search hijack


  • This topic is locked
13 replies to this topic

#1 dragor786

dragor786

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:12 AM

Posted 23 July 2013 - 07:20 AM

Have a computer on our network which has both Firefox and Internet Explorer 9.

Both are set to use Google for search.

In both, the search results appear correctly, but clicking on them initially redirected to a random useless page.

Have attempted to check for any rootkits using TDSSKiller, Malwarebytes and RKill.

Also ran ComboFix; would rather be honest than hide any steps.

Panda did not pick up anything, nor have any of the above programs. Seriously require assistance, as adverts are now of a pornographic nature.

DDS log below:


DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16496
Run by scotland at 13:17:12 on 2013-07-23
Microsoft Windows 7 Professional   6.1.7601.1.1252.44.1033.18.3971.2775 [GMT 1:00]
.
AV: Trend Micro Client/Server Security Agent Antivirus *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Client/Server Security Agent Anti-spyware *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall *Enabled* {50C2E989-60CF-0845-AFD3-290B7D301E79}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\LogonUI.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Dell\DELLOSD\DellOSDService.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files (x86)\DELL\DELLOSD\CalibrationTool.exe
C:\Program Files (x86)\DELL\DELLOSD\MediaButtons.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
C:\Program Files (x86)\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
C:\Program Files (x86)\DELL\DELLOSD\DELLOSD.exe
C:\Program Files (x86)\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
C:\Program Files (x86)\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\hapi64\pbadrvsvc.exe
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk
uDefault_Page_URL = hxxp://www.google.co.uk
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - 
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: DisableCAD = dword:1
IE: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
TCP: NameServer = 192.168.0.15
TCP: Interfaces\{4076F06C-62E0-4D0F-A8FE-247FAD0EA473} : DHCPNameServer = 192.168.0.15
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - 
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - 
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe /s
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /MAXX3 
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [TdmNotify] C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
x64-Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - 
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-Notify: spba - C:\Program Files\Common Files\SPBA\homefus2.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\scotland\AppData\Roaming\Mozilla\Firefox\Profiles\ntdb548j.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-5-6 20024]
R2 Dell WMI Service;Dell WMI Service;C:\Program Files (x86)\Dell\DELLOSD\DellOSDService.exe [2013-5-6 73728]
R2 DellDigitalDelivery;Dell Digital Delivery Service;C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [2013-6-25 196104]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-5-6 13632]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2013-5-6 2451456]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-7-27 636952]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2012-7-27 170824]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-5-6 166432]
R2 OfficeSvc;Microsoft Office Service;C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [2013-5-16 1900728]
R2 PAVAGENTE;Panda AdminSecure Communications Agent;C:\Program Files (x86)\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe [2013-5-20 439616]
R2 PavAtScheduler;Panda AdminSecure Scheduler;C:\Program Files (x86)\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe [2013-5-20 255296]
R2 PbaDrvSvc_x64;Dell PBA x64 Service;C:\Program Files\Dell\Dell Data Protection\Access\Advanced\hapi64\pbadrvsvc.exe [2012-11-23 20480]
R2 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-7-22 4157280]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-5-6 365600]
R2 Wave Authentication Manager Service;Wave Authentication Manager Service;C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [2012-11-19 1758720]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2013-5-6 176000]
R3 dcdbas;System Management Driver;C:\Windows\System32\drivers\dcdbas64.sys [2012-9-23 39016]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-5-6 331264]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-5-6 358456]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-5-6 791608]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2013-5-6 339600]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 EmbassyService;EmbassyService;C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [2012-11-20 225720]
S2 WvPCR;WvPCR;C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [2012-11-8 254384]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2013-5-6 57856]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-9-12 1512448]
S3 netvsc;netvsc;C:\Windows\System32\drivers\netvsc60.sys [2010-11-21 168448]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 SynthVid;SynthVid;C:\Windows\System32\drivers\VMBusVideoM.sys [2010-11-21 22528]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
.
=============== Created Last 30 ================
.
2013-07-23 08:46:03 -------- d-sh--w- C:\$RECYCLE.BIN
2013-07-23 00:33:36 -------- d-----w- C:\Users\scotland\AppData\Local\temp
2013-07-22 22:21:43 98816 ----a-w- C:\Windows\sed.exe
2013-07-22 22:21:43 256000 ----a-w- C:\Windows\PEV.exe
2013-07-22 22:21:43 208896 ----a-w- C:\Windows\MBR.exe
2013-07-22 15:38:19 -------- d-----w- C:\Users\scotland\AppData\Local\Mozilla
2013-07-22 15:29:40 -------- d-----w- C:\Program Files (x86)\TeamViewer
2013-07-22 13:49:14 -------- d-----w- C:\ProgramData\Malwarebytes
2013-07-22 13:49:13 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-07-22 13:49:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-07-12 16:34:47 -------- d-----w- C:\Users\scotland\AppData\Roaming\Intel Corporation
2013-07-12 16:33:23 -------- d-----w- C:\Users\scotland\AppData\Local\VirtualStore
2013-07-12 16:33:18 -------- d-----w- C:\Users\scotland\AppData\Roaming\Windows Small Business Server
2013-07-11 12:16:17 466944 --sha-r- C:\Windows\SysWow64\WlanMMG.dll
2013-07-10 17:01:54 9216 ----a-w- C:\Program Files (x86)\Windows Defender\MpAsDesc.dll
2013-07-10 17:01:54 571904 ----a-w- C:\Program Files\Windows Defender\MpClient.dll
2013-07-10 17:01:54 54784 ----a-w- C:\Program Files (x86)\Windows Defender\MpOAV.dll
2013-07-10 17:01:54 4608 ----a-w- C:\Program Files (x86)\Windows Defender\MsMpLics.dll
2013-07-10 17:01:54 392704 ----a-w- C:\Program Files (x86)\Windows Defender\MpClient.dll
2013-07-10 17:01:54 314880 ----a-w- C:\Program Files\Windows Defender\MpCommu.dll
2013-07-10 17:01:54 1011712 ----a-w- C:\Program Files\Windows Defender\MpSvc.dll
2013-07-10 17:01:40 624128 ----a-w- C:\Windows\System32\qedit.dll
2013-07-10 17:01:40 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2013-07-10 17:01:29 1887744 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-10 17:01:29 1620480 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-10 16:57:32 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-07-10 16:57:18 936448 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-07-10 16:57:18 1732608 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2013-07-10 16:57:18 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2013-07-10 16:57:18 1393152 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2013-07-10 16:57:18 1367040 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-10 16:56:34 1545728 ----a-w- C:\Windows\System32\DWrite.dll
2013-07-10 16:56:34 1077760 ----a-w- C:\Windows\SysWow64\DWrite.dll
2013-07-10 08:41:39 -------- d-----w- C:\Program Files (x86)\Dell Digital Delivery
.
==================== Find3M  ====================
.
2013-07-22 08:46:10 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-22 08:46:10 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-29 05:43:16 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-05-29 05:35:44 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-05-29 05:34:14 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-05-29 05:29:56 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-05-29 05:29:02 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-05-29 05:25:09 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-05-29 01:50:14 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-05-29 01:41:52 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-05-29 01:41:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-05-29 01:37:15 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-05-29 01:36:09 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-05-29 01:33:22 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-05-20 13:20:14 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2013-05-13 05:51:01 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-05-13 05:51:00 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2013-05-13 05:51:00 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-05-13 05:50:40 52224 ----a-w- C:\Windows\System32\certenc.dll
2013-05-13 04:45:55 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55 1160192 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-05-13 04:45:55 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55 1192448 ----a-w- C:\Windows\System32\certutil.exe
2013-05-13 03:08:10 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
2013-05-13 03:08:06 43008 ----a-w- C:\Windows\SysWow64\certenc.dll
2013-05-08 06:39:01 1910632 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-05-06 17:05:58 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2013-05-06 16:53:09 91648 ----a-w- C:\Windows\System32\SetIEInstalledDate.exe
2013-04-26 05:51:36 751104 ----a-w- C:\Windows\System32\win32spl.dll
2013-04-26 04:55:21 492544 ----a-w- C:\Windows\SysWow64\win32spl.dll
.
============= FINISH: 13:17:17.88 ===============
#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:12 AM

