \| C] () -- C:\Windows\System32\nvStreaming.exe [color=#E56717]========== ZeroAccess Check ==========[/color] [2006/11/02 12:54:22 \| 000,000,227 \| RHS- \| M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 17:47:00 \| 011,586,048 \| ---- \| M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/10 22:28:20 \| 000,614,912 \| ---- \| M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/10 22:28:26 \| 000,347,648 \| ---- \| M] (Microsoft Corporation) "ThreadingModel" = Both [color=#E56717]========== LOP Check ==========[/color] [2012/12/13 13:45:43 \| 000,000,000 \| ---D \| M] -- C:\Users\Admin\AppData\Roaming\Canneverbe Limited [2012/10/07 14:22:11 \| 000,000,000 \| ---D \| M] -- C:\Users\Admin\AppData\Roaming\Canon [2013/02/08 17:50:08 \| 000,000,000 \| ---D \| M] -- C:\Users\Admin\AppData\Roaming\Foxit Software [2013/02/08 11:17:19 \| 000,000,000 \| ---D \| M] -- C:\Users\Admin\AppData\Roaming\LibreOffice [2012/12/13 15:43:45 \| 000,000,000 \| ---D \| M] -- C:\Users\Hommin\AppData\Roaming\Canneverbe Limited [2012/10/30 16:45:46 \| 000,000,000 \| ---D \| M] -- C:\Users\Hommin\AppData\Roaming\Canon [2013/02/19 13:58:56 \| 000,000,000 \| ---D \| M] -- C:\Users\Hommin\AppData\Roaming\Foxit Software [2013/02/08 11:21:34 \| 000,000,000 \| ---D \| M] -- C:\Users\Hommin\AppData\Roaming\LibreOffice [2012/11/20 15:56:34 \| 000,000,000 \| ---D \| M] -- C:\Users\Hommin\AppData\Roaming\Opera [color=#E56717]========== Purity Check ==========[/color]
	to forum · permalink · 2013-03-22 18:11:57 ·
Somersett join:2004-12-04 Scotland	OTL Extras logfile created on: 22/03/2013 22:03:19 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Admin\Desktop Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000809 \| Country: United Kingdom \| Language: ENG \| Date Format: dd/MM/yyyy 3.25 Gb Total Physical Memory \| 2.22 Gb Available Physical Memory \| 68.20% Memory free 6.72 Gb Paging File \| 5.71 Gb Available in Paging File \| 84.91% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: \| %SystemRoot% = C:\Windows \| %ProgramFiles% = C:\Program Files Drive C: \| 465.76 Gb Total Space \| 439.14 Gb Free Space \| 94.28% Space Free \| Partition Type: NTFS Computer Name: CHILLBLAST \| User Name: Admin \| Logged in as Administrator. Boot Mode: Normal \| Scan Mode: All users Company Name Whitelist: Off \| Skip Microsoft Files: Off \| No Company Name Whitelist: On \| File Age = 30 Days [color=#E56717]========== Extra Registry (SafeList) ==========[/color] [color=#E56717]========== File Associations ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [color=#E56717]========== Shell Spawning ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htmlfile [edit] -- Reg Error: Key error. htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) [color=#E56717]========== Security Center Settings ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [color=#E56717]========== Firewall Settings ==========[/color] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [color=#E56717]========== Authorized Applications List ==========[/color] [color=#E56717]========== Vista Active Open Ports Exception List ==========[/color] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] [color=#E56717]========== Vista Active Application Exception List ==========[/color] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] [color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4500_series" = Canon iP4500 series "{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4805" = CanoScan 8800F "{25569723-DC5A-4467-A639-79535BF01B71}" = Adobe Help Center 2.1 "{2FDD750F-49B7-40C1-9D5E-D2955BC0E2D8}" = NVIDIA PhysX "{390DD8BB-BB57-4942-A029-2D913E4E9D74}" = Microsoft Security Client "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{6E19F210-3813-4002-B561-94D66AA182B6}" = Attansic L1 Gigabit Ethernet Driver "{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP "{8EA569F1-97AF-4C3E-A0CB-4846C2D35A81}" = LibreOffice 4.0.0.3 "{9223BBDE-693D-4B5F-A1DE-C40C7D2E4C89}" = Adobe Flash Player 11 ActiveX "{A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}" = Adobe Photoshop Elements 5.0 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 306.23 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 306.23 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 306.23 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller Driver 306.23 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.12.0604 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.10.8 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "Adobe