Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Tech Support Scam - logmein123


  • This topic is locked This topic is locked
11 replies to this topic

#1 girsler

girsler

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 03 February 2013 - 07:34 PM

A few days ago, my Yahoo email was hacked. I changed my password and after searching for computer assistance, I inadvertently thought an ad was a legitimate Yahoo technical support link. I called pc tech site at 1-888-727-0571(www.pctechsite.com). The technicians informed me to run some command line tools and used logmein123 to gain access to my computer. They installed Malwarebytes, Ccleaner, Microsoft Security Essentials and Security Shield. After I thought this was a scam, I called this company to complain, they said they would not refund my money. A little while later I received another phone call from "Marlin from the tech department at Microsoft" in New York (1-212-777-3457) informing me my computer had many errors including malicious downloads, was compromised and would crash. I questioned the legitimacy of this call and they hung up on me. After this call a black box appeared in the lower left-hand side of my computer screen. I assume this was them trying to access my computer again. I disabled imi_rescue.exe, Remote Assistance, and WebKit on my firewall which I assume were allowing logmein access to my computer and generated the below DDS text file. Could you please assist me with ensuring my computer is cleaned and no longer infected or compromised. My wife posted a similar post earlier for her laptop. The following log is for my desktop PC. Thank you for your assistance.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.9.2
Run by Dee at 18:24:34 on 2013-02-03
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2048.278 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
C:\Program Files (x86)\AVG\AVG PC Tuneup\BoostSpeed.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files (x86)\TeamViewer\Version7\tv_w32.exe
C:\Program Files (x86)\TeamViewer\Version7\tv_x64.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\SlySoft\AnyDVD\ADvdDiscHlp64.exe
C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe
C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoDashboard.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Memeo\AutoBackup\InstantBackup.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
c:\program files (x86)\teamviewer\version7\TeamViewer_Desktop.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: AVG SafeGuard toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\14.0.0.14\AVG SafeGuard toolbar_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: AVG SafeGuard toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\14.0.0.14\AVG SafeGuard toolbar_toolbar.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [AnyDVD] C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe
mRun: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Memeo Instant Backup] C:\Program Files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui
mRun: [Seagate Dashboard] C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui
mRun: [vProt] "C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{76015842-B501-4FB6-A59C-41FBB2EE1DA4} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{A73911CE-F18E-4C66-B92E-24CEB3E2604D} : DHCPNameServer = 75.75.75.75 75.75.76.76
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\14.0.1\ViProtocol.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
x64-Run: [SoundMan] SOUNDMAN.EXE
x64-Run: [Logitech Download Assistant] C:\Windows\System32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Dee\AppData\Roaming\Mozilla\Firefox\Profiles\pi8c6pdn.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://mysearch.avg.com/search?cid={8F3E2D84-EEFF-4CCD-BAA2-077D16CD6E4B}&mid=1c27fab2662947d181d6d15a958742cd-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=AVG&pr=fr&d=2013-01-24 12:16:03&pid=safeguard&sg=1&v=14.0.0.14&sap=ku&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\14.0.1\npsitesafety.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Users\Dee\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-01-16 14:03; pfuspqteuplgtiz@xkpbswnp.ypr; C:\Users\Dee\AppData\Roaming\Mozilla\Firefox\Profiles\pi8c6pdn.default\extensions\pfuspqteuplgtiz@xkpbswnp.ypr.xpi
FF - ExtSQL: 2013-01-24 12:16; avg@toolbar; C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\14.0.0.14
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-10-15 63328]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2012-9-21 225120]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2012-11-15 111968]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-9-14 40800]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2012-10-22 154464]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-10-2 185696]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-9-21 200032]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2013-1-24 37720]