Posted 23 July 2013 - 04:29 PM

Hello dragor786,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
1.
Download AdwCleaner
  • Double click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users:
    Right click on adwCleaner.exe and select Run as administrator.
  • Click the Delete button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[R1].txt.
2.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
Things to include in your next reply:
AdwCleaner log
Roguekiller log
Do you have a USB Flash Drive you can use?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 dragor786

dragor786
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:12 AM

Posted 25 July 2013 - 09:17 AM

Sorry about the delay in replying; thanks for your help.

Please see the logs requested below.


RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : scotland [Admin rights]
Mode : Scan -- Date : 07/24/2013 11:17:29
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] EPUpdater : C:\Users\scotland\AppData\Roaming\BABSOL~1\Shared\BabMaint.exe [x] -> FOUND
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD5000AAKX-75U6AA0 +++++
--- User ---
[MBR] 02e381420e7e63e8a84b4b96042f1e1d
[BSP] e6b9ea665616b93475672ca7a8fa292d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 12444 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25567232 | Size: 464452 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_07242013_111729.txt >>
 
 
 
# AdwCleaner v2.306 - Logfile created 07/24/2013 at 11:11:00
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : scotland - CALA-W7-MULL
# Boot Mode : Normal
# Running from : C:\Users\scotland\Downloads\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
Stopped & Deleted : BrowserDefendert
 
***** [Files / Folders] *****
 
Deleted on reboot : C:\ProgramData\BrowserDefender
File Deleted : C:\Users\scotland\AppData\Roaming\Mozilla\Firefox\Profiles\ntdb548j.default\bprotector_extensions.sqlite
File Deleted : C:\Users\scotland\AppData\Roaming\Mozilla\Firefox\Profiles\ntdb548j.default\bprotector_prefs.js
File Deleted : C:\Users\scotland\AppData\Roaming\Mozilla\Firefox\Profiles\ntdb548j.default\searchplugins\Babylon.xml
File Deleted : C:\Users\scotland\AppData\Roaming\Mozilla\Firefox\Profiles\ntdb548j.default\searchplugins\delta.xml
Folder Deleted : C:\Program Files (x86)\delta
Folder Deleted : C:\Users\scotland\AppData\Roaming\BabSolution
Folder Deleted : C:\Users\scotland\AppData\Roaming\Babylon
Folder Deleted : C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowserDefender
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\BabSolution
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\Delta
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings
Key Deleted : HKCU\Software\868bdfbc35ee49
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{39CB8175-E224-4446-8746-00566302DF8D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltaappCore
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltaappCore.1
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltadskBnd
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltadskBnd.1
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltaHlpr
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltaHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
Key Deleted : HKLM\SOFTWARE\Classes\esrv.deltaESrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.deltaESrvc.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\Delta
Key Deleted : HKLM\SOFTWARE\Wow6432Node\868bdfbc35ee49
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{261DD098-8A3E-43D4-87AA-63324FA897D8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{86838207-681D-469D-9511-D0DCC6F19F9B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{1231839B-064E-4788-B865-465A1B5266FD}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{2DAC2231-CC35-482B-97C5-CED1D4185080}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{3F1CD84C-04A3-4EA0-9EA1-7D134FD66C82}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{3F83A9CA-B5F0-44EC-9357-35BB3E84B07F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{47E520EA-CAD2-4F51-8F30-613B3A1C33EB}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{57C91446-8D81-4156-A70E-624551442DE9}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{70AFB7B2-9FB5-4A70-905B-0E9576142E1D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{7AD65FD1-79E0-406D-B03C-DD7C14726D69}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{97DD820D-2E20-40AD-B01E-6730B2FCE630}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{B177446D-54A4-4869-BABC-8566110B4BE0}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D9D1DFC5-502D-43E4-B1BB-4D0B7841489A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E0B07188-A528-4F9E-B2F7-C7FDE8680AE4}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Delta
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Delta Chrome Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1231839B-064E-4788-B865-465A1B5266FD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DAC2231-CC35-482B-97C5-CED1D4185080}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F1CD84C-04A3-4EA0-9EA1-7D134FD66C82}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F83A9CA-B5F0-44EC-9357-35BB3E84B07F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{47E520EA-CAD2-4F51-8F30-613B3A1C33EB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{57C91446-8D81-4156-A70E-624551442DE9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{70AFB7B2-9FB5-4A70-905B-0E9576142E1D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7AD65FD1-79E0-406D-B03C-DD7C14726D69}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{97DD820D-2E20-40AD-B01E-6730B2FCE630}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B177446D-54A4-4869-BABC-8566110B4BE0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D9D1DFC5-502D-43E4-B1BB-4D0B7841489A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E0B07188-A528-4F9E-B2F7-C7FDE8680AE4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}
Key Deleted : HKU\S-1-5-21-1673159585-975685126-1515113503-1179\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Main [bprotector start page]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [bProtectorDefaultScope]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{82E1477C-B154-48D3-9891-33D83C26BCD3}]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16496
 
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www1.delta-search.com/?babsrc=HP_ss&mntrId=C0E65CF9DDE27116&affID=122471&tsp=4952 --> hxxp://www.google.com
 
-\\ Mozilla Firefox v22.0 (en-US)
 
File : C:\Users\geeksource\AppData\Roaming\Mozilla\Firefox\Profiles\2f30203j.default\prefs.js
 
[OK] File is clean.
 
File : C:\Users\Ramsay\AppData\Roaming\Mozilla\Firefox\Profiles\5tm0iufn.default-1374504449057\prefs.js
 
[OK] File is clean.
 
File : C:\Users\scotland\AppData\Roaming\Mozilla\Firefox\Profiles\ntdb548j.default\prefs.js
 
C:\Users\scotland\AppData\Roaming\Mozilla\Firefox\Profiles\ntdb548j.default\user.js ... Deleted !
 