Photoshop Elements 5" = Adobe Photoshop Elements 5.0 "Canon iP4500 series User Registration" = Canon iP4500 series User Registration "CanonMyPrinter" = Canon My Printer "CCleaner" = CCleaner "ESET Online Scanner" = ESET Online Scanner v3 "Foxit Reader_is1" = Foxit Reader "InvelosDVDProfiler_is1" = DVD Profiler Version 3.8.1 "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft Security Client" = Microsoft Security Essentials "NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver "Puran Defrag_is1" = Puran Defrag 7.6 [color=#E56717]========== Last 20 Event Log Errors ==========[/color] [ Application Events ] Error - 09/03/2013 13:41:48 \| Computer Name = ChillBlast \| Source = Windows Search Service \| ID = 3013 Description = Error - 10/03/2013 13:24:47 \| Computer Name = ChillBlast \| Source = Application Hang \| ID = 1002 Description = The program wmplayer.exe version 11.0.6002.18311 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel. Process ID: a6c Start Time: 01ce1db40e9441d0 Termination Time: 4089 Error - 12/03/2013 09:11:06 \| Computer Name = ChillBlast \| Source = Windows Search Service \| ID = 3024 Description = Error - 12/03/2013 09:49:08 \| Computer Name = ChillBlast \| Source = Windows Search Service \| ID = 3024 Description = Error - 12/03/2013 10:38:32 \| Computer Name = ChillBlast \| Source = Windows Search Service \| ID = 3024 Description = Error - 15/03/2013 11:12:58 \| Computer Name = ChillBlast \| Source = Windows Search Service \| ID = 3013 Description = Error - 18/03/2013 06:33:09 \| Computer Name = ChillBlast \| Source = Windows Search Service \| ID = 3024 Description = Error - 21/03/2013 08:05:25 \| Computer Name = ChillBlast \| Source = Application Hang \| ID = 1002 Description = The program iexplore.exe version 9.0.8112.16470 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel. Process ID: b0c Start Time: 01ce262c1b6192aa Termination Time: 0 Error - 22/03/2013 13:09:15 \| Computer Name = ChillBlast \| Source = Windows Search Service \| ID = 3024 Description = Error - 22/03/2013 17:05:36 \| Computer Name = ChillBlast \| Source = Windows Search Service \| ID = 3024 Description = [ System Events ] Error - 06/11/2012 12:47:36 \| Computer Name = ChillBlast \| Source = DCOM \| ID = 10010 Description = Error - 20/11/2012 13:50:46 \| Computer Name = ChillBlast \| Source = VDS Dynamic Provider \| ID = 16908298 Description = Error - 02/12/2012 16:38:03 \| Computer Name = ChillBlast \| Source = Service Control Manager \| ID = 7011 Description = Error - 04/12/2012 18:27:22 \| Computer Name = ChillBlast \| Source = volmgr \| ID = 262190 Description = Crash dump initialization failed! Error - 08/12/2012 10:22:04 \| Computer Name = ChillBlast \| Source = volmgr \| ID = 262190 Description = Crash dump initialization failed! Error - 21/12/2012 17:53:12 \| Computer Name = ChillBlast \| Source = volmgr \| ID = 262190 Description = Crash dump initialization failed! Error - 28/12/2012 10:47:42 \| Computer Name = ChillBlast \| Source = Print \| ID = 6161 Description = The document BTFreecom1050 - Notepad, owned by Hommin, failed to print on printer Canon iP4500 series. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 1322428. Number of bytes printed: 1032308. Total number of pages in the document: 79. Number of pages printed: 0. Client computer: \\CHILLBLAST. Win32 error code returned by the print processor: 1. Incorrect function. Error - 30/12/2012 12:33:16 \| Computer Name = ChillBlast \| Source = DCOM \| ID = 10010 Description = Error - 08/01/2013 10:31:48 \| Computer Name = ChillBlast \| Source = Service Control Manager \| ID = 7034 Description = Error - 08/01/2013 17:42:08 \| Computer Name = ChillBlast \| Source = Service Control Manager \| ID = 7034 Description =
	to forum · permalink · 2013-03-22 18:14:02 ·
Somersett join:2004-12-04 Scotland	Malwarebytes Anti-Malware (PRO) 1.70.0.1100 www.malwarebytes.org Database version: v2013.03.22.12 Windows Vista Service Pack 2 x86 NTFS Internet Explorer 9.0.8112.16421 Admin :: CHILLBLAST [administrator] Protection: Enabled 22/03/2013 22:15:29 mbam-log-2013-03-22 (22-15-29).txt Scan type: Full scan (C:\\|) Scan options enabled: Memory \| Startup \| Registry \| File System \| Heuristics/Extra \| Heuristics/Shuriken \| PUP \| PUM \| P2P Scan options disabled: Objects scanned: 317589 Time elapsed: 22 minute(s), 58 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)
	to forum · permalink · 2013-03-22 18:39:52 ·
