
Funny, funny business


  • This topic is locked
45 replies to this topic

#1 pnbsoup

Posted 01 May 2013 - 12:35 PM

Within the past couple of days I've been on Internet Explorer and noticed that the webpages look weird and odd. Below I have attached a couple of scans from HijackThis, AdwCleaner, and RogueKiller. Please advise.

Thanks for your help!!!

pnbsoup


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:05:21 PM, on 5/1/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16537)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Voltage Security\VSManager2.exe
C:\Program Files\Common Files\Voltage Security\VSAgent.exe
C:\Windows\system32\conhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: PDF Architect Helper - {3A2D5EBA-F86D-4BD3-A177-019765996711} - C:\Program Files\PDF Architect\PDFIEHelper.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\20.3.1.22\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\20.3.1.22\IPS\IPSBHO.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll" (file missing)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\20.3.1.22\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PDF Architect Toolbar - {25A3A431-30BB-47C8-AD6A-E1063801134F} - C:\Program Files\PDF Architect\PDFIEPlugin.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Voltage Encryption Manager.lnk = C:\Program Files\Common Files\Voltage Security\VSManager2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Fantapper - {AB745E88-1BAD-4B80-A83E-7C964EAC9804} - C:\Program Files\Brand Affinity Technologies\Fantapper Player\\IEInstaller.dll (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.harleysvillegroup.com
O15 - Trusted Zone: http://www.qqsolutions.com
O16 - DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} (Infragistics ActiveTreeView Control) - https://accesscl.harleysvillegroup.com/aqs.advantage.client/system/cab/sstree.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - https://accesscl.harleysvillegroup.com/aqs.advantage.client/system/CAB/iemenu.cab
O16 - DPF: {81F0C919-AB0B-4F5C-932D-5CEEF05879E9} (IITLoadCtrl Class) - https://www.imoncall.com/go/iitloader.cab
O16 - DPF: {B52058E9-B6DD-11D3-AFDC-005004A74E81} (qqRegister Control) - http://www.qqsolutions.com/web/webupdates/qqRegister.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://harleysville.webex.com/client/WBXclient-T27L10NSP32EP5-14362/webex/ieatgpc1.cab
O18 - Filter: application/x-vs-authtoken - {1F17617E-C296-4C16-89E3-E22C6C454645} - C:\Program Files\Common Files\Voltage Security\VSTokenHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs:  
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: WebEx Service Host for Support Center (atashost) - Cisco WebEx LLC - C:\Windows\system32\atashost.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® PROSet Monitoring Service - Intel Corporation - C:\Windows\system32\IProsetMonitor.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe
O23 - Service: PDF Architect Helper Service - pdfforge GbR - C:\Program Files\PDF Architect\HelperService.exe
O23 - Service: PDF Architect Service - pdfforge GbR - C:\Program Files\PDF Architect\ConversionService.exe
O23 - Service: ShareFile Auto-update Service (SFUpdater) - Unknown owner - C:\Program Files\ShareFile\Updater\UpdateService.exe
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

--
End of file - 10242 bytes
 

# AdwCleaner v2.300 - Logfile created 05/01/2013 at 13:17:41
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : End User - CK-1211-1
# Boot Mode : Normal
# Running from : C:\Users\End User\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.dll
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.xpt
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.xpt
Folder Deleted : C:\Program Files\Common Files\Software Update Utility
Folder Deleted : C:\Program Files\Winamp Toolbar
Folder Deleted : C:\ProgramData\clsoft ltd
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\WeCareReminder
Folder Deleted : C:\ProgramData\Winamp Toolbar
Folder Deleted : C:\Users\End User\AppData\Roaming\Mozilla\Firefox\Profiles\8mtigf06.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
Folder Deleted : C:\Users\End User\AppData\Roaming\Mozilla\Firefox\Profiles\8mtigf06.default\WinampToolbarData
Folder Deleted : C:\Users\End User\AppData\Roaming\OpenCandy
Folder Deleted : C:\Users\End User\AppData\Roaming\pdfforge

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\SProtector
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{25A3A431-30BB-47C8-AD6A-E1063801134F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{25CEE8EC-5730-41BC-8B58-22DDC8AB8C20}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25A3A431-30BB-47C8-AD6A-E1063801134F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25CEE8EC-5730-41BC-8B58-22DDC8AB8C20}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Winamp Toolbar
Key Deleted : HKCU\Software\Winamp Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B27D9527-3762-4D71-963D-FB7A94FDD678}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\winamptbServer.exe
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{25A3A431-30BB-47C8-AD6A-E1063801134F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{25CEE8EC-5730-41BC-8B58-22DDC8AB8C20}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{57BCA5FA-5DBB-45A2-B558-1755C3F6253B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6EF4E91D-DDD5-4478-BCA7-DA04435934C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{841FD004-57A2-4B49-BBDB-5897394619DB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B38D6EDE-390B-4620-8365-29E16459EBDA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E1164984-B567-47BD-A7FF-240C2594404A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F20F11FD-203E-45A9-B7BB-AFC1B4FEA7A6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE178B09-C8AA-4734-804D-1849BCCA0C29}
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0F54B66A-21CF-4548-AE59-A6B83EE6676F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{51A971CA-D36E-4D13-A799-2CF0A491D04D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{56FBEA9F-EF93-4318-B75F-A96FC7C7BD7B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66DD22B9-6521-4B05-97DB-0EBC00B1DA5D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{78B3C85E-44FF-4DC8-B3AD-156F39DC75E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{841FD004-57A2-4B49-BBDB-5897394619DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E1164984-B567-47BD-A7FF-240C2594404A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E19FDA06-5BDF-43C2-B794-BCD8A4C2051F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FAB076F5-E4DD-4EA4-AFEE-F18BF972B057}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{507591C2-2F4E-46A7-92D6-E6CFF82E5F26}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{538CD77C-BFDD-49B0-9562-77419CAB89D1}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Classes\WinampTb.AOLTBSearch
Key Deleted : HKLM\SOFTWARE\Classes\WinampTb.AOLTBSearch.1
Key Deleted : HKLM\SOFTWARE\Classes\WinampTb.AOLToolBand
Key Deleted : HKLM\SOFTWARE\Classes\WinampTb.AOLToolBand.1
Key Deleted : HKLM\SOFTWARE\Classes\WinampTb.Downloader
Key Deleted : HKLM\SOFTWARE\Classes\WinampTb.Downloader.1
Key Deleted : HKLM\SOFTWARE\Classes\WinampTb.ToolbarInfo
Key Deleted : HKLM\SOFTWARE\Classes\WinampTb.ToolbarInfo.1
Key Deleted : HKLM\SOFTWARE\Classes\WinampTb.ToolbarParams
Key Deleted : HKLM\SOFTWARE\Classes\WinampTb.ToolbarParams.1
Key Deleted : HKLM\SOFTWARE\Classes\WinampTbServer.AolToolbarHelper
Key Deleted : HKLM\SOFTWARE\Classes\WinampTbServer.AolToolbarHelper.1
Key Deleted : HKLM\Software\Description
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A8C2644D-BF72-4A89-A88C-D85F565F2F46}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SaveByClick_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SaveByClick_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25CEE8EC-5730-41BC-8B58-22DDC8AB8C20}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winamp Toolbar
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SProtector
Key Deleted : HKLM\Software\Winamp Toolbar
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{25A3A431-30BB-47C8-AD6A-E1063801134F}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\End User\AppData\Roaming\Mozilla\Firefox\Profiles\8mtigf06.default\prefs.js

C:\Users\End User\AppData\Roaming\Mozilla\Firefox\Profiles\8mtigf06.default\user.js ... Deleted !

Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("extensions.50f836935005a.scode", "(function(){try{if('aol.com,mail.google.com,mystart.inc[...]
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

-\\ Google Chrome v26.0.1410.64

File : C:\Users\End User\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [8961 octets] - [01/05/2013 13:17:41]

########## EOF - C:\AdwCleaner[S1].txt - [9021 octets] ##########
 

 

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : End User [Admin rights]
Mode : Remove -- Date : 05/01/2013 13:28:32
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x82EE2DA5 -> HOOKED (Unknown @ 0x8791A8A0)
SSDT[14] : NtAlertThread @ 0x82E35CC7 -> HOOKED (Unknown @ 0x8791A960)
SSDT[19] : NtAllocateVirtualMemory @ 0x82E2ECBC -> HOOKED (Unknown @ 0x878BBAB0)
SSDT[22] : NtAlpcConnectPort @ 0x82E7A56E -> HOOKED (Unknown @ 0x86BC5218)
SSDT[43] : NtAssignProcessToJobObject @ 0x82E040BE -> HOOKED (Unknown @ 0x878D5BA0)
SSDT[74] : NtCreateMutant @ 0x82E1534C -> HOOKED (Unknown @ 0x879279C0)
SSDT[86] : NtCreateSymbolicLinkObject @ 0x82E069C6 -> HOOKED (Unknown @ 0x878D5920)
SSDT[87] : NtCreateThread @ 0x82EE0FE2 -> HOOKED (Unknown @ 0x8791D898)
SSDT[88] : NtCreateThreadEx @ 0x82E7549B -> HOOKED (Unknown @ 0x878D59F0)
SSDT[96] : NtDebugActiveProcess @ 0x82EB2EAA -> HOOKED (Unknown @ 0x8792C918)
SSDT[111] : NtDuplicateObject @ 0x82E36761 -> HOOKED (Unknown @ 0x86CB8C80)
SSDT[131] : NtFreeVirtualMemory @ 0x82CBD81C -> HOOKED (Unknown @ 0x878BB8C8)
SSDT[145] : NtImpersonateAnonymousToken @ 0x82DFA962 -> HOOKED (Unknown @ 0x87927A90)
SSDT[147] : NtImpersonateThread @ 0x82E7E962 -> HOOKED (Unknown @ 0x8791A868)
SSDT[155] : NtLoadDriver @ 0x82DCAC32 -> HOOKED (Unknown @ 0x86B29170)
SSDT[168] : NtMapViewOfSection @ 0x82E4B5F1 -> HOOKED (Unknown @ 0x87915B40)
SSDT[177] : NtOpenEvent @ 0x82E14D48 -> HOOKED (Unknown @ 0x87927900)
SSDT[190] : NtOpenProcess @ 0x82E16B93 -> HOOKED (Unknown @ 0x8792A8E0)
SSDT[191] : NtOpenProcessToken @ 0x82E6936F -> HOOKED (Unknown @ 0x86CB8C00)
SSDT[194] : NtOpenSection @ 0x82E6E9EB -> HOOKED (Unknown @ 0x8792CAE0)
SSDT[198] : NtOpenThread @ 0x82E630EE -> HOOKED (Unknown @ 0x86CB8D50)
SSDT[215] : NtProtectVirtualMemory @ 0x82E47651 -> HOOKED (Unknown @ 0x878D5AD0)
SSDT[304] : NtResumeThread @ 0x82E756C2 -> HOOKED (Unknown @ 0x8791AA20)
SSDT[316] : NtSetContextThread @ 0x82EE2851 -> HOOKED (Unknown @ 0x879158F0)
SSDT[333] : NtSetInformationProcess @ 0x82E3D875 -> HOOKED (Unknown @ 0x879159B0)
SSDT[350] : NtSetSystemInformation @ 0x82E5337A -> HOOKED (Unknown @ 0x8792C9D8)
SSDT[366] : NtSuspendProcess @ 0x82EE2CDF -> HOOKED (Unknown @ 0x8792CBA0)
SSDT[367] : NtSuspendThread @ 0x82E9A19B -> HOOKED (Unknown @ 0x8791AAE0)
SSDT[370] : NtTerminateProcess @ 0x82E5FD86 -> HOOKED (Unknown @ 0x8791D978)
SSDT[371] : unknown @ 0x82E7D69B -> HOOKED (Unknown @ 0x8791ABA0)
SSDT[385] : NtUnmapViewOfSection @ 0x82E699AA -> HOOKED (Unknown @ 0x87915A80)
SSDT[399] : NtWriteVirtualMemory @ 0x82E64A83 -> HOOKED (Unknown @ 0x878BB998)
S_SSDT[318] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8743D078)
S_SSDT[402] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x87438078)
S_SSDT[434] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x86CD9248)
S_SSDT[436] : NtUserGetKeyState -> HOOKED (Unknown @ 0x86B855C8)
S_SSDT[448] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x86CDE008)
S_SSDT[490] : NtUserMessageCall -> HOOKED (Unknown @ 0x86CE6088)
S_SSDT[508] : NtUserPostMessage -> HOOKED (Unknown @ 0x86CE2080)
S_SSDT[509] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x86CE4088)
S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x86CDD0C8)
S_SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8669B3B8)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKX-603CA0 ATA Device +++++
--- User ---
[MBR] 3df67d4cfd5ca7ce9bea0f1512f99f0e
[BSP] 2310f4ebb28028db18690506c4aea7bb : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_05012013_02d1328.txt >>
RKreport[1]_S_05012013_02d1327.txt ; RKreport[2]_D_05012013_02d1328.txt
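The three logs above are read by hand in this thread. As an added example (not part of the original post, and not code from HijackThis, AdwCleaner or RogueKiller), the following Python script applies a first-pass triage to HJT-style "Oxx - " lines: it flags orphaned entries marked "(file missing)", Run entries launching from a user profile or temp path, O15 Trusted Zone additions, O16 ActiveX downloads over plain HTTP, a populated O20 AppInit_DLLs value, and O23 services with no publisher. The sample lines are copied from the HijackThis log above, except the O4 "updater" line, which is constructed here to exercise the user-profile rule; the rules themselves are this example's assumptions about what deserves a second look, not the tools' own logic.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted above, plus one
# constructed O4 line ("[updater] ... Temp\upd.exe") that is NOT in the posted
# log; it is here only to exercise the user-profile rule below.
SAMPLE_LOG = r"""
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll" (file missing)
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [updater] C:\Users\End User\AppData\Local\Temp\upd.exe
O9 - Extra button: Fantapper - {AB745E88-1BAD-4B80-A83E-7C964EAC9804} - C:\Program Files\Brand Affinity Technologies\Fantapper Player\\IEInstaller.dll (file missing) (HKCU)
O15 - Trusted Zone: *.harleysvillegroup.com
O15 - Trusted Zone: http://www.qqsolutions.com
O16 - DPF: {B52058E9-B6DD-11D3-AFDC-005004A74E81} (qqRegister Control) - http://www.qqsolutions.com/web/webupdates/qqRegister.ocx
O20 - AppInit_DLLs:
O23 - Service: ShareFile Auto-update Service (SFUpdater) - Unknown owner - C:\Program Files\ShareFile\Updater\UpdateService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe
"""

# An HJT entry is "<section> - <body>", where section is R0/R1/F0/O2/O23 etc.
ENTRY = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")
# Paths that legitimate machine-wide autoruns rarely use (assumption for this example).
USER_PROFILE = re.compile(r"\\users\\|\\temp\\|\\appdata\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Split an HJT-style log into (section, body, full line) tuples."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            out.append((m.group("section"), m.group("body"), line))
    return out


def triage(text):
    """Apply the review rules and return the entries worth a second look."""
    findings = []
    for section, body, line in parse_entries(text):
        if "(file missing)" in body:
            findings.append(Finding(section, "orphaned entry: target file no longer exists", line))
        if section == "O4" and USER_PROFILE.search(body):
            findings.append(Finding(section, "autorun launching from a user profile or temp path", line))
        if section == "O15":
            findings.append(Finding(section, "site in IE Trusted Zone (relaxed security settings)", line))
        if section == "O16":
            # The download URL is the last " - " separated field of a DPF entry.
            url = body.rsplit(" - ", 1)[-1]
            if url.lower().startswith("http://"):
                findings.append(Finding(section, "ActiveX control fetched over plain HTTP", line))
        if section == "O20":
            # "AppInit_DLLs:" followed by nothing is the clean state.
            if body.split(":", 1)[1].strip():
                findings.append(Finding(section, "AppInit_DLLs set (loaded into every user32 process)", line))
        if section == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(section, "service with no publisher information", line))
    return findings


def counts_by_section(findings):
    """Summarise findings as {section: count} for a quick overview."""
    totals = {}
    for f in findings:
        totals[f.section] = totals.get(f.section, 0) + 1
    return totals


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run it as a script to print the flagged lines. The Intel igfxpers.exe "Persistence" autorun and the Symantec-owned service pass through untouched, which is the point: the rules key on where and how something loads, not on its name.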


 





#2 pnbsoup (Topic Starter)

Posted 01 May 2013 - 03:08 PM

Can anyone help me with my above-mentioned logs? I appreciate the help!



#3 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 04 May 2013 - 03:39 AM


Hello pnbsoup

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have taken the time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 pnbsoup (Topic Starter)

Posted 06 May 2013 - 12:43 PM

Gringo -

I appreciate your help, but I'm being helped on my other post. Or if you could take a look at that post as well, that would be awesome!!! I was asked to run OTL and to post logs.

Appreciate your help!

pnbsoup



#5 gringo_pr (Bleepin Gringo, Malware Response Team)
  • Local time:09:53 PM

Posted 06 May 2013 - 03:40 PM

Thank you for letting me know.


gringo

#6 pnbsoup (Topic Starter)
  • Local time:08:53 PM

Posted 08 May 2013 - 03:34 PM

Sorry Gringo

Think you could help me out with the above mentioned post...below is the lastest log from combofix..I previously indicated that i was not getting the advertisements over the articles any more but actually I am..On my computer I use company's rating systems and when and I go to log in to these systems I need to enter login and password information. The login and password looks a little distorted the login and password box is outlined in bold, its not usually like this....Also when I go and look at list of quotes that i've done, the heading's (name, eff. date, exp date, etc) is all distorted, it should be read straight across instead its in paragraph form.  This only happens when i use Internet Explorer...I do not use Firefox on company websites, for its not compatible.  I do not use Chrome either, again b/c its not compatible....For another company's website login and password boxes were not on my screen, instead I get a link to update internet explorer...I know its not the website b/c when I use another computer its okay and could login from that computer...Also,  when I enter password there is like an icon that looks like an eyebrow over an eye..

 

Please, I appreciate your help on this!!!

 

Below is my ComboFix log....

 

ComboFix 13-05-08.02 - End User 05/08/2013   9:35.2.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3494.2284 [GMT -4:00]
Running from: c:\users\End User\Downloads\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\End User\AppData\Local\assembly\tmp
c:\users\End User\g2mdlhlpx.exe
c:\users\End User\RDesktop1225.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-08 to 2013-05-08  )))))))))))))))))))))))))))))))
.
.
2013-05-08 13:39 . 2013-05-08 13:39 -------- d-----w- c:\users\End User\AppData\Local\temp
2013-05-08 13:39 . 2013-05-08 13:39 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-05-08 13:39 . 2013-05-08 13:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-07 21:06 . 2013-05-07 21:06 -------- d-----w- c:\program files\Common Files\Java
2013-05-07 21:06 . 2013-05-07 21:06 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-07 21:06 . 2013-05-07 21:06 -------- d-----w- c:\program files\Java
2013-05-07 20:56 . 2013-05-07 20:56 -------- d-----w- c:\programdata\McAfee
2013-05-07 14:20 . 2013-05-07 14:20 -------- d-----w- c:\users\End User\AppData\Roaming\pdfforge
2013-05-07 14:20 . 2012-05-05 15:54 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2013-05-07 14:19 . 2013-04-09 19:13 95416 ----a-w- c:\windows\system32\pdfcmon.dll
2013-05-07 14:19 . 2013-05-07 14:20 -------- d-----w- c:\program files\PDFCreator
2013-05-07 14:19 . 2013-05-07 14:19 -------- d-----w- c:\users\End User\AppData\Roaming\OpenCandy
2013-05-07 14:19 . 2012-05-05 15:54 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2013-05-03 16:43 . 2013-05-03 16:43 -------- d-----w- C:\N360_BACKUP
2013-04-30 21:19 . 2013-04-30 21:19 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-24 13:22 . 2013-04-12 13:45 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-16 14:15 . 2013-04-17 13:10 -------- d-----w- c:\windows\system32\drivers\N360\1403010.016
2013-04-10 13:41 . 2013-03-01 03:09 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-04-10 13:40 . 2013-01-24 04:47 196328 ----a-w- c:\windows\system32\drivers\fvevol.sys
2013-04-10 13:40 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 13:40 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-10 13:40 . 2013-03-19 04:48 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-10 13:40 . 2013-03-19 02:49 69632 ----a-w- c:\windows\system32\smss.exe
2013-04-10 13:39 . 2013-02-15 04:37 3217408 ----a-w- c:\windows\system32\mstscax.dll
2013-04-10 13:39 . 2013-02-15 04:34 131584 ----a-w- c:\windows\system32\aaclient.dll
2013-04-10 13:39 . 2013-02-15 03:25 36864 ----a-w- c:\windows\system32\tsgqec.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-07 21:06 . 2012-05-07 17:35 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-07 21:06 . 2011-12-30 20:22 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-12 13:16 . 2012-04-05 13:04 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-12 13:16 . 2011-12-30 20:21 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-04 18:50 . 2012-07-19 19:18 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-12 04:48 . 2013-03-13 13:41 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 13:41 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-12 03:32 . 2013-03-20 20:13 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-04-12 14:43 . 2013-04-12 14:43 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SecureOfficeIconOverlay]
@="{419B6A44-1B3E-4AB2-A14D-5D1B95C57BA5}"
[HKEY_CLASSES_ROOT\CLSID\{419B6A44-1B3E-4AB2-A14D-5D1B95C57BA5}]
2012-02-15 21:11 287816 ----a-w- c:\program files\Voltage Security\Voltage SecureFile\SecureOfficeIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-01-27 9914984]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-21 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-21 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-21 176408]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-10-26 74752]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Voltage Encryption Manager.lnk - c:\program files\Common Files\Voltage Security\VSManager2.exe [2012-2-15 1188936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.361.0\BBSvc.exe [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1403010.016\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1403010.016\SYMEFA.SYS [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130502.001\BHDrvx86.sys [x]
S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\1403010.016\ccSetx86.sys [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130507.001\IDSvix86.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1403010.016\Ironx86.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360\1403010.016\SYMNETS.SYS [x]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe [x]
S2 PDF Architect Helper Service;PDF Architect Helper Service;c:\program files\PDF Architect\HelperService.exe [x]
S2 PDF Architect Service;PDF Architect Service;c:\program files\PDF Architect\ConversionService.exe [x]
S2 SFUpdater;ShareFile Auto-update Service;c:\program files\ShareFile\Updater\UpdateService.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.361.0\SeaPort.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
S3 rdsdrvdm;rdsdrvdm;c:\windows\system32\DRIVERS\rdsdrvdm.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ    HPSLPSVC
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-10 18:44 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 13:16]
.
2013-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-28 13:11]
.
2013-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-28 13:11]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: harleysvillegroup.com
Trusted Zone: qqsolutions.com\www
TCP: DhcpNameServer = 66.80.130.23 64.7.11.2
DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} - hxxps://accesscl.harleysvillegroup.com/aqs.advantage.client/system/cab/sstree.cab
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxps://accesscl.harleysvillegroup.com/aqs.advantage.client/system/CAB/iemenu.cab
DPF: {81F0C919-AB0B-4F5C-932D-5CEEF05879E9} - hxxps://www.imoncall.com/go/iitloader.cab
DPF: {B52058E9-B6DD-11D3-AFDC-005004A74E81} - hxxp://www.qqsolutions.com/web/webupdates/qqRegister.ocx
FF - ProfilePath - c:\users\End User\AppData\Roaming\Mozilla\Firefox\Profiles\8mtigf06.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=827316&p=
FF - ExtSQL: !HIDDEN! 2012-01-04 10:34; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.3.1.22\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-05-08  09:41:43
ComboFix-quarantined-files.txt  2013-05-08 13:41
.
Pre-Run: 446,250,958,848 bytes free
Post-Run: 445,704,826,880 bytes free
.
- - End Of File - - 0C3FB60A059CB76BE85CC07AF839B001



#7 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 May 2013 - 05:20 PM


Hello pnbsoup

Download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First, press the Scan button.
  • It will make a log (FRST.txt).
  • Second, type the following in the edit box after "Search:": services.exe
  • Click the Search button.
  • It will make a log (Search.txt).
I want you to post both the FRST.txt report and the Search.txt into your reply to me.

Gringo
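A defender-side way to read the FRST Services and Drivers sections requested above, as an added example (this is not part of the post and is not code from Farbar's tool): the parser below reads lines in the layout FRST prints (`S2 name; path [size date] (Publisher)` or `[x]` when the file is absent) and flags the three things a malware-removal helper usually reviews first: an entry with no publisher recorded, an image loading from a Temp directory, and an image that is no longer on disk. The sample lines are constructed for the example and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the layout FRST uses for its Services/Drivers
# sections (values chosen for illustration, not copied from a real scan).
SAMPLE_FRST_LINES = """\
S2 MBAMService; C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 SFUpdater; C:\\Program Files\\ShareFile\\Updater\\UpdateService.exe [24576 2012-07-11] ()
S3 catchme; \\??\\C:\\Users\\ENDUSE~1\\AppData\\Local\\Temp\\catchme.sys [x]
S1 SymNetS; C:\\Windows\\System32\\Drivers\\N360\\1403010.016\\SYMNETS.SYS [338592 2013-01-30] (Symantec Corporation)
"""

# One FRST service/driver line: start type, name, image path, [size date] or [x],
# and an optional "(Publisher)" where an empty "()" means no publisher was recorded.
LINE_RE = re.compile(
    r"^(?P<start>[SR]\d)\s+"          # start type, e.g. S2 (auto), S3 (manual), S0/S1 (boot/system)
    r"(?P<name>[^;]+);\s+"            # service or driver name, terminated by ';'
    r"(?P<path>.+?)\s+"               # image path (may contain spaces), matched lazily
    r"\[(?P<meta>[^\]]*)\]"           # "[size date]" or "[x]" when the file is missing
    r"(?:\s+\((?P<signer>[^)]*)\))?"  # optional "(Publisher)"; absent for [x] lines
    r"\s*$"
)


@dataclass
class Finding:
    start: str
    name: str
    path: str
    reasons: List[str]


def parse_line(line: str) -> Optional[dict]:
    """Return the named groups of one FRST entry, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_entry(entry: dict) -> List[str]:
    """List the review reasons for one parsed entry (empty list = nothing to flag)."""
    reasons: List[str] = []
    if entry["meta"].strip() == "x":
        reasons.append("file not present on disk")
    if "\\temp\\" in entry["path"].lower():
        reasons.append("image loads from a temp directory")
    if not (entry["signer"] or "").strip():
        reasons.append("no publisher recorded")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse FRST Services/Drivers lines and return only the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # section headers, blank lines, other log sections
        reasons = review_entry(entry)
        if reasons:
            findings.append(Finding(entry["start"], entry["name"].strip(), entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES):
        print(f"{f.start} {f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

A flagged entry is a prompt to look, not a verdict: a missing publisher often just means an unsigned third-party updater, and a driver left in Temp by a scanning tool is a common leftover. The value of the parser is that it narrows a long log to the few lines a helper needs to judge by hand.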

#8 pnbsoup

  • Topic Starter

  • Members
  • 85 posts

Posted 09 May 2013 - 08:33 AM

Gringo -

I appreciate you helping me out with this....Below are the logs that you requested...

 

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 08-05-2013
Ran by SYSTEM on 09-05-2013 09:25:31
Running from F:\
Windows 7 Home Premium Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [9914984 2011-01-26] (Realtek Semiconductor)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" [74752 2011-10-26] (Nullsoft, Inc.)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Winlogon: [System]
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Voltage Encryption Manager.lnk
ShortcutTarget: Voltage Encryption Manager.lnk -> C:\Program Files\Common Files\Voltage Security\VSManager2.exe ()

========================== Services (Whitelisted) =================

S2 atashost; C:\Windows\system32\atashost.exe [134456 2012-09-19] (Cisco WebEx LLC)
S2 Intel® PROSet Monitoring Service; C:\Windows\system32\IProsetMonitor.exe [110752 2010-09-21] (Intel Corporation)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 N360; C:\Program Files\Norton 360\Engine\20.3.1.22\diMaster.dll [554288 2013-03-29] (Symantec Corporation)
S2 PDF Architect Helper Service; C:\Program Files\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
S2 PDF Architect Service; C:\Program Files\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
S2 SFUpdater; C:\Program Files\ShareFile\Updater\UpdateService.exe [24576 2012-07-11] ()

==================== Drivers (Whitelisted) ====================

S1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130502.001\BHDrvx86.sys [1000024 2013-04-12] (Symantec Corporation)
S1 ccSet_N360; C:\Windows\system32\drivers\N360\1403010.016\ccSetx86.sys [134304 2012-11-15] (Symantec Corporation)
S3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [238760 2011-01-03] (Intel Corporation)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-02-04] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-01-28] (Symantec Corporation)
S1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130507.001\IDSvix86.sys [386720 2012-12-20] (Symantec Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2011-01-23] (Intel Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130508.003\NAVENG.SYS [93296 2013-05-06] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130508.003\NAVEX15.SYS [1603824 2013-05-06] (Symantec Corporation)
S3 rdsdrvdm; C:\Windows\System32\DRIVERS\rdsdrvdm.sys [27648 2008-12-17] (01 Communique Laboratory Inc.)
S3 SRTSP; C:\Windows\System32\Drivers\N360\1403010.016\SRTSP.SYS [602712 2013-01-28] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\N360\1403010.016\SRTSPX.SYS [32344 2013-01-28] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\N360\1403010.016\SYMDS.SYS [367704 2013-01-21] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\N360\1403010.016\SYMEFA.SYS [934488 2013-01-30] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2012-12-20] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\N360\1403010.016\Ironx86.SYS [175264 2012-11-15] (Symantec Corporation)
S1 SymNetS; C:\Windows\System32\Drivers\N360\1403010.016\SYMNETS.SYS [338592 2013-01-30] (Symantec Corporation)
S3 catchme; \??\C:\Users\ENDUSE~1\AppData\Local\Temp\catchme.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-09 05:20 - 2013-05-09 05:20 - 00000000 ____D C:\10805d9c292ead624d
2013-05-09 05:13 - 2013-05-09 05:13 - 00000000 ____D C:\FRST
2013-05-09 05:12 - 2013-05-09 05:12 - 01313963 ____A (Farbar) C:\Users\End User\Downloads\FRST.exe
2013-05-08 05:41 - 2013-05-08 05:41 - 00012674 ____A C:\ComboFix.txt
2013-05-07 13:06 - 2013-05-07 13:06 - 00263584 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-05-07 13:06 - 2013-05-07 13:06 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-05-07 13:06 - 2013-05-07 13:06 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-05-07 13:06 - 2013-05-07 13:06 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-05-07 13:06 - 2013-05-07 13:06 - 00000000 ____D C:\Program Files\Java
2013-05-07 13:06 - 2013-05-07 13:06 - 00000000 ____D C:\Program Files\Common Files\Java
2013-05-07 13:00 - 2013-05-07 13:00 - 00903072 ____A (Oracle Corporation) C:\Users\End User\Downloads\jxpiinstall(3).exe
2013-05-07 12:56 - 2013-05-07 12:56 - 00000000 ____D C:\ProgramData\McAfee
2013-05-07 12:52 - 2013-05-07 12:52 - 00903072 ____A (Oracle Corporation) C:\Users\End User\Downloads\jxpiinstall(2).exe
2013-05-07 06:20 - 2013-05-07 06:20 - 00000985 ____A C:\Users\Public\Desktop\PDFCreator.lnk
2013-05-07 06:20 - 2013-05-07 06:20 - 00000000 ____D C:\Users\End User\AppData\Roaming\pdfforge
2013-05-07 06:20 - 2012-05-05 07:54 - 00137000 ____A (Microsoft Corporation) C:\Windows\System32\MSMAPI32.OCX
2013-05-07 06:19 - 2013-05-07 06:20 - 00000000 ____D C:\Program Files\PDFCreator
2013-05-07 06:19 - 2013-05-07 06:19 - 00000000 ____D C:\Users\End User\AppData\Roaming\OpenCandy
2013-05-07 06:19 - 2013-04-09 11:13 - 00095416 ____A (pdfforge GmbH) C:\Windows\System32\pdfcmon.dll
2013-05-07 06:19 - 2012-05-05 07:54 - 00023552 ____A (Microsoft Corporation) C:\Windows\System32\MSMPIDE.DLL
2013-05-07 06:14 - 2013-05-07 06:18 - 17502040 ____A (pdfforge GbR) C:\Users\End User\Downloads\PDFCreator-1_7_0_setup.exe
2013-05-06 05:06 - 2013-05-06 05:06 - 00602112 ____A (OldTimer Tools) C:\Users\End User\Downloads\OTL.scr
2013-05-03 10:22 - 2013-05-03 10:22 - 02347384 ____A (ESET) C:\Users\End User\Downloads\esetsmartinstaller_enu.exe
2013-05-03 09:25 - 2013-05-03 09:27 - 04745728 ____A (AVAST Software) C:\Users\End User\Downloads\aswMBR(1).exe
2013-05-03 09:21 - 2013-05-03 09:21 - 00688992 ____R (Swearware) C:\Users\End User\Downloads\dds(1).com
2013-05-03 08:43 - 2013-05-03 08:43 - 00000000 ____D C:\N360_BACKUP
2013-05-03 08:18 - 2013-05-03 08:18 - 00002368 ____A C:\{57140938-09A6-4E1B-86DF-84661EB4AD5A}
2013-05-01 09:22 - 2013-05-01 09:22 - 00816128 ____A C:\Users\End User\Downloads\RogueKiller.exe
2013-05-01 09:17 - 2013-05-01 09:18 - 00009090 ____A C:\AdwCleaner[S1].txt
2013-05-01 09:16 - 2013-05-01 09:16 - 00628743 ____A C:\Users\End User\Downloads\adwcleaner.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 14323200 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 13761024 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 02877440 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-30 13:20 - 2013-04-30 13:20 - 02046464 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 01766912 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 01441280 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-30 13:20 - 2013-04-30 13:20 - 01400416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2013-04-30 13:20 - 2013-04-30 13:20 - 01129984 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00745472 ____A (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00719360 ____A (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00690688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00629248 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00523264 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00493056 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00391168 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00361984 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2013-04-30 13:20 - 2013-04-30 13:20 - 00357888 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00242200 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00232960 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00185344 ____A (Microsoft Corporation) C:\Windows\System32\elshyph.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00150528 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00138752 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00137216 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00125440 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00117248 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00082432 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00079872 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00073728 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00069120 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00061952 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2013-04-30 13:20 - 2013-04-30 13:20 - 00061440 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00042496 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00039424 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00038400 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00023040 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00011776 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2013-04-30 13:19 - 2013-04-30 13:19 - 03419136 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 02284544 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 01988096 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 01504768 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 01247744 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 01230336 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 01158144 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 01080832 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00906240 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00604160 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00417792 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00364544 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00249856 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00207872 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00187392 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-04-30 13:16 - 2013-04-30 13:22 - 00007971 ____A C:\Windows\IE10_main.log
2013-04-24 05:22 - 2013-04-12 05:45 - 01211752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-12 06:43 - 2013-04-15 05:16 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-04-10 05:41 - 2013-02-28 19:09 - 02347008 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-10 05:40 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-04-10 05:40 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-10 05:40 - 2013-03-18 20:48 - 00038912 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-10 05:40 - 2013-03-18 18:49 - 00069632 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-10 05:40 - 2013-01-23 20:47 - 00196328 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys
2013-04-10 05:39 - 2013-02-14 20:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-04-10 05:39 - 2013-02-14 20:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-04-10 05:39 - 2013-02-14 19:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll

==================== One Month Modified Files and Folders ========

2013-05-09 05:20 - 2013-05-09 05:20 - 00000000 ____D C:\10805d9c292ead624d
2013-05-09 05:20 - 2011-12-31 07:02 - 00200640 ____A C:\Windows\msxml4-KB954430-enu.LOG
2013-05-09 05:20 - 2011-12-30 11:52 - 01759252 ____A C:\Windows\WindowsUpdate.log
2013-05-09 05:14 - 2009-07-13 20:34 - 00022064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-09 05:14 - 2009-07-13 20:34 - 00022064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-09 05:13 - 2013-05-09 05:13 - 00000000 ____D C:\FRST
2013-05-09 05:13 - 2012-07-17 05:06 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-09 05:13 - 2012-03-15 13:01 - 00000000 ____D C:\Users\End User\AppData\Roaming\Voltage
2013-05-09 05:12 - 2013-05-09 05:12 - 01313963 ____A (Farbar) C:\Users\End User\Downloads\FRST.exe
2013-05-09 05:11 - 2010-11-20 13:01 - 00730320 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-09 05:07 - 2012-08-28 05:11 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-09 05:07 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-09 05:07 - 2009-07-13 20:39 - 00048439 ____A C:\Windows\setupact.log
2013-05-08 13:09 - 2011-12-30 16:12 - 00000000 ____D C:\Users\End User\Documents\Outlook Files
2013-05-08 12:35 - 2012-08-28 05:11 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-08 12:17 - 2010-11-20 13:48 - 01116248 ____A C:\Windows\PFRO.log
2013-05-08 12:14 - 2012-03-02 08:15 - 00000000 ____D C:\QuickFL
2013-05-08 07:23 - 2012-04-05 05:04 - 00691592 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-05-08 07:23 - 2011-12-30 12:21 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-05-08 07:21 - 2011-12-30 12:22 - 00000000 ____D C:\ProgramData\Adobe
2013-05-08 05:41 - 2013-05-08 05:41 - 00012674 ____A C:\ComboFix.txt
2013-05-08 05:41 - 2012-07-19 10:07 - 00000000 ____D C:\Qoobox
2013-05-08 05:39 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini
2013-05-08 05:30 - 2012-07-19 10:05 - 05067786 ____R (Swearware) C:\Users\End User\Downloads\ComboFix.exe
2013-05-07 13:06 - 2013-05-07 13:06 - 00263584 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-05-07 13:06 - 2013-05-07 13:06 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-05-07 13:06 - 2013-05-07 13:06 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-05-07 13:06 - 2013-05-07 13:06 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-05-07 13:06 - 2013-05-07 13:06 - 00000000 ____D C:\Program Files\Java
2013-05-07 13:06 - 2013-05-07 13:06 - 00000000 ____D C:\Program Files\Common Files\Java
2013-05-07 13:06 - 2012-05-07 09:35 - 00866720 ____A (Oracle Corporation) C:\Windows\System32\npdeployJava1.dll
2013-05-07 13:06 - 2011-12-30 12:22 - 00788896 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-05-07 13:00 - 2013-05-07 13:00 - 00903072 ____A (Oracle Corporation) C:\Users\End User\Downloads\jxpiinstall(3).exe
2013-05-07 12:56 - 2013-05-07 12:56 - 00000000 ____D C:\ProgramData\McAfee
2013-05-07 12:52 - 2013-05-07 12:52 - 00903072 ____A (Oracle Corporation) C:\Users\End User\Downloads\jxpiinstall(2).exe
2013-05-07 12:50 - 2009-07-13 20:53 - 00032604 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-07 12:30 - 2012-01-03 14:02 - 00000000 ____D C:\Users\End User\Documents\My Scans
2013-05-07 07:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-05-07 06:20 - 2013-05-07 06:20 - 00000985 ____A C:\Users\Public\Desktop\PDFCreator.lnk
2013-05-07 06:20 - 2013-05-07 06:20 - 00000000 ____D C:\Users\End User\AppData\Roaming\pdfforge
2013-05-07 06:20 - 2013-05-07 06:19 - 00000000 ____D C:\Program Files\PDFCreator
2013-05-07 06:19 - 2013-05-07 06:19 - 00000000 ____D C:\Users\End User\AppData\Roaming\OpenCandy
2013-05-07 06:18 - 2013-05-07 06:14 - 17502040 ____A (pdfforge GbR) C:\Users\End User\Downloads\PDFCreator-1_7_0_setup.exe
2013-05-06 05:06 - 2013-05-06 05:06 - 00602112 ____A (OldTimer Tools) C:\Users\End User\Downloads\OTL.scr
2013-05-03 11:57 - 2012-01-04 07:18 - 00000000 ____D C:\Users\End User\AppData\Local\CrashDumps
2013-05-03 11:34 - 2011-12-30 11:52 - 00000000 ____D C:\Users\End User\AppData\Local\VirtualStore
2013-05-03 10:22 - 2013-05-03 10:22 - 02347384 ____A (ESET) C:\Users\End User\Downloads\esetsmartinstaller_enu.exe
2013-05-03 09:27 - 2013-05-03 09:25 - 04745728 ____A (AVAST Software) C:\Users\End User\Downloads\aswMBR(1).exe
2013-05-03 09:21 - 2013-05-03 09:21 - 00688992 ____R (Swearware) C:\Users\End User\Downloads\dds(1).com
2013-05-03 08:43 - 2013-05-03 08:43 - 00000000 ____D C:\N360_BACKUP
2013-05-03 08:18 - 2013-05-03 08:18 - 00002368 ____A C:\{57140938-09A6-4E1B-86DF-84661EB4AD5A}
2013-05-01 09:22 - 2013-05-01 09:22 - 00816128 ____A C:\Users\End User\Downloads\RogueKiller.exe
2013-05-01 09:18 - 2013-05-01 09:17 - 00009090 ____A C:\AdwCleaner[S1].txt
2013-05-01 09:16 - 2013-05-01 09:16 - 00628743 ____A C:\Users\End User\Downloads\adwcleaner.exe
2013-05-01 07:11 - 2012-07-19 11:18 - 00001063 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-01 07:11 - 2012-07-19 11:18 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-TW
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-HK
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-CN
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\tr-TR
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\sv-SE
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ru-RU
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pt-PT
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pt-BR
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pl-PL
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\nl-NL
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\nb-NO
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ko-KR
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ja-JP
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\it-IT
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\hu-HU
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\fr-FR
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\fi-FI
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\el-GR
2013-05-01 05:02 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\de-DE
2013-04-30 13:22 - 2013-04-30 13:16 - 00007971 ____A C:\Windows\IE10_main.log
2013-04-30 13:20 - 2013-04-30 13:20 - 14323200 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 13761024 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 02877440 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-30 13:20 - 2013-04-30 13:20 - 02046464 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 01766912 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 01441280 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-30 13:20 - 2013-04-30 13:20 - 01400416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2013-04-30 13:20 - 2013-04-30 13:20 - 01129984 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00745472 ____A (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00719360 ____A (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00690688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00629248 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00523264 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00493056 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00391168 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00361984 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2013-04-30 13:20 - 2013-04-30 13:20 - 00357888 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00242200 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00232960 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00185344 ____A (Microsoft Corporation) C:\Windows\System32\elshyph.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00150528 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00138752 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00137216 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00125440 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00117248 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00082432 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00079872 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00073728 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00069120 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00061952 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2013-04-30 13:20 - 2013-04-30 13:20 - 00061440 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00042496 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00039424 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00038400 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00023040 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2013-04-30 13:20 - 2013-04-30 13:20 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2013-04-30 13:20 - 2013-04-30 13:20 - 00011776 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2013-04-30 13:19 - 2013-04-30 13:19 - 03419136 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 02284544 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 01988096 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 01504768 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 01247744 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 01230336 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 01158144 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 01080832 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00906240 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00604160 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00417792 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00364544 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00249856 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00207872 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00187392 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-04-30 13:19 - 2013-04-30 13:19 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-04-19 06:41 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2013-04-17 05:11 - 2012-12-20 12:09 - 00000000 ____D C:\Windows\System32\Drivers\N360
2013-04-16 05:00 - 2012-04-25 05:19 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-04-15 05:16 - 2013-04-12 06:43 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-04-12 05:45 - 2013-04-24 05:22 - 01211752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-11 05:08 - 2009-07-13 20:33 - 00345360 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-10 23:03 - 2011-12-30 14:43 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-04-10 23:01 - 2011-12-31 07:22 - 70490256 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-10 10:44 - 2012-08-28 05:14 - 00002129 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-04-09 11:13 - 2013-05-07 06:19 - 00095416 ____A (pdfforge GmbH) C:\Windows\System32\pdfcmon.dll

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-05-01 06:49:25
Restore point made on: 2013-05-01 06:52:23
Restore point made on: 2013-05-01 13:03:27
Restore point made on: 2013-05-02 08:00:44
Restore point made on: 2013-05-02 13:00:35
Restore point made on: 2013-05-03 07:53:03
Restore point made on: 2013-05-03 12:58:43
Restore point made on: 2013-05-06 13:14:52
Restore point made on: 2013-05-07 12:42:19
Restore point made on: 2013-05-07 12:43:16
Restore point made on: 2013-05-07 12:43:47
Restore point made on: 2013-05-07 12:58:03
Restore point made on: 2013-05-07 13:05:34
Restore point made on: 2013-05-07 13:05:59
Restore point made on: 2013-05-07 13:07:34
Restore point made on: 2013-05-08 07:28:05
Restore point made on: 2013-05-08 12:12:02
Restore point made on: 2013-05-08 12:14:57
Restore point made on: 2013-05-08 13:10:42
Restore point made on: 2013-05-09 05:19:59

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 4004.46 MB
Available physical RAM: 3496.27 MB
Total Pagefile: 4002.75 MB
Available Pagefile: 3496.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.6 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:415.32 GB) NTFS
Drive f: () (Fixed) (Total:37.23 GB) (Free:36.26 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 475B5162)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=466 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 37 GB) (Disk ID: D786E6AE)
Partition 1: (Active) - (Size=37 GB) - (Type=0C)


Last Boot: 2013-05-07 07:20

==================== End Of Log ============================

And Search.txt

Farbar Recovery Scan Tool (x86) Version: 08-05-2013
Ran by SYSTEM at 2013-05-09 09:26:52
Running from F:\
Boot Mode: Recovery

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\erdnt\cache\services.exe
[2012-07-19 10:23] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===



#9 pnbsoup

pnbsoup
  • Topic Starter

  • Members
  • 85 posts
  • Local time:08:53 PM

Posted 09 May 2013 - 03:59 PM

..



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:53 PM

Posted 09 May 2013 - 04:37 PM



Hello pnbsoup



Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt.

C:\Users\End User\AppData\Roaming\OpenCandy

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before, but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 pnbsoup

pnbsoup
  • Topic Starter

  • Members
  • 85 posts
  • Local time:08:53 PM

Posted 10 May 2013 - 08:39 AM

Below is the new log...


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 08-05-2013
Ran by SYSTEM at 2013-05-10 09:34:57 Run:1
Running from F:\
Boot Mode: Recovery

==============================================

C:\Users\End User\AppData\Roaming\OpenCandy => Moved successfully.

==== End of Fixlog ====



#12 pnbsoup

pnbsoup
  • Topic Starter

  • Members
  • 85 posts
  • Local time:08:53 PM

Posted 10 May 2013 - 08:44 AM

Gringo -

When I went to a website to input my login/password information, this is what was there: "To get a free copy of Internet Explorer, download from Microsoft."

Thanks!


pnbsoup



#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:53 PM

Posted 10 May 2013 - 12:11 PM

I am not understanding what you are seeing - can you show me a screen shot?


gringo

#14 pnbsoup

pnbsoup
  • Topic Starter

  • Members
  • 85 posts
  • Local time:08:53 PM

Posted 10 May 2013 - 12:26 PM

When I do a screen shot it does not allow me to do this... The webpage that asks me for my login/password info is not there; instead the following appears: "To get a free copy of Internet Explorer, download from Microsoft." I'll try to get a screen shot...



#15 pnbsoup

pnbsoup
  • Topic Starter

  • Members
  • 85 posts
  • Local time:08:53 PM

Posted 10 May 2013 - 12:36 PM





