Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Respawning Trojan.Generic13, Trojan.Generic25, and IRP hook rootkit.


  • This topic is locked This topic is locked
31 replies to this topic

#1 RahRahRocky

RahRahRocky

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 13 September 2012 - 05:38 PM

I recently noticed that my computer began to start up and browse slowly, and that my hibernate function had stopped working. In addition to this, I received an email from Google saying that there was suspicious sign-in activity in my account.
My McAffe subscription had recently run out (its final scan detected no threats), so I installed AVG Free 2013, which upon its first scan detected 3 threats. These were "Trojan horse Downloader.Generic13.CAM", "Trojan horse Generic.25.BCBS", both of which were found in the location "C:\Windows\System32\svchost.exe". There was also found a rootkit titled "IRP hook, \Driver\atapi IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xFFFFFA8004BEE334" in location "<unknown>".
AVG gave me the option to remove these threats after the scan was completed so I did so, only to notice that the symptoms did not go away. Additional scans showed that the threats had not been removed at all. Scanning in Safe Mode with both AVG and MBAM were also ineffective in removing them.
Here's the DDS report, which also took about 15 minutes to complete, rather than the usual 3 minutes:


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_35
Run by Heather at 19:14:46 on 2012-09-13
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.4061.2698 [GMT -2.5:30]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.plusnetwork.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\PROGRA~2\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
uRun: [Spyware Doctor] C:\Users\Heather\Desktop\sdsetup_revwire207.exe -min
uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [Adobe Reader Speed Launcher] "c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r
mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [<NO NAME>]
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [PlusService] C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
StartupFolder: C:\Users\Heather\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{060C0A99-6109-40C1-824B-EDC765B7C847} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{53A6278E-72CF-4CEF-B455-EB991B3DC37D} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{53A6278E-72CF-4CEF-B455-EB991B3DC37D}\7586964756 : DhcpNameServer = 192.168.1.1
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~2\mcafee\msk\mskapbho.dll
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [Adobe Reader Speed Launcher] "c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [UpdReg] C:\Windows\UpdReg.EXE
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r
mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [(Default)]
mRun-x64: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun-x64: [PlusService] C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\hlfjb4k1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NOS\bin\np_gp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
R0 Avgloga;AVG Logging Driver;C:\Windows\system32\DRIVERS\avgloga.sys --> C:\Windows\system32\DRIVERS\avgloga.sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2012/08/08 15:38:13];C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl [2012-8-8 146928]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\AESTSr64.exe [2009-11-28 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2012-8-20 5751928]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-8-20 184304]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2009-9-1 648432]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;C:\Windows\system32\DRIVERS\OA008Ufd.sys --> C:\Windows\system32\DRIVERS\OA008Ufd.sys [?]
R3 OA008Vid;Creative Camera OA008 Function Driver;C:\Windows\system32\DRIVERS\OA008Vid.sys --> C:\Windows\system32\DRIVERS\OA008Vid.sys [?]
S2 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-11 250568]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-9-1 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-9-1 79360]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-3 114144]
S3 nosGetPlusHelper;getPlus® Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [2009-9-1 79360]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-09-12 00:01:34 574464 ----a-w- C:\Windows\System32\d3d10level9.dll
2012-09-12 00:01:34 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2012-09-11 21:16:44 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-11 21:04:54 -------- d--h--w- C:\$AVG
2012-09-11 13:19:33 -------- d-----w- C:\Users\Heather\AppData\Roaming\McAfee
2012-09-11 12:43:52 -------- d-----w- C:\Program Files\CCleaner
2012-09-11 10:38:42 -------- d-----w- C:\Users\Heather\AppData\Roaming\AVG2013
2012-09-11 10:37:30 -------- d-----w- C:\Users\Heather\AppData\Roaming\TuneUp Software
2012-09-11 10:36:05 -------- d-----w- C:\ProgramData\AVG2013
2012-09-11 10:34:51 -------- d-----w- C:\Program Files (x86)\AVG
2012-09-11 10:31:42 -------- d--h--w- C:\ProgramData\Common Files
2012-09-11 10:31:41 -------- d-----w- C:\Users\Heather\AppData\Local\MFAData
2012-09-11 10:31:41 -------- d-----w- C:\Users\Heather\AppData\Local\Avg2013
2012-09-11 10:31:41 -------- d-----w- C:\ProgramData\MFAData
2012-09-07 22:43:35 73696 ----a-w- C:\Program Files (x86)\Mozilla Firefox\updated\breakpadinjector.dll
2012-09-07 22:43:35 266720 ----a-w- C:\Program Files (x86)\Mozilla Firefox\updated\components\browsercomps.dll
2012-09-07 22:43:35 18912 ----a-w- C:\Program Files (x86)\Mozilla Firefox\updated\AccessibleMarshal.dll
2012-08-30 23:43:43 73696 ----a-w- C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-16 01:34:27 503808 ----a-w- C:\Windows\System32\srcore.dll
2012-08-16 01:34:26 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2012-08-16 01:34:18 751104 ----a-w- C:\Windows\System32\win32spl.dll
2012-08-16 01:34:18 67584 ----a-w- C:\Windows\splwow64.exe
2012-08-16 01:34:17 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2012-08-16 01:34:16 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2012-08-16 01:34:09 41472 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-08-16 01:34:08 58880 ----a-w- C:\Windows\System32\browcli.dll
2012-08-16 01:34:07 136704 ----a-w- C:\Windows\System32\browser.dll
2012-08-16 01:33:59 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-08-16 01:33:54 956416 ----a-w- C:\Windows\System32\localspl.dll
.
==================== Find3M ====================
.
2012-08-28 22:54:56 477168 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-08-28 22:54:53 473072 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-08-26 19:33:08 73416 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-26 19:33:08 696520 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-13 19:10:52 150880 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
2012-08-10 07:22:38 199520 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2012-08-10 07:22:34 105312 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2012-08-10 07:22:16 40288 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
2012-08-09 16:26:42 230240 ----a-w- C:\Windows\System32\drivers\avgloga.sys
2012-08-09 16:26:34 60768 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2012-08-09 16:26:20 175968 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 19:23:12.10 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:15 AM

Posted 13 September 2012 - 08:16 PM

Hello RahRahRocky,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.


Do you have a USB Flash Drive you can use?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 RahRahRocky

RahRahRocky
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 13 September 2012 - 08:44 PM

Thanks a lot for taking the time to help me! I do have a USB drive I can use.

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:15 AM

Posted 13 September 2012 - 09:04 PM

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.[*]The tool will start to run.[*]When the tool opens click Yes to disclaimer.[*]Press Scan button.[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list][/quote]

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 RahRahRocky

RahRahRocky
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 14 September 2012 - 09:40 AM

After pressing "Repair my computer", the screen freezes at "Windows is loading files..." (no progress for an hour). Should it normally take this long?

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:15 AM

Posted 14 September 2012 - 01:33 PM

1.
Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    Posted Image
  • Put a checkmark beside loaded modules.
    Posted Image
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    Posted Image
  • Click the Start Scan button.
    Posted Image
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Posted Image
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Posted Image
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.



Things to include in your next reply:;
TDssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 RahRahRocky

RahRahRocky
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 14 September 2012 - 02:09 PM

TDSSkiller refuses to open at all, even with administrator permission. Should I still use ComboFix?

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:15 AM

Posted 14 September 2012 - 02:12 PM

Go ahead with Combofix

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 RahRahRocky

RahRahRocky
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 14 September 2012 - 04:06 PM

ComboFix 12-09-14.03 - Heather 14/09/2012 17:22:10.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.4061.2575 [GMT -2.5:30]
Running from: c:\users\Heather\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\7ymgkmprKUIUSz
c:\users\Heather\AppData\Local\cgj.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-14 to 2012-09-14 )))))))))))))))))))))))))))))))
.
.
2012-09-14 20:22 . 2012-09-14 20:22 -------- d-----w- c:\users\Mcx1-HEATHERSLAPTOP\AppData\Local\temp
2012-09-14 20:22 . 2012-09-14 20:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-13 18:57 . 2012-08-31 03:13 64462936 ----a-w- c:\windows\system32\MRT.exe
2012-09-12 00:01 . 2012-08-02 17:55 574464 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-12 00:01 . 2012-08-02 17:05 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2012-09-11 21:16 . 2012-09-11 21:18 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-11 21:04 . 2012-09-11 21:04 -------- d-----w- C:\$AVG
2012-09-11 13:19 . 2012-09-11 13:19 -------- d-----w- c:\users\Heather\AppData\Roaming\McAfee
2012-09-11 12:43 . 2012-09-11 12:43 -------- d-----w- c:\program files\CCleaner
2012-09-11 10:38 . 2012-09-11 20:54 -------- d-----w- c:\users\Heather\AppData\Roaming\AVG2013
2012-09-11 10:37 . 2012-09-11 10:37 -------- d-----w- c:\users\Heather\AppData\Roaming\TuneUp Software
2012-09-11 10:36 . 2012-09-11 21:45 -------- d-----w- c:\programdata\AVG2013
2012-09-11 10:34 . 2012-09-11 20:54 -------- d-----w- c:\program files (x86)\AVG
2012-09-11 10:31 . 2012-09-11 10:31 -------- d--h--w- c:\programdata\Common Files
2012-09-11 10:31 . 2012-09-14 20:28 -------- d-----w- c:\programdata\MFAData
2012-09-11 10:31 . 2012-09-13 16:52 -------- d-----w- c:\users\Heather\AppData\Local\Avg2013
2012-09-11 10:31 . 2012-09-11 10:31 -------- d-----w- c:\users\Heather\AppData\Local\MFAData
2012-09-07 22:43 . 2012-08-30 23:43 73696 ----a-w- c:\program files (x86)\Mozilla Firefox\updated\breakpadinjector.dll
2012-09-07 22:43 . 2012-08-30 23:43 266720 ----a-w- c:\program files (x86)\Mozilla Firefox\updated\components\browsercomps.dll
2012-09-07 22:43 . 2012-08-30 23:43 18912 ----a-w- c:\program files (x86)\Mozilla Firefox\updated\AccessibleMarshal.dll
2012-08-30 23:43 . 2012-09-08 01:34 73696 ----a-w- c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-16 01:34 . 2012-05-05 08:30 503808 ----a-w- c:\windows\system32\srcore.dll
2012-08-16 01:34 . 2012-05-05 07:44 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-08-16 01:34 . 2012-02-11 06:36 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-08-16 01:34 . 2012-02-11 06:29 67584 ----a-w- c:\windows\splwow64.exe
2012-08-16 01:34 . 2012-02-11 05:44 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-08-16 01:34 . 2012-02-11 06:29 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-16 01:34 . 2012-07-04 21:23 41472 ----a-w- c:\windows\SysWow64\browcli.dll
2012-08-16 01:34 . 2012-07-04 22:04 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-16 01:34 . 2012-07-04 22:01 58880 ----a-w- c:\windows\system32\browcli.dll
2012-08-16 01:34 . 2012-07-04 22:01 136704 ----a-w- c:\windows\system32\browser.dll
2012-08-16 01:33 . 2012-07-18 17:31 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-08-16 01:33 . 2012-05-14 05:20 956416 ----a-w- c:\windows\system32\localspl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-28 22:54 . 2012-05-19 22:18 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-08-28 22:54 . 2011-01-25 20:19 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-26 19:33 . 2012-04-11 23:43 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-26 19:33 . 2011-05-21 22:11 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-13 19:10 . 2012-08-13 19:10 150880 ----a-w- c:\windows\system32\drivers\avgidsdrivera.sys
2012-08-10 07:22 . 2012-08-10 07:22 199520 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2012-08-10 07:22 . 2012-08-10 07:22 105312 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2012-08-10 07:22 . 2012-08-10 07:22 40288 ----a-w- c:\windows\system32\drivers\avgrkx64.sys
2012-08-09 16:26 . 2012-08-09 16:26 230240 ----a-w- c:\windows\system32\drivers\avgloga.sys
2012-08-09 16:26 . 2012-08-09 16:26 60768 ----a-w- c:\windows\system32\drivers\avgidsha.sys
2012-08-09 16:26 . 2012-08-09 16:26 175968 ----a-w- c:\windows\system32\drivers\avgldx64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 15:59 1490312 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 163328]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-12-09 237693]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2010-01-07 140520]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-30 98304]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
"PlusService"="c:\program files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [2012-02-07 801792]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-08-29 3039352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2010-09-29 560128]
.
c:\users\Heather\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2013\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [2012-08-20 5751928]
R2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-26 250568]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-09-01 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-09-01 79360]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-08 114144]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [2009-09-01 79360]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1255736]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-08-09 60768]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys [2012-08-09 230240]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-08-10 40288]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2007-11-14 53488]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2012-08-13 150880]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-08-09 175968]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2012-08-10 105312]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-08-10 199520]
S2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2012/08/08 15:38];c:\program files (x86)\CyberLink\PowerDVD DX\000.fcl [2010-01-07 19:41 146928]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\AESTSr64.exe [2009-03-02 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-30 203264]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-08-20 184304]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\SftService.exe [2009-07-16 648432]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-10 270848]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
S3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\DRIVERS\OA008Ufd.sys [2009-03-06 159840]
S3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\DRIVERS\OA008Vid.sys [2009-05-06 313696]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 19:33]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-11-25 1657128]
"RunDLLEntry"="c:\windows\system32\AmbRunE.dll" [2008-12-17 17920]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]
"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2009-08-07 3179088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.plusnetwork.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\hlfjb4k1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Spyware Doctor - c:\users\Heather\Desktop\sdsetup_revwire207.exe
Wow6432Node-HKCU-Run-EA Core - c:\program files (x86)\Electronic Arts\EADM\Core.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-BK_Screensaver_Characters - c:\windows\system32\BK_Screensaver_Characters.scr
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD DX\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\AVG\AVG2013\avgcfgex.exe
.
**************************************************************************
.
Completion time: 2012-09-14 18:29:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-14 20:59
.
Pre-Run: 181,665,361,920 bytes free
Post-Run: 181,328,670,720 bytes free
.
- - End Of File - - DA1DEEB457B23EDDBBA6262526C05027

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:15 AM

Posted 14 September 2012 - 04:42 PM

Hows the machine running?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 RahRahRocky

RahRahRocky
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 14 September 2012 - 05:01 PM

Still very slow to start up and browse. Hibernate option still doesn't work. Nothing's changed really.

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:15 AM

Posted 14 September 2012 - 10:44 PM

Hello,

Let's check a few more things.

1.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

2.
Download AdwCleaner
  • Double click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users:
    Right click in the adwCleaner.exe and select
    Posted Image
  • Click the Search button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[R1].txt.

3.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename in winlogon.exe (or winlogon.com) and try again

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#13 RahRahRocky

RahRahRocky
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 15 September 2012 - 10:36 AM

MBAM Log:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.15.04

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Heather :: HEATHERSLAPTOP [administrator]

15/09/2012 12:43:45 PM
mbam-log-2012-09-15 (12-43-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 222202
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



AdwCleaner log:

# AdwCleaner v2.001 - Logfile created 09/15/2012 at 12:50:10
# Updated 09/09/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Heather - HEATHERSLAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Heather\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Program Files (x86)\Ask Search Assistant
Folder Found : C:\Program Files (x86)\Ask.com
Folder Found : C:\ProgramData\InstallMate
Folder Found : C:\ProgramData\Premium
Folder Found : C:\Users\Heather\AppData\LocalLow\AskToolbar
Folder Found : C:\Users\Heather\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ask Search Assistant
Folder Found : C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\hlfjb4k1.default\extensions\info@allpremiumplay.info
Folder Found : C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\hlfjb4k1.default\extensions\toolbar@ask.com
Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Found : HKCU\Software\APN
Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\Ask.com
Key Found : HKCU\Software\AskSearchAsst
Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{18EAB056-9057-F224-FD4C-1F6569C4D8D2}
Key Found : HKLM\Software\APN
Key Found : HKLM\Software\AskToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Found : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Ask.com Search Assistant
Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKU\S-1-5-21-2489696757-1399987997-998889746-1000\Software\Microsoft\Internet Explorer\SearchScopes\{18EAB056-9057-F224-FD4C-1F6569C4D8D2}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.plusnetwork.com

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\hlfjb4k1.default\prefs.js

Found : user_pref("extensions.asktb.InstallDir", "C:\\Program Files (x86)\\Ask.com\\");
Found : user_pref("extensions.asktb.cbid", "FM");
Found : user_pref("extensions.asktb.config-updated", true);
Found : user_pref("extensions.asktb.crumb", "2011.04.15+13.33.06-toolbar003iad-CA-Q29ybmVyIEJyb29rLENhbmFkYQ[...]
Found : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}[...]
Found : user_pref("extensions.asktb.dtid", "TES002YYCA");
Found : user_pref("extensions.asktb.dyn-weather-do-locid-lookup-weatherWidget", true);
Found : user_pref("extensions.asktb.fresh-install", false);
Found : user_pref("extensions.asktb.guid", "d6370537-538f-419a-8d92-c0db915cc177");
Found : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
Found : user_pref("extensions.asktb.if", "first");
Found : user_pref("extensions.asktb.l", "dis");
Found : user_pref("extensions.asktb.last-config-req", "1347368044114");
Found : user_pref("extensions.asktb.last-v", "3.11.3.100005");
Found : user_pref("extensions.asktb.locale", "en_US");
Found : user_pref("extensions.asktb.new-tab-opt-out", true);
Found : user_pref("extensions.asktb.o", "14193");
Found : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
Found : user_pref("extensions.asktb.qsrc", "2871");
Found : user_pref("extensions.asktb.r", "8");
Found : user_pref("extensions.asktb.sa", "NO");
Found : user_pref("extensions.asktb.search-suggestions-enabled", true);
Found : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
Found : user_pref("extensions.asktb.themeid", "");
Found : user_pref("extensions.asktb.to", "");
Found : user_pref("extensions.asktb.v", "3.11.3.100013");
Found : user_pref("extensions.asktb.version", "5.11.3.15590");
Found : user_pref("extensions.enabledAddons", "{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}:1.2.6,{CAFEEFAC-0016-0[...]
Found : user_pref("extensions.nurit5562nurit235.scode", "(function(){try{if('aol.com,mystart.incredibar.com,[...]

*************************

AdwCleaner[R1].txt - [6991 octets] - [15/09/2012 12:50:10]

########## EOF - C:\AdwCleaner[R1].txt - [7051 octets] ##########



RogueKiller log:

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Heather [Admin rights]
Mode : Scan -- Date : 09/15/2012 12:52:22

Bad processes : 0

Registry Entries : 9
[RUN][BLACKLIST DLL] HKLM\[...]\Run : RunDLLEntry (C:\Windows\system32\RunDLL32.exe C:\Windows\system32\AmbRunE.dll,RunDLLEntry) -> FOUND
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (\??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl) -> FOUND
[Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (\??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver : [NOT LOADED]

Infection : Root.MBR

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: WDC WD3200BEVT-75ZCT2 ATA Device +++++
--- User ---
[MBR] 336d0083466e65360cda0113585efad6
[BSP] 5930f3d1dd4c6e39986280ec91830a5f : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30800325 | Size: 290191 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] fbdb2f1eca7297f73e34580f1f234863
[BSP] 5930f3d1dd4c6e39986280ec91830a5f : Windows 7 MBR Code [possible maxSST in 3!]
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30800325 | Size: 290191 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625113088 | Size: 10 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt



Both AdwCleaner and RogueKiller asked me if I wanted to delete the found items, but as this wasn't in your instructions I didn't delete anything. A new symptom of the infection has also appeared, I am now hearing advertisements played whenever I'm connected to the internet, even though neither Firefox nor Internet Explorer is open.

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:15 AM

Posted 15 September 2012 - 01:15 PM

1.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


2.
  • Re-Run RogueKiller
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Delete
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename in winlogon.exe (or winlogon.com) and try again


3.

Please download Listparts64
Run the tool, click Scan and post the log (Result.txt) it makes.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#15 RahRahRocky

RahRahRocky
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 15 September 2012 - 01:58 PM

# AdwCleaner v2.001 - Logfile created 09/15/2012 at 16:09:36
# Updated 09/09/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Heather - HEATHERSLAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Heather\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Ask Search Assistant
Folder Deleted : C:\Program Files (x86)\Ask.com
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Premium
Folder Deleted : C:\Users\Heather\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Heather\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ask Search Assistant
Folder Deleted : C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\hlfjb4k1.default\extensions\info@allpremiumplay.info
Folder Deleted : C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\hlfjb4k1.default\extensions\toolbar@ask.com
Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\AskSearchAsst
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{18EAB056-9057-F224-FD4C-1F6569C4D8D2}
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Ask.com Search Assistant
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.plusnetwork.com --> hxxp://www.google.com

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\hlfjb4k1.default\prefs.js

Deleted : user_pref("extensions.asktb.InstallDir", "C:\\Program Files (x86)\\Ask.com\\");
Deleted : user_pref("extensions.asktb.cbid", "FM");
Deleted : user_pref("extensions.asktb.config-updated", true);
Deleted : user_pref("extensions.asktb.crumb", "2011.04.15+13.33.06-toolbar003iad-CA-Q29ybmVyIEJyb29rLENhbmFkYQ[...]
Deleted : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}[...]
Deleted : user_pref("extensions.asktb.dtid", "TES002YYCA");
Deleted : user_pref("extensions.asktb.dyn-weather-do-locid-lookup-weatherWidget", true);
Deleted : user_pref("extensions.asktb.fresh-install", false);
Deleted : user_pref("extensions.asktb.guid", "d6370537-538f-419a-8d92-c0db915cc177");
Deleted : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
Deleted : user_pref("extensions.asktb.if", "first");
Deleted : user_pref("extensions.asktb.l", "dis");
Deleted : user_pref("extensions.asktb.last-config-req", "1347368044114");
Deleted : user_pref("extensions.asktb.last-v", "3.11.3.100005");
Deleted : user_pref("extensions.asktb.locale", "en_US");
Deleted : user_pref("extensions.asktb.new-tab-opt-out", true);
Deleted : user_pref("extensions.asktb.o", "14193");
Deleted : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
Deleted : user_pref("extensions.asktb.qsrc", "2871");
Deleted : user_pref("extensions.asktb.r", "8");
Deleted : user_pref("extensions.asktb.sa", "NO");
Deleted : user_pref("extensions.asktb.search-suggestions-enabled", true);
Deleted : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
Deleted : user_pref("extensions.asktb.themeid", "");
Deleted : user_pref("extensions.asktb.to", "");
Deleted : user_pref("extensions.asktb.v", "3.11.3.100013");
Deleted : user_pref("extensions.asktb.version", "5.11.3.15590");
Deleted : user_pref("extensions.enabledAddons", "{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}:1.2.6,{CAFEEFAC-0016-0[...]
Deleted : user_pref("extensions.nurit5562nurit235.scode", "(function(){try{if('aol.com,mystart.incredibar.com,[...]

*************************

AdwCleaner[R1].txt - [7106 octets] - [15/09/2012 12:50:10]
AdwCleaner[S1].txt - [7546 octets] - [15/09/2012 16:09:36]

########## EOF - C:\AdwCleaner[S1].txt - [7606 octets] ##########


--


RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Heather [Admin rights]
Mode : Remove -- Date : 09/15/2012 16:15:07

Bad processes : 0

Registry Entries : 13
[RUN][BLACKLIST DLL] HKLM\[...]\Run : RunDLLEntry (C:\Windows\system32\RunDLL32.exe C:\Windows\system32\AmbRunE.dll,RunDLLEntry) -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (\??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl) -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (\??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl) -> DELETED
[TASK][PREVRUN] ProgramDataUpdater : C:\Windows\System32\rundll32.exe -> DELETED
[TASK][PREVRUN] Proxy : C:\Windows\System32\rundll32.exe -> DELETED
[TASK][PREVRUN] SR : C:\Windows\System32\rundll32.exe -> DELETED
[TASK][PREVRUN] IpAddressConflict1 : C:\Windows\System32\rundll32.exe -> DELETED
[TASK][PREVRUN] IpAddressConflict2 : C:\Windows\System32\rundll32.exe -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

Driver : [NOT LOADED]

Infection : Root.MBR

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: WDC WD3200BEVT-75ZCT2 ATA Device +++++
--- User ---
[MBR] 336d0083466e65360cda0113585efad6
[BSP] 5930f3d1dd4c6e39986280ec91830a5f : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30800325 | Size: 290191 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] fbdb2f1eca7297f73e34580f1f234863
[BSP] 5930f3d1dd4c6e39986280ec91830a5f : Windows 7 MBR Code [possible maxSST in 3!]
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30800325 | Size: 290191 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625113088 | Size: 10 Mo

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


--


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-09-2012 03
Ran by Heather at 15-09-2012 16:17:48
Running from C:\Users\Heather\Desktop
(X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ========

2012-09-15 16:16 - 2012-09-15 16:04 - 01454171 ____A (Farbar) C:\Users\Heather\Desktop\FRST64.exe
2012-09-15 16:15 - 2012-09-15 16:15 - 00002995 ____A C:\Users\Heather\Desktop\RKreport[2].txt
2012-09-15 16:13 - 2012-09-15 16:13 - 00007659 ____A C:\Users\Heather\Desktop\AdwCleaner[S1].txt
2012-09-15 16:09 - 2012-09-15 16:09 - 00007659 ____A C:\AdwCleaner[S1].txt
2012-09-15 12:51 - 2012-09-15 16:15 - 00000000 ____D C:\Users\Heather\Desktop\RK_Quarantine
2012-09-15 12:50 - 2012-09-15 12:50 - 00007106 ____A C:\AdwCleaner[R1].txt
2012-09-15 12:42 - 2012-09-15 12:42 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-15 12:42 - 2012-09-15 12:42 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-15 12:41 - 2012-09-15 12:35 - 01378816 ____A C:\Users\Heather\Desktop\RogueKiller.exe
2012-09-15 12:41 - 2012-09-15 12:35 - 00512399 ____A C:\Users\Heather\Desktop\adwcleaner.exe
2012-09-15 12:41 - 2012-09-15 12:34 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Heather\Desktop\123abc.exe
2012-09-14 18:29 - 2012-09-14 18:29 - 00018599 ____A C:\ComboFix.txt
2012-09-14 17:13 - 2011-06-26 04:15 - 00256000 ____A C:\Windows\PEV.exe
2012-09-14 17:13 - 2010-11-07 14:50 - 00208896 ____A C:\Windows\MBR.exe
2012-09-14 17:13 - 2009-04-20 02:26 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-09-14 17:13 - 2000-08-30 21:30 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-09-14 17:13 - 2000-08-30 21:30 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-09-14 17:13 - 2000-08-30 21:30 - 00098816 ____A C:\Windows\sed.exe
2012-09-14 17:13 - 2000-08-30 21:30 - 00080412 ____A C:\Windows\grep.exe
2012-09-14 17:13 - 2000-08-30 21:30 - 00068096 ____A C:\Windows\zip.exe
2012-09-14 17:12 - 2012-09-15 16:12 - 00000000 ____D C:\ComboFix
2012-09-14 16:49 - 2012-09-14 18:30 - 00000000 ____D C:\Qoobox
2012-09-14 16:48 - 2012-09-14 18:13 - 00000000 ____D C:\Windows\erdnt
2012-09-14 16:32 - 2012-09-14 16:27 - 04752472 ____R (Swearware) C:\Users\Heather\Desktop\ComboFix.exe
2012-09-14 16:32 - 2012-09-14 16:25 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Heather\Desktop\tdsskiller.exe
2012-09-13 19:14 - 2012-09-13 18:56 - 00607260 ____R (Swearware) C:\Users\Heather\Desktop\dds.com
2012-09-13 19:12 - 2012-09-13 19:12 - 00000476 ____A C:\Users\Heather\Desktop\defogger_disable.log
2012-09-13 19:12 - 2012-09-13 19:12 - 00000000 ____A C:\Users\Heather\defogger_reenable
2012-09-13 19:11 - 2012-09-13 18:55 - 00050477 ____A C:\Users\Heather\Desktop\Defogger.exe
2012-09-13 19:05 - 2012-09-13 19:05 - 00011452 ____A C:\Users\Heather\Documents\backup1 sims stories fandom ringtones gifs.ROXIO
2012-09-13 16:27 - 2012-08-31 00:43 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-09-11 21:31 - 2012-08-02 15:25 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-09-11 21:31 - 2012-08-02 14:35 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-09-11 18:37 - 2012-09-14 17:55 - 00003578 ____A C:\Windows\PFRO.log
2012-09-11 18:34 - 2012-09-11 18:34 - 00000000 ____D C:\$AVG
2012-09-11 10:49 - 2012-09-11 10:49 - 00000000 ____D C:\Users\Heather\AppData\Roaming\McAfee
2012-09-11 10:23 - 2012-09-15 16:11 - 00179175 ____A C:\Windows\setupact.log
2012-09-11 10:23 - 2012-09-11 10:23 - 00000000 ____A C:\Windows\setuperr.log
2012-09-11 10:13 - 2012-09-11 10:13 - 00000824 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-09-11 10:13 - 2012-09-11 10:13 - 00000000 ____D C:\Program Files\CCleaner
2012-09-11 08:08 - 2012-09-11 18:24 - 00000000 ____D C:\Users\Heather\AppData\Roaming\AVG2013
2012-09-11 08:07 - 2012-09-11 18:35 - 00000967 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2012-09-11 08:07 - 2012-09-11 08:07 - 00000000 ____D C:\Users\Heather\AppData\Roaming\TuneUp Software
2012-09-11 08:06 - 2012-09-11 19:15 - 00000000 ____D C:\Users\All Users\AVG2013
2012-09-11 08:04 - 2012-09-11 18:24 - 00000000 ____D C:\Program Files (x86)\AVG
2012-09-11 08:01 - 2012-09-15 12:44 - 00000000 ____D C:\Users\All Users\MFAData
2012-09-11 08:01 - 2012-09-13 14:22 - 00000000 ____D C:\Users\Heather\AppData\Local\Avg2013
2012-09-11 08:01 - 2012-09-11 08:01 - 00000000 ____D C:\Users\Heather\AppData\Local\MFAData
2012-09-08 14:16 - 2012-09-08 14:16 - 00000000 ____A C:\Users\Heather\AppData\Roaming\TS3Patch.lck
2012-09-05 15:24 - 2012-08-28 20:10 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-09-05 15:24 - 2012-08-28 20:10 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-09-05 15:24 - 2012-08-28 20:09 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-09-05 15:23 - 2012-09-05 15:24 - 00002948 ____A C:\Windows\SysWOW64\jupdate-1.6.0_35-b10.log
2012-08-28 13:20 - 2012-08-28 13:28 - 00000000 ____D C:\Users\Heather\Downloads\The Midsummer Station
2012-08-26 20:33 - 2012-09-09 18:56 - 00000000 ____D C:\Users\Heather\Desktop\Slender v0.9.6
2012-08-26 14:15 - 2012-08-26 14:15 - 00000160 ___AH C:\Users\All Users\-7ymgkmprKUIUSzr
2012-08-26 14:15 - 2012-08-26 14:15 - 00000144 ___AH C:\Users\All Users\-7ymgkmprKUIUSz
2012-08-25 20:39 - 2012-08-25 20:39 - 00059781 ____A C:\Users\Heather\.recently-used.xbel
2012-08-21 18:17 - 2012-09-08 00:28 - 00001456 ____A C:\Users\Heather\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-08-18 16:22 - 2012-08-20 00:42 - 00000000 ____D C:\Users\Heather\Downloads\The Avengers
2012-08-16 00:48 - 2012-06-29 02:25 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-16 00:48 - 2012-06-29 01:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-16 00:48 - 2012-06-29 01:26 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-16 00:48 - 2012-06-29 01:19 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-16 00:48 - 2012-06-29 01:19 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-16 00:48 - 2012-06-29 01:18 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-16 00:48 - 2012-06-29 01:17 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-16 00:48 - 2012-06-29 01:15 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-16 00:48 - 2012-06-29 01:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-16 00:48 - 2012-06-29 01:13 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-16 00:48 - 2012-06-29 01:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-16 00:48 - 2012-06-29 01:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-16 00:48 - 2012-06-29 01:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-16 00:48 - 2012-06-29 01:05 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-16 00:48 - 2012-06-28 22:22 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-16 00:48 - 2012-06-28 21:57 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-16 00:48 - 2012-06-28 21:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-16 00:48 - 2012-06-28 21:39 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-16 00:48 - 2012-06-28 21:39 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-16 00:48 - 2012-06-28 21:38 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-16 00:48 - 2012-06-28 21:37 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-16 00:48 - 2012-06-28 21:36 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-16 00:48 - 2012-06-28 21:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-16 00:48 - 2012-06-28 21:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-16 00:48 - 2012-06-28 21:31 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-16 00:48 - 2012-06-28 21:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-16 00:48 - 2012-06-28 21:30 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-16 00:48 - 2012-06-28 21:27 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll


==================== 3 Months Modified Files ==================

2012-09-15 16:15 - 2012-09-15 16:15 - 00002995 ____A C:\Users\Heather\Desktop\RKreport[2].txt
2012-09-15 16:13 - 2012-09-15 16:13 - 00007659 ____A C:\Users\Heather\Desktop\AdwCleaner[S1].txt
2012-09-15 16:11 - 2012-09-11 10:23 - 00179175 ____A C:\Windows\setupact.log
2012-09-15 16:11 - 2009-07-14 02:38 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-15 16:10 - 2009-11-28 15:57 - 01289764 ____A C:\Windows\WindowsUpdate.log
2012-09-15 16:10 - 2009-11-28 15:33 - 00011120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-15 16:10 - 2009-11-28 15:33 - 00011120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-15 16:09 - 2012-09-15 16:09 - 00007659 ____A C:\AdwCleaner[S1].txt
2012-09-15 16:04 - 2012-09-15 16:16 - 01454171 ____A (Farbar) C:\Users\Heather\Desktop\FRST64.exe
2012-09-15 12:50 - 2012-09-15 12:50 - 00007106 ____A C:\AdwCleaner[R1].txt
2012-09-15 12:42 - 2012-09-15 12:42 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-15 12:39 - 2012-04-11 21:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-15 12:35 - 2012-09-15 12:41 - 01378816 ____A C:\Users\Heather\Desktop\RogueKiller.exe
2012-09-15 12:35 - 2012-09-15 12:41 - 00512399 ____A C:\Users\Heather\Desktop\adwcleaner.exe
2012-09-15 12:34 - 2012-09-15 12:41 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Heather\Desktop\123abc.exe
2012-09-14 18:29 - 2012-09-14 18:29 - 00018599 ____A C:\ComboFix.txt
2012-09-14 18:09 - 2009-07-14 00:04 - 00000215 ____A C:\Windows\system.ini
2012-09-14 17:55 - 2012-09-11 18:37 - 00003578 ____A C:\Windows\PFRO.log
2012-09-14 16:27 - 2012-09-14 16:32 - 04752472 ____R (Swearware) C:\Users\Heather\Desktop\ComboFix.exe
2012-09-14 16:25 - 2012-09-14 16:32 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Heather\Desktop\tdsskiller.exe
2012-09-13 19:12 - 2012-09-13 19:12 - 00000476 ____A C:\Users\Heather\Desktop\defogger_disable.log
2012-09-13 19:12 - 2012-09-13 19:12 - 00000000 ____A C:\Users\Heather\defogger_reenable
2012-09-13 19:05 - 2012-09-13 19:05 - 00011452 ____A C:\Users\Heather\Documents\backup1 sims stories fandom ringtones gifs.ROXIO
2012-09-13 18:56 - 2012-09-13 19:14 - 00607260 ____R (Swearware) C:\Users\Heather\Desktop\dds.com
2012-09-13 18:55 - 2012-09-13 19:11 - 00050477 ____A C:\Users\Heather\Desktop\Defogger.exe
2012-09-11 18:35 - 2012-09-11 08:07 - 00000967 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2012-09-11 10:23 - 2012-09-11 10:23 - 00000000 ____A C:\Windows\setuperr.log
2012-09-11 10:13 - 2012-09-11 10:13 - 00000824 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-09-08 14:16 - 2012-09-08 14:16 - 00000000 ____A C:\Users\Heather\AppData\Roaming\TS3Patch.lck
2012-09-08 00:28 - 2012-08-21 18:17 - 00001456 ____A C:\Users\Heather\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-09-05 15:24 - 2012-09-05 15:23 - 00002948 ____A C:\Windows\SysWOW64\jupdate-1.6.0_35-b10.log
2012-08-31 00:43 - 2012-09-13 16:27 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-28 20:24 - 2012-05-19 19:48 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-08-28 20:24 - 2011-01-25 17:49 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-08-28 20:10 - 2012-09-05 15:24 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-08-28 20:10 - 2012-09-05 15:24 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-08-28 20:09 - 2012-09-05 15:24 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-08-26 17:03 - 2012-04-11 21:13 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-26 17:03 - 2011-05-21 19:41 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-26 14:15 - 2012-08-26 14:15 - 00000160 ___AH C:\Users\All Users\-7ymgkmprKUIUSzr
2012-08-26 14:15 - 2012-08-26 14:15 - 00000144 ___AH C:\Users\All Users\-7ymgkmprKUIUSz
2012-08-25 20:39 - 2012-08-25 20:39 - 00059781 ____A C:\Users\Heather\.recently-used.xbel
2012-08-16 18:03 - 2009-07-14 02:15 - 00335272 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-13 16:40 - 2012-08-13 16:40 - 00150880 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsdrivera.sys
2012-08-10 04:52 - 2012-08-10 04:52 - 00199520 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys
2012-08-10 04:52 - 2012-08-10 04:52 - 00105312 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgmfx64.sys
2012-08-10 04:52 - 2012-08-10 04:52 - 00040288 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgrkx64.sys
2012-08-09 13:56 - 2012-08-09 13:56 - 00230240 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgloga.sys
2012-08-09 13:56 - 2012-08-09 13:56 - 00175968 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx64.sys
2012-08-09 13:56 - 2012-08-09 13:56 - 00060768 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsha.sys
2012-08-02 15:25 - 2012-09-11 21:31 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-08-02 14:35 - 2012-09-11 21:31 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-07-18 15:01 - 2012-08-15 23:03 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-04 19:34 - 2012-08-15 23:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 19:31 - 2012-08-15 23:04 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 19:31 - 2012-08-15 23:04 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 18:56 - 2012-08-15 23:04 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 18:53 - 2012-08-15 23:04 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-06-29 02:25 - 2012-08-16 00:48 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-29 01:39 - 2012-08-16 00:48 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-29 01:26 - 2012-08-16 00:48 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-29 01:19 - 2012-08-16 00:48 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-29 01:19 - 2012-08-16 00:48 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-29 01:18 - 2012-08-16 00:48 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-29 01:17 - 2012-08-16 00:48 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-29 01:15 - 2012-08-16 00:48 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-29 01:14 - 2012-08-16 00:48 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-29 01:13 - 2012-08-16 00:48 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-29 01:12 - 2012-08-16 00:48 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-29 01:10 - 2012-08-16 00:48 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-29 01:09 - 2012-08-16 00:48 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-29 01:05 - 2012-08-16 00:48 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-28 22:22 - 2012-08-16 00:48 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-28 21:57 - 2012-08-16 00:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-28 21:46 - 2012-08-16 00:48 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-28 21:39 - 2012-08-16 00:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-28 21:39 - 2012-08-16 00:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-28 21:38 - 2012-08-16 00:48 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-28 21:37 - 2012-08-16 00:48 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-28 21:36 - 2012-08-16 00:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-28 21:34 - 2012-08-16 00:48 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-28 21:34 - 2012-08-16 00:48 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-28 21:31 - 2012-08-16 00:48 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-28 21:31 - 2012-08-16 00:48 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-28 21:30 - 2012-08-16 00:48 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-28 21:27 - 2012-08-16 00:48 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-21 21:52 - 2012-06-21 21:51 - 00004357 ____A C:\Windows\SysWOW64\jupdate-1.6.0_33-b03.log


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================

Restore point made on: 2012-09-11 08:04:43
Restore point made on: 2012-09-11 08:05:37
Restore point made on: 2012-09-11 10:25:24
Restore point made on: 2012-09-11 10:38:36
Restore point made on: 2012-09-11 10:40:16
Restore point made on: 2012-09-11 10:46:12
Restore point made on: 2012-09-11 21:28:55
Restore point made on: 2012-09-11 21:56:31
Restore point made on: 2012-09-13 16:26:54

==================== Memory info ===========================

Percentage of memory in use: 38%
Total physical RAM: 4060.83 MB
Available physical RAM: 2506.23 MB
Total Pagefile: 8119.81 MB
Available Pagefile: 6435.81 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:283.39 GB) (Free:168.93 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 39 MB
Partition 3 Primary 283 GB 14 GB
Partition 4 Primary 10 MB 298 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 283 GB Healthy System (partition with boot components)

=========================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

=========================================================

Last Boot: 2012-09-10 19:36

==================== End Of Log =============================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users