Somersett join:2004-12-04 Scotland	# AdwCleaner v2.115 - Logfile created 03/22/2013 at 23:53:23 # Updated 17/03/2013 by Xplode # Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits) # User : Admin - CHILLBLAST # Boot Mode : Normal # Running from : C:\Users\Admin\Desktop\adwcleaner.exe # Option [Delete] *** [Services] * * [Files / Folders] * * [Registry] * Key Deleted : HKCU\Software\APN PIP Key Deleted : HKLM\Software\PIP * [Internet Browsers] * -\\ Internet Explorer v9.0.8112.16470 [OK] Registry is clean. *********************** AdwCleaner[S1].txt - [596 octets] - [22/03/2013 23:53:23] ########## EOF - C:\AdwCleaner[S1].txt - [655 octets] ##########
	to forum · permalink · 2013-03-22 19:58:03 ·
Somersett join:2004-12-04 Scotland	Results of screen317's Security Check version 0.99.61 Windows Vista Service Pack 2 x86 (UAC is enabled) Internet Explorer 9 [u]``````````````Antivirus/Firewall Check:``````````````[/u] Windows Firewall Enabled! Microsoft Security Essentials Antivirus up to date! [u]`````````Anti-malware/Other Utilities Check:`````````[/u] Malwarebytes Anti-Malware version 1.70.0.1100 CCleaner [u]````````Process Check: objlist.exe by Laurent````````[/u] Microsoft Security Essentials MSMpEng.exe Microsoft Security Essentials msseces.exe Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbamgui.exe Malwarebytes' Anti-Malware mbamscheduler.exe [u]`````````````````System Health check`````````````````[/u] Total Fragmentation on Drive C: 0 % [u]````````````````````End of Log``````````````````````[/u]
	to forum · permalink · 2013-03-22 20:02:58 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Ruckersville, VA kudos:5	Hi Somersett I don't see anything in the logs that was left behind, and MBAM no longer detects anything, I think you got it. The file that ESET deleted (unrelated to the other) was an install file that contained the Babylon Toolbar foistware. I would guess you may have opted out when you installed PuranDefrag, as if it had installed, AdwCleaner would have detected and removed it. quote: I was using a Standard User Account at the time. An excellent choice. On the MBAM error, if you're an MBAM customer, you contact the consumer help desk here. If you are in an organization or a corporate customer, you can contact Corporate Support for assistance. There's really nothing left for them to remove, but it might be good to let them know about the error message. I recommend reading Tony Klein's article So How did I get Infected in the First Place? at »Security Cleanup FAQ »How do I prevent Browser Hijacks and Spyware? Does your problem appear resolved? -- Proud ASAP member since 2005 Microsoft MVP/Consumer Security 2009-2010
	to forum · permalink · 2013-03-22 21:01:39 ·
Somersett join:2004-12-04 Scotland	I posted details of the Protection Log Error Messages on the Malwarebytes Forum. I have since been advised that these were false positives and should be restored. Not sure how I can do that as, according to the log, quarantine failed and the third file was detected, quarantined and deleted after reboot. I am not experiencing any problems with the computer at the moment so the issue would appear to be resolved. Thank you for your assistance.
	to forum · permalink · 2013-03-23 07:40:47 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Ruckersville, VA kudos:5	said by Somersett: I posted details of the Protection Log Error Messages on the Malwarebytes Forum. I have since been advised that these were false positives and should be restored. Not sure how I can do that as, according to the log, quarantine failed and the third file was detected, quarantined and deleted after reboot. The updater for it that was quarantined and deleted was in the Temp folder, so that was likely created during the update process, and no need to restore that. As long as your Foxit software works properly, I'd leave it alone. quote: I am not experiencing any problems with the computer at the moment so the issue would appear to be resolved. Excellent. -- Proud ASAP member since 2005 Microsoft MVP/Consumer Security 2009-2010
	to forum · permalink · 2013-03-23 09:33:54 ·
Somersett join:2004-12-04 Scotland	Do you have any advice / instructions re cleanup ( OTL; AdwCleaner; Screen317 Security Check which I downloaded to my Desktop? )
	to forum · permalink · 2013-03-23 09:57:04 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Ruckersville, VA kudos:5	Those can all be deleted, along with any logs they created.
	to forum · permalink · 2013-03-23 19:05:26 ·

Broadband Tech > Security > Security Cleanup > [Trojan] Trojan / Malware