
ICE Cyber Crime Malware


13 replies to this topic

#1 tbos88

Posted 07 July 2013 - 05:28 PM

How do I remove the ICE Cyber Crime Malware?


Edited by hamluis, 07 July 2013 - 06:31 PM.
No logs, moved to Am I Infected from Malware Removal Logs - Hamluis.



#2 xXToffeeXx (Malware Response Instructor)

Posted 08 July 2013 - 01:43 PM

Hello, and welcome to BleepingComputer. A few questions before I report your topic to those who deal with these types of infections: one, what version of Windows are you running? Two, can you boot into Safe Mode (instructions on how to do that are here)?

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 tbos88 (Topic Starter)

Posted 08 July 2013 - 01:58 PM




#4 tbos88 (Topic Starter)

Posted 08 July 2013 - 02:00 PM

Hi thanks for the reply. I have Windows 7 home premium 64 bit. I am unable to boot into safe mode. Each time I try the virus restarts me and takes me back to its hijack screen.

#5 xXToffeeXx (Malware Response Instructor)

Posted 08 July 2013 - 02:07 PM

Okay, thank you for the information, that will really help the team. Hopefully one of them should come and help you soon.

 

xXToffeeXx~




#6 JSntgRvr (Malware Response Team)

Posted 08 July 2013 - 02:34 PM

Hi and welcome.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

 

 


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 tbos88 (Topic Starter)

Posted 08 July 2013 - 07:34 PM

OK. Here's what it came up with.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-07-2013
Ran by SYSTEM on 07-07-2013 16:48:09
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: []  [x]
HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %PROGRAMFILES%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %PROGRAMFILES%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %PROGRAMFILES%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-02-23] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] %PROGRAMFILES%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %PROGRAMFILES%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %PROGRAMFILES%\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] "%PROGRAMFILES%\TOSHIBA\TECO\Teco.exe" /r [1483776 2010-02-25] (TOSHIBA Corporation)
HKLM-x32\...\Run: [VMM Mode Selection] C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe [43520 2011-02-14] ()
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1564872 2012-06-06] (Ask)
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [309184 2012-03-27] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe" [83232 2013-07-01] (Sendori, Inc.)
HKLM-x32\...\Run: [AgentMonitor] C:\Program Files (x86)\VTech\DownloadManager\System\AgentMonitor.exe [376776 2012-08-08] ()
HKLM-x32\...\Run: [ShopAtHomeWatcher] C:\Users\Ty\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe [103864 2012-10-18] ()
HKLM-x32\...\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [298376 2012-09-28] (LeapFrog Enterprises, Inc.)
HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [295512 2013-03-25] (RealNetworks, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1295736 2011-02-11] (TOSHIBA Corporation)
HKU\Ty\...\Run: [Best Buy pc app] C:\Users\Ty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [x]
HKU\Ty\...\Run: [Facebook Update] "C:\Users\Ty\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-11] (Facebook Inc.)
HKU\Ty\...\Run: [AdobeBridge]  [x]
HKU\Ty\...\Run: [SearchEngineProtection] C:\Program Files (x86)\GamesBar\update\SearchEngineProtection.exe [620480 2012-11-05] (Oberon Media )
HKU\Ty\...\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-04-05] (Apple Inc.)
HKU\Ty\...\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-04-05] (Apple Inc.)
HKU\Ty\...\Run: [com.apple.dav.bookmarks.daemon] C:\Program Files (x86)\Common Files\Apple\Internet Services\BookmarkDAV_client.exe [59720 2013-04-05] (Apple Inc.)
HKU\Ty\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-10-14] (Google Inc.)
HKU\Ty\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Ty\AppData\Local\Temp\xkerpyqhqtansgjfb.exe [46080 2013-07-06] (NVIDIA Corporation) <===== ATTENTION
HKU\Ty\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Ty\...\Command Processor: "C:\Users\Ty\AppData\Local\Temp\xkerpyqhqtansgjfb.exe" <===== ATTENTION!
AppInit_DLLs-x32: c:\progra~3\browse~1\261070~1.41\{c16c1~1\browse~1.dll  c:\progra~2\safesa~1\sprote~1.dll [1050112 2013-01-24] ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Ty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart 5510 series.lnk
ShortcutTarget: Monitor Ink Alerts - HP Photosmart 5510 series.lnk -> C:\Program Files\HP\HP Photosmart 5510 series\bin\HPStatusBL.dll (Hewlett-Packard Co.)

==================== Services (Whitelisted) =================

S2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [119072 2013-07-01] (Sendori, Inc.)
S2 BrowserProtect; C:\ProgramData\BrowserProtect\2.6.1070.41\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [2554472 2013-01-04] ()
S2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2009-09-15] (Alcatel-Lucent)
S2 N360; C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)
S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-03-05] ()
S2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [22304 2013-07-01] (sendori)
S2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3623200 2013-07-01] (Sendori)
S2 WajamUpdater; C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [109064 2012-10-05] (Wajam)