R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2011-8-10 91864]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-8-5 283200]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-15 5814904]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\System32\drivers\LVPr2M64.sys [2009-10-7 30232]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2009-10-7 327704]
R3 LVUVC64;QuickCam Communicate Deluxe(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2009-10-7 6379288]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-2 24176]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
R3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-9-28 395264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
.
=============== Created Last 30 ================
.
2013-02-02 01:10:20 -------- d-----w- C:\Users\Dee\AppData\Local\LogMeIn Rescue Applet
2013-01-28 01:14:46 -------- d-----w- C:\Users\Dee\AppData\Local\Microsoft Games
2013-01-24 18:16:27 -------- d-----w- C:\Users\Dee\AppData\Local\AVG SafeGuard toolbar
2013-01-24 18:16:10 -------- d-----w- C:\ProgramData\AVG Security Toolbar
2013-01-24 18:16:07 -------- d-----w- C:\ProgramData\AVG SafeGuard toolbar
2013-01-24 18:16:00 37720 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2013-01-24 18:15:55 -------- d-----w- C:\Program Files (x86)\Common Files\AVG Secure Search
2013-01-24 18:15:53 -------- d-----w- C:\Program Files (x86)\AVG SafeGuard toolbar
2013-01-24 04:30:06 -------- d-----w- C:\Users\Dee\AppData\Local\Programs
2013-01-23 01:55:30 -------- d-----w- C:\ProgramData\AVG January 2013 Campaign
2013-01-09 12:37:37 750592 ----a-w- C:\Windows\System32\win32spl.dll
2013-01-09 12:36:51 424448 ----a-w- C:\Windows\System32\KernelBase.dll
.
==================== Find3M ====================
.
2013-01-09 07:27:17 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-09 07:27:17 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-12-25 14:24:23 60416 ----a-w- C:\Windows\ALCFDRTM.VER
2012-12-25 14:24:23 60416 ----a-w- C:\Windows\ALCFDRTM.EXE
2012-12-16 17:11:22 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-12-16 14:45:03 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-12-16 14:13:28 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:13:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-12-14 22:49:28 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-12-07 13:20:16 441856 ----a-w- C:\Windows\System32\Wpc.dll
2012-12-07 13:15:31 2746368 ----a-w- C:\Windows\System32\gameux.dll
2012-12-07 12:26:17 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll
2012-12-07 11:20:04 30720 ----a-w- C:\Windows\System32\usk.rs
2012-12-07 11:20:03 43520 ----a-w- C:\Windows\System32\csrr.rs
2012-12-07 11:20:03 23552 ----a-w- C:\Windows\System32\oflc.rs
2012-12-07 11:20:01 45568 ----a-w- C:\Windows\System32\oflc-nz.rs
2012-12-07 11:20:01 44544 ----a-w- C:\Windows\System32\pegibbfc.rs
2012-12-07 11:20:01 20480 ----a-w- C:\Windows\System32\pegi-fi.rs
2012-12-07 11:20:00 20480 ----a-w- C:\Windows\System32\pegi-pt.rs
2012-12-07 11:19:59 20480 ----a-w- C:\Windows\System32\pegi.rs
2012-12-07 11:19:58 46592 ----a-w- C:\Windows\System32\fpb.rs
2012-12-07 11:19:57 40960 ----a-w- C:\Windows\System32\cob-au.rs
2012-12-07 11:19:57 21504 ----a-w- C:\Windows\System32\grb.rs
2012-12-07 11:19:57 15360 ----a-w- C:\Windows\System32\djctq.rs
2012-12-07 11:19:56 55296 ----a-w- C:\Windows\System32\cero.rs
2012-12-07 11:19:55 51712 ----a-w- C:\Windows\System32\esrb.rs
2012-11-30 05:45:35 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-11-30 05:45:35 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-11-30 05:45:35 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-11-30 05:45:14 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-11-30 05:43:12 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-11-30 04:54:00 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-11-30 04:53:59 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-11-30 03:23:48 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-11-30 02:44:06 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-11-30 02:44:04 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-11-30 02:44:04 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-11-30 02:44:03 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-11-30 02:38:59 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-11-23 03:26:31 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-11-23 03:13:57 68608 ----a-w- C:\Windows\System32\taskhost.exe
2012-11-22 05:44:23 800768 ----a-w- C:\Windows\System32\usp10.dll
2012-11-22 04:45:03 626688 ----a-w- C:\Windows\SysWow64\usp10.dll
2012-11-20 05:48:49 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-11-20 04:51:09 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-11-16 05:33:24 111968 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-09 04:43:04 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
.
============= FINISH: 18:26:01.25 ===============