Deleted : user_pref("extensions.delta.admin", false);
Deleted : user_pref("extensions.delta.aflt", "babsst");
Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Deleted : user_pref("extensions.delta.autoRvrt", "false");
Deleted : user_pref("extensions.delta.dfltLng", "en");
Deleted : user_pref("extensions.delta.excTlbr", false);
Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
Deleted : user_pref("extensions.delta.id", "c0e689280000000000005cf9dde27116");
Deleted : user_pref("extensions.delta.instlDay", "15909");
Deleted : user_pref("extensions.delta.instlRef", "sst");
Deleted : user_pref("extensions.delta.newTab", false);
Deleted : user_pref("extensions.delta.prdct", "delta");
Deleted : user_pref("extensions.delta.prtnrId", "delta");
Deleted : user_pref("extensions.delta.rvrt", "false");
Deleted : user_pref("extensions.delta.smplGrp", "none");
Deleted : user_pref("extensions.delta.tlbrId", "base");
Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Deleted : user_pref("extensions.delta.vrsn", "1.8.21.5");
Deleted : user_pref("extensions.delta.vrsni", "1.8.21.5");
Deleted : user_pref("extensions.delta.vrsnTs", "1.8.21.520:19:41");
Deleted : user_pref("extensions.delta_i.babExt", "");
Deleted : user_pref("extensions.delta_i.babTrack", "affID=122471&tsp=4952");
Deleted : user_pref("extensions.delta_i.srcExt", "ss");
 
*************************
 
AdwCleaner[S1].txt - [9801 octets] - [24/07/2013 11:11:00]
 
########## EOF - C:\AdwCleaner[S1].txt - [9861 octets] ##########
 

 



#4 fireman4it (Malware Response Team)

Posted 25 July 2013 - 08:55 PM

  • Re-Run RogueKiller
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, click Delete
  • A report should open; give its content to your helper. (RKreport can also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again
 

How is your machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 dragor786 (Topic Starter)

Posted 25 July 2013 - 09:52 PM

Have re-run RogueKiller and pressed Delete as requested.

Log file below:

RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : scotland [Admin rights]
Mode : Scan -- Date : 07/26/2013 03:44:38
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] EPUpdater : C:\Users\scotland\AppData\Roaming\BABSOL~1\Shared\BabMaint.exe [x] -> FOUND
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD5000AAKX-75U6AA0 +++++
--- User ---
[MBR] 02e381420e7e63e8a84b4b96042f1e1d
[BSP] e6b9ea665616b93475672ca7a8fa292d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 12444 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25567232 | Size: 464452 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_07262013_034438.txt >>
RKreport[0]_S_07242013_111729.txt


#6 fireman4it (Malware Response Team)

Posted 27 July 2013 - 03:53 PM

How is the machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 dragor786 (Topic Starter)

Posted 27 July 2013 - 11:54 PM

Just checked - unfortunately it is still redirecting :(



#8 fireman4it (Malware Response Team)

Posted 28 July 2013 - 01:33 AM

Do you have a USB Flash Drive?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 dragor786 (Topic Starter)

Posted 28 July 2013 - 06:45 AM

I do, but I will not have access to the PC till tomorrow now.
If you can advise what to run and any logs required, I will get them posted ASAP.



#10 fireman4it (Malware Response Team)

Posted 28 July 2013 - 09:34 AM

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Your version will be the 64-bit version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Edited by fireman4it, 28 July 2013 - 09:37 AM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 dragor786 (Topic Starter)

Posted 28 July 2013 - 08:44 PM

Addition
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-07-2013
Ran by scotland at 2013-07-29 02:39:45
Running from C:\Users\scotland\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Installed Programs =======================
 
   
Adobe Flash Player 11 ActiveX (x32 Version: 11.7.700.224)
Adobe Flash Player 11 Plugin (x32 Version: 11.8.800.94)
Adobe Reader XI (11.0.03) (x32 Version: 11.0.03)
Advanced Audio FX Engine (x32 Version: 1.12.05)
Custom (Version: 01.00.00.002)
D3DX10 (x32 Version: 15.4.2368.0902)
Dell Backup and Recovery Manager (Version: 1.3.1)
Dell Client System Update (x32 Version: 1.3.0)
Dell Data Protection | Access (Version: 2.3.00001.021)
Dell Digital Delivery (x32 Version: 2.6.1000.0)
Dell Edoc Viewer (Version: 1.0.0)
Dell Webcam Central (x32 Version: 2.01.15)
DellAccess (Version: 01.03.00.046)
DELLOSD (x32 Version: 1.0.0.16)
EMBASSY Client Core (Version: 01.03.00.092)
ERAS Connector (Version: 02.09.05.0330)
Gemalto (Version: 01.64.01.0010)
GemPcCCID (Version: 2.0.1)
Google Drive (x32 Version: 1.10.4769.632)
Google Update Helper (x32 Version: 1.3.21.153)
Intel® Control Center (x32 Version: 1.2.1.1008)
Intel® Management Engine Components (x32 Version: 8.1.20.1337)
Intel® Network Connections 17.3.63.0 (Version: 17.3.63.0)
Intel® Processor Graphics (x32 Version: 8.15.10.2639)
Intel® Rapid Storage Technology (x32 Version: 11.2.0.1006)
Intel® USB 3.0 eXtensible Host Controller Driver (x32 Version: 1.0.6.245)
Intel® Trusted Connect Service Client (Version: 1.26.242.3)
Junk Mail filter update (x32 Version: 16.4.3505.0912)
Malwarebytes Anti-Malware version 1.75.0.1300 (x32 Version: 1.75.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219)
Movie Maker (x32 Version: 16.4.3505.0912)
Mozilla Firefox 22.0 (x86 en-US) (x32 Version: 22.0)
Mozilla Maintenance Service (x32 Version: 22.0)
MSVCRT (x32 Version: 15.4.2862.0708)
MSVCRT_amd64 (x32 Version: 15.4.2862.0708)
MSVCRT110 (x32 Version: 16.4.1108.0727)
MSVCRT110_amd64 (Version: 16.4.1109.0912)
MSXML 4.0 SP2 (KB954430) (x32 Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (x32 Version: 4.20.9876.0)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4517.1005)
Office 15 Click-to-Run Licensing Component (Version: 15.0.4517.1005)
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4517.1005)
PBA Driver (Version: 1.0.1.7)
Photo Gallery (x32 Version: 16.4.3505.0912)
Preboot Manager (Version: 03.05.00.026)
Private Information Manager (Version: 07.03.00.016)
Realtek High Definition Audio Driver (x32 Version: 6.0.1.5922)
Realtek PCIE Card Reader (x32 Version: 6.2.8400.28123)
rosoft Office Home and Business 2013 - en-us (Version: 15.0.4517.1005)
SI TSS (Version: 2.1.41)
SPBA (WBF) 5.9 (Version: 5.9.7.7232)
TeamViewer 8 Host (x32 Version: 8.0.19617)
toolkit32for64bit (x32 Version: 7.68.85.0013)
Trusted Drive Manager (Version: 5.0.0.304)
Unlocker 1.9.2 (Version: 1.9.2)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (x32 Version: 1)
Wave Crypto Runtime 2.0.9.0 x64 (Version: 02.00.09.0000)
Wave Crypto Runtime 2.0.9.0 x86 (x32 Version: 02.00.09.0000)
Wave Infrastructure Installer (Version: 07.68.85.0014)
Wave Support Software Installer (Version: 05.15.00.021)
Windows Live Communications Platform (x32 Version: 16.4.3505.0912)
Windows Live Essentials (x32 Version: 16.4.3505.0912)
Windows Live Family Safety (Version: 16.4.3505.0912)
Windows Live Family Safety (x32 Version: 16.4.3505.0912)
Windows Live ID Sign-in Assistant (Version: 7.250.4311.0)
Windows Live Installer (x32 Version: 16.4.3505.0912)
Windows Live Mail (x32 Version: 16.4.3505.0912)
Windows Live MIME IFilter (Version: 16.4.3505.0912)
Windows Live Photo Common (x32 Version: 16.4.3505.0912)
Windows Live PIMT Platform (x32 Version: 16.4.3505.0912)
Windows Live SOXE (x32 Version: 16.4.3505.0912)
Windows Live SOXE Definitions (x32 Version: 16.4.3505.0912)
Windows Live UX Platform (x32 Version: 16.4.3505.0912)
Windows Live UX Platform Language Pack (x32 Version: 16.4.3505.0912)
Windows Live Writer (x32 Version: 16.4.3505.0912)
Windows Live Writer Resources (x32 Version: 16.4.3505.0912)
Windows Small Business Server 2011 Standard ClientAgent (Version: 6.1.7900.1)
Windows Small Business Server 2011 Standard WMI Provider (x32 Version: 6.1.7900.1)
 
==================== Restore Points  =========================
 
 
==================== Hosts content: ==========================
 
2009-07-14 03:34 - 2013-07-23 00:39 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {1ECE1AAA-752E-4C19-BCB9-66FAFC306B4E} - System32\Tasks\Microsoft Office 15 Sync Maintenance for {a890fec0-ee78-4ad0-a9b1-8723792af4aa} Cala-W7-MULL.caledonia.local => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2013-07-10] (Microsoft Corporation)
Task: {1F7C5769-1E84-4AEA-A7A0-21823F4ABA97} - System32\Tasks\WPD\SqmUpload_S-1-5-21-1673159585-975685126-1515113503-1172 => C:\Windows\system32\rundll32.exe [2009-07-14] (Microsoft Corporation)
Task: {418D4DAE-837B-4878-B2FC-A9C1944A1482} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-05-20] (Google Inc.)
Task: {57E0796E-F079-4D1A-8666-4D79DF0D9131} - System32\Tasks\Dell\Client System Update => C:\Program Files (x86)\Dell\ClientSystemUpdate\DellClientSystemUpdate.exe [2012-10-11] (Dell Inc.)
Task: {64733CF5-776A-429E-B023-45ECD3B03C1D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-22] (Adobe Systems Incorporated)
Task: {7E367424-14B6-440E-A1CB-FC5E19779B98} - System32\Tasks\HQKROIYJGC => C:\Windows\system32\rundll32.exe [2009-07-14] (Microsoft Corporation)
Task: {8C803319-8243-4F57-B564-6B1EB810C490} - System32\Tasks\BrowserDefendert => C:\Windows\system32\sc.exe [2009-07-14] (Microsoft Corporation)
Task: {B29C89CE-88C3-436B-8B30-74E64343E5AA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-05-20] (Google Inc.)
Task: {BB2A38FB-34F3-4E7B-B49A-C4DD5AA9B5D7} - System32\Tasks\WSCEAA => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\RemoteManagement\WSCEAA.exe [2012-10-17] (Wave Systems Corp.)
Task: {CB2F696E-4479-43FF-8CA5-83D2F0E76054} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [2013-06-09] (Microsoft Corporation)
Task: {D340B5B6-8012-43DD-BF18-F86DB6F4DAB5} - System32\Tasks\Microsoft\Windows Live\SOXE\Extractor Definitions Update Task
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HQKROIYJGC.job => C:\Windows\system32\rundll32.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/28/2013 05:51:13 AM) (Source: Application Error) (User: )
Description: Faulting application name: EmbassyServer.exe, version: 1.3.0.117, time stamp: 0x50ab6eb4
Faulting module name: EmbassyServer.exe, version: 1.3.0.117, time stamp: 0x50ab6eb4
Exception code: 0xc0000005
Fault offset: 0x000000000001711a
Faulting process id: 0x774
Faulting application start time: 0xEmbassyServer.exe0
Faulting application path: EmbassyServer.exe1
Faulting module path: EmbassyServer.exe2
Report Id: EmbassyServer.exe3
 
Error: (07/26/2013 03:54:02 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/24/2013 11:14:35 AM) (Source: Application Error) (User: )
Description: Faulting application name: EmbassyServer.exe, version: 1.3.0.117, time stamp: 0x50ab6eb4
Faulting module name: EmbassyServer.exe, version: 1.3.0.117, time stamp: 0x50ab6eb4
Exception code: 0xc0000005
Fault offset: 0x000000000001711a
Faulting process id: 0x780
Faulting application start time: 0xEmbassyServer.exe0
Faulting application path: EmbassyServer.exe1
Faulting module path: EmbassyServer.exe2
Report Id: EmbassyServer.exe3
 
Error: (07/24/2013 11:12:43 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/23/2013 00:39:23 PM) (Source: Application Error) (User: )
Description: Faulting application name: EmbassyServer.exe, version: 1.3.0.117, time stamp: 0x50ab6eb4
Faulting module name: EmbassyServer.exe, version: 1.3.0.117, time stamp: 0x50ab6eb4
Exception code: 0xc0000005
Fault offset: 0x000000000001711a
Faulting process id: 0x7e0
Faulting application start time: 0xEmbassyServer.exe0
Faulting application path: EmbassyServer.exe1
Faulting module path: EmbassyServer.exe2
Report Id: EmbassyServer.exe3
 
Error: (07/23/2013 00:37:27 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/23/2013 00:27:07 PM) (Source: Application Error) (User: )
Description: Faulting application name: EmbassyServer.exe, version: 1.3.0.117, time stamp: 0x50ab6eb4
Faulting module name: EmbassyServer.exe, version: 1.3.0.117, time stamp: 0x50ab6eb4
Exception code: 0xc0000005
Fault offset: 0x000000000001711a
Faulting process id: 0x7bc
Faulting application start time: 0xEmbassyServer.exe0
Faulting application path: EmbassyServer.exe1
Faulting module path: EmbassyServer.exe2
Report Id: EmbassyServer.exe3
 
Error: (07/23/2013 00:25:21 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/23/2013 10:34:11 AM) (Source: Microsoft-Windows-Folder Redirection) (User: CALEDONIA)
Description: Failed to apply policy and redirect folder "Desktop" to "\\CAL-SBS\RedirectedFolders\Ramsay\Desktop".
 Redirection options=0x9231.
 The following error occurred: "Can not create folder "\\CAL-SBS\RedirectedFolders\Ramsay\Desktop"".
 Error details: "Access is denied.
".
 
Error: (07/23/2013 10:33:04 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (07/28/2013 05:51:19 AM) (Source: UmrdpService) (User: )
Description: Driver Samsung CLX-8380 Series PCL 6 required for printer Samsung CLX-8380 Series PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (07/28/2013 05:51:16 AM) (Source: Service Control Manager) (User: )
Description: The EmbassyService service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (07/26/2013 03:54:00 AM) (Source: Service Control Manager) (User: )
Description: The WvPCR service depends on the TPM Base Services service which failed to start because of the following error: 
%%0
 
Error: (07/26/2013 03:54:00 AM) (Source: Service Control Manager) (User: )
Description: The SI TSS v1.2.1.41 TCS service depends on the TPM Base Services service which failed to start because of the following error: 
%%0
 
Error: (07/24/2013 11:14:56 AM) (Source: UmrdpService) (User: )
Description: Driver Samsung CLX-8380 Series PCL 6 required for printer Samsung CLX-8380 Series PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (07/24/2013 11:14:40 AM) (Source: Service Control Manager) (User: )
Description: The EmbassyService service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (07/24/2013 11:12:18 AM) (Source: Service Control Manager) (User: )
Description: The WvPCR service depends on the TPM Base Services service which failed to start because of the following error: 
%%0
 
Error: (07/24/2013 11:12:18 AM) (Source: Service Control Manager) (User: )
Description: The SI TSS v1.2.1.41 TCS service depends on the TPM Base Services service which failed to start because of the following error: 
%%0
 
Error: (07/23/2013 00:39:33 PM) (Source: UmrdpService) (User: )
Description: Driver Samsung CLX-8380 Series PCL 6 required for printer Samsung CLX-8380 Series PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (07/23/2013 00:39:26 PM) (Source: Service Control Manager) (User: )
Description: The EmbassyService service terminated unexpectedly.  It has done this 1 time(s).
 
 
Microsoft Office Sessions:
=========================
Error: (07/28/2013 05:51:13 AM) (Source: Application Error)(User: )
Description: EmbassyServer.exe1.3.0.11750ab6eb4EmbassyServer.exe1.3.0.11750ab6eb4c0000005000000000001711a77401ce89ab6167ac18C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exeC:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe53cf59f3-f741-11e2-acad-5cf9dde27116
 
Error: (07/26/2013 03:54:02 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/24/2013 11:14:35 AM) (Source: Application Error)(User: )
Description: EmbassyServer.exe1.3.0.11750ab6eb4EmbassyServer.exe1.3.0.11750ab6eb4c0000005000000000001711a78001ce885649d9c46eC:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exeC:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exed6699d63-f449-11e2-83af-5cf9dde27116
 
Error: (07/24/2013 11:12:43 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/23/2013 00:39:23 PM) (Source: Application Error)(User: )
Description: EmbassyServer.exe1.3.0.11750ab6eb4EmbassyServer.exe1.3.0.11750ab6eb4c0000005000000000001711a7e001ce8798fe33a137C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exeC:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe851e7804-f38c-11e2-993f-5cf9dde27116
 
Error: (07/23/2013 00:37:27 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/23/2013 00:27:07 PM) (Source: Application Error)(User: )
Description: EmbassyServer.exe1.3.0.11750ab6eb4EmbassyServer.exe1.3.0.11750ab6eb4c0000005000000000001711a7bc01ce87974e952710C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exeC:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exece191e0c-f38a-11e2-a3a9-5cf9dde27116
 
Error: (07/23/2013 00:25:21 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/23/2013 10:34:11 AM) (Source: Microsoft-Windows-Folder Redirection)(User: CALEDONIA)
Description: Desktop\\CAL-SBS\RedirectedFolders\Ramsay\Desktop0x9231Can not create folder "\\CAL-SBS\RedirectedFolders\Ramsay\Desktop"Access is denied.
 
Error: (07/23/2013 10:33:04 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
CodeIntegrity Errors:
===================================
  Date: 2013-07-29 02:38:38.084
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-07-28 06:00:08.936
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-07-28 05:51:19.578
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-07-26 03:43:16.520
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-07-25 15:16:56.050
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-07-24 11:15:07.080
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-07-24 11:11:00.604
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-07-23 20:16:57.070
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-07-23 13:15:24.832
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-07-23 12:40:12.388
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 37%
Total physical RAM: 3971.16 MB
Available physical RAM: 2477.98 MB
Total Pagefile: 7940.5 MB
Available Pagefile: 6359.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:453.57 GB) (Free:423.31 GB) NTFS (Disk=0 Partition=3)
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 311B6862)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=454 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

 

 

FRST

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-07-2013
Ran by scotland (administrator) on 29-07-2013 02:39:30
Running from C:\Users\scotland\Downloads
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(Microsoft Corporation) C:\Windows\system32\LogonUI.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(Authentec Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
() C:\Program Files (x86)\Dell\DELLOSD\DellOSDService.exe
() C:\Program Files (x86)\DELL\DELLOSD\CalibrationTool.exe
(DELL INC.) C:\Program Files (x86)\DELL\DELLOSD\MediaButtons.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(DELL INC.) C:\Program Files (x86)\DELL\DELLOSD\DELLOSD.exe
(Intel Corporation) C:\Windows\system32\IProsetMonitor.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
() C:\Program Files\Dell\Dell Data Protection\Access\Advanced\hapi64\pbadrvsvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Dell Products, LP.) c:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Authentec Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Microsoft Corporation) C:\Windows\system32\rdpclip.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
(Dell Computer Corporation) C:\dell\DBRM\Reminder\DbrmTrayicon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Creative Technology Ltd) C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6827664 2012-08-15] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] - C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1158248 2012-03-09] (Realtek Semiconductor)
HKLM\...\Run: [TdmNotify] - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [370584 2012-11-08] (Wave Systems Corp.)
HKLM\...\Run: [DBRMTray] - C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (Authentec Inc.)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284480 2012-05-30] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-10-16] (Intel Corporation)
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [577024 2012-03-06] (Creative Technology Ltd)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
AppInit_DLLs-x32: c:\progra~3\browse~1\261339~1.144\{c16c1~1\browse~1.dll [2521040 2013-05-23] ()
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
StartMenuInternet: IEXPLORE.EXE - "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM - {370B2E6C-8F0D-4917-8797-A737641F5ADF} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=MDDRJS
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - {370B2E6C-8F0D-4917-8797-A737641F5ADF} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=MDDRJS
SearchScopes: HKCU - DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www1.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=C0E65CF9DDE27116&affID=122471&tsp=4952
SearchScopes: HKCU - bProtectorDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
Tcpip\Parameters: [DhcpNameServer] 192.168.0.15
 
FireFox:
========
FF ProfilePath: C:\Users\scotland\AppData\Roaming\Mozilla\Firefox\Profiles\ntdb548j.default
FF NewTab: user_pref("browser.newtab.url", "");
FF SelectedSearchEngine: user_pref("browser.search.selectedEngine", "");
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_8_800_94.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\scotland\AppData\Roaming\Mozilla\Firefox\Profiles\ntdb548j.default\searchplugins\babylon.xml
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension
 
