win32.worm-HELP!


  • This topic is locked
66 replies to this topic

#1 arenee74

  • Members
  • 35 posts

Posted 06 March 2012 - 11:45 PM

Attached are the things I've done so far.

This all started today when the threat was shown, and then tonight "virus scanner" popped up and began showing me false threats.

I am unsure of what I can do at this point.

Is my computer usable at all right now?


Any help in fixing this problem is appreciated!

Thanks in advance!


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 07 March 2012 - 12:35 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links:
Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 arenee74

  • Topic Starter
  • Members
  • 35 posts

Posted 07 March 2012 - 12:46 PM

Do I do all of this from safe mode? I haven't been using the computer since the things I followed as directed last night.

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 07 March 2012 - 12:51 PM

Hello


Do all scans in normal mode; if they need to be run in safe mode then I will ask you to.



Gringo

#5 arenee74

  • Topic Starter
  • Members
  • 35 posts

Posted 07 March 2012 - 01:14 PM

I have McAfee AntiVirus Plus and McAfee Security Scan Plus. The Security Scan Plus one won't open, and I don't see options for how to disable the antivirus one. I have looked at the directions on both links provided in your previous posts. Any new suggestions?

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 07 March 2012 - 01:17 PM

Go ahead and run it.


gringo

#7 arenee74

  • Topic Starter
  • Members
  • 35 posts

Posted 07 March 2012 - 01:23 PM

How can I get to the ComboFix if I have no access to the internet? It will not allow me to open Firefox or IE.

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 07 March 2012 - 06:30 PM

Hello


Download it from another computer and transfer it with a pen drive.


Gringo

#9 arenee74

  • Topic Starter
  • Members
  • 35 posts

Posted 07 March 2012 - 07:03 PM

I have double-clicked ComboFix to run and it asks whether I want to allow it, and I do. Then in the bottom corner of the screen it pops up saying it cannot start and it is infected with w32/blaster.worm.

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 07 March 2012 - 08:36 PM

Hello

I would like you to download these programs, if you don't have them yet, to the desktop and have them ready to use.

RKill - exeHelper - Malwarebytes' Anti-Malware
Unhide.exe


After you have them on your desktop, restart your computer and as soon as you can start with RKill.

:Rkill:

  • Double-click on Rkill.
  • A command window will open then disappear upon completion; this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.

Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message. Run Rkill repeatedly until it's able to do its job. This may take a few tries. You'll be able to tell Rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

Once the tool has run, do NOT reboot the machine.
If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.

Scan with exeHelper:

Please download exeHelper to your desktop.

  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).

Note: If the window shows a message that says "Error deleting file", please re-run the program.


Next I want you to run the unhide.exe program; just double-click to run it.

: Malwarebytes' Anti-Malware :

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Let me have these logs and let me know how the computer is doing.

Gringo

#11 arenee74

  • Topic Starter
  • Members
  • 35 posts

Posted 07 March 2012 - 09:15 PM

I got the programs put on my desktop.

Rkill popped up asking me to allow or cancel; when I allowed it, it closed that box and never opened.

exeHelper ran for about a second or two and closed each time I tried. It did create a log which I'll paste here, but I'm not sure it finished running.

exeHelper by Raktor
Build 20100414
Run at 21:01:48 on 03/07/12
exeHelper by Raktor
Build 20100414
Run at 21:01:54 on 03/07/12
Now searching...
Checking for numerical processes...
exeHelper by Raktor
Build 20100414
Run at 21:01:59 on 03/07/12
Now searching...
exeHelper by Raktor
Build 20100414
Run at 21:02:04 on 03/07/12
Now searching...
exeHelper by Raktor
Build 20100414
Run at 21:02:08 on 03/07/12
Now searching...
Checking for numerical processes...
exeHelper by Raktor
Build 20100414
Run at 21:02:13 on 03/07/12
exeHelper by Raktor
Build 20100414
Run at 21:02:17 on 03/07/12
Now searching...
exeHelper by Raktor
Build 20100414
Run at 21:02:21 on 03/07/12
Now searching...
exeHelper by Raktor
Build 20100414
Run at 21:02:25 on 03/07/12
Now searching...
exeHelper by Raktor
Build 20100414
Run at 21:02:29 on 03/07/12
exeHelper by Raktor
Build 20100414
Run at 21:02:33 on 03/07/12
Now searching...
Checking for numerical processes...
exeHelper by Raktor
Build 20100414
Run at 21:02:38 on 03/07/12
Now searching...
exeHelper by Raktor
Build 20100414
Run at 21:02:42 on 03/07/12
exeHelper by Raktor
Build 20100414
Run at 21:02:46 on 03/07/12
Now searching...
exeHelper by Raktor
Build 20100414
Run at 21:02:51 on 03/07/12
Now searching...
exeHelper by Raktor
Build 20100414
Run at 21:02:56 on 03/07/12exeHelper by Raktor
Build 20100414
Run at 21:03:00 on 03/07/12
exeHelper by Raktor
Build 20100414
Run at 21:03:04 on 03/07/12exeHelper by Raktor
Build 20100414
Run at 21:03:08 on 03/07/12
Now searching...




Unhide also ran very quickly. Here is the log created from that...


Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 03/07/2012 09:07:59 PM
Windows Version: Windows Vista

Please be patient while your files are made visible again.

Processing the C:\ drive





I double-clicked the MBAM setup but it never opened.

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 07 March 2012 - 09:46 PM

For x64 systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
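Added example (editor's code, not part of FRST or of any tool the helper links): a small triage script for the log that step produces. Helpers read the `...\Run:` lines of FRST's "Registry (Whitelisted)" section by eye, looking for an autostart whose file carries no company name, sits in a user-writable folder such as AppData\Roaming, and was created shortly before the scan; the script applies those three checks to every Run line and lists the hits, most suspicious first. The line shape (`<hive>\...\Run: [<name>] <command> [<size> <date>] (<publisher>)`, with `[x]` where FRST found no file) is taken from the FRST log posted further down in this thread, and the sample lines reproduce a few of its entries; the list of user-writable folders and the 14-day "recent" window are assumptions of this example, not FRST's own logic.

```python
"""Triage the autostart (Run) entries in a Farbar Recovery Scan Tool (FRST) log."""
# Editor's example for this thread: not FRST code and not part of any tool the helper
# linked. It understands only the "...\Run:" line shape seen in FRST logs.
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Run-line shape assumed from the FRST log posted in this thread:
#   <hive>\...\Run: [<name>] <command> [<size> <yyyy-mm-dd>] (<publisher>)
# "[x]" in place of size/date/publisher means FRST did not find the file on disk.
RUN_LINE = re.compile(
    r"^(?P<hive>HK\w+(?:-x32)?(?:\\[^\\]+)?)\\\.\.\.\\Run: "
    r"\[(?P<name>[^\]]+)\] (?P<command>.*?) "
    r"(?:\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)|\[x\])\s*$"
)

# Directories a limited user can write to (assumed list, matched case-insensitively).
USER_WRITABLE = ("\\appdata\\", "\\application data\\", "\\local settings\\",
                 "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Scan date from the header of the FRST log in this thread ("Ran by SYSTEM at 07-03-2012").
SCAN_DATE = date(2012, 3, 7)

# Constructed sample: Run lines copied from that log plus one non-Run line the parser must skip.
SAMPLE_LOG = r"""
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [202032 2008-08-01] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe" [x]
HKU\allison\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17351304 2011-10-13] (Skype Technologies S.A.)
HKU\allison\...\Run: [Internet Security] C:\Users\allison\AppData\Roaming\isecurity.exe [881152 2012-03-06] ()
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 207.69.188.186 207.69.188.187
"""


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    path: str                 # executable extracted from the command line
    size: Optional[int]
    created: Optional[date]
    publisher: Optional[str]  # "" = no company name in version info; None = file missing ([x])


def image_path(command: str) -> str:
    """Pull the executable path out of a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):            # quoted path, arguments may follow
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def parse_run_lines(text: str) -> List[RunEntry]:
    """Keep only the Run lines of an FRST log and split them into fields."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        entries.append(RunEntry(
            hive=g["hive"], name=g["name"], command=g["command"],
            path=image_path(g["command"]),
            size=int(g["size"]) if g["size"] else None,
            created=date.fromisoformat(g["date"]) if g["date"] else None,
            publisher=g["publisher"].strip() if g["publisher"] is not None else None,
        ))
    return entries


def triage(entries: List[RunEntry], scan_date: date,
           recent_days: int = 14) -> List[Tuple[RunEntry, List[str]]]:
    """Return (entry, reasons) for every entry that trips a check, most reasons first."""
    findings = []
    for e in entries:
        reasons = []
        if e.publisher == "":
            reasons.append("no company name in the file's version information")
        if any(marker in e.path.lower() for marker in USER_WRITABLE):
            reasons.append("image lives in a user-writable directory")
        if e.created is not None and 0 <= (scan_date - e.created).days <= recent_days:
            reasons.append(f"file created {(scan_date - e.created).days} day(s) before the scan")
        if e.publisher is None:
            reasons.append("FRST reports the file missing ([x]): stale or already removed")
        if reasons:
            findings.append((e, reasons))
    findings.sort(key=lambda f: len(f[1]), reverse=True)
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(parse_run_lines(SAMPLE_LOG), SCAN_DATE):
        print(f"[{len(reasons)}] {entry.hive}  {entry.name}  ->  {entry.path}")
        for reason in reasons:
            print(f"      - {reason}")
```

Run as-is, the "Internet Security" entry comes out on top with all three reasons, and the Java updater is listed separately only because its file is gone. To triage a real log, pass the full text of FRST.txt to `parse_run_lines`; the Services and Drivers sections use a different line shape and are not covered here.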

#13 arenee74

  • Topic Starter
  • Members
  • 35 posts

Posted 07 March 2012 - 10:09 PM

Here you go.

Scan result of Farbar Recovery Scan Tool Version: 07-03-2012 01
Ran by SYSTEM at 07-03-2012 22:05:51
Running from G:\
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [225816 2008-10-28] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [199704 2008-10-28] (Intel Corporation)
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [57928 2011-01-11] (LogMeIn, Inc.)
HKLM-x32\...\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [1148200 2008-09-26] (CyberLink Corp.)
HKLM-x32\...\Run: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [1152296 2008-09-25] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [189736 2008-09-25] (CyberLink)
HKLM-x32\...\Run: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [206120 2008-09-24] (CyberLink Corp.)
HKLM-x32\...\Run: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam" [210216 2008-06-13] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [210216 2008-06-13] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2008-09-26] (CyberLink Corp.)
HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [202032 2008-08-01] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [210216 2008-06-13] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0" [210216 2008-06-13] (CyberLink Corp.)
HKLM-x32\...\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [80896 2007-08-22] (Hewlett-Packard)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot [202256 2010-05-03] (RealNetworks, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [47904 2010-12-14] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2010-12-13] (Apple Inc.)
HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe" [x]
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1666144 2011-07-13] (McAfee, Inc.)
HKU\allison\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17351304 2011-10-13] (Skype Technologies S.A.)
HKU\allison\...\Run: [Jing] C:\Program Files (x86)\TechSmith\Jing\Jing.exe [3069192 2010-08-19] (TechSmith Corporation)
HKU\allison\...\Run: [Internet Security] C:\Users\allison\AppData\Roaming\isecurity.exe [881152 2012-03-06] ()
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-09-30] (Hewlett-Packard)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-09-30] (Hewlett-Packard)
HKU\LogMeInRemoteUser\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\LogMeInRemoteUser\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-09-30] (Hewlett-Packard)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\Citrix\GoToAssist Express Customer\309\g2ax_winlogonx64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 207.69.188.186 207.69.188.187

==================== Services (Whitelisted) ======

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1e90062d\AESTSr64.exe [89088 2008-06-27] (Andrea Electronics Corporation)
2 AgereModemAudio; C:\Windows\system32\agr64svc.exe [15872 2010-10-16] (Agere Systems)
3 GoToAssist Express Customer; "C:\Program Files (x86)\Citrix\GoToAssist Express Customer\309\g2ax_service.exe" "Start=service" [161144 2011-09-16] (Citrix Online, a division of Citrix Systems, Inc.)
2 hpsrv; C:\Windows\System32\Hpservice.exe [23040 2008-03-18] (Hewlett-Packard Corporation)
2 LMIGuardianSvc; "C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe" [375176 2011-12-18] (LogMeIn, Inc.)
2 LMIMaint; "C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe" [147336 2011-12-18] (LogMeIn, Inc.)
2 LogMeIn; "C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe" [407424 2011-01-11] (LogMeIn, Inc.)
2 McAfee SiteAdvisor Service; "C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe" [103440 2012-01-13] (McAfee, Inc.)
2 McciCMService; "C:\Program Files (x86)\Common Files\Motive\McciCMService.exe" [303104 2008-02-12] (Motive Communications, Inc.)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe" [227232 2010-09-02] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [501768 2011-06-23] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [199008 2011-08-19] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [208272 2011-08-19] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [158832 2011-08-19] (McAfee, Inc.)
2 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365952 2008-10-06] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [241734 2008-06-29] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1e90062d\STacSV64.exe [279040 2008-10-26] (IDT, Inc.)
2 TVCapSvc; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe" [296320 2008-09-24] ()
2 TVSched; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe" [116096 2008-09-24] ()
2 Viewpoint Manager Service; "C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)
3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]

========================== Drivers (Whitelisted) =============

3 Accelerometer; C:\Windows\System32\DRIVERS\Accelerometer.sys [40296 2008-03-27] (Hewlett-Packard Corporation)
3 AgereSoftModem; C:\Windows\System32\DRIVERS\agrsm64.sys [1253376 2010-10-16] (Agere Systems)
3 cfwids; C:\Windows\System32\drivers\cfwids.sys [65128 2011-08-15] (McAfee, Inc.)
3 enecir; C:\Windows\System32\DRIVERS\enecir.sys [64000 2008-09-04] (ENE TECHNOLOGY INC.)
0 hpdskflt; C:\Windows\System32\DRIVERS\hpdskflt.sys [26984 2008-03-27] (Hewlett-Packard Corporation)
2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [15928 2011-01-11] (LogMeIn, Inc.)
3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [11552 2011-01-11] (LogMeIn, Inc.)
2 LMIRfsDriver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [72216 2011-01-11] (LogMeIn, Inc.)
3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [158584 2011-08-15] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [228752 2011-08-15] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [481504 2011-08-15] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [642824 2011-08-15] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75672 2011-08-15] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [100904 2011-08-15] (McAfee, Inc.)
3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [40904 2009-09-16] (McAfee, Inc.)
3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [49480 2009-09-16] (McAfee, Inc.)
1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [283744 2011-08-15] (McAfee, Inc.)
3 NETw3v64; C:\Windows\System32\DRIVERS\NETw3v64.sys [3154432 2008-01-20] (Intel Corporation)
3 NWADI; C:\Windows\System32\DRIVERS\NWADIenum.sys [247808 2008-06-02] (Novatel Wireless Inc)
3 NWUSBCDFIL64; C:\Windows\System32\DRIVERS\NwUsbCdFil64.sys [25600 2008-07-07] (Novatel Wireless Inc.)
3 NWUSBModem; C:\Windows\System32\DRIVERS\nwusbmdm.sys [213120 2008-05-09] (Novatel Wireless Inc.)
3 NWUSBPort; C:\Windows\System32\DRIVERS\nwusbser.sys [213120 2008-05-09] (Novatel Wireless Inc.)
3 NWUSBPort2; C:\Windows\System32\DRIVERS\nwusbser2.sys [213120 2008-05-09] (Novatel Wireless Inc.)
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh64.sys [174592 2008-08-06] (Realtek Corporation )
3 RTSTOR; C:\Windows\System32\drivers\RTSTOR64.SYS [68096 2008-09-19] (Realtek Semiconductor Corp.)
3 SMSIVZAM5X64; \??\C:\PROGRA~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [43032 2009-03-20] (Smith Micro Inc.)
3 ssrangdr; C:\Windows\System32\DRIVERS\ssrangdr.sys [4608 2008-11-11] (SupportSoft Inc.)
2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [27632 2008-09-26] (Cyberlink Corp.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
4 LMIRfsClientNP; [x]
3 mfeavfk01; [x]
3 msiserver; C:\Windows\System32\msiexec /V [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-03-07 22:05 - 2012-03-07 22:05 - 0000000 ____D C:\FRST
2012-03-07 18:07 - 2012-03-07 18:12 - 0000802 ____A C:\Users\allison\Desktop\unhide.txt
2012-03-07 18:01 - 2012-03-07 18:03 - 0001577 ____A C:\Users\allison\Desktop\exehelperlog.txt
2012-03-07 17:53 - 2012-03-07 17:53 - 0389024 ____A (Bleeping Computer, LLC) C:\Users\allison\Desktop\unhide.exe
2012-03-07 17:52 - 2012-03-07 17:54 - 9502424 ____A (Malwarebytes Corporation ) C:\Users\allison\Desktop\mbam-setup-1.60.1.1000.exe
2012-03-07 17:51 - 2012-03-07 17:51 - 1008141 ____A C:\Users\allison\Desktop\rkill.com
2012-03-07 17:51 - 2012-03-07 17:51 - 0294400 ____A C:\Users\allison\Desktop\exeHelper.com
2012-03-07 16:03 - 2012-03-07 16:03 - 0000000 ____D C:\32788R22FWJFW
2012-03-07 10:04 - 2012-03-07 18:04 - 4222820352 __ASH C:\hiberfil.sys
2012-03-06 20:39 - 2012-03-06 20:39 - 0000407 ____A C:\Users\allison\Desktop\ark.txt
2012-03-06 20:28 - 2012-03-06 20:28 - 0000407 ____A C:\Users\allison\My Documents\ark.txt
2012-03-06 20:28 - 2012-03-06 20:28 - 0000407 ____A C:\Users\allison\Documents\ark.txt
2012-03-06 19:44 - 2012-03-06 19:44 - 0000000 ____D C:\Users\allison\Desktop\gmer
2012-03-06 19:42 - 2012-03-06 19:43 - 0294216 ____A C:\Users\allison\Desktop\gmer.zip
2012-03-06 19:41 - 2012-03-06 19:41 - 0025166 ____A C:\Users\allison\Desktop\dds.txt
2012-03-06 19:41 - 2012-03-06 19:41 - 0011944 ____A C:\Users\allison\Desktop\attach.txt
2012-03-06 19:34 - 2012-03-06 19:34 - 0607260 ____R (Swearware) C:\Users\allison\Desktop\dds.scr
2012-03-06 19:32 - 2012-03-06 19:32 - 0050477 ____A C:\Users\allison\Desktop\Defogger.exe
2012-03-06 19:32 - 2012-03-06 19:32 - 0000476 ____A C:\Users\allison\Desktop\defogger_disable.log
2012-03-06 19:32 - 2012-03-06 19:32 - 0000000 ____A C:\Users\allison\defogger_reenable
2012-03-06 19:20 - 2012-03-06 19:32 - 0156040 ____A C:\TDSSKiller.2.7.19.0_06.03.2012_22.20.07_log.txt
2012-03-06 19:16 - 2012-03-06 19:18 - 2063920 ____A (Kaspersky Lab ZAO) C:\Users\allison\Desktop\1234.com.exe
2012-03-06 19:08 - 2012-03-07 10:01 - 0261880 ____A C:\Windows\ntbtlog.txt
2012-03-06 18:51 - 2012-03-06 18:51 - 0881152 ____A C:\Users\allison\Application Data\isecurity.exe
2012-03-06 18:51 - 2012-03-06 18:51 - 0881152 ____A C:\Users\allison\AppData\Roaming\isecurity.exe
2012-03-06 18:51 - 2012-03-06 18:51 - 0000691 ____A C:\Users\allison\Desktop\Internet Security.lnk
2012-03-01 17:27 - 2012-03-01 17:28 - 2256329 ____A C:\Users\allison\Desktop\allisoncoore_2012_03_01.zip
2012-02-29 13:22 - 2012-02-29 13:22 - 0000000 ____D C:\Users\allison\Application Data\Catalina Marketing Corp
2012-02-29 13:22 - 2012-02-29 13:22 - 0000000 ____D C:\Users\allison\AppData\Roaming\Catalina Marketing Corp
2012-02-29 13:21 - 2012-02-29 13:21 - 0485576 ____A (Catalina Marketing Corp. ) C:\Users\allison\Desktop\CouponActivator.exe
2012-02-24 18:00 - 2012-02-24 18:00 - 0017764 ____A C:\Users\allison\Desktop\9.11 OL receipt.pdf
2012-02-24 17:47 - 2012-02-24 20:16 - 0014125 ____A C:\Users\allison\Desktop\2011 Web Opp tax doc (gt).xlsx
2012-02-24 16:36 - 2012-02-24 17:46 - 0013838 ____A C:\Users\allison\Desktop\2011 Web Wealth Marketing Tax for boo.xlsx
2012-02-17 10:53 - 2012-02-17 10:55 - 0065605 ____A C:\Users\allison\Desktop\Resampled952012-02-049514-36-439.jpg
2012-02-16 00:05 - 2011-12-13 22:59 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-16 00:05 - 2011-12-13 22:57 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-16 00:05 - 2011-12-13 22:57 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-16 00:05 - 2011-12-13 18:50 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-02-16 00:05 - 2011-12-13 18:50 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-02-16 00:04 - 2011-12-13 23:43 - 17790464 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-16 00:04 - 2011-12-13 23:16 - 10887168 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-16 00:04 - 2011-12-13 23:11 - 2308096 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-16 00:04 - 2011-12-13 23:04 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-16 00:04 - 2011-12-13 23:04 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-16 00:04 - 2011-12-13 23:03 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-16 00:04 - 2011-12-13 23:03 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-16 00:04 - 2011-12-13 23:01 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-16 00:04 - 2011-12-13 23:00 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-16 00:04 - 2011-12-13 22:53 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-16 00:04 - 2011-12-13 19:30 - 12282368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-02-16 00:04 - 2011-12-13 19:10 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-02-16 00:04 - 2011-12-13 19:04 - 1798656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-02-16 00:04 - 2011-12-13 18:57 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-02-16 00:04 - 2011-12-13 18:57 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-02-16 00:04 - 2011-12-13 18:56 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-02-16 00:04 - 2011-12-13 18:55 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-02-16 00:04 - 2011-12-13 18:54 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-02-16 00:04 - 2011-12-13 18:53 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-02-16 00:04 - 2011-12-13 18:52 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-02-16 00:04 - 2011-12-13 18:47 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-02-15 05:56 - 2011-12-14 08:38 - 0621056 ____A (Microsoft Corporation) C:\Windows\System32\msvcrt.dll
2012-02-15 05:56 - 2011-12-14 08:17 - 0680448 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcrt.dll
2012-02-15 05:55 - 2012-01-12 12:16 - 2765824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-15 05:55 - 2012-01-03 06:25 - 0404992 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2012-02-12 12:42 - 2012-02-14 12:29 - 0010412 ____A C:\Users\allison\My Documents\2011 Tax Excel Doc.xlsx
2012-02-12 12:42 - 2012-02-14 12:29 - 0010412 ____A C:\Users\allison\Documents\2011 Tax Excel Doc.xlsx

============ 3 Months Modified Files and Folders =============

2012-03-07 22:05 - 2012-03-07 22:05 - 0000000 ____D C:\FRST
2012-03-07 18:59 - 2008-12-06 03:03 - 1087009 ____A C:\Windows\WindowsUpdate.log
2012-03-07 18:59 - 2008-12-06 02:58 - 0000012 ____A C:\Windows\bthservsdp.dat
2012-03-07 18:59 - 2006-11-02 07:42 - 0032568 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-03-07 18:59 - 2006-11-02 07:42 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-03-07 18:59 - 2006-11-02 07:22 - 0003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-03-07 18:59 - 2006-11-02 07:22 - 0003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-03-07 18:31 - 2011-08-27 18:04 - 0000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-03-07 18:12 - 2012-03-07 18:07 - 0000802 ____A C:\Users\allison\Desktop\unhide.txt
2012-03-07 18:12 - 2006-11-02 04:46 - 0808612 ____A C:\Windows\System32\PerfStringBackup.INI
2012-03-07 18:05 - 2011-08-27 18:04 - 0000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-03-07 18:04 - 2012-03-07 10:04 - 4222820352 __ASH C:\hiberfil.sys
2012-03-07 18:03 - 2012-03-07 18:01 - 0001577 ____A C:\Users\allison\Desktop\exehelperlog.txt
2012-03-07 17:54 - 2012-03-07 17:52 - 9502424 ____A (Malwarebytes Corporation ) C:\Users\allison\Desktop\mbam-setup-1.60.1.1000.exe
2012-03-07 17:53 - 2012-03-07 17:53 - 0389024 ____A (Bleeping Computer, LLC) C:\Users\allison\Desktop\unhide.exe
2012-03-07 17:51 - 2012-03-07 17:51 - 1008141 ____A C:\Users\allison\Desktop\rkill.com
2012-03-07 17:51 - 2012-03-07 17:51 - 0294400 ____A C:\Users\allison\Desktop\exeHelper.com
2012-03-07 16:03 - 2012-03-07 16:03 - 0000000 ____D C:\32788R22FWJFW
2012-03-07 10:05 - 2011-01-02 10:56 - 0000189 ____A C:\Users\All Users\HPWALog.txt
2012-03-07 10:05 - 2011-01-02 10:56 - 0000189 ____A C:\Users\All Users\Application Data\HPWALog.txt
2012-03-07 10:05 - 2011-01-02 10:56 - 0000189 ____A C:\ProgramData\HPWALog.txt
2012-03-07 10:02 - 2011-08-27 18:01 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-03-07 10:01 - 2012-03-06 19:08 - 0261880 ____A C:\Windows\ntbtlog.txt
2012-03-07 09:56 - 2011-09-22 15:33 - 0000000 ____D C:\Users\All Users\LogMeIn
2012-03-07 09:56 - 2011-09-22 15:33 - 0000000 ____D C:\Users\All Users\Application Data\LogMeIn
2012-03-07 09:56 - 2011-09-22 15:33 - 0000000 ____D C:\ProgramData\LogMeIn
2012-03-06 20:39 - 2012-03-06 20:39 - 0000407 ____A C:\Users\allison\Desktop\ark.txt
2012-03-06 20:28 - 2012-03-06 20:28 - 0000407 ____A C:\Users\allison\My Documents\ark.txt
2012-03-06 20:28 - 2012-03-06 20:28 - 0000407 ____A C:\Users\allison\Documents\ark.txt
2012-03-06 19:44 - 2012-03-06 19:44 - 0000000 ____D C:\Users\allison\Desktop\gmer
2012-03-06 19:43 - 2012-03-06 19:42 - 0294216 ____A C:\Users\allison\Desktop\gmer.zip
2012-03-06 19:41 - 2012-03-06 19:41 - 0025166 ____A C:\Users\allison\Desktop\dds.txt
2012-03-06 19:41 - 2012-03-06 19:41 - 0011944 ____A C:\Users\allison\Desktop\attach.txt
2012-03-06 19:34 - 2012-03-06 19:34 - 0607260 ____R (Swearware) C:\Users\allison\Desktop\dds.scr
2012-03-06 19:32 - 2012-03-06 19:32 - 0050477 ____A C:\Users\allison\Desktop\Defogger.exe
2012-03-06 19:32 - 2012-03-06 19:32 - 0000476 ____A C:\Users\allison\Desktop\defogger_disable.log
2012-03-06 19:32 - 2012-03-06 19:32 - 0000000 ____A C:\Users\allison\defogger_reenable
2012-03-06 19:32 - 2012-03-06 19:20 - 0156040 ____A C:\TDSSKiller.2.7.19.0_06.03.2012_22.20.07_log.txt
2012-03-06 19:32 - 2009-01-10 11:38 - 0000000 ____D C:\users\allison
2012-03-06 19:18 - 2012-03-06 19:16 - 2063920 ____A (Kaspersky Lab ZAO) C:\Users\allison\Desktop\1234.com.exe
2012-03-06 18:51 - 2012-03-06 18:51 - 0881152 ____A C:\Users\allison\Application Data\isecurity.exe
2012-03-06 18:51 - 2012-03-06 18:51 - 0881152 ____A C:\Users\allison\AppData\Roaming\isecurity.exe
2012-03-06 18:51 - 2012-03-06 18:51 - 0000691 ____A C:\Users\allison\Desktop\Internet Security.lnk
2012-03-06 18:51 - 2010-12-27 17:24 - 0000000 ____D C:\Users\allison\Application Data\Skype
2012-03-06 18:51 - 2010-12-27 17:24 - 0000000 ____D C:\Users\allison\AppData\Roaming\Skype
2012-03-06 18:25 - 2010-12-28 18:25 - 0128512 ____A C:\Users\allison\Desktop\Schedule Allison.xls
2012-03-06 18:25 - 2009-10-11 17:38 - 0000000 ____D C:\Users\allison\Desktop\ALLISON
2012-03-06 17:42 - 2012-01-03 19:20 - 0020419 ____A C:\Users\allison\Desktop\notes to transfer to jd.docx
2012-03-06 05:19 - 2011-08-06 20:06 - 0000342 ____A C:\Windows\Tasks\HPCeeScheduleForallison.job
2012-03-03 09:51 - 2009-01-16 14:21 - 0000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-03-01 17:28 - 2012-03-01 17:27 - 2256329 ____A C:\Users\allison\Desktop\allisoncoore_2012_03_01.zip
2012-03-01 13:45 - 2011-01-14 10:58 - 0000000 ____D C:\Users\allison\My Documents\Activities
2012-03-01 13:45 - 2011-01-14 10:58 - 0000000 ____D C:\Users\allison\Documents\Activities
2012-02-29 13:22 - 2012-02-29 13:22 - 0000000 ____D C:\Users\allison\Application Data\Catalina Marketing Corp
2012-02-29 13:22 - 2012-02-29 13:22 - 0000000 ____D C:\Users\allison\AppData\Roaming\Catalina Marketing Corp
2012-02-29 13:21 - 2012-02-29 13:21 - 0485576 ____A (Catalina Marketing Corp. ) C:\Users\allison\Desktop\CouponActivator.exe
2012-02-24 20:16 - 2012-02-24 17:47 - 0014125 ____A C:\Users\allison\Desktop\2011 Web Opp tax doc (gt).xlsx
2012-02-24 18:00 - 2012-02-24 18:00 - 0017764 ____A C:\Users\allison\Desktop\9.11 OL receipt.pdf
2012-02-24 17:46 - 2012-02-24 16:36 - 0013838 ____A C:\Users\allison\Desktop\2011 Web Wealth Marketing Tax for boo.xlsx
2012-02-23 17:28 - 2009-01-10 13:28 - 0000000 ____D C:\Program Files (x86)\McAfee
2012-02-23 17:27 - 2008-01-20 19:26 - 0056770 ____A C:\Windows\PFRO.log
2012-02-17 10:55 - 2012-02-17 10:53 - 0065605 ____A C:\Users\allison\Desktop\Resampled952012-02-049514-36-439.jpg
2012-02-16 00:45 - 2006-11-02 07:21 - 0316256 ____A C:\Windows\System32\FNTCACHE.DAT
2012-02-16 00:44 - 2008-11-11 03:33 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-02-16 00:07 - 2006-11-02 04:35 - 54585368 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-02-15 19:00 - 2010-12-28 19:03 - 0001445 ____A C:\Users\allison\Desktop\allisoncoore_swipe.txt
2012-02-14 12:29 - 2012-02-12 12:42 - 0010412 ____A C:\Users\allison\My Documents\2011 Tax Excel Doc.xlsx
2012-02-14 12:29 - 2012-02-12 12:42 - 0010412 ____A C:\Users\allison\Documents\2011 Tax Excel Doc.xlsx
2012-02-09 17:12 - 2010-09-07 06:43 - 0015488 ____A C:\Windows\setupact.log
2012-01-24 06:57 - 2012-01-24 06:57 - 0033670 ____A C:\Users\allison\Desktop\PHC SVCS PRTF applic.pdf
2012-01-24 06:23 - 2012-01-24 06:23 - 0302559 ____A C:\Users\allison\Desktop\depression.pdf
2012-01-23 14:18 - 2012-01-23 14:18 - 0010357 ____A C:\Users\allison\Desktop\activity.docx
2012-01-23 13:00 - 2012-01-23 13:00 - 0179495 ____A C:\Users\allison\Desktop\DISCIPLINE.PUNISHMT.pdf
2012-01-23 12:58 - 2012-01-23 12:58 - 0008369 ____A C:\Users\allison\Desktop\RELATIONSHIPS.pdf
2012-01-23 12:52 - 2012-01-23 12:52 - 0012503 ____A C:\Users\allison\Desktop\ACCOUNTABILITY.pdf
2012-01-19 17:36 - 2012-01-19 15:51 - 0221184 ____A C:\Users\allison\Desktop\PRTF_Admission_App.doc
2012-01-17 13:11 - 2012-01-17 13:11 - 0023040 ____A C:\Users\allison\Desktop\whitakeradmissionprocedures.doc
2012-01-12 12:16 - 2012-02-15 05:55 - 2765824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-01-10 18:48 - 2011-04-03 15:10 - 0000000 ____D C:\Program Files (x86)\Coupons
2012-01-10 18:46 - 2012-01-10 18:45 - 1284008 ____A (Coupons.com Incorporated) C:\Users\allison\Desktop\CouponPrinter.exe
2012-01-07 17:39 - 2012-01-07 17:39 - 0001877 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-01-07 17:39 - 2012-01-07 17:39 - 0001877 ____A C:\Users\All Users\Desktop\Adobe Reader 9.lnk
2012-01-04 17:39 - 2012-01-04 17:34 - 2063040 ____A (Bandoo Media Inc. ) C:\Users\allison\Desktop\iLividSetupV1.exe
2012-01-03 06:25 - 2012-02-15 05:55 - 0404992 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2012-01-01 18:37 - 2012-01-01 18:37 - 0000000 ____D C:\Users\allison\Local Settings\TechSmith
2012-01-01 18:37 - 2012-01-01 18:37 - 0000000 ____D C:\Users\allison\Local Settings\Application Data\TechSmith
2012-01-01 18:37 - 2012-01-01 18:37 - 0000000 ____D C:\Users\allison\AppData\Local\TechSmith
2012-01-01 18:34 - 2012-01-01 18:34 - 0000000 ____D C:\Program Files (x86)\TechSmith
2011-12-31 11:53 - 2008-12-06 03:04 - 0040606 ____A C:\Windows\DPINST.LOG
2011-12-31 11:48 - 2011-12-31 11:48 - 0359306 ____A C:\Users\allison\Local Settings\dd_vcredistMSI1F9B.txt
2011-12-31 11:48 - 2011-12-31 11:48 - 0359306 ____A C:\Users\allison\Local Settings\Application Data\dd_vcredistMSI1F9B.txt
2011-12-31 11:48 - 2011-12-31 11:48 - 0359306 ____A C:\Users\allison\AppData\Local\dd_vcredistMSI1F9B.txt
2011-12-31 11:48 - 2011-12-31 11:48 - 0013284 ____A C:\Users\allison\Local Settings\dd_vcredistUI1F9B.txt
2011-12-31 11:48 - 2011-12-31 11:48 - 0013284 ____A C:\Users\allison\Local Settings\Application Data\dd_vcredistUI1F9B.txt
2011-12-31 11:48 - 2011-12-31 11:48 - 0013284 ____A C:\Users\allison\AppData\Local\dd_vcredistUI1F9B.txt
2011-12-31 11:48 - 2011-12-31 11:48 - 0000000 ____D C:\Users\All Users\Application Data\{A0559A84-0A11-425F-BFFC-532378694B25}
2011-12-31 11:48 - 2011-12-31 11:48 - 0000000 ____D C:\Users\All Users\{A0559A84-0A11-425F-BFFC-532378694B25}
2011-12-31 11:48 - 2011-12-31 11:48 - 0000000 ____D C:\ProgramData\{A0559A84-0A11-425F-BFFC-532378694B25}
2011-12-29 16:18 - 2009-01-10 13:28 - 0000000 ____D C:\Program Files\McAfee
2011-12-20 19:18 - 2011-09-22 15:33 - 0000000 ____D C:\Program Files (x86)\LogMeIn
2011-12-18 19:09 - 2011-09-22 15:33 - 0087456 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll
2011-12-18 19:09 - 2011-09-22 15:33 - 0080768 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll
2011-12-18 19:09 - 2011-09-22 15:33 - 0034688 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
2011-12-15 00:51 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\rescache
2011-12-15 00:11 - 2008-11-11 03:11 - 0000000 ____D C:\Users\All Users\Microsoft Help
2011-12-15 00:11 - 2008-11-11 03:11 - 0000000 ____D C:\Users\All Users\Application Data\Microsoft Help
2011-12-15 00:11 - 2008-11-11 03:11 - 0000000 ____D C:\ProgramData\Microsoft Help
2011-12-14 08:38 - 2012-02-15 05:56 - 0621056 ____A (Microsoft Corporation) C:\Windows\System32\msvcrt.dll
2011-12-14 08:17 - 2012-02-15 05:56 - 0680448 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcrt.dll
2011-12-13 23:43 - 2012-02-16 00:04 - 17790464 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-12-13 23:16 - 2012-02-16 00:04 - 10887168 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-12-13 23:11 - 2012-02-16 00:04 - 2308096 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2011-12-13 23:04 - 2012-02-16 00:04 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-12-13 23:04 - 2012-02-16 00:04 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-12-13 23:03 - 2012-02-16 00:04 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2011-12-13 23:03 - 2012-02-16 00:04 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-12-13 23:01 - 2012-02-16 00:04 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-12-13 23:00 - 2012-02-16 00:04 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2011-12-13 22:59 - 2012-02-16 00:05 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-12-13 22:57 - 2012-02-16 00:05 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-12-13 22:57 - 2012-02-16 00:05 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-12-13 22:53 - 2012-02-16 00:04 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-12-13 19:30 - 2012-02-16 00:04 - 12282368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2011-12-13 19:10 - 2012-02-16 00:04 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2011-12-13 19:04 - 2012-02-16 00:04 - 1798656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2011-12-13 18:57 - 2012-02-16 00:04 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2011-12-13 18:57 - 2012-02-16 00:04 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2011-12-13 18:56 - 2012-02-16 00:04 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2011-12-13 18:55 - 2012-02-16 00:04 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2011-12-13 18:54 - 2012-02-16 00:04 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2011-12-13 18:53 - 2012-02-16 00:04 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2011-12-13 18:52 - 2012-02-16 00:04 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2011-12-13 18:50 - 2012-02-16 00:05 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2011-12-13 18:50 - 2012-02-16 00:05 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2011-12-13 18:47 - 2012-02-16 00:04 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 4026.25 MB
Available physical RAM: 3349.23 MB
Total Pagefile: 3703.46 MB
Available Pagefile: 3322.66 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:285.62 GB) (Free:163.11 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:12.47 GB) (Free:1.98 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: () (Removable) (Total:0.96 GB) (Free:0.9 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online       298 GB  1024 KB
Disk 1    No Media       0 B      0 B
Disk 2    Online       983 MB     0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary            286 GB  1024 KB
Partition 2    Primary             12 GB   286 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C                NTFS   Partition    286 GB  Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D    RECOVERY     NTFS   Partition     12 GB  Healthy

======================================================================================================

Partitions of Disk 2:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary            983 MB    16 KB

======================================================================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                FAT32  Removable    983 MB  Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-07 18:12

======================= End Of Log ==========================

#14 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 07 March 2012 - 10:25 PM

Hello

I would like you to run the fix below and when it is complete I need you to rerun combofix and send me the report.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

HKU\allison\...\Run: [Internet Security] C:\Users\allison\AppData\Roaming\isecurity.exe [881152 2012-03-06] ()
C:\Users\allison\AppData\Roaming\isecurity.exe
2012-03-06 18:51 - 2012-03-06 18:51 - 0881152 ____A C:\Users\allison\Application Data\isecurity.exe
2012-03-06 18:51 - 2012-03-06 18:51 - 0881152 ____A C:\Users\allison\AppData\Roaming\isecurity.exe
2012-03-06 18:51 - 2012-03-06 18:51 - 0000691 ____A C:\Users\allison\Desktop\Internet Security.lnk
2012-01-04 17:39 - 2012-01-04 17:34 - 2063040 ____A (Bandoo Media Inc. ) C:\Users\allison\Desktop\iLividSetupV1.exe 


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
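As an added example that is not part of this thread and not FRST's own code: the fixlist above targets one pattern, a binary with no publisher dropped into the user's AppData\Roaming and started from the per-user Run key (HKU\allison\...\Run), which needs no admin rights to install. The Python below parses FRST-style file-list and Run-key lines and scores them against that pattern, so the same check can be run over any log of this format. The regexes, the list of "user-writable" directories, the 7-day window and the Finding class are this example's own assumptions; the sample lines are copied from the FRST log posted above and the scan time is taken from its C:\FRST entry.

```python
r"""Triage pass over FRST log lines (added example; not FRST's or the thread's own code).

FRST prints file entries as
    <created> - <modified> - <size> <attrs> [(<company>)] <path>
and per-user autostart entries as
    HKU\<user>\...\Run: [<name>] <path> [<size> <date>] (<company>)

The scoring rule is this example's own assumption: a binary with no publisher,
dropped into a per-user writable directory and wired into a Run key, matches
the rogue-AV pattern visible in the log above (isecurity.exe / "Internet Security").
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+?)\s*$"
)
RUN_LINE = re.compile(
    r"^(?P<hive>HK[A-Z]+\\[^:]*)\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<company>[^)]*)\))?\s*$"
)

# Locations a non-admin user can write to, so a Run-key target can land there
# without any privilege.  Desktop is left out on purpose: on this machine it
# holds the helper tools the user was asked to download (rkill.com, unhide.exe).
USER_WRITABLE = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\application data\\",
    "\\local settings\\", "\\programdata\\", "\\users\\public\\",
)
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".dll", ".sys", ".pif")


@dataclass
class Finding:
    kind: str    # "autostart" (Run-key entry) or "file" (file-list entry)
    path: str
    reason: str


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_EXT)


def triage(lines: Iterable[str], scan_time: datetime, window_days: int = 7) -> List[Finding]:
    """Pass 1 collects Run-key targets, pass 2 scores file entries against them,
    so the result does not depend on which section of the log comes first."""
    lines = [ln.rstrip() for ln in lines if ln.strip()]
    findings: List[Finding] = []
    autostart_targets = set()

    for ln in lines:
        run = RUN_LINE.match(ln)
        if not run:
            continue
        path = run.group("path")
        autostart_targets.add(path.lower())
        reasons = []
        if in_user_writable_dir(path):
            reasons.append("Run-key target lives in a user-writable directory")
        if not (run.group("company") or "").strip():
            reasons.append("no publisher")
        if reasons:
            findings.append(Finding("autostart", path, "; ".join(reasons)))

    for ln in lines:
        m = FILE_LINE.match(ln)
        if not m or "D" in m.group("attrs") or not is_executable(m.group("path")):
            continue                      # skip directories and non-executables
        path = m.group("path")
        created = datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M")
        company = (m.group("company") or "").strip()
        reasons = []
        if path.lower() in autostart_targets:
            reasons.append("target of an autostart entry")
        if in_user_writable_dir(path) and not company:
            reasons.append("no publisher, in a user-writable directory")
        if reasons and scan_time - created <= timedelta(days=window_days):
            reasons.append(f"created {created:%Y-%m-%d}, inside the {window_days}-day window")
        if reasons:
            findings.append(Finding("file", path, "; ".join(reasons)))
    return findings


# Sample lines copied from the FRST log above; scan time taken from its C:\FRST entry.
SAMPLE_LOG = r"""
HKU\allison\...\Run: [Internet Security] C:\Users\allison\AppData\Roaming\isecurity.exe [881152 2012-03-06] ()
2012-03-07 17:53 - 2012-03-07 17:53 - 0389024 ____A (Bleeping Computer, LLC) C:\Users\allison\Desktop\unhide.exe
2012-03-07 17:51 - 2012-03-07 17:51 - 1008141 ____A C:\Users\allison\Desktop\rkill.com
2012-03-06 19:18 - 2012-03-06 19:16 - 2063920 ____A (Kaspersky Lab ZAO) C:\Users\allison\Desktop\1234.com.exe
2012-03-06 18:51 - 2012-03-06 18:51 - 0881152 ____A C:\Users\allison\AppData\Roaming\isecurity.exe
2012-03-06 18:51 - 2012-03-06 18:51 - 0000691 ____A C:\Users\allison\Desktop\Internet Security.lnk
2012-02-16 00:04 - 2011-12-13 23:43 - 17790464 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-03-07 22:05 - 2012-03-07 22:05 - 0000000 ____D C:\FRST
"""
SCAN_TIME = datetime(2012, 3, 7, 22, 5)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines(), SCAN_TIME):
        print(f"[{f.kind}] {f.path}\n    {f.reason}")
```

On the sample it reports exactly the two isecurity.exe entries and nothing from the Desktop, which is the point of leaving Desktop out of the user-writable list: rkill.com has no publisher either, but it was downloaded there on request. The publisher field is only the PE version-info company name as FRST prints it, not an Authenticode check, so a hit is a lead for the fixlist, not proof on its own.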

#15 arenee74 (Topic Starter)

Posted 07 March 2012 - 10:38 PM

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 07-03-2012 01
Ran by SYSTEM at 2012-03-07 22:37:06 R:1
Running from G:\

==============================================

HKEY_USERS\allison\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security Value deleted successfully.
C:\Users\allison\AppData\Roaming\isecurity.exe moved successfully.
C:\Users\allison\Application Data\isecurity.exe not found.
C:\Users\allison\AppData\Roaming\isecurity.exe not found.
C:\Users\allison\Desktop\Internet Security.lnk moved successfully.
C:\Users\allison\Desktop\iLividSetupV1.exe moved successfully.

==== End of Fixlog ====
