Possible TDSS & Search Redirect



#1 Univrsl


Posted 19 December 2011 - 09:40 PM

Hello and thank you in advance for your help. I think it's great that you provide such a resourceful tool for everyone for free.
I've spent most of the past few days trying to rid my friend's computer (this computer) of a number of issues. I've tried running scans with Avast, AVG, Avira, MSERT, MSE, TDSSKiller, and Malwarebytes. I can't say at this point, since some of those scans took as long as 4 hours to complete, which ones turned up what, but some malicious infections were found and removed, which seems to have gotten rid of the actual phony virus scanner. I still have a number of other issues, which I will try to list, giving as much detail as I can. I'm not sure if all these issues are related to the infection or not.

On boot up I'm receiving an error just before or as the log in screen comes up, which reads as follows:

Microsoft Visual C++ Runtime Library
Runtime Error!
Program: C:\Windows\System32\nvvsvc.exe
This Application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

From what I understand this has something to do with the video drivers, but I'm unaware of how to remedy this. I just click ok and log in as usual.

The system is running 32-bit Windows Vista with what I believe is Service Pack 2. There are 6 pending important Windows updates that I've tried to install at least 3 times; each time they fail. I click update, everything seems to run fine, and it prompts to restart. While shutting down it continues the update steps, and upon restart and log in it notifies me that the updates have failed.

The start menu is/was completely empty, but I can add things to it. Again, this is a friend's computer, so I don't know if this is because of a virus or if it was like this prior.

In the Device Manager, under Other Devices, there are 2 instances of "Base System Device" which have yellow exclamation points next to them.

I was getting random internet explorer pop ups at one point, but they seem to have stopped. I'm still getting the Google redirects though, which is probably the biggest issue still. I don't know if it matters, but I've found that once it redirects, that if I go back and then forward in the browser that it takes me to the correct place.
Also regarding the browser, which is Mozilla Firefox, under Add-ons there are multiple instances of "Java Console" that appear to be different versions (6.0.18, 6.0.20, and 6.0.30). I have disabled the older two of the three.

I believe that's it as far as anything that I think might be relevant. Sorry if I've given too much, I figured too much is better than not enough.

In regards to the initial logs requested for this post, I had a little trouble running dds.scr because of an association with AutoCAD, which I found a fix for on another post here on the site involving a registry fix, which got it running.

I also had an issue running GMER; upon execution I get an error: LoadDriver("C:\Users\STEPHA~1\AppData\Local\Temp\fwdiruob.sys") error 0xC000010E: An instance of the service is already running.
When I press OK, it opens up and appears to do something briefly towards the bottom, as if it's scanning, but I don't think it is. When comparing my GMER screen to the picture in the guide, I have a number of my options grayed out.
I ran it as it was there.

Here is the DDS log; the Attach.txt and ark.txt are attached as requested. Just before I decided to submit here and obtained the logs requested, I ran Malwarebytes and I will attach its log as well, just in case it will help expedite us to a solution. Thank you so much in advance.



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by Stephanie at 16:04:14 on 2011-12-18
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3070.1791 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\conime.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AdobeBridge]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{C36BA0B8-E078-4074-B574-FA42385B58BA} : DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{F2C41A80-A366-4666-9496-A0D3E1C97E8A} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\stephanie\appdata\roaming\mozilla\firefox\profiles\vekyppk0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\adobe\acrobat 10.0\acrobat\browser\wcfirefoxextn\components\WCFirefox3Extn.dll
FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Adobe Acrobat - Create PDF: web2pdfextension@web2pdf.adobedotcom - c:\program files\adobe\acrobat 10.0\acrobat\browser\WCFirefoxExtn
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\DivXHTML5
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: XUL Cache: {dd39835c-03b3-4cc6-ab92-51aecd852289} - %profile%\extensions\{dd39835c-03b3-4cc6-ab92-51aecd852289}
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKslb6328f66;MpKslb6328f66;c:\programdata\microsoft\microsoft antimalware\definition updates\{b14ed25f-71c1-4f82-8b9d-f8f9eeb18d74}\MpKslb6328f66.sys [2011-12-18 29904]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-8-28 3664384]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 135664]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-18 22:18:21 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b14ed25f-71c1-4f82-8b9d-f8f9eeb18d74}\MpKslb6328f66.sys
2011-12-18 22:18:18 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b14ed25f-71c1-4f82-8b9d-f8f9eeb18d74}\offreg.dll
2011-12-18 16:44:15 6823496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b14ed25f-71c1-4f82-8b9d-f8f9eeb18d74}\mpengine.dll
2011-12-18 07:24:13 -------- d-----w- c:\program files\CCleaner
2011-12-16 22:30:36 6823496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-12-16 03:07:48 -------- d-----w- c:\program files\ESET
2011-12-15 11:21:18 -------- d-----w- c:\windows\system32\appmgmt
2011-12-15 06:03:15 703824 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{94c684d2-8e0e-4e24-ad9f-285e2d793bc6}\gapaengine.dll
2011-12-15 05:49:35 -------- d-----w- C:\AVG2012
2011-12-15 05:35:27 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-15 05:33:44 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-12-15 05:24:52 -------- d-----w- c:\program files\AVG
2011-12-15 05:19:15 -------- d--h--w- c:\programdata\Common Files
2011-12-15 05:18:40 -------- d-----w- c:\programdata\MFAData
2011-12-15 03:50:41 -------- d-----w- c:\windows\pss
2011-12-15 02:31:05 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-15 01:02:52 -------- d-----w- c:\users\stephanie\appdata\roaming\Malwarebytes
2011-12-15 01:02:36 -------- d-----w- c:\programdata\Malwarebytes
2011-12-15 01:02:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-15 00:26:49 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{796e8825-5da6-476c-8c56-6a9048c31b1d}\mpengine.dll
.
==================== Find3M ====================
.
2011-11-10 12:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-20 21:02:55 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-20 13:44:04 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
.
============= FINISH: 16:11:45.60 ===============


#2 HelpBot


Posted 26 December 2011 - 03:25 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/433474 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was follow the previous instructions and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Univrsl


Posted 26 December 2011 - 02:19 PM

Nothing has changed. The machine has been off since the original post. The same issues are still occurring. I still had the same issue running GMER. This time, however, GMER said something about detecting no modifications, and the log I saved from it is empty. I don't know if this is a result of the error I'm getting when I try to run it or not.


New Logs...

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by Stephanie at 13:24:17 on 2011-12-25
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3070.2040 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AdobeBridge]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{C36BA0B8-E078-4074-B574-FA42385B58BA} : DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{F2C41A80-A366-4666-9496-A0D3E1C97E8A} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\stephanie\appdata\roaming\mozilla\firefox\profiles\vekyppk0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\adobe\acrobat 10.0\acrobat\browser\wcfirefoxextn\components\WCFirefox3Extn.dll
FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Adobe Acrobat - Create PDF: web2pdfextension@web2pdf.adobedotcom - c:\program files\adobe\acrobat 10.0\acrobat\browser\WCFirefoxExtn
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\DivXHTML5
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: XUL Cache: {dd39835c-03b3-4cc6-ab92-51aecd852289} - %profile%\extensions\{dd39835c-03b3-4cc6-ab92-51aecd852289}
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl8ae2442b;MpKsl8ae2442b;c:\programdata\microsoft\microsoft antimalware\definition updates\{b14ed25f-71c1-4f82-8b9d-f8f9eeb18d74}\MpKsl8ae2442b.sys [2011-12-25 29904]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-8-28 3664384]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S1 MpKsl562dfb4a;MpKsl562dfb4a;c:\programdata\microsoft\microsoft antimalware\definition updates\{b14ed25f-71c1-4f82-8b9d-f8f9eeb18d74}\MpKsl562dfb4a.sys [2011-12-20 29904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 135664]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-25 20:21:12 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b14ed25f-71c1-4f82-8b9d-f8f9eeb18d74}\MpKsl8ae2442b.sys
2011-12-20 10:18:42 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b14ed25f-71c1-4f82-8b9d-f8f9eeb18d74}\offreg.dll
2011-12-18 16:44:15 6823496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b14ed25f-71c1-4f82-8b9d-f8f9eeb18d74}\mpengine.dll
2011-12-18 07:24:13 -------- d-----w- c:\program files\CCleaner
2011-12-16 22:30:36 6823496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-12-16 03:07:48 -------- d-----w- c:\program files\ESET
2011-12-15 11:21:18 -------- d-----w- c:\windows\system32\appmgmt
2011-12-15 06:03:15 703824 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{94c684d2-8e0e-4e24-ad9f-285e2d793bc6}\gapaengine.dll
2011-12-15 05:49:35 -------- d-----w- C:\AVG2012
2011-12-15 05:35:27 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-15 05:33:44 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-12-15 05:24:52 -------- d-----w- c:\program files\AVG
2011-12-15 05:19:15 -------- d--h--w- c:\programdata\Common Files
2011-12-15 05:18:40 -------- d-----w- c:\programdata\MFAData
2011-12-15 03:50:41 -------- d-----w- c:\windows\pss
2011-12-15 02:31:05 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-15 01:02:52 -------- d-----w- c:\users\stephanie\appdata\roaming\Malwarebytes
2011-12-15 01:02:36 -------- d-----w- c:\programdata\Malwarebytes
2011-12-15 01:02:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-15 00:26:49 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{796e8825-5da6-476c-8c56-6a9048c31b1d}\mpengine.dll
.
==================== Find3M ====================
.
2011-11-10 12:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 13:33:31.73 ===============

#4 Gammo

Gammo

  • Members
  • 202 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:08 AM

Posted 26 December 2011 - 05:53 PM

Hi,

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now


Please post the final results, good or bad. We like to know!


#5 Univrsl

Univrsl
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:11:08 PM

Posted 28 December 2011 - 02:04 PM

Still getting the search redirect. I haven't seen any of the Internet Explorer pop-ups in a while though, so I assume that is gone. Still getting the same error before the login screen. Still can't seem to get the Windows updates to install correctly. I click to install, it claims success and prompts to restart. After restart it says it was unsuccessful.


Here is the ComboFix log....

ComboFix 11-12-26.03 - Stephanie 12/25/2011 23:15:08.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3070.1769 [GMT -7:00]
Running from: c:\users\Stephanie\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\programdata\EwNVkSQkVAvKGv
c:\users\Stephanie\AppData\Roaming\Mozilla\Firefox\Profiles\vekyppk0.default\extensions\{dd39835c-03b3-4cc6-ab92-51aecd852289}
c:\users\Stephanie\AppData\Roaming\Mozilla\Firefox\Profiles\vekyppk0.default\extensions\{dd39835c-03b3-4cc6-ab92-51aecd852289}\chrome\xulcache.jar
c:\users\Stephanie\AppData\Roaming\Mozilla\Firefox\Profiles\vekyppk0.default\extensions\{dd39835c-03b3-4cc6-ab92-51aecd852289}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2011-11-26 to 2011-12-26 )))))))))))))))))))))))))))))))
.
.
2011-12-26 06:48 . 2011-12-26 06:51 -------- d-----w- c:\users\Stephanie\AppData\Local\temp
2011-12-26 06:48 . 2011-12-26 06:48 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-12-26 06:48 . 2011-12-26 06:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-26 05:52 . 2011-12-26 05:52 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9A74D03A-7A4C-4B32-89E0-C8FC16CD50D5}\MpKsl7d3f9a41.sys
2011-12-26 05:52 . 2011-12-26 05:52 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9A74D03A-7A4C-4B32-89E0-C8FC16CD50D5}\offreg.dll
2011-12-26 05:41 . 2011-12-21 07:24 121816 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-26 05:41 . 2011-12-21 07:24 97240 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-26 05:41 . 2011-12-21 07:24 814040 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-26 05:41 . 2011-12-21 07:24 486360 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-26 05:41 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2011-12-26 05:41 . 2011-12-21 07:24 2124760 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-12-26 05:41 . 2011-12-21 07:24 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-12-26 05:41 . 2011-12-21 04:30 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-26 05:41 . 2011-12-21 04:30 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-26 05:41 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2011-12-26 05:41 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2011-12-26 05:41 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2011-12-25 20:32 . 2011-11-21 09:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9A74D03A-7A4C-4B32-89E0-C8FC16CD50D5}\mpengine.dll
2011-12-18 07:24 . 2011-12-18 07:24 -------- d-----w- c:\program files\CCleaner
2011-12-16 22:30 . 2011-11-21 09:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-16 03:07 . 2011-12-16 03:07 -------- d-----w- c:\program files\ESET
2011-12-15 21:06 . 2011-12-15 21:06 -------- d-----w- c:\program files\7-Zip
2011-12-15 06:03 . 2011-12-15 06:02 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{94C684D2-8E0E-4E24-AD9F-285E2D793BC6}\gapaengine.dll
2011-12-15 05:49 . 2011-12-15 05:49 -------- d-----w- C:\AVG2012
2011-12-15 05:35 . 2011-12-15 05:37 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-15 05:33 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-12-15 05:24 . 2011-12-15 05:24 -------- d-----w- c:\program files\AVG
2011-12-15 05:19 . 2011-12-15 05:19 -------- d--h--w- c:\programdata\Common Files
2011-12-15 05:18 . 2011-12-15 19:53 -------- d-----w- c:\programdata\MFAData
2011-12-15 02:35 . 2011-12-15 02:35 -------- d-----w- c:\program files\Common Files\Java
2011-12-15 02:31 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-15 01:30 . 2011-12-15 01:30 -------- d-----w- c:\windows\Sun
2011-12-15 01:02 . 2011-12-15 01:02 -------- d-----w- c:\users\Stephanie\AppData\Roaming\Malwarebytes
2011-12-15 01:02 . 2011-12-15 01:02 -------- d-----w- c:\programdata\Malwarebytes
2011-12-15 01:02 . 2011-12-15 01:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-15 00:26 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{796E8825-5DA6-476C-8C56-6A9048C31B1D}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-10 12:54 . 2011-07-21 04:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-21 07:24 . 2011-12-26 05:41 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-10-03 13826664]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-09-05 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-09-05 2904984]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl562dfb4a;MpKsl562dfb4a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B14ED25F-71C1-4F82-8B9D-F8F9EEB18D74}\MpKsl562dfb4a.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 135664]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 MpKsl7d3f9a41;MpKsl7d3f9a41;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9A74D03A-7A4C-4B32-89E0-C8FC16CD50D5}\MpKsl7d3f9a41.sys [2011-12-26 29904]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-08-29 3664384]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL7D3F9A41
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 11:07]
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 11:07]
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
FF - ProfilePath - c:\users\Stephanie\AppData\Roaming\Mozilla\Firefox\Profiles\vekyppk0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
HKCU-Run-AdobeBridge - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-25 23:51
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-12-26 00:07:45
ComboFix-quarantined-files.txt 2011-12-26 07:07
.
Pre-Run: 164,493,606,912 bytes free
Post-Run: 164,926,799,872 bytes free
.
- - End Of File - - FD0FB4B12F0BC823056DA178DACBB0F5
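The DDS log earlier in the thread listed an unfamiliar "XUL Cache" extension under %profile%\extensions, and the ComboFix run above removed it together with two orphaned URLSearchHooks/WebBrowser entries. Reading these logs line by line is the helper's job, but a first pass can be scripted. The Python below is an added example for this thread, not code from the thread or from DDS, ComboFix or OTL: it applies a few triage rules to lines in the DDS/OTL format (a per-user Firefox extension with a GUID id that is not on a known list, a BHO with no name or no CLSID, a Run entry with no company name or a missing file, an orphaned "(no file)" entry, and the DHCP name servers, which are reported for review rather than flagged, since a search redirect can be done at the DNS level as well as in the browser). The allow-list of extension ids, the rule names and the sample lines (constructed from lines in the posts in this thread, with one BHO name simplified to plain ASCII) are this example's own assumptions.

```python
"""Triage rules for DDS / OTL style log lines.

Added example for this thread; not code from DDS, ComboFix or OTL.
The rule names, the allow-list and the sample lines are assumptions
made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on lines from the logs posted in this thread
# (one BHO name simplified to plain ASCII).
SAMPLE_LOG = r"""
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: XUL Cache: {dd39835c-03b3-4cc6-ab92-51aecd852289} - %profile%\extensions\{dd39835c-03b3-4cc6-ab92-51aecd852289}
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # which triage rule fired
    detail: str  # the identifier the rule keyed on
    line: str    # the raw log line


GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumed allow-list (illustration only): GUID-style extension ids that this
# pass treats as known, so they are not reported even from a user profile.
KNOWN_FF_EXT_IDS = {
    "{20a82645-c095-46ed-80e3-08825760534b}",  # Microsoft .NET Framework Assistant
    "{972ce4c6-7e08-4474-a285-3208198ce6fd}",  # Firefox default theme
}

FF_EXT_RE = re.compile(r"^FF - Ext: (?P<name>.+?): (?P<id>\S+) - (?P<path>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: \((?P<name>.*?)\) - (?P<clsid>\{[^}]+\}) - (?P<rest>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\Run: \[(?P<key>[^\]]+)\] (?P<rest>.+)$")
DNS_RE = re.compile(r"DhcpNameServer = (?P<servers>[0-9. ]+)$")


def check_line(line: str) -> list[Finding]:
    """Apply the triage rules to one log line; returns zero or more findings."""
    found: list[Finding] = []
    if m := FF_EXT_RE.match(line):
        # Rule 1: a GUID-named extension installed into the user profile that is
        # not on the known list. This is how the "XUL Cache" entry in the thread
        # showed up in the DDS log.
        ext_id = m["id"]
        in_profile = m["path"].lower().startswith("%profile%")
        if in_profile and GUID_RE.fullmatch(ext_id) and ext_id.lower() not in KNOWN_FF_EXT_IDS:
            found.append(Finding("ff-ext-unknown-guid", f"{m['name']} {ext_id}", line))
    elif m := BHO_RE.match(line):
        # Rule 2: a BHO with no name, or whose CLSID no longer resolves to a file.
        if m["name"] in ("", "no name") or "No CLSID value found" in m["rest"]:
            found.append(Finding("bho-orphan", m["clsid"], line))
    elif m := RUN_RE.match(line):
        # Rule 3: Run entries whose target is missing or carries no company name.
        rest = m["rest"]
        if rest.endswith("File not found"):
            found.append(Finding("run-missing-file", m["key"], line))
        elif rest.endswith("()"):
            found.append(Finding("run-no-company", m["key"], line))
    elif line.endswith("- (no file)"):
        # Rule 4: orphaned registry entries (ComboFix lists these under ORPHANS REMOVED).
        found.append(Finding("orphan-entry", line.split(" - ")[0], line))
    elif m := DNS_RE.search(line):
        # Rule 5: report the resolvers for review; a redirect can be DNS-level,
        # not only browser-level, so these are worth comparing with what the
        # ISP or router is expected to hand out.
        found.append(Finding("dns-review", m["servers"].strip(), line))
    return found


def triage(log_text: str) -> list[Finding]:
    """Run the rules over a whole log; blank lines are skipped."""
    results: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            results.extend(check_line(line))
    return results


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

Run as a script it prints one line per finding; on the sample it reports the XUL Cache extension, the nameless BHO, the DivX updater (no company name), the Adobe CS5.5 entry (file missing), the orphaned URLSearchHook and the two DHCP resolvers, and stays quiet on the .NET Assistant, Java and Security Essentials entries. The rules are deliberately narrow: they surface lines worth a human look, and the allow-list is where a real run would carry the ids of software actually known to be on the machine.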

#6 Gammo

Gammo

  • Members
  • 202 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:08 AM

Posted 28 December 2011 - 06:22 PM

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Check the box that says Scan All Users.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.


Please post the final results, good or bad. We like to know!


#7 Univrsl

Univrsl
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:11:08 PM

Posted 29 December 2011 - 03:53 PM

OTL.txt



OTL logfile created on: 12/28/2011 3:42:16 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Stephanie\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.86 Gb Available Physical Memory | 62.00% Memory free
6.19 Gb Paging File | 5.16 Gb Available in Paging File | 83.33% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 149.88 Gb Free Space | 50.28% Space Free | Partition Type: NTFS
Drive D: | 14.43 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: STEPHANIE-PC | User Name: Stephanie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/28 15:41:27 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Stephanie\Desktop\OTL.exe
PRC - [2011/12/21 00:24:51 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/09/05 10:04:58 | 002,904,984 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
PRC - [2011/07/28 16:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/21 00:24:51 | 002,124,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/07/28 16:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011/07/28 16:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2011/06/17 21:20:01 | 006,053,536 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/02/15 18:42:14 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2008/01/20 19:21:41 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011/12/28 03:05:49 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B3543673-3B08-479E-B037-E9CF23F30BD5}\MpKslc9bfb871.sys -- (MpKslc9bfb871)
DRV - [2011/12/27 14:01:20 | 000,029,904 | ---- | M] () [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B3543673-3B08-479E-B037-E9CF23F30BD5}\MpKslfebf18e8.sys -- (MpKslfebf18e8)
DRV - [2011/04/27 15:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/10/03 06:02:06 | 009,905,096 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/08/28 23:48:46 | 003,664,384 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel®
DRV - [2008/01/25 00:46:40 | 000,106,496 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2007/07/11 02:30:22 | 000,007,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqRemHid.sys -- (HpqRemHid)
DRV - [2006/11/14 17:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/02 00:41:49 | 001,010,560 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-73147703-3843051449-3486753951-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-73147703-3843051449-3486753951-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 56 CB 90 69 16 BB CC 01 [binary data]
IE - HKU\S-1-5-21-73147703-3843051449-3486753951-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-73147703-3843051449-3486753951-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: calendar-timezones@mozilla.org:0.1.2008d
FF - prefs.js..extensions.enabledItems: default-palette@celtx.com:1.0
FF - prefs.js..extensions.enabledItems: emoticons-msn-smileys@m513901.de:0.1
FF - prefs.js..extensions.enabledItems: inspector@mozilla.org:2.0.0
FF - prefs.js..extensions.enabledItems: messagestyle-blackened@addons.instantbird.org:0.9
FF - prefs.js..extensions.enabledItems: messagestyle-depth@addons.instantbird.org:1.1
FF - prefs.js..extensions.enabledItems: messagestyle-minimal20@addons.instantbird.org:1.5

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2011/12/15 04:47:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011/12/15 04:20:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/25 22:41:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/25 22:41:19 | 000,000,000 | ---D | M]

[2010/10/05 01:10:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Stephanie\AppData\Roaming\Mozilla\Extensions
[2010/08/19 01:07:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Stephanie\AppData\Roaming\Mozilla\Extensions\celtx@celtx.com
[2010/10/05 01:10:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Stephanie\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2011/12/25 23:46:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Stephanie\AppData\Roaming\Mozilla\Firefox\Profiles\vekyppk0.default\extensions
[2011/12/18 14:04:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Stephanie\AppData\Roaming\Mozilla\Firefox\Profiles\vekyppk0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/12/25 22:41:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/19 01:06:25 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
[2010/08/19 01:06:25 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM
[2010/08/19 01:06:25 | 000,000,000 | ---D | M] (MSN-Smileys) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\EMOTICONS-MSN-SMILEYS@M513901.DE
[2010/08/19 01:06:24 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG
[2010/08/19 01:06:24 | 000,000,000 | ---D | M] (Blackened) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-BLACKENED@ADDONS.INSTANTBIRD.ORG
[2010/08/19 01:06:24 | 000,000,000 | ---D | M] (Depth) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-DEPTH@ADDONS.INSTANTBIRD.ORG
[2010/08/19 01:06:24 | 000,000,000 | ---D | M] (Minimal) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-MINIMAL20@ADDONS.INSTANTBIRD.ORG
[2011/12/21 00:24:52 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/12/14 22:31:20 | 000,003,739 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2011/12/20 21:30:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/12/20 21:30:41 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2011/12/25 23:50:41 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-73147703-3843051449-3486753951-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-73147703-3843051449-3486753951-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-73147703-3843051449-3486753951-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-73147703-3843051449-3486753951-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C36BA0B8-E078-4074-B574-FA42385B58BA}: DhcpNameServer = 68.87.72.134 68.87.77.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F2C41A80-A366-4666-9496-A0D3E1C97E8A}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Stephanie\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Stephanie\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/02/15 17:38:25 | 000,000,000 | ---D | M] - C:\autodesk -- [ NTFS ]
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/28 15:41:23 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Stephanie\Desktop\OTL.exe
[2011/12/26 00:08:35 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/12/26 00:08:20 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/12/26 00:08:19 | 000,000,000 | ---D | C] -- C:\Users\Stephanie\AppData\Local\temp
[2011/12/25 23:05:01 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/25 23:05:01 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/25 23:05:01 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/25 23:03:50 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/12/25 22:47:41 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/25 22:44:47 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/18 00:24:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2011/12/18 00:24:13 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/12/15 20:07:48 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/12/15 14:06:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
[2011/12/15 14:06:35 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2011/12/15 13:52:08 | 000,000,000 | ---D | C] -- C:\Users\Stephanie\Desktop\bleep All These Folders
[2011/12/15 05:00:11 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/12/15 04:21:18 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
[2011/12/14 22:49:35 | 000,000,000 | ---D | C] -- C:\AVG2012
[2011/12/14 22:35:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/12/14 22:24:52 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/12/14 22:19:15 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2011/12/14 22:18:40 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2011/12/14 20:50:41 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2011/12/14 19:35:55 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/12/14 18:30:08 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/12/14 18:02:52 | 000,000,000 | ---D | C] -- C:\Users\Stephanie\AppData\Roaming\Malwarebytes
[2011/12/14 18:02:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/14 18:02:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/12/14 18:02:32 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[1 C:\Users\Stephanie\Desktop\*.tmp files -> C:\Users\Stephanie\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/28 15:41:27 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Stephanie\Desktop\OTL.exe
[2011/12/28 15:39:50 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/28 15:05:46 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/28 15:05:46 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/28 14:52:04 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/28 03:13:18 | 000,606,602 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/28 03:13:18 | 000,105,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/28 03:05:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/28 03:05:12 | 3219,558,400 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/28 00:35:46 | 332,070,016 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/12/25 23:50:41 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/12/25 22:41:24 | 000,000,870 | ---- | M] () -- C:\Users\Stephanie\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/12/25 22:41:24 | 000,000,846 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/12/19 07:04:01 | 000,001,356 | ---- | M] () -- C:\Users\Stephanie\AppData\Local\d3d9caps.dat
[2011/12/19 04:00:31 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
[2011/12/18 21:24:53 | 000,030,718 | ---- | M] () -- C:\Users\Stephanie\Desktop\gmerscreen.jpg
[2011/12/18 00:24:14 | 000,000,804 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011/12/15 04:48:26 | 000,001,899 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Acrobat X Pro.lnk
[2011/12/14 22:39:50 | 000,002,154 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/12/14 18:02:37 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/11 20:57:04 | 000,007,528 | -HS- | M] () -- C:\Users\Stephanie\AppData\Local\a87d5rd783s2gd45284xcwd08uom763nh0m2
[2011/12/11 20:57:04 | 000,007,528 | -HS- | M] () -- C:\ProgramData\a87d5rd783s2gd45284xcwd08uom763nh0m2
[2011/12/11 20:21:41 | 000,001,826 | ---- | M] () -- C:\Users\Stephanie\Desktop\Verizon V CAST Media Manager.lnk
[2011/12/01 17:11:24 | 001,462,525 | ---- | M] () -- C:\Users\Stephanie\Desktop\red.jpg
[1 C:\Users\Stephanie\Desktop\*.tmp files -> C:\Users\Stephanie\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/25 23:05:01 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/25 23:05:01 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/25 23:05:01 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/25 23:05:01 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/25 23:05:01 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/25 22:41:24 | 000,000,858 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/12/19 04:00:31 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
[2011/12/18 21:24:53 | 000,030,718 | ---- | C] () -- C:\Users\Stephanie\Desktop\gmerscreen.jpg
[2011/12/18 15:18:13 | 3219,558,400 | -HS- | C] () -- C:\hiberfil.sys
[2011/12/18 01:42:23 | 332,070,016 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/12/18 00:24:14 | 000,000,804 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011/12/14 22:39:50 | 000,002,154 | ---- | C] () -- C:\Windows\epplauncher.mif
[2011/12/14 22:35:46 | 000,001,808 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/12/14 18:02:37 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/11 20:55:35 | 000,007,528 | -HS- | C] () -- C:\Users\Stephanie\AppData\Local\a87d5rd783s2gd45284xcwd08uom763nh0m2
[2011/12/11 20:55:35 | 000,007,528 | -HS- | C] () -- C:\ProgramData\a87d5rd783s2gd45284xcwd08uom763nh0m2
[2011/12/01 17:11:19 | 001,462,525 | ---- | C] () -- C:\Users\Stephanie\Desktop\red.jpg
[2011/11/04 10:32:17 | 000,000,000 | ---- | C] () -- C:\Users\Stephanie\AppData\Local\{227B7464-1335-4B52-8484-EFC7B6128259}
[2011/06/23 11:05:00 | 000,000,132 | ---- | C] () -- C:\Users\Stephanie\AppData\Roaming\Adobe GIF Format CS5 Prefs
[2011/01/24 15:45:58 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2010/04/18 17:04:44 | 000,022,528 | ---- | C] () -- C:\Users\Stephanie\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/27 16:06:36 | 000,166,674 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010/03/27 14:25:11 | 000,166,674 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2010/03/22 10:56:40 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2010/03/22 10:56:39 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010/03/22 10:55:53 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2010/03/20 03:35:12 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2010/03/18 19:39:17 | 000,001,356 | ---- | C] () -- C:\Users\Stephanie\AppData\Local\d3d9caps.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2008/01/20 19:23:41 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2006/11/02 05:55:52 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 05:46:27 | 003,801,552 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 05:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:33:01 | 000,606,602 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 03:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 03:33:01 | 000,105,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 03:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 03:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 01:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 01:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 00:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2005/05/06 19:06:00 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll

========== LOP Check ==========

[2011/09/28 21:13:39 | 000,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\uTorrent
[2011/03/05 21:53:35 | 000,000,000 | ---D | M] -- C:\Users\Stephanie\AppData\Roaming\Autodesk
[2010/03/18 19:54:58 | 000,000,000 | ---D | M] -- C:\Users\Stephanie\AppData\Roaming\Foxit
[2010/08/19 01:06:59 | 000,000,000 | ---D | M] -- C:\Users\Stephanie\AppData\Roaming\Greyfirst
[2011/12/28 03:04:04 | 000,032,574 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

Extras.txt

OTL Extras logfile created on: 12/28/2011 3:42:16 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Stephanie\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.86 Gb Available Physical Memory | 62.00% Memory free
6.19 Gb Paging File | 5.16 Gb Available in Paging File | 83.33% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 149.88 Gb Free Space | 50.28% Space Free | Partition Type: NTFS
Drive D: | 14.43 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: STEPHANIE-PC | User Name: Stephanie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-73147703-3843051449-3486753951-1000\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found
.scr [@ = scrfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0B14C022-0DA0-4399-8AE4-B3CB6960F5AC}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{5EA4E9D0-08FB-432F-BAF0-7F227512C2D6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{DD1D6075-182A-42F8-AFFA-A0DBCAF3A6AF}" = lport=2869 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03470C45-BF0C-4509-9398-69DFBCCADCF8}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{1834B05A-C23C-4AF1-A524-DFE37A30AF1C}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{2AB59EB8-47B0-49A3-92AC-C404850FC504}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{3DF43CA2-729A-4EC6-A96D-2998ACE507B9}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{ABC0E457-1878-44B8-81B5-FC244BBF0D38}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{F1403E35-D7A0-4E91-BD3C-C91B8972D673}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{F44A09EC-95EC-433E-9A03-612C12F68C77}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 30
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3521BDBD-D453-5D9F-AA55-44B75D214629}" = Adobe Community Help
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E33D05D-76CF-5D3C-4D5D-7727530FA161}" = Adobe Content Viewer
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{5783F2D7-8001-0409-0002-0060B0CE6BBA}" = AutoCAD 2010 - English
"{5783F2D7-8001-0409-1002-0060B0CE6BBA}" = AutoCAD 2010 Language Pack - English
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{60E59A6C-7399-495A-B85C-C829F4E59602}" = Adobe Creative Suite 5.5 Design Premium
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C542173-96F0-435D-A95C-468CAAC75EA0}" = Adobe Flash Player 10 Plugin
"{A436B59A-756E-426F-A348-2BE1BE99B86F}" = AVG 2012
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-F400-7760-000000000005}" = Adobe Acrobat X Pro - English, Français, Deutsch
"{B001064C-D061-4BAE-9031-416A838D5536}" = Adobe Flash Player 10 ActiveX
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{FDF64A37-4842-48CD-A424-2C38444D36FD}" = LG Android Drivers
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 9.20
"Adobe AIR" = Adobe AIR
"AutoCAD 2010 - English" = AutoCAD 2010 - English
"CCleaner" = CCleaner
"Celtx (2.7)" = Celtx (2.7)
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"com.adobe.dmp.contentviewer" = Adobe Content Viewer
"DivX Setup" = DivX Setup
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ESET Online Scanner" = ESET Online Scanner v3
"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
"Foxit Reader" = Foxit Reader
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"NVIDIA Drivers" = NVIDIA Drivers
"Verizon V CAST Media Manager" = Verizon V CAST Media Manager
"WinLiveSuite_Wave3" = Windows Live Essentials

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/18/2011 8:39:45 PM | Computer Name = Stephanie-PC | Source = WinMgmt | ID = 10
Description =

Error - 12/18/2011 10:26:40 PM | Computer Name = Stephanie-PC | Source = Perflib | ID = 1010
Description =

Error - 12/19/2011 6:20:19 AM | Computer Name = Stephanie-PC | Source = WinMgmt | ID = 10
Description =

Error - 12/20/2011 6:19:47 AM | Computer Name = Stephanie-PC | Source = WinMgmt | ID = 10
Description =

Error - 12/25/2011 4:22:16 PM | Computer Name = Stephanie-PC | Source = WinMgmt | ID = 10
Description =

Error - 12/25/2011 4:41:34 PM | Computer Name = Stephanie-PC | Source = Perflib | ID = 1010
Description =

Error - 12/26/2011 1:53:44 AM | Computer Name = Stephanie-PC | Source = WinMgmt | ID = 10
Description =

Error - 12/26/2011 6:19:48 AM | Computer Name = Stephanie-PC | Source = WinMgmt | ID = 10
Description =

Error - 12/28/2011 3:37:17 AM | Computer Name = Stephanie-PC | Source = WinMgmt | ID = 10
Description =

Error - 12/28/2011 6:06:55 AM | Computer Name = Stephanie-PC | Source = WinMgmt | ID = 10
Description =

[ Media Center Events ]
Error - 9/3/2010 8:35:07 PM | Computer Name = Stephanie-PC | Source = MCUpdate | ID = 0
Description = Failed to wait on MCUpdate mutex with exception: 'The wait completed
due to an abandoned mutex.'.

Error - 11/20/2010 10:20:46 PM | Computer Name = Stephanie-PC | Source = MCUpdate | ID = 0
Description = Failed to wait on MCUpdate mutex with exception: 'The wait completed
due to an abandoned mutex.'.

Error - 11/29/2010 10:31:40 PM | Computer Name = Stephanie-PC | Source = MCUpdate | ID = 0
Description = Failed to wait on MCUpdate mutex with exception: 'The wait completed
due to an abandoned mutex.'.

Error - 1/1/2011 10:26:10 PM | Computer Name = Stephanie-PC | Source = MCUpdate | ID = 0
Description = Failed to wait on MCUpdate mutex with exception: 'The wait completed
due to an abandoned mutex.'.

[ System Events ]
Error - 12/28/2011 6:06:48 AM | Computer Name = Stephanie-PC | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 12/28/2011 6:06:49 AM | Computer Name = Stephanie-PC | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 12/28/2011 6:06:49 AM | Computer Name = Stephanie-PC | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 12/28/2011 6:06:56 AM | Computer Name = Stephanie-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12/28/2011 6:08:48 AM | Computer Name = Stephanie-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 12/28/2011 6:08:48 AM | Computer Name = Stephanie-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 12/28/2011 6:08:48 AM | Computer Name = Stephanie-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 12/28/2011 6:08:48 AM | Computer Name = Stephanie-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 12/28/2011 6:08:48 AM | Computer Name = Stephanie-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 12/28/2011 6:08:49 AM | Computer Name = Stephanie-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =


< End of report >

#8 Gammo

  • Members
  • 202 posts
  • Gender:Not Telling

Posted 29 December 2011 - 04:25 PM

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/12/11 20:57:04 | 000,007,528 | -HS- | M] () -- C:\Users\Stephanie\AppData\Local\a87d5rd783s2gd45284xcwd08uom763nh0m2
    [2011/12/11 20:57:04 | 000,007,528 | -HS- | M] () -- C:\ProgramData\a87d5rd783s2gd45284xcwd08uom763nh0m2
    [2011/11/04 10:32:17 | 000,000,000 | ---- | C] () -- C:\Users\Stephanie\AppData\Local\{227B7464-1335-4B52-8484-EFC7B6128259}
    [1 C:\Users\Stephanie\Desktop\*.tmp files -> C:\Users\Stephanie\Desktop\*.tmp -> ]
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Malwarebytes' Anti-Malware

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates have been downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Please post the final results, good or bad. We like to know!


#9 Univrsl
  • Topic Starter

  • Members
  • 19 posts

Posted 30 December 2011 - 04:14 PM

Still getting redirects. Haven't tried to update again, but I assume that probably still isn't working either.

Malwarebytes Log.....

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.29.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Stephanie :: STEPHANIE-PC [administrator]

12/28/2011 6:32:39 PM
mbam-log-2011-12-28 (18-32-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195355
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESETS Log.....

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=be522ede5448e94b9393a7b2885fabf4
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-16 07:23:06
# local_time=2011-12-16 12:23:06 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 100 0 160612763 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=249404
# found=9
# cleaned=9
# scan_time=15077
C:\Users\Stephanie\AppData\Local\Mozilla\Firefox\Profiles\vekyppk0.default\Cache\6D06951Cd01 Win32/SoftonicDownloader application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\AppData\Local\Temp\cmd.exe Win32/Olmarik.AXW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\AppData\Local\Temp\control.exe Win32/Olmarik.AXW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\AppData\Local\Temp\Magnify.exe Win32/Olmarik.AXW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\AppData\Local\Temp\Narrator.exe Win32/Olmarik.AXW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\AppData\Local\Temp\osk.exe Win32/Olmarik.AXW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\AppData\Roaming\Mozilla\Firefox\Profiles\vekyppk0.default\extensions\{dd39835c-03b3-4cc6-ab92-51aecd852289}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\Desktop\bleep All These Folders\registrybooster.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\Downloads\SoftonicDownloader_for_kaspersky-tdsskiller.exe Win32/SoftonicDownloader application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=be522ede5448e94b9393a7b2885fabf4
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-29 04:46:59
# local_time=2011-12-28 09:46:59 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 100 248044 161730529 0 0
# compatibility_mode=8192 67108863 100 0 196406 196406 0 0
# scanned=229872
# found=0
# cleaned=0
# scan_time=11144
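
The two ESET Online Scanner logs above are the scanner's own output. The script below is an added example, not part of the thread and not ESET's tooling, that parses that log format so a pasted log can be checked programmatically: it splits the text into runs at the `ESETSmartInstaller@High as downloader log:` marker, reads the `# key=value` header, pulls path, threat name, action and hash out of each detection line, and confirms that `# found` and `# cleaned` agree with the detection lines actually listed. The sample text is a trimmed copy of the two logs posted above. Win32/Olmarik is ESET's name for the TDSS/TDL rootkit family, which is why the five copies under the Temp folder, named after Windows accessibility tools, are the entries to look at first; the `temp_executables` field that picks them out is this example's own.

```python
"""Parse ESET Online Scanner logs: per run, a '# key=value' header followed by
one line per detected object. Added example; not ESET's or the thread's code."""
import re

RUN_START = "ESETSmartInstaller@High as downloader log:"

# One detection per line:  <path> <threat> <kind> (<action>) <32-hex hash> <flag>
# The path may contain spaces, so it is matched lazily and pinned down by the
# fixed fields that follow it.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>\S+)\s+(?P<kind>\S+)\s+"
    r"\((?P<action>[^)]*)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$"
)


def parse_eset_log(text):
    """Split pasted log text (possibly several runs) into run dictionaries."""
    runs, run = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == RUN_START or run is None:
            run = {"header": {}, "detections": [], "unparsed": []}
            runs.append(run)
            if line == RUN_START:
                continue
        if line == "all ok":                      # downloader status line
            run["header"]["downloader"] = "ok"
        elif line.startswith("# "):
            key, _, value = line[2:].partition("=")
            value = value.strip().strip('"')
            if key == "compatibility_mode":       # emitted twice per run
                run["header"].setdefault(key, []).append(value)
            else:
                run["header"][key] = value
        else:
            m = DETECTION_RE.match(line)
            if m:
                run["detections"].append(m.groupdict())
            else:
                run["unparsed"].append(line)      # anything the regex missed
    return runs


def summarize(text):
    """Per run: header totals, what was actually listed, and whether they agree."""
    out = []
    for run in parse_eset_log(text):
        dets, hdr = run["detections"], run["header"]
        found, cleaned = int(hdr.get("found", "0")), int(hdr.get("cleaned", "0"))
        cleaned_lines = sum(1 for d in dets
                            if d["action"].startswith(("cleaned", "deleted")))
        threats = {}
        for d in dets:
            threats.setdefault(d["threat"], []).append(d["path"])
        out.append({
            "utc_time": hdr.get("utc_time"),
            "found": found, "cleaned": cleaned, "listed": len(dets),
            "consistent": found == len(dets) and cleaned == cleaned_lines,
            "unparsed": run["unparsed"],
            "threats": threats,
            # executables the scanner found under a Temp folder
            "temp_executables": [d["path"] for d in dets
                                 if "\\temp\\" in d["path"].lower()
                                 and d["path"].lower().endswith(".exe")],
        })
    return out


# Trimmed copy of the two logs posted above (constructed sample input).
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# utc_time=2011-12-16 07:23:06
# country="United States"
# compatibility_mode=5892 16776574 100 100 0 160612763 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=249404
# found=9
# cleaned=9
C:\Users\Stephanie\AppData\Local\Mozilla\Firefox\Profiles\vekyppk0.default\Cache\6D06951Cd01 Win32/SoftonicDownloader application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\AppData\Local\Temp\cmd.exe Win32/Olmarik.AXW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\AppData\Local\Temp\control.exe Win32/Olmarik.AXW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\AppData\Local\Temp\Magnify.exe Win32/Olmarik.AXW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\AppData\Local\Temp\Narrator.exe Win32/Olmarik.AXW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\AppData\Local\Temp\osk.exe Win32/Olmarik.AXW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\AppData\Roaming\Mozilla\Firefox\Profiles\vekyppk0.default\extensions\{dd39835c-03b3-4cc6-ab92-51aecd852289}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\Desktop\bleep All These Folders\registrybooster.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Stephanie\Downloads\SoftonicDownloader_for_kaspersky-tdsskiller.exe Win32/SoftonicDownloader application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# utc_time=2011-12-29 04:46:59
# scanned=229872
# found=0
# cleaned=0
"""
```

`summarize(SAMPLE_LOG)` returns one dictionary per run; for the first run it reports nine listed detections matching `found=9`/`cleaned=9`, five `Win32/Olmarik.AXW` paths, and the five `.exe` files under `Temp`, while the second run parses as a clean scan. A non-empty `unparsed` list is the signal that the log contains a line shape the regex does not know.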

#10 Gammo

  • Members
  • 202 posts
  • Gender:Not Telling

Posted 01 January 2012 - 09:32 AM

Delete your copy of ComboFix.exe from the Desktop.

Then..

Download the latest version of ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now


Please post the final results, good or bad. We like to know!


#11 Univrsl
  • Topic Starter

  • Members
  • 19 posts

Posted 02 January 2012 - 12:31 PM

Doesn't seem as though anything has changed. Deleted and re-downloaded and ran ComboFix. Still getting google search redirects.

Here is ComboFix log...

ComboFix 12-01-02.01 - Stephanie 01/01/2012 11:10:08.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3070.1894 [GMT -7:00]
Running from: c:\users\Stephanie\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-01 to 2012-01-01 )))))))))))))))))))))))))))))))
.
.
2012-01-01 18:40 . 2012-01-01 18:40 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-01-01 18:40 . 2012-01-01 18:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-01 10:19 . 2012-01-01 10:19 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3B5832F-798C-40A1-BEC6-9C1D4A4F7B39}\MpKsl224ae6fc.sys
2012-01-01 10:18 . 2012-01-01 10:18 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3B5832F-798C-40A1-BEC6-9C1D4A4F7B39}\offreg.dll
2012-01-01 10:18 . 2011-11-21 09:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3B5832F-798C-40A1-BEC6-9C1D4A4F7B39}\mpengine.dll
2011-12-29 01:17 . 2011-12-29 01:17 -------- d-----w- C:\_OTL
2011-12-26 07:08 . 2012-01-01 18:42 -------- d-----w- c:\users\Stephanie\AppData\Local\temp
2011-12-26 05:41 . 2011-12-21 07:24 121816 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-26 05:41 . 2011-12-21 07:24 97240 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-26 05:41 . 2011-12-21 07:24 814040 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-26 05:41 . 2011-12-21 07:24 486360 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-26 05:41 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2011-12-26 05:41 . 2011-12-21 07:24 2124760 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-12-26 05:41 . 2011-12-21 07:24 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-12-26 05:41 . 2011-12-21 04:30 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-26 05:41 . 2011-12-21 04:30 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-26 05:41 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2011-12-26 05:41 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2011-12-26 05:41 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2011-12-18 07:24 . 2011-12-18 07:24 -------- d-----w- c:\program files\CCleaner
2011-12-16 22:30 . 2011-11-21 09:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-16 03:07 . 2011-12-16 03:07 -------- d-----w- c:\program files\ESET
2011-12-15 21:06 . 2011-12-15 21:06 -------- d-----w- c:\program files\7-Zip
2011-12-15 06:03 . 2011-12-15 06:02 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{94C684D2-8E0E-4E24-AD9F-285E2D793BC6}\gapaengine.dll
2011-12-15 05:49 . 2011-12-15 05:49 -------- d-----w- C:\AVG2012
2011-12-15 05:35 . 2011-12-15 05:37 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-15 05:33 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-12-15 05:24 . 2011-12-15 05:24 -------- d-----w- c:\program files\AVG
2011-12-15 05:19 . 2011-12-15 05:19 -------- d--h--w- c:\programdata\Common Files
2011-12-15 05:18 . 2011-12-15 19:53 -------- d-----w- c:\programdata\MFAData
2011-12-15 02:35 . 2011-12-15 02:35 -------- d-----w- c:\program files\Common Files\Java
2011-12-15 02:31 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-15 01:30 . 2011-12-15 01:30 -------- d-----w- c:\windows\Sun
2011-12-15 01:02 . 2011-12-15 01:02 -------- d-----w- c:\users\Stephanie\AppData\Roaming\Malwarebytes
2011-12-15 01:02 . 2011-12-15 01:02 -------- d-----w- c:\programdata\Malwarebytes
2011-12-15 01:02 . 2011-12-29 01:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-15 00:26 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{796E8825-5DA6-476C-8C56-6A9048C31B1D}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-10 12:54 . 2011-07-21 04:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-21 07:24 . 2011-12-26 05:41 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-26_06.52.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:56 . 2011-12-29 22:59 43370 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:03 . 2011-12-29 22:59 82664 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2010-03-19 02:40 . 2011-12-29 22:59 9928 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-73147703-3843051449-3486753951-1000_UserData.bin
- 2011-12-26 05:52 . 2011-12-26 05:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-01 10:05 . 2012-01-01 10:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-01 10:05 . 2012-01-01 10:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-12-26 05:52 . 2011-12-26 05:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-03-19 20:26 . 2011-12-31 10:00 383512 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2012-01-01 10:13 606602 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2011-12-26 06:00 606602 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2012-01-01 10:13 105170 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2011-12-26 06:00 105170 c:\windows\System32\perfc009.dat
- 2011-02-24 18:28 . 2011-12-26 05:51 503740 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-02-24 18:28 . 2012-01-01 10:04 503740 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-12-15 05:42 . 2011-12-15 11:32 504508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-73147703-3843051449-3486753951-1000-12288.dat
+ 2011-12-15 05:42 . 2011-12-26 10:17 504508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-73147703-3843051449-3486753951-1000-12288.dat
+ 2006-11-02 10:22 . 2012-01-01 10:06 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2006-11-02 10:22 . 2011-12-26 05:53 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2011-08-10 10:31 . 2011-12-31 10:17 2259020 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-73147703-3843051449-3486753951-1000-8192.dat
- 2011-12-26 06:06 . 2011-12-26 06:06 6610944 c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
+ 2011-12-26 06:06 . 2012-01-01 18:05 6610944 c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
+ 2010-03-22 10:00 . 2012-01-01 16:15 237527335 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-10-03 13826664]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-09-05 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-09-05 2904984]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl562dfb4a;MpKsl562dfb4a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B14ED25F-71C1-4F82-8B9D-F8F9EEB18D74}\MpKsl562dfb4a.sys [x]
R1 MpKslfebf18e8;MpKslfebf18e8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B3543673-3B08-479E-B037-E9CF23F30BD5}\MpKslfebf18e8.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 135664]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 MpKsl224ae6fc;MpKsl224ae6fc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3B5832F-798C-40A1-BEC6-9C1D4A4F7B39}\MpKsl224ae6fc.sys [2012-01-01 29904]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-08-29 3664384]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL224AE6FC
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 11:07]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 11:07]
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
FF - ProfilePath - c:\users\Stephanie\AppData\Roaming\Mozilla\Firefox\Profiles\vekyppk0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-01 11:42
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-01-01 11:57:08
ComboFix-quarantined-files.txt 2012-01-01 18:56
ComboFix2.txt 2011-12-26 07:08
.
Pre-Run: 146,475,544,576 bytes free
Post-Run: 146,674,163,712 bytes free
.
- - End Of File - - F10A76AFB4FB761D71CAA862F54F363E
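
The "Reg Loading Points" section of the ComboFix log above is the tool's own output. As an added example, not ComboFix's code and not part of the thread, the script below reads that section, collects the Run-key entries and the R/S driver and service lines, and flags anything whose image lives under ProgramData, a user profile or a Temp folder, or whose file ComboFix reported missing with `[x]`. The sample is a trimmed copy of the log above; the `USER_WRITABLE` prefixes and the function names are this example's own. The entries it flags here are Microsoft Security Essentials' own definition-update drivers (the MpKsl* files), so a flag is a prompt to verify a file's signature and origin, not a verdict.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log. Added example,
not ComboFix's code: the regexes follow the line shapes seen in the log."""
import re

# "name"="c:\path\file.exe" [YYYY-MM-DD size]
RUN_ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)
# R2 name;Display Name;c:\path\file.sys [YYYY-MM-DD size]   ([x] = file missing)
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]$'
)
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')

# Locations an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\temp\\", "\\appdata\\")


def parse_loading_points(text):
    """Return a list of autostart entries with kind, name, path and metadata."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group("key")
            continue
        run = RUN_ENTRY_RE.match(line)
        if run and current_key and current_key.lower().endswith("\\run"):
            entries.append({"kind": "run", "key": current_key,
                            "missing": False, **run.groupdict()})
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            d = svc.groupdict()
            entries.append({"kind": "service", "missing": d["info"] == "x", **d})
    return entries


def flag_reasons(entry):
    """Why an entry deserves a look; an empty list means nothing unusual."""
    reasons, path = [], entry["path"].lower()
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("loads from a user-writable location")
    if entry["missing"]:
        reasons.append("file not found on disk ([x])")
    return reasons


def triage(text):
    """(kind, name, reasons) for every entry worth reviewing."""
    return [(e["kind"], e["name"], flag_reasons(e))
            for e in parse_loading_points(text) if flag_reasons(e)]


# Trimmed copy of the ComboFix section above (constructed sample input).
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-10-03 13826664]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R1 MpKsl562dfb4a;MpKsl562dfb4a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B14ED25F-71C1-4F82-8B9D-F8F9EEB18D74}\MpKsl562dfb4a.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 135664]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
S1 MpKsl224ae6fc;MpKsl224ae6fc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3B5832F-798C-40A1-BEC6-9C1D4A4F7B39}\MpKsl224ae6fc.sys [2012-01-01 29904]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-08-29 3664384]
"""
```

`triage(SAMPLE)` returns the two MpKsl drivers: the first both because it loads from ProgramData and because ComboFix marked it `[x]`, the second for its location alone. Entries under keys other than `...\Run` (the policies key here) are deliberately ignored, since their value syntax differs.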

#12 Gammo

  • Members
  • 202 posts
  • Gender:Not Telling

Posted 02 January 2012 - 02:30 PM

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.


Please post the final results, good or bad. We like to know!


#13 Univrsl
  • Topic Starter

  • Members
  • 19 posts

Posted 03 January 2012 - 03:48 PM

I ended up having to look a bit to find the TDSS Killer, but found it here (http://support.kaspersky.com/viruses/utility).
Both TDSSKiller and aswMBR would NOT run. On each, I would be prompted with the UAC and would click allow, the window would go away and nothing would happen. I have a registry fix that I believe will fix this, but I thought it would be best to allow you to advise my next move and follow your lead. I tried renaming both files to random names with .com endings. Still no luck. MBRCheck ran just fine though; here is its log...

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Ultimate Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Quanta
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP Pavilion dv6700 Notebook PC
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 150):
0x81E38000 \SystemRoot\system32\ntkrnlpa.exe
0x81E05000 \SystemRoot\system32\hal.dll
0x80405000 \SystemRoot\system32\kdcom.dll
0x80407000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80477000 \SystemRoot\system32\PSHED.dll
0x80488000 \SystemRoot\system32\BOOTVID.dll
0x80490000 \SystemRoot\system32\CLFS.SYS
0x804D1000 \SystemRoot\system32\CI.dll
0x8060B000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80687000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80694000 \SystemRoot\system32\drivers\acpi.sys
0x806DA000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806E3000 \SystemRoot\system32\drivers\msisadrv.sys
0x806EB000 \SystemRoot\system32\drivers\pci.sys
0x80712000 \SystemRoot\System32\drivers\partmgr.sys
0x80721000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80724000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8072E000 \SystemRoot\system32\drivers\volmgr.sys
0x8073D000 \SystemRoot\System32\drivers\volmgrx.sys
0x80787000 \SystemRoot\system32\drivers\intelide.sys
0x8078E000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x8079C000 \SystemRoot\System32\drivers\mountmgr.sys
0x807AC000 \SystemRoot\system32\drivers\atapi.sys
0x807B4000 \SystemRoot\system32\drivers\ataport.SYS
0x807D2000 \SystemRoot\system32\drivers\msahci.sys
0x805B1000 \SystemRoot\system32\drivers\fltmgr.sys
0x807DC000 \SystemRoot\system32\drivers\fileinfo.sys
0x82407000 \SystemRoot\System32\Drivers\ksecdd.sys
0x82478000 \SystemRoot\system32\drivers\ndis.sys
0x82583000 \SystemRoot\system32\drivers\msrpc.sys
0x825AE000 \SystemRoot\system32\drivers\NETIO.SYS
0x82600000 \SystemRoot\System32\drivers\tcpip.sys
0x826ED000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8A209000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8A319000 \SystemRoot\system32\drivers\volsnap.sys
0x8A352000 \SystemRoot\System32\Drivers\spldr.sys
0x8A35A000 \SystemRoot\System32\Drivers\mup.sys
0x8A369000 \SystemRoot\System32\drivers\ecache.sys
0x8A390000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8A3B4000 \SystemRoot\system32\drivers\disk.sys
0x8A3C5000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x8A3E6000 \SystemRoot\system32\drivers\crcdisk.sys
0x8272E000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8A200000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8A3FC000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x82739000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x82742000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8DE0B000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8E77C000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x82751000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8E77E000 \SystemRoot\System32\drivers\watchdog.sys
0x8E78A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8E795000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8E7D3000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8EA0E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8EC0B000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
0x8EF93000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x8EFB1000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8EFC1000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8EFCF000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x8EA9B000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x8EFE9000 \SystemRoot\system32\DRIVERS\HpqRemHid.sys
0x8EFEB000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8EC00000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8EAEC000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8EAFF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8EB0A000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8EB15000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8EB2D000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8EB5C000 \SystemRoot\system32\DRIVERS\storport.sys
0x8EB9D000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8EBA8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8EBBF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8EBCA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8EBED000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8E7E2000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x825E9000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8F006000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0x8F08F000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8F09F000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8F0A1000 \SystemRoot\system32\DRIVERS\ks.sys
0x8F0CB000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8F0D5000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8F0E2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8F117000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8F120000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8F131000 \SystemRoot\system32\drivers\HdAudio.sys
0x8F170000 \SystemRoot\system32\drivers\portcls.sys
0x8F19D000 \SystemRoot\system32\drivers\drmk.sys
0x8F40C000 \SystemRoot\system32\DRIVERS\smserial.sys
0x8F503000 \SystemRoot\system32\drivers\modem.sys
0x8F510000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x8F537000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8F540000 \SystemRoot\System32\Drivers\Null.SYS
0x8F547000 \SystemRoot\System32\Drivers\Beep.SYS
0x8F54E000 \SystemRoot\System32\drivers\vga.sys
0x8F55A000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8F57B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8F583000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8F58B000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8F596000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8F5A4000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8F5AD000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8F5C3000 \SystemRoot\system32\DRIVERS\smb.sys
0x8F1C2000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8F607000 \SystemRoot\system32\drivers\afd.sys
0x8F64F000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8F665000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8F673000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8F686000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8F6C2000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8F6CC000 \SystemRoot\system32\drivers\csc.sys
0x8F727000 \SystemRoot\System32\Drivers\dfsc.sys
0x8F73E000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8F755000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8F757000 \SystemRoot\System32\Drivers\usbvideo.sys
0x8F778000 \SystemRoot\system32\DRIVERS\udfs.sys
0x8F7B3000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8F7C0000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8F7CB000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x8F7D5000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x816E0000 \SystemRoot\System32\win32k.sys
0x8F7E6000 \SystemRoot\System32\drivers\Dxapi.sys
0x8F7F0000 \SystemRoot\system32\DRIVERS\monitor.sys
0x81900000 \SystemRoot\System32\TSDDD.dll
0x81920000 \SystemRoot\System32\cdd.dll
0x81930000 \SystemRoot\System32\ATMFD.DLL
0x8F5D7000 \SystemRoot\system32\drivers\luafv.sys
0x9D609000 \SystemRoot\system32\drivers\spsys.sys
0x9D6B9000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x9D6C9000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9D6F3000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9D6FD000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9D710000 \SystemRoot\system32\drivers\HTTP.sys
0x9D77D000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9D79A000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9D7B3000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9D7C8000 \SystemRoot\system32\drivers\mrxdav.sys
0x82708000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9EE02000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9EE3B000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9EE53000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9EE7B000 \SystemRoot\System32\DRIVERS\srv.sys
0x9EEE2000 \SystemRoot\system32\drivers\peauth.sys
0x9EFC0000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9EFCA000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9EFD6000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x9EFDF000 \SystemRoot\system32\DRIVERS\MpNWMon.sys
0x9EECA000 \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0A027048-8569-4F04-A894-E1CAA0711607}\MpKslb540bb35.sys
0x77340000 \Windows\System32\ntdll.dll

Processes (total 48):
0 System Idle Process
4 System
444 C:\Windows\System32\smss.exe
524 csrss.exe
576 C:\Windows\System32\wininit.exe
588 csrss.exe
620 C:\Windows\System32\services.exe
632 C:\Windows\System32\lsass.exe
640 C:\Windows\System32\lsm.exe
728 C:\Windows\System32\winlogon.exe
852 C:\Windows\System32\svchost.exe
900 C:\Windows\System32\nvvsvc.exe
928 C:\Windows\System32\svchost.exe
988 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1072 C:\Windows\System32\svchost.exe
1120 C:\Windows\System32\svchost.exe
1168 C:\Windows\System32\svchost.exe
1236 C:\Windows\System32\audiodg.exe
1264 C:\Windows\System32\svchost.exe
1308 C:\Windows\System32\SLsvc.exe
1384 C:\Windows\System32\svchost.exe
1520 C:\Windows\System32\svchost.exe
1700 C:\Windows\System32\spoolsv.exe
1724 C:\Windows\System32\svchost.exe
1952 C:\Windows\System32\svchost.exe
2016 C:\Windows\System32\svchost.exe
452 C:\Windows\System32\svchost.exe
480 C:\Windows\System32\SearchIndexer.exe
2576 C:\Windows\System32\rundll32.exe
2964 C:\Windows\System32\taskeng.exe
3292 C:\Windows\System32\svchost.exe
2948 C:\Windows\System32\taskeng.exe
2300 C:\Windows\System32\dwm.exe
2188 C:\Windows\explorer.exe
3340 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
2768 C:\Windows\System32\rundll32.exe
4028 C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
2628 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3844 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
3620 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
284 C:\Program Files\Microsoft Security Client\msseces.exe
780 C:\Program Files\Mozilla Firefox\firefox.exe
688 C:\Program Files\Mozilla Firefox\plugin-container.exe
1924 taskeng.exe
812 C:\Windows\System32\SearchProtocolHost.exe
3004 C:\Windows\System32\SearchFilterHost.exe
3348 C:\Users\Stephanie\Desktop\MBRCheck.exe
2756 C:\Windows\System32\conime.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200BEVT-60ZCT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

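The "MBR Code Faked!" verdict in the MBRCheck output above rests on hashing the first sector's boot code and comparing it with known-good images. As an added illustration (not code from the thread or from MBRCheck), the Python below parses a 512-byte MBR, reports the partition offsets (the constructed sample places the NTFS partition at byte 0x100000, as the log does), checks the 0x55AA signature and flags boot code whose SHA1 is not on an allowlist; the allowlist here holds only the hash of the constructed clean sample, since no known-good hashes appear on the page.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # executable boot code precedes the 4-byte disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510      # final two bytes must be 0x55 0xAA


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, signature check and partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype != 0:                      # type 0 means an unused entry
            parts.append({"type": ptype, "bootable": bool(status & 0x80),
                          "lba_start": lba_start, "sectors": sectors,
                          "byte_offset": lba_start * SECTOR})
    return {
        "code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "signature_ok": mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "partitions": parts,
    }


def check_mbr(mbr: bytes, known_good: set) -> str:
    """Verdict in the spirit of the MBRCheck log: OK, SUSPECT or INVALID."""
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return "INVALID: missing 0x55AA boot signature"
    if info["code_sha1"] in known_good:
        return "OK: boot code matches a known-good image"
    return "SUSPECT: boot code hash not in known-good set (non-standard or infected MBR)"


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample: one bootable NTFS partition at LBA 2048 (byte 0x100000)."""
    code = code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x12\x34\x56\x78\x00\x00"                      # constructed signature + reserved
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 625_000_000)
    return code + disk_sig + entry + b"\x00" * (3 * PART_ENTRY_LEN) + b"\x55\xaa"


CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed stand-in for stock code
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["code_sha1"]}                # allowlist: stock hashes in practice
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")                    # constructed: same table, other code

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, KNOWN_GOOD), parse_mbr(mbr)["partitions"])
```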
#14 Gammo

Gammo

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:08 AM

Posted 03 January 2012 - 03:58 PM

I now know the infection. For your information: it's a difficult one to remove, and it's gonna take a few steps.


For 32-bit (x86) systems, download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Please post the final results, good or bad. We like to know!


#15 Univrsl

Univrsl
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:11:08 PM

Posted 03 January 2012 - 05:58 PM

There is no "Repair your computer" option under the "Advanced Boot Options". I also have no Windows CDs other than my Windows 7 Ultimate Upgrade disk, which I'm checking now to see if it will still give me the Repair option.



