Malware redirecting browser


  • This topic is locked
24 replies to this topic

#1 earlbot (Members, 12 posts)

Posted 26 June 2013 - 10:39 AM

I have tried everything that I know to remove this malware but I have not been successful.  Fairly sure that it came from a fake GEDCOM viewer file that I downloaded.  Anyway, here is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 11:38:44 AM, on 6/26/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16611)
 
FIREFOX: 21.0 (en-US)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Plustek\Plustek OpticPro A320\DocuAction.exe
C:\Users\wrobinson\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Users\wrobinson\Desktop\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wilson-co.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wilson-co.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\bin\IPS\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MIF5BA~1\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PIconStartup.exe" -startup
O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe"
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\Windows\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1377569590-3452105914-1722782537-21653\..\Run: [GoogleChromeAutoLaunch_01A486AD6EA2C8E674FD04EAE66C7CC6] "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window (User 'wrobinson')
O4 - S-1-5-21-1377569590-3452105914-1722782537-21653 Startup: Dropbox.lnk = C:\Users\wrobinson\AppData\Roaming\Dropbox\bin\Dropbox.exe (User 'wrobinson')
O4 - S-1-5-21-1377569590-3452105914-1722782537-21653 User Startup: Dropbox.lnk = C:\Users\wrobinson\AppData\Roaming\Dropbox\bin\Dropbox.exe (User 'wrobinson')
O4 - Global Startup: DocAction (Plustek OpticPro A320).lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MIF5BA~1\Office14\ONBttnIE.dll/105
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wilson-co.com
O17 - HKLM\Software\..\Telephony: DomainName = wilson-co.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wilson-co.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wilson-co.com
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: SEP - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll (file missing)
O20 - Winlogon Notify: spba - C:\Program Files\Common Files\SPBA\homefus2.dll
O23 - Service: ABBYY FineReader 9.0 Sprint Licensing Service (ABBYY.Licensing.FineReader.Sprint.9.0) - ABBYY - C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Numara Asset Management Platform Agent - Numara ® Software, Inc. - C:\Program Files\Numara Software\Numara AMP\Client\bin\mtxagent.exe
O23 - Service: RoxMediaDB12OEM - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe
O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Endpoint Protection (SepMasterService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.34 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
 
--
End of file - 12683 bytes
 

Thank you for your help!

#2 gringo_pr, Bleepin Gringo (Malware Response Team, 136,773 posts, Puerto Rico)

Posted 27 June 2013 - 12:38 AM


Hello earlbot

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 earlbot (Topic Starter, Members, 12 posts)

Posted 27 June 2013 - 08:40 AM

I had tried AdwCleaner before and had no luck with it (the browser was still being redirected).  Here is the logfile from that
 
# AdwCleaner v2.303 - Logfile created 06/18/2013 at 17:58:26
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : cjones - GENEAOLOGYDESK
# Boot Mode : Normal
# Running from : C:\Users\wrobinson\Downloads\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
 
***** [Registry] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v10.0.9200.16611
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v20.0.1 (en-US)
 
File : C:\Users\cjones\AppData\Roaming\Mozilla\Firefox\Profiles\ovg9ug6u.default\prefs.js
 
[OK] File is clean.
 
File : C:\Users\rrains\AppData\Roaming\Mozilla\Firefox\Profiles\jnp59epn.default\prefs.js
 
[OK] File is clean.
 
File : C:\Users\dsnider\AppData\Roaming\Mozilla\Firefox\Profiles\lu3p099q.default\prefs.js
 
[OK] File is clean.
 
File : C:\Users\wrobinson\AppData\Roaming\Mozilla\Firefox\Profiles\yrbnjtcm.default\prefs.js
 
C:\Users\wrobinson\AppData\Roaming\Mozilla\Firefox\Profiles\yrbnjtcm.default\user.js ... Deleted !
 
[OK] File is clean.
 
File : C:\Users\Geneaology Desk\AppData\Roaming\Mozilla\Firefox\Profiles\d2bepn98.default\prefs.js
 
[OK] File is clean.
 
-\\ Google Chrome v27.0.1453.110
 
File : C:\Users\cjones\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
File : C:\Users\wrobinson\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
Deleted [l.2166] : homepage = "hxxp://isearch.avg.com/?cid={3AE9056F-7F32-4F36-83CE-0790FB851142}&mid=adf03ff8a42c4[...]
 
*************************
 
AdwCleaner[R1].txt - [1975 octets] - [18/06/2013 17:56:12]
AdwCleaner[S1].txt - [1897 octets] - [18/06/2013 17:58:26]
 
########## EOF - \AdwCleaner[S1].txt - [1957 octets] ##########
 

 



#4 earlbot (Topic Starter, Members, 12 posts)

Posted 27 June 2013 - 08:43 AM

Since I used the Junkware removal tool I have not had any redirections of my browser.  Here is the logfile

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Professional x86
Ran by cjones on Thu 06/27/2013 at  9:13:37.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll
 
 
 
~~~ Folders
 
 
 
~~~ FireFox
 
Emptied folder: C:\Users\cjones\AppData\Roaming\mozilla\firefox\profiles\ovg9ug6u.default\minidumps [10 files]
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 06/27/2013 at  9:16:51.91
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

 



#5 earlbot (Topic Starter, Members, 12 posts)

Posted 27 June 2013 - 09:16 AM

I just realized that the junkware removal tool causes my profile to switch to the administrators so it just scans and cleans the administrators profile.  My personal profile is still having the same redirection problems.  Is there a way to get it to stay in my profile?



#6 gringo_pr, Bleepin Gringo (Malware Response Team, 136,773 posts, Puerto Rico)

Posted 27 June 2013 - 12:54 PM


Hello earlbot

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#7 earlbot (Topic Starter, Members, 12 posts)

Posted 27 June 2013 - 03:18 PM

Unfortunately combofix does the same thing (switches to the administrator user) that it did with Junkware.  Thus my browsers are still redirected.
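The symptom earlbot describes in posts #5 and #7 (the tool "switches to the administrator user") is what happens when a standard user answers the UAC prompt with another account's credentials: the elevated process runs as that account, so HKCU and %USERPROFILE% now point at the admin's hive and folders, and anything keyed on the current user (HKCU\...\Run, IE Start Page, the admin's own browser profile) is scanned and "cleaned" for the wrong person. File-based sweeps such as AdwCleaner's still walk every profile under C:\Users, which is why its log above reached wrobinson's user.js and Chrome Preferences. The script below is an added example, not code from the thread or from any of the tools discussed: it prints which account the elevated process actually is, then walks every local profile from ProfileList and reports the same start-page locations the thread's logs keep pointing at. It assumes (my assumptions, not the thread's) Windows 7 or later with PowerShell 3.0+, profile folders as recorded in ProfileList, and default Firefox and Chrome profile paths.

```powershell
# Added example (not from the thread, not from HijackThis/AdwCleaner/JRT/ComboFix/FRST).
# Per-user sweep of browser start-page settings across ALL local profiles, run
# from an elevated PowerShell. Assumptions: Windows 7+ with PowerShell 3.0+
# (ConvertFrom-Json, Get-ChildItem -Directory), default Firefox/Chrome paths.

# 1. Whose HKCU does this elevated process see? If the UAC prompt was answered
#    with another admin's credentials, HKCU is THAT account's hive.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as {0} (SID {1}); HKCU in this process belongs to that SID" -f $me.Name, $me.User.Value

# 2. Every local user profile, from ProfileList (SID -> profile folder).
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profiles = foreach ($k in Get-ChildItem $profileList) {
    $sid = $k.PSChildName
    if ($sid -notlike 'S-1-5-21-*') { continue }          # skip LOCAL/NETWORK SERVICE etc.
    $dir = (Get-ItemProperty $k.PSPath).ProfileImagePath
    [pscustomobject]@{ Sid = $sid; Dir = [Environment]::ExpandEnvironmentVariables($dir) }
}

foreach ($p in $profiles) {
    "`n=== $($p.Dir) ($($p.Sid)) ==="

    # 3. Per-user registry, read through HKEY_USERS\<SID>. The hive is mounted
    #    only while that user is logged on; an offline hive would need reg.exe load.
    $hku = "Registry::HKEY_USERS\$($p.Sid)"
    if (Test-Path $hku) {
        $ieMain = Get-ItemProperty "$hku\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
        "  IE Start Page       : $($ieMain.'Start Page')"
        "  IE Default_Page_URL : $($ieMain.Default_Page_URL)"
        # HKCU\...\Run persistence: exactly what an admin-context scan never sees.
        $run = Get-ItemProperty "$hku\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run) {
            foreach ($v in $run.PSObject.Properties) {
                if ($v.Name -notlike 'PS*') { "  HKU Run: [$($v.Name)] $($v.Value)" }
            }
        }
    } else {
        "  (hive not loaded: user not logged on; per-user Run/IE keys not visible)"
    }

    # 4. Firefox: user.js is re-applied over prefs.js on every start, so a
    #    homepage/search override placed there survives changes made in the UI.
    $ffRoot = Join-Path $p.Dir 'AppData\Roaming\Mozilla\Firefox\Profiles'
    if (Test-Path $ffRoot) {
        foreach ($prof in Get-ChildItem $ffRoot -Directory) {
            $userJs = Join-Path $prof.FullName 'user.js'
            if (Test-Path $userJs) {
                "  Firefox $($prof.Name): user.js PRESENT (not created by a normal install)"
                Select-String -Path $userJs -Pattern 'homepage|startup|keyword|search' |
                    ForEach-Object { '      ' + $_.Line.Trim() }
            }
            $prefsJs = Join-Path $prof.FullName 'prefs.js'
            if (Test-Path $prefsJs) {
                Select-String -Path $prefsJs -Pattern 'browser\.startup\.homepage' |
                    ForEach-Object { "  Firefox $($prof.Name): " + $_.Line.Trim() }
            }
        }
    }

    # 5. Chrome: start page and search engine live in a per-profile JSON file,
    #    which is why a file-walking sweep finds them regardless of which
    #    account the tool was elevated into.
    $chromePrefs = Join-Path $p.Dir 'AppData\Local\Google\Chrome\User Data\Default\Preferences'
    if (Test-Path $chromePrefs) {
        $json = Get-Content $chromePrefs -Raw | ConvertFrom-Json
        "  Chrome homepage     : $($json.homepage)"
        "  Chrome startup URLs : $($json.session.startup_urls -join ', ')"
        "  Chrome search URL   : $($json.default_search_provider.search_url)"
    }
}
```

Run it once elevated and compare the first line with the profile you expect to be cleaning; if the SID differs from the logged-on user's, every HKCU-keyed finding below belongs to the other account. The Chrome key names match the 2013-era Preferences layout seen in the AdwCleaner log above; newer Chrome builds store the default search engine under a different key, so treat that field as best-effort on current versions. A hive that is not loaded shows up as such rather than silently reporting nothing, which is the failure mode that made JRT and ComboFix look clean here.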



#8 gringo_pr, Bleepin Gringo (Malware Response Team, 136,773 posts, Puerto Rico)

Posted 27 June 2013 - 09:39 PM


Hello earlbot



Please download Farbar Recovery Scan Tool and save it to your desktop.


Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Gringo

#9 gringo_pr, Bleepin Gringo (Malware Response Team, 136,773 posts, Puerto Rico)

Posted 30 June 2013 - 12:06 PM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo

#10 earlbot (Topic Starter, Members, 12 posts)

Posted 01 July 2013 - 08:22 AM

Hey, I'm back.  Still having problems with the browsers redirecting.  Here is the first Farbar log, and I have attached the Addition log.

 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-07-2013 01
Ran by wrobinson (ATTENTION: The logged in user is not administrator) on 01-07-2013 09:15:33
Running from C:\Users\wrobinson\Downloads
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) ===================
 
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
() C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
() C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgui.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(NewSoft Technology Corporation) C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
() C:\Program Files\Plustek\Plustek OpticPro A320\DocuAction.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-06-22] (Analog Devices, Inc.)
HKLM\...\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PIconStartup.exe" -startup [104960 2010-05-21] ()
HKLM\...\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2009-07-06] (CyberLink Corp.)
HKLM\...\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-04-29] (CyberLink Corp.)
HKLM\...\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM\...\Run: [Desktop Disc Tool] "C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-02] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2011-12-08] (Apple Inc.)
HKLM\...\Run: [WrtMon.exe] C:\Windows\system32\spool\drivers\w32x86\3\WrtMon.exe [20480 2007-07-18] ()
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-29] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [X]
HKCU\...\Run: [GoogleChromeAutoLaunch_01A486AD6EA2C8E674FD04EAE66C7CC6] "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window [825808 2013-06-14] (Google Inc.)
HKCU\...\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun [1174016 2010-11-20] (Microsoft Corporation)
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] %SystemRoot%\system32\shell32.dll ATTENTION! ====> ZeroAccess?
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] %SystemRoot%\system32\shell32.dll ATTENTION! ====> ZeroAccess?
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\ProgramData\Start Menu\Programs\Startup\DocAction (Plustek OpticPro A320).lnk
ShortcutTarget: DocAction (Plustek OpticPro A320).lnk -> C:\Program Files\Plustek\Plustek OpticPro A320\DocuAction.exe ()
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USREL/1
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\bin\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MIF5BA~1\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Winsock: Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.16.10.23 10.16.10.30
 
FireFox:
========
FF ProfilePath: C:\Users\wrobinson\AppData\Roaming\Mozilla\Firefox\Profiles\yrbnjtcm.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.25.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Unit Layers - C:\Users\wrobinson\AppData\Roaming\Mozilla\Firefox\Profiles\yrbnjtcm.default\Extensions\gnzeaty@tkbgrszrmflnue.com
FF Extension: feedly - C:\Users\wrobinson\AppData\Roaming\Mozilla\Firefox\Profiles\yrbnjtcm.default\Extensions\feedly@devhd.xpi
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFFPlgn\
FF Extension: Symantec Intrusion Prevention - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFFPlgn\
 
Chrome: 
=======
CHR HomePage: hxxp://isearch.avg.com/?cid={3AE9056F-7F32-4F36-83CE-0790FB851142}&mid=adf03ff8a42c47d088ef012ea3c2c92e-92285248aaed9740705cbc82fd2485ed4a4ae75d&lang=en&ds=AVG&pr=fr&d=2012-12-13 10:27:11&v=13.3.0.17&sap=hp
CHR RestoreOnStartup: "hxxp://www.huffingtonpost.com/"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\27.0.1453.116\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\27.0.1453.116\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
CHR Plugin: (Java™ Platform SE 6 U37) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll No File
CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.370.6) - C:\Windows\system32\npdeployJava1.dll (Oracle Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
CHR Extension: (Google Science Fair 2012) - C:\Users\wrobinson\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjibekncdookhijmkplhapjcfnglelcn\2.0_0
CHR Extension: (Unit Layers) - C:\Users\wrobinson\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjkpcnacdgdlpfejlgflolpaigoicibh\1_0
CHR Extension: (Feedly - Your News, RSS, Google Reader) - C:\Users\wrobinson\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipbfijinpcgfogaopmgehiegacbhmob\16.0.528_0
 
========================== Services (Whitelisted) =================
 
R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-14] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-18] (AVG Technologies CZ, s.r.o.)
R2 lmhosts; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 Numara Asset Management Platform Agent; C:\Program Files\Numara Software\Numara AMP\Client\bin\mtxagent.exe [460208 2011-04-05] (Numara ® Software, Inc.)
S3 RoxMediaDB12OEM; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [1116656 2010-11-25] (Sonic Solutions)
S2 RoxWatch12; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [219632 2010-11-25] (Sonic Solutions)
S3 SecureStorageService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe [1477632 2010-11-03] (Wave Systems Corp.)
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\sms.dll [167344 2011-11-09] (Symantec Corporation)
R3 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe [1664744 2011-11-09] (Symantec Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe [280496 2011-11-09] (Symantec Corporation)
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1629696 2010-07-13] ()
R2 TdmService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe [2336104 2010-10-16] (Wave Systems Corp.)
R2 TIRmtSvc; C:\WINDOWS\TIREMOTE\TIRemoteService.exe [210944 2012-05-04] (Numara Software, Inc.)
R2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2071064 2010-05-21] (Intel Corporation)
 
==================== Drivers (Whitelisted) ====================
 
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208184 2013-03-29] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [60216 2013-02-08] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22328 2013-03-01] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [170808 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [245048 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [96568 2013-02-08] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [39224 2013-02-08] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [182072 2013-03-21] (AVG Technologies CZ, s.r.o.)
R1 BHDrvx86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20130620.011\BHDrvx86.sys [1002072 2013-06-12] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-04-30] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-09] (Symantec Corporation)
R1 IDSvix86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20130628.001\IDSvix86.sys [386720 2012-12-27] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 MHIKEY10; C:\Windows\System32\Drivers\MHIKEY10.sys [52096 2010-10-01] (Generic USB smartcard reader)
S3 NAL; C:\Windows\system32\Drivers\iqvw32.sys [30880 2010-02-03] (Intel Corporation )
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130630.003\NAVENG.SYS [93272 2013-07-01] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20130630.003\NAVEX15.SYS [1611992 2013-07-01] (Symantec Corporation)
S3 netvsc; C:\Windows\System32\DRIVERS\netvsc60.sys [126464 2010-11-20] (Microsoft Corporation)
R3 NumaraMirror.10.1.0.110405r; C:\Windows\System32\DRIVERS\NumaraMirror.10.1.0.110405r.mini.sys [10416 2011-04-05] (Numara ® Software, Inc.)
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SRTSP.SYS [516216 2011-11-09] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SRTSPX.SYS [50168 2011-11-09] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SYMDS.SYS [340088 2011-11-09] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SYMEFA.SYS [756856 2011-11-09] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [127096 2011-12-18] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\Ironx86.SYS [136312 2011-11-09] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SYMNETS.SYS [299640 2011-11-09] (Symantec Corporation)
S3 SynthVid; C:\Windows\System32\DRIVERS\VMBusVideoM.sys [19456 2010-11-20] (Microsoft Corporation)
R3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2011-06-18] (Microsoft Corporation)
R1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2011-06-18] (Microsoft Corporation)
R3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2011-06-18] (Microsoft Corporation)
R1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2011-06-18] (Microsoft Corporation)
S3 catchme; \??\C:\Users\cjones\AppData\Local\Temp\catchme.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-07-01 09:15 - 2013-07-01 09:15 - 00000000 ____D C:\FRST
2013-07-01 09:14 - 2013-07-01 09:14 - 01372463 ____A (Farbar) C:\Users\wrobinson\Downloads\FRST.exe
2013-06-27 16:25 - 2013-06-27 16:26 - 00000000 ____D C:\Users\wrobinson\Documents\robinson
2013-06-27 15:57 - 2013-06-27 15:57 - 00020925 ____A C:\ComboFix.txt
2013-06-27 15:42 - 2013-06-27 15:57 - 00000000 ____D C:\ComboFix
2013-06-27 15:42 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2013-06-27 15:42 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2013-06-27 15:42 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-06-27 15:42 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-06-27 15:42 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-06-27 15:42 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2013-06-27 15:42 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2013-06-27 15:42 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2013-06-27 15:40 - 2013-06-27 15:57 - 00000000 ____D C:\Qoobox
2013-06-27 15:40 - 2013-06-27 15:56 - 00000000 ____D C:\Windows\erdnt
2013-06-27 15:39 - 2013-06-27 15:39 - 05084314 ____R (Swearware) C:\Users\wrobinson\Downloads\ComboFix.exe
2013-06-27 10:04 - 2013-06-27 10:04 - 00545954 ____A (Oleg N. Scherbakov) C:\Users\wrobinson\Downloads\JRT (2).exe
2013-06-27 09:48 - 2013-06-27 09:48 - 00545954 ____A (Oleg N. Scherbakov) C:\Users\wrobinson\Downloads\JRT (1).exe
2013-06-27 09:13 - 2013-06-27 11:26 - 00000000 ____D C:\JRT
2013-06-27 09:13 - 2013-06-27 09:13 - 00000000 ____D C:\Windows\ERUNT
2013-06-27 09:12 - 2013-06-27 09:12 - 00545954 ____A (Oleg N. Scherbakov) C:\Users\wrobinson\Downloads\JRT.exe
2013-06-27 09:07 - 2013-06-27 09:09 - 00002045 ____A C:\AdwCleaner[S3].txt
2013-06-27 09:05 - 2013-06-27 09:06 - 00002219 ____A C:\AdwCleaner[R3].txt
2013-06-27 09:04 - 2013-06-27 09:04 - 00648201 ____A C:\Users\wrobinson\Downloads\AdwCleaner (2).exe
2013-06-26 11:21 - 2013-06-26 11:38 - 00012685 ____A C:\Users\wrobinson\Desktop\hijackthis.log
2013-06-26 09:55 - 2013-06-26 09:55 - 00000974 ____A C:\Users\Public\Desktop\IrfanView.lnk
2013-06-26 09:55 - 2013-06-26 09:55 - 00000000 ____D C:\Program Files\IrfanView
2013-06-26 09:50 - 2013-06-26 09:50 - 21648204 ____A C:\Users\wrobinson\Documents\1920s_schoolbuses.tif
2013-06-26 09:14 - 2013-06-26 09:14 - 00000000 ____D C:\Users\wrobinson\AppData\Roaming\AVG2013
2013-06-26 09:12 - 2013-06-26 09:15 - 00000000 ____D C:\Users\wrobinson\AppData\Local\Avg2013
2013-06-26 09:11 - 2013-06-26 09:12 - 00000000 ____D C:\ProgramData\AVG2013
2013-06-26 09:11 - 2013-06-26 09:11 - 00000937 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-06-26 09:11 - 2013-06-26 09:11 - 00000000 ____D C:\$AVG
2013-06-26 09:10 - 2013-06-26 09:10 - 00000000 ____D C:\Program Files\AVG
2013-06-26 08:38 - 2013-07-01 09:17 - 00000000 ____D C:\ProgramData\MFAData
2013-06-26 08:38 - 2013-06-26 08:38 - 04464544 ____A (AVG Technologies) C:\Users\wrobinson\Downloads\avg_free_stb_all_2013_3345_cnet.exe
2013-06-25 12:33 - 2013-06-25 12:33 - 00000000 ____D C:\Program Files\ESET
2013-06-25 12:32 - 2013-06-25 12:32 - 02347384 ____A (ESET) C:\Users\wrobinson\Downloads\esetsmartinstaller_enu.exe
2013-06-25 12:16 - 2013-06-25 14:13 - 00012397 ____A C:\Users\wrobinson\Downloads\hijackthis.log
2013-06-25 12:15 - 2013-06-25 12:15 - 00388608 ____A (Trend Micro Inc.) C:\Users\wrobinson\Desktop\HijackThis.exe
2013-06-22 16:23 - 2012-08-23 10:48 - 00221184 ____A (Microsoft Corporation) C:\Windows\System32\rdpudd.dll
2013-06-22 16:23 - 2012-08-23 10:44 - 00014848 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpvideominiport.sys
2013-06-22 16:23 - 2012-08-23 10:41 - 00027136 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\TsUsbGD.sys
2013-06-22 16:23 - 2012-08-23 10:40 - 00049664 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\TsUsbFlt.sys
2013-06-22 16:23 - 2012-08-23 10:10 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll
2013-06-22 16:23 - 2012-08-23 10:10 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe
2013-06-22 16:23 - 2012-08-23 09:52 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\RdpGroupPolicyExtension.dll
2013-06-22 16:23 - 2012-08-23 09:47 - 00046592 ____A (Microsoft Corporation) C:\Windows\System32\MsRdpWebAccess.dll
2013-06-22 16:23 - 2012-08-23 09:46 - 00016896 ____A (Microsoft Corporation) C:\Windows\System32\wksprtPS.dll
2013-06-22 16:23 - 2012-08-23 09:32 - 00032768 ____A (Microsoft Corporation) C:\Windows\System32\TsUsbGDCoInstaller.dll
2013-06-22 16:23 - 2012-08-23 09:18 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-06-22 16:23 - 2012-08-23 07:40 - 00056320 ____A (Microsoft Corporation) C:\Windows\System32\TSWbPrxy.exe
2013-06-22 16:23 - 2012-08-23 07:32 - 00317440 ____A (Microsoft Corporation) C:\Windows\System32\wksprt.exe
2013-06-22 16:23 - 2012-08-23 07:15 - 00269312 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-06-22 16:23 - 2012-08-23 07:12 - 00192000 ____A (Microsoft Corporation) C:\Windows\System32\rdpendp_winip.dll
2013-06-22 16:23 - 2012-08-23 06:39 - 01048064 ____A (Microsoft Corporation) C:\Windows\System32\mstsc.exe
2013-06-22 16:23 - 2012-08-23 06:08 - 02739712 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2013-06-22 16:23 - 2012-08-23 04:19 - 04916224 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-06-22 16:20 - 2012-08-24 13:05 - 00136560 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2013-06-22 16:20 - 2012-08-24 13:02 - 00369856 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2013-06-22 16:20 - 2012-08-24 12:57 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2013-06-22 16:20 - 2012-08-24 12:56 - 01039360 ____A (Microsoft Corporation) C:\Windows\System32\lsasrv.dll
2013-06-22 16:19 - 2012-05-04 05:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2013-06-22 15:08 - 2013-06-22 15:08 - 02617648 ____A (VS Revo Group Ltd.) C:\Users\wrobinson\Downloads\revosetup.exe
2013-06-22 14:20 - 2013-06-22 14:20 - 01814144 ____A (Bleeping Computer, LLC) C:\Users\wrobinson\Downloads\rkill.com
2013-06-20 17:16 - 2013-06-20 17:16 - 00000000 ____D C:\Users\wrobinson\AppData\Local\Wave Systems Corp
2013-06-20 17:12 - 2013-06-20 17:14 - 00002104 ____A C:\AdwCleaner[S2].txt
2013-06-20 17:11 - 2013-06-20 17:11 - 00002151 ____A C:\AdwCleaner[R2].txt
2013-06-20 17:10 - 2013-06-20 17:10 - 00648201 ____A C:\Users\wrobinson\Downloads\adwcleaner (1).exe
2013-06-20 16:45 - 2013-06-20 16:45 - 09171472 ____A (SurfRight B.V.) C:\Users\wrobinson\Downloads\HitmanPro (1).exe
2013-06-20 16:42 - 2013-06-20 16:43 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\wrobinson\Downloads\tdsskiller (1).exe
2013-06-20 11:11 - 2013-06-27 17:31 - 00000000 ___HD C:\Users\Public\Documents\DI Capture
2013-06-20 09:58 - 2013-06-20 09:58 - 00001642 ____A C:\Users\Public\Desktop\DI Capture.lnk
2013-06-20 09:58 - 2013-06-20 09:58 - 00000246 ____A C:\Windows\261U.ini
2013-06-20 09:58 - 2013-06-20 09:58 - 00000000 ____D C:\Program Files\DI Capture
2013-06-20 09:58 - 2005-08-12 16:49 - 00000104 ____A C:\Windows\iris.ini
2013-06-20 09:57 - 2013-06-20 09:58 - 00000000 ____D C:\Program Files\Common Files\iMpacct
2013-06-20 09:57 - 2013-06-20 09:57 - 00000000 ____D C:\Program Files\Common Files\Comscan
2013-06-20 09:55 - 2013-06-20 09:55 - 00094632 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-06-20 09:54 - 2013-06-20 09:54 - 00000000 ____D C:\ProgramData\McAfee
2013-06-20 09:19 - 2013-06-20 11:47 - 00000000 ____D C:\Users\wrobinson\Documents\ImageFolio
2013-06-19 16:46 - 2013-06-25 14:06 - 00000000 ____D C:\Users\wrobinson\AppData\Roaming\.oit
2013-06-19 16:45 - 2013-06-25 14:07 - 00000000 ____D C:\Users\wrobinson\Documents\My PageManager
2013-06-19 16:45 - 2013-06-20 09:19 - 00000000 ____D C:\Users\wrobinson\AppData\Local\NewSoft
2013-06-19 16:45 - 2013-06-19 16:45 - 00000000 ____D C:\Users\wrobinson\AppData\Roaming\NewSoft
2013-06-19 16:09 - 2013-06-19 16:10 - 00000264 ____A C:\Windows\setup.iss
2013-06-19 16:09 - 2013-06-19 16:09 - 00002169 ____A C:\Users\Public\Desktop\Presto! PageManager 7.23.lnk
2013-06-19 16:08 - 2013-06-19 16:08 - 00000000 ____D C:\Windows\System32\color
2013-06-19 16:07 - 2013-06-19 16:08 - 00000000 ____D C:\Program Files\Common Files\NewSoft
2013-06-19 16:07 - 2013-06-19 16:07 - 00002088 ____A C:\Users\Public\Desktop\Presto! ImageFolio 4.lnk
2013-06-19 16:07 - 2013-06-19 16:07 - 00001809 ____A C:\Windows\if42le.ini
2013-06-19 16:07 - 2013-06-19 16:07 - 00000299 ____A C:\Windows\Pexplore.ini
2013-06-19 16:07 - 2013-06-19 16:07 - 00000000 ____D C:\ProgramData\Newsoft
2013-06-19 16:06 - 2013-06-19 16:06 - 00000000 ____D C:\Program Files\Common Files\InstallShield
2013-06-19 16:04 - 2013-06-20 09:57 - 00000000 ____D C:\Program Files\Plustek
2013-06-19 16:04 - 2013-06-19 16:04 - 00000000 ____D C:\ProgramData\ABBYY
2013-06-19 16:04 - 2013-06-19 16:04 - 00000000 ____D C:\Program Files\Common Files\ABBYY
2013-06-19 16:03 - 2009-07-03 09:13 - 00057344 ____A (Windows ® 2004 DDK Provider) C:\Windows\System32\mic-261U.dll
2013-06-19 16:03 - 2007-01-25 23:56 - 00015360 ____A () C:\Windows\System32\GetInst32.dll
2013-06-19 15:57 - 2013-06-22 15:08 - 00000000 ____D C:\Program Files\VS Revo Group
2013-06-19 15:50 - 2013-06-19 15:50 - 00000000 ____D C:\Windows\System32\appmgmt
2013-06-19 13:30 - 2013-06-19 13:30 - 00000000 ____D C:\Users\wrobinson\AppData\Roaming\Malwarebytes
2013-06-19 13:21 - 2013-06-19 13:21 - 00696064 ____A () C:\Users\wrobinson\Downloads\77ZipSetup.exe
2013-06-18 17:58 - 2013-06-18 18:00 - 00002024 ____A C:\AdwCleaner[S1].txt
2013-06-18 17:56 - 2013-06-18 17:56 - 00001975 ____A C:\AdwCleaner[R1].txt
2013-06-18 17:55 - 2013-06-18 17:55 - 00648201 ____A C:\Users\wrobinson\Downloads\adwcleaner.exe
2013-06-18 16:22 - 2013-06-18 16:28 - 00000000 ____D C:\ProgramData\HitmanPro
2013-06-18 16:20 - 2013-06-18 16:22 - 09171472 ____A (SurfRight B.V.) C:\Users\wrobinson\Downloads\HitmanPro.exe
2013-06-18 16:19 - 2013-06-18 16:19 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\wrobinson\Downloads\tdsskiller.exe
2013-06-18 13:49 - 2013-06-18 13:49 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-18 13:49 - 2013-06-18 13:49 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-18 13:49 - 2013-06-18 13:49 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-18 13:49 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-06-18 13:48 - 2013-06-18 13:48 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Users\wrobinson\Downloads\mbam-setup-1.75.0.1300.exe
2013-06-17 15:09 - 2013-06-19 15:52 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2013-06-17 15:09 - 2013-06-19 15:47 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-06-17 15:05 - 2013-06-17 15:06 - 16409960 ____A (Safer Networking Limited                                    ) C:\Users\wrobinson\Downloads\spybotsd162.exe
2013-06-14 11:39 - 2013-06-14 11:39 - 03313664 ____A C:\Users\wrobinson\Downloads\InstallGenoPro.exe
2013-06-14 11:39 - 2013-06-14 11:39 - 00001101 ____A C:\Users\Public\Desktop\GenoPro.lnk
2013-06-14 11:39 - 2013-06-14 11:39 - 00000000 ____D C:\Program Files\GenoPro
2013-06-14 11:37 - 2013-06-14 11:38 - 00000000 ____D C:\Users\wrobinson\AppData\Roaming\MudCreek
2013-06-14 11:36 - 2013-06-14 11:36 - 00000000 ____D C:\Users\wrobinson\AppData\Local\UnitLayers
2013-06-14 11:32 - 2013-06-14 11:32 - 00000000 ____D C:\Program Files\MudCreek
2013-06-14 11:31 - 2013-06-14 11:31 - 02384994 ____A (                                                            ) C:\Users\wrobinson\Downloads\mudgv123.exe
2013-06-14 11:29 - 2013-06-14 11:29 - 36879640 ____A C:\Users\wrobinson\Downloads\family_tree_builder_7107.exe
2013-06-13 03:02 - 2013-06-08 07:42 - 01141248 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-13 03:02 - 2013-06-08 07:40 - 14327808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-13 03:02 - 2013-06-08 07:40 - 13760512 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-13 03:02 - 2013-06-08 07:40 - 02046976 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-13 03:02 - 2013-06-08 07:40 - 00391168 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-13 03:02 - 2013-06-08 07:13 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-13 03:00 - 2013-05-16 21:26 - 00042496 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-13 03:00 - 2013-05-16 21:25 - 02877440 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-13 03:00 - 2013-05-16 21:25 - 01767936 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-13 03:00 - 2013-05-16 21:25 - 00690688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-13 03:00 - 2013-05-16 21:25 - 00493056 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-13 03:00 - 2013-05-16 21:25 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-13 03:00 - 2013-05-16 21:25 - 00061440 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-13 03:00 - 2013-05-16 21:25 - 00039424 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-13 03:00 - 2013-05-16 21:25 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-13 03:00 - 2013-05-14 04:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-12 10:35 - 2013-05-13 00:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-12 10:35 - 2013-05-13 00:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-12 10:35 - 2013-05-13 00:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-12 10:35 - 2013-05-12 23:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-12 10:35 - 2013-05-12 23:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-12 10:35 - 2013-05-09 23:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-12 10:35 - 2013-05-08 01:38 - 01293672 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-12 10:35 - 2013-05-06 01:06 - 03968872 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-06-12 10:35 - 2013-05-06 01:06 - 03913576 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-06-12 10:35 - 2013-04-26 00:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-12 10:35 - 2013-04-25 19:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-12 10:35 - 2013-04-17 03:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-04 17:57 - 2013-06-04 17:57 - 00382326 ____A C:\Users\wrobinson\Desktop\jweaver.tif
2013-06-04 16:08 - 2013-06-26 09:42 - 00012028 ____A C:\Users\wrobinson\Documents\June stats.xlsx
 
==================== One Month Modified Files and Folders ========
 
2013-07-01 09:17 - 2013-06-26 08:38 - 00000000 ____D C:\ProgramData\MFAData
2013-07-01 09:15 - 2013-07-01 09:15 - 00000000 ____D C:\FRST
2013-07-01 09:14 - 2013-07-01 09:14 - 01372463 ____A (Farbar) C:\Users\wrobinson\Downloads\FRST.exe
2013-07-01 09:12 - 2013-04-22 14:06 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-01 09:11 - 2009-07-14 00:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-01 09:11 - 2009-07-14 00:39 - 00119551 ____A C:\Windows\setupact.log
2013-06-28 12:08 - 2011-06-18 00:34 - 01419191 ____A C:\Windows\WindowsUpdate.log
2013-06-28 11:34 - 2012-11-16 00:08 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-28 11:21 - 2013-04-22 14:06 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-28 09:34 - 2013-05-24 15:00 - 00000000 ____D C:\Legacy
2013-06-28 09:17 - 2009-07-14 00:34 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-28 09:17 - 2009-07-14 00:34 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-28 09:16 - 2010-11-20 17:01 - 00778834 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-27 17:40 - 2013-05-09 15:38 - 00000000 ____D C:\Users\wrobinson\Documents\wilson jpgs
2013-06-27 17:33 - 2013-05-09 15:19 - 00000000 ____D C:\Users\wrobinson\Documents\wilson tifs
2013-06-27 17:31 - 2013-06-20 11:11 - 00000000 ___HD C:\Users\Public\Documents\DI Capture
2013-06-27 16:26 - 2013-06-27 16:25 - 00000000 ____D C:\Users\wrobinson\Documents\robinson
2013-06-27 16:00 - 2010-11-20 17:48 - 00466320 ____A C:\Windows\PFRO.log
2013-06-27 15:57 - 2013-06-27 15:57 - 00020925 ____A C:\ComboFix.txt
2013-06-27 15:57 - 2013-06-27 15:42 - 00000000 ____D C:\ComboFix
2013-06-27 15:57 - 2013-06-27 15:40 - 00000000 ____D C:\Qoobox
2013-06-27 15:57 - 2009-07-13 22:37 - 00000000 ___RD C:\users\Public
2013-06-27 15:56 - 2013-06-27 15:40 - 00000000 ____D C:\Windows\erdnt
2013-06-27 15:56 - 2009-07-13 22:04 - 00000215 ____A C:\Windows\system.ini
2013-06-27 15:54 - 2011-09-16 13:21 - 00000000 ____D C:\users\pbileckyj
2013-06-27 15:54 - 2011-09-16 13:15 - 00000000 ____D C:\users\cjones
2013-06-27 15:54 - 2011-09-16 13:13 - 00000000 ____D C:\users\rrains
2013-06-27 15:39 - 2013-06-27 15:39 - 05084314 ____R (Swearware) C:\Users\wrobinson\Downloads\ComboFix.exe
2013-06-27 11:32 - 2013-04-24 14:13 - 00000000 ____D C:\Users\wrobinson\AppData\Roaming\Dropbox
2013-06-27 11:31 - 2013-04-24 14:16 - 00000000 ___RD C:\Users\wrobinson\Dropbox
2013-06-27 11:26 - 2013-06-27 09:13 - 00000000 ____D C:\JRT
2013-06-27 10:04 - 2013-06-27 10:04 - 00545954 ____A (Oleg N. Scherbakov) C:\Users\wrobinson\Downloads\JRT (2).exe
2013-06-27 09:48 - 2013-06-27 09:48 - 00545954 ____A (Oleg N. Scherbakov) C:\Users\wrobinson\Downloads\JRT (1).exe
2013-06-27 09:13 - 2013-06-27 09:13 - 00000000 ____D C:\Windows\ERUNT
2013-06-27 09:12 - 2013-06-27 09:12 - 00545954 ____A (Oleg N. Scherbakov) C:\Users\wrobinson\Downloads\JRT.exe
2013-06-27 09:09 - 2013-06-27 09:07 - 00002045 ____A C:\AdwCleaner[S3].txt
2013-06-27 09:06 - 2013-06-27 09:05 - 00002219 ____A C:\AdwCleaner[R3].txt
2013-06-27 09:04 - 2013-06-27 09:04 - 00648201 ____A C:\Users\wrobinson\Downloads\AdwCleaner (2).exe
2013-06-26 15:43 - 2007-02-19 22:19 - 00000065 ____H C:\TrackitAudit.id
2013-06-26 11:38 - 2013-06-26 11:21 - 00012685 ____A C:\Users\wrobinson\Desktop\hijackthis.log
2013-06-26 09:55 - 2013-06-26 09:55 - 00000974 ____A C:\Users\Public\Desktop\IrfanView.lnk
2013-06-26 09:55 - 2013-06-26 09:55 - 00000000 ____D C:\Program Files\IrfanView
2013-06-26 09:55 - 2013-04-25 11:57 - 00001854 ____A C:\Users\Public\Desktop\IrfanView Thumbnails.lnk
2013-06-26 09:50 - 2013-06-26 09:50 - 21648204 ____A C:\Users\wrobinson\Documents\1920s_schoolbuses.tif
2013-06-26 09:42 - 2013-06-04 16:08 - 00012028 ____A C:\Users\wrobinson\Documents\June stats.xlsx
2013-06-26 09:15 - 2013-06-26 09:12 - 00000000 ____D C:\Users\wrobinson\AppData\Local\Avg2013
2013-06-26 09:14 - 2013-06-26 09:14 - 00000000 ____D C:\Users\wrobinson\AppData\Roaming\AVG2013
2013-06-26 09:12 - 2013-06-26 09:11 - 00000000 ____D C:\ProgramData\AVG2013
2013-06-26 09:11 - 2013-06-26 09:11 - 00000937 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-06-26 09:11 - 2013-06-26 09:11 - 00000000 ____D C:\$AVG
2013-06-26 09:10 - 2013-06-26 09:10 - 00000000 ____D C:\Program Files\AVG
2013-06-26 08:38 - 2013-06-26 08:38 - 04464544 ____A (AVG Technologies) C:\Users\wrobinson\Downloads\avg_free_stb_all_2013_3345_cnet.exe
2013-06-25 14:13 - 2013-06-25 12:16 - 00012397 ____A C:\Users\wrobinson\Downloads\hijackthis.log
2013-06-25 14:07 - 2013-06-19 16:45 - 00000000 ____D C:\Users\wrobinson\Documents\My PageManager
2013-06-25 14:06 - 2013-06-19 16:46 - 00000000 ____D C:\Users\wrobinson\AppData\Roaming\.oit
2013-06-25 12:33 - 2013-06-25 12:33 - 00000000 ____D C:\Program Files\ESET
2013-06-25 12:32 - 2013-06-25 12:32 - 02347384 ____A (ESET) C:\Users\wrobinson\Downloads\esetsmartinstaller_enu.exe
2013-06-25 12:16 - 2013-04-15 11:50 - 00000000 ____D C:\Users\wrobinson\AppData\Local\VirtualStore
2013-06-25 12:15 - 2013-06-25 12:15 - 00388608 ____A (Trend Micro Inc.) C:\Users\wrobinson\Desktop\HijackThis.exe
2013-06-24 13:29 - 2011-09-20 01:40 - 00094208 ____A C:\Windows\TIRHService.exe
2013-06-24 13:29 - 2011-09-20 01:40 - 00000000 ____D C:\Windows\TIREMOTE
2013-06-22 18:45 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\rescache
2013-06-22 16:54 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-06-22 16:38 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-06-22 16:23 - 2013-04-22 14:07 - 00002131 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-06-22 15:08 - 2013-06-22 15:08 - 02617648 ____A (VS Revo Group Ltd.) C:\Users\wrobinson\Downloads\revosetup.exe
2013-06-22 15:08 - 2013-06-19 15:57 - 00000000 ____D C:\Program Files\VS Revo Group
2013-06-22 14:20 - 2013-06-22 14:20 - 01814144 ____A (Bleeping Computer, LLC) C:\Users\wrobinson\Downloads\rkill.com
2013-06-20 17:16 - 2013-06-20 17:16 - 00000000 ____D C:\Users\wrobinson\AppData\Local\Wave Systems Corp
2013-06-20 17:14 - 2013-06-20 17:12 - 00002104 ____A C:\AdwCleaner[S2].txt
2013-06-20 17:11 - 2013-06-20 17:11 - 00002151 ____A C:\AdwCleaner[R2].txt
2013-06-20 17:10 - 2013-06-20 17:10 - 00648201 ____A C:\Users\wrobinson\Downloads\adwcleaner (1).exe
2013-06-20 16:45 - 2013-06-20 16:45 - 09171472 ____A (SurfRight B.V.) C:\Users\wrobinson\Downloads\HitmanPro (1).exe
2013-06-20 16:43 - 2013-06-20 16:42 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\wrobinson\Downloads\tdsskiller (1).exe
2013-06-20 11:47 - 2013-06-20 09:19 - 00000000 ____D C:\Users\wrobinson\Documents\ImageFolio
2013-06-20 11:43 - 2013-04-15 13:52 - 00000000 ____D C:\Users\wrobinson\Sirsi
2013-06-20 11:43 - 2013-04-15 11:50 - 00000000 ___RD C:\Users\wrobinson\Virtual Machines
2013-06-20 09:58 - 2013-06-20 09:58 - 00001642 ____A C:\Users\Public\Desktop\DI Capture.lnk
2013-06-20 09:58 - 2013-06-20 09:58 - 00000246 ____A C:\Windows\261U.ini
2013-06-20 09:58 - 2013-06-20 09:58 - 00000000 ____D C:\Program Files\DI Capture
2013-06-20 09:58 - 2013-06-20 09:57 - 00000000 ____D C:\Program Files\Common Files\iMpacct
2013-06-20 09:58 - 2011-06-18 00:35 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-06-20 09:57 - 2013-06-20 09:57 - 00000000 ____D C:\Program Files\Common Files\Comscan
2013-06-20 09:57 - 2013-06-19 16:04 - 00000000 ____D C:\Program Files\Plustek
2013-06-20 09:57 - 2009-07-14 00:52 - 00000000 ____D C:\Windows\twain_32
2013-06-20 09:56 - 2011-06-18 00:35 - 00000000 ____D C:\Program Files\Common Files\Java
2013-06-20 09:55 - 2013-06-20 09:55 - 00094632 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-06-20 09:55 - 2012-10-05 13:17 - 00867240 ____A (Oracle Corporation) C:\Windows\System32\npdeployJava1.dll
2013-06-20 09:55 - 2011-09-14 13:06 - 00263592 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-06-20 09:55 - 2011-09-14 13:06 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-06-20 09:55 - 2011-09-14 13:06 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-06-20 09:55 - 2011-06-18 00:34 - 00789416 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-06-20 09:55 - 2011-06-18 00:34 - 00000000 ____D C:\Program Files\Java
2013-06-20 09:54 - 2013-06-20 09:54 - 00000000 ____D C:\ProgramData\McAfee
2013-06-20 09:19 - 2013-06-19 16:45 - 00000000 ____D C:\Users\wrobinson\AppData\Local\NewSoft
2013-06-20 09:00 - 2012-05-03 23:02 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-06-19 16:45 - 2013-06-19 16:45 - 00000000 ____D C:\Users\wrobinson\AppData\Roaming\NewSoft
2013-06-19 16:10 - 2013-06-19 16:09 - 00000264 ____A C:\Windows\setup.iss
2013-06-19 16:09 - 2013-06-19 16:09 - 00002169 ____A C:\Users\Public\Desktop\Presto! PageManager 7.23.lnk
2013-06-19 16:08 - 2013-06-19 16:08 - 00000000 ____D C:\Windows\System32\color
2013-06-19 16:08 - 2013-06-19 16:07 - 00000000 ____D C:\Program Files\Common Files\NewSoft
2013-06-19 16:07 - 2013-06-19 16:07 - 00002088 ____A C:\Users\Public\Desktop\Presto! ImageFolio 4.lnk
2013-06-19 16:07 - 2013-06-19 16:07 - 00001809 ____A C:\Windows\if42le.ini
2013-06-19 16:07 - 2013-06-19 16:07 - 00000299 ____A C:\Windows\Pexplore.ini
2013-06-19 16:07 - 2013-06-19 16:07 - 00000000 ____D C:\ProgramData\Newsoft
2013-06-19 16:06 - 2013-06-19 16:06 - 00000000 ____D C:\Program Files\Common Files\InstallShield
2013-06-19 16:04 - 2013-06-19 16:04 - 00000000 ____D C:\ProgramData\ABBYY
2013-06-19 16:04 - 2013-06-19 16:04 - 00000000 ____D C:\Program Files\Common Files\ABBYY
2013-06-19 16:03 - 2011-06-18 00:38 - 00015998 ____A C:\Windows\DPINST.LOG
2013-06-19 15:56 - 2013-04-15 13:07 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-19 15:56 - 2011-09-14 13:20 - 00001111 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-06-19 15:52 - 2013-06-17 15:09 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2013-06-19 15:52 - 2011-09-19 08:24 - 00000000 ____D C:\Program Files\epson
2013-06-19 15:50 - 2013-06-19 15:50 - 00000000 ____D C:\Windows\System32\appmgmt
2013-06-19 15:47 - 2013-06-17 15:09 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-06-19 13:30 - 2013-06-19 13:30 - 00000000 ____D C:\Users\wrobinson\AppData\Roaming\Malwarebytes
2013-06-19 13:21 - 2013-06-19 13:21 - 00696064 ____A () C:\Users\wrobinson\Downloads\77ZipSetup.exe
2013-06-18 18:22 - 2011-09-14 13:25 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-06-18 18:00 - 2013-06-18 17:58 - 00002024 ____A C:\AdwCleaner[S1].txt
2013-06-18 17:56 - 2013-06-18 17:56 - 00001975 ____A C:\AdwCleaner[R1].txt
2013-06-18 17:55 - 2013-06-18 17:55 - 00648201 ____A C:\Users\wrobinson\Downloads\adwcleaner.exe
2013-06-18 16:28 - 2013-06-18 16:22 - 00000000 ____D C:\ProgramData\HitmanPro
2013-06-18 16:22 - 2013-06-18 16:20 - 09171472 ____A (SurfRight B.V.) C:\Users\wrobinson\Downloads\HitmanPro.exe
2013-06-18 16:19 - 2013-06-18 16:19 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\wrobinson\Downloads\tdsskiller.exe
2013-06-18 13:49 - 2013-06-18 13:49 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-18 13:49 - 2013-06-18 13:49 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-18 13:49 - 2013-06-18 13:49 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-18 13:48 - 2013-06-18 13:48 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Users\wrobinson\Downloads\mbam-setup-1.75.0.1300.exe
2013-06-17 15:06 - 2013-06-17 15:05 - 16409960 ____A (Safer Networking Limited                                    ) C:\Users\wrobinson\Downloads\spybotsd162.exe
2013-06-14 11:39 - 2013-06-14 11:39 - 03313664 ____A C:\Users\wrobinson\Downloads\InstallGenoPro.exe
2013-06-14 11:39 - 2013-06-14 11:39 - 00001101 ____A C:\Users\Public\Desktop\GenoPro.lnk
2013-06-14 11:39 - 2013-06-14 11:39 - 00000000 ____D C:\Program Files\GenoPro
2013-06-14 11:38 - 2013-06-14 11:37 - 00000000 ____D C:\Users\wrobinson\AppData\Roaming\MudCreek
2013-06-14 11:36 - 2013-06-14 11:36 - 00000000 ____D C:\Users\wrobinson\AppData\Local\UnitLayers
2013-06-14 11:32 - 2013-06-14 11:32 - 00000000 ____D C:\Program Files\MudCreek
2013-06-14 11:31 - 2013-06-14 11:31 - 02384994 ____A (                                                            ) C:\Users\wrobinson\Downloads\mudgv123.exe
2013-06-14 11:29 - 2013-06-14 11:29 - 36879640 ____A C:\Users\wrobinson\Downloads\family_tree_builder_7107.exe
2013-06-13 03:00 - 2011-09-13 15:53 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-11 16:34 - 2012-11-16 00:08 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-11 16:34 - 2011-09-14 13:21 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-08 07:42 - 2013-06-13 03:02 - 01141248 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-08 07:40 - 2013-06-13 03:02 - 14327808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-08 07:40 - 2013-06-13 03:02 - 13760512 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-08 07:40 - 2013-06-13 03:02 - 02046976 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-08 07:40 - 2013-06-13 03:02 - 00391168 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-08 07:13 - 2013-06-13 03:02 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-04 17:57 - 2013-06-04 17:57 - 00382326 ____A C:\Users\wrobinson\Desktop\jweaver.tif
2013-06-04 16:00 - 2005-07-29 15:59 - 00000000 ____D C:\Users\Public\Documents\Local history stats
2013-06-04 12:09 - 2013-04-24 14:16 - 00000993 ____A C:\Users\wrobinson\Desktop\Dropbox.lnk
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== End Of Log ============================
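The one-month file listing above is the kind of output a helper reads by eye for fresh executables in places a user (or a dropper running as that user) can write to. The parser below is an added example, not code from this thread or from FRST itself: it splits each listing line into its fields and flags executables with no company name in user-writable locations. The assumption it rests on is that the parenthesised field is the company name from the file's version information, which is not a signature check, so a present name is only weak evidence; the sample lines are copied in shape from the log above.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: six lines in the shape of the FRST one-month listing above,
# with dates, sizes, attributes and paths copied from the posted log.
SAMPLE_LISTING = r"""
2013-06-27 15:39 - 2013-06-27 15:39 - 05084314 ____R (Swearware) C:\Users\wrobinson\Downloads\ComboFix.exe
2013-06-19 13:21 - 2013-06-19 13:21 - 00696064 ____A () C:\Users\wrobinson\Downloads\77ZipSetup.exe
2013-06-14 11:31 - 2013-06-14 11:31 - 02384994 ____A (                                                            ) C:\Users\wrobinson\Downloads\mudgv123.exe
2013-06-14 11:29 - 2013-06-14 11:29 - 36879640 ____A C:\Users\wrobinson\Downloads\family_tree_builder_7107.exe
2013-06-20 09:55 - 2011-09-14 13:06 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-06-27 15:57 - 2013-06-27 15:42 - 00000000 ____D C:\ComboFix
"""

# One listing line: <stamp> - <stamp> - <size> <attrs> [(<company>) ]<path>
# In the modified-files section above the first stamp is the last-write time and
# the second the creation time (field order as observed in the posted log).
LINE_RE = re.compile(
    r"^(?P<last_write>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<creation>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)


class Entry(NamedTuple):
    last_write: str
    creation: str
    size: int
    attrs: str
    company: Optional[str]  # None: no (...) field on the line; "": field present but empty
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_listing(text: str) -> List[Entry]:
    """Parse every well-formed listing line; unrelated lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        company = m["company"]
        entries.append(Entry(
            m["last_write"], m["creation"], int(m["size"]), m["attrs"],
            company.strip() if company is not None else None, m["path"],
        ))
    return entries


EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".cpl")
# Directories a standard user (or anything running as that user) can write to.
USER_WRITABLE_RE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\|\\temp\\", re.IGNORECASE
)


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (path, severity, reason) for executables worth a closer look."""
    findings = []
    for e in entries:
        if e.is_dir or not e.path.lower().endswith(EXECUTABLE_EXT):
            continue
        writable = bool(USER_WRITABLE_RE.search(e.path))
        if not e.company and writable:
            findings.append((e.path, "HIGH", "no company name, user-writable location"))
        elif not e.company:
            findings.append((e.path, "MEDIUM", "no company name"))
        elif writable:
            findings.append((e.path, "LOW", f"user-writable location (company: {e.company})"))
    return findings


if __name__ == "__main__":
    for path, severity, reason in triage(parse_listing(SAMPLE_LISTING)):
        print(f"{severity:6} {path}  [{reason}]")
```

On the sample this reports the three Downloads executables that carry no company name as HIGH and ComboFix.exe as LOW; java.exe under System32 with its company name is not reported. The directory line is skipped because of its `D` attribute.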

 




#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:33 PM

Posted 01 July 2013 - 09:13 AM

Hello earlbot



I need you to download this script I have made for you (attached file: fixlist.txt, 238 bytes)

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 earlbot

earlbot
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:33 PM

Posted 01 July 2013 - 09:58 AM

Here is the fixlog

 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 01-07-2013 01
Ran by wrobinson at 2013-07-01 10:54:22 Run:1
Running from C:\Users\wrobinson\Downloads
Boot Mode: Normal
 
==============================================
 
HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} => Key not found.
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key not found.
 
==== End of Fixlog ====

 



#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:33 PM

Posted 01 July 2013 - 10:32 AM


Hello earlbot

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • More than one report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.

    Note** this report can be very long - so if the website gives you an error saying it is too long you may attach it

    If the forum still complains about it being too long send me everything that is at the end of the report after where it says

    ==================
    Scan finished
    ==================
and I will see if I want to see the whole report

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • the scan will make two reports the one I would like to see is called RKreport[2].txt on your Desktop
  • Exit/Close RogueKiller
send me the reports made from TDSSKiller and Roguekiller and also let me know how the computer is doing at this time.

Gringo

#14 earlbot

earlbot
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:33 PM

Posted 01 July 2013 - 01:11 PM

Here are the results for TDSSKiller (file too big to upload) and RogueKiller
 
13:19:30.0766 6636  Scan finished
13:19:30.0766 6636  ============================================================
13:19:30.0773 6628  Detected object count: 5
13:19:30.0773 6628  Actual detected object count: 5
13:20:06.0161 6628  Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
13:20:06.0161 6628  Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
13:20:06.0161 6628  Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
13:20:06.0162 6628  Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
13:20:06.0163 6628  SecureStorageService ( UnsignedFile.Multi.Generic ) - skipped by user
13:20:06.0163 6628  SecureStorageService ( UnsignedFile.Multi.Generic ) - User select action: Skip 
13:20:06.0165 6628  tcsd_win32.exe ( UnsignedFile.Multi.Generic ) - skipped by user
13:20:06.0165 6628  tcsd_win32.exe ( UnsignedFile.Multi.Generic ) - User select action: Skip 
13:20:06.0166 6628  TIRmtSvc ( UnsignedFile.Multi.Generic ) - skipped by user
13:20:06.0166 6628  TIRmtSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip 
 

 

 
RogueKiller V8.6.1 [Jun 29 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : hxxp://www.adlice.com/forum/
Website : hxxp://www.adlice.com/softwares/roguekiller/
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : cjones [Admin rights]
Mode : Remove -- Date : 07/01/2013 14:06:57
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\RunOnce : B0117F03-6E62-44B2-9BD2-493AE93D2A8E (cmd.exe /C start /D "C:\Users\cjones\AppData\Local\Temp" /B B0117F03-6E62-44B2-9BD2-493AE93D2A8E.exe -activeimages -postboot [x][-][x]) -> DELETED
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x83126DA1 -> HOOKED (Unknown @ 0x88C71BA8)
[Address] SSDT[14] : NtAlertThread @ 0x83079CC7 -> HOOKED (Unknown @ 0x88C71C88)
[Address] SSDT[19] : NtAllocateVirtualMemory @ 0x83072CBC -> HOOKED (Unknown @ 0x88C62628)
[Address] SSDT[22] : NtAlpcConnectPort @ 0x830BE56E -> HOOKED (Unknown @ 0x88C278D0)
[Address] SSDT[43] : NtAssignProcessToJobObject @ 0x830480BE -> HOOKED (Unknown @ 0x88C71350)
[Address] SSDT[74] : NtCreateMutant @ 0x8305934C -> HOOKED (Unknown @ 0x88C718F8)
[Address] SSDT[86] : NtCreateSymbolicLinkObject @ 0x8304A9C6 -> HOOKED (Unknown @ 0x88C71070)
[Address] SSDT[87] : NtCreateThread @ 0x83124FDA -> HOOKED (Unknown @ 0x88C62B30)
[Address] SSDT[88] : NtCreateThreadEx @ 0x830B949B -> HOOKED (Unknown @ 0x88C71160)
[Address] SSDT[96] : NtDebugActiveProcess @ 0x830F6EAA -> HOOKED (Unknown @ 0x88C71430)
[Address] SSDT[111] : NtDuplicateObject @ 0x8307A761 -> HOOKED (Unknown @ 0x88C627F8)
[Address] SSDT[131] : NtFreeVirtualMemory @ 0x82F0182C -> HOOKED (Unknown @ 0x88C623E0)
[Address] SSDT[145] : NtImpersonateAnonymousToken @ 0x8303E962 -> HOOKED (Unknown @ 0x88C719E8)
[Address] SSDT[147] : NtImpersonateThread @ 0x830C2962 -> HOOKED (Unknown @ 0x88C71AC8)
[Address] SSDT[155] : NtLoadDriver @ 0x8300EC32 -> HOOKED (Unknown @ 0x88AEA188)
[Address] SSDT[168] : NtMapViewOfSection @ 0x8308F5F1 -> HOOKED (Unknown @ 0x88C622E0)
[Address] SSDT[177] : NtOpenEvent @ 0x83058D48 -> HOOKED (Unknown @ 0x88C71818)
[Address] SSDT[191] : NtOpenProcessToken @ 0x830AD36F -> HOOKED (Unknown @ 0x88C62718)
[Address] SSDT[194] : NtOpenSection @ 0x830B29EB -> HOOKED (Unknown @ 0x88C71658)
[Address] SSDT[198] : NtOpenThread @ 0x830A70EE -> HOOKED (Unknown @ 0x88C628E8)
[Address] SSDT[215] : NtProtectVirtualMemory @ 0x8308B651 -> HOOKED (Unknown @ 0x88C71260)
[Address] SSDT[304] : NtResumeThread @ 0x830B96C2 -> HOOKED (Unknown @ 0x88C71D68)
[Address] SSDT[316] : NtSetContextThread @ 0x8312684D -> HOOKED (Unknown @ 0x88C71008)
[Address] SSDT[333] : NtSetInformationProcess @ 0x83081875 -> HOOKED (Unknown @ 0x88C62110)
[Address] SSDT[350] : NtSetSystemInformation @ 0x8309737A -> HOOKED (Unknown @ 0x88C71510)
[Address] SSDT[385] : NtUnmapViewOfSection @ 0x830AD9AA -> HOOKED (Unknown @ 0x88C62200)
[Address] Shadow SSDT[318] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8961F328)
[Address] Shadow SSDT[448] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x88F46D70)
[Address] Shadow SSDT[490] : NtUserMessageCall -> HOOKED (Unknown @ 0x895928A8)
[Address] Shadow SSDT[508] : NtUserPostMessage -> HOOKED (Unknown @ 0x89592A48)
[Address] Shadow SSDT[509] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x89592978)
[Address] Shadow SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x89621350)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD5000AAKX-753CA1 +++++
--- User ---
[MBR] 76c8a2251059beb335f630f5ca0675ce
[BSP] b46fd8bf4281fbb36060e9217049f36c : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 750 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1617920 | Size: 476149 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_07012013_140657.txt >>
RKreport[0]_S_07012013_140638.txt
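The RogueKiller report above contains two sections worth reading programmatically: the registry findings (a RunOnce entry that launched a GUID-named executable out of the user's Temp folder, plus a few policy and shell settings RogueKiller reset) and the SSDT hook list. The script below is an added example, not part of the thread and not RogueKiller's own code: it parses both sections, applies three simple autorun heuristics (Temp-folder launch, GUID-named executable, `start /B` which runs a program without opening a new window), and groups hook targets by 64 KiB address region as a rough, heuristic count of how many hooking components are present. The sample report is constructed from lines copied from the post above; the tag names and address grouping are my own choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the shape of the RogueKiller report above; the registry
# findings and the four SSDT lines are copied from the posted report.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\RunOnce : B0117F03-6E62-44B2-9BD2-493AE93D2A8E (cmd.exe /C start /D "C:\Users\cjones\AppData\Local\Temp" /B B0117F03-6E62-44B2-9BD2-493AE93D2A8E.exe -activeimages -postboot [x][-][x]) -> DELETED
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x83126DA1 -> HOOKED (Unknown @ 0x88C71BA8)
[Address] SSDT[19] : NtAllocateVirtualMemory @ 0x83072CBC -> HOOKED (Unknown @ 0x88C62628)
[Address] SSDT[155] : NtLoadDriver @ 0x8300EC32 -> HOOKED (Unknown @ 0x88AEA188)
[Address] Shadow SSDT[318] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8961F328)
"""

# [TAG][TAG] <key> : <value name> (<value data>) -> <action taken>
REG_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+) (?P<key>\S+) : (?P<name>.+?) \((?P<value>.*)\) -> (?P<action>.+)$"
)
# [Address] SSDT[n] : NtXxx @ 0x... -> HOOKED (<owner> @ 0x<target>)   (no "@ 0x" on Shadow SSDT lines)
HOOK_RE = re.compile(
    r"^\[Address\] (?P<table>Shadow SSDT|SSDT)\[(?P<index>\d+)\] : (?P<syscall>\w+)"
    r"(?: @ 0x[0-9A-Fa-f]+)? -> HOOKED \((?P<owner>[^@]+) @ 0x(?P<target>[0-9A-Fa-f]+)\)$"
)


class RegistryFinding(NamedTuple):
    tags: List[str]
    key: str
    name: str
    value: str
    action: str


class SsdtHook(NamedTuple):
    table: str
    index: int
    syscall: str
    owner: str
    target: int


def parse_report(text: str) -> Tuple[List[RegistryFinding], List[SsdtHook]]:
    """Pull registry findings and SSDT hooks out of a report; other lines are ignored."""
    regs, hooks = [], []
    for line in text.splitlines():
        line = line.rstrip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append(SsdtHook(m["table"], int(m["index"]), m["syscall"],
                                  m["owner"], int(m["target"], 16)))
            continue
        m = REG_RE.match(line)
        if m:
            regs.append(RegistryFinding(re.findall(r"\[([^\]]+)\]", m["tags"]),
                                        m["key"], m["name"], m["value"], m["action"]))
    return regs, hooks


TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\b|\\Windows\\Temp\b", re.IGNORECASE)
GUID_EXE_RE = re.compile(r"\b[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\.exe\b", re.IGNORECASE)
START_B_RE = re.compile(r"\bstart\b.*\s/B\b", re.IGNORECASE)


def autorun_findings(regs: List[RegistryFinding]) -> List[str]:
    """Describe RUN-tagged entries whose command line shows common dropper traits."""
    out = []
    for r in regs:
        if "RUN" not in r.tags:
            continue
        reasons = []
        if TEMP_DIR_RE.search(r.value):
            reasons.append("launches from a user Temp directory")
        if GUID_EXE_RE.search(r.value):
            reasons.append("GUID-named executable")
        if START_B_RE.search(r.value):
            reasons.append("'start /B' runs it without opening a new window")
        if reasons:
            out.append(f"{r.key}\\{r.name}: {', '.join(reasons)} [{r.action}]")
    return out


def hooks_by_region(hooks: List[SsdtHook]) -> Dict[str, List[str]]:
    """Group hooked syscalls by the 64 KiB region of the hook target. Targets in one
    region usually belong to the same driver image, so the number of regions is a
    quick, heuristic estimate of how many hooking components are loaded."""
    regions: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        regions[f"0x{h.target >> 16:04X}"].append(h.syscall)
    return dict(regions)


if __name__ == "__main__":
    regs, hooks = parse_report(SAMPLE_REPORT)
    for finding in autorun_findings(regs):
        print(finding)
    for region, names in hooks_by_region(hooks).items():
        print(region, len(names), ", ".join(names))
```

On the sample the only RUN entry trips all three heuristics, and the four hook targets fall into four regions; in the full report above most targets cluster in 0x88C6 and 0x88C7, which is the pattern one expects from a single resident driver (a security product or, as here, something RogueKiller could not attribute) rather than many independent hooks.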
 

 



#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:33 PM

Posted 02 July 2013 - 12:17 AM



Hello earlbot

Let's get a deeper look into the system and let's see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.
Gringo



