Google search results redirecting, sluggish computer, and random Trojan alerts


31 replies to this topic

#1 ttpbill82


Posted 27 May 2012 - 04:51 PM

Hi all -

I posted my issue originally HERE. Broni was very helpful and suggested that I continue my problem resolution in this forum.

To recap, my wife's laptop has been infected with a virus, and no matter what I try, I can't get rid of it. A little background:

-She's got a Dell Inspiron laptop running Windows 7
-The issues started with malware that downloaded somehow called "S.M.A.R.T. Repair" that hid all of her files... I googled the issue, ran SUPERAntispyware and Unhide to get all of her stuff back, but since then her system is running VERY slowly, and she is routinely getting AVG alerts showing viruses that won't go away. Also, when I try and use Google, any time I click on a search result it redirects me to ads.
-As I was sitting here typing this post, these two AVG alerts popped up (I'm sorry if this isn't the right way to attach these!):

Attached File  ss1.jpg   64.34KB   5 downloads

Attached File  ss2.jpg   127.36KB   5 downloads

-Also, I seem to get AVG messages when Adobe Flash tries to update, which I say "yes" to allow and then cancel before it finishes. If I say No, it keeps coming up with seemingly no way to stop it until I hit Yes.

I followed the prep guide. As this computer has a 64-bit version of Windows 7, I did not run GMER (although I did run it when Broni instructed me to, it did not find anything). Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
Run by Nouvelle at 17:23:30 on 2012-05-27
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [MilkSync for Microsoft Outlook] C:\Users\Nouvelle\AppData\Local\Remember The Milk\MilkSync for Microsoft Outlook\MilkSync.exe
uRun: [GLfkuOgqppaktU.exe] C:\ProgramData\GLfkuOgqppaktU.exe
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [sderav] rundll32.exe "C:\Users\Nouvelle\AppData\Local\Temp\sderav.dll",mpegInNew
mRun: [BTMeter] C:\Program Files (x86)\Battery Meter\BTMeter.exe
mRun: [WSED] C:\Program Files (x86)\WSED\WSED.exe
mRun: [<NO NAME>]
mRun: [CapsLKNotify] C:\Program Files (x86)\CapsLKNotify\CapsLKNotify.exe
mRun: [ODDEject] C:\Program Files (x86)\ODD Eject\ODDEject.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
mRun: [AmazonGSDownloaderTray] C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
StartupFolder: C:\Users\Nouvelle\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\CONTAC~1.LNK - C:\Program Files (x86)\Contacts Sync\Contacts Sync.exe
StartupFolder: C:\Users\Nouvelle\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Nouvelle\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Nouvelle\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\Users\Nouvelle\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Trusted Zone: samsungsetup.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{346C46A2-FBED-445D-A546-B88BABF4BAD3} : DhcpNameServer = 8.8.8.8 64.203.254.30 64.203.254.31
TCP: Interfaces\{411DCB9F-E049-466E-B77A-B7519D1FDF97} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{411DCB9F-E049-466E-B77A-B7519D1FDF97}\6627F6E64796562783532413 : DhcpNameServer = 192.168.254.254 192.168.254.254
TCP: Interfaces\{411DCB9F-E049-466E-B77A-B7519D1FDF97}\B4C696E656 : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO-X64: AVG Do Not Track - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
TB-X64: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
mRun-x64: [BTMeter] C:\Program Files (x86)\Battery Meter\BTMeter.exe
mRun-x64: [WSED] C:\Program Files (x86)\WSED\WSED.exe
mRun-x64: [(Default)]
mRun-x64: [CapsLKNotify] C:\Program Files (x86)\CapsLKNotify\CapsLKNotify.exe
mRun-x64: [ODDEject] C:\Program Files (x86)\ODD Eject\ODDEject.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun-x64: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun-x64: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
mRun-x64: [AmazonGSDownloaderTray] C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun-x64: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-05-27 18:18:26 -------- d-----w- C:\Users\Nouvelle\AppData\Roaming\Malwarebytes
2012-05-27 18:18:06 -------- d-----w- C:\ProgramData\Malwarebytes
2012-05-27 18:18:05 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-05-26 20:13:03 -------- d-----w- C:\Program Files (x86)\Oracle
2012-05-26 20:12:25 772504 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-05-25 14:13:48 -------- d-----w- C:\Users\Nouvelle\AppData\Roaming\PPP
2012-05-25 14:13:00 -------- d-----w- C:\Program Files (x86)\Contacts Sync
2012-05-24 00:37:20 163048 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-23 23:13:44 -------- d-----w- C:\Users\Nouvelle\AppData\Roaming\SUPERAntiSpyware.com
2012-05-23 23:12:57 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-05-23 23:12:57 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-05-16 00:18:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-05-16 00:18:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-05-16 00:18:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-05-16 00:18:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-05-16 00:18:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-05-16 00:18:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-05-16 00:18:47 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-05-11 17:22:40 1544704 ----a-w- C:\Windows\System32\DWrite.dll
2012-05-11 17:22:40 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-05-11 17:22:36 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-11 17:22:33 3146240 ----a-w- C:\Windows\System32\win32k.sys
2012-05-11 17:22:30 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-11 17:22:30 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-11 17:22:07 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
2012-05-11 17:21:51 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-05-11 17:21:49 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-05-11 17:21:49 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 17:21:48 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 17:21:47 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-05-11 17:21:47 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-05-09 17:29:15 -------- d-sh--w- C:\Users\Nouvelle\wc
2012-05-09 17:28:48 -------- d-sh--w- C:\Users\Nouvelle\AppData\Roaming\wyUpdate AU
2012-05-09 17:28:09 -------- d-----w- C:\Users\Nouvelle\AppData\Local\Remember The Milk
2012-04-30 22:49:05 -------- d-----w- C:\$AVG
2012-04-30 15:33:34 -------- d-----w- C:\Users\Nouvelle\AppData\Local\Evernote
.
==================== Find3M ====================
.
2012-05-25 03:14:29 83968 ----a-w- C:\boot_cleaner.exe
2012-05-05 14:51:17 8744608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-04-19 08:50:26 28480 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2012-04-19 00:56:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2012-04-19 00:56:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2012-04-04 22:47:02 687504 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-03-19 09:17:26 383808 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2012-03-01 06:46:16 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-03-01 06:38:27 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-03-01 06:33:50 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-03-01 06:28:47 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-03-01 05:37:41 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-03-01 05:33:23 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-03-01 05:29:16 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 17:32:27.41 ===============

Broni also suggested that I post the ListParts by Farbar log here, which is as follows:

ListParts by Farbar Version: 12-03-2012 03
Ran by Nouvelle (administrator) on 27-05-2012 at 16:56:43
Windows 7 (X64)
Running From: C:\Users\Nouvelle\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 57%
Total physical RAM: 1976.87 MB
Available physical RAM: 832.13 MB
Total Pagefile: 3953.73 MB
Available Pagefile: 2215.41 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:218.19 GB) (Free:156.3 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 218 GB 14 GB
Partition 4 Primary 1016 KB 232 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 RECOVERY NTFS Partition 14 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C OS NTFS Partition 218 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******



Thank you in advance for your help, I appreciate it!


#2 Aaflac

  • Malware Response Team

Posted 27 May 2012 - 10:30 PM

Welcome to the Malware Removal forum, ttpbill82!


First, let's see what the following short scan shows for those entries on AVG...

Please download RogueKiller

•When you get to the website, go to where it says:
(Download link) Lien de téléchargement:
•Click the dark-blue button to download.
•Save to the Desktop

•Close all windows and browsers
•Windows Seven: Right-click and select 'Run as Administrator'
•Press: SCAN
•A report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.


~~~~
Also, to work on the Suspicious Type partition, do you have the Repair your computer option in the Advanced Boot Options menu?

To find out:
Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Is the Repair your computer option listed?

If you do not have the option above, do you have a Windows Seven installation CD/DVD available?

And last, do you have a USB flash drive available, and do you have access to another computer?

Old duck...


#3 ttpbill82


Posted 27 May 2012 - 11:08 PM

Thanks for responding, Aaflac. First, here is the log from the Rogue Killer (note, I did not delete anything although the program suggested that I review the tabs to delete things - let me know if I should):

RogueKiller V7.5.0 [05/24/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Nouvelle [Admin rights]
Mode: Scan -- Date: 05/27/2012 23:59:58

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 12 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : MilkSync for Microsoft Outlook (C:\Users\Nouvelle\AppData\Local\Remember The Milk\MilkSync for Microsoft Outlook\MilkSync.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Run : GLfkuOgqppaktU.exe (C:\ProgramData\GLfkuOgqppaktU.exe) -> FOUND
[BLACKLIST DLL] HKCU\[...]\Run : sderav (rundll32.exe "C:\Users\Nouvelle\AppData\Local\Temp\sderav.dll",mpegInNew) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1945154171-2292283722-4012768251-1001[...]\Run : MilkSync for Microsoft Outlook (C:\Users\Nouvelle\AppData\Local\Remember The Milk\MilkSync for Microsoft Outlook\MilkSync.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1945154171-2292283722-4012768251-1001[...]\Run : GLfkuOgqppaktU.exe (C:\ProgramData\GLfkuOgqppaktU.exe) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-21-1945154171-2292283722-4012768251-1001[...]\Run : sderav (rundll32.exe "C:\Users\Nouvelle\AppData\Local\Temp\sderav.dll",mpegInNew) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 15c52d5345d25a4e816ef1e9c6510f75
[BSP] 239099191902b57edf1c74aed0be0202 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223425 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] bd0a3a0b4eb89781acb3bf34e1ead671
[BSP] 239099191902b57edf1c74aed0be0202 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223425 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 488395120 | Size: 0 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] bd0a3a0b4eb89781acb3bf34e1ead671
[BSP] 239099191902b57edf1c74aed0be0202 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223425 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 488395120 | Size: 0 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt


Second, as far as Repair Your Computer -- I did have this option at one point; however, when I tried to use it (before I posted to this forum) a progress bar that said "Windows is loading files..." came up, completed, but then froze there until I forced the computer to reboot. I have tried to hit F8 on bootup since then but I don't think I had that option every time. I do not have the Windows 7 CD, nor does this computer have a CD/DVD drive. But, I do have a USB flash drive and another computer available.
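As an added illustration (not part of this thread, and not RogueKiller's or ListParts' own code) of what the MBR check in the RKreport above is doing: the script below parses a 512-byte MBR partition table, flags entries with the pattern the log shows (an active, zero-size partition of hidden-NTFS type 0x17), and compares an "API-level" view against a "raw-disk" view the way the `User != LL1 ... KO!` line does. The two MBR images are constructed here from the offsets and sizes printed in the report; the disk itself is not read.

```python
import struct
from dataclasses import dataclass

SECTOR = 512
PT_OFFSET = 446        # start of the 4 x 16-byte partition table in the MBR
HIDDEN_NTFS = 0x17     # "hidden NTFS" type byte; ListParts labels it Suspicious Type


@dataclass(frozen=True)
class Entry:
    index: int
    active: bool
    ptype: int
    lba_start: int
    sectors: int

    def size_mb(self) -> int:
        # RogueKiller prints sizes in "Mo" (MiB): sectors * 512 / 2^20
        return self.sectors * SECTOR // (1024 * 1024)


def build_mbr(table):
    """Assemble a constructed 512-byte MBR from (active, type, lba_start, sectors)
    tuples. Boot code is left zeroed; CHS fields are 0xFF as on large disks."""
    buf = bytearray(SECTOR)
    for i, (active, ptype, lba, count) in enumerate(table):
        struct.pack_into("<B3sB3sII", buf, PT_OFFSET + 16 * i,
                         0x80 if active else 0x00, b"\xff" * 3,
                         ptype, b"\xff" * 3, lba, count)
    struct.pack_into("<H", buf, 510, 0xAA55)   # MBR signature
    return bytes(buf)


def parse_table(mbr: bytes):
    """Return the non-empty partition entries of an MBR sector."""
    if len(mbr) != SECTOR or struct.unpack_from("<H", mbr, 510)[0] != 0xAA55:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        flag, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PT_OFFSET + 16 * i)
        if ptype == 0:
            continue   # empty slot
        entries.append(Entry(i, flag == 0x80, ptype, lba, count))
    return entries


def suspicious_entries(entries):
    """Map entry index -> reasons for entries matching the bootkit pattern in the log."""
    findings = {}
    for e in entries:
        reasons = []
        if e.ptype == HIDDEN_NTFS:
            reasons.append("hidden-NTFS type 0x17")
        if e.active and e.sectors == 0:
            reasons.append("active partition with zero size")
        if e.active and e.ptype == HIDDEN_NTFS:
            reasons.append("boot flag set on a hidden partition")
        if reasons:
            findings[e.index] = reasons
    return findings


def compare_views(user_view, lowlevel_view):
    """Mirror RogueKiller's 'User != LL1' check: the table seen through the OS API
    should equal the one read from the raw disk. Returns (index, user, lowlevel)
    for every slot that differs; any difference means something in the storage
    stack is filtering what the OS is allowed to see."""
    by_u = {e.index: e for e in user_view}
    by_l = {e.index: e for e in lowlevel_view}
    return [(i, by_u.get(i), by_l.get(i))
            for i in sorted(set(by_u) | set(by_l)) if by_u.get(i) != by_l.get(i)]


# Constructed from the geometry in the RKreport (sectors = Mo * 2048).
LOWLEVEL_TABLE = [                                   # what the raw read (LL1) showed
    (False, 0xDE, 63,        39 * 2048),             # DELL-UTIL
    (False, 0x07, 81920,     15000 * 2048),          # RECOVERY
    (False, 0x07, 30801920,  223425 * 2048),         # OS (C:)
    (True,  0x17, 488395120, 0),                     # hidden, active, zero size
]
USER_TABLE = [                                       # what the OS-level read showed
    (False, 0xDE, 63,        39 * 2048),
    (True,  0x07, 81920,     15000 * 2048),          # boot flag appears here instead
    (False, 0x07, 30801920,  223425 * 2048),
]

if __name__ == "__main__":
    user = parse_table(build_mbr(USER_TABLE))
    lowlevel = parse_table(build_mbr(LOWLEVEL_TABLE))
    for idx, reasons in suspicious_entries(lowlevel).items():
        print(f"partition {idx}: " + "; ".join(reasons))
    for idx, u, l in compare_views(user, lowlevel):
        print(f"slot {idx} differs: user={u} lowlevel={l}")
```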

#4 ttpbill82


Posted 27 May 2012 - 11:12 PM

Also, I just noticed that the Rogue Killer created an "RK_Quarantine" folder on my Desktop with these files in it:

MilkSync.exe.vir
PhysicalDrive0_LL1.dat
PhysicalDrive0_LL2.dat
PhysicalDrive0_User.dat
QuarantineReport.txt
sderav.dll.vir

Here is the information in QuarantineReport.txt, in case it is helpful...


Time : 27/05/2012 23:59:58
--------------------------
[MilkSync.exe.vir] -> C:\Users\Nouvelle\AppData\Local\Remember The Milk\MilkSync for Microsoft Outlook\MilkSync.exe
ERROR [GLfkuOgqppaktU.exe.vir] -> C:\ProgramData\GLfkuOgqppaktU.exe
ERROR [rundll32.exe.vir] -> rundll32.exe
[sderav.dll.vir] -> C:\Users\Nouvelle\AppData\Local\Temp\sderav.dll
[MilkSync.exe.vir] -> C:\Users\Nouvelle\AppData\Local\Remember The Milk\MilkSync for Microsoft Outlook\MilkSync.exe
ERROR [GLfkuOgqppaktU.exe.vir] -> C:\ProgramData\GLfkuOgqppaktU.exe
ERROR [rundll32.exe.vir] -> rundll32.exe
[sderav.dll.vir] -> C:\Users\Nouvelle\AppData\Local\Temp\sderav.dll

#5 Aaflac

  • Malware Response Team

Posted 27 May 2012 - 11:36 PM

Let's press on with RogueKiller and get rid of what AVG is showing...

•Please quit all programs
•Right-click the RogueKiller file and select 'Run as Administrator'
•Press: SCAN
•On the RogueKiller console, click the Registry tab.
•Make sure the entries there are checked.
•Then, press the [Delete] button.
An RKreport (Mode: Delete) is created on the Desktop.

Please provide the RKreport (Mode: Delete) in your reply.

Restart the computer.

After doing the above, see if you have any luck getting to the Repair your computer option.

Edited by Aaflac, 28 May 2012 - 12:20 AM.

Old duck...


#6 ttpbill82


Posted 28 May 2012 - 07:39 AM

Here is the delete log:

RogueKiller V7.5.0 [05/24/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Nouvelle [Admin rights]
Mode: Remove -- Date: 05/28/2012 08:33:10

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 9 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : MilkSync for Microsoft Outlook (C:\Users\Nouvelle\AppData\Local\Remember The Milk\MilkSync for Microsoft Outlook\MilkSync.exe) -> DELETED
[SUSP PATH] HKCU\[...]\Run : GLfkuOgqppaktU.exe (C:\ProgramData\GLfkuOgqppaktU.exe) -> DELETED
[BLACKLIST DLL] HKCU\[...]\Run : sderav (rundll32.exe "C:\Users\Nouvelle\AppData\Local\Temp\sderav.dll",mpegInNew) -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 15c52d5345d25a4e816ef1e9c6510f75
[BSP] 239099191902b57edf1c74aed0be0202 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223425 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] bd0a3a0b4eb89781acb3bf34e1ead671
[BSP] 239099191902b57edf1c74aed0be0202 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223425 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 488395120 | Size: 0 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] bd0a3a0b4eb89781acb3bf34e1ead671
[BSP] 239099191902b57edf1c74aed0be0202 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223425 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 488395120 | Size: 0 Mo

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


I am going to try and run Repair Your Computer now...

#7 ttpbill82


Posted 28 May 2012 - 08:13 AM

I could not run Repair Your Computer -- I had the option, but it just hung at "Windows is loading files..." (I waited about 10 minutes).

Also, when I restarted my computer and waited about 5 minutes, I got another AVG popup, which is attached. I have not taken any action on this for the time being until I get more direction from you.

Attached File  ss.jpg   105.92KB   3 downloads

#8 Aaflac

  • Malware Response Team

Posted 28 May 2012 - 03:14 PM

Let's see if we can overcome the hangup at Windows is loading files.

Try making a boot CD by using the Windows 7 recdisc.exe

Note: This process works only if your machine has a type of CD/R or DVD/R optical drive installed. Also, depending on the exact type of OEM your machine has, you may be unable to actually create a SRD. However, due to your circumstances, it is worth giving it a whirl.

Please create a Windows 7 System Repair Disc (SRD) as follows:

  • Click on Start (Windows 7 Orb) > Run...( or press the 'Windows' key and 'R' together) to bring up the Run box.
    Then, copy/paste the following command into the Open box and click: OK

    recdisc.exe
  • Allow the UAC (User Account Control) prompt by selecting: Yes
  • When you see a menu like the one below:
Posted Image

  • Place a blank rewritable CD/DVD in your optical (CD/DVD) drive, and then click on Create disc.
  • If an AutoPlay window shows, just close it.
  • When the SRD is created you will see the following:
Posted Image

  • Now, click on Close > OK
  • You now have a Windows 7 System Repair Disc (SRD).

    Post back on how it goes.

Edited by Aaflac, 28 May 2012 - 03:17 PM.

Old duck...


#9 ttpbill82

ttpbill82
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:06:36 PM

Posted 28 May 2012 - 03:22 PM

Hey Aaflac - unfortunately, this computer does not have a CD or DVD drive. Anything else we can try?

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:06:36 PM

Posted 28 May 2012 - 05:56 PM

Please do the following:

Download an updated version of ComboFix

Save ComboFix.exe to the Desktop!!

Make sure you temporarily disable your AVG AntiVirus, Firewall, and any other AntiSpyware applications. These programs may interfere with the running of CF.

For information on how to disable protective programs, refer to one of these:
Link 1
Link 2

Next, right-click on ComboFix.exe and select 'Run as Administrator'

Follow any prompts.
When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply.


Notes:

1. Do not mouse-click the ComboFix window while it is running. This action may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If ComboFix detects any Rootkit/Bootkit activity it gives a warning and prompts for a reboot. Please allow it to do so.
5. If ComboFix reboots due to a rootkit, the screen may stay black for several minutes on reboot. This is normal.
6. If after running ComboFix you receive any type of warning about Registry keys listed for deletion
when trying to open certain items, reboot the system and this will fix the issue. Those items will not be deleted.

Edited by Aaflac, 28 May 2012 - 06:09 PM.

Old duck...


#11 ttpbill82

ttpbill82
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:06:36 PM

Posted 28 May 2012 - 06:52 PM

Thanks - doing this now. Just FYI, a few different things I noticed today - I just came back to my computer, and when it 'woke up' all of the desktop icons were gone and there was an AVG alert saying that it had removed a "Blackhole Exploit" or something (I'm sorry, I was rebooting and I just quickly caught the message). Then when the computer booted back up, there are icons on my desktop that weren't there before - "Nouvelle" (the account I'm logged in on) and "Computer".

I am going to run ComboFix now, I will post once it's done.

#12 ttpbill82

ttpbill82
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:06:36 PM

Posted 28 May 2012 - 08:38 PM

I ran ComboFix. One issue -- although I disabled AVG as instructed, it was only for 15 minutes and came back on while ComboFix was running. AVG gave me an alert that referenced ComboFix, but I just allowed it to go through and the scan continued. Let me know if there's anything I need to do differently because of that. Here is the log:

ComboFix 12-05-28.05 - Nouvelle 05/28/2012 20:09:06.1.2 - x64
Running from: c:\users\Nouvelle\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\74h12TFWIA6JT1
c:\programdata\PCDr\5907\Downloads\a0b7da8a-c390-46f6-b2b6-21325fedceac.dll
c:\users\Nouvelle\Desktop\Internet Explorer.lnk
.
.
((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-29 )))))))))))))))))))))))))))))))
.
.
2012-05-29 00:46 . 2012-05-29 00:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-27 18:18 . 2012-05-27 18:18 -------- d-----w- c:\users\Nouvelle\AppData\Roaming\Malwarebytes
2012-05-27 18:18 . 2012-05-27 18:18 -------- d-----w- c:\programdata\Malwarebytes
2012-05-27 18:18 . 2012-05-27 18:18 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-26 20:13 . 2012-05-26 20:13 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-05-26 20:13 . 2012-05-26 20:13 -------- d-----w- c:\program files (x86)\Oracle
2012-05-26 20:12 . 2012-04-04 22:47 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-05-25 14:13 . 2012-05-25 14:13 -------- d-----w- c:\users\Nouvelle\AppData\Roaming\PPP
2012-05-25 14:13 . 2012-05-25 14:13 -------- d-----w- c:\program files (x86)\Contacts Sync
2012-05-24 00:37 . 2012-05-24 00:37 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-23 23:13 . 2012-05-23 23:13 -------- d-----w- c:\users\Nouvelle\AppData\Roaming\SUPERAntiSpyware.com
2012-05-23 23:12 . 2012-05-23 23:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-23 23:12 . 2012-05-23 23:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-05-16 00:18 . 2012-05-16 00:18 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-05-16 00:18 . 2012-05-16 00:18 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-05-16 00:18 . 2012-05-16 00:18 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-05-16 00:18 . 2012-05-16 00:18 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-05-16 00:18 . 2012-05-16 00:18 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-05-16 00:18 . 2012-05-16 00:18 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-05-16 00:18 . 2012-05-16 00:18 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-05-16 00:18 . 2012-05-16 00:18 -------- d-----w- c:\program files (x86)\QuickTime
2012-05-11 17:22 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-11 17:22 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-11 17:22 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-11 17:22 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 17:22 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-11 17:22 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-11 17:22 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-11 17:21 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-11 17:21 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-11 17:21 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 17:21 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 17:21 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-11 17:21 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-09 17:29 . 2012-05-28 13:27 -------- d-sh--w- c:\users\Nouvelle\wc
2012-05-09 17:28 . 2012-05-21 13:23 -------- d-sh--w- c:\users\Nouvelle\AppData\Roaming\wyUpdate AU
2012-05-09 17:28 . 2012-05-09 17:28 -------- d-----w- c:\users\Nouvelle\AppData\Local\Remember The Milk
2012-04-30 22:49 . 2012-04-30 22:49 -------- d-----w- C:\$AVG
2012-04-30 15:33 . 2012-04-30 15:33 -------- d-----w- c:\users\Nouvelle\AppData\Local\Evernote
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-25 03:14 . 2011-09-20 07:02 83968 ----a-w- C:\boot_cleaner.exe
2012-05-05 14:51 . 2012-04-17 12:51 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-19 08:50 . 2012-04-19 08:50 28480 ----a-w- c:\windows\system32\drivers\avgidsha.sys
2012-04-19 00:56 . 2012-04-19 00:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-19 00:56 . 2012-04-19 00:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-04-04 22:47 . 2010-08-21 14:08 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-19 09:17 . 2012-03-19 09:17 383808 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2012-03-01 06:46 . 2012-04-13 07:02 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 06:38 . 2012-04-13 07:02 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 06:33 . 2012-04-13 07:02 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 06:28 . 2012-04-13 07:02 5120 ----a-w- c:\windows\system32\wmi.dll
2012-03-01 05:37 . 2012-04-13 07:02 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-03-01 05:33 . 2012-04-13 07:02 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-03-01 05:29 . 2012-04-13 07:02 5120 ----a-w- c:\windows\SysWow64\wmi.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Nouvelle\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Nouvelle\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Nouvelle\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-05-21 4786048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BTMeter"="c:\program files (x86)\Battery Meter\BTMeter.exe" [2009-09-17 632176]
"WSED"="c:\program files (x86)\WSED\WSED.exe" [2009-05-27 247080]
"CapsLKNotify"="c:\program files (x86)\CapsLKNotify\CapsLKNotify.exe" [2009-06-09 320880]
"ODDEject"="c:\program files (x86)\ODD Eject\ODDEject.exe" [2009-02-18 263464]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]
"AmazonGSDownloaderTray"="c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"CanonSolutionMenuEx"="c:\program files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-09 559616]
.
c:\users\Nouvelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Contacts Sync.lnk - c:\program files (x86)\Contacts Sync\Contacts Sync.exe [2012-4-22 434176]
Dropbox.lnk - c:\users\Nouvelle\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [N/A]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-2-4 1155432]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2012-04-30 5106744]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPNAT
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-08 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-05-28 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Nouvelle\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Nouvelle\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Nouvelle\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Nouvelle\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-14 7970848]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig?hl=en
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files (x86)\AVG\AVG2012\avgdtiex.dll
Trusted Zone: samsungsetup.com\www
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Wow6432Node-HKLM-Run-DellSupportCenter - c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
.
**************************************************************************
.
Completion time: 2012-05-28 21:27:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-29 01:26
.
Pre-Run: 167,193,759,744 bytes free
Post-Run: 168,445,112,320 bytes free
.
- - End Of File - - D2772DC3D7AE245AE74DDBFA4365C6E6
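
A ComboFix report like the one above is long, and the entries that matter are easy to miss among the normal Windows Update and application lines. The block below is an added example, not ComboFix's code and not something posted in the thread: it splits the report into its parenthesised sections, parses the "created . modified size attrs path" lines, and raises review items for two patterns visible in this log, namely directories created with system+hidden attributes under a user-writable location (c:\users, c:\programdata; my reading of ComboFix's attribute column is that `s` means system and `h` means hidden), and removed or created files with random-looking or GUID-style names. The function names (`parse_sections`, `looks_random`, `triage`) are my own; the sample lines are copied from the posted log.

```python
"""Pick review items out of a ComboFix report (added example, not ComboFix's own code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix log in the thread, trimmed
# to the sections this script reads.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\74h12TFWIA6JT1
c:\programdata\PCDr\5907\Downloads\a0b7da8a-c390-46f6-b2b6-21325fedceac.dll
c:\users\Nouvelle\Desktop\Internet Explorer.lnk
.
((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-29 )))))))))))))))))))))))))))))))
.
2012-05-27 18:18 . 2012-05-27 18:18 -------- d-----w- c:\programdata\Malwarebytes
2012-05-11 17:22 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-09 17:29 . 2012-05-28 13:27 -------- d-sh--w- c:\users\Nouvelle\wc
2012-05-09 17:28 . 2012-05-21 13:23 -------- d-sh--w- c:\users\Nouvelle\AppData\Roaming\wyUpdate AU
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-25 03:14 . 2011-09-20 07:02 83968 ----a-w- C:\boot_cleaner.exe
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
# "<created> . <modified> <size or --------> <8-char attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$"
)
GUID_NAME_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.(dll|exe|sys)$", re.I)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")  # locations any user process can create files in


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Group the non-empty body lines of the report under their section header."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
            sections.setdefault(current, [])
            continue
        if line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def looks_random(name: str) -> bool:
    """Crude heuristic: a long alphanumeric token mixing letters and digits with
    no separators (e.g. 74h12TFWIA6JT1).  A review item, not a verdict."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 10 or not stem.isalnum():
        return False
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 3 and letters >= 3 and digits / len(stem) >= 0.25


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (path, reason) review items from the Deletions and Files Created sections."""
    findings: List[Tuple[str, str]] = []
    for name, lines in parse_sections(log).items():
        if name == "Other Deletions":
            for path in lines:
                base = path.rsplit("\\", 1)[-1]
                if looks_random(base):
                    findings.append((path, "removed by ComboFix; random-looking name"))
                elif GUID_NAME_RE.search(base):
                    findings.append((path, "removed by ComboFix; GUID-named binary"))
        elif name.startswith("Files Created"):
            for line in lines:
                m = ENTRY_RE.match(line)
                if not m:
                    continue
                path, attrs = m["path"], m["attrs"]
                base = path.rsplit("\\", 1)[-1]
                # 's' = system, 'h' = hidden in the attribute column
                if path.lower().startswith(USER_WRITABLE) and "s" in attrs and "h" in attrs:
                    findings.append((path, f"system+hidden entry created in a user-writable location ({attrs})"))
                if looks_random(base) or GUID_NAME_RE.search(base):
                    findings.append((path, "random-looking or GUID name"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}: {reason}")
```

Against the sample this flags the two deleted items in c:\programdata and the two system+hidden directories under the user's profile, and leaves the Malwarebytes folder, the patched ntoskrnl.exe and the Find3M section alone. The wyUpdate AU hit shows the limit of the attribute heuristic: it is a review item for the helper to clear or pursue, which is the same judgement the thread's reviewer applies by hand.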

#13 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:06:36 PM

Posted 28 May 2012 - 08:48 PM

Once again, see if you have any luck getting to the Repair your computer option.

If not, we will press on to something else.

Old duck...


#14 ttpbill82

ttpbill82
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:06:36 PM

Posted 28 May 2012 - 09:12 PM

No luck - still had the same problem with Repair Your Computer...just froze at the "Windows is loading files" screen.

FYI, I did notice that after running ComboFix that the icons on the desktop are now the size they were before (they were slightly bigger before), if that means anything.

#15 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:06:36 PM

Posted 28 May 2012 - 09:19 PM

Please download the latest version of: TDSSKiller.exe
Save to the Desktop.

Windows Seven: Right-click the file and select 'Run as Administrator'

In the TDSSKiller Scan prompt, click on: Change parameters
Check the box beside: Detect TDLFS file system
Click: OK

Press the button: Start Scan

The tool scans and detects two object types:
Malicious (where the malware has been identified)
Suspicious (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

It also prompts the User to select an action to apply to Suspicious objects (Skip, by default).
Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.

A Reboot Required prompt may appear after a disinfection.
Please reboot!!


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system,
normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_22.02.2012_15.31.43_log.txt

Please post the TDSSKiller log in your reply.

Also, let me know whether TDSSKiller needed a reboot.



When done with the above, please run ListParts once again.
Double-click the downloaded file to run the program.
Click: Scan
When done, please post the new Result.txt in your reply.



Last, please download Security Check
Save to the Desktop.
Double-click SecurityCheck.exe and follow the onscreen instructions (on the black screen)
When done, a Notepad document opens automatically: checkup.txt

Please post the contents of checkup.txt in your reply.

Old duck...