==================== Services (Whitelisted) =================
 
R2 Dell WMI Service; C:\Program Files (x86)\Dell\DELLOSD\DellOSDService.exe [73728 2012-08-01] ()
S2 EmbassyService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [225720 2012-11-20] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166432 2012-10-23] (Intel Corporation)
R2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [1900728 2013-06-09] (Microsoft Corporation)
R2 PAVAGENTE; C:\Program Files (x86)\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe [439616 2010-09-30] (Panda Security, S.L.)
R2 PavAtScheduler; C:\Program Files (x86)\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe [255296 2010-09-30] (Panda Security, S.L.)
R2 PbaDrvSvc_x64; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\hapi64\pbadrvsvc.exe [20480 2012-11-23] ()
S2 tcsd_win32.exe; C:\Program Files (x86)\Security Innovation\SI TSS\bin\tcsd_win32.exe [1643520 2012-05-11] ()
R2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1758720 2012-11-19] (Wave Systems Corp.)
S2 WvPCR; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [254384 2012-11-08] (Wave Systems Corp.)
 
==================== Drivers (Whitelisted) ====================
 
R3 dcdbas; C:\Windows\System32\DRIVERS\dcdbas64.sys [39016 2012-09-23] (Dell Inc.)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHD64.sys [2963856 2012-08-17] (Realtek Semiconductor Corp.)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-07-29 02:39 - 2013-07-29 02:39 - 01780547 _____ (Farbar) C:\Users\scotland\Downloads\FRST64.exe
2013-07-29 02:39 - 2013-07-29 02:39 - 00000000 ____D C:\FRST
2013-07-26 03:46 - 2013-07-26 03:46 - 00001486 _____ C:\Users\scotland\Desktop\RKreport[0]_S_07262013_034619.txt
2013-07-26 03:44 - 2013-07-26 03:44 - 00002039 _____ C:\Users\scotland\Desktop\RKreport[0]_D_07262013_034458.txt
2013-07-26 03:44 - 2013-07-26 03:44 - 00001934 _____ C:\Users\scotland\Desktop\RKreport[0]_S_07262013_034438.txt
2013-07-24 11:17 - 2013-07-24 11:17 - 00001901 _____ C:\Users\scotland\Desktop\RKreport[0]_S_07242013_111729.txt
2013-07-24 11:16 - 2013-07-26 03:44 - 00000000 ____D C:\Users\scotland\Desktop\RK_Quarantine
2013-07-24 11:11 - 2013-07-24 11:11 - 00009900 _____ C:\AdwCleaner[S1].txt
2013-07-24 11:11 - 2013-07-24 11:11 - 00000098 _____ C:\Windows\DeleteOnReboot.bat
2013-07-24 11:09 - 2013-07-24 11:09 - 00915968 _____ C:\Users\scotland\Downloads\RogueKiller.exe
2013-07-24 11:09 - 2013-07-24 11:09 - 00666633 _____ C:\Users\scotland\Downloads\adwcleaner.exe
2013-07-23 20:20 - 2013-07-23 20:20 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
2013-07-23 20:20 - 2013-07-23 20:20 - 00000000 ____D C:\Program Files\Unlocker
2013-07-23 20:19 - 2013-07-23 20:19 - 01078591 _____ C:\Users\scotland\Downloads\Unlocker1.9.2.exe
2013-07-23 20:19 - 2013-07-23 20:19 - 00003440 _____ C:\Windows\System32\Tasks\BrowserDefendert
2013-07-23 20:19 - 2013-07-23 20:19 - 00000000 ____D C:\ProgramData\BrowserDefender
2013-07-23 13:17 - 2013-07-23 13:17 - 00018863 _____ C:\Users\scotland\Desktop\dds.txt
2013-07-23 13:17 - 2013-07-23 13:17 - 00008479 _____ C:\Users\scotland\Desktop\attach.txt
2013-07-23 13:16 - 2013-07-23 13:17 - 00688992 ____R (Swearware) C:\Users\scotland\Downloads\dds.com
2013-07-23 12:35 - 2013-07-23 12:35 - 02240864 _____ (Kaspersky Lab ZAO) C:\Users\scotland\Downloads\tdsskiller.exe
2013-07-23 12:28 - 2013-07-23 12:28 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Macromedia
2013-07-23 12:28 - 2013-07-23 12:28 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Adobe
2013-07-23 01:35 - 2013-07-23 01:35 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Malwarebytes
2013-07-23 01:33 - 2013-07-23 01:33 - 00030686 _____ C:\ComboFix.txt
2013-07-23 01:00 - 2013-07-23 01:01 - 00002408 _____ C:\Users\geeksource\Desktop\Rkill.txt
2013-07-23 00:59 - 2013-07-23 00:59 - 05091940 ____R (Swearware) C:\Users\geeksource\Downloads\ComboFix.exe
2013-07-23 00:58 - 2013-07-23 00:58 - 01844864 _____ (Bleeping Computer, LLC) C:\Users\geeksource\Downloads\iExplore.exe
2013-07-23 00:58 - 2013-07-23 00:58 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Mozilla
2013-07-23 00:58 - 2013-07-23 00:58 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Macromedia
2013-07-23 00:58 - 2013-07-23 00:58 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Intel Corporation
2013-07-23 00:58 - 2013-07-23 00:58 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Adobe
2013-07-23 00:58 - 2013-07-23 00:58 - 00000000 ____D C:\Users\geeksource\AppData\Local\Mozilla
2013-07-23 00:58 - 2013-07-23 00:58 - 00000000 ____D C:\Users\geeksource\AppData\Local\Macromedia
2013-07-23 00:57 - 2013-07-23 00:57 - 00070872 _____ C:\Users\geeksource\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-23 00:57 - 2013-07-23 00:57 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Creative
2013-07-23 00:56 - 2013-07-23 00:57 - 00000000 ____D C:\Users\geeksource
2013-07-23 00:56 - 2013-07-23 00:56 - 00000844 __RSH C:\Users\geeksource\ntuser.pol
2013-07-23 00:56 - 2013-07-23 00:56 - 00000020 ___SH C:\Users\geeksource\ntuser.ini
2013-07-23 00:56 - 2013-07-23 00:56 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Windows Small Business Server
2013-07-23 00:56 - 2013-07-23 00:56 - 00000000 ____D C:\Users\geeksource\AppData\Local\VirtualStore
2013-07-23 00:56 - 2013-05-20 10:54 - 00000000 ____D C:\Users\geeksource\AppData\LocalGoogle
2013-07-23 00:56 - 2013-05-20 10:54 - 00000000 ____D C:\Users\geeksource\AppData\Local\Google
2013-07-22 23:21 - 2013-07-23 01:33 - 00000000 ____D C:\Qoobox
2013-07-22 23:21 - 2013-07-23 00:41 - 00000000 ____D C:\Windows\erdnt
2013-07-22 23:21 - 2011-06-26 07:45 - 00256000 _____ C:\Windows\PEV.exe
2013-07-22 23:21 - 2010-11-07 18:20 - 00208896 _____ C:\Windows\MBR.exe
2013-07-22 23:21 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2013-07-22 23:21 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2013-07-22 23:21 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2013-07-22 23:21 - 2000-08-31 01:00 - 00098816 _____ C:\Windows\sed.exe
2013-07-22 23:21 - 2000-08-31 01:00 - 00080412 _____ C:\Windows\grep.exe
2013-07-22 23:21 - 2000-08-31 01:00 - 00068096 _____ C:\Windows\zip.exe
2013-07-22 23:20 - 2013-07-22 23:20 - 05091940 ____R (Swearware) C:\Users\Ramsay\Downloads\ComboFix.exe
2013-07-22 16:38 - 2013-07-22 16:38 - 01844864 _____ (Bleeping Computer, LLC) C:\Users\scotland\Downloads\rkill.exe
2013-07-22 16:38 - 2013-07-22 16:38 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Mozilla
2013-07-22 16:38 - 2013-07-22 16:38 - 00000000 ____D C:\Users\scotland\AppData\Local\Mozilla
2013-07-22 16:29 - 2013-07-22 16:29 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2013-07-22 15:47 - 2013-07-22 15:47 - 00000000 ____D C:\Users\Ramsay\Desktop\Old Firefox Data
2013-07-22 14:49 - 2013-07-22 14:49 - 00000000 ____D C:\Users\Ramsay\AppData\Roaming\Malwarebytes
2013-07-22 14:49 - 2013-07-22 14:49 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-22 14:49 - 2013-07-22 14:49 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-07-22 14:49 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-07-22 14:48 - 2013-07-22 14:48 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Ramsay\Downloads\mbam-setup-1.75.0.1300.exe
2013-07-22 11:42 - 2013-07-22 11:42 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2013-07-22 10:49 - 2013-07-22 10:49 - 00000665 _____ C:\Users\Ramsay\Desktop\Ramsay (CAL-SBSFolderRedirections) (U) - Shortcut.lnk
2013-07-22 10:49 - 2013-07-22 10:49 - 00000580 _____ C:\Users\Ramsay\Desktop\companysharedfolders (H) - Shortcut.lnk
2013-07-12 17:34 - 2013-07-12 17:34 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Intel Corporation
2013-07-12 17:33 - 2013-07-23 12:27 - 00000844 __RSH C:\Users\scotland\ntuser.pol
2013-07-12 17:33 - 2013-07-12 17:33 - 00070872 _____ C:\Users\scotland\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-12 17:33 - 2013-07-12 17:33 - 00001445 _____ C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-07-12 17:33 - 2013-07-12 17:33 - 00001411 _____ C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2013-07-12 17:33 - 2013-07-12 17:33 - 00000000 ___RD C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-07-12 17:33 - 2013-07-12 17:33 - 00000000 ___RD C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-07-12 17:33 - 2013-07-12 17:33 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Windows Small Business Server
2013-07-12 17:33 - 2013-07-12 17:33 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows SBS
2013-07-12 17:33 - 2013-07-12 17:33 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Creative
2013-07-12 17:33 - 2013-07-12 17:33 - 00000000 ____D C:\Users\scotland\AppData\Local\VirtualStore
2013-07-11 13:16 - 2013-07-26 03:53 - 00000302 _____ C:\Windows\Tasks\HQKROIYJGC.job
2013-07-11 13:16 - 2013-07-11 13:16 - 00466944 __RSH C:\Windows\SysWOW64\WlanMMG.dll
2013-07-11 13:16 - 2013-07-11 13:16 - 00002582 _____ C:\Windows\System32\Tasks\HQKROIYJGC
2013-07-10 18:01 - 2013-06-04 07:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2013-07-10 18:01 - 2013-06-04 05:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-10 18:01 - 2013-05-06 07:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-07-10 18:01 - 2013-05-06 05:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-10 18:00 - 2013-05-29 07:15 - 17829376 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-07-10 18:00 - 2013-05-29 06:50 - 10926080 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-07-10 18:00 - 2013-05-29 06:43 - 02312704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-07-10 18:00 - 2013-05-29 06:36 - 01346560 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-07-10 18:00 - 2013-05-29 06:35 - 01392128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-07-10 18:00 - 2013-05-29 06:34 - 01494528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-07-10 18:00 - 2013-05-29 06:33 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-07-10 18:00 - 2013-05-29 06:31 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-07-10 18:00 - 2013-05-29 06:29 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-07-10 18:00 - 2013-05-29 06:29 - 00599040 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-07-10 18:00 - 2013-05-29 06:29 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-07-10 18:00 - 2013-05-29 06:27 - 02147840 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-07-10 18:00 - 2013-05-29 06:27 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-07-10 18:00 - 2013-05-29 06:25 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-07-10 18:00 - 2013-05-29 06:25 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-07-10 18:00 - 2013-05-29 06:18 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-07-10 18:00 - 2013-05-29 02:56 - 12333568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-10 18:00 - 2013-05-29 02:50 - 01800704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-10 18:00 - 2013-05-29 02:48 - 09738752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-10 18:00 - 2013-05-29 02:41 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-07-10 18:00 - 2013-05-29 02:41 - 01129472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-10 18:00 - 2013-05-29 02:41 - 01104384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-10 18:00 - 2013-05-29 02:40 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-07-10 18:00 - 2013-05-29 02:38 - 00065024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-10 18:00 - 2013-05-29 02:37 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-07-10 18:00 - 2013-05-29 02:36 - 00420864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-07-10 18:00 - 2013-05-29 02:35 - 00717824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-10 18:00 - 2013-05-29 02:35 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-10 18:00 - 2013-05-29 02:33 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-10 18:00 - 2013-05-29 02:33 - 01796096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-10 18:00 - 2013-05-29 02:33 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-07-10 18:00 - 2013-05-29 02:29 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-10 17:57 - 2013-06-05 04:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-07-10 17:56 - 2013-04-10 06:45 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2013-07-10 17:56 - 2013-04-10 06:02 - 01077760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-10 09:41 - 2013-07-10 09:41 - 00000000 ____D C:\Program Files (x86)\Dell Digital Delivery
2013-07-05 10:40 - 2013-07-05 10:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
 
==================== One Month Modified Files and Folders =======
 
2013-07-29 02:39 - 2013-07-29 02:39 - 00000000 ____D C:\FRST
2013-07-29 02:33 - 2013-05-06 09:45 - 00005014 _____ C:\Windows\System32\Tasks\WSCEAA
2013-07-29 02:29 - 2013-05-06 09:17 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-29 02:04 - 2013-05-20 10:44 - 00000902 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-29 01:54 - 2013-05-16 12:06 - 00000136 _____ C:\Windows\system32\config\netlogon.ftl
2013-07-29 00:47 - 2013-05-06 09:15 - 01133176 _____ C:\Windows\WindowsUpdate.log
2013-07-28 10:04 - 2013-05-20 10:44 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-26 04:01 - 2009-07-14 05:45 - 00021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-26 04:01 - 2009-07-14 05:45 - 00021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-26 03:58 - 2009-07-14 06:13 - 00793718 _____ C:\Windows\system32\PerfStringBackup.INI
2013-07-26 03:53 - 2013-07-11 13:16 - 00000302 _____ C:\Windows\Tasks\HQKROIYJGC.job
2013-07-26 03:53 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-26 03:53 - 2009-07-14 05:51 - 00034806 _____ C:\Windows\setupact.log
2013-07-26 03:46 - 2013-07-26 03:46 - 00001486 _____ C:\Users\scotland\Desktop\RKreport[0]_S_07262013_034619.txt
2013-07-26 03:44 - 2013-07-26 03:44 - 00002039 _____ C:\Users\scotland\Desktop\RKreport[0]_D_07262013_034458.txt
2013-07-26 03:44 - 2013-07-26 03:44 - 00001934 _____ C:\Users\scotland\Desktop\RKreport[0]_S_07262013_034438.txt
2013-07-26 03:44 - 2013-07-24 11:16 - 00000000 ____D C:\Users\scotland\Desktop\RK_Quarantine
2013-07-24 11:17 - 2013-07-24 11:17 - 00001901 _____ C:\Users\scotland\Desktop\RKreport[0]_S_07242013_111729.txt
2013-07-24 11:11 - 2013-07-24 11:11 - 00009900 _____ C:\AdwCleaner[S1].txt
2013-07-24 11:11 - 2013-07-24 11:11 - 00000098 _____ C:\Windows\DeleteOnReboot.bat
2013-07-24 11:09 - 2013-07-24 11:09 - 00915968 _____ C:\Users\scotland\Downloads\RogueKiller.exe
2013-07-24 11:09 - 2013-07-24 11:09 - 00666633 _____ C:\Users\scotland\Downloads\adwcleaner.exe
2013-07-23 20:20 - 2013-07-23 20:20 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
2013-07-23 20:20 - 2013-07-23 20:20 - 00000000 ____D C:\Program Files\Unlocker
2013-07-23 20:19 - 2013-07-23 20:19 - 01078591 _____ C:\Users\scotland\Downloads\Unlocker1.9.2.exe
2013-07-23 20:19 - 2013-07-23 20:19 - 00003440 _____ C:\Windows\System32\Tasks\BrowserDefendert
2013-07-23 20:19 - 2013-07-23 20:19 - 00000000 ____D C:\ProgramData\BrowserDefender
2013-07-23 13:17 - 2013-07-23 13:17 - 00018863 _____ C:\Users\scotland\Desktop\dds.txt
2013-07-23 13:17 - 2013-07-23 13:17 - 00008479 _____ C:\Users\scotland\Desktop\attach.txt
2013-07-23 13:17 - 2013-07-23 13:16 - 00688992 ____R (Swearware) C:\Users\scotland\Downloads\dds.com
2013-07-23 12:35 - 2013-07-23 12:35 - 02240864 _____ (Kaspersky Lab ZAO) C:\Users\scotland\Downloads\tdsskiller.exe
2013-07-23 12:28 - 2013-07-23 12:28 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Macromedia
2013-07-23 12:28 - 2013-07-23 12:28 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Adobe
2013-07-23 12:27 - 2013-07-12 17:33 - 00000844 __RSH C:\Users\scotland\ntuser.pol
2013-07-23 12:27 - 2013-05-16 11:21 - 00000000 ____D C:\Users\scotland
2013-07-23 10:32 - 2010-11-21 04:47 - 00033230 _____ C:\Windows\PFRO.log
2013-07-23 01:35 - 2013-07-23 01:35 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Malwarebytes
2013-07-23 01:33 - 2013-07-23 01:33 - 00030686 _____ C:\ComboFix.txt
2013-07-23 01:33 - 2013-07-22 23:21 - 00000000 ____D C:\Qoobox
2013-07-23 01:32 - 2009-07-14 03:34 - 00000215 _____ C:\Windows\system.ini
2013-07-23 01:01 - 2013-07-23 01:00 - 00002408 _____ C:\Users\geeksource\Desktop\Rkill.txt
2013-07-23 00:59 - 2013-07-23 00:59 - 05091940 ____R (Swearware) C:\Users\geeksource\Downloads\ComboFix.exe
2013-07-23 00:58 - 2013-07-23 00:58 - 01844864 _____ (Bleeping Computer, LLC) C:\Users\geeksource\Downloads\iExplore.exe
2013-07-23 00:58 - 2013-07-23 00:58 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Mozilla
2013-07-23 00:58 - 2013-07-23 00:58 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Macromedia
2013-07-23 00:58 - 2013-07-23 00:58 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Intel Corporation
2013-07-23 00:58 - 2013-07-23 00:58 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Adobe
2013-07-23 00:58 - 2013-07-23 00:58 - 00000000 ____D C:\Users\geeksource\AppData\Local\Mozilla
2013-07-23 00:58 - 2013-07-23 00:58 - 00000000 ____D C:\Users\geeksource\AppData\Local\Macromedia
2013-07-23 00:57 - 2013-07-23 00:57 - 00070872 _____ C:\Users\geeksource\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-23 00:57 - 2013-07-23 00:57 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Creative
2013-07-23 00:57 - 2013-07-23 00:56 - 00000000 ____D C:\Users\geeksource
2013-07-23 00:56 - 2013-07-23 00:56 - 00000844 __RSH C:\Users\geeksource\ntuser.pol
2013-07-23 00:56 - 2013-07-23 00:56 - 00000020 ___SH C:\Users\geeksource\ntuser.ini
2013-07-23 00:56 - 2013-07-23 00:56 - 00000000 ____D C:\Users\geeksource\AppData\Roaming\Windows Small Business Server
2013-07-23 00:56 - 2013-07-23 00:56 - 00000000 ____D C:\Users\geeksource\AppData\Local\VirtualStore
2013-07-23 00:49 - 2013-05-16 11:13 - 00000844 __RSH C:\Users\Ramsay\ntuser.pol
2013-07-23 00:49 - 2013-05-16 11:13 - 00000000 ____D C:\Users\Ramsay
2013-07-23 00:42 - 2009-07-14 04:20 - 00000000 __RHD C:\Users\Default
2013-07-23 00:41 - 2013-07-22 23:21 - 00000000 ____D C:\Windows\erdnt
2013-07-23 00:37 - 2009-07-14 03:34 - 67108864 _____ C:\Windows\system32\config\SOFTWARE.bak
2013-07-23 00:37 - 2009-07-14 03:34 - 14942208 _____ C:\Windows\system32\config\SYSTEM.bak
2013-07-23 00:37 - 2009-07-14 03:34 - 00524288 _____ C:\Windows\system32\config\DEFAULT.bak
2013-07-23 00:37 - 2009-07-14 03:34 - 00262144 _____ C:\Windows\system32\config\SECURITY.bak
2013-07-22 23:27 - 2009-07-14 03:34 - 28311552 _____ C:\Windows\system32\config\COMPONENTS.bak
2013-07-22 23:20 - 2013-07-22 23:20 - 05091940 ____R (Swearware) C:\Users\Ramsay\Downloads\ComboFