
still infected with smitfraud-c (i think)


This topic is locked. 29 replies to this topic.

#1 mr.squinter (Members, 24 posts)

Posted 14 November 2012 - 05:41 AM

Following on from my previous post.

PC still running slow. Spybot still seems to be scanning smitfraud-c, etc., but the result of the scan is still 'congratulations no immediate threat.' I don't get any pop-ups, just really slow PC performance.

DDS and GMER logs attached.

Attached Files





#2 sempai (Malware Response Team)

Posted 14 November 2012 - 06:04 AM

Hello mr.squinter and welcome to BC.

Please do not attach logs unless instructed.


Step 1: Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" is Cure (Please click on it and change it to skip).
  • Click on Report to generate a log.
  • Please post that log when you reply.



Step 2: Download OTL by OldTimer from one of the links below:

Link 1
Link 2

  • Save it to your desktop.
  • Close all open windows on the Task Bar.
  • Double click the OTL icon to run the program (run as Administrator for Windows Vista/7).
  • Put a check mark on Scan All Users.
  • Click the Run Scan button and let it run uninterrupted.
  • It will create two reports namely OTL.txt (will be opened) and Extras.txt (will be minimized).
  • Post the contents of both reports when you reply.
  • Exit OTL.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 mr.squinter (Topic Starter)

Posted 14 November 2012 - 06:33 AM

Thanks for your help. Firstly I must point out that I got so used to posting all the logs in a previous post, I didn't even think. My apologies.

In the previous post for this same problem I was asked to do a few checks, then submit the problem as a new post, so here I am. I already ran TDSSKiller as recommended in the previous post. Log enclosed.

I will leave the OTL scan as it's still running - I'm off to work for 4 hrs. Will send the log when I get home.

#4 mr.squinter (Topic Starter)

Posted 14 November 2012 - 09:51 AM

As promised - OTL logs attached.

Attached Files



#5 sempai (Malware Response Team)

Posted 14 November 2012 - 11:05 AM

P2P Warning:

µTorrent

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes.

These programmes allow users to share files between one another, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


===============================


Step 1: We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy



Step 2: Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scan/Fixes text box.

    :OTL
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.aol.co.uk/web?isinit=true&query=%s
    IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACPW
    IE - HKU\S-1-5-21-3610778765-254766384-1690516386-1000\..\SearchScopes,DefaultScope = {347C58C8-E46F-4FD6-BB64-1C0A427B2327}
    IE - HKU\S-1-5-21-3610778765-254766384-1690516386-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKU\S-1-5-21-3610778765-254766384-1690516386-1000\..\SearchScopes\{1DCA0845-D10E-4C2B-B949-1B4D1A1378AB}: "URL" = http://search.aol.co.uk/aolcom/search?query={searchTerms}&invocationType=msie70a
    IE - HKU\S-1-5-21-3610778765-254766384-1690516386-1000\..\SearchScopes\{23F2C6BE-DF6F-4513-80E4-AF52E8864443}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACPW
    IE - HKU\S-1-5-21-3610778765-254766384-1690516386-1000\..\SearchScopes\{347C58C8-E46F-4FD6-BB64-1C0A427B2327}: "URL" = http://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=386496&p={searchTerms}
    IE - HKU\S-1-5-21-3610778765-254766384-1690516386-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKU\S-1-5-21-3610778765-254766384-1690516386-1000\..\SearchScopes\{BDA3AF4F-20DE-4903-A75F-89970E86DBF2}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=FTB&o=41648107&src=crm&q={searchTerms}&locale=&apn_ptnrs=9D&apn_dtid=YYYYYYYYGB&apn_uid=8764D9E4-CA88-452A-860F-4D81DE0C8F62&apn_sauid=8FCFF04F-0C07-415A-B9B6-F59734E9AC12
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Steve\AppData\Local\Temp\ugloypob.sys -- (ugloypob)
    DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSPX.SYS -- (SRTSPX)
    DRV - File not found [File_System | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSP.SYS -- (SRTSP)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVEX15.SYS -- (NAVEX15)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVENG.SYS -- (NAVENG)
    O3 - HKLM\..\Toolbar: (no name) - !{E634228A-03CF-4BC8-B0AB-668257F1FD8C} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKU\S-1-5-21-3610778765-254766384-1690516386-1000\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [EMPTYTEMP] 
    [CREATERESTOREPOINT] 
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A message box "Fix complete! Click OK to open the fix log." will pop up.
  • Click the OK button and a report will open.
  • Copy and Paste that report in your next reply.

~Semp


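As an added, read-only example (my own code, not OTL's and not something posted in this thread): a PowerShell audit that reproduces the three checks behind the entries in the fix above, so you can see for yourself what OTL is flagging before anything is deleted. It assumes PowerShell 2.0 or later run on the affected machine (ideally elevated, so every service key is readable), and it reads only the standard locations OTL reports on: the Services key for drivers whose file is missing ("DRV - File not found"), the Internet Explorer SearchScopes keys, and the Toolbar keys for entries whose CLSID no longer resolves ("O3 ... No CLSID value found"). Nothing here stops, deletes or changes anything.

```powershell
# Added example, not from the thread or from OTL. Read-only audit of the three
# classes of leftovers the OTL fix in post #5 targets. Requires PowerShell 2.0+.

# 1. Services/drivers whose ImagePath no longer exists on disk
#    (what OTL reports as "DRV - File not found").
function Get-OrphanedServices {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }
        $raw = [Environment]::ExpandEnvironmentVariables([string]$props.ImagePath)
        # Normalise the forms the kernel accepts but Test-Path does not
        $raw = $raw -replace '^\\\?\?\\', ''                       # \??\C:\...
        $raw = $raw -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\system32\...
        if ($raw.StartsWith('"')) {
            $path = $raw.Split('"')[1]                              # "C:\Program Files\x.exe" -args
        } else {
            $path = ($raw -split '\s+[-/]')[0]                      # C:\...\svchost.exe -k netsvcs
        }
        # Relative paths (e.g. system32\drivers\foo.sys) resolve under %SystemRoot%
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            New-Object PSObject -Property @{
                Service   = $key.PSChildName
                ImagePath = $props.ImagePath
                Resolved  = $path
            }
        }
    }
}

# 2. Every IE search scope in both hives, with the DefaultScope marked, so the
#    URLs can be reviewed by eye (OTL's "IE - ...\SearchScopes" lines).
function Get-SearchScopes {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $base = "$hive\Software\Microsoft\Internet Explorer\SearchScopes"
        if (-not (Test-Path -Path $base)) { continue }
        $default = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).DefaultScope
        foreach ($scope in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Hive    = $hive
                Scope   = $scope.PSChildName
                Default = ($scope.PSChildName -eq $default)
                Name    = $p.DisplayName
                URL     = $p.URL
            }
        }
    }
}

# 3. Toolbar registrations whose value name should be a CLSID but has no
#    matching HKCR\CLSID key (OTL's "O3 ... No CLSID value found").
function Get-DanglingToolbarEntries {
    $keys = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
            'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    foreach ($keyPath in $keys) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        foreach ($name in (Get-Item -Path $keyPath).GetValueNames()) {
            # Only names meant to be CLSIDs; the "!" prefix and bare numbers are
            # the malformed shapes that appeared in this thread's OTL log
            if ($name -notmatch '^!?(\{[0-9A-Fa-f-]{36}\}|\d+)$') { continue }
            $clsid = $name.TrimStart('!')
            if (-not (Test-Path -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid")) {
                New-Object PSObject -Property @{ Key = $keyPath; ValueName = $name; ClsidFound = $false }
            }
        }
    }
}

Get-OrphanedServices       | Format-Table Service, ImagePath, Resolved -AutoSize
Get-SearchScopes           | Format-Table Hive, Scope, Default, Name, URL -AutoSize
Get-DanglingToolbarEntries | Format-Table Key, ValueName, ClsidFound -AutoSize
```

Run it before and after an OTL fix and compare: every "DRV - File not found" line should appear in the first table and every "O3 ... No CLSID value found" line in the third, and both should be empty afterwards. The search-scope table is deliberately not filtered, because a hijacked or stale scope cannot be recognised by shape alone; read the URL column against the search provider you actually chose and treat anything you do not recognise as a candidate for the helper's next fix, not as something to delete yourself.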

#6 mr.squinter (Topic Starter)

Posted 14 November 2012 - 12:58 PM

Did as you recommended. Upon reboot the expected log was displayed, but also, my Avast is displaying this message: 'click on finish to complete your avast software update'. I have not yet clicked on 'finish' cos I was worried about making any changes to the PC, as all the processes that the PC is using have already been logged in previous scans. Don't wanna confuse things. Any advice on what to do?

OTL log:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}\ not found.
HKEY_USERS\S-1-5-21-3610778765-254766384-1690516386-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-3610778765-254766384-1690516386-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_USERS\S-1-5-21-3610778765-254766384-1690516386-1000\Software\Microsoft\Internet Explorer\SearchScopes\{1DCA0845-D10E-4C2B-B949-1B4D1A1378AB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DCA0845-D10E-4C2B-B949-1B4D1A1378AB}\ not found.
Registry key HKEY_USERS\S-1-5-21-3610778765-254766384-1690516386-1000\Software\Microsoft\Internet Explorer\SearchScopes\{23F2C6BE-DF6F-4513-80E4-AF52E8864443}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23F2C6BE-DF6F-4513-80E4-AF52E8864443}\ not found.
Registry key HKEY_USERS\S-1-5-21-3610778765-254766384-1690516386-1000\Software\Microsoft\Internet Explorer\SearchScopes\{347C58C8-E46F-4FD6-BB64-1C0A427B2327}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{347C58C8-E46F-4FD6-BB64-1C0A427B2327}\ not found.
Registry key HKEY_USERS\S-1-5-21-3610778765-254766384-1690516386-1000\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ not found.
Registry key HKEY_USERS\S-1-5-21-3610778765-254766384-1690516386-1000\Software\Microsoft\Internet Explorer\SearchScopes\{BDA3AF4F-20DE-4903-A75F-89970E86DBF2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDA3AF4F-20DE-4903-A75F-89970E86DBF2}\ not found.
Error: No service named ugloypob was found to stop!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ugloypob deleted successfully.
File C:\Users\Steve\AppData\Local\Temp\ugloypob.sys not found.
Service SRTSPX stopped successfully!
Service SRTSPX deleted successfully!
File C:\Windows\system32\drivers\NIS\1000000.07D\SRTSPX.SYS not found.
Service SRTSP stopped successfully!
Service SRTSP deleted successfully!
File C:\Windows\system32\drivers\NIS\1000000.07D\SRTSP.SYS not found.
Service NAVEX15 stopped successfully!
Service NAVEX15 deleted successfully!
File C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVEX15.SYS not found.
Service NAVENG stopped successfully!
Service NAVENG deleted successfully!
File C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVENG.SYS not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\!{E634228A-03CF-4BC8-B0AB-668257F1FD8C} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\10 deleted successfully.
Registry value HKEY_USERS\S-1-5-21-3610778765-254766384-1690516386-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Steve\Desktop\cmd.bat deleted successfully.
C:\Users\Steve\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes

User: Lynda
->Temp folder emptied: 117034 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 956 bytes

User: Public

User: Steve
->Temp folder emptied: 109768 bytes
->Java cache emptied: 3105143 bytes
->Google Chrome cache emptied: 6099312 bytes
->Flash cache emptied: 523 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1459036 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1952 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 2317703 bytes

Total Files Cleaned = 13.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 11142012_172551

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

#7 sempai (Malware Response Team)

Posted 14 November 2012 - 06:42 PM

Hi,

You can finish the Avast software update, we will generate a new log if needed.


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp



#8 mr.squinter (Topic Starter)

Posted 15 November 2012 - 04:18 AM

ComboFix didn't restart the PC, but when I opened Explorer, a new window appeared asking me to manage add-ons, but I cancelled it. Log:

ComboFix 12-11-14.01 - Steve 15/11/2012 8:46.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.767.216 [GMT 0:00]
Running from: c:\users\Steve\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\epyks.pad
c:\users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4644.tmp
c:\users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4902.tmp
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Install.cmd
c:\windows\system32\jgaw400.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-15 to 2012-11-15 )))))))))))))))))))))))))))))))
.
.
2012-11-15 09:02 . 2012-11-15 09:03 -------- d-----w- c:\users\Steve\AppData\Local\temp
2012-11-15 09:02 . 2012-11-15 09:02 -------- d-----w- c:\users\Lynda\AppData\Local\temp
2012-11-15 09:02 . 2012-11-15 09:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-14 17:25 . 2012-11-14 17:25 -------- d-----w- C:\_OTL
2012-11-14 09:35 . 2012-11-14 09:37 -------- d-----w- c:\users\Steve\AppData\Local\Ahead
2012-11-13 07:41 . 2012-11-13 07:41 -------- d-----w- c:\program files\ESET
2012-11-12 18:25 . 2012-11-12 18:25 -------- d-----w- c:\users\Steve\AppData\Roaming\Malwarebytes
2012-11-12 18:24 . 2012-11-12 18:24 -------- d-----w- c:\programdata\Malwarebytes
2012-11-12 18:24 . 2012-11-12 18:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-11-12 18:24 . 2012-09-29 19:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-11 21:17 . 2012-11-11 21:17 -------- d-----w- C:\VundoFix Backups
2012-11-11 18:08 . 2012-11-11 18:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-11-11 10:01 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2012-11-11 10:00 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2012-11-11 10:00 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2012-11-11 10:00 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2012-11-11 10:00 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2012-11-11 10:00 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
2012-11-11 10:00 . 2009-10-09 21:55 79872 ----a-w- c:\windows\system32\wecutil.exe
2012-11-11 10:00 . 2009-10-09 21:55 54272 ----a-w- c:\windows\system32\WsmRes.dll
2012-11-11 10:00 . 2009-10-09 21:55 146944 ----a-w- c:\windows\system32\wecsvc.dll
2012-11-11 10:00 . 2009-10-09 21:55 81408 ----a-w- c:\windows\system32\wevtfwd.dll
2012-11-11 10:00 . 2009-10-09 21:55 56320 ----a-w- c:\windows\system32\wecapi.dll
2012-11-11 10:00 . 2009-10-09 21:56 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
2012-11-11 10:00 . 2009-08-01 06:27 201184 ----a-w- c:\windows\system32\winrm.vbs
2012-11-11 09:59 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2012-11-11 09:59 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2012-11-11 09:59 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
2012-11-11 09:59 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2012-11-11 09:59 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2012-11-11 09:59 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2012-11-11 09:45 . 2012-11-11 09:36 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-11 09:40 . 2012-11-11 09:37 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-10 16:27 . 2012-11-10 16:27 -------- d-----w- c:\users\Steve\AppData\Local\Downloaded Installations
2012-11-10 16:24 . 2012-11-10 16:25 -------- d-----w- c:\program files\adawaretb
2012-11-10 16:24 . 2012-11-10 16:24 -------- d-----w- c:\program files\Toolbar Cleaner
2012-11-10 16:23 . 2012-11-10 16:23 -------- d-----w- c:\users\Steve\AppData\Roaming\LavasoftStatistics
2012-11-10 16:20 . 2012-11-10 16:20 318 ---ha-w- C:\aaw7boot.cmd
2012-11-10 13:59 . 2012-11-10 13:59 -------- d-----w- c:\program files\Lavasoft
2012-11-09 21:23 . 2012-11-09 21:23 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-11-09 21:14 . 2012-11-09 21:14 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2012-11-09 21:14 . 2012-11-09 21:14 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2012-11-09 21:14 . 2012-11-09 21:14 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2012-11-09 21:14 . 2012-11-09 21:14 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2012-11-09 21:14 . 2012-11-09 21:14 2873344 ----a-w- c:\windows\system32\mf.dll
2012-11-09 21:14 . 2012-11-09 21:14 98816 ----a-w- c:\windows\system32\mfps.dll
2012-11-09 21:14 . 2012-11-09 21:14 209920 ----a-w- c:\windows\system32\mfplat.dll
2012-11-09 21:14 . 2012-11-09 21:14 586240 ----a-w- c:\windows\system32\stobject.dll
2012-11-09 21:13 . 2012-11-09 21:13 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2012-11-09 21:13 . 2012-11-09 21:13 478720 ----a-w- c:\windows\system32\dxgi.dll
2012-11-09 21:13 . 2012-11-09 21:13 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2012-11-09 21:13 . 2012-11-09 21:13 37376 ----a-w- c:\windows\system32\cdd.dll
2012-11-09 21:13 . 2012-11-09 21:13 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2012-11-09 21:13 . 2012-11-09 21:13 258048 ----a-w- c:\windows\system32\winspool.drv
2012-11-09 21:13 . 2012-11-09 21:13 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2012-11-09 21:13 . 2012-11-09 21:13 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2012-11-09 18:04 . 2012-11-09 18:04 -------- d-----w- c:\users\Steve\AppData\Local\Avg2013
2012-11-09 16:57 . 2012-11-09 16:58 -------- d-----w- c:\program files\CCleaner
2012-11-08 17:12 . 2012-11-08 17:12 -------- d-----w- c:\users\Steve\AppData\Roaming\TuneUp Software
2012-11-08 17:02 . 2012-11-08 17:02 -------- d-----w- c:\users\Steve\AppData\Local\MFAData
2012-11-08 16:33 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-08 16:25 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-11-08 16:25 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-11-08 16:25 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-11-08 16:02 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-11-08 15:57 . 2012-11-09 18:26 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{261EAF5E-22F1-45E7-9C65-BABA9FF0F376}\offreg.dll
2012-11-08 10:49 . 2012-11-08 10:49 388096 ----a-r- c:\users\Steve\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-11-08 10:49 . 2012-11-08 10:49 -------- d-----w- c:\program files\Trend Micro
2012-11-08 10:36 . 2012-02-29 15:11 5120 ----a-w- c:\windows\system32\wmi.dll
2012-11-08 10:36 . 2012-02-29 15:09 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-11-08 10:36 . 2012-02-29 13:32 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-11-08 10:09 . 2012-05-11 15:57 623616 ----a-w- c:\windows\system32\localspl.dll
2012-11-08 10:08 . 2012-03-30 12:39 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-11-08 10:08 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2012-11-08 10:08 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2012-11-08 10:08 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2012-11-08 10:08 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2012-11-08 10:06 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-11-08 10:06 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-11-08 10:06 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-11-08 10:06 . 2011-05-02 17:16 739328 ----a-w- c:\windows\system32\inetcomm.dll
2012-11-08 10:06 . 2011-01-20 16:08 1029120 ----a-w- c:\windows\system32\d3d10.dll
2012-11-08 10:06 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2012-11-08 10:06 . 2011-01-20 16:08 189952 ----a-w- c:\windows\system32\d3d10core.dll
2012-11-08 10:06 . 2011-01-20 14:11 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2012-11-08 10:06 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2012-11-08 10:06 . 2011-01-20 14:28 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2012-11-08 10:06 . 2011-01-20 14:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2012-11-08 09:59 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2012-11-08 09:59 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2012-11-08 09:59 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2012-11-08 09:53 . 2012-07-04 14:02 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-11-08 09:53 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2012-11-08 09:53 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-11-08 09:53 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-11-08 08:55 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-11-08 08:55 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-11-08 08:55 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-11-08 08:54 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-11-08 08:52 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2012-11-08 08:52 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2012-11-08 08:52 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2012-11-08 08:52 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2012-11-08 08:45 . 2012-10-17 02:32 6918632 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{261EAF5E-22F1-45E7-9C65-BABA9FF0F376}\mpengine.dll
2012-11-08 08:41 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-11-08 08:41 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-11-08 08:41 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-11-08 08:41 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-11-08 08:41 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-11-08 08:41 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-11-08 08:40 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-11-08 08:40 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-11-08 08:37 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-11-08 07:46 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
2012-11-06 19:41 . 2012-11-07 12:40 691 ----a-w- c:\users\Steve\AppData\Roaming\GetValue.vbs
2012-11-06 19:41 . 2012-11-07 12:40 35 ----a-w- c:\users\Steve\AppData\Roaming\SetValue.bat
2012-10-23 10:22 . 2012-10-23 10:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-10-23 10:07 . 2012-10-23 10:07 -------- d-----w- c:\users\Lynda\AppData\Roaming\Motive
2012-10-22 11:42 . 2010-10-10 18:48 1439744 ----a-w- c:\windows\system32\drivers\athur.sys
2012-10-22 11:42 . 2011-07-22 09:35 21472 ----a-w- c:\windows\system32\drivers\SCMNdisP.sys
2012-10-22 11:42 . 2008-05-15 01:28 20384 ----a-w- c:\windows\system32\drivers\jswpslwf.sys
2012-10-22 11:41 . 2012-10-22 11:41 -------- d-----w- c:\program files\NETGEAR
2012-10-18 18:56 . 2012-11-04 11:05 -------- d-----w- c:\users\Steve\AppData\Roaming\Motive
2012-10-18 18:52 . 2012-11-12 17:53 -------- d-----w- c:\programdata\Motive
2012-10-18 18:52 . 2012-10-28 08:52 -------- d-----w- c:\program files\Common Files\Motive
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-02 08:09 . 2012-04-18 06:02 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-02 08:09 . 2011-08-01 05:46 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-30 22:51 . 2011-06-18 17:07 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 22:51 . 2009-08-22 15:38 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-30 22:51 . 2009-08-22 15:38 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-30 22:51 . 2009-08-22 15:38 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-30 22:51 . 2009-08-22 15:37 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-10-30 22:51 . 2009-08-22 15:38 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-30 22:51 . 2010-09-19 13:19 41224 ----a-w- c:\windows\avastSS.scr
2012-10-30 22:50 . 2009-08-22 15:37 227648 ----a-w- c:\windows\system32\aswBoot.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-07 6139904]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 92704]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-29 937920]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2012-10-30 4297136]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2012-09-11 1995600]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WNA1100 Genie.lnk - c:\program files\NETGEAR\WNA1100\WNA1100.exe [2012-10-22 8247264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2012-10-18 18:51 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1250935324\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-08-12 15:46 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\Steve\Desktop\New Folder\Run\a2ddax86.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-14 11:28]
.
2012-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-14 11:28]
.
2012-11-14 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
.
2012-11-14 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2010-04-06 21:30]
.
2012-05-26 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bt.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube to iPod Converter - c:\users\Steve\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetoipodconverter.htm
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
MSConfigStartUp-AVG_UI - c:\program files\AVG\AVG2013\avgui.exe
MSConfigStartUp-ROC_roc_ssl_v12 - c:\program files\AVG Secure Search\ROC_roc_ssl_v12.exe
MSConfigStartUp-vProt - c:\program files\AVG Secure Search\vprot.exe
AddRemove-FoxTab Video Converter - c:\progra~1\FOXTAB~1\Uninstall\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-15 09:03
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-11-15 09:09:06
ComboFix-quarantined-files.txt 2012-11-15 09:09
.
Pre-Run: 50,735,538,176 bytes free
Post-Run: 50,747,162,624 bytes free
.
- - End Of File - - F8E427BE84DEC4729356B1F331AD535C
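As a worked example added here by the editor (it is not part of the thread and not a tool any of the helpers asked for), the following Python script reads ComboFix-style lines such as those in the log above and flags the entries a responder would look at first: a hidden+system directory created under system32, a path containing a literal unexpanded environment variable, script files sitting in a user profile, UAC switched off (`EnableLUA = 0`), a populated `AppInit_DLLs` value, and a driver service whose image path points into a user's Desktop folder or whose file is missing. The sample lines are copied from the log above into a constructed string so the script runs offline; the severities, and my reading of ComboFix's `R1`/`[x]` service notation (R/S = running/stopped, digit = start type, `[x]` = file not found), are assumptions. A flagged line is a prompt to verify, not a verdict: a DLL in `AppInit_DLLs` can belong to legitimately installed software.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample: lines copied from the ComboFix log above into a string,
# so the script runs offline. Backslashes are literal (raw string).
SAMPLE_LOG = r"""
2012-10-23 10:22 . 2012-10-23 10:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-10-22 11:41 . 2012-10-22 11:41 -------- d-----w- c:\program files\NETGEAR
2012-11-06 19:41 . 2012-11-07 12:40 691 ----a-w- c:\users\Steve\AppData\Roaming\GetValue.vbs
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2012-10-30 4297136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\Steve\Desktop\New Folder\Run\a2ddax86.sys [x]
"""

# File entry: "<created> . <modified> <size|--------> <attrs> <path>"; attrs is
# 8 flags, e.g. d-sh--w- (directory, system, hidden) or ----a-w- (archive).
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>[d-][rshacw-]{7}) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# Service entry (assumed reading): "<R|S><start type> <name>;<description>;<path> [x]"
SERVICE_RE = re.compile(
    r"^(?P<kind>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)(?P<missing> \[x\])?$"
)
ENV_VAR_RE = re.compile(r"%[A-Za-z_]+%")
SCRIPT_EXT = (".vbs", ".bat", ".cmd", ".js", ".ps1", ".wsf")


def triage_file(attrs: str, path: str) -> List[Finding]:
    low = path.lower()
    is_dir = attrs[0] == "d"
    hidden_system = "s" in attrs and "h" in attrs
    out: List[Finding] = []
    if is_dir and hidden_system and "\\windows\\system32\\" in low:
        out.append(("high", f"hidden+system directory created under system32: {path}"))
    if ENV_VAR_RE.search(path):
        out.append(("high", f"literal unexpanded environment variable in path: {path}"))
    if not is_dir and low.endswith(SCRIPT_EXT) and "\\appdata\\roaming\\" in low:
        out.append(("medium", f"script file in a user profile, review its contents: {path}"))
    return out


def triage_value(key: str, name: str, data: str) -> List[Finding]:
    k, n, d = key.lower(), name.lower(), data.strip()
    out: List[Finding] = []
    if k.endswith("\\policies\\system") and n == "enablelua" and d.startswith("0"):
        out.append(("high", "UAC is disabled (EnableLUA = 0): admin-session processes run fully elevated"))
    if n == "appinit_dlls" and d:
        out.append(("medium", f"AppInit_DLLs is set; the DLL loads into every process that loads user32.dll: {d}"))
    return out


def triage_service(kind: str, name: str, path: str, missing: bool) -> List[Finding]:
    low = path.lower()
    out: List[Finding] = []
    if low.startswith("c:\\users\\") or "\\desktop\\" in low:
        out.append(("high", f"{kind} service {name} loads its image from a user profile: {path}"))
    if missing:
        out.append(("medium", f"{kind} service {name} is registered but its file is missing: {path}"))
    return out


def triage_log(text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key for value lines."""
    findings: List[Finding] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group("key")
        elif (m := FILE_RE.match(line)):
            findings += triage_file(m.group("attrs"), m.group("path"))
        elif (m := SERVICE_RE.match(line)):
            findings += triage_service(m.group("kind"), m.group("name"),
                                       m.group("path"), bool(m.group("missing")))
        elif (m := VALUE_RE.match(line)):
            findings += triage_value(current_key, m.group("name"), m.group("data"))
    return findings


def severity_counts(findings: List[Finding]) -> dict:
    counts: dict = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, msg in triage_log(SAMPLE_LOG):
        print(f"[{sev:6}] {msg}")
```

On the sample above the script reports four high and three medium findings; the NETGEAR directory and the avast Run entry produce nothing, which is the point of the heuristics: they narrow a several-hundred-line log to the handful of lines that need a human decision.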

#9 sempai (Malware Response Team, 5,288 posts)

Posted 15 November 2012 - 08:56 AM

Please run Malwarebytes Anti-Malware. Go to the Update tab, download all updates, and then perform a "Quick Scan".
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that receive no reply within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#10 mr.squinter (Topic Starter, Members, 24 posts)

Posted 15 November 2012 - 10:10 AM

Scan results:

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.15.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Steve :: STEVE-PC [administrator]

Protection: Enabled

15/11/2012 14:22:54
mbam-log-2012-11-15 (14-22-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 224153
Time elapsed: 16 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#11 sempai (Malware Response Team, 5,288 posts)

Posted 15 November 2012 - 10:45 AM

How's the computer running?


:step1: ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use, then click the button.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click the button.
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, but make sure you copy the logfile first.
  • Now click the button.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!




:step2: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



:step3: Please run OTL and click the "Quick Scan" button, post the new report for my review.

~Semp



#12 mr.squinter (Topic Starter, Members, 24 posts)

Posted 15 November 2012 - 03:43 PM

Thanks for your continuing support. Here's your reward, lol. There's plenty here to get your teeth into...

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=b51c2381ed80464ab6d4d30df1e95751
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-11-13 09:29:58
# local_time=2012-11-13 09:29:58 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 424586 424586 0 0
# compatibility_mode=768 16777215 100 0 67807143 67807143 0 0
# compatibility_mode=5892 16776637 100 100 310758 190325508 0 0
# compatibility_mode=8192 67108863 100 0 3863 3863 0 0
# scanned=161957
# found=5
# cleaned=5
# scan_time=6263
C:\Program Files\FoxTabVideoConverter\VideoConverter.exe a variant of Win32/InstallCore.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Steve\Desktop\Brothersoft_downloader_For_iOpener.exe a variant of Win32/BSDownloader application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Steve\Desktop\Desktop Icons\YouTubeDownloaderSetup33.exe a variant of Win32/Toolbar.Widgi application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Steve\Desktop\Desktop Icons\YouTubeDownloaderSetup34.exe a variant of Win32/Toolbar.Widgi application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Steve\Downloads\regvissetup.exe a variant of Win32/Adware.ErrorRepairPro application (deleted - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=b51c2381ed80464ab6d4d30df1e95751
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-11-15 07:57:07
# local_time=2012-11-15 07:57:07 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 631330 631330 0 0
# compatibility_mode=768 16777215 100 0 68013887 68013887 0 0
# compatibility_mode=5892 16776638 100 100 517502 190532252 0 0
# compatibility_mode=8192 67108863 100 0 210607 210607 0 0
# scanned=160131
# found=4
# cleaned=0
# scan_time=9947
C:\Qoobox\Quarantine\C\Windows\System32\Process.exe.vir Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Steve\AppData\Roaming\Business Logic\UWC\Backup\J40223.4634724884.WCU Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Steve\Desktop\Desktop Icons\Adaware_Installer.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Windows\Installer\b8837.msi probably a variant of Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I


-------------------------


Results of screen317's Security Check version 0.99.54
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Firewall Disabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Out of date HijackThis installed!
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.65.1.1000
HijackThis 1.99.1
CCleaner
Java 7 Update 9
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Spybot Teatimer.exe is disabled!
Malwarebytes' Anti-Malware mbamscheduler.exe
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````


---------------------------------


OTL logfile created on: 15/11/2012 20:23:00 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Steve\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

766.51 Mb Total Physical Memory | 102.65 Mb Available Physical Memory | 13.39% Memory free
1.76 Gb Paging File | 0.68 Gb Available in Paging File | 38.77% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.05 Gb Total Space | 46.86 Gb Free Space | 34.44% Space Free | Partition Type: NTFS

Computer Name: STEVE-PC | User Name: Steve | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/11/14 11:14:36 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Steve\Desktop\OTL.exe
PRC - [2012/10/30 22:50:59 | 004,297,136 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2012/10/30 22:50:59 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/09/11 09:10:18 | 001,995,600 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
PRC - [2012/09/11 09:10:16 | 001,258,320 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
PRC - [2012/07/29 19:52:22 | 000,976,728 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2012/07/29 19:52:20 | 001,673,048 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2012/07/05 05:58:58 | 000,332,488 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\pcControlHost.exe
PRC - [2012/03/02 21:34:26 | 000,361,472 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\pcCMService.exe
PRC - [2011/07/28 16:06:32 | 008,247,264 | ---- | M] () -- C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
PRC - [2011/07/28 16:06:20 | 000,297,440 | ---- | M] () -- C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
PRC - [2009/04/11 06:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/01/26 14:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/05/29 08:49:58 | 000,083,264 | ---- | M] (Packard Bell Services) -- C:\Windows\System32\HidService.exe
PRC - [2008/05/07 08:19:26 | 006,139,904 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008/01/21 02:32:50 | 000,215,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wmdSync.exe
PRC - [2003/08/27 09:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\Windows\wanmpsvc.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/28 20:44:02 | 000,520,464 | ---- | M] () -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\39624\RapportMS.dll
MOD - [2012/02/01 13:43:10 | 000,557,056 | ---- | M] () -- C:\Program Files\Trusteer\Rapport\bin\js32.dll
MOD - [2011/07/28 16:06:32 | 008,247,264 | ---- | M] () -- C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
MOD - [2009/08/28 15:50:18 | 000,282,624 | ---- | M] () -- C:\Program Files\NETGEAR\WNA1100\WifiSvcLib.dll
MOD - [2009/08/16 16:06:02 | 000,141,312 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Services (SafeList) ==========

SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SBSDWSCService)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe -- (Roxio UPnP Renderer 11)
SRV - File not found [Auto | Stopped] -- -- (AOL ACS)
SRV - [2012/10/30 22:50:59 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/10/18 18:51:24 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe -- (GoToAssist)
SRV - [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/07/29 19:52:22 | 000,976,728 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2012/03/02 21:34:26 | 000,361,472 | ---- | M] (Alcatel-Lucent) [Auto | Running] -- C:\Program Files\Common Files\Motive\pcCMService.exe -- (pcCMService)
SRV - [2011/07/28 16:06:20 | 000,297,440 | ---- | M] () [Auto | Running] -- C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe -- (WSWNA1100)
SRV - [2010/03/22 19:05:40 | 000,960,992 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe -- (jswpsapi)
SRV - [2008/05/29 08:49:58 | 000,083,264 | ---- | M] (Packard Bell Services) [Auto | Running] -- C:\Windows\System32\HidService.exe -- (GenericHidService)
SRV - [2008/02/03 11:00:00 | 000,129,992 | ---- | M] (EasyBits Sofware AS) [Auto | Running] -- C:\Windows\System32\ezsvc7.dll -- (ezSharedSvc)
SRV - [2008/01/21 02:33:00 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/21 02:32:50 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2008/01/21 02:32:50 | 000,167,936 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2005/01/06 17:41:22 | 000,462,848 | ---- | M] (Lexmark International, Inc.) [On_Demand | Stopped] -- C:\Windows\System32\lxbycoms.exe -- (lxby_device)
SRV - [2003/08/27 09:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Windows\wanmpsvc.exe -- (WANMiniportService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\SBREdrv.sys -- (SBRE)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Steve\AppData\Local\Temp\cpuz132\cpuz132_x32.sys -- (cpuz132)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Steve\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | System | Stopped] -- C:\Users\Steve\Desktop\New Folder\Run\a2ddax86.sys -- (A2DDA)
DRV - [2012/10/30 22:51:58 | 000,738,504 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/10/30 22:51:58 | 000,361,032 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/10/30 22:51:58 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/10/30 22:51:58 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2012/10/30 22:51:57 | 000,058,680 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2012/10/30 22:51:56 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/10/23 15:02:46 | 000,272,216 | ---- | M] () [Kernel | System | Running] -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus32_43926.sys -- (RapportCerberus_43926)
DRV - [2012/09/29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/07/29 19:52:38 | 000,166,840 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2012/07/29 19:52:38 | 000,071,480 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2012/07/29 19:52:38 | 000,065,848 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2012/07/05 05:58:02 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2012/07/05 05:57:44 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2012/05/28 20:42:48 | 000,021,520 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Running] -- c:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys -- (RapportIaso)
DRV - [2011/07/22 09:35:16 | 000,021,472 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SCMNdisP.sys -- (SCMNdisP)
DRV - [2010/10/10 18:48:00 | 001,439,744 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athur.sys -- (athur)
DRV - [2010/09/14 13:38:58 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WsAudio_DeviceS(5).sys -- (WsAudio_DeviceS(5)
DRV - [2010/09/14 13:38:58 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WsAudio_DeviceS(4).sys -- (WsAudio_DeviceS(4)
DRV - [2010/09/14 13:38:58 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WsAudio_DeviceS(3).sys -- (WsAudio_DeviceS(3)
DRV - [2010/09/14 13:38:58 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WsAudio_DeviceS(2).sys -- (WsAudio_DeviceS(2)
DRV - [2010/09/14 13:38:58 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WsAudio_DeviceS(1).sys -- (WsAudio_DeviceS(1)
DRV - [2009/08/12 15:45:55 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2009/04/11 04:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (winusb)
DRV - [2008/09/17 23:55:00 | 007,379,872 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/08/11 10:03:24 | 000,254,320 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\Windows\System32\drivers\C2SCSI.SYS -- (c2scsi)
DRV - [2008/05/15 01:28:00 | 000,020,384 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
DRV - [2007/10/31 03:23:20 | 000,115,744 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2006/11/02 07:30:56 | 000,044,544 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2003/01/10 15:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw)
DRV - [2002/02/22 23:08:02 | 000,214,656 | ---- | M] (Roxio) [File_System | System | Running] -- C:\Windows\System32\drivers\udfreadr.sys -- (UdfReadr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\Program Files\TVUPlayer\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)


[2010/05/13 16:09:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Steve\AppData\Roaming\Mozilla\Extensions
[2010/05/13 16:09:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Steve\AppData\Roaming\Mozilla\Extensions\[email protected]
[2012/02/11 12:02:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\extensions
[2012/02/11 12:02:21 | 000,000,000 | ---D | M] (uTorrentControl2 Community Toolbar) -- C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}

O1 HOSTS File: ([2012/11/15 09:03:41 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [avast] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Free YouTube to iPod Converter - C:\Users\Steve\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetoipodconverter.htm ()
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab (Java Plug-in 10.9.2)
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} http://support.microsoft.com/mats/DiagWebControl.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab (Java Plug-in 1.7.0_09)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab (Java Plug-in 1.7.0_09)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6E3AE754-E200-4375-97D4-BCBA6EB8FBE1}: DhcpNameServer = 192.168.1.254
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Users\Steve\Pictures\orion nebula.jpg
O24 - Desktop BackupWallPaper: C:\Users\Steve\Pictures\orion nebula.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/15 09:09:19 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/11/15 09:09:10 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/11/15 09:09:10 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\temp
[2012/11/15 08:43:00 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/11/15 08:43:00 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/11/15 08:43:00 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/11/15 08:42:31 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/11/15 08:41:37 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/11/15 08:25:32 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\{AE12BC92-F2AB-445F-AAF3-9708FB1D6638}
[2012/11/15 08:04:27 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\{1B60015C-B5B2-4937-9055-54735AA3175E}
[2012/11/14 17:43:48 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\{A00E735F-AC93-4EB9-A05E-E10D1716CFE0}
[2012/11/14 17:25:51 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/11/14 11:14:33 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Steve\Desktop\OTL.exe
[2012/11/14 09:49:09 | 000,688,901 | R--- | C] (Swearware) -- C:\Users\Steve\Desktop\dds.com
[2012/11/14 09:35:55 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\Ahead
[2012/11/13 21:28:45 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\Florence_And_The_Machine
[2012/11/13 20:53:53 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\Marillion-Sounds_That_Cant_Be_Made-2012
[2012/11/13 10:56:20 | 000,752,145 | ---- | C] (Farbar) -- C:\Users\Steve\Desktop\MiniToolBox.exe
[2012/11/13 10:51:50 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\{4E80485D-4E7D-4758-85AF-03CE5F74EBA5}
[2012/11/13 09:50:06 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Steve\Desktop\tdsskiller.exe
[2012/11/13 09:42:02 | 001,754,528 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Steve\Desktop\rkill.com
[2012/11/13 07:41:13 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/11/12 19:42:43 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\{B2862B03-8D92-4F31-85E8-24F9EFBC7BEE}
[2012/11/12 18:25:45 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\Malwarebytes
[2012/11/12 18:24:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/11/12 18:24:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/11/12 18:24:39 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/11/12 18:24:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/11/12 07:25:52 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\{72D0A7E3-08DF-4452-AD72-61CECD17331B}
[2012/11/11 21:17:03 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2012/11/11 18:08:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2012/11/11 17:42:13 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/11/11 08:47:16 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\{E94AD84C-5EAC-42E9-8622-56E1F79CB96D}
[2012/11/10 18:23:53 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\{9B86B04E-754A-4F50-B434-564DC3775EE6}
[2012/11/10 16:27:10 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\Downloaded Installations
[2012/11/10 16:24:48 | 000,000,000 | ---D | C] -- C:\Program Files\adawaretb
[2012/11/10 16:24:40 | 000,000,000 | ---D | C] -- C:\Program Files\Toolbar Cleaner
[2012/11/10 16:23:19 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\LavasoftStatistics
[2012/11/10 13:59:10 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2012/11/10 13:48:52 | 005,001,537 | R--- | C] (Swearware) -- C:\Users\Steve\Desktop\ComboFix.exe
[2012/11/10 13:25:14 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\Steve_Hackett_-_Genesis_Revisited_II (2012)
[2012/11/09 18:04:53 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\Avg2013
[2012/11/09 16:57:59 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/11/08 17:12:50 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\TuneUp Software
[2012/11/08 17:02:48 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\MFAData
[2012/11/08 10:49:18 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2012/11/08 10:49:10 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/10/30 17:39:35 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\Bat For Lashes - The Haunted Man (2012)
[2012/10/28 08:54:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BT Desktop Help
[2012/10/24 10:37:25 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\Jadis - See Right Through You (2012)#
[2012/10/23 10:22:58 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/10/22 12:38:16 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\Lucy Rose - Like I Used To 2012
[2012/10/22 11:42:25 | 001,439,744 | ---- | C] (Atheros Communications, Inc.) -- C:\Windows\System32\drivers\athur.sys
[2012/10/22 11:42:24 | 000,021,472 | ---- | C] (Windows ® Win 7 DDK provider) -- C:\Windows\System32\drivers\SCMNdisP.sys
[2012/10/22 11:42:24 | 000,020,384 | ---- | C] (Atheros Communications, Inc.) -- C:\Windows\System32\drivers\jswpslwf.sys
[2012/10/22 11:42:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NETGEAR WNA1100 Genie
[2012/10/22 11:41:56 | 000,000,000 | ---D | C] -- C:\Program Files\NETGEAR
[2012/10/20 07:17:12 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\Ellie Goulding - Halcyon 2012
[2012/10/19 08:17:50 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\Muse - The 2nd Law#
[2012/10/18 18:56:46 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\Motive
[2012/10/18 18:52:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Motive
[2012/10/18 18:52:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Motive
[2012/10/18 18:52:21 | 000,000,000 | ---D | C] -- C:\Program Files\BT Broadband Desktop Help
[2012/10/18 18:50:49 | 000,000,000 | ---D | C] -- C:\Program Files\Citrix
[2012/10/18 18:47:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BTHomeHub
[2012/10/18 18:47:32 | 000,000,000 | ---D | C] -- C:\Program Files\BTHomeHub

========== Files - Modified Within 30 Days ==========

[2012/11/15 20:10:14 | 000,881,833 | ---- | M] () -- C:\Users\Steve\Desktop\SecurityCheck.exe
[2012/11/15 19:59:08 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/11/15 19:59:08 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/11/15 18:57:07 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/11/15 18:57:06 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/11/15 18:00:03 | 000,000,444 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration3.job
[2012/11/15 18:00:03 | 000,000,442 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration.job
[2012/11/15 16:56:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/11/15 09:03:41 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/11/15 08:41:24 | 005,001,537 | R--- | M] (Swearware) -- C:\Users\Steve\Desktop\ComboFix.exe
[2012/11/14 11:14:36 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Steve\Desktop\OTL.exe
[2012/11/14 10:00:36 | 000,302,592 | ---- | M] () -- C:\Users\Steve\Desktop\0m1wjh70.exe
[2012/11/14 09:49:13 | 000,688,901 | R--- | M] (Swearware) -- C:\Users\Steve\Desktop\dds.com
[2012/11/14 09:46:51 | 000,050,477 | ---- | M] () -- C:\Users\Steve\Desktop\Defogger.exe
[2012/11/14 08:00:46 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012/11/13 10:56:21 | 000,752,145 | ---- | M] (Farbar) -- C:\Users\Steve\Desktop\MiniToolBox.exe
[2012/11/13 09:52:34 | 000,541,569 | ---- | M] () -- C:\Users\Steve\Desktop\AdwCleaner.exe
[2012/11/13 09:50:07 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Steve\Desktop\tdsskiller.exe
[2012/11/13 09:42:03 | 001,754,528 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Steve\Desktop\rkill.com
[2012/11/13 08:33:10 | 000,001,441 | ---- | M] () -- C:\scu.dat
[2012/11/12 18:24:52 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/11/11 20:26:43 | 000,007,288 | ---- | M] () -- C:\Users\Steve\Documents\cc_20121111_202418.reg
[2012/11/11 18:17:23 | 000,001,057 | ---- | M] () -- C:\Users\Steve\Desktop\Spybot - Search & Destroy.lnk
[2012/11/11 17:19:29 | 000,002,523 | ---- | M] () -- C:\Users\Steve\Desktop\HiJackThis.lnk
[2012/11/11 16:22:01 | 000,381,984 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/11/11 09:11:47 | 000,012,720 | ---- | M] () -- C:\Users\Steve\Documents\cc_20121111_091119.reg
[2012/11/10 16:20:37 | 000,000,318 | -H-- | M] () -- C:\aaw7boot.cmd
[2012/11/10 11:43:15 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2012/11/10 07:45:53 | 000,000,945 | ---- | M] () -- C:\Users\Steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/11/10 07:44:51 | 000,602,846 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/11/10 07:44:51 | 000,106,292 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/11/09 21:25:22 | 000,008,798 | ---- | M] () -- C:\Windows\System32\icrav03.rat
[2012/11/09 21:25:21 | 000,001,988 | ---- | M] () -- C:\Windows\System32\ticrf.rat
[2012/11/09 21:23:51 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2012/11/09 17:33:59 | 000,438,982 | ---- | M] () -- C:\Users\Steve\Documents\ccleaner_20121109_173144.reg
[2012/11/09 16:58:16 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/11/08 07:47:11 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2012/11/07 12:40:37 | 000,000,691 | ---- | M] () -- C:\Users\Steve\AppData\Roaming\GetValue.vbs
[2012/11/07 12:40:37 | 000,000,035 | ---- | M] () -- C:\Users\Steve\AppData\Roaming\SetValue.bat
[2012/11/06 19:41:50 | 000,443,692 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20121107-121832.backup
[2012/11/02 11:50:39 | 747,323,320 | ---- | M] () -- C:\Users\Steve\Desktop\Prometheus.2012.DVDRip.XviD-PTpOWeR.avi
[2012/10/30 22:51:58 | 000,738,504 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2012/10/30 22:51:58 | 000,361,032 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2012/10/30 22:51:58 | 000,054,232 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2012/10/30 22:51:58 | 000,035,928 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2012/10/30 22:51:57 | 000,058,680 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2012/10/30 22:51:56 | 000,021,256 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2012/10/30 22:51:07 | 000,041,224 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/10/30 22:50:59 | 000,227,648 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2012/10/29 16:08:30 | 734,212,096 | ---- | M] () -- C:\Users\Steve\Desktop\the raven.avi
[2012/10/28 08:54:28 | 000,001,135 | ---- | M] () -- C:\Users\Public\Desktop\BT Desktop Help.lnk
[2012/10/23 11:02:20 | 000,000,680 | ---- | M] () -- C:\Users\Steve\AppData\Local\d3d9caps.dat
[2012/10/22 11:42:00 | 000,000,701 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNA1100 Genie.lnk
[2012/10/22 11:42:00 | 000,000,683 | ---- | M] () -- C:\Users\Public\Desktop\NETGEAR WNA1100 Genie.lnk
[2012/10/18 18:49:53 | 000,001,818 | ---- | M] () -- C:\Users\Public\Desktop\My BT.LNK
[2012/10/18 18:49:52 | 000,001,844 | ---- | M] () -- C:\Users\Public\Desktop\BT email & search.LNK

========== Files Created - No Company Name ==========

[2012/11/15 20:09:46 | 000,881,833 | ---- | C] () -- C:\Users\Steve\Desktop\SecurityCheck.exe
[2012/11/15 08:43:00 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/11/15 08:43:00 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/11/15 08:43:00 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/11/15 08:43:00 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/11/15 08:43:00 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/11/14 10:00:36 | 000,302,592 | ---- | C] () -- C:\Users\Steve\Desktop\0m1wjh70.exe
[2012/11/14 09:46:49 | 000,050,477 | ---- | C] () -- C:\Users\Steve\Desktop\Defogger.exe
[2012/11/13 09:52:31 | 000,541,569 | ---- | C] () -- C:\Users\Steve\Desktop\AdwCleaner.exe
[2012/11/13 08:00:33 | 000,001,441 | ---- | C] () -- C:\scu.dat
[2012/11/12 18:24:52 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/11/11 20:26:39 | 000,007,288 | ---- | C] () -- C:\Users\Steve\Documents\cc_20121111_202418.reg
[2012/11/11 18:17:23 | 000,001,057 | ---- | C] () -- C:\Users\Steve\Desktop\Spybot - Search & Destroy.lnk
[2012/11/11 10:00:08 | 000,002,426 | ---- | C] () -- C:\Windows\System32\WsmTxt.xsl
[2012/11/11 10:00:07 | 000,201,184 | ---- | C] () -- C:\Windows\System32\winrm.vbs
[2012/11/11 10:00:06 | 000,004,675 | ---- | C] () -- C:\Windows\System32\wsmanconfig_schema.xml
[2012/11/11 09:11:33 | 000,012,720 | ---- | C] () -- C:\Users\Steve\Documents\cc_20121111_091119.reg
[2012/11/10 16:20:37 | 000,000,318 | -H-- | C] () -- C:\aaw7boot.cmd
[2012/11/10 07:45:52 | 000,000,951 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2012/11/09 21:23:51 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2012/11/09 17:32:22 | 000,438,982 | ---- | C] () -- C:\Users\Steve\Documents\ccleaner_20121109_173144.reg
[2012/11/09 16:58:16 | 000,000,806 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/11/08 10:49:18 | 000,002,523 | ---- | C] () -- C:\Users\Steve\Desktop\HiJackThis.lnk
[2012/11/08 07:47:11 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2012/11/06 19:41:55 | 000,000,691 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\GetValue.vbs
[2012/11/06 19:41:55 | 000,000,035 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\SetValue.bat
[2012/11/02 11:38:21 | 747,323,320 | ---- | C] () -- C:\Users\Steve\Desktop\Prometheus.2012.DVDRip.XviD-PTpOWeR.avi
[2012/10/28 18:28:29 | 734,212,096 | ---- | C] () -- C:\Users\Steve\Desktop\the raven.avi
[2012/10/28 08:54:28 | 000,001,135 | ---- | C] () -- C:\Users\Public\Desktop\BT Desktop Help.lnk
[2012/10/23 11:02:20 | 000,000,680 | ---- | C] () -- C:\Users\Steve\AppData\Local\d3d9caps.dat
[2012/10/22 11:42:00 | 000,000,701 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNA1100 Genie.lnk
[2012/10/22 11:42:00 | 000,000,683 | ---- | C] () -- C:\Users\Public\Desktop\NETGEAR WNA1100 Genie.lnk
[2012/10/18 18:49:53 | 000,001,818 | ---- | C] () -- C:\Users\Public\Desktop\My BT.LNK
[2012/10/18 18:49:52 | 000,001,844 | ---- | C] () -- C:\Users\Public\Desktop\BT email & search.LNK
[2012/03/11 07:44:42 | 000,000,231 | ---- | C] () -- C:\Windows\cdplayer.ini
[2012/03/11 07:34:25 | 000,001,534 | ---- | C] () -- C:\ProgramData\ss.ini
[2012/03/09 18:24:39 | 000,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2012/01/04 06:53:19 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2012/01/04 06:53:19 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2011/04/17 08:01:48 | 000,069,632 | ---- | C] () -- C:\Windows\realbap1.dll
[2011/04/17 08:01:48 | 000,045,568 | ---- | C] () -- C:\Windows\realbsf1.dll
[2011/04/17 08:01:43 | 000,069,632 | ---- | C] () -- C:\Windows\System32\realbap1.dll
[2011/04/17 08:01:43 | 000,045,568 | ---- | C] () -- C:\Windows\System32\realbsf1.dll
[2011/04/02 09:56:34 | 000,000,073 | ---- | C] () -- C:\Windows\EurekaLog.ini
[2010/06/30 14:15:20 | 000,000,373 | ---- | C] () -- C:\Users\Steve\Documents - Shortcut.lnk
[2010/01/31 12:19:04 | 000,137,020 | ---- | C] () -- C:\Users\Steve\AppData\Local\rx_audio.Cache
[2009/12/10 13:59:09 | 000,001,024 | ---- | C] () -- C:\Users\Steve\.rnd
[2009/09/26 12:23:15 | 000,004,536 | ---- | C] () -- C:\Users\Steve\AppData\Local\rx_image32.Cache
[2009/08/15 14:51:03 | 000,000,104 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\wklnhst.dat
[2009/08/14 14:36:58 | 000,014,336 | ---- | C] () -- C:\Users\Steve\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2006/11/02 12:51:16 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 17:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 06:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 06:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2009/11/13 16:43:49 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Amazon
[2011/06/12 08:02:37 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\avidemux
[2010/02/14 11:05:52 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Business Logic
[2010/09/05 09:31:22 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Canneverbe Limited
[2009/10/02 07:51:59 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\CDRoller
[2009/12/10 14:30:35 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\DeepBurner Pro
[2009/09/19 13:01:49 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\DriverCure
[2011/11/08 07:16:56 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\DVDVideoSoft
[2011/03/13 08:15:56 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\DVDVideoSoftIEHelpers
[2010/11/16 19:06:47 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\EPSON
[2010/09/05 10:12:22 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\FinalBurner Video DVD
[2009/12/10 13:11:32 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\FoxScribe
[2009/08/29 07:47:38 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Free Audio Editor
[2010/03/13 16:44:08 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\ImTOO Software Studio
[2010/01/16 08:26:54 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\InfraRecorder
[2009/09/12 15:01:02 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\NCH Swift Sound
[2009/08/12 15:36:51 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Packard Bell
[2010/08/22 14:57:04 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Softplicity
[2011/10/10 06:01:31 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Template
[2010/05/15 11:34:02 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Trusteer
[2012/11/08 17:12:50 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\TuneUp Software
[2012/11/14 08:21:22 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\uTorrent
[2012/08/04 10:27:12 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Xilisoft
[2010/06/06 12:08:56 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Xilisoft Corporation

========== Purity Check ==========



< End of report >
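Triage of the OTL log above, as an added example (it is not part of the thread and not OTL's own code): a Python script that parses the two line shapes OTL prints in the sections above (the `[date | size | attrs | C-or-M] (Company) -- path` file entries and the `Oxx - ...` registry entries) and flags what a responder looks at first: weakened policies such as `EnableLUA = 0` and `NoDriveTypeAutoRun = 0`, a populated `AppInit_DLLs` value, Winlogon Shell/UserInit values that are not the defaults, executables with no company name under user-writable paths, and hidden+system objects with environment-variable-style names such as `C:\Windows\System32\%APPDATA%`. The sample lines are copied from the log above; the function names, the severity labels and the heuristics themselves are my own choices and are assumptions, not OTL behaviour.

```python
"""Triage helpers for OTL (OldTimer's List-It) log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# File/folder entry as OTL prints it:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C-or-M] (Company) -- path
# Directory entries carry no "(Company)" part, so that group is optional.
FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)
# Autostart entry under a Run key:  O4 - HKLM..\Run: [name] path (Company)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>[^)]*)\)\s*$"
)

# Locations a standard user can write to (assumed list, lower-cased substrings).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".vbs")


@dataclass
class Finding:
    severity: str  # "high" = a protection is switched off, "review" = needs a human look
    reason: str
    line: str


def _is_user_writable_exe(path: str) -> bool:
    p = path.lower()
    return p.endswith(EXEC_EXT) and any(w in p for w in USER_WRITABLE)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one OTL line, or None if nothing stands out."""
    line = line.rstrip()
    m = FILE_RE.match(line)
    if m:
        attrs, path, company = m["attrs"], m["path"], m["company"] or ""
        if "H" in attrs and "S" in attrs and "%" in path:
            # A hidden+system object literally named like an environment variable
            # (e.g. ...\System32\%APPDATA%) is not something Windows creates itself.
            return Finding("review", "hidden+system object with env-var-style name", line)
        if company == "" and _is_user_writable_exe(path):
            return Finding("review", "executable without company name in user-writable path", line)
        return None
    m = RUN_RE.match(line)
    if m:
        if _is_user_writable_exe(m["path"]):
            return Finding("review", f"Run-key autostart '{m['name']}' points into a user-writable path", line)
        return None
    if line.startswith(("O6 ", "O7 ")):
        if line.endswith("EnableLUA = 0"):
            return Finding("high", "UAC is disabled (EnableLUA = 0)", line)
        if line.endswith("NoDriveTypeAutoRun = 0"):
            return Finding("high", "AutoRun allowed for every drive type (NoDriveTypeAutoRun = 0)", line)
        return None
    if line.startswith("O20 - AppInit_DLLs:"):
        # Any DLL listed here is loaded into every process that links user32.dll.
        return Finding("review", "AppInit_DLLs is populated; confirm the DLL is wanted", line)
    if line.startswith("O20 - HKLM Winlogon: Shell") and "explorer.exe" not in line.lower():
        return Finding("high", "Winlogon Shell is not explorer.exe", line)
    if line.startswith("O20 - HKLM Winlogon: UserInit") and "userinit.exe" not in line.lower():
        return Finding("high", "Winlogon UserInit is not userinit.exe", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: lines copied from the OTL log above, in the shapes OTL prints.
SAMPLE = r"""
O4 - HKLM..\Run: [avast] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
[2012/11/15 08:43:00 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/10/23 10:22:58 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/11/14 10:00:36 | 000,302,592 | ---- | M] () -- C:\Users\Steve\Desktop\0m1wjh70.exe
[2012/11/07 12:40:37 | 000,000,691 | ---- | M] () -- C:\Users\Steve\AppData\Roaming\GetValue.vbs
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

A "review" finding does not call a file malicious; it only says a person should look at it, which is the same order of work the responder describes in this thread (review the log first, script the fix afterwards). An empty company name in an OTL entry means the file's version resource carries no company string, not that the file is unsigned, so the check is a prompt for attention rather than a verdict.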

#13 mr.squinter

Posted 15 November 2012 - 03:48 PM

Just wanted to add something here...

I know I'm gonna sound dumb, but I'm totally blind here; I'm literally following your exact instructions. There were no instructions to do anything following the OTL scan, i.e. delete or fix. I just closed OTL, so any probs have not been fixed; I hope that's OK.

#14 sempai

Posted 15 November 2012 - 08:43 PM

Hi,

there were no instructions to do anything following the otl scan, ie: delete or fix

This is correct; the two main reasons are as follows. First, we don't want to delete any false detection when we run the ESET scan. Second, we will script all the remaining malware remnants after I have reviewed the latest OTL log together with the infections found by ESET.


:step1: Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scan/Fixes text box.

    :Files
    C:\Users\Steve\AppData\Roaming\Business Logic\UWC\Backup\J40223.4634724884.WCU 
    C:\Users\Steve\Desktop\Desktop Icons\Adaware_Installer.exe 
    C:\Windows\Installer\b8837.msi 
    
    :Commands
    [EMPTYTEMP] 
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A message box "Fix complete! Click OK to open the fix log." will pop up.
  • Click the OK button and a report will open.
  • Copy and Paste that report in your next reply.


:step2: Update Adobe Reader so you will not become vulnerable to infections.
  • Uninstall your old version of Adobe Reader.
  • Download the latest version of Adobe Reader. --> HERE
  • Uncheck any optional download like Free Google Toolbar or Free McAfee® Security Scan Plus.
  • Click download to download the file and install it by following the prompts.
Adobe Download Manager FAQ | Flash Player and Reader: http://kb2.adobe.com/cps/520/cpsid_52001.html



:step3: Update Flash Player.
  • Uninstall your old version of Flash Player.
  • Download the latest version of Flash Player. --> HERE
  • Uncheck any optional download like Free Google Toolbar or Free McAfee® Security Scan Plus.
  • Click download to download the file and install it by following the prompts.

Edited by sempai, 15 November 2012 - 08:44 PM.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#15 mr.squinter

Posted 16 November 2012 - 04:11 AM

Both programmes now updated.

PC still booting up slowly. Some extra things happening since last reboot... probs with Explorer not responding, but usually it sorts itself. I've had 'last browsing session closed unexpectedly' on 3 occasions. Also, a minor detail, but my desktop icons have got bigger.

A window appears prompting me to manage Explorer add-ons.

Explorer is informing me that updates are available; shall I go ahead with those?


All processes killed
========== FILES ==========
C:\Users\Steve\AppData\Roaming\Business Logic\UWC\Backup\J40223.4634724884.WCU moved successfully.
C:\Users\Steve\Desktop\Desktop Icons\Adaware_Installer.exe moved successfully.
C:\Windows\Installer\b8837.msi moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes

User: Lynda
->Temp folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Steve
->Temp folder emptied: 68091 bytes
->Java cache emptied: 319357 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 506 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 11162012_074135

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...