Attached Files

  • Attached File  dds.txt   21.87KB   1 downloads

Edited by bloopie, 07 February 2013 - 06:53 PM.
Removed previous edit


BC AdBot (Login to Remove)

 


#2 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:13 AM

Posted 07 February 2013 - 07:00 PM

Hello girsler, and welcome to BC!thumbup.gif

My name is bloopie and I'll be helping you with your problems as best I can! thumbup2.gif

A few things to keep in mind while we are working together:
  • As you have posted several similar topics here, please be sure to keep each machine and topic instructions seperate. What instructions I give in this topic may not be the best for the others!
  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic an do my best to resolve your issues.
  • ==========

    Now let's get another log from a more powerful tool:

    Run Combofix

    You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

    Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

    Combofix may need to reboot your computer more than once to do its job...this is normal.

    You can download Combofix from one of these links.
    • Close any open browsers or any other programs that are open.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.
  • Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

    Note 2: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

    bloopie


#3 girsler

girsler
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 10 February 2013 - 04:14 PM

Hello Bloopie,

 

I have the original Windows 7 CD/DVD.  Below is my combofix log.  I disabled antivirus, other malware scanners and firewall when running my scan. 

 

ComboFix 13-02-07.02 - Dee 02/10/2013  14:48:52.1.1 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2048.900 [GMT -6:00]
Running from: c:\users\Dee\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . Failed to delete
c:\windows\TEMP\logishrd\LVPrcInj02.dll . . . . Failed to delete
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-10 to 2013-02-10  )))))))))))))))))))))))))))))))
.
.
2013-02-02 01:10 . 2013-02-02 16:15    --------    d-----w-    c:\users\Dee\AppData\Local\LogMeIn Rescue Applet
2013-01-28 01:14 . 2013-01-28 01:15    --------    d-----w-    c:\users\Dee\AppData\Local\Microsoft Games
2013-01-27 17:52 . 2013-01-27 17:52    --------    d-----w-    c:\users\Jane\AppData\Local\AVG SafeGuard toolbar
2013-01-24 18:16 . 2013-01-24 18:16    --------    d-----w-    c:\users\Dee\AppData\Local\AVG SafeGuard toolbar
2013-01-24 18:16 . 2013-01-24 18:16    --------    d-----w-    c:\programdata\AVG Security Toolbar
2013-01-24 18:16 . 2013-01-24 18:16    --------    d-----w-    c:\programdata\AVG SafeGuard toolbar
2013-01-24 18:16 . 2013-02-10 20:34    39768    ----a-w-    c:\windows\system32\drivers\avgtpx64.sys
2013-01-24 18:15 . 2013-01-24 18:16    --------    d-----w-    c:\program files (x86)\Common Files\AVG Secure Search
2013-01-24 18:15 . 2013-02-10 20:34    --------    d-----w-    c:\program files (x86)\AVG SafeGuard toolbar
2013-01-24 04:30 . 2013-01-24 04:30    --------    d-----w-    c:\users\Dee\AppData\Local\Programs
2013-01-23 01:55 . 2013-01-23 01:57    --------    d-----w-    c:\programdata\AVG January 2013 Campaign
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-10 09:04 . 2011-12-27 05:25    67599240    ----a-w-    c:\windows\system32\MRT.exe
2013-01-09 07:27 . 2012-05-02 01:18    697864    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-09 07:27 . 2011-12-26 20:40    74248    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-25 14:24 . 2012-12-25 14:24    60416    ----a-w-    c:\windows\ALCFDRTM.VER
2012-12-25 14:24 . 2012-12-25 14:24    60416    ----a-w-    c:\windows\ALCFDRTM.EXE
2012-12-16 17:11 . 2012-12-25 09:01    46080    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-25 09:01    367616    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-25 09:01    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-25 09:01    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2012-12-14 22:49 . 2012-11-02 14:48    24176    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-12-07 13:20 . 2013-01-09 12:37    441856    ----a-w-    c:\windows\system32\Wpc.dll
2012-12-07 13:15 . 2013-01-09 12:37    2746368    ----a-w-    c:\windows\system32\gameux.dll
2012-12-07 12:26 . 2013-01-09 12:37    308736    ----a-w-    c:\windows\SysWow64\Wpc.dll
2012-12-07 12:20 . 2013-01-09 12:37    2576384    ----a-w-    c:\windows\SysWow64\gameux.dll
2012-12-07 11:20 . 2013-01-09 12:37    30720    ----a-w-    c:\windows\system32\usk.rs
2012-12-07 11:20 . 2013-01-09 12:37    43520    ----a-w-    c:\windows\system32\csrr.rs
2012-12-07 11:20 . 2013-01-09 12:37    23552    ----a-w-    c:\windows\system32\oflc.rs
2012-12-07 11:20 . 2013-01-09 12:37    45568    ----a-w-    c:\windows\system32\oflc-nz.rs
2012-12-07 11:20 . 2013-01-09 12:37    44544    ----a-w-    c:\windows\system32\pegibbfc.rs
2012-12-07 11:20 . 2013-01-09 12:37    20480    ----a-w-    c:\windows\system32\pegi-fi.rs
2012-12-07 11:20 . 2013-01-09 12:37    20480    ----a-w-    c:\windows\system32\pegi-pt.rs
2012-12-07 11:19 . 2013-01-09 12:37    20480    ----a-w-    c:\windows\system32\pegi.rs
2012-12-07 11:19 . 2013-01-09 12:37    46592    ----a-w-    c:\windows\system32\fpb.rs
2012-12-07 11:19 . 2013-01-09 12:37    40960    ----a-w-    c:\windows\system32\cob-au.rs
2012-12-07 11:19 . 2013-01-09 12:37    15360    ----a-w-    c:\windows\system32\djctq.rs
2012-12-07 11:19 . 2013-01-09 12:37    21504    ----a-w-    c:\windows\system32\grb.rs
2012-12-07 11:19 . 2013-01-09 12:37    55296    ----a-w-    c:\windows\system32\cero.rs
2012-12-07 11:19 . 2013-01-09 12:37    51712    ----a-w-    c:\windows\system32\esrb.rs
2012-12-07 10:46 . 2013-01-09 12:37    43520    ----a-w-    c:\windows\SysWow64\csrr.rs
2012-12-07 10:46 . 2013-01-09 12:37    30720    ----a-w-    c:\windows\SysWow64\usk.rs
2012-12-07 10:46 . 2013-01-09 12:37    45568    ----a-w-    c:\windows\SysWow64\oflc-nz.rs
2012-12-07 10:46 . 2013-01-09 12:37    44544    ----a-w-    c:\windows\SysWow64\pegibbfc.rs
2012-12-07 10:46 . 2013-01-09 12:37    20480    ----a-w-    c:\windows\SysWow64\pegi-pt.rs
2012-12-07 10:46 . 2013-01-09 12:37    23552    ----a-w-    c:\windows\SysWow64\oflc.rs
2012-12-07 10:46 . 2013-01-09 12:37    20480    ----a-w-    c:\windows\SysWow64\pegi-fi.rs
2012-12-07 10:46 . 2013-01-09 12:37    46592    ----a-w-    c:\windows\SysWow64\fpb.rs
2012-12-07 10:46 . 2013-01-09 12:37    20480    ----a-w-    c:\windows\SysWow64\pegi.rs
2012-12-07 10:46 . 2013-01-09 12:37    21504    ----a-w-    c:\windows\SysWow64\grb.rs
2012-12-07 10:46 . 2013-01-09 12:37    40960    ----a-w-    c:\windows\SysWow64\cob-au.rs
2012-12-07 10:46 . 2013-01-09 12:37    15360    ----a-w-    c:\windows\SysWow64\djctq.rs
2012-12-07 10:46 . 2013-01-09 12:37    55296    ----a-w-    c:\windows\SysWow64\cero.rs
2012-12-07 10:46 . 2013-01-09 12:37    51712    ----a-w-    c:\windows\SysWow64\esrb.rs
2012-11-30 05:45 . 2013-01-09 12:36    362496    ----a-w-    c:\windows\system32\wow64win.dll
2012-11-30 05:45 . 2013-01-09 12:36    243200    ----a-w-    c:\windows\system32\wow64.dll
2012-11-30 05:45 . 2013-01-09 12:36    13312    ----a-w-    c:\windows\system32\wow64cpu.dll
2012-11-30 05:45 . 2013-01-09 12:36    215040    ----a-w-    c:\windows\system32\winsrv.dll
2012-11-30 05:43 . 2013-01-09 12:36    16384    ----a-w-    c:\windows\system32\ntvdm64.dll
2012-11-30 05:41 . 2013-01-09 12:36    424448    ----a-w-    c:\windows\system32\KernelBase.dll
2012-11-30 05:41 . 2013-01-09 12:36    1161216    ----a-w-    c:\windows\system32\kernel32.dll
2012-11-30 05:38 . 2013-01-09 12:36    6144    ---ha-w-    c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    5120    ---ha-w-    c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-11-30 04:54 . 2013-01-09 12:36    5120    ----a-w-    c:\windows\SysWow64\wow32.dll
2012-11-30 04:53 . 2013-01-09 12:36    274944    ----a-w-    c:\windows\SysWow64\KernelBase.dll
2012-11-30 04:45 . 2013-01-09 12:36    4608    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    5120    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 12:36    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-02-10 20:34    1920688    ----a-w-    c:\program files (x86)\AVG SafeGuard toolbar\14.1.0.10\AVG SafeGuard toolbar_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG SafeGuard toolbar\14.1.0.10\AVG SafeGuard toolbar_toolbar.dll" [2013-02-10 1920688]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG SafeGuard toolbar.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG SafeGuard toolbar.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