==================== Drivers (Whitelisted) ====================

S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\Definitions\BASHDefs\20130702.001\BHDrvx64.sys [1393240 2013-05-20] (Symantec Corporation)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\Definitions\BASHDefs\20130702.001\BHDrvx64.sys [1393240 2013-05-20] (Symantec Corporation)
S1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1404000.028\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2013-07-03] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2013-07-03] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2013-07-03] (Symantec Corporation)
S3 FlyUsb; C:\Windows\System32\DRIVERS\FlyUsb.sys [24576 2012-09-28] (LeapFrog)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\Definitions\IPSDefs\20130705.001\IDSvia64.sys [513184 2013-07-04] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\Definitions\IPSDefs\20130705.001\IDSvia64.sys [513184 2013-07-04] (Symantec Corporation)
S3 MREMP50; C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [21248 2009-09-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MREMP50; C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [21248 2009-09-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MREMP50a64; C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [43008 2009-09-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [20096 2009-09-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [20096 2009-09-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50a64; C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [40960 2009-09-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\Definitions\VirusDefs\20130707.005\ENG64.SYS [126040 2013-07-03] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\Definitions\VirusDefs\20130707.005\ENG64.SYS [126040 2013-07-03] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\Definitions\VirusDefs\20130707.005\EX64.SYS [2098776 2013-07-03] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.4.0.40\Definitions\VirusDefs\20130707.005\EX64.SYS [2098776 2013-07-03] (Symantec Corporation)
S1 SRTSP; C:\Windows\system32\drivers\N360x64\1404000.028\SRTSP64.SYS [796760 2013-05-15] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\N360x64\1404000.028\SRTSPX64.SYS [36952 2013-03-04] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\N360x64\1404000.028\SYMDS64.SYS [493656 2013-05-20] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\N360x64\1404000.028\SYMEFA64.SYS [1139800 2013-05-22] (Symantec Corporation)
S3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-07-04] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\N360x64\1404000.028\Ironx64.SYS [224416 2013-03-04] (Symantec Corporation)
S1 SymNetS; C:\Windows\system32\drivers\N360x64\1404000.028\SYMNETS.SYS [433752 2013-04-24] (Symantec Corporation)
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-07 16:47 - 2013-07-07 16:47 - 00000000 ____D C:\FRST
2013-07-06 18:47 - 2013-07-06 18:47 - 02019330 ____A C:\Users\Ty\AppData\Roaming\2433f433
2013-07-06 18:47 - 2013-07-06 18:47 - 02019298 ____A C:\Users\Ty\AppData\Local\2433f433
2013-07-06 18:47 - 2013-07-06 18:47 - 02019292 ____A C:\ProgramData\2433f433
2013-07-06 11:51 - 2013-07-06 11:52 - 00001186 ____A C:\Users\Ty\Desktop\FrostWire 5.6.2.lnk
2013-07-06 11:50 - 2013-06-06 12:41 - 00489392 ____A (Ask Partner Network) C:\Users\Ty\Documents\APNSetup.exe
2013-07-04 17:29 - 2013-07-04 17:29 - 00177312 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2013-07-04 17:29 - 2013-07-04 17:29 - 00007631 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2013-07-04 17:29 - 2013-07-04 17:29 - 00002366 ____A C:\Users\Public\Desktop\Norton 360.lnk
2013-07-04 17:29 - 2013-07-04 17:29 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-07-04 17:27 - 2013-07-04 17:27 - 00000000 ____D C:\Windows\System32\Drivers\N360x64
2013-07-04 17:27 - 2013-07-04 17:27 - 00000000 ____D C:\Program Files (x86)\Norton 360
2013-06-19 19:30 - 2013-06-19 19:32 - 00000000 ____D C:\Users\Ty\AppData\Local\File Viewer
2013-06-19 19:29 - 2013-06-19 19:30 - 00539633 ____A C:\Users\Ty\Downloads\taxReturn (1).tax2012
2013-06-19 19:29 - 2013-06-19 19:29 - 00539633 ____A C:\Users\Ty\Downloads\taxReturn.tax2012
2013-06-19 19:14 - 2013-06-29 16:29 - 00000000 ____D C:\Program Files (x86)\SearchDonkey
2013-06-19 19:14 - 2013-06-29 16:28 - 00000000 ____D C:\Program Files (x86)\File Viewer
2013-06-19 19:14 - 2013-06-29 16:28 - 00000000 ____D C:\Program Files (x86)\File Identifier
2013-06-19 19:14 - 2013-06-19 19:28 - 00000967 ____A C:\Users\Public\Desktop\File Viewer.lnk
2013-06-19 19:12 - 2013-06-19 19:12 - 00000000 ____D C:\ProgramData\APN
2013-06-14 02:24 - 2013-05-16 19:09 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-14 02:24 - 2013-05-16 19:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-14 02:24 - 2013-05-16 19:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet(1868).dll
2013-06-14 02:24 - 2013-05-16 19:02 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-14 02:24 - 2013-05-16 19:02 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon(1838).dll
2013-06-14 02:24 - 2013-05-16 19:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-14 02:24 - 2013-05-16 19:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-14 02:24 - 2013-05-16 18:58 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-14 02:24 - 2013-05-16 18:56 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-14 02:24 - 2013-05-16 18:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-14 02:24 - 2013-05-16 18:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-14 02:24 - 2013-05-16 18:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-14 02:24 - 2013-05-16 18:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-14 02:24 - 2013-05-16 18:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-14 02:24 - 2013-05-16 18:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-14 02:24 - 2013-05-16 14:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-14 02:24 - 2013-05-16 14:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-14 02:24 - 2013-05-16 14:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet(1990).dll
2013-06-14 02:24 - 2013-05-16 14:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-14 02:24 - 2013-05-16 14:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon(1982).dll
2013-06-14 02:24 - 2013-05-16 14:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-06-14 02:24 - 2013-05-16 14:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-06-14 02:24 - 2013-05-16 14:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-14 02:24 - 2013-05-16 14:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-06-14 02:24 - 2013-05-16 14:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-06-14 02:24 - 2013-05-16 14:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-14 02:24 - 2013-05-16 14:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-06-14 02:24 - 2013-05-16 14:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-14 02:24 - 2013-05-16 14:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-14 02:23 - 2013-05-16 20:05 - 17824768 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-14 02:23 - 2013-05-16 19:27 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-14 02:23 - 2013-05-16 18:53 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-14 02:23 - 2013-05-16 15:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-14 02:23 - 2013-05-16 14:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-14 02:23 - 2013-05-16 14:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-14 02:23 - 2013-05-16 14:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-14 02:23 - 2013-05-16 14:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil(1926).dll
2013-06-13 21:46 - 2013-06-13 21:46 - 00011413 ____A C:\Users\Ty\Documents\WLMContacts.csv
2013-06-13 19:03 - 2013-06-29 16:29 - 00000000 ____D C:\Program Files (x86)\SafeSaver
2013-06-13 19:03 - 2013-06-13 19:03 - 00000000 ____D C:\ProgramData\StarApp
2013-06-13 18:57 - 2013-06-13 19:03 - 00000000 ____D C:\ProgramData\InstallMate
2013-06-13 18:43 - 2013-06-13 18:43 - 00000000 ____D C:\Users\Ty\AppData\Roaming\Mozilla
2013-06-13 18:42 - 2013-06-13 18:42 - 00000000 ____D C:\Users\Ty\AppData\Local\nCryptedCloud
2013-06-13 18:41 - 2013-06-13 18:41 - 00000000 ____D C:\Users\Ty\AppData\Roaming\nCryptedCloud
2013-06-13 18:39 - 2013-06-13 18:49 - 00000000 ____D C:\Users\Ty\AppData\Roaming\BitTorrent
2013-06-12 08:04 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-12 08:04 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32(1670).dll
2013-06-12 08:04 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-12 08:04 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-12 08:04 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet(1673).dll
2013-06-12 08:04 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-12 08:04 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-12 08:04 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32(1907).dll
2013-06-12 08:04 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-12 08:04 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-12 08:04 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet(1909).dll
2013-06-12 08:04 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-12 08:04 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-12 08:04 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-12 08:04 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-12 08:04 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-12 08:04 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-12 08:04 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-12 08:04 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-12 08:04 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-06-12 08:04 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-12 08:04 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs(1866).dll
2013-06-12 08:03 - 2013-04-25 15:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-12 08:03 - 2013-03-31 14:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-09 16:31 - 2013-06-09 16:31 - 00001754 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-09 16:30 - 2013-06-29 16:29 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-09 16:30 - 2013-06-29 16:29 - 00000000 ____D C:\Program Files\iTunes
2013-06-09 16:30 - 2013-06-29 16:28 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-09 16:30 - 2013-06-09 16:30 - 00000000 ____D C:\Program Files\iPod
2013-06-09 16:21 - 2013-06-29 16:29 - 00000000 ____D C:\Program Files (x86)\QuickTime
2013-06-09 16:21 - 2013-06-09 16:21 - 00001816 ____A C:\Users\Public\Desktop\QuickTime Player.lnk

