
ICE virus/ransomware removal from OLD BIOS not booting computer


  • This topic is locked
32 replies to this topic

#1 novice84

novice84

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 AM

Posted 12 July 2013 - 11:05 AM

Hello

I have a Windows 7 64-bit computer that is infected with ICE scareware.

I am not able to boot it in any of the three safe mode options (safe mode, safe mode with networking, safe mode with command prompt).

I was able to boot it with a rescue disk. At this point it recognizes USB drives too. I have run FRST64.exe following a post on this site:

http://www.bleepingcomputer.com/forums/t/499991/i-have-the-ice-cyber-crime-center-ransomware-virus/?hl=%2Bice+%2Bvirus+%2Bremoval+%2Bgringo#entry3095484

I have the FRST.txt file available and am posting it.

Please advise.

Thanks

Novice84

Attached File: FRST.txt (23.09KB)





#2 novice84

novice84
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 AM

Posted 12 July 2013 - 11:08 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-07-2013 01
Ran by SYSTEM on 12-07-2013 08:38:35
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM\...\Run: [cAudioFilterAgent] - C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [495104 2009-07-13] (Conexant Systems, Inc.)
HKLM\...\Run: [IgfxTray] - C:\Windows\system32\igfxtray.exe [161304 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [386584 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] - C:\Windows\system32\igfxpers.exe [415256 2010-08-25] (Intel Corporation)
HKLM\...\Run: [SunJavaUpdateSched] - "C:\Program Files\Java\jre6\bin\jusched.exe" [171520 2010-03-12] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QlbCtrl.exe] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [322104 2009-08-20] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [WirelessAssistant] - C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [AVG_TRAY] - C:\Program Files (x86)\AVG\AVG10\avgtray.exe [2334560 2011-04-18] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-11-12] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [IndexSearch] - "C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe" [46368 2010-03-08] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] - "C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe" [29984 2010-03-08] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFHook] - C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF5 Registry Controller] - C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [ControlCenter4] - C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe /autorun [139264 2011-04-20] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] - C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN [2629632 2011-05-19] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] - "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [x]
HKU\AppuAmmu\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-08-20] (Hewlett-Packard Company)
HKU\AppuAmmu\...\Run: [ctfmon.exe] - C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
HKU\AppuAmmu\...\Run: [Google Update] - "C:\Users\AppuAmmu\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-11-01] (Google Inc.)
HKU\AppuAmmu\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\AppuAmmu\AppData\Local\Temp\uwclfldvovccctkiyfk.bfg [52736 2013-07-11] (NVIDIA Corporation) <===== ATTENTION
HKU\AppuAmmu\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\AppuAmmu\...\Command Processor: "C:\Users\AppuAmmu\AppData\Local\Temp\uwclfldvovccctkiyfk.bfg" <===== ATTENTION!
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
Startup: C:\Users\AppuAmmu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
ShortcutTarget: MyPC Backup.lnk -> C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe (No File)
BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG10\avgchsva.exe /syncC:\PROGRA~2\AVG\AVG10\avgrsa.exe /sync /restart

==================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [7398752 2011-04-18] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [269520 2011-02-08] (AVG Technologies CZ, s.r.o.)
S2 DefaultTabSearch; C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [572928 2013-02-10] ()
S2 DefaultTabUpdate; C:\Users\AppuAmmu\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-06-04] ()
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe [126400 2011-08-03] (Symantec Corporation)
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-08] (Nuance Communications, Inc.)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-07-06] ()
S2 BackupStack; C:\Program Files (x86)\MyPC Backup\BackupStack.exe [x]
S4 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [x]

==================== Drivers (Whitelisted) ====================

S1 A2DDA; C:\Users\AppuAmmu\Desktop\EmsisoftEmergencyKit\Run\a2ddax64.sys [26176 2013-04-20] (Emsisoft GmbH)
S1 A2DDA; C:\Users\AppuAmmu\Desktop\EmsisoftEmergencyKit\Run\a2ddax64.sys [26176 2013-04-20] (Emsisoft GmbH)
S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [118864 2011-04-14] (AVG Technologies CZ, s.r.o. )
S0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [26704 2011-02-22] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [29264 2011-02-10] (AVG Technologies CZ, s.r.o. )
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [304720 2011-01-07] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [41552 2011-03-01] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [37456 2011-03-16] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [377936 2011-04-04] (AVG Technologies CZ, s.r.o.)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20110812.001\BHDrvx64.sys [1151096 2011-07-22] (Symantec Corporation)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20110812.001\BHDrvx64.sys [1151096 2011-07-22] (Symantec Corporation)
S1 ccHP; C:\Windows\system32\drivers\NISx64\1109000.00C\ccHPx64.sys [593544 2011-08-03] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-07-27] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-07-27] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20110831.030\IDSvia64.sys [488568 2011-08-22] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20110831.030\IDSvia64.sys [488568 2011-08-22] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20110831.024\ENG64.SYS [117880 2011-08-04] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20110831.024\ENG64.SYS [117880 2011-08-04] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20110831.024\EX64.SYS [2048632 2011-08-04] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20110831.024\EX64.SYS [2048632 2011-08-04] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1109000.00C\SRTSP64.SYS [505392 2010-04-21] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1109000.00C\SRTSPX64.SYS [32304 2010-04-21] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\NISx64\1109000.00C\SYMDS64.SYS [433200 2009-08-29] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NISx64\1109000.00C\SYMEFA64.SYS [221304 2011-08-21] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [173104 2011-07-03] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NISx64\1109000.00C\Ironx64.SYS [150064 2010-04-28] (Symantec Corporation)
S1 SYMTDIv; C:\Windows\System32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS [451704 2011-08-21] (Symantec Corporation)
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [x]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-12 08:36 - 2013-07-12 08:36 - 00000000 ____D C:\FRST
2013-07-11 16:09 - 2013-07-11 16:09 - 01097677 _____ C:\ProgramData\2433f433
2013-07-11 16:09 - 2013-07-11 16:09 - 01097638 _____ C:\Users\AppuAmmu\AppData\Roaming\2433f433
2013-07-11 16:09 - 2013-07-11 16:09 - 01097638 _____ C:\Users\AppuAmmu\AppData\Local\2433f433
2013-07-11 05:44 - 2013-07-11 05:44 - 00000000 ____D C:\fe1b91fca0d7e1a3b8b27c53f36a9c
2013-07-11 05:39 - 2013-06-11 15:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-11 05:39 - 2013-06-11 15:43 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-11 05:39 - 2013-06-11 15:43 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-11 05:39 - 2013-06-11 15:43 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-11 05:39 - 2013-06-11 15:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-11 05:39 - 2013-06-11 15:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-11 05:39 - 2013-06-11 15:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-11 05:39 - 2013-06-11 15:42 - 13760512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-11 05:39 - 2013-06-11 15:42 - 02046976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-11 05:39 - 2013-06-11 15:42 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-11 05:39 - 2013-06-11 15:42 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-11 05:39 - 2013-06-11 15:42 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-11 05:39 - 2013-06-11 15:42 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-11 05:39 - 2013-06-11 15:26 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-11 05:39 - 2013-06-11 15:26 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-11 05:39 - 2013-06-11 15:26 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-11 05:39 - 2013-06-11 15:25 - 19238912 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 15404032 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-11 05:39 - 2013-06-11 14:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-11 05:39 - 2013-06-11 14:50 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-11 05:39 - 2013-06-06 19:22 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-11 05:39 - 2013-06-06 18:37 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-10 05:10 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-10 05:10 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-10 05:10 - 2013-05-05 22:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-10 05:10 - 2013-05-05 20:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-10 05:09 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-10 05:08 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-10 05:08 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-05 05:15 - 2013-07-05 05:15 - 00285112 _____ C:\Windows\Minidump\070513-24258-01.dmp
2013-07-03 07:41 - 2013-07-03 07:41 - 00000000 _____ C:\Users\AppuAmmu\Desktop\report-july 2013.txt
2013-07-03 07:29 - 2013-07-03 07:29 - 00000000 _____ C:\Users\AppuAmmu\Desktop\Updated report-070313.txt
2013-06-17 09:34 - 2013-06-17 09:34 - 00000073 _____ C:\Users\AppuAmmu\Desktop\awards.txt
2013-06-13 10:00 - 2013-06-13 10:01 - 00285088 _____ C:\Windows\Minidump\061313-23306-01.dmp
2013-06-12 03:08 - 2013-05-07 22:39 - 01910632 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-12 03:07 - 2013-05-09 21:49 - 00030720 _____ (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-12 03:07 - 2013-05-09 19:20 - 00024576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-12 03:07 - 2013-04-25 21:51 - 00751104 _____ (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-12 03:07 - 2013-04-25 20:55 - 00492544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-12 03:06 - 2013-05-12 21:51 - 01464320 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-12 03:06 - 2013-05-12 21:51 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-12 03:06 - 2013-05-12 21:51 - 00139776 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-12 03:06 - 2013-05-12 21:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-12 03:06 - 2013-05-12 20:45 - 01160192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-12 03:06 - 2013-05-12 20:45 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-12 03:06 - 2013-05-12 20:45 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-12 03:06 - 2013-05-12 19:43 - 01192448 _____ (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-12 03:06 - 2013-05-12 19:08 - 00903168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-12 03:06 - 2013-05-12 19:08 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-12 03:06 - 2013-04-25 15:30 - 01505280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-12 03:06 - 2013-04-16 23:02 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-06-12 03:06 - 2013-04-16 22:24 - 01424384 _____ (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-12 03:06 - 2013-03-31 14:52 - 01887232 _____ (Microsoft Corporation) C:\Windows\System32\d3d11.dll

==================== One Month Modified Files and Folders =======

2013-07-12 08:36 - 2013-07-12 08:36 - 00000000 ____D C:\FRST
2013-07-11 18:29 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-11 18:29 - 2009-07-13 20:51 - 00084200 _____ C:\Windows\setupact.log
2013-07-11 17:08 - 2010-05-19 00:15 - 02076286 _____ C:\Windows\WindowsUpdate.log
2013-07-11 16:40 - 2009-07-13 20:45 - 00023248 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-11 16:40 - 2009-07-13 20:45 - 00023248 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-11 16:11 - 2009-07-13 21:08 - 00032616 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-11 16:09 - 2013-07-11 16:09 - 01097677 _____ C:\ProgramData\2433f433
2013-07-11 16:09 - 2013-07-11 16:09 - 01097638 _____ C:\Users\AppuAmmu\AppData\Roaming\2433f433
2013-07-11 16:09 - 2013-07-11 16:09 - 01097638 _____ C:\Users\AppuAmmu\AppData\Local\2433f433
2013-07-11 16:09 - 2013-06-08 10:38 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\CrashDumps
2013-07-11 16:03 - 2011-11-01 06:53 - 00000920 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2044528303-4007568261-328015136-1001UA.job
2013-07-11 16:03 - 2011-11-01 06:53 - 00000868 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2044528303-4007568261-328015136-1001Core.job
2013-07-11 15:47 - 2012-04-15 16:57 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-11 13:43 - 2011-02-25 17:22 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2013-07-11 11:14 - 2011-11-01 06:57 - 00002382 _____ C:\Users\AppuAmmu\Desktop\Google Chrome.lnk
2013-07-11 05:49 - 2009-07-13 20:45 - 00356784 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-11 05:48 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-11 05:48 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-11 05:46 - 2009-07-13 21:13 - 00740814 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-11 05:44 - 2013-07-11 05:44 - 00000000 ____D C:\fe1b91fca0d7e1a3b8b27c53f36a9c
2013-07-11 05:41 - 2011-09-08 14:04 - 78185248 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-07-07 08:06 - 2011-11-19 11:27 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\Apple Computer
2013-07-05 05:15 - 2013-07-05 05:15 - 00285112 _____ C:\Windows\Minidump\070513-24258-01.dmp
2013-07-05 05:15 - 2011-07-15 01:38 - 365293851 _____ C:\Windows\MEMORY.DMP
2013-07-05 05:15 - 2011-07-15 01:38 - 00000000 ____D C:\Windows\Minidump
2013-07-04 15:58 - 2011-11-01 06:53 - 00003896 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2044528303-4007568261-328015136-1001UA
2013-07-04 15:58 - 2011-11-01 06:53 - 00003500 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2044528303-4007568261-328015136-1001Core
2013-07-03 07:41 - 2013-07-03 07:41 - 00000000 _____ C:\Users\AppuAmmu\Desktop\report-july 2013.txt
2013-07-03 07:29 - 2013-07-03 07:29 - 00000000 _____ C:\Users\AppuAmmu\Desktop\Updated report-070313.txt
2013-07-01 19:23 - 2011-07-20 17:35 - 00003204 _____ C:\Windows\System32\Tasks\HPCeeScheduleForAppuAmmu
2013-07-01 19:23 - 2011-07-20 17:35 - 00000344 _____ C:\Windows\Tasks\HPCeeScheduleForAppuAmmu.job
2013-06-18 12:48 - 2013-06-04 16:10 - 00000060 _____ C:\Users\AppuAmmu\Documents\LMOL.txt
2013-06-17 09:34 - 2013-06-17 09:34 - 00000073 _____ C:\Users\AppuAmmu\Desktop\awards.txt
2013-06-13 10:21 - 2011-02-19 22:31 - 00000000 ____D C:\users\AppuAmmu
2013-06-13 10:01 - 2013-06-13 10:00 - 00285088 _____ C:\Windows\Minidump\061313-23306-01.dmp
2013-06-13 09:58 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

Files to move or delete:
====================
C:\Users\AppuAmmu\flashplayer.exe
C:\Users\AppuAmmu\icq.exe
C:\Users\AppuAmmu\msconfig.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 25%
Total physical RAM: 1979.19 MB
Available physical RAM: 1472.49 MB
Total Pagefile: 1979.19 MB
Available Pagefile: 1475.04 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:285.38 GB) (Free:144.03 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:12.52 GB) (Free:2.08 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]
Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
Drive g: (HITMANPRO) (Removable) (Total:7.46 GB) (Free:7.44 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.15 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 8C232226)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=285 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 67455771)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)

LastRegBack: 2013-07-03 04:53

==================== End Of Log ============================



#3 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 AM

Posted 13 July 2013 - 12:58 AM

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

HKU\AppuAmmu\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\AppuAmmu\AppData\Local\Temp\uwclfldvovccctkiyfk.bfg [52736 2013-07-11] (NVIDIA Corporation) <===== ATTENTION
HKU\AppuAmmu\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\AppuAmmu\...\Command Processor: "C:\Users\AppuAmmu\AppData\Local\Temp\uwclfldvovccctkiyfk.bfg" <===== ATTENTION!
013-07-11 16:09 - 2013-07-11 16:09 - 01097677 _____ C:\ProgramData\2433f433
2013-07-11 16:09 - 2013-07-11 16:09 - 01097638 _____ C:\Users\AppuAmmu\AppData\Roaming\2433f433
2013-07-11 16:09 - 2013-07-11 16:09 - 01097638 _____ C:\Users\AppuAmmu\AppData\Local\2433f433
C:\Users\AppuAmmu\flashplayer.exe
C:\Users\AppuAmmu\icq.exe
C:\Users\AppuAmmu\msconfig.exe
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options again.
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#4 novice84

novice84
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 AM

Posted 13 July 2013 - 07:49 AM

I made one change to the code block: I started the fourth line with '2013' instead of 013...

 

Here is the fixlog

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-07-2013 01
Ran by SYSTEM at 2013-07-13 08:42:09 Run:1
Running from G:\
Boot Mode: Recovery
==============================================

HKU\AppuAmmu\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.
HKU\AppuAmmu\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\AppuAmmu\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
C:\ProgramData\2433f433 => Moved successfully.
C:\Users\AppuAmmu\AppData\Roaming\2433f433 => Moved successfully.
C:\Users\AppuAmmu\AppData\Local\2433f433 => Moved successfully.
C:\Users\AppuAmmu\flashplayer.exe => Moved successfully.
C:\Users\AppuAmmu\icq.exe => Moved successfully.
C:\Users\AppuAmmu\msconfig.exe => Moved successfully.

==== End of Fixlog ====
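The three ATTENTION lines in the FRST.txt above (a Run value launching a .bfg file from the user's Temp folder, Winlogon Shell set to cmd.exe, and a Command Processor AutoRun pointing at the same file) are the persistence chain that keeps this lock screen in front of the user, and the Fixlog shows the full registry keys FRST elides in its log. As an added example that is not part of the thread, of FRST, or of the helper's fix, the Python script below parses FRST "Registry (Whitelisted)" lines, flags those three patterns, restores the elided key paths in the form the Fixlog prints them, and emits the flagged lines in the verbatim form a fixlist.txt takes. The sample lines are copied from the FRST.txt in this thread; the key-expansion table and the Temp-folder/extension heuristics are this example's own assumptions, not FRST's logic.

```python
"""Triage of FRST 'Registry (Whitelisted)' lines for lock-screen persistence.

Added example for this thread; not part of FRST or of any post here.
"""
import ntpath
import re
from dataclasses import dataclass

# Sample input: lines copied from the FRST.txt posted in this thread
# (one benign line of each shape plus the three flagged ones).
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM-x32\...\Run: [QlbCtrl.exe] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [322104 2009-08-20] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [] -  [x]
HKU\AppuAmmu\...\Run: [Google Update] - "C:\Users\AppuAmmu\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-11-01] (Google Inc.)
HKU\AppuAmmu\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\AppuAmmu\AppData\Local\Temp\uwclfldvovccctkiyfk.bfg [52736 2013-07-11] (NVIDIA Corporation) <===== ATTENTION
HKU\AppuAmmu\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\AppuAmmu\...\Command Processor: "C:\Users\AppuAmmu\AppData\Local\Temp\uwclfldvovccctkiyfk.bfg" <===== ATTENTION!
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
"""

# FRST elides the middle of each key as "..."; this table (constructed from the
# key paths the thread's Fixlog prints) restores it. "-x32" hives are left as
# FRST labels them; on disk they sit under Wow6432Node.
FULL_KEY = {
    "Run": r"Software\Microsoft\Windows\CurrentVersion\Run",
    "RunOnce": r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "Winlogon": r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    "Command Processor": r"Software\Microsoft\Command Processor",
}

ENTRY_RE = re.compile(r"^(?P<hive>HK[A-Za-z0-9-]+(?:\\[^\\]+)?)\\\.\.\.\\(?P<section>[^:]+):\s*(?P<rest>.*?)\s*$")
VALUE_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?:-\s*)?(?P<cmd>.*)$")
PATH_RE = re.compile(r"(.*?\.[A-Za-z0-9]{1,4})(?=\s|$)")   # unquoted path up to its extension


@dataclass
class Finding:
    key: str      # full registry key, in the form the Fixlog prints it
    value: str    # value name under that key
    path: str     # program the value launches
    reason: str
    raw: str      # the original FRST line; fixlist.txt takes it verbatim


def first_path(cmd: str) -> str:
    """Return the program path from an FRST command string ('' if none, e.g. '[x]')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = PATH_RE.match(cmd)
    return m.group(1) if m else ""


def check_entry(hive: str, section: str, rest: str, raw: str):
    """Apply the three lock-screen persistence checks to one parsed entry."""
    full = hive + "\\" + FULL_KEY.get(section, "...\\" + section)
    if section == "Command Processor":
        # Any AutoRun value is notable: cmd.exe runs it before every prompt,
        # so with Shell=cmd.exe the payload starts at every logon.
        return Finding(full, "AutoRun", first_path(rest),
                       "Command Processor AutoRun runs at every cmd.exe start", raw)
    m = VALUE_RE.match(rest)
    if not m:
        return None
    name, path = m.group("name"), first_path(m.group("cmd"))
    if not path:
        return None                      # '[x]' orphan: nothing on disk to run
    if section == "Winlogon" and name.lower() == "shell":
        if ntpath.basename(path).lower() != "explorer.exe":
            return Finding(full, name, path,
                           f"Winlogon Shell is {path!r} instead of explorer.exe", raw)
        return None
    reasons = []                         # heuristics for Run/RunOnce values
    if "\\appdata\\local\\temp\\" in path.lower():
        reasons.append("launches from the user's Temp folder")
    ext = ntpath.splitext(path)[1].lower()
    if ext not in (".exe", ".com", ".bat", ".cmd"):
        reasons.append(f"unusual extension {ext!r}")
    return Finding(full, name, path, "; ".join(reasons), raw) if reasons else None


def triage(log_text: str) -> list:
    """Scan FRST registry lines and return the suspicious entries in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            f = check_entry(m["hive"], m["section"], m["rest"], raw.strip())
            if f:
                findings.append(f)
    return findings


def fixlist(findings: list) -> list:
    """FRST's fixlist.txt accepts the log lines verbatim, as the fix in this thread does."""
    return [f.raw for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.key}\\\\{f.value}\n    {f.path}\n    {f.reason}")
    print("\n".join(fixlist(triage(SAMPLE_LOG))))
```

Run against the sample, the script reports exactly the three lines the helper put in the fixlist and prints their keys as `HKU\AppuAmmu\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce...`, `...\Winlogon\\Shell` and `...\Command Processor\\AutoRun`, matching the Fixlog above. The heuristics are deliberately narrow (Temp-folder origin, non-executable extension, a Shell other than explorer.exe, any AutoRun value); the orphan `[x]` entries and the vendor-signed HKLM entries pass through untouched.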



#5 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 AM

Posted 13 July 2013 - 07:58 AM

Are you able to boot normally now?



#6 novice84

novice84
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 AM

Posted 13 July 2013 - 08:27 AM

Will try right away and let you know, RP.



#7 novice84

novice84
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 AM

Posted 13 July 2013 - 08:32 AM

Yes I am. Should I run HitmanPro on there?



#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 AM

Posted 13 July 2013 - 09:00 AM

No, please do this instead:

Go to this page and download Malwarebytes Anti-Rootkit (MBAR)

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • MBAR will create logs that you will find in the same folder you found MBAR.exe.  Please post those for me to review.

Please include the following in your next post:
  • MBAR log(s)




#9 novice84

novice84
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 AM

Posted 14 July 2013 - 02:18 PM

OK, Malwarebytes ran by accident ahead of MBAR; it removed 2433f433...

And my kids did something to the computer before I could get the log... Is it stored somewhere? A second run of MBAR said the computer was clean.



#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 AM

Posted 14 July 2013 - 06:38 PM

Don't worry about that log as long as the second scan was clean.  How is it running now?  Please do this next:

 

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • How is the computer running now?
  • AdwCleaner log
  • ESET log




#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 21 July 2013 - 10:01 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 22 July 2013 - 09:57 PM

This topic has been re-opened at the request of the person who originally posted.



#13 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 22 July 2013 - 09:58 PM

Based on the info you provided in your PM to me, I'd like you to do the following from the safe mode:


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


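Added example, not code from this thread, from BleepingComputer or from Farbar: a small Python triage pass over the "Registry (Whitelisted)" section of an FRST.txt log, flagging the persistence pattern this thread's logs show (a per-user Winlogon Shell pointing at cmd.exe plus a Command Processor AutoRun value, the two entries the fixlist later removes). The sample log is constructed from lines in the shape of the thread's own report; the fixlist convention it assumes (log lines pasted verbatim into fixlist.txt) is an assumption, not something the page states.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: a few lines in the shape of an FRST.txt "Registry
# (Whitelisted)" section, modelled on the entries reported in this thread.
# It is not a complete log.
SAMPLE_FRST_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM-x32\...\Run: [] -  [x]
HKU\AppuAmmu\...\Run: [ctfmon.exe] - C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
HKU\AppuAmmu\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\AppuAmmu\...\Command Processor: rundll32 "C:\Users\AppuAmmu\AppData\Local\e4lGdQIKhiH\clySLGT9tMa.dll",v5GNerRx <===== ATTENTION!

==================== Services (Whitelisted) =================
"""


@dataclass
class Finding:
    severity: str   # "high" or "low"
    reason: str
    line: str       # the FRST log line, verbatim


# FRST section headers look like "==================== Name ====...".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Generic shape of a registry entry: "<hive path>: [<value name>] <rest>".
ENTRY_RE = re.compile(r"^(?P<key>[^:]+):\s*(?:\[(?P<name>[^\]]*)\])?\s*(?P<rest>.*)$")


def triage_frst(log_text: str) -> List[Finding]:
    """Walk the Registry (Whitelisted) section of an FRST log and flag persistence entries."""
    findings: List[Finding] = []
    in_registry = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            in_registry = m.group(1).startswith("Registry")
            continue
        if not in_registry:
            continue
        e = ENTRY_RE.match(line)
        if not e:
            continue
        key, name, rest = e.group("key"), e.group("name"), e.group("rest")

        if "Winlogon" in key and name == "Shell":
            # The logon shell should be explorer.exe. Anything else (cmd.exe here) means the
            # desktop has been replaced, which is how the lock screen in this thread was staged.
            target = rest.split()[0].lower() if rest else ""
            if "explorer.exe" not in target:
                findings.append(Finding("high", f"Winlogon Shell replaced by {target!r}", line))
                continue
        if key.rstrip().endswith("Command Processor"):
            # Command Processor\AutoRun runs on every cmd.exe start; combined with a cmd.exe
            # shell it launches the payload at logon. There is no legitimate default value.
            findings.append(Finding("high", "Command Processor AutoRun value present", line))
            continue
        if "ATTENTION" in rest:
            # FRST's own heuristic marker; keep it even when none of the rules above matched.
            findings.append(Finding("high", "flagged by FRST (ATTENTION)", line))
            continue
        if name == "" or rest.endswith("[x]"):
            # Empty value name or missing file: an orphaned entry, worth cleaning but not active.
            findings.append(Finding("low", "orphaned Run entry (empty name or missing file)", line))
    return findings


def fixlist_lines(findings: List[Finding]) -> List[str]:
    """High-severity findings as lines for a fixlist.txt.

    Assumption (not shown on the page): FRST's fixlist takes log lines pasted verbatim,
    which is what yields "Value deleted successfully" entries in a Fixlog like the thread's.
    """
    return [f.line for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in triage_frst(SAMPLE_FRST_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```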


#14 novice84

novice84
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male

Posted 23 July 2013 - 06:30 AM

I jumped the gun on this one. Here is the log from the FRST tool. I ran it again with a rescue disk boot because nothing was running from safe mode... Here is the log:


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-07-2013
Ran by SYSTEM on 22-07-2013 08:40:35
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM\...\Run: [cAudioFilterAgent] - C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [495104 2009-07-13] (Conexant Systems, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Java\jre6\bin\jusched.exe [171520 2010-03-12] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QlbCtrl.exe] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [322104 2009-08-20] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [WirelessAssistant] - C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [AVG_TRAY] - C:\Program Files (x86)\AVG\AVG10\avgtray.exe [2334560 2011-04-18] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [iTunesHelper] - "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-11-12] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [IndexSearch] - "C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe" [46368 2010-03-08] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] - "C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe" [29984 2010-03-08] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFHook] - C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF5 Registry Controller] - C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [ControlCenter4] - C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe /autorun [139264 2011-04-20] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] - C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN [2629632 2011-05-19] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] - "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [x]
HKU\AppuAmmu\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-08-20] (Hewlett-Packard Company)
HKU\AppuAmmu\...\Run: [ctfmon.exe] - C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
HKU\AppuAmmu\...\Run: [Google Update] - "C:\Users\AppuAmmu\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-11-01] (Google Inc.)
HKU\AppuAmmu\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\AppuAmmu\...\Command Processor: rundll32 "C:\Users\AppuAmmu\AppData\Local\e4lGdQIKhiH\clySLGT9tMa.dll",v5GNerRx <===== ATTENTION!
BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG10\avgchsva.exe /syncC:\PROGRA~2\AVG\AVG10\avgrsa.exe /sync /restart

==================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [7398752 2011-04-18] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [269520 2011-02-08] (AVG Technologies CZ, s.r.o.)
S2 DefaultTabSearch; C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [572928 2013-02-10] ()
S2 DefaultTabUpdate; C:\Users\AppuAmmu\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-06-04] ()
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe [126400 2011-08-03] (Symantec Corporation)
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-08] (Nuance Communications, Inc.)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-07-06] ()
S2 BackupStack; C:\Program Files (x86)\MyPC Backup\BackupStack.exe [x]
S4 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [x]

==================== Drivers (Whitelisted) ====================

S1 A2DDA; C:\Users\AppuAmmu\Desktop\EmsisoftEmergencyKit\Run\a2ddax64.sys [26176 2013-04-20] (Emsisoft GmbH)
S1 A2DDA; C:\Users\AppuAmmu\Desktop\EmsisoftEmergencyKit\Run\a2ddax64.sys [26176 2013-04-20] (Emsisoft GmbH)
S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [118864 2011-04-14] (AVG Technologies CZ, s.r.o. )
S0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [26704 2011-02-22] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [29264 2011-02-10] (AVG Technologies CZ, s.r.o. )
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [304720 2011-01-07] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [41552 2011-03-01] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [37456 2011-03-16] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [377936 2011-04-04] (AVG Technologies CZ, s.r.o.)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20110812.001\BHDrvx64.sys [1151096 2011-07-22] (Symantec Corporation)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20110812.001\BHDrvx64.sys [1151096 2011-07-22] (Symantec Corporation)
S1 ccHP; C:\Windows\system32\drivers\NISx64\1109000.00C\ccHPx64.sys [593544 2011-08-03] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-07-27] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-07-27] (Symantec Corporation)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32000 2013-07-13] ()
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20110831.030\IDSvia64.sys [488568 2011-08-22] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20110831.030\IDSvia64.sys [488568 2011-08-22] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20110831.024\ENG64.SYS [117880 2011-08-04] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20110831.024\ENG64.SYS [117880 2011-08-04] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20110831.024\EX64.SYS [2048632 2011-08-04] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20110831.024\EX64.SYS [2048632 2011-08-04] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1109000.00C\SRTSP64.SYS [505392 2010-04-21] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1109000.00C\SRTSPX64.SYS [32304 2010-04-21] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\NISx64\1109000.00C\SYMDS64.SYS [433200 2009-08-29] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NISx64\1109000.00C\SYMEFA64.SYS [221304 2011-08-21] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [173104 2011-07-03] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NISx64\1109000.00C\Ironx64.SYS [150064 2010-04-28] (Symantec Corporation)
S1 SYMTDIv; C:\Windows\System32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS [451704 2011-08-21] (Symantec Corporation)
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [x]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-20 03:41 - 2013-07-20 03:41 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\e4lGdQIKhiH
2013-07-20 03:39 - 2013-07-20 03:39 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\bmjv3hvIGoO
2013-07-19 17:24 - 2013-07-19 17:24 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\m1Xh6ZF8sG
2013-07-19 16:48 - 2013-07-19 17:24 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\EDiqEPKOEL
2013-07-19 07:39 - 2013-07-19 16:48 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\DavVzNgJ4m
2013-07-19 06:43 - 2013-07-19 07:39 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\vBKOtGoPHW
2013-07-19 06:41 - 2013-07-19 06:43 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\CuanWMoTQH
2013-07-17 08:22 - 2013-07-17 08:22 - 00000000 ____D C:\Users\AppuAmmu\AppData\Roaming\WildTangent
2013-07-13 09:05 - 2013-07-14 11:09 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-07-13 08:55 - 2013-07-21 08:31 - 00000920 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2044528303-4007568261-328015136-1001UA.job
2013-07-13 08:55 - 2013-07-20 22:36 - 00000868 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2044528303-4007568261-328015136-1001Core.job
2013-07-13 08:51 - 2013-07-13 08:51 - 00032000 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-07-13 05:44 - 2013-07-13 05:44 - 00000470 _____ C:\Windows\System32\.crusader
2013-07-13 05:36 - 2013-07-13 05:44 - 00000000 ____D C:\ProgramData\HitmanPro
2013-07-12 08:36 - 2013-07-12 08:36 - 00000000 ____D C:\FRST
2013-07-11 05:44 - 2013-07-11 05:44 - 00000000 ____D C:\fe1b91fca0d7e1a3b8b27c53f36a9c
2013-07-11 05:39 - 2013-06-11 15:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-11 05:39 - 2013-06-11 15:43 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-11 05:39 - 2013-06-11 15:43 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-11 05:39 - 2013-06-11 15:43 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-11 05:39 - 2013-06-11 15:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-11 05:39 - 2013-06-11 15:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-11 05:39 - 2013-06-11 15:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-11 05:39 - 2013-06-11 15:42 - 13760512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-11 05:39 - 2013-06-11 15:42 - 02046976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-11 05:39 - 2013-06-11 15:42 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-11 05:39 - 2013-06-11 15:42 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-11 05:39 - 2013-06-11 15:42 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-11 05:39 - 2013-06-11 15:42 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-11 05:39 - 2013-06-11 15:26 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-11 05:39 - 2013-06-11 15:26 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-11 05:39 - 2013-06-11 15:26 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-11 05:39 - 2013-06-11 15:25 - 19238912 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 15404032 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-11 05:39 - 2013-06-11 15:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-11 05:39 - 2013-06-11 14:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-11 05:39 - 2013-06-11 14:50 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-11 05:39 - 2013-06-06 19:22 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-11 05:39 - 2013-06-06 18:37 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-10 05:10 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-10 05:10 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-10 05:10 - 2013-05-05 22:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-10 05:10 - 2013-05-05 20:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-10 05:09 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-10 05:08 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-10 05:08 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-05 05:15 - 2013-07-05 05:15 - 00285112 _____ C:\Windows\Minidump\070513-24258-01.dmp
2013-07-03 07:41 - 2013-07-03 07:41 - 00000000 _____ C:\Users\AppuAmmu\Desktop\report-july 2013.txt
2013-07-03 07:29 - 2013-07-03 07:29 - 00000000 _____ C:\Users\AppuAmmu\Desktop\Updated report-070313.txt

==================== One Month Modified Files and Folders =======

2013-07-21 08:32 - 2010-05-19 00:15 - 01634428 _____ C:\Windows\WindowsUpdate.log
2013-07-21 08:31 - 2013-07-13 08:55 - 00000920 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2044528303-4007568261-328015136-1001UA.job
2013-07-20 22:36 - 2013-07-13 08:55 - 00000868 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2044528303-4007568261-328015136-1001Core.job
2013-07-20 04:28 - 2011-02-25 17:22 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2013-07-20 04:12 - 2009-07-13 21:13 - 00726444 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-20 04:12 - 2009-07-13 20:45 - 00023248 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-20 04:12 - 2009-07-13 20:45 - 00023248 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-20 04:05 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-20 04:05 - 2009-07-13 20:51 - 00085152 _____ C:\Windows\setupact.log
2013-07-20 03:41 - 2013-07-20 03:41 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\e4lGdQIKhiH
2013-07-20 03:39 - 2013-07-20 03:39 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\bmjv3hvIGoO
2013-07-19 17:24 - 2013-07-19 17:24 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\m1Xh6ZF8sG
2013-07-19 17:24 - 2013-07-19 16:48 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\EDiqEPKOEL
2013-07-19 16:48 - 2013-07-19 07:39 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\DavVzNgJ4m
2013-07-19 07:39 - 2013-07-19 06:43 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\vBKOtGoPHW
2013-07-19 06:43 - 2013-07-19 06:41 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\CuanWMoTQH
2013-07-17 08:22 - 2013-07-17 08:22 - 00000000 ____D C:\Users\AppuAmmu\AppData\Roaming\WildTangent
2013-07-14 11:09 - 2013-07-13 09:05 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-07-13 14:23 - 2011-11-01 06:57 - 00002382 _____ C:\Users\AppuAmmu\Desktop\Google Chrome.lnk
2013-07-13 11:21 - 2013-06-08 10:38 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\CrashDumps
2013-07-13 08:55 - 2011-11-01 06:53 - 00003896 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2044528303-4007568261-328015136-1001UA
2013-07-13 08:55 - 2011-11-01 06:53 - 00003500 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2044528303-4007568261-328015136-1001Core
2013-07-13 08:51 - 2013-07-13 08:51 - 00032000 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-07-13 08:48 - 2012-06-04 17:52 - 00017920 _____ C:\Users\AppuAmmu\Documents\Family God's gift.wps
2013-07-13 08:42 - 2011-02-19 22:31 - 00000000 ____D C:\users\AppuAmmu
2013-07-13 08:27 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\FxsTmp
2013-07-13 05:58 - 2011-04-30 04:57 - 00001360 _____ C:\Users\AppuAmmu\AppData\Roaming\wklnhst.dat
2013-07-13 05:44 - 2013-07-13 05:44 - 00000470 _____ C:\Windows\System32\.crusader
2013-07-13 05:44 - 2013-07-13 05:36 - 00000000 ____D C:\ProgramData\HitmanPro
2013-07-12 08:36 - 2013-07-12 08:36 - 00000000 ____D C:\FRST
2013-07-11 16:11 - 2009-07-13 21:08 - 00032616 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-11 05:49 - 2009-07-13 20:45 - 00356784 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-11 05:48 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-11 05:48 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-11 05:44 - 2013-07-11 05:44 - 00000000 ____D C:\fe1b91fca0d7e1a3b8b27c53f36a9c
2013-07-11 05:41 - 2011-09-08 14:04 - 78185248 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-07-07 08:06 - 2011-11-19 11:27 - 00000000 ____D C:\Users\AppuAmmu\AppData\Local\Apple Computer
2013-07-05 05:15 - 2013-07-05 05:15 - 00285112 _____ C:\Windows\Minidump\070513-24258-01.dmp
2013-07-05 05:15 - 2011-07-15 01:38 - 365293851 _____ C:\Windows\MEMORY.DMP
2013-07-05 05:15 - 2011-07-15 01:38 - 00000000 ____D C:\Windows\Minidump
2013-07-03 07:41 - 2013-07-03 07:41 - 00000000 _____ C:\Users\AppuAmmu\Desktop\report-july 2013.txt
2013-07-03 07:29 - 2013-07-03 07:29 - 00000000 _____ C:\Users\AppuAmmu\Desktop\Updated report-070313.txt
2013-07-01 19:23 - 2011-07-20 17:35 - 00003204 _____ C:\Windows\System32\Tasks\HPCeeScheduleForAppuAmmu

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 25%
Total physical RAM: 1979.19 MB
Available physical RAM: 1484.21 MB
Total Pagefile: 1979.19 MB
Available Pagefile: 1484.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:285.38 GB) (Free:142.37 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:12.52 GB) (Free:2.08 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]
Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
Drive g: (HITMANPRO) (Removable) (Total:7.46 GB) (Free:7.41 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.15 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 8C232226)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=285 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 67455771)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)

LastRegBack: 2013-07-13 07:50

==================== End Of Log ============================


I then created a fixlist comparing this with the previous instance and ran that too. Here is the log from the fixlist:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-07-2013
Ran by SYSTEM at 2013-07-22 08:41:09 Run:2
Running from G:\
Boot Mode: Recovery
==============================================

HKU\AppuAmmu\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\AppuAmmu\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
C:\Users\AppuAmmu\AppData\Local\e4lGdQIKhiH => Moved successfully.
C:\Users\AppuAmmu\AppData\Local\bmjv3hvIGoO => Moved successfully.
C:\Users\AppuAmmu\AppData\Local\m1Xh6ZF8sG => Moved successfully.
C:\Users\AppuAmmu\AppData\Local\EDiqEPKOEL => Moved successfully.
C:\Users\AppuAmmu\AppData\Local\DavVzNgJ4m => Moved successfully.
C:\Users\AppuAmmu\AppData\Local\vBKOtGoPHW => Moved successfully.
C:\Users\AppuAmmu\AppData\Local\CuanWMoTQH => Moved successfully.
C:\Windows\System32\.crusader => Moved successfully.
"C:\Users\AppuAmmu\AppData\Local\e4lGdQIKhiH" => File/Directory not found.
"C:\Users\AppuAmmu\AppData\Local\bmjv3hvIGoO" => File/Directory not found.
"C:\Users\AppuAmmu\AppData\Local\m1Xh6ZF8sG" => File/Directory not found.
"C:\Users\AppuAmmu\AppData\Local\EDiqEPKOEL" => File/Directory not found.
"C:\Users\AppuAmmu\AppData\Local\DavVzNgJ4m" => File/Directory not found.
"C:\Users\AppuAmmu\AppData\Local\vBKOtGoPHW" => File/Directory not found.
"C:\Users\AppuAmmu\AppData\Local\CuanWMoTQH" => File/Directory not found.

==== End of Fixlog ====


The computer then booted successfully. MBAR rootkit came back clean. However, the adware and ESET logs basically read like a complete wall of shame. Here are the logs from those...

Here is the adware log:


# AdwCleaner v2.306 - Logfile created 07/22/2013 at 19:49:22
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : AppuAmmu - APPUAMMU-PC
# Boot Mode : Normal
# Running from : C:\Users\AppuAmmu\Downloads\adwcleaner.exe
# Option [Delete]

***** [Services] *****

Stopped & Deleted : DefaultTabSearch
Stopped & Deleted : DefaultTabUpdate
Stopped & Deleted : Updater Service for StartNow Toolbar

***** [Files / Folders] *****

File Deleted : C:\END
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Users\Public\Desktop\eBay.lnk
Folder Deleted : C:\Program Files (x86)\Common Files\Software Update Utility
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\DefaultTab
Folder Deleted : C:\Program Files (x86)\internethelper3.1
Folder Deleted : C:\ProgramData\APN
Folder Deleted : C:\Users\AppuAmmu\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\AppuAmmu\AppData\LocalLow\internethelper3.1
Folder Deleted : C:\Users\AppuAmmu\AppData\Roaming\DefaultTab

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\AppDataLow\Software\DefaultTab
Key Deleted : HKCU\Software\AppDataLow\Software\InternetHelper3.1
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\Default Tab
Key Deleted : HKCU\Software\DefaultTab
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{07CBF788-1359-421B-A4E3-5A8D041B90A3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07CBF788-1359-421B-A4E3-5A8D041B90A3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKCU\Software\StartNow Toolbar
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7E8A36EA-2501-4ED3-A3C8-CFA9143FB169}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B27D9527-3762-4D71-963D-FB7A94FDD678}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{FAA8C612-F1B6-461B-8B60-B54D74D9642E}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\DefaultTabBHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\Toolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ToolbarBroker.EXE
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0005058.BHO
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.BandObject
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.BandObject.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3289663
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{38BF9661-BDA0-4A74-BB3B-576EC7AE16DC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6857AC4A-95B4-4E2C-B2D2-8A235FCCEF4A}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Classes\ZGClnt.Mngr
Key Deleted : HKLM\SOFTWARE\Classes\ZGClnt.Mngr.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\Software\DefaultTab
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\Software\InternetHelper3.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6CE83F03-4DFD-4070-A0A7-C46C82E20971}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKLM\Software\StartNow Toolbar
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{07CBF788-1359-421B-A4E3-5A8D041B90A3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{2CBD2A57-2FD5-4F1A-9FC8-90ED48FA4187}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{6CE83F03-4DFD-4070-A0A7-C46C82E20971}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{1C888195-0160-4883-91B7-294C0CE2F277}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{99ACA0F7-D864-45CB-8C40-FD42A077E7CA}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E65F40C8-3CEB-47C2-9E01-BF73323DF4E7}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2CBD2A57-2FD5-4F1A-9FC8-90ED48FA4187}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{525DE770-24CA-4789-937D-ECF6CE819339}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FB39C495-C7C9-4A7D-99AA-9BC8261D4F4F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4B5C-9287-DA72D38F4FE6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07CBF788-1359-421B-A4E3-5A8D041B90A3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\InternetHelper3.1 Toolbar
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1C888195-0160-4883-91B7-294C0CE2F277}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{99ACA0F7-D864-45CB-8C40-FD42A077E7CA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E65F40C8-3CEB-47C2-9E01-BF73323DF4E7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{07CBF788-1359-421B-A4E3-5A8D041B90A3}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{07CBF788-1359-421B-A4E3-5A8D041B90A3}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{07CBF788-1359-421B-A4E3-5A8D041B90A3}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{5911488E-9D1E-40EC-8CBB-06B231CC153F}]

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16635

[OK] Registry is clean.

-\\ Google Chrome v28.0.1500.72

File : C:\Users\AppuAmmu\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.2470] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT3289663&SearchSource=48&CUI[...]

*************************

AdwCleaner[R1].txt - [10812 octets] - [22/07/2013 19:45:53]
AdwCleaner[S1].txt - [329 octets] - [22/07/2013 19:48:48]
AdwCleaner[S2].txt - [10120 octets] - [22/07/2013 19:49:22]

########## EOF - C:\AdwCleaner[S2].txt - [10181 octets] ##########

Here is the ESET log:

C:\Documents and Settings\AppuAmmu\AppData\Local\Application Data\Google\Chrome\User Data\Default\Default\aadggcgegedjggdgdcggdjdagcdjdadi\background.js Win32/TrojanDownloader.Tracur.V trojan
C:\Documents and Settings\AppuAmmu\AppData\Local\Application Data\Google\Chrome\User Data\Default\Default\aadggcgegedjggdgdcggdjdagcdjdadi\ContentScript.js Win32/TrojanDownloader.Tracur.AD trojan
C:\Documents and Settings\AppuAmmu\AppData\Local\Application Data\VirtualStore\Microsoft Games\omkzgjbml.dll a variant of Win32/Kryptik.AZVC trojan
C:\Documents and Settings\AppuAmmu\AppData\Local\Google\Chrome\User Data\Default\Default\aadggcgegedjggdgdcggdjdagcdjdadi\background.js Win32/TrojanDownloader.Tracur.V trojan
C:\Documents and Settings\AppuAmmu\AppData\Local\Google\Chrome\User Data\Default\Default\aadggcgegedjggdgdcggdjdagcdjdadi\ContentScript.js Win32/TrojanDownloader.Tracur.AD trojan
C:\Documents and Settings\AppuAmmu\AppData\Local\VirtualStore\Microsoft Games\omkzgjbml.dll a variant of Win32/Kryptik.AZVC trojan
C:\Documents and Settings\AppuAmmu\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\2e267083-7848110e multiple threats
C:\Documents and Settings\AppuAmmu\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\dc16a76-7b960dfb multiple threats
C:\Documents and Settings\AppuAmmu\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\76ef7c7c-25fe489f a variant of Java/Exploit.Agent.NWH trojan
C:\Documents and Settings\AppuAmmu\Downloads\ArcadeCandyGames.exe a variant of Win32/Adware.Gamevance.DD application
C:\Documents and Settings\AppuAmmu\Downloads\Setup.exe a variant of Win32/AirAdInstaller.A application
C:\Documents and Settings\AppuAmmu\Local Settings\Google\Chrome\User Data\Default\Default\aadggcgegedjggdgdcggdjdagcdjdadi\background.js Win32/TrojanDownloader.Tracur.V trojan
C:\Documents and Settings\AppuAmmu\Local Settings\Google\Chrome\User Data\Default\Default\aadggcgegedjggdgdcggdjdagcdjdadi\ContentScript.js Win32/TrojanDownloader.Tracur.AD trojan
C:\Documents and Settings\AppuAmmu\Local Settings\VirtualStore\Microsoft Games\omkzgjbml.dll a variant of Win32/Kryptik.AZVC trojan
C:\Users\AppuAmmu\AppData\Local\Google\Chrome\User Data\Default\Default\aadggcgegedjggdgdcggdjdagcdjdadi\background.js Win32/TrojanDownloader.Tracur.V trojan
C:\Users\AppuAmmu\AppData\Local\Google\Chrome\User Data\Default\Default\aadggcgegedjggdgdcggdjdagcdjdadi\ContentScript.js Win32/TrojanDownloader.Tracur.AD trojan
C:\Users\AppuAmmu\AppData\Local\VirtualStore\Microsoft Games\omkzgjbml.dll a variant of Win32/Kryptik.AZVC trojan
C:\Users\AppuAmmu\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\2e267083-7848110e multiple threats
C:\Users\AppuAmmu\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\dc16a76-7b960dfb multiple threats
C:\Users\AppuAmmu\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\76ef7c7c-25fe489f a variant of Java/Exploit.Agent.NWH trojan
C:\Users\AppuAmmu\Downloads\ArcadeCandyGames.exe a variant of Win32/Adware.Gamevance.DD application
C:\Users\AppuAmmu\Downloads\Setup.exe a variant of Win32/AirAdInstaller.A application
C:\Users\AppuAmmu\Local Settings\Google\Chrome\User Data\Default\Default\aadggcgegedjggdgdcggdjdagcdjdadi\background.js Win32/TrojanDownloader.Tracur.V trojan
C:\Users\AppuAmmu\Local Settings\Google\Chrome\User Data\Default\Default\aadggcgegedjggdgdcggdjdagcdjdadi\ContentScript.js Win32/TrojanDownloader.Tracur.AD trojan
C:\Users\AppuAmmu\Local Settings\VirtualStore\Microsoft Games\omkzgjbml.dll a variant of Win32/Kryptik.AZVC trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3ZV1XWT\updater-startnow-200-2.5-g[1].exe a variant of Win32/Toolbar.Zugo application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3ZV1XWT\updater-startnow-200-2.5-g[1].exe a variant of Win32/Toolbar.Zugo application
C:\Windows\Temp\TBU001\ToolbarUpdate.exe a variant of Win32/Toolbar.Zugo application
C:\Windows\Temp\TBU002\ToolbarUpdate.exe a variant of Win32/Toolbar.Zugo application

At this point I am quite scared of what else might be lurking inside this wonderful computer...



#15 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:28 AM

Posted 23 July 2013 - 09:58 AM

Please do this next:

 

Download Combofix from HERE, and save it to your desktop.

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.

Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion", rebooting your computer will resolve the problem.

Please include the following in your next post:
  • ComboFix log


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.




