
Google redirect virus/ codec-c


  • This topic is locked
12 replies to this topic

#1 chris_83

chris_83

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 04 November 2012 - 06:51 PM

Hi there. My parents' laptop picked up something a few weeks ago which redirects all Google searches to arbitrary webpages, and despite best efforts with Malwarebytes, TDSSKiller etc. I have been unable to remove the offending virus/trojan from their computer. Although they have managed to work around the search problem, I am unable to get the Windows Security service to start and am worried that something more malicious may be stuck on the system. Hopefully somebody can help! As requested in the prep guide, please find the DDS log below; the attach/gmer logs are attached. Many thanks for your help in advance, Chris

DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_37
Run by Mike N at 21:40:58 on 2012-11-04
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3033.1781 [GMT 0:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe
C:\windows\SYSTEM32\Rezip.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\windows\system32\conhost.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\DllHost.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\windows\system32\Dwm.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\taskhost.exe
C:\windows\Explorer.EXE
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe
C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\Aware.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\Marker.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\windows\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\System32\svchost.exe -k yksvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k hpdevmgmt
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\System32\svchost.exe -k HPZ12
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://search.searchonme.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: CIEDownload Object: {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - c:\program files\smart technologies inc\notebook software\NotebookPlugin.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SMART Board Service] c:\program files\smart technologies inc\smart board software\SMARTBoardService.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\miken~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\f1u201~1.lnk - c:\program files\belkin\f1u201.401\usbshare.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\smartb~1.lnk - c:\program files\smart technologies inc\smart board software\SMARTBoardTools.exe
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{271EE860-A1F3-45C0-815D-B3B4015230C3} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{271EE860-A1F3-45C0-815D-B3B4015230C3}\244564F4E4 : DHCPNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{271EE860-A1F3-45C0-815D-B3B4015230C3}\244584572633D235750535 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{271EE860-A1F3-45C0-815D-B3B4015230C3}\35B4956323432373 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{271EE860-A1F3-45C0-815D-B3B4015230C3}\478656E657474737 : DHCPNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\mike n\appdata\roaming\mozilla\firefox\profiles\06a0w5ko.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.searchonme.com/?l=1&q=
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\mike n\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2012-10-25 11:31; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: !HIDDEN! 2010-05-23 08:24; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-5-19 36000]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2009-9-23 10752]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-5-19 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-5-19 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-5-19 83392]
R2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\samsung casual games\gameconsole\OberonGameConsoleService.exe [2010-2-18 44312]
R2 Rezip;Rezip;c:\windows\system32\Rezip.exe [2009-9-23 311296]
R2 yksvc;Marvell Yukon Service;c:\windows\system32\svchost.exe -k yksvcs [2009-7-13 20992]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-9-23 122880]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 rtl819xp;Realtek RTL8190/RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [2010-2-1 557088]
R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\drivers\SMARTVHidMini2000x86.sys [2007-3-8 8832]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-9-23 237696]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-18 135664]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-13 250808]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-16 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-18 135664]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-2 115168]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-2 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-27 1343400]
.
=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2012-10-25 20:21:11 -------- d-----w- c:\windows\pss
2012-10-25 17:35:31 -------- d-----w- c:\users\mike n\appdata\roaming\TeamViewer
2012-10-18 18:28:43 81920 ----a-w- c:\windows\system\bivbx11.dll
2012-10-18 18:28:43 79055 ----a-w- c:\windows\blob2z.exe
2012-10-18 18:28:43 79054 ----a-w- c:\windows\blob1z.exe
2012-10-12 18:32:04 98304 --sha-r- c:\windows\system32\WpdMtpr.dll
.
==================== Find3M ====================
.
2012-10-08 22:16:36 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-08 22:16:36 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-24 14:32:24 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 14:32:20 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-14 18:28:53 2048 ----a-w- c:\windows\system32\tzres.dll
2012-08-31 17:18:09 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-08-30 17:12:02 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-24 16:57:48 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16:54 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16:46 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16:46 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16:36 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 20:12:27 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-08-21 12:01:22 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 12:01:22 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-08-20 17:40:31 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-08-20 17:40:01 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-08-20 17:37:58 271360 ----a-w- c:\windows\system32\conhost.exe
2012-08-20 15:33:28 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-08-10 23:56:14 542208 ----a-w- c:\windows\system32\kerberos.dll
.
============= FINISH: 21:42:01.25 ===============
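Rather than reading a DDS report line by line, a responder can script the two checks that matter most for a search-redirect complaint: which hosts the browser start page and search settings actually point at, and which executables appeared directly in the Windows directory within the last 30 days. The Python below is an added example written for this page; it is not code from DDS, FRST, BleepingComputer or the poster. The sample lines are constructed in the shape of the log above, and the allowlist of expected search hosts is an assumption to adjust per machine. It flags entries for an analyst to review; it does not decide whether anything is malicious.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the DDS log above (a few lines, not the full log).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://search.searchonme.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.searchonme.com/?l=1&q=
2012-10-25 20:21:11 -------- d-----w- c:\windows\pss
2012-10-18 18:28:43 81920 ----a-w- c:\windows\system\bivbx11.dll
2012-10-18 18:28:43 79055 ----a-w- c:\windows\blob2z.exe
2012-10-18 18:28:43 79054 ----a-w- c:\windows\blob1z.exe
2012-10-12 18:32:04 98304 --sha-r- c:\windows\system32\WpdMtpr.dll
"""

# Assumption: the hosts this machine's owner expects search traffic to go to.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.google.co.uk"}

# Extensions worth a second look when they land directly under the Windows root.
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")

# DDS "Pseudo HJT Report" IE settings: u/m prefix (user/machine), key, '=', value.
IE_SETTING = re.compile(
    r"^[um](Start Page|Search Bar|Search Page|Default_Page_URL|Default_Search_URL"
    r"|SearchAssistant|SearchURL,\(Default\))\s*=\s*(\S+)"
)
# DDS Firefox prefs.js lines: "FF - prefs.js: <pref> - <value>".
FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (\S+)")
# DDS "Created Last 30" lines: timestamp, size (or dashes), attribute flags, path.
CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S+)\s+(.+)$")


def refang(url):
    """DDS defangs http as hxxp; restore it so urlparse sees a real scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def host_of(value):
    """Hostname of a URL-looking setting value, or '' for non-URL values."""
    return urlparse(refang(value)).hostname or ""


def browser_settings(text):
    """All (setting, value) pairs for IE start/search and Firefox prefs lines."""
    found = []
    for line in text.splitlines():
        m = IE_SETTING.match(line) or FF_PREF.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def unexpected_search_hosts(text, expected=EXPECTED_SEARCH_HOSTS):
    """Hosts referenced by browser settings that are not on the allowlist."""
    hosts = {host_of(v) for _, v in browser_settings(text)}
    return sorted(h for h in hosts if h and h not in expected)


def executables_in_windows_root(text):
    """(timestamp, path) for executables created directly in c:\\windows, not a subfolder."""
    prefix = "c:\\windows\\"
    hits = []
    for line in text.splitlines():
        m = CREATED.match(line)
        if not m:
            continue
        stamp, _size, attrs, path = m.groups()
        if attrs.startswith("d"):
            continue  # directory entry, not a file
        low = path.lower()
        in_root = low.startswith(prefix) and "\\" not in low[len(prefix):]
        if in_root and low.endswith(EXEC_EXT):
            hits.append((stamp, path))
    return hits


if __name__ == "__main__":
    for host in unexpected_search_hosts(SAMPLE_LOG):
        print("review: browser setting points at", host)
    for stamp, path in executables_in_windows_root(SAMPLE_LOG):
        print("review: executable created in Windows root", stamp, path)
```

Run against the complete DDS text, the first check surfaces any non-allowlisted host in `mStart Page` or `keyword.URL`, which is exactly the kind of setting a search hijack edits; the second narrows the 30-day file list to the handful of entries an analyst should pull for hashing and vendor lookup.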



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:15 PM

Posted 04 November 2012 - 07:34 PM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive. (Choose the correct version depending on which architecture operating system you are using, 32-bit (x86) or 64-bit (x64).)

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply (FRST.txt and Search.txt)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 chris_83

chris_83
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 05 November 2012 - 03:23 PM

thanks for the prompt response!

logs as requested:

FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2012 (ATTENTION: FRST version is 6 days old)
Ran by SYSTEM at 05-11-2012 20:10:42
Running from H:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7711264 2009-08-18] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [x]
HKLM\...\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [222504 2009-05-19] (CyberLink Corp.)
HKLM\...\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [103720 2009-06-03] (CyberLink)
HKLM\...\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM\...\Run: [UpdatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0" [222504 2008-01-03] (CyberLink Corp.)
HKLM\...\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [91432 2009-04-15] (CyberLink Corp.)
HKLM\...\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [50472 2009-04-15] (CyberLink Corp.)
HKLM\...\Run: [UpdatePPShortCut] "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0" [218408 2008-12-03] (CyberLink Corp.)
HKLM\...\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2009-07-20] (CyberLink Corp.)
HKLM\...\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0" [218408 2009-02-25] (CyberLink Corp.)
HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM\...\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [963976 2010-12-20] (Malwarebytes Corporation)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [1584640 2009-12-07] (Alcatel-Lucent)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM\...\Run: [SMART Board Service] C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe [1099280 2007-05-03] (SMART Technologies Inc.)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM\...\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-08-11] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
HKU\Mike N\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-09-22] (Google Inc.)
HKU\Mike N\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [x]
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\F1U201.401.lnk
ShortcutTarget: F1U201.401.lnk -> C:\Program Files\Belkin\F1U201.401\usbshare.exe ()
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\SMART Board Tools.lnk
ShortcutTarget: SMART Board Tools.lnk -> C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe (SMART Technologies Inc.)
Startup: C:\Users\Mike N\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ===================

2 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-03-27] (LSI Corporation)
2 AntiVirSchedulerService; "C:\Program Files\Avira\AntiVir Desktop\sched.exe" [86224 2012-05-01] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [110032 2012-05-01] (Avira Operations GmbH & Co. KG)
3 MSSQL$MSSMLBIZ; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29293408 2010-12-10] (Microsoft Corporation)
2 OberonGameConsoleService; "C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe" [44312 2009-08-13] ()
2 Rezip; C:\windows\SYSTEM32\Rezip.exe [311296 2009-03-05] ()
2 RichVideo; "C:\Program Files\CyberLink\Shared files\RichVideo.exe" [247152 2009-07-07] ()
2 yksvc; C:\Windows\System32\yk62x86.dll [364544 2009-09-28] (Marvell)

==================== Drivers (Whitelisted) ====================

2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [83392 2012-04-24] (Avira GmbH)
1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [137928 2012-04-27] (Avira GmbH)
1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [36000 2012-04-16] (Avira GmbH)
3 rtl819xp; C:\Windows\System32\DRIVERS\rtl819xp.sys [557088 2010-02-01] (Realtek Semiconductor Corporation )
3 SMARTVHidMini2000x86; C:\Windows\System32\DRIVERS\SMARTVHidMini2000x86.sys [8832 2007-03-08] (SMART Technologies Inc.)
1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)
3 VMC326; C:\Windows\System32\Drivers\VMC326.sys [237696 2009-08-10] (Vimicro Corporation)
3 yukonw7; C:\Windows\System32\DRIVERS\yk62x86.sys [315392 2009-09-28] ()
3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [x]
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-11-05 20:10 - 2012-11-05 20:10 - 00000000 ____D C:\FRST
2012-11-04 14:39 - 2012-11-04 14:39 - 00035310 ____A C:\Users\Mike N\Desktop\ark.txt
2012-11-04 13:47 - 2012-11-04 13:47 - 00302592 ____A C:\Users\Mike N\Downloads\hr6z42vu.exe
2012-11-04 13:42 - 2012-11-04 13:45 - 00009172 ____A C:\Users\Mike N\Desktop\attach.txt
2012-11-04 13:42 - 2012-11-04 13:42 - 00022188 ____A C:\Users\Mike N\Desktop\dds.txt
2012-11-04 13:39 - 2012-11-04 13:40 - 00687724 ____R (Swearware) C:\Users\Mike N\Downloads\dds.com
2012-11-04 02:25 - 2012-11-04 02:25 - 00000505 ____A C:\Users\Mike N\Desktop\Devices and Printers - Shortcut.lnk
2012-10-31 12:18 - 2012-10-31 12:41 - 00032026 ____A C:\Users\Mike N\Documents\intervention group grid.xlsx
2012-10-29 09:29 - 2012-10-29 09:29 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-10-25 12:55 - 2012-10-25 12:55 - 00002748 ____A C:\AdwCleaner[S2].txt
2012-10-25 12:43 - 2012-10-25 12:43 - 00002853 ____A C:\AdwCleaner[R1].txt
2012-10-25 12:43 - 2012-10-25 12:42 - 00538941 ____A C:\Users\Mike N\Desktop\adwcleaner.exe
2012-10-25 12:31 - 2012-10-25 12:30 - 00302592 ____A C:\Users\Mike N\Desktop\qde56efn.exe
2012-10-25 12:21 - 2012-10-25 12:21 - 00000000 ____D C:\Windows\pss
2012-10-25 12:07 - 2012-10-25 10:10 - 02213464 ____A (Kaspersky Lab ZAO) C:\Users\Mike N\Desktop\tdk.com.exe
2012-10-25 11:18 - 2012-11-04 15:31 - 00001058 ____A C:\Users\Mike N\Desktop\Rkill.txt
2012-10-25 11:17 - 2012-10-25 11:16 - 01678240 ____A (Bleeping Computer, LLC) C:\Users\Mike N\Desktop\rkill.exe
2012-10-25 09:35 - 2012-10-25 09:35 - 03164248 ____A (TeamViewer) C:\Users\Mike N\Downloads\TeamViewerQS_en(1).exe
2012-10-25 09:35 - 2012-10-25 09:35 - 00000000 ____D C:\Users\Mike N\AppData\Roaming\TeamViewer
2012-10-25 09:34 - 2012-10-25 09:34 - 03164248 ____A (TeamViewer) C:\Users\Mike N\Desktop\TeamViewerQS_en.exe
2012-10-25 08:23 - 2012-10-26 11:02 - 00000000 ____D C:\Users\Mike N\Documents\Williams & Cox family tree
2012-10-25 02:31 - 2012-10-25 02:31 - 00003007 ____A C:\Windows\System32\jupdate-1.6.0_37-b06.log
2012-10-25 02:31 - 2012-10-25 02:31 - 00000000 ____D C:\Program Files\Common Files\Java
2012-10-25 02:31 - 2012-09-24 06:23 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-10-25 02:31 - 2012-09-24 06:23 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-10-25 02:31 - 2012-09-24 06:23 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-10-18 10:28 - 2012-10-18 10:28 - 00000000 _RASH C:\MSDOS.SYS
2012-10-18 10:28 - 2012-10-18 10:28 - 00000000 _RASH C:\IO.SYS
2012-10-18 10:28 - 1997-12-19 01:10 - 00079055 ____A C:\Windows\blob2z.exe
2012-10-18 10:28 - 1997-12-19 01:10 - 00079054 ____A C:\Windows\blob1z.exe
2012-10-12 10:32 - 2012-11-05 11:35 - 00000316 ____A C:\Windows\Tasks\AQEDABM.job
2012-10-12 10:32 - 2012-10-12 10:32 - 00098304 _RASH C:\Windows\System32\WpdMtpr.dll
2012-10-11 00:58 - 2012-09-14 10:28 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-10-11 00:58 - 2012-08-31 09:18 - 01211760 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2012-10-11 00:58 - 2012-08-30 09:12 - 03968880 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-10-11 00:58 - 2012-08-30 09:12 - 03914096 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-10-11 00:58 - 2012-08-24 08:57 - 00172544 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-10-11 00:58 - 2012-08-20 09:40 - 00868352 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-10-11 00:58 - 2012-08-20 09:40 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-10-11 00:58 - 2012-08-20 09:40 - 00169984 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-10-11 00:58 - 2012-08-20 09:37 - 00271360 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-10-11 00:58 - 2012-08-20 09:32 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 07:33 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 07:33 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 07:33 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-10-11 00:58 - 2012-08-20 07:33 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-10-11 00:58 - 2012-08-10 15:56 - 00542208 ____A (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2012-10-11 00:58 - 2012-06-01 20:36 - 01159680 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-10-11 00:58 - 2012-06-01 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-10-11 00:58 - 2012-06-01 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

==================== 3 Months Modified Files ==================

2012-11-05 12:06 - 2009-09-22 20:27 - 01699401 ____A C:\Windows\WindowsUpdate.log
2012-11-05 11:54 - 2012-04-13 14:02 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-05 11:44 - 2009-07-26 12:06 - 00792128 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-05 11:44 - 2009-07-13 20:34 - 00014736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-05 11:44 - 2009-07-13 20:34 - 00014736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-05 11:42 - 2010-02-18 13:02 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-05 11:35 - 2012-10-12 10:32 - 00000316 ____A C:\Windows\Tasks\AQEDABM.job
2012-11-05 11:35 - 2010-02-18 13:02 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-05 11:35 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-05 11:35 - 2009-07-13 20:39 - 00148926 ____A C:\Windows\setupact.log
2012-11-04 15:31 - 2012-10-25 11:18 - 00001058 ____A C:\Users\Mike N\Desktop\Rkill.txt
2012-11-04 14:39 - 2012-11-04 14:39 - 00035310 ____A C:\Users\Mike N\Desktop\ark.txt
2012-11-04 13:47 - 2012-11-04 13:47 - 00302592 ____A C:\Users\Mike N\Downloads\hr6z42vu.exe
2012-11-04 13:45 - 2012-11-04 13:42 - 00009172 ____A C:\Users\Mike N\Desktop\attach.txt
2012-11-04 13:42 - 2012-11-04 13:42 - 00022188 ____A C:\Users\Mike N\Desktop\dds.txt
2012-11-04 13:40 - 2012-11-04 13:39 - 00687724 ____R (Swearware) C:\Users\Mike N\Downloads\dds.com
2012-11-04 02:25 - 2012-11-04 02:25 - 00000505 ____A C:\Users\Mike N\Desktop\Devices and Printers - Shortcut.lnk
2012-10-31 12:41 - 2012-10-31 12:18 - 00032026 ____A C:\Users\Mike N\Documents\intervention group grid.xlsx
2012-10-25 12:55 - 2012-10-25 12:55 - 00002748 ____A C:\AdwCleaner[S2].txt
2012-10-25 12:43 - 2012-10-25 12:43 - 00002853 ____A C:\AdwCleaner[R1].txt
2012-10-25 12:42 - 2012-10-25 12:43 - 00538941 ____A C:\Users\Mike N\Desktop\adwcleaner.exe
2012-10-25 12:30 - 2012-10-25 12:31 - 00302592 ____A C:\Users\Mike N\Desktop\qde56efn.exe
2012-10-25 11:16 - 2012-10-25 11:17 - 01678240 ____A (Bleeping Computer, LLC) C:\Users\Mike N\Desktop\rkill.exe
2012-10-25 10:10 - 2012-10-25 12:07 - 02213464 ____A (Kaspersky Lab ZAO) C:\Users\Mike N\Desktop\tdk.com.exe
2012-10-25 09:35 - 2012-10-25 09:35 - 03164248 ____A (TeamViewer) C:\Users\Mike N\Downloads\TeamViewerQS_en(1).exe
2012-10-25 09:34 - 2012-10-25 09:34 - 03164248 ____A (TeamViewer) C:\Users\Mike N\Desktop\TeamViewerQS_en.exe
2012-10-25 02:31 - 2012-10-25 02:31 - 00003007 ____A C:\Windows\System32\jupdate-1.6.0_37-b06.log
2012-10-18 10:28 - 2012-10-18 10:28 - 00000000 _RASH C:\MSDOS.SYS
2012-10-18 10:28 - 2012-10-18 10:28 - 00000000 _RASH C:\IO.SYS
2012-10-13 09:20 - 2009-09-22 21:02 - 00672836 ____A C:\Windows\PFRO.log
2012-10-12 10:32 - 2012-10-12 10:32 - 00098304 _RASH C:\Windows\System32\WpdMtpr.dll
2012-10-12 03:45 - 2010-03-10 14:35 - 00002320 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-10-11 03:15 - 2010-03-19 10:25 - 62968832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-10-08 14:16 - 2012-04-13 14:02 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-10-08 14:16 - 2011-05-26 03:49 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-09-24 06:32 - 2012-06-23 11:14 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-09-24 06:32 - 2010-05-23 10:13 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-09-24 06:23 - 2012-10-25 02:31 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-09-24 06:23 - 2012-10-25 02:31 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-09-24 06:23 - 2012-10-25 02:31 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-09-14 10:28 - 2012-10-11 00:58 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-09-13 09:01 - 2009-07-13 20:53 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-13 08:34 - 2012-09-13 08:34 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-08-31 09:18 - 2012-10-11 00:58 - 01211760 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2012-08-30 09:12 - 2012-10-11 00:58 - 03968880 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-08-30 09:12 - 2012-10-11 00:58 - 03914096 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-08-24 08:57 - 2012-10-11 00:58 - 00172544 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-08-23 23:27 - 2012-09-21 12:57 - 12319744 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-23 23:03 - 2012-09-21 12:57 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-23 22:59 - 2012-09-21 12:58 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-23 22:51 - 2012-09-21 12:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-23 22:51 - 2012-09-21 12:58 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-23 22:51 - 2012-09-21 12:58 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-23 22:49 - 2012-09-21 12:58 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-23 22:48 - 2012-09-21 12:58 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-23 22:47 - 2012-09-21 12:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-23 22:47 - 2012-09-21 12:58 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-23 22:47 - 2012-09-21 12:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-23 22:45 - 2012-09-21 12:58 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-23 22:44 - 2012-09-21 12:58 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-23 22:44 - 2012-09-21 12:58 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-23 22:43 - 2012-09-21 12:58 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-23 22:40 - 2012-09-21 12:58 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-22 09:16 - 2012-09-12 07:41 - 01292144 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 09:16 - 2012-09-12 07:41 - 00712048 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-08-22 09:16 - 2012-09-12 07:41 - 00240496 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 09:16 - 2012-09-12 07:41 - 00187760 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-21 12:12 - 2012-09-26 03:18 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2012-08-21 04:01 - 2012-09-13 08:34 - 00026840 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-08-21 04:01 - 2011-12-24 18:27 - 00106928 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi.dll
2012-08-20 09:40 - 2012-10-11 00:58 - 00868352 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-08-20 09:40 - 2012-10-11 00:58 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-08-20 09:40 - 2012-10-11 00:58 - 00169984 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-08-20 09:37 - 2012-10-11 00:58 - 00271360 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-08-20 09:32 - 2012-10-11 00:58 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-08-20 09:32 - 2012-10-11 00:58 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-08-20 07:33 - 2012-10-11 00:58 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 07:33 - 2012-10-11 00:58 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 07:33 - 2012-10-11 00:58 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 07:33 - 2012-10-11 00:58 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-08-20 03:01 - 2009-07-13 20:33 - 00454304 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-10 15:56 - 2012-10-11 00:58 - 00542208 ____A (Microsoft Corporation) C:\Windows\System32\kerberos.dll


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 3032.61 MB
Available physical RAM: 2564.98 MB
Total Pagefile: 3028.82 MB
Available Pagefile: 2572.09 MB
Total Virtual: 2047.88 MB
Available Virtual: 1960.7 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:141.49 GB) (Free:97.4 GB) NTFS
2 Drive e: () (Fixed) (Total:141.5 GB) (Free:133.69 GB) NTFS
3 Drive f: (RECOVERY) (Fixed) (Total:15 GB) (Free:4.17 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive h: (CHRIS N) (Removable) (Total:0.48 GB) (Free:0.36 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 495 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 15 GB 1024 KB
Partition 2 Primary 100 MB 15 GB
Partition 3 Primary 141 GB 15 GB
Partition 4 Primary 141 GB 156 GB

=========================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F RECOVERY NTFS Partition 15 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 141 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E NTFS Partition 141 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 495 MB 16 KB

=========================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H CHRIS N FAT Removable 495 MB Healthy

=========================================================

Last Boot: 2012-10-26 07:58

==================== End Of Log ============================

===================================================================================================

Search


Farbar Recovery Scan Tool (x86) Version: 30-10-2012
Ran by SYSTEM at 2012-11-05 20:12:27
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 05 November 2012 - 08:23 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt


start
2012-10-18 10:28 - 1997-12-19 01:10 - 00079055 ____A C:\Windows\blob2z.exe
2012-10-18 10:28 - 1997-12-19 01:10 - 00079054 ____A C:\Windows\blob1z.exe
2012-10-12 10:32 - 2012-11-05 11:35 - 00000316 ____A C:\Windows\Tasks\AQEDABM.job
2012-10-12 10:32 - 2012-10-12 10:32 - 00098304 _RASH C:\Windows\System32\WpdMtpr.dll
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt
Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.



NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
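The four fixlist entries above were picked out of several hundred FRST lines by hand. As an added illustration (not part of this thread, not FRST's or CatByte's logic), here is a small Python triage script that parses FRST "Created Files and Folders" lines and applies defender-side heuristics of the kind a responder uses when reading such a log: an unattributed executable dropped straight into C:\Windows, a modification time decades older than the creation time, a hidden+system DLL in System32 with no publisher, and a scheduled task with an opaque all-caps name. It then pulls in any other file created in the same minute as a flagged one, since droppers tend to write their pieces together. The heuristics and thresholds are assumptions chosen for this example; the sample lines are copied from the FRST log posted earlier in this thread.

```python
"""Triage FRST "Created Files" lines with illustrative defender heuristics (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# FRST file line: "<created> - <modified> - <size> <attrs> [(<vendor>)] <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) ([_A-Z]{5}) (?:\((.*?)\) )?(.+)$"
)
DATE_FMT = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str             # five-char flag field, e.g. "____A", "_RASH", "___AH", "____D"
    vendor: Optional[str]  # publisher in parentheses, None when FRST printed none
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST file line; return None for headers, blanks and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, vendor, path = m.groups()
    return Entry(datetime.strptime(created, DATE_FMT),
                 datetime.strptime(modified, DATE_FMT), int(size), attrs, vendor, path)


def direct_indicators(e: Entry) -> list:
    """Return the reasons an entry deserves a closer look (empty list = nothing seen)."""
    if "D" in e.attrs:                       # directories are not scored here
        return []
    reasons = []
    lower = e.path.lower()
    name = e.path.rsplit("\\", 1)[-1]        # original case kept for the naming check
    stem, _, ext = name.rpartition(".")
    ext = ext.lower()
    in_windows_root = lower.startswith("c:\\windows\\") and lower.count("\\") == 2
    in_system32 = lower.startswith("c:\\windows\\system32\\")

    # 1. Executable dropped straight into %WINDIR% with no publisher string
    if in_windows_root and ext == "exe" and e.vendor is None:
        reasons.append("executable with no publisher dropped directly in C:\\Windows")
    # 2. Modification time more than a decade before creation. Copies keep their mtime,
    #    so this is normal for installers, but a 1990s binary on Windows 7 is an outlier.
    if ext in ("exe", "dll", "sys") and (e.created - e.modified).days > 10 * 365:
        reasons.append("modification time predates creation by more than a decade")
    # 3. Hidden+system DLL in System32 without a publisher: genuine Windows DLLs there
    #    carry a Microsoft attribution and are not normally hidden+system.
    if in_system32 and ext == "dll" and e.vendor is None and "S" in e.attrs and "H" in e.attrs:
        reasons.append("hidden+system DLL in System32 with no publisher")
    # 4. Scheduled task named with an opaque all-caps token instead of a product name
    if lower.startswith("c:\\windows\\tasks\\") and ext == "job" and re.fullmatch(r"[A-Z]{5,12}", stem):
        reasons.append("scheduled task with an opaque all-caps name")
    return reasons


def triage(lines):
    """Score every line, then pull in files created in the same minute as a flagged one."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    flagged = {}
    for e in entries:
        reasons = direct_indicators(e)
        if reasons:
            flagged[e.path] = reasons
    hot_minutes = {e.created for e in entries if e.path in flagged}
    related = {
        e.path: "created " + e.created.strftime(DATE_FMT) + ", same minute as a flagged item"
        for e in entries
        if e.path not in flagged and e.created in hot_minutes and "D" not in e.attrs
    }
    return flagged, related


# Sample input: lines copied from the FRST log posted in this thread.
SAMPLE_LINES = [
    r"2012-11-05 20:10 - 2012-11-05 20:10 - 00000000 ____D C:\FRST",
    r"2012-10-25 11:17 - 2012-10-25 11:16 - 01678240 ____A (Bleeping Computer, LLC) C:\Users\Mike N\Desktop\rkill.exe",
    r"2012-10-18 10:28 - 2012-10-18 10:28 - 00000000 _RASH C:\MSDOS.SYS",
    r"2012-10-18 10:28 - 2012-10-18 10:28 - 00000000 _RASH C:\IO.SYS",
    r"2012-10-18 10:28 - 1997-12-19 01:10 - 00079055 ____A C:\Windows\blob2z.exe",
    r"2012-10-18 10:28 - 1997-12-19 01:10 - 00079054 ____A C:\Windows\blob1z.exe",
    r"2012-10-12 10:32 - 2012-11-05 11:35 - 00000316 ____A C:\Windows\Tasks\AQEDABM.job",
    r"2012-10-12 10:32 - 2012-10-12 10:32 - 00098304 _RASH C:\Windows\System32\WpdMtpr.dll",
    r"2012-10-11 00:58 - 2012-09-14 10:28 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll",
    r"2012-10-11 00:58 - 2012-08-20 09:32 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll",
]

if __name__ == "__main__":
    flagged, related = triage(SAMPLE_LINES)
    for path, reasons in flagged.items():
        print("FLAG   ", path, "->", "; ".join(reasons))
    for path, why in related.items():
        print("RELATED", path, "->", why)
```

On the sample, the four files CatByte moved come out as FLAG, and MSDOS.SYS and IO.SYS come out as RELATED because they were created in the same minute as the two blob executables. The RELATED tier is there for review only: same-minute creation says the files arrived together, not that they are malicious, and a responder confirms before adding anything to a fixlist.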


#5 chris_83

chris_83
  • Topic Starter

  • Members
  • 6 posts

Posted 06 November 2012 - 11:13 AM

As requested:

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-10-2012
Ran by SYSTEM at 2012-11-06 15:31:33 Run:1
Running from H:\

==============================================

C:\Windows\blob2z.exe moved successfully.
C:\Windows\blob1z.exe moved successfully.
C:\Windows\Tasks\AQEDABM.job moved successfully.
C:\Windows\System32\WpdMtpr.dll moved successfully.

==== End of Fixlog ====

ComboFix Log

ComboFix 12-11-05.03 - Mike N 06/11/2012 15:48:25.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3033.1997 [GMT 0:00]
Running from: c:\users\Mike N\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1049.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc11A3.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc126B.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc150B.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc17C5.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1A78.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1F17.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc21E8.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2370.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc23B8.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2493.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2617.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2A0D.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2AF.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2B1.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2CBB.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2D57.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2EA1.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc31BC.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc34C8.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3534.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3786.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3D7.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3EF4.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3F81.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc40D7.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc41.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc41C3.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc43B6.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4481.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc456.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc47EB.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc48D4.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4A1C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4A4C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4EBC.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5237.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc53FC.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc54A7.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc56B8.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc591A.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc59B4.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc59C6.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5ACD.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5B2D.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5E08.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5ED2.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc601C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc60A8.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc60D5.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc629C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc62BC.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6401.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc649C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6682.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc66D9.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6844.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc698E.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc69DC.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6A47.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6BC0.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6C6.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6E63.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc70AF.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc717A.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7226.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc731E.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc733C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc739C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc73D8.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc74D2.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7754.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc78C8.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc799D.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7A40.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7B19.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7BF6.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7C0.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7C24.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7C25.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7C72.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7C73.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7DD9.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7E78.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7ED0.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8181.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc81DE.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8267.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc82CB.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8315.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc833E.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8382.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8452.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc845C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8577.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc85F4.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc86DC.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8758.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8825.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc894E.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8D22.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8D70.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8D92.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8E0E.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8E4D.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8FB8.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc90CC.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9157.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9188.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9494.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc959D.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc961A.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc96B6.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc96E4.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc97DE.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc988A.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9897.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9914.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9B1F.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9B84.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9BD7.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9CED.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9D5A.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9E34.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9E52.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9F1C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9F80.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9FA9.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9FEB.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA278.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA332.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA3FE.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA630.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA6DA.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA6FB.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA7F4.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA8E0.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA9C9.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAAD2.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAD40.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAE4A.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAE97.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAF26.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAF33.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAF83.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAF92.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB02C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB51C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB7CB.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB859.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB937.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB9FE.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBB25.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBBA3.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBBEF.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBCA0.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBCAB.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBCCC.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBD97.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBE04.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBEAD.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBF88.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBFB7.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC11D.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC1AC.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC246.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC26F.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC33F.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC3C0.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC50A.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC525.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC52A.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC533.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC6FD.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC9E.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCA63.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCA9F.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCBEE.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCC29.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCC46.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCC54.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCE87.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCEE1.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCF23.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD08A.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD21E.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD22D.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD2A.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD4D0.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD4DE.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD54B.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD633.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD78C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD9FC.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDBFF.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE035.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE044.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE3EC.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE62C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE658.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEA01.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF0D6.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF22B.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF327.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF5C.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF683.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF9BA.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFBEB.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFCA7.tmp
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFF74.tmp
c:\users\Mike N\AppData\Roaming\.#
c:\users\Mike N\AppData\Roaming\completescan
c:\users\Mike N\AppData\Roaming\install
c:\users\Mike N\Documents\~WRL1364.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-10-06 to 2012-11-06 )))))))))))))))))))))))))))))))
.
.
2012-11-06 15:58 . 2012-11-06 15:58 -------- d-----w- c:\users\Mike N\AppData\Local\temp
2012-11-06 15:58 . 2012-11-06 15:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-06 04:10 . 2012-11-06 04:10 -------- d-----w- C:\FRST
2012-10-25 17:35 . 2012-10-25 17:35 -------- d-----w- c:\users\Mike N\AppData\Roaming\TeamViewer
2012-10-25 10:31 . 2012-10-25 10:31 -------- d-----w- c:\program files\Common Files\Java
2012-10-18 18:28 . 1997-09-26 12:56 81920 ----a-w- c:\windows\system\bivbx11.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-08 22:16 . 2012-04-13 22:02 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-08 22:16 . 2011-05-26 11:49 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-24 14:32 . 2012-06-23 19:14 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 14:32 . 2010-05-23 18:13 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-24 06:59 . 2012-09-21 20:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-21 20:58 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-21 20:58 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-21 20:58 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-21 20:58 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-21 20:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16 . 2012-09-12 15:41 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16 . 2012-09-12 15:41 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16 . 2012-09-12 15:41 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16 . 2012-09-12 15:41 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 20:12 . 2012-09-26 11:18 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-08-21 12:01 . 2012-09-13 16:34 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 12:01 . 2011-12-25 02:27 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-10-29 17:29 . 2012-10-29 17:29 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-23 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-19 7711264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-09 1578280]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-03 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-15 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-15 50472]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-07-21 210216]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 172568]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-27 59280]
"SMART Board Service"="c:\program files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe" [2007-05-03 1099280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-11 348664]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-09 421776]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
c:\users\Mike N\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2010-4-4 135168]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
SMART Board Tools.lnk - c:\program files\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe [2007-5-3 4048400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-12-07 18:22 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [x]
S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe [x]
S2 Rezip;Rezip;c:\windows\SYSTEM32\Rezip.exe [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 rtl819xp;Realtek RTL8190/RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\DRIVERS\rtl819xp.sys [x]
S3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
S3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\Drivers\VMC326.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
yksvcs REG_MULTI_SZ yksvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 22:16]
.
2012-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
.
2012-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://search.searchonme.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Mike N\AppData\Roaming\Mozilla\Firefox\Profiles\06a0w5ko.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.searchonme.com/?l=1&q=
FF - ExtSQL: 2012-10-25 11:31; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: !HIDDEN! 2010-05-23 08:24; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-MobileDocuments - c:\program files\Common Files\Apple\Internet Services\ubd.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3323010118-170626019-2861679131-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3323010118-170626019-2861679131-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-06 16:05:33
ComboFix-quarantined-files.txt 2012-11-06 16:05
.
Pre-Run: 104,272,953,344 bytes free
Post-Run: 105,183,600,640 bytes free
.
- - End Of File - - 8A0F96F3D4F57AAC705E519268348743

#6 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 November 2012 - 11:17 AM

Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 chris_83

  • Topic Starter

  • Members
  • 6 posts

Posted 06 November 2012 - 06:31 PM

Thanks, logs below:

Adwcleaner

# AdwCleaner v2.006 - Logfile created 11/06/2012 at 16:47:40
# Updated 30/10/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Mike N - MIKES-LAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Mike N\Desktop\adwcleaner(1).exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default
File : C:\Users\Mike N\AppData\Roaming\Mozilla\Firefox\Profiles\06a0w5ko.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Mike N\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2853 octets] - [25/10/2012 20:43:48]
AdwCleaner[S2].txt - [2748 octets] - [25/10/2012 20:55:36]
AdwCleaner[S3].txt - [1027 octets] - [06/11/2012 16:47:40]

########## EOF - C:\AdwCleaner[S3].txt - [1087 octets] ##########

Malwarebytes (didn't appear to find anything)

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 912110608

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

06/11/2012 17:00:08
mbam-log-2012-11-06 (17-00-08).txt

Scan type: Quick scan
Objects scanned: 221383
Time elapsed: 9 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Eset (ran from firefox and took a while to complete)

C:\Users\Mike N\AppData\Local\Mozilla\Firefox\Profiles\06a0w5ko.default\Cache\4\80\D79D3d01 HTML/ScrInject.B.Gen virus
C:\Users\Mike N\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\120c570a-4487fa1b multiple threats

#8 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 November 2012 - 06:37 PM

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\Mike N\AppData\Local\Mozilla\Firefox\Profiles\06a0w5ko.default\Cache\4\80\D79D3d01 
C:\Users\Mike N\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\120c570a-4487fa1b 

ClearjavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

(screenshot not reproduced)

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT


please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 chris_83 (Topic Starter)


Posted 06 November 2012 - 07:24 PM

Many thanks CatByte, everything appears to be clean and back to normal! Is there anything else I need to do?

ComboFix Log below

ComboFix 12-11-06.03 - Mike N 06/11/2012 23:54:34.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3033.1634 [GMT 0:00]
Running from: c:\users\Mike N\Desktop\ComboFix.exe
Command switches used :: c:\users\Mike N\Desktop\CFscript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\users\Mike N\AppData\Local\Mozilla\Firefox\Profiles\06a0w5ko.default\Cache\4\80\D79D3d01"
"c:\users\Mike N\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\120c570a-4487fa1b"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Mike N\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB38C.tmp
c:\users\Mike N\AppData\Local\Mozilla\Firefox\Profiles\06a0w5ko.default\Cache\4\80\D79D3d01
.
.
((((((((((((((((((((((((( Files Created from 2012-10-07 to 2012-11-07 )))))))))))))))))))))))))))))))
.
.
2012-11-07 00:03 . 2012-11-07 00:03 -------- d-----w- c:\users\Mike N\AppData\Local\temp
2012-11-07 00:03 . 2012-11-07 00:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-06 17:03 . 2012-11-06 17:03 -------- d-----w- c:\program files\ESET
2012-11-06 04:10 . 2012-11-06 04:10 -------- d-----w- C:\FRST
2012-10-25 17:35 . 2012-10-25 17:35 -------- d-----w- c:\users\Mike N\AppData\Roaming\TeamViewer
2012-10-25 10:31 . 2012-10-25 10:31 -------- d-----w- c:\program files\Common Files\Java
2012-10-18 18:28 . 1997-09-26 12:56 81920 ----a-w- c:\windows\system\bivbx11.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-08 22:16 . 2012-04-13 22:02 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-08 22:16 . 2011-05-26 11:49 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-24 14:32 . 2012-06-23 19:14 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 14:32 . 2010-05-23 18:13 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-24 06:59 . 2012-09-21 20:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-21 20:58 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-21 20:58 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-21 20:58 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-21 20:58 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-21 20:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16 . 2012-09-12 15:41 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16 . 2012-09-12 15:41 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16 . 2012-09-12 15:41 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16 . 2012-09-12 15:41 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 20:12 . 2012-09-26 11:18 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-08-21 12:01 . 2012-09-13 16:34 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 12:01 . 2011-12-25 02:27 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-10-29 17:29 . 2012-10-29 17:29 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-23 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-19 7711264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-09 1578280]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-03 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-15 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-15 50472]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-07-21 210216]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 172568]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-27 59280]
"SMART Board Service"="c:\program files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe" [2007-05-03 1099280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-11 348664]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-09 421776]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
c:\users\Mike N\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2010-4-4 135168]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
SMART Board Tools.lnk - c:\program files\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe [2007-5-3 4048400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-12-07 18:22 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [x]
S2 Rezip;Rezip;c:\windows\SYSTEM32\Rezip.exe [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 rtl819xp;Realtek RTL8190/RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\DRIVERS\rtl819xp.sys [x]
S3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
S3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\Drivers\VMC326.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
yksvcs REG_MULTI_SZ yksvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 22:16]
.
2012-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
.
2012-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://search.searchonme.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Mike N\AppData\Roaming\Mozilla\Firefox\Profiles\06a0w5ko.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.searchonme.com/?l=1&q=
FF - ExtSQL: 2012-10-25 11:31; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: !HIDDEN! 2010-05-23 08:24; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3323010118-170626019-2861679131-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3323010118-170626019-2861679131-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-07 00:10:55
ComboFix-quarantined-files.txt 2012-11-07 00:10
ComboFix2.txt 2012-11-06 16:05
.
Pre-Run: 105,130,360,832 bytes free
Post-Run: 105,083,719,680 bytes free
.
- - End Of File - - 98BEDEF69B7AA5F12FFB78A0D0308C88
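
The ComboFix log above confirms the two ESET hits were deleted, but its Supplementary Scan section still shows mStart Page and the Firefox keyword.URL pref pointing at hxxp://search.searchonme.com/, a search hijack setting consistent with the redirect the original post describes, and a reader working through a log of this length by eye can easily skip past those two lines. As an added example (not part of the thread and not a ComboFix feature), the Python below scans ComboFix-style log text for browser start/search URLs whose host is not on an allowlist and for Run-key autoruns that live outside the usual program directories. The allowlist and the trusted-directory prefixes are this example's own assumptions; the sample log is constructed from lines of the log above plus one made-up autorun entry ("sample_dropper") so the path check has something to flag.

```python
"""
Audit ComboFix-style log text for two things a reviewer wants to catch:
  1. browser start page / search settings that point at an unexpected host
     (search redirect residue), and
  2. Run-key autorun entries whose binary lives outside the usual
     program directories.

Added example; the allowlist and trusted prefixes below are assumptions,
not anything ComboFix itself defines.
"""
import re
from urllib.parse import urlparse

# Hosts a home page or search setting is allowed to point at (assumption).
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.google.co.uk"}

# Directories where vendor autoruns normally live (assumption); anything
# under a user profile, temp or ProgramData is reported for review.
TRUSTED_AUTORUN_PREFIXES = (
    "c:\\program files\\",
    "c:\\windows\\system32\\",
    "c:\\progra~1\\",
)

# Matches "uStart Page = hxxp://..." and "FF - prefs.js: keyword.URL - hxxp://...".
# ComboFix writes "hxxp" so the URL is not clickable when pasted into a forum.
URL_SETTING = re.compile(r"^(.+?)\s+[=-]\s+(hxxps?://\S+)\s*$")

# Matches Run-key lines of the form  "name"="c:\path\file.exe" [date size]
RUN_ENTRY = re.compile(r'^"([^"]+)"="([a-z]:\\[^"]+)"', re.IGNORECASE)


def defanged_host(url):
    """Hostname of a hxxp:// URL (lower-cased), or '' if it cannot be parsed."""
    real = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return (urlparse(real).hostname or "").lower()


def find_search_hijacks(log_text):
    """Return (setting, url) pairs whose host is not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = URL_SETTING.match(line.strip())
        if not m:
            continue
        setting, url = m.group(1), m.group(2)
        if defanged_host(url) not in ALLOWED_SEARCH_HOSTS:
            hits.append((setting, url))
    return hits


def find_untrusted_autoruns(log_text):
    """Return (name, path) pairs for Run entries outside the trusted directories."""
    hits = []
    for line in log_text.splitlines():
        m = RUN_ENTRY.match(line.strip())
        if not m:
            continue
        name, path = m.group(1), m.group(2)
        if not path.lower().startswith(TRUSTED_AUTORUN_PREFIXES):
            hits.append((name, path))
    return hits


# Constructed sample: genuine lines from the ComboFix log in this thread plus
# one made-up autorun ("sample_dropper") that is NOT in the real log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-23 39408]
"sample_dropper"="c:\users\Mike N\AppData\Roaming\sample\sample.exe" [2012-10-20 51200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-11 348664]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752]
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://search.searchonme.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.searchonme.com/?l=1&q=
"""

if __name__ == "__main__":
    for setting, url in find_search_hijacks(SAMPLE_LOG):
        print(f"search/start page points off-allowlist: {setting} -> {url}")
    for name, path in find_untrusted_autoruns(SAMPLE_LOG):
        print(f"autorun outside trusted directories: {name} -> {path}")
```

Run against the sample it reports the machine-wide IE start page and the Firefox keyword.URL, both still set to search.searchonme.com, plus the constructed profile-directory autorun; the genuine Run entries and the Google URLs pass. Extend ALLOWED_SEARCH_HOSTS and TRUSTED_AUTORUN_PREFIXES to match the machine you are reviewing before trusting a clean result.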

#10 CatByte (Malware Response Team)


Posted 06 November 2012 - 08:37 PM

We just have some housekeeping to do now,

Please do the following:


You can delete the DDS and the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

(screenshot not reproduced)


NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    PC Safety and Security--What Do I Need?.
  • Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.



#11 chris_83 (Topic Starter)


Posted 07 November 2012 - 03:15 PM

Thank you CatByte. The amazingly fast responses and clear & concise instructions were much appreciated! I will highlight the articles on web security to my folks and hopefully we can steer clear of future infections.

Kind regards & thanks again,

Chris

#12 CatByte (Malware Response Team)


Posted 07 November 2012 - 03:44 PM

you are welcome

stay safe :hello:

~CB



#13 CatByte (Malware Response Team)


Posted 07 November 2012 - 03:44 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