"AnyDVD"="c:\program files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe" [2013-01-24 6824024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2011-08-11 358336]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"Memeo Instant Backup"="c:\program files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe" [2011-04-06 136416]
"Seagate Dashboard"="c:\program files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-11-03 73728]
"vProt"="c:\program files (x86)\AVG SafeGuard toolbar\vprot.exe" [2013-02-10 1124016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-28 1255736]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2012-02-15 834544]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-10-15 63328]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys [2012-09-21 225120]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2012-11-16 111968]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-09-14 40800]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2012-10-22 154464]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-10-02 185696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-09-21 200032]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2013-02-10 39768]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2011-08-11 91864]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-08-05 283200]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-16 5814904]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [2011-04-06 25824]
S2 SeagateDashboardService;Seagate Dashboard Service;c:\program files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2011-11-03 8704]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-10-23 2848168]
S2 vToolbarUpdater14.1.7;vToolbarUpdater14.1.7;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.1.7\ToolbarUpdater.exe [2013-02-10 965296]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2009-10-07 30232]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2009-10-07 327704]
S3 LVUVC64;QuickCam Communicate Deluxe(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2009-10-07 6379288]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 25088]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-31 00:11    1607120    ----a-w-    c:\program files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 07:27]
.
2013-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-24 02:22]
.
2013-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-24 02:22]
.
2013-01-24 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-23 21:16]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-04 1580368]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\14.1.7\ViProtocol.dll
FF - ProfilePath - c:\users\Dee\AppData\Roaming\Mozilla\Firefox\Profiles\pi8c6pdn.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://mysearch.avg.com/search?cid={8F3E2D84-EEFF-4CCD-BAA2-077D16CD6E4B}&mid=1c27fab2662947d181d6d15a958742cd-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=AVG&pr=fr&d=2013-01-24 12:16&pid=safeguard&sg=1&v=14.0.0.14&sap=ku&q=
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-01-16 14:03; pfuspqteuplgtiz@xkpbswnp.ypr; c:\users\Dee\AppData\Roaming\Mozilla\Firefox\Profiles\pi8c6pdn.default\extensions\pfuspqteuplgtiz@xkpbswnp.ypr.xpi
FF - ExtSQL: 2013-01-24 12:16; avg@toolbar; c:\programdata\AVG SafeGuard toolbar\FireFoxExt\14.0.0.14
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
   91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"=hex:51,66,7a,6c,4c,1d,38,12,7c,f0,b1,
   38,5c,21,3d,0e,d9,78,0d,25,e1,c9,8c,d4
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
   76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
   2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
   fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:53,10,fd,d4,46,26,cd,01
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files (x86)\TeamViewer\Version7\TeamViewer.exe
c:\program files (x86)\TeamViewer\Version7\tv_w32.exe
c:\program files (x86)\AVG\AVG PC Tuneup\BoostSpeed.exe
.
**************************************************************************
.
Completion time: 2013-02-10  15:05:24 - machine was rebooted
ComboFix-quarantined-files.txt  2013-02-10 21:05
.
Pre-Run: 28,788,162,560 bytes free
Post-Run: 28,525,264,896 bytes free
.
- - End Of File - - C4F3B762BDAF3FEE6D67C4C33F4F619C
 