==================== One Month Modified Files and Folders =======

2013-07-07 16:47 - 2013-07-07 16:47 - 00000000 ____D C:\FRST
2013-07-07 13:32 - 2012-03-28 17:29 - 01995341 ____A C:\Windows\WindowsUpdate.log
2013-07-07 13:31 - 2009-07-13 20:51 - 00074797 ____A C:\Windows\setupact.log
2013-07-07 13:19 - 2013-01-05 08:04 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-07 13:17 - 2010-10-14 20:04 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-07 11:28 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-07 11:28 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-07 11:23 - 2012-06-19 13:49 - 00000916 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1700098618-1420843639-2691858636-1001UA.job
2013-07-06 20:43 - 2010-10-14 20:04 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-06 20:43 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-06 19:09 - 2013-03-25 15:39 - 00000000 ____A C:\END
2013-07-06 18:47 - 2013-07-06 18:47 - 02019330 ____A C:\Users\Ty\AppData\Roaming\2433f433
2013-07-06 18:47 - 2013-07-06 18:47 - 02019298 ____A C:\Users\Ty\AppData\Local\2433f433
2013-07-06 18:47 - 2013-07-06 18:47 - 02019292 ____A C:\ProgramData\2433f433
2013-07-06 16:12 - 2012-07-01 16:34 - 00000000 ____D C:\Users\Ty\.frostwire5
2013-07-06 15:53 - 2012-03-31 16:56 - 00000000 ____D C:\Users\Ty\AppData\Local\CrashDumps
2013-07-06 15:15 - 2009-07-13 21:13 - 00727310 ____A C:\Windows\System32\PerfStringBackup.INI
2013-07-06 13:59 - 2012-06-19 13:49 - 00000894 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1700098618-1420843639-2691858636-1001Core.job
2013-07-06 12:42 - 2010-10-14 20:32 - 01135310 ____A C:\Windows\PFRO.log
2013-07-06 11:52 - 2013-07-06 11:51 - 00001186 ____A C:\Users\Ty\Desktop\FrostWire 5.6.2.lnk
2013-07-06 11:51 - 2012-07-01 16:32 - 00000000 ____D C:\Program Files (x86)\FrostWire 5
2013-07-06 11:42 - 2012-04-15 10:12 - 00000000 ____D C:\Users\Ty\AppData\Roaming\Skype
2013-07-06 08:36 - 2012-10-08 18:04 - 00000000 ____D C:\ProgramData\Freemake
2013-07-06 08:36 - 2012-10-08 18:04 - 00000000 ____D C:\Program Files (x86)\Freemake
2013-07-06 08:30 - 2012-09-03 14:03 - 00000000 ____D C:\Users\Ty\AppData\Roaming\DVDVideoSoft
2013-07-06 08:28 - 2012-05-06 20:24 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-07-06 08:28 - 2010-10-14 19:57 - 00000000 ____D C:\ProgramData\Adobe
2013-07-06 06:37 - 2012-03-28 17:53 - 00000000 ____D C:\ProgramData\Norton
2013-07-06 06:32 - 2012-03-30 13:45 - 00001271 ____A C:\Users\Ty\Desktop\Norton Installation Files.lnk
2013-07-06 06:13 - 2012-12-09 19:05 - 00000000 ____D C:\Users\Public\Documents\2012_12_09
2013-07-04 19:04 - 2012-12-30 09:49 - 00000000 ____D C:\Program Files (x86)\Coupon Companion Plugin
2013-07-04 17:29 - 2013-07-04 17:29 - 00177312 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2013-07-04 17:29 - 2013-07-04 17:29 - 00007631 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2013-07-04 17:29 - 2013-07-04 17:29 - 00002366 ____A C:\Users\Public\Desktop\Norton 360.lnk
2013-07-04 17:29 - 2013-07-04 17:29 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-07-04 17:27 - 2013-07-04 17:27 - 00000000 ____D C:\Windows\System32\Drivers\N360x64
2013-07-04 17:27 - 2013-07-04 17:27 - 00000000 ____D C:\Program Files (x86)\Norton 360
2013-07-04 17:25 - 2012-08-01 12:52 - 00000000 ____D C:\ProgramData\McAfee
2013-07-04 17:21 - 2009-07-13 21:08 - 00000000 ____D C:\users\Administrator
2013-07-04 17:15 - 2012-03-30 13:45 - 00000000 ____D C:\Users\Public\Downloads\Norton
2013-07-02 23:05 - 2012-03-31 17:29 - 00000000 ____D C:\Users\Ty\AppData\Local\Adobe
2013-07-02 19:38 - 2012-10-08 18:06 - 00000000 ____D C:\ProgramData\Sendori
2013-07-02 19:38 - 2012-10-08 18:06 - 00000000 ____D C:\Program Files (x86)\Sendori
2013-07-01 11:28 - 2012-10-08 18:06 - 00325920 ____A (Sendori) C:\Windows\SysWOW64\Sendori.dll
2013-06-29 18:36 - 2012-03-30 12:54 - 00000000 ____D C:\users\Ty
2013-06-29 16:31 - 2010-10-14 19:57 - 00000000 ____D C:\ProgramData\Blio
2013-06-29 16:31 - 2010-10-14 19:57 - 00000000 ____D C:\Program Files (x86)\PlayReady
2013-06-29 16:31 - 2010-10-14 19:20 - 00000000 ____D C:\Program Files\PlayReady
2013-06-29 16:31 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker
2013-06-29 16:31 - 2009-07-13 19:20 - 00000000 __RSD C:\Windows\Media
2013-06-29 16:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2013-06-29 16:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Recovery
2013-06-29 16:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2013-06-29 16:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\L2Schemas
2013-06-29 16:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\IME
2013-06-29 16:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Cursors
2013-06-29 16:31 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2013-06-29 16:31 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Services
2013-06-29 16:30 - 2013-05-30 18:31 - 00000000 ___RD C:\Users\Ty\Dropbox
2013-06-29 16:30 - 2012-11-18 06:29 - 00000000 ____D C:\ProgramData\Real
2013-06-29 16:30 - 2012-11-05 18:19 - 00000000 ____D C:\Users\Ty\Desktop\Adobe Photoshop CS6
2013-06-29 16:30 - 2012-10-27 09:07 - 00000000 ___RD C:\Users\Ty\SkyDrive
2013-06-29 16:30 - 2012-07-30 08:39 - 00000000 ____D C:\Users\Ty\AppData\Roaming\ICAClient
2013-06-29 16:30 - 2012-06-28 18:39 - 00000000 ____D C:\ProgramData\Yahoo! Companion
2013-06-29 16:30 - 2012-05-16 18:07 - 00000000 ____D C:\tcConference
2013-06-29 16:30 - 2012-04-06 16:15 - 00000000 __SHD C:\ProgramData\{32364CEA-7855-4A3C-B674-53D8E9B97936}
2013-06-29 16:30 - 2012-03-28 17:51 - 00000000 __HDC C:\ProgramData\{FBF3739B-717D-4429-BCEB-98D514E65F29}
2013-06-29 16:30 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2013-06-29 16:30 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\restore
2013-06-29 16:30 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2013-06-29 16:30 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Portable Devices
2013-06-29 16:30 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2013-06-29 16:30 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2013-06-29 16:30 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2013-06-29 16:30 - 2009-07-13 19:20 - 00000000 __RHD C:\Users\Public\Libraries
2013-06-29 16:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-06-29 16:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-06-29 16:29 - 2013-06-19 19:14 - 00000000 ____D C:\Program Files (x86)\SearchDonkey
2013-06-29 16:29 - 2013-06-13 19:03 - 00000000 ____D C:\Program Files (x86)\SafeSaver
2013-06-29 16:29 - 2013-06-09 16:30 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-29 16:29 - 2013-06-09 16:30 - 00000000 ____D C:\Program Files\iTunes
2013-06-29 16:29 - 2013-06-09 16:21 - 00000000 ____D C:\Program Files (x86)\QuickTime
2013-06-29 16:29 - 2013-03-14 07:34 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-06-29 16:29 - 2013-03-14 07:34 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-06-29 16:29 - 2013-01-13 19:14 - 00000000 ____D C:\Program Files (x86)\World of Warcraft
2013-06-29 16:29 - 2012-12-30 09:49 - 00000000 ____D C:\Program Files (x86)\Wajam
2013-06-29 16:29 - 2012-11-14 19:10 - 00000000 ____D C:\Program Files (x86)\Scratch
2013-06-29 16:29 - 2012-10-27 09:07 - 00000000 ____D C:\Program Files (x86)\Microsoft SkyDrive
2013-06-29 16:29 - 2012-08-04 08:01 - 00000000 ____D C:\Program Files (x86)\Solid Mp4 to DVD Converter and Burner
2013-06-29 16:29 - 2012-07-01 14:41 - 00000000 ____D C:\Program Files (x86)\NCH_EN
2013-06-29 16:29 - 2012-06-06 18:55 - 00000000 ____D C:\Program Files (x86)\Microsoft Works
2013-06-29 16:29 - 2012-06-06 18:09 - 00000000 ____D C:\Program Files\WinZip
2013-06-29 16:29 - 2012-06-06 16:16 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-06-29 16:29 - 2012-04-25 13:36 - 00000000 ____D C:\Program Files (x86)\SystemRequirementsLab
2013-06-29 16:29 - 2012-04-25 05:41 - 00000000 ____D C:\Program Files\Common Files\Motive
2013-06-29 16:29 - 2012-04-15 10:11 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-06-29 16:29 - 2012-03-31 12:51 - 00000000 ____D C:\Program Files (x86)\Vuze
2013-06-29 16:29 - 2012-03-30 14:43 - 00000000 ____D C:\Program Files\Bonjour
2013-06-29 16:29 - 2012-03-28 17:51 - 00000000 ____D C:\ProgramData\Best Buy pc app
2013-06-29 16:29 - 2012-03-28 17:38 - 00000000 ____D C:\Program Files (x86)\Realtek WLAN Driver
2013-06-29 16:29 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\MSBuild
2013-06-29 16:28 - 2013-06-19 19:14 - 00000000 ____D C:\Program Files (x86)\File Viewer
2013-06-29 16:28 - 2013-06-19 19:14 - 00000000 ____D C:\Program Files (x86)\File Identifier
2013-06-29 16:28 - 2013-06-09 16:30 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-29 16:28 - 2013-01-26 11:31 - 00000000 ____D C:\Program Files (x86)\Flash Player Pro
2013-06-29 16:28 - 2013-01-03 20:37 - 00000000 ____D C:\Program Files (x86)\GameFly
2013-06-29 16:28 - 2012-11-05 18:06 - 00000000 ____D C:\Program Files (x86)\GamesBar
2013-06-29 16:28 - 2012-11-05 18:06 - 00000000 ____D C:\Program Files (x86)\File Type Assistant
2013-06-29 16:28 - 2012-08-04 09:41 - 00000000 ____D C:\Program Files (x86)\Free PDF to Word Doc Converter
2013-06-29 16:28 - 2012-08-04 07:48 - 00000000 ____D C:\Program Files (x86)\Free Easy CD DVD Burner
2013-06-29 16:28 - 2012-06-28 18:39 - 00000000 ____D C:\Program Files (x86)\InfraRecorder
2013-06-29 16:28 - 2012-03-30 14:39 - 00000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2013-06-29 16:27 - 2012-11-05 18:06 - 00000000 ____D C:\Program Files (x86)\BitZipper
2013-06-29 16:27 - 2012-10-19 18:21 - 00000000 ____D C:\Program Files (x86)\AVS4YOU
2013-06-29 16:27 - 2012-10-02 16:08 - 00000000 ____D C:\Program Files (x86)\Adobe Download Assistant
2013-06-29 16:27 - 2012-09-29 18:34 - 00000000 ____D C:\Program Files (x86)\Acoustica Shared Effects
2013-06-29 16:27 - 2012-09-29 18:30 - 00000000 ____D C:\Program Files (x86)\Acoustica Mixcraft 5
2013-06-29 16:27 - 2012-08-15 20:30 - 00000000 ____D C:\9d7452acaace66f849dc58f9fa83
2013-06-29 16:27 - 2012-07-01 16:34 - 00000000 ____D C:\Program Files (x86)\Ask.com
2013-06-29 16:27 - 2012-04-25 05:41 - 00000000 ____D C:\Program Files (x86)\ATT-SST
2013-06-29 16:27 - 2012-03-30 14:44 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2013-06-29 16:27 - 2012-03-30 14:43 - 00000000 ____D C:\Program Files (x86)\Bonjour
2013-06-29 16:19 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-06-29 15:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\LiveKernelReports
2013-06-20 15:16 - 2009-07-13 21:08 - 00032570 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-20 15:16 - 2009-07-13 21:08 - 00032570 ____A C:\Windows\Tasks\SCHEDLGU(2005).TXT
2013-06-19 19:32 - 2013-06-19 19:30 - 00000000 ____D C:\Users\Ty\AppData\Local\File Viewer
2013-06-19 19:30 - 2013-06-19 19:29 - 00539633 ____A C:\Users\Ty\Downloads\taxReturn (1).tax2012
2013-06-19 19:29 - 2013-06-19 19:29 - 00539633 ____A C:\Users\Ty\Downloads\taxReturn.tax2012
2013-06-19 19:28 - 2013-06-19 19:14 - 00000967 ____A C:\Users\Public\Desktop\File Viewer.lnk
2013-06-19 19:12 - 2013-06-19 19:12 - 00000000 ____D C:\ProgramData\APN
2013-06-16 12:34 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-06-14 02:13 - 2012-03-31 18:50 - 75825640 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-13 21:46 - 2013-06-13 21:46 - 00011413 ____A C:\Users\Ty\Documents\WLMContacts.csv
2013-06-13 21:12 - 2012-07-01 16:21 - 00000000 ____D C:\Users\Ty\AppData\Local\Windows Live
2013-06-13 19:08 - 2013-05-30 18:27 - 00000000 ____D C:\Users\Ty\AppData\Roaming\Dropbox
2013-06-13 19:03 - 2013-06-13 19:03 - 00000000 ____D C:\ProgramData\StarApp
2013-06-13 19:03 - 2013-06-13 18:57 - 00000000 ____D C:\ProgramData\InstallMate
2013-06-13 18:49 - 2013-06-13 18:39 - 00000000 ____D C:\Users\Ty\AppData\Roaming\BitTorrent
2013-06-13 18:49 - 2012-03-31 12:50 - 00000000 ____D C:\Users\Ty\AppData\Local\Conduit
2013-06-13 18:45 - 2012-07-01 14:41 - 00000000 ____D C:\Users\Ty\AppData\Local\CRE
2013-06-13 18:43 - 2013-06-13 18:43 - 00000000 ____D C:\Users\Ty\AppData\Roaming\Mozilla
2013-06-13 18:42 - 2013-06-13 18:42 - 00000000 ____D C:\Users\Ty\AppData\Local\nCryptedCloud
2013-06-13 18:41 - 2013-06-13 18:41 - 00000000 ____D C:\Users\Ty\AppData\Roaming\nCryptedCloud
2013-06-12 09:19 - 2013-02-26 17:19 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-06-12 09:19 - 2013-01-05 08:04 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-12 09:19 - 2013-01-05 08:04 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-10 10:26 - 2009-07-13 19:20 - 00000000 ___AD C:\Windows\System32\sysprep
2013-06-09 16:31 - 2013-06-09 16:31 - 00001754 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-09 16:30 - 2013-06-09 16:30 - 00000000 ____D C:\Program Files\iPod
2013-06-09 16:21 - 2013-06-09 16:21 - 00001816 ____A C:\Users\Public\Desktop\QuickTime Player.lnk

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-07-04 06:31:15
Restore point made on: 2013-07-06 05:40:15
Restore point made on: 2013-07-06 08:37:08

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 3893.86 MB
Available physical RAM: 3284.54 MB
Total Pagefile: 3892.01 MB
Available Pagefile: 3298.88 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: (TI106033W0C) (Fixed) (Total:441.41 GB) (Free:124.76 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive d: (TOSHIBA System Volume) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
Drive f: (USB20FD) (Removable) (Total:7.59 GB) (Free:7.59 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: EB45C880)
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=441 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=23 GB) - (Type=17)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 8 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=8 GB) - (Type=0C)

LastRegBack: 2013-07-03 16:14

==================== End Of Log ============================



#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,553 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:26 PM

Posted 08 July 2013 - 08:43 PM

Download the enclosed file. [attachment=139638:fixlist.txt]
 
Save it next to FRST.
 
Run FRST as you did before, except that this time around click on the Fix button and wait.
 
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
 
Boot in Normal Mode. If successful, follow these steps:

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
Download AdwCleaner from here to your desktop.
Run AdwCleaner and select Delete.


Once done, it will ask to reboot; allow this.
On reboot a log will be produced at C:\ADWCleaner[XX].txt; please post it in your next reply.

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 tbos88

tbos88
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 08 July 2013 - 08:59 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-07-2013
Ran by Ty at 2013-07-08 20:57:13 Run:1
Running from D:\
Boot Mode: Normal
==============================================

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1564872 2012-06-06 => Value not found.
HKU\Ty\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Ty\AppData\Local\Temp\xkerpyqhqtansgjfb.exe [46080 2013-07-06 => Value not found.
HKU\Ty\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.
HKU\Ty\Software\Microsoft\Command Processor\\AutoRun => Value not found.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs => Value was restored successfully.
C:\Users\Ty\AppData\Roaming\2433f433 => Moved successfully.
C:\Users\Ty\AppData\Local\2433f433 => Moved successfully.
C:\ProgramData\2433f433 => Moved successfully.
C:\Windows\Tasks\Adobe Flash Player Updater.job => Moved successfully.

==== End of Fixlog ====



#10 tbos88

tbos88
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 08 July 2013 - 11:11 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.0.1 (07.08.2013:5)
OS: Windows 7 Home Premium x64
Ran by Ty on Mon 07/08/2013 at 22:48:05.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

Successfully stopped: [Service] browserprotect
Successfully deleted: [Service] browserprotect
Successfully stopped: [Service] wajamupdater
Successfully deleted: [Service] wajamupdater

 

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\apnupdater
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\best buy pc app
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\searchengineprotection
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{ae07101b-46d4-4a98-af68-0333ea26e113}
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\Default_Search_URL
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\\Default
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\searchURL\\Default
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\SearchAssistant
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440}

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\babylon
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Failed to delete: [Registry Key] HKEY_CURRENT_USER\Software\datamngr
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\datamngr
Failed to delete: [Registry Key] HKEY_CURRENT_USER\Software\datamngr_toolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\freeze.com
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\installedbrowserextensions
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\wajam
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\wajam
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduitsearchscopes
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\crossrider
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\pricegong
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\sprotector
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\toolbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\windows\currentversion\ext\bprotectsettings
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\appid\genericasktoolbar.dll
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\appid\priam_bho.dll
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\appid\yontooieclient.dll
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\genericasktoolbar.toolbarwnd
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\genericasktoolbar.toolbarwnd.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\features\a28b4d68debaa244eb686953b7074fef
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\products\a28b4d68debaa244eb686953b7074fef
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\prod.cap
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\wajam.wajambho
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\wajam.wajambho.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\wajam.wajamdownloader
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\wajam.wajamdownloader.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\yontooieclient.api
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\yontooieclient.api.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\yontooieclient.layers
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\yontooieclient.layers.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\conduitinstaller_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\conduitinstaller_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\mybabylontb_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\mybabylontb_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\snapdo_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\snapdo_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\wajamupdater_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\wajamupdater_rasmancs
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\datamngr
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\sp global
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\sprotector
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CrossriderApp0021804.BHO
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CrossriderApp0021804.BHO.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CrossriderApp0021804.Sandbox
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CrossriderApp0021804.Sandbox.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\classes\CrossriderApp0021804.BHO
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\classes\CrossriderApp0021804.BHO.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\classes\CrossriderApp0021804.Sandbox
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\classes\CrossriderApp0021804.Sandbox.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\classes\Toolbar.CT2801948
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\classes\Toolbar.CT3225826
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{22222222-2222-2222-2222-220222182204}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\wow6432node\clsid\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\wow6432node\clsid\{22222222-2222-2222-2222-220222182204}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2CCCB7FD-C698-4240-8734-A6C6BF69B75B}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{36377DD7-B3EB-42f5-986F-680BAF59BA9D}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{398E10A2-74A1-43F9-BB97-2CDFC997D353}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37483B40-C254-4A72-BDA4-22EE90182C1E}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{872B5B88-9DB5-4310-BDD0-AC189557E5F5}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Successfully deleted: [Registry Key] "hkey_current_user\software\apn pip"
Successfully deleted: [Registry Key] "hkey_current_user\software\apn"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\asktoolbar"
Successfully deleted: [Registry Key] "hkey_current_user\software\ask.com"
Successfully deleted: [Registry Key] "hkey_local_machine\software\apn"
Successfully deleted: [Registry Key] "hkey_local_machine\software\asktoolbar"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\{9b0cb95c-933a-4b8c-b6d4-edcd19a43874}"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\interface\{ac71b60e-94c9-4ede-ba46-e146747bb67e}"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\typelib\{2996f0e7-292b-4cae-893f-47b8b1c05b56}"
Successfully deleted: [Registry Key] "hkey_local_machine\software\pip"

 

~~~ Files

Successfully deleted: [File] "C:\end"
Successfully deleted: [File] "C:\users\default user\start menu\programs\startup\best buy pc app.lnk"
Successfully deleted: [File] C:\windows\syswow64\shoBEB8.tmp

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\babylon"
Successfully deleted: [Folder] "C:\ProgramData\best buy pc app"
Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"
Successfully deleted: [Folder] "C:\ProgramData\browserprotect"
Successfully deleted: [Folder] "C:\ProgramData\installmate"
Successfully deleted: [Folder] "C:\ProgramData\tarma installer"
Successfully deleted: [Folder] "C:\Users\Ty\AppData\Roaming\babylon"
Successfully deleted: [Folder] "C:\Users\Ty\AppData\Roaming\claro"
Successfully deleted: [Folder] "C:\Users\Ty\AppData\Roaming\claro ltd"
Successfully deleted: [Folder] "C:\Users\Ty\AppData\Roaming\opencandy"
Successfully deleted: [Folder] "C:\Users\Ty\appdata\local\best buy pc app"
Successfully deleted: [Folder] "C:\Users\Ty\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\Ty\appdata\local\coupon companion plugin"
Successfully deleted: [Folder] "C:\Users\Ty\appdata\local\visi_coupon"
Successfully deleted: [Folder] "C:\Users\Ty\appdata\local\wajam"
Successfully deleted: [Folder] "C:\Users\Ty\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Users\Ty\appdata\locallow\nch_en"
Successfully deleted: [Folder] "C:\Users\Ty\appdata\locallow\pricegong"
Successfully deleted: [Folder] "C:\Program Files (x86)\conduit"
Successfully deleted: [Folder] "C:\Program Files (x86)\coupon companion plugin"
Successfully deleted: [Folder] "C:\Program Files (x86)\gamesagogo_w3i"
Successfully deleted: [Folder] "C:\Program Files (x86)\gamesbar"
Successfully deleted: [Folder] "C:\Program Files (x86)\nch_en"
Successfully deleted: [Folder] "C:\Program Files (x86)\oapps"
Successfully deleted: [Folder] "C:\Program Files (x86)\wajam"
Successfully deleted: [Folder] "C:\Program Files (x86)\yontoo"
Successfully deleted: [Folder] "C:\Users\Ty\AppData\Roaming\microsoft\windows\start menu\programs\browserprotect"
Successfully deleted: [Folder] "C:\Users\Ty\AppData\Roaming\microsoft\windows\start menu\programs\wajam"
Successfully deleted: [Empty Folder] C:\Users\Ty\appdata\local\{3E7D8715-51CD-492B-9EFC-EBFF4F670725}
Successfully deleted: [Empty Folder] C:\Users\Ty\appdata\local\{547E0494-7DB4-48FF-AF5F-CDB9BF4E1217}
Successfully deleted: [Empty Folder] C:\Users\Ty\appdata\local\{A964F2C8-F9A0-4809-B44A-2E15470F38B6}
Successfully deleted: [Empty Folder] C:\Users\Ty\appdata\local\{AD71C748-C2CB-482F-9C80-BC7B2B101FFB}
Successfully deleted: [Empty Folder] C:\Users\Ty\appdata\local\{B2B36C8C-9C15-4089-8B14-8C7111B1F72E}
Successfully deleted: [Folder] "C:\Users\Ty\appdata\locallow\asktoolbar"
Successfully deleted: [Folder] "C:\Program Files (x86)\ask.com"
Successfully deleted: [Folder] "C:\windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}"

 

~~~ Chrome

Successfully deleted: [Folder] C:\Users\Ty\appdata\local\Google\Chrome\User Data\Default\Extensions\dknkjnkhedbanphkkpbpcgoblmkbfhlf
Successfully deleted: [Folder] C:\Users\Ty\appdata\local\Google\Chrome\User Data\Default\Extensions\jneaojaoiajhnemidnjhoempalnidbhj
Successfully deleted: [Folder] C:\Users\Ty\appdata\local\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Successfully deleted: [Folder] C:\Users\Ty\appdata\local\Google\Chrome\User Data\Default\Extensions\pgafcinpmmpklohkojmllohdhomoefph
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\dknkjnkhedbanphkkpbpcgoblmkbfhlf
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\dknkjnkhedbanphkkpbpcgoblmkbfhlf
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\jneaojaoiajhnemidnjhoempalnidbhj
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\pgafcinpmmpklohkojmllohdhomoefph

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 07/08/2013 at 22:57:33.07
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#11 tbos88

tbos88
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 09 July 2013 - 06:38 AM

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.09.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Ty :: TY-PC [administrator]

Protection: Enabled

7/9/2013 6:27:00 AM
mbam-log-2013-07-09 (06-27-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226860
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCR\AppID\{F85FA3F2-D2C8-4D4D-BB1C-3181E691AF2B} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\Typelib\{A3F56272-CDB4-4310-9BB1-9A0D0757A3B3} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\Interface\{D6975F9E-15B2-4FE7-9D16-FC2E85CB201B} (PUP.FaceThemes) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Ty\Templates\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.

(end)
2013/07/09 06:25:30 -0500 TY-PC Ty MESSAGE Starting protection
2013/07/09 06:25:30 -0500 TY-PC Ty MESSAGE Protection started successfully
2013/07/09 06:25:30 -0500 TY-PC Ty MESSAGE Starting IP protection
2013/07/09 06:25:53 -0500 TY-PC Ty MESSAGE IP Protection started successfully
2013/07/09 06:26:00 -0500 TY-PC Ty MESSAGE Starting database refresh
2013/07/09 06:26:00 -0500 TY-PC Ty MESSAGE Stopping IP protection
2013/07/09 06:26:07 -0500 TY-PC Ty MESSAGE IP Protection stopped successfully
2013/07/09 06:26:10 -0500 TY-PC Ty MESSAGE Database refreshed successfully
2013/07/09 06:26:10 -0500 TY-PC Ty MESSAGE Starting IP protection
2013/07/09 06:26:14 -0500 TY-PC Ty MESSAGE IP Protection started successfully
2013/07/09 06:31:45 -0500 TY-PC Ty MESSAGE Executing scheduled update:  Daily
2013/07/09 06:31:58 -0500 TY-PC Ty MESSAGE Database already up-to-date
#12 JSntgRvr (Master Surgeon General, Malware Response Team, 11,553 posts, Puerto Rico)

Posted 09 July 2013 - 11:17 AM

How is the computer doing?


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#13 tbos88 (Topic Starter, Members, 8 posts)

Posted 09 July 2013 - 11:31 AM

Everything seems to be back to normal. Thanks for all of your help. Do you have any idea what I did to contract this infection? I would hate to fall into the same trap.

#14 JSntgRvr (Master Surgeon General, Malware Response Team, 11,553 posts, Puerto Rico)

Posted 09 July 2013 - 11:45 AM

Congratulations.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Remove the C:\FRST folder

Manually remove any tool left.

Here are some suggestions.
  • Always keep your JAVA updated. Older versions will make your computer vulnerable.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft.  To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place, and some great guidelines to follow to prevent future infections, you can read this article by Miekiemoes.

Best wishes! :hello:
