# A disturbing 'Akamai' malware or spyware?



## oniro (Aug 23, 2003)

Hello to everybody interested in helping or in learning from my case,

I got some sort of malware from an online newspaper forum. It is an advertisement tab appearing and disappearing at the lower left whenever I open a page. It does not happen with other online news sites. What I found while searching for info on this issue was one script containing *akamai.smartadserver.com*.

Then I ran HijackThis. One flag came out:


For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

If that happens you need to edit the file yourself. To do this, click Start, Run and type:

notepad C:\windows\System32\drivers\etc\hosts

and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as "hosts" (with quotes), and reboot.

I followed the instructions and got a Notepad text of little value:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1 localhost
#	::1 localhost



However, a HijackThis log showed up (I don't know how complete it is):

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 07:21:20, on 31/07/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16800)
Boot mode: Normal

Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Hernando\AppData\Local\Google\Update\1.3.21.57\GoogleCrashHandler.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Users\Hernando\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Users\Hernando\Downloads\HijackThis.exe
C:\windows\system32\msfeedssync.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [UpdatePPShortCut] "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Hernando\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 8079 bytes

I hope some enlightened help can come to the rescue to avoid bigger damage.

Thank you very much,

Oniro

Tech Support Guy System Info Utility version 1.0.0.1
OS Version: Microsoft Windows 7 Home Premium , 32 bit
Processor: Pentium(R) Dual-Core CPU T4400 @ 2.20GHz, x64 Family 6 Model 23 Stepping 10
Processor Count: 2
RAM: 3004 Mb
Graphics Card: Mobile Intel(R) 4 Series Express Chipset Family, 1278 Mb
Hard Drives: C: Total - 100397 MB, Free - 59560 MB; D: Total - 355959 MB, Free - 355849 MB; 
Motherboard: SAMSUNG ELECTRONICS CO., LTD., R530/R730 , Not Applicable, 123490EN400015
Antivirus: Microsoft Security Essentials, Updated and Enabled
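A quick way to check what HijackThis was warning about, as an added example that is not part of the original post and not HijackThis code: the script below parses a Windows hosts file, ignores comment lines such as the stock Windows 7 header Oniro pasted (in a default Windows 7 file even the `localhost` mapping is commented out, so a clean file has no active entries at all), and flags active entries that blackhole or redirect update and security-vendor domains. It also reports entries that sit after a long run of blank lines, a common trick for pushing them below what Notepad shows on screen. The two hosts texts, the watchlist of domains, the 20-line gap threshold and the TEST-NET address are constructed for this example.

```python
import ipaddress

# Stock Windows 7 hosts file (constructed copy of the text pasted above).
STOCK_WINDOWS7_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
"""

# Constructed sample: the stock header, then three entries appended after a
# long run of blank lines so a casual look in Notepad sees only comments.
# 203.0.113.45 is a TEST-NET-3 address used as a stand-in for an attacker host.
TAMPERED_HOSTS = STOCK_WINDOWS7_HOSTS + "\n" * 300 + """\
127.0.0.1       update.microsoft.com
127.0.0.1       www.malwarebytes.org
203.0.113.45    www.google.com   # typical redirect entry
"""

# Domains malware commonly sinkholes (to block updates/cleanup tools) or
# redirects. Assumption: illustrative list, extend it for your environment.
WATCHLIST_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "malwarebytes.org",
    "symantec.com", "mcafee.com", "kaspersky.com", "trendmicro.com",
    "google.com",
)

HIDDEN_GAP = 20  # this many consecutive blank lines before an entry is suspicious


def parse_hosts(text):
    """Return (line_no, ip, hostnames, hidden) for every active mapping line.

    hidden is True once a run of >= HIDDEN_GAP blank lines has been seen,
    i.e. the entry lives below the part of the file a reader would scroll to.
    """
    entries = []
    blank_run = 0
    past_gap = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            blank_run += 1
            continue
        if blank_run >= HIDDEN_GAP:
            past_gap = True
        blank_run = 0
        body = raw.split("#", 1)[0].split()   # strip trailing comment, tokenize
        if len(body) < 2:
            continue                           # comment-only or malformed line
        try:
            ip = ipaddress.ip_address(body[0])
        except ValueError:
            continue                           # first token is not an address
        entries.append((line_no, ip, body[1:], past_gap))
    return entries


def on_watchlist(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def audit_hosts(text):
    """Return findings as (kind, hostname, ip, hidden); [] means nothing active."""
    findings = []
    for _line_no, ip, names, hidden in parse_hosts(text):
        sinkholed = ip.is_loopback or ip.is_unspecified
        for name in names:
            if sinkholed and name.lower() == "localhost":
                continue                       # the one mapping that belongs here
            if on_watchlist(name):
                kind = "blackholed" if sinkholed else "redirected"
            elif not sinkholed:
                kind = "review"                # LAN aliases land here; confirm by hand
            else:
                continue                       # ad-block style loopback entry, low risk
            findings.append((kind, name, str(ip), hidden))
    return findings


if __name__ == "__main__":
    print("stock file:", audit_hosts(STOCK_WINDOWS7_HOSTS))
    for finding in audit_hosts(TAMPERED_HOSTS):
        print(finding)
```

Run against the real file, read `C:\Windows\System32\drivers\etc\hosts` from an elevated prompt and pass its contents to `audit_hosts`; an empty result on a stock Windows 7 box is expected, and a `blackholed` hit on an update or vendor domain explains symptoms such as the "filter driver requires an up-to-date engine" errors later in this thread far more often than an exotic rootkit does.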


----------



## kevinf80 (Mar 21, 2006)

Run the following please :-

Please download *Malwarebytes* Anti-Malware and save it to your desktop.
*Alternative D/L mirror*
*Alternative D/L mirror*

Double Click mbam-setup.exe to install the application.

- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next,

We need to see some additional information about what is happening in your machine.
Please perform the following scan:

Download *DDS* by sUBs from one of the following links. Save it to your desktop.
*DDS.com*
*DDS.scr*
*DDS.pif*

Double click on the *DDS* icon, allow it to run.
A small box will open, with an explanation about the tool.
When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
- Save both reports to your desktop.
- The instructions here ask you to attach the Attach.txt.

*Instead of attaching, please copy/paste both logs into your next reply.*
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control *HERE*

Let me see the following in your next reply:

- Log from Malwarebytes
- DDS.txt
- Attach.txt

Kevin


----------



## oniro (Aug 23, 2003)

Hello Kevin, thank you so much for being so timely and supportive!!! I do appreciate your time and knowledge.

There was one Trojan and it was eliminated!!!

Here are copies of the logs (I understand it is not necessary to send any zipped attachment, as per your red remark):

*1-MALWAREBYTES LOG*

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7337

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

31/07/2011 15:22:22
mbam-log-2011-07-31 (15-22-22).txt

Scan type: Quick scan
Objects scanned: 154448
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\MyName\local settings\temporary internet files\silverlight.exe (Trojan.Agent) -> Quarantined and deleted successfully.

*2- DDS*

.
DDS (Ver_2011-06-23.01) - NTFSx86 
Internet Explorer: 8.0.7600.16385
Run by Hernando at 15:31:58 on 2011-07-31
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3005.2014 [GMT 3:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskeng.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe
C:\Program Files\Google\Update\1.3.21.57\GoogleCrashHandler.exe
C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\igfxext.exe
C:\windows\system32\igfxsrvc.exe
C:\Users\Hernando\Desktop\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Users\Hernando\Desktop\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Hernando\AppData\Local\Google\Update\1.3.21.57\GoogleCrashHandler.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\sppsvc.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\hernando\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\users\hernando\desktop\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\users\hernando\desktop\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: live.com\onecare
Trusted Zone: live.com\safety
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{5E10B9D3-FBAB-4228-B56D-2F79E07D7136} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl912de797;MpKsl912de797;c:\programdata\microsoft\microsoft antimalware\definition updates\{02a75b28-fcee-4a91-9dcf-4d5c3a9963a2}\MpKsl912de797.sys [2011-7-31 28752]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-6-14 10752]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 MBAMService;MBAMService;c:\users\hernando\desktop\malwarebytes' anti-malware\mbamservice.exe [2011-7-31 366640]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-8 126976]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-31 22712]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-17 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-25 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-17 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-31 41272]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-18 1343400]
.
=============== Created Last 30 ================
.
2011-07-31 12:28:23	28752	----a-w-	c:\programdata\microsoft\microsoft antimalware\definition updates\{02a75b28-fcee-4a91-9dcf-4d5c3a9963a2}\MpKsl912de797.sys
2011-07-31 12:15:36	--------	d-----w-	c:\users\hernando\appdata\roaming\Malwarebytes
2011-07-31 12:15:11	41272	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 12:15:10	--------	d-----w-	c:\programdata\Malwarebytes
2011-07-31 12:15:07	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-07-31 09:44:12	12800	----a-w-	c:\windows\system32\drivers\sffp_sd.sys
2011-07-31 08:30:32	--------	d-----w-	c:\users\hernando\appdata\local\NPE
2011-07-31 08:30:32	--------	d-----w-	c:\programdata\Norton
2011-07-31 03:56:02	388096	----a-r-	c:\users\hernando\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-31 03:56:01	--------	d-----w-	c:\program files\Trend Micro
2011-07-30 18:18:34	6881616	----a-w-	c:\programdata\microsoft\microsoft antimalware\definition updates\{02a75b28-fcee-4a91-9dcf-4d5c3a9963a2}\mpengine.dll
2011-07-25 04:24:42	0	---ha-w-	c:\users\hernando\appdata\local\BITD7E1.tmp
2011-07-23 22:05:23	0	---ha-w-	c:\users\hernando\appdata\local\BITCF34.tmp
2011-07-23 15:13:09	--------	d-----w-	c:\users\hernando\appdata\local\Microsoft Games
2011-07-05 09:19:49	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-04 11:26:17	--------	d-----w-	c:\users\hernando\appdata\local\{9E89EBF8-E69A-490D-B43B-8672F4812B25}
2011-07-03 09:34:53	--------	d-----w-	c:\users\hernando\appdata\local\{56A5E7FB-9DED-4A7B-B2B9-3F9183EFA21B}
.
==================== Find3M ====================
.
2011-06-22 09:48:53	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-06-11 02:37:19	2332672	----a-w-	c:\windows\system32\win32k.sys
2011-06-02 05:59:55	169984	----a-w-	c:\windows\system32\winsrv.dll
2011-06-02 05:58:05	290816	----a-w-	c:\windows\system32\KernelBase.dll
2011-06-02 05:55:31	271872	----a-w-	c:\windows\system32\conhost.exe
2011-06-02 03:45:49	6144	---ha-w-	c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-06-02 03:45:49	4608	---ha-w-	c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-02 03:45:49	3584	---ha-w-	c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-06-02 03:45:49	3072	---ha-w-	c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-05-28 03:00:02	1638912	----a-w-	c:\windows\system32\mshtml.tlb
2011-05-24 10:35:34	294912	----a-w-	c:\windows\system32\umpnpmgr.dll
2011-05-04 04:53:10	1553920	----a-w-	c:\windows\system32\tquery.dll
2011-05-04 04:52:59	666624	----a-w-	c:\windows\system32\mssvp.dll
2011-05-04 04:52:59	59392	----a-w-	c:\windows\system32\msscntrs.dll
2011-05-04 04:52:59	337408	----a-w-	c:\windows\system32\mssph.dll
2011-05-04 04:52:59	197120	----a-w-	c:\windows\system32\mssphtb.dll
2011-05-04 04:52:59	1401856	----a-w-	c:\windows\system32\mssrch.dll
2011-05-04 04:52:12	86528	----a-w-	c:\windows\system32\SearchFilterHost.exe
2011-05-04 04:52:12	428032	----a-w-	c:\windows\system32\SearchIndexer.exe
2011-05-04 04:52:12	164352	----a-w-	c:\windows\system32\SearchProtocolHost.exe
2011-05-04 02:43:59	222720	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys
2011-05-04 02:43:48	96256	----a-w-	c:\windows\system32\drivers\mrxsmb20.sys
2011-05-04 02:43:41	123392	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-05-03 04:50:29	740864	----a-w-	c:\windows\system32\inetcomm.dll
.
============= FINISH: 15:32:56.04 ===============

*3-ATTACH*

DDS (Ver_2011-06-23.01)
.
Microsoft Windows 7 Home Premium 
Boot Device: \Device\HarddiskVolume2
Install Date: 16/11/2010 20:57:14
System Uptime: 31/07/2011 15:28:00 (0 hours ago)
.
Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | R530/R730 
Processor: Pentium(R) Dual-Core CPU T4400 @ 2.20GHz | U2E1 | 2200/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 98 GiB total, 58.108 GiB free.
D: is FIXED (NTFS) - 348 GiB total, 347.509 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl67aefdd3
Device ID: ROOT\LEGACY_MPKSL67AEFDD3\0000
Manufacturer: 
Name: MpKsl67aefdd3
PNP Device ID: ROOT\LEGACY_MPKSL67AEFDD3\0000
Service: MpKsl67aefdd3
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl0b25fe88
Device ID: ROOT\LEGACY_MPKSL0B25FE88\0000
Manufacturer: 
Name: MpKsl0b25fe88
PNP Device ID: ROOT\LEGACY_MPKSL0B25FE88\0000
Service: MpKsl0b25fe88
.
==== System Restore Points ===================
.
RP300: 25/07/2011 15:20:15 - Windows Update
RP301: 26/07/2011 15:33:01 - Windows Update
RP302: 27/07/2011 16:20:11 - Windows Update
RP303: 28/07/2011 07:25:08 - Windows Update
RP304: 29/07/2011 12:56:11 - Windows Update
RP305: 30/07/2011 21:18:17 - Windows Update
RP306: 31/07/2011 06:55:39 - Installed HiJackThis
RP307: 31/07/2011 12:42:59 - Windows Update
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.5
Alice Greenfingers
Atheros Client Installation Program
BatteryLifeExtender
Bonbon Quest
Cake Mania
Canon MP Navigator EX 1.2
Canon MP190 series MP Drivers
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
CyberLink DVD Suite
CyberLink LabelPrint
CyberLink Power2Go
CyberLink PowerDirector
CyberLink PowerDVD 8
CyberLink PowerProducer
CyberLink YouCam
D3DX10
Daycare Nightmare
Dinner Timer Lite
Easy Display Manager
Easy Network Manager
Easy SpeedUp Manager
EasyBatteryManager
Flip Words
Galapago
Game Pack
Gem Shop
Google Chrome
Google Chrome Canary
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Insaniquarium Deluxe
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Internet TV for Windows Media Center
Java Auto Updater
Java(TM) 6 Update 26
Junk Mail filter update
Mahjong Escape Ancient China
Malwarebytes' Anti-Malware version 1.51.1.1800
Marvell Miniport Driver
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Office 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSVCRT
Opera 11.11
Realtek High Definition Audio Driver
Samsung Recovery Solution 4
Samsung Support Center
Samsung Update Plus
SamsungMovie
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Skype Toolbars
Skype 5.3
Slingo
Spelling Dictionaries Support For Adobe Reader 9
Spotify
Synaptics Pointing Device Driver
User Guide
Video Download Capture V2.6.3
VLC media player 1.1.8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live OneCare safety scanner
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Center Add-in for Silverlight
YouTube Downloader 2.7.1
.
==== Event Viewer Messages From Past Week ========
.
31/07/2011 15:28:39, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
29/07/2011 21:02:44, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
25/07/2011 09:57:52, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
25/07/2011 09:46:33, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
25/07/2011 09:09:40, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
24/07/2011 15:11:40, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.109.92.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7104.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
.
==== End Of File ===========================

Please keep in mind it was unnecessary to disable any protection because the scan ran smoothly and did nothing concerning A/V.

I hope I did well according to your instructions and that the issue will be solved. Let's see what you think about it.

Thank you very much again !!!! :up:

Oniro


----------



## kevinf80 (Mar 21, 2006)

Hiya Oniro,

Continue as follows please :-

*Step 1*

Please download *OTM by OldTimer*.
*Alternative Mirror 1*
*Alternative Mirror 2* 
Save it to your desktop. 
Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator

*Copy* the text between the dotted lines below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

-------------------------------------------------------------------
* 
:Files
ipconfig /flushdns /c
c:\programdata\Norton
c:\users\hernando\appdata\local\BITD7E1.tmp
c:\users\hernando\appdata\local\BITCF34.tmp
:Commands
[EmptyFlash]
[EmptyTemp]
[ResetHosts]
[ReBoot]
*
---------------------------------------------------------------------

 Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

*Step 2*

*Run ESET Online Scan*

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
*ESET OnlineScan*
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on
to download the ESET Smart Installer. *Save* it to your desktop.
Double click on the icon on your desktop.

Check
Click the button.
Accept any security warnings from your browser.
Check
*Leave the tick out of remove found threats*
Push the *Start* button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push
You can refer to *this animation* by *neomage* if needed.
Frequently asked questions available *Here* *Please read them before running the scan.*

Also be aware this scan can take between one and several hours to complete depending on the size of your system.

ESET log can be found here *"C:\Program Files\ESET\EsetOnlineScanner\log.txt".*

*Step 3*

Download Security Check by screen317 from *HERE* or *HERE*.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What I'd like in your reply :-


 Log from OTM
 Log from ESET
 Log from Security Checks
 Update on issues or concerns

Kevin


----------



## oniro (Aug 23, 2003)

Hello Kevin !!!

I guess I am through with the whole list. However I have to tell you some steps went on so fast I hardly could follow your script. Let's see:

*STEP 1*

1-OTM Old timer. When I just copied the bold text to the yellow frame, it was very frightening because the screen went empty of icons in continuous lightnings at the desktop while this process occurred and at the end of it the whole OTM frame disappeared and I don't know where the RESULTS you asked for can be found now.

I tried to use *c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log* to find the log but as I did not have the precise hour, minutes and seconds it took me nowhere.

*STEP 2*

The program did not find any dangerous thing to eliminate.

ESET log text :

[email protected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=bbc75c79bbde7e4ab64ea41ed4715440
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=false
# utc_time=2011-07-31 07:15:26
# local_time=2011-07-31 10:15:26 (+0200, FLE Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7600 NT 
# compatibility_mode=1024 16777215 100 0 20978718 20978718 0 0
# compatibility_mode=5893 16776574 100 94 20983120 63767642 0 0
# compatibility_mode=8192 67108863 100 0 313 313 0 0
# scanned=112190
# found=0
# cleaned=0
# scan_time=3274

------------------------------------------------------------------------------

*STEP 3*

SECURITY CHECK

Results of screen317's Security Check version 0.99.7 
Windows 7 (UAC is enabled) 
Internet Explorer 8 
*`````````````````````````````` 
Antivirus/Firewall Check:* 
Windows Firewall Enabled! 
ESET Online Scanner v3 
Microsoft Security Essentials 
WMI entry may not exist for antivirus; attempting automatic update. 
*``````````````````````````````` 
Anti-malware/Other Utilities Check:* 
Malwarebytes' Anti-Malware 
Java(TM) 6 Update 26 
*Out of date Java installed!* 
Adobe Flash Player 10.3.181.26 
Adobe Reader 9.4.5 
Out of date Adobe Reader installed! 
*```````````````````````````````` 
Process Check: 
objlist.exe by Laurent* 
Windows Defender MSMpEng.exe 
Malwarebytes' Anti-Malware mbamservice.exe 
Malwarebytes' Anti-Malware mbamgui.exe 
Microsoft Security Essentials msseces.exe 
Microsoft Security Client Antimalware MsMpEng.exe 
Microsoft Security Client Antimalware NisSrv.exe 
*``````````End of Log````````````*

Well, this is about it. I am sorry I could not get the OTM log, but if you give me some hints I could try again.

Thank you so much Kevin for your support,

Oniro


----------



## kevinf80 (Mar 21, 2006)

Navigate to this folder *c:\_OTMoveIt\MovedFiles* inside the folder will be the log from OTM, it will be listed as date and time it was run.log.

Also do the following:

You will have several programs installed, these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by *Secunia*, available *Here*. Before clicking the *Start* scan button, please check the box for the option *Enable thorough system inspection*. Just below the "Scan Options:" section, you'll see the status of what's currently processing....

...when the scan completes, the message "Detection completed successfully" will appear in the *Programs/Result* section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

If Secunia updates Java and/or Adobe make sure old versions are Uninstalled from your programs list.

Let me see the log from OTM and tell me what Secunia updates..

Kevin


----------



## oniro (Aug 23, 2003)

Ok Kevin. Here is the OTM log:

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Hernando\Desktop\cmd.bat deleted successfully.
C:\Users\Hernando\Desktop\cmd.txt deleted successfully.
c:\programdata\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963} folder moved successfully.
c:\programdata\Norton\NPE folder moved successfully.
c:\programdata\Norton folder moved successfully.
c:\users\hernando\appdata\local\BITD7E1.tmp moved successfully.
c:\users\hernando\appdata\local\BITCF34.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56502 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Hernando
->Temp folder emptied: 4457382 bytes
->Temporary Internet Files folder emptied: 163699833 bytes
->Java cache emptied: 42603 bytes
->Google Chrome cache emptied: 484325600 bytes
->Opera cache emptied: 33248821 bytes
->Flash cache emptied: 101745 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 28765479 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 682.00 mb

C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTM by OldTimer - Version 3.1.18.0 log created on 07312011_204713

----------------------------------------------------

The SECUNIA screening showed no risks. I am copying the results here:

Detection Statistics:
12 Applications Detected in Total
0 Insecure Versions Detected
12 Patched Versions Detected

Running For:
6 Minutes, 40 Seconds

Errors with the scan:
0 Errors Detected, scan result should be correct

Scan Options:

Enable thorough system inspection
Display only insecure programs
Status / Currently Processing:
Detection completed successfully

Programs / Result
Version Detected
Status

Congratulations, the scan that just completed of your PC did not detect any insecure programs

The JAVA icon now appears on the toolbar and I was checking the version. It is the last one, 6 - 26

This completes the last instructions from you. Let's see what you say about the results of this thorough test of my computer security. Something I would like to ask you is concerning the OTM functions. What is it moving, from where and to where? What does it correct?

Ok Kevin, I remain attentive here for your comments.

All the best,

Oniro


----------



## kevinf80 (Mar 21, 2006)

OTM moves files from where we direct it to its own folder *c:\_OTMoveIt\MovedFiles*; the files are contained there. If we make a mistake we can move the files back if necessary.
When we are finished we run a cleanup procedure and OTM and all associated folders and files are deleted. Does that answer your question?

Let me know how your system is responding, also tell me of any remaining issues or concerns. I've got to go out and will be back in approximately 6 hours....

Kevin


----------



## oniro (Aug 23, 2003)

Thank you for your answer on OTM. It's just that at a point the screen was emptied with a sort of continuous lightning. I never had seen such a turmoil with a program like this.

In my situation where I don't have an antivirus installed or active, for instance I had to stop AVG because it conflicted with Windows Defender; what is your recommendation: to keep AVG or the W. Defender which is not a full antivirus program I have been told.

Indeed I would like to know which of all these antivirus and anti-malware programs is your favorite. Which one do you recommend to install permanently? Now I have in my Desktop the programs you asked me to use in order to clean my notebook. Shall I keep them for periodic check-ups? Or what do you suggest?

Greetings,

Oniro


----------



## kevinf80 (Mar 21, 2006)

To keep safe when online you need a good *Antivirus/Antispyware/Antimalware/Anti-Rootkit* combination application. *Microsoft Security Essentials* covers all of those bases, but better still it is free. Go *Here* and hit the "Download it free today" tab, follow the prompts. Once installed it will want to update and carry out a quick scan, allow that to happen.

Go *Here* for information that will show you how to install and use MSE.

MSE will turn off Windows Defender as it has all of WD definitions included. When installed let MSE update and do a quick scan, let me know if it finds anything. It does not produce a log as such but you can check from the "History" tab in the main interface.

Also tell me how your system is responding, if no remaining issues we will clean up and remove the tools we have used...

Kevin


----------



## oniro (Aug 23, 2003)

Hello Kevin,


The system and the machine are working pretty well. The test would be to come back to the page where I got the malware to check if my current security is good enough. Let me tell you that I have had MSE installed all the time before even I asked for your help. I wonder why it did not catch the malware when the problem originated. I always update it when I am asked to do so. It should then have caught the virus we found. Last night I ran a full scan with MSE and the result was 0 infections.

Thank you so much,

Oniro


----------



## oniro (Aug 23, 2003)

Addendum: Indeed MSE had quarantined a Trojan Windows 32 Orsam!rts on July 17th, but I don't remember seeing the alert on the issue. I am not quite sure if this Trojan is the same we found with your recommended installed software.

Oniro


----------



## kevinf80 (Mar 21, 2006)

Clean up as follows :-

*Step 1*


Download *OTC* by OldTimer and save it to your *desktop.* *Alternative mirror*
Double click the icon to start the program.
If you are using Vista or Windows 7, please right-click and choose run as administrator
Then Click the big button.
You will get a prompt saying "_Begining Cleanup Process_". Please select *Yes*.
Restart your computer when prompted.
This will remove tools we have used and itself. *Any tools/logs remaining on the Desktop can be deleted.*

*Step 2*

1. Click Start, type *programs and features* in the Search programs and files box, and then press ENTER.
2. Click to select *ESET Online Scanner* from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall *ESET Online Scanner*, only re-boot if prompted.

*Step 3*

Download TFC to your desktop, from either of the following links
*Link 1*
*Link 2*

 Save any open work. TFC will close all open application windows.
 Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select "Run as Administrator"
 If prompted, click "Yes" to reboot.
Save any open work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system, if not *Re-boot it yourself to complete cleaning process* *<---- Very Important *

Keep TFC it is an excellent utility to keep your system optimized, it empties all user temp folders, Java cache etc etc. *Always remember to re-boot after a run*

*Step 4*

Create a new restore point:

1. Right-click on Computer and go to Properties.
2. Next click on the System Protection link.
3. The System Properties dialog screen opens up and you will want to click on Create.
4. Type in a description for the restore point which will help you remember the point at which it was created. Click on create.
5. You should see the message "The restore point was created successfully"

To remove all but the most recent restore point do the following:

1. Open Disk Cleanup by clicking the Start button. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.
2. If prompted, select the drive that you want to clean up, and then click OK.
3. In the Disk Cleanup for (drive letter) dialog box, click Clean up system files. Administrator permission required: if you're prompted for an administrator password or confirmation, type the password or provide confirmation.
4. If prompted, select the drive that you want to clean up, and then click OK.
5. Click the More Options tab, under System Restore and Shadow Copies, click Clean up.
6. In the Disk Cleanup dialog box, click Delete.
7. Click Delete Files, and then click OK.
Create a new restore point:

1. Right-click on Computer and go to Properties.
2. Next click on the System Protection link.
3. The System Properties dialog screen opens up and you will want to click on Create.
4. Type in a description for the restore point which will help you remember the point at which it was created. Click on create.
5. You should see the message "The restore point was created successfully"

Let me know if those steps completed OK, I'll give some good tips in my closure speech that will give more protection when browsing etc.

Kevin


----------



## oniro (Aug 23, 2003)

The 4 steps are completed now. Just to bring to your attention that in System Restore there are 2 Restore points now. I am not quite sure if, according to your instructions, to create a new restore point as the first action in STEP 4 excludes the last instruction to create a new Restore Point. In any case I deleted all the previous Restore Points, remaining only those two asked for in STEP 4 (I have the feeling we only require one.).

They remain at the Desktop, all the icons related to the applications I downloaded in this process, except the logs.

Now I am ready for your closing speech with 'Pomp and Circumstance' in the background


----------



## kevinf80 (Mar 21, 2006)

Apologies I double posted the system restore create instruction. No problem if you've created a second one, the main issue was flushing the old ones...

Here are some tips to reduce the potential for malware infection in the future:

*Make proper use of your antivirus and firewall*

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, *NEVER* turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use *WinPatrol* This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained *Here*

You will have several programs installed, these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by *Secunia*, available *Here*. Before clicking the *Start* scan button, please check the box for the option *Enable thorough system inspection*. Just below the "Scan Options:" section, you'll see the status of what's currently processing....

...when the scan completes, the message "Detection completed successfully" will appear in the *Programs/Result* section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

*Use a safer web browser*

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

*Firefox*,

*Opera*, and

*Chrome*.

All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial *HERE* which will help you to make IE *MUCH* safer.

These *browser add-ons* will help to make your browser safer:

*Web of Trust* warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for *Firefox* and *Internet Explorer*.

*Green* to go, 
*Yellow* for caution, and 
*Red* to stop.

Available for *Firefox* only. *NoScript* helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at *THIS* article.

Here are a couple of links by two security experts that will give some excellent tips and advice.

*So how did I get infected in the first place by Tony Klein*

*How to prevent Malware by Miekiemoes*

Finally this link *HERE* will give a comprehensive up-to-date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

If no remaining issues hit the "Mark Solved" tab at the top of the thread...

Take care,

Kevin


----------



## oniro (Aug 23, 2003)

Well Kevin, I am impressed with the arsenal of weapons to fight evil in the Internet you have displayed for me. I am very lucky you came across in my help, and I remain grateful for your good will, knowledge and time to solve my problem. I just would like to know what I can do to reciprocate your dedication. Please let me know.

Otherwise the only subject still to decide is what to do with all the icons and applications installed during this "operation". In my desktop there are icons for Malwarebytes, Securitycheck, TFC, OTM and Esetsmart.... Shall I keep these programs or what do you suggest?

With my vows for your personal happiness,

Oniro.


----------



## kevinf80 (Mar 21, 2006)

Step 1 and 2 of Post #13 should have removed OTM and ESET, Keep TFC and Malwarebytes, any other logs/tools can be safely deleted.

Keep Malwarebytes free version for twice weekly *quick scans* and once four weekly full scans, or as required scans. Always remember to update first.
TFC is a temp file cleaner and will keep your system free of clutter. Run weekly, always remember to re-boot.

Kevin


----------



## oniro (Aug 23, 2003)

In appreciation for your help I will go on and make a donation to TSG. And have this case marked as SOLVED.

All the very best,


Oniro


----------



## kevinf80 (Mar 21, 2006)

Thank you for the update, my help is, and always will be free. However, sites like this do cost money to run, I'm sure the admins will be very appreciative of your donation.

Thanks once again,

Kevin


----------



## oniro (Aug 23, 2003)

Hello Kevin, 

I was very happy to put some money two days ago via PayPal to the Tech Guys who across the years have come with invaluable help right on time, with good-willing and knowledgeable persons like yourself. Thanks always !!

Oniro


----------



## kevinf80 (Mar 21, 2006)

Thanks for the kind donation, I'm sure the Admins will be very appreciative.

Regards,

Kevin


----------



## oniro (Aug 23, 2003)

Sorry Kevin,

I forgot something. My program WINDOWS DEFENDER is not working. I have had also installed from long ago the Microsoft Security Essentials. I don't know if one excludes the other. Whenever I try to activate the Windows Defender there comes a flag with "THIS PROGRAM IS TURNED OFF". I then go to the ACTION CENTER to turn on the program but can not find any reference at all, or command to start the WINDOWS DEFENDER. What to do?


----------



## kevinf80 (Mar 21, 2006)

Microsoft Security Essentials turns Windows Defender OFF, MSE incorporates WD definitions....

Kevin


----------



## oniro (Aug 23, 2003)

Sorry to continue with my case. Last night I was running a video interview from a news service originated abroad and suddenly after 30 seconds, a local video clip with an advertisement in Finnish language broke in and was superimposed on the image and took over control of my Media Player. I could not stop it by any means, I could not mute it, I could not Escape because no command answered. I had to watch the full 1 minute advertisement clip complete to continue with the interview. Those interviews I watch never include any advertisement, ever !!!! I ran ALL the anti-malware available and no virus, or malware was found. Do you have a way to stop that?

Thanks again,


Oniro


----------



## kevinf80 (Mar 21, 2006)

It would appear that the site you visited is hacked, not much you can do when that occurs. Use Firefox as your browser, also from the tips I gave in closure speech.... use Web of Trust and ScriptBlocker addons.

Run a quick scan with Malwarebytes, remember to update first. If you have a spare $30 I'd upgrade Malwarebytes to the Pro version, it will run with MSE and you will get the all important realtime protection and auto updates. It is one of the best in class Anti-Malware programs available......

Kevin


----------



## oniro (Aug 23, 2003)

Thank you very much for answering Kevin. From the very first moment I ran HJT during this attempt to fix my problem, I noticed HJT could not run completely and this is why I posted with the first HJT log my comment "However a HijackThis flag showed up". But I did not have the precaution to post it along. Indeed it was: _"For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HiJackThis may not be able to fix this"_. I don't know if this brings some useful info on what to do.

Oniro


----------



## kevinf80 (Mar 21, 2006)

HJT does not have access to the "Hosts" file in your version of windows, hence the alert from HJT. That is not unusual and is not a concern to you.
What exactly is wrong with your system now, tell me all issues and concerns and I'll do my best to address them...

Kevin
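Added example, not from the thread or from any of the tools discussed in it: a small audit of a Windows hosts file of the kind HijackThis was trying to inspect (and that the OTM `[ResetHosts]` step replaced). It parses the file in the format shown in the default Microsoft file and flags mappings that would hijack name resolution; the sample hosts content and the `SENSITIVE_SUFFIXES` list are constructed for illustration.

```python
"""Audit a Windows hosts file for entries that could hijack name resolution.

Added example (not part of the thread). Format follows the default Microsoft
hosts file: one mapping per line, "IP hostname [aliases...]", '#' starts a
comment. The sample below is constructed; the domain list is illustrative.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Illustrative list (assumption): names that, if pinned in hosts, would block
# security updates or redirect security sites. A real audit would extend it.
SENSITIVE_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "malwarebytes.org",
    "eset.com",
)

# Constructed sample hosts file: default comments plus a few active entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
#\t127.0.0.1 localhost
127.0.0.1     localhost
::1           localhost
127.0.0.1     ads.example.test            # ad-blocking sink, benign
127.0.0.1     update.microsoft.com        # constructed: would block updates
198.51.100.7  www.malwarebytes.org        # constructed: redirect to TEST-NET-2
not-an-ip     whatever                    # constructed: malformed line
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list[str]
    flags: list[str] = field(default_factory=list)


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse active (non-comment) mappings; malformed addresses are kept and flagged."""
    entries: list[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            entries.append(HostsEntry(line_no, parts[0], parts[1:], ["malformed address"]))
            continue
        names = [p.lower() for p in parts[1:]]
        entries.append(HostsEntry(line_no, str(addr), names))
    return entries


def _is_sensitive(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def audit_hosts(text: str) -> list[HostsEntry]:
    """Return only the entries worth a second look, each with its reasons."""
    suspicious: list[HostsEntry] = []
    for entry in parse_hosts(text):
        if entry.flags:  # already flagged by the parser
            suspicious.append(entry)
            continue
        addr = ipaddress.ip_address(entry.address)
        for name in entry.names:
            if name == "localhost":
                # localhost must resolve to a loopback address
                if not addr.is_loopback:
                    entry.flags.append("localhost mapped away from loopback")
                continue
            if _is_sensitive(name):
                entry.flags.append(f"security/update domain pinned to {entry.address}")
            elif not addr.is_loopback:
                # Loopback sinks are a common, benign ad-block pattern; anything
                # else pins a public name to a fixed address and bypasses DNS.
                entry.flags.append("name pinned to a non-loopback address (bypasses DNS)")
        if entry.flags:
            suspicious.append(entry)
    return suspicious


if __name__ == "__main__":
    for e in audit_hosts(SAMPLE_HOSTS):
        print(f"line {e.line_no}: {e.address} {' '.join(e.names)} -> {'; '.join(e.flags)}")
```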


----------



## oniro (Aug 23, 2003)

Hello Kevin,

I ran the MalwareBytes and it shows nothing. Again I tried to watch the video last night and the malware struck again overpowering my Media Player while the advertisement ran. I also ran a complete 2 hours or full MalwareBytes scan and it did not show infection at all.

The computer is working fine. The only issue is that malware taking control of my machine while it runs. I can not mute the audio, I can't stop the video while it plays, I can not operate Escape to leave the page. All freezes when that thing takes control of the video I attempt to see. I tried with YouTube videos and there is no problem at all. Because that video I was watching is an interview with president Chavez from Venezuela, I started to guess if somebody has planted some malware to sabotage the viewing, but it only works for one minute and then after, the video runs normally to the end. As the interview was split in 3 or 4 clips, every clip when it starts suddenly stops to allow an overlaid video with a painkiller advertisement in Finnish language.

Indeed this is the only issue concerning the operation of my computer that is otherwise normal in every possible sense. This scan I made today; as you can see it shows no infection.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7416

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

09/08/2011 13:30:12
mbam-log-2011-08-09 (13-30-12).txt

Scan type: Quick scan
Objects scanned: 156379
Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Sorry Kevin, you now might be tired with this stuff. If you still want to put your brains on this matter I consider it very kind of you.

All the best,

Oniro


----------



## kevinf80 (Mar 21, 2006)

You have no malware on your system, the problem is the site you are visiting. Do you have Popup blocker engaged, do you really need to visit that particular site?


----------



## oniro (Aug 23, 2003)

Yes I have the pop-up blocker installed and on. And no, I don't need to visit that site anymore. Actually I had not visited it for months, till last week-end, and never happened anything like this. But I am in wonder why, while my system gets blocked visiting that site located in Latin America, I get frozen with an advertisement from here, in Finland where I live.

It's a huge relief if you say I don't have malware. However I am going to check again everything related with pop-ups. My browser is Chrome which I use 99% of the time. The other is Opera. Very seldom I use Explorer. My visit to that site was with Chrome and I had been recently checking the pop-up check mark.

Is it useful for you to know the link where the problem started?


Please let me know.


Greetings,


Oniro


----------



## kevinf80 (Mar 21, 2006)

Hiya Oniro

Send me the link to that site in a private message, do not post here. I'll check it out and let you know what I find out...

Kevin...


----------



## oniro (Aug 23, 2003)

Hi Kevin,

I have already sent the link to your private mail.


Ciao,

Oniro


----------



## kevinf80 (Mar 21, 2006)

I have not received your PM, can you resend...


----------