#4 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:13 AM

Posted 11 February 2013 - 05:04 PM

Hi again,

Combofix attempted, but failed to delete two files. Those two files seem to be related to Logitech Webcam and reside in a temporary folder, so I'm going to leave them as we will clean your temp files later on.

Okay, let's gather some more information:

Step step1.gif


Combofix Extra Report
  • Hold the "Windows0d8a4985-b5e2-41a6-a1b6-e4bafb517937_92." key and press "R" to open the runbox.
  • Please copy and paste the contents of the codebox below into the empty runbox:
  • C:\Qoobox\Add-Remove Programs.txt
  • Then click Ok.

Now, copy and paste the contents of the file that opens into your next reply.

==========

Step step2.gif

Run RogueKiller

Download RogueKiller from here or here and save it to your desktop.
  • Close all programs and disconnect any USB or external drives before running the tool.
  • Right-click RogueKiller.exe and select Run as Administrator.
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", click Delete.
  • When the Status box shows "Deleting Finished", click Report and then copy and paste the log in your next reply.
  • The log can also be found at RKreport[1].txt on your desktop.
  • ==========

    In your next reply, please include the following:

    The CF Extra Report
    The RogueKiller log

    bloopie


#5 girsler

girsler
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 12 February 2013 - 01:37 AM

CF Extra Report
Update for Microsoft Office 2007 (KB2508958)
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4)
AnyDVD
Apple Application Support
Apple Software Update
AVG PC Tuneup
AVG SafeGuard toolbar
Citrix Receiver
Citrix Receiver (HDX Flash Redirection)
Citrix Receiver Inside
Citrix Receiver(Aero)
Citrix Receiver(DV)
Citrix Receiver(USB)
DAEMON Tools Lite
Google Chrome
Google Earth
Google Update Helper
Java 7 Update 9
Java Auto Updater
Juniper Citrix Services Client
Juniper Networks, Inc. Setup Client
Juniper Networks, Inc. Setup Client Activex Control
Logitech Vid HD
Malwarebytes Anti-Malware version 1.70.0.1100
Memeo Instant Backup
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mozilla Firefox 18.0.1 (x86 en-US)
Mozilla Maintenance Service
NVIDIA Stereoscopic 3D Driver
Online Plug-in
QuickTime
Realtek AC'97 Audio
Seagate Dashboard
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Spotify
TeamViewer 7
TurboTax 2011
TurboTax 2011 wiliper
TurboTax 2011 WinPerFedFormset
TurboTax 2011 WinPerReleaseEngine
TurboTax 2011 WinPerTaxSupport
TurboTax 2011 wrapper
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2760586) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Visual Studio 2008 x64 Redistributables
VLC media player 2.0.4
WinX DVD Ripper Platinum 7.0.0
WinX YouTube Downloader 3.0.4
Yahoo! BrowserPlus 2.9.8
Yahoo! Messenger
 

 

RogueKiller log

RogueKiller V8.5.0 [Feb  9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dee [Admin rights]
Mode : Remove -- Date : 02/12/2013 00:37:36
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[TASK][SUSP PATH] ROC_REG_JAN_DELETE.job : C:\ProgramData\AVG January 2013 Campaign\ROC.exe /DELETE_FROM_SYSTEM=1 -> DELETED
[TASK][SUSP PATH] ROC_REG_JAN_DELETE : C:\ProgramData\AVG January 2013 Campaign\ROC.exe /DELETE_FROM_SYSTEM=1 -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: NVIDIA  STRIPE   465.77G +++++
--- User ---
[MBR] 3354c567c8a81ad2f807f123eb3ede79
[BSP] 8c923d5ad35846cbc95a7eaebf81d0d0 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 80026 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 163895130 | Size: 396918 Mo
Error reading LL1 MBR!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_02122013_02d0037.txt >>
RKreport[1]_S_02122013_02d0036.txt ; RKreport[2]_D_02122013_02d0037.txt
 



#6 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:13 AM

Posted 12 February 2013 - 12:16 PM

Hi again,

Okay, let's run these tools next:

Step step1.gif

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
  • ==========

    Step step2.gif

    ESET Online Scanner:

    Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

    Vista/Windows 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
    • Please go here to run the scan.

      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

    • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on: EOLS3.gif
    • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Click the Back button.
    • Now click on: EOLS4.gif
  • Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

    ==========

    In your next reply, please include the following:

    The adwCleaner log
    The ESET log

    bloopie


#7 girsler

girsler
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 13 February 2013 - 10:46 PM

adwCleaner log

 

# AdwCleaner v2.112 - Logfile created 02/13/2013 at 18:56:41
# Updated 10/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Dee - TSUNAMI
# Boot Mode : Normal
# Running from : C:\Users\Dee\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\Users\Dee\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Folder Deleted : C:\Users\Jane\AppData\LocalLow\AVG Secure Search

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key
Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key
Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key
Deleted :
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.2 (en-US)

File : C:\Users\Dee\AppData\Roaming\Mozilla\Firefox\Profiles\pi8c6pdn.default\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");

File : C:\Users\Jane\AppData\Roaming\Mozilla\Firefox\Profiles\p1w6vdzb.default\prefs.js

Deleted : user_pref("avg.install.installDirPath", "C:\\ProgramData\\AVG Secure Search\\12.2.5.34");
Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("keyword.URL", "hxxps://isearch.avg.com/search?cid=%7B2628aef1-b08e-4cfd-bebc-3d9a3a2881b9[...]

-\\ Google Chrome v24.0.1312.57

File : C:\Users\Dee\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted
[l.1] : icon_url
={"backup":{"_signature":"C3dDQdQ2JRghivLRRwKT++Ij++kjf1mx/PdNDRof5Is=","_version":4,"extensions":{"i[...]

File : C:\Users\Jane\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted
[l.1] : icon_url
={"backup":{"_signature":"k91uvu0vJlsDHZpP2OHm+b5mSAd0VOYrdzjVbPjdYDM=","_version":4,"extensions":{"i[...]

*************************

AdwCleaner[S1].txt - [5652 octets] - [13/02/2013 18:56:41]

########## EOF - C:\AdwCleaner[S1].txt - [5712 octets] ##########
 

ESET log

 

C:\Users\Dee\Desktop\cbsidlm-tr1_8-WinX_YouTube_Downloader-BP2-75744186.exe    Win32/DownloadAdmin.E application
C:\Users\Jane\Downloads\Installer_Regwork.exe    a variant of Win32/Adware.RegRevive application
G:\Liz Desktop\My Documents\Software\INTERVIDEO_WINDVD_6_0_PLATI\keygen.exe    probably a variant of Win32/Agent.LHPKIKX trojan
G:\Liz Desktop\My Documents\Software\INTERVIDEO_WINDVD_6_0_PLATI\ror.rar    probably a variant of Win32/Agent.LHPKIKX trojan



#8 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:13 AM

Posted 15 February 2013 - 11:28 AM

Hi again,

Sorry for the delay. Your logs are looking pretty good!

Now, lets remove what was found in the ESET scan with a batch, and then we'll do some updates:

Step step1.gif
  • Hold the "Windows0d8a4985-b5e2-41a6-a1b6-e4bafb517937_92." key and press "R" to open the runbox and type in notepad and click Ok.
  • Copy the text in the code box below then paste it into the blank Notepad and save it to your Desktop as DelFile.bat
    @echo off
    del /f /s /q "C:\Users\Dee\Desktop\cbsidlm-tr1_8-WinX_YouTube_Downloader-BP2-75744186.exe"
    del /f /s /q "C:\Users\Jane\Downloads\Installer_Regwork.exe"
    del /f /s /q "G:\Liz Desktop\My Documents\Software\INTERVIDEO_WINDVD_6_0_PLATI\keygen.exe"
    del /f /s /q "G:\Liz Desktop\My Documents\Software\INTERVIDEO_WINDVD_6_0_PLATI\ror.rar"
    del %0
    • ---->>The batch file should now look like this: batwin7.png<--in Windows Vista/7 and this:batxp.png<--in Windows XP
    • Now double click on the DelFile.bat on your Desktop and the batch will quickly run and delete itself for you.
    • Now reboot the machine.
    ==========

    Step step2.gif
    Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
    • Download the latest version of Adobe Reader Version X. and save it to your desktop.
    • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
    • Click the download button at the bottom.
    • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
    • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
      If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
    • Then from your desktop double-click on Adobe Reader to install the newest version.
      If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    • When the "Adobe Setup - Welcome" window opens, click the Install > button.
    • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
    Your Adobe Reader is now up to date!

    ==========

    Step step3.gif
    Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.Please follow these steps to remove older version Java components and update:
and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
    64-bit OS users, should read: Which Java download should I choose for my 64-bit Windows operating system?
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to StartBtn.gif
  • > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u7-windows-i586.exe (or jre-7u7-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java. Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
    To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.
    ==========

    Let me know if you had any trouble with the above steps! We're nearly finished! thumbup2.gif

    bloopie

Edited by bloopie, 15 February 2013 - 11:29 AM.
fixed image tags


#9 girsler

girsler
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 16 February 2013 - 12:35 PM

I am finished with the above steps.  Please let me know what the next steps are.  Thank you.



#10 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:13 AM

Posted 16 February 2013 - 01:14 PM

Hello again,

Here are the final steps including a Temp File Cleaner:

Your machine appears to be clean! thumbup.gif

Let's do some housekeeping now:



The following steps will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.


Step step1.gif

DeFogger:

Note** This only needs to be run if it was run before - If not then skip it.
  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    Your Emulation drivers are now re-enabled.
Step step2.gif

Uninstall ComboFix:
  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • CF-Uninstall.png
  • Step step3.gif

    Uninstall adwCleaner:
    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.
    Step step4.gif

    Download TFC by OldTimer to your desktop.
    (TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
    Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job.
    Once its finished it should automatically reboot your machine, if it doesn't, manually reboot to ensure a complete clean

    NOTE:
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


    Step step5.gif

    Download and Run OTC

    We will now remove the tools we used during this fix using OTC.
    • Download OTC by OldTimer and save it to your desktop.
    • Double click OTC_Icon.jpg icon to start the program. If you are using Vista, please right-click and choose run as administrator
    • Then Click the big CleanUp.jpg button.
    • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
    • Restart your computer when prompted.
    Any programs and logs that are left over you can just delete from the desktop.


    Are you having any additional problems at this point? If so, please let me know. Otherwise feel free to enjoy use of your repaired machine thumbup2.gif



    The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to project yourself is not to run email attachments from untrusted sources, and avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems' such as Unix) security model, applications don't have privileges, users do.

    The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. you can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out of date lists mean no detection of newer malware.

    Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows XP SP2 or later is fine) and leaving it on, and using and keeping up to date an antivirus solution such as Norton AntiVirus. Antiviral solutions don't even have to cost money; for instance Microsoft Secuity Essentials provides perfectly acceptable protection for free. If for some reason you don't like MSE, there are other free products available as well:
    • Avast (home use only)
    • Avira (shows nag screen to purchase full product when updating, home use only)
    That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:If you want more information on methods malware use to infect your computer, consider browsing our How did I get infected? topic.

    Please respond to this post so I can close the thread unless you have any other questions.


    Best of regards, and happy surfing!! wink.png

    bloopie


#11 girsler

girsler
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 17 February 2013 - 12:34 AM

Thank you for your help.  My computer is running fine now. 

 

- Flippy Flapjacks.



#12 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:13 AM

Posted 17 February 2013 - 08:50 AM

That's good to hear, and I'm glad I could help! :)

bloopie

Since this issue appears to be resolved, I am closing this topic. If this is not the case and you need or want to have the topic reopened, please send me a PM.

Everyone else please begin a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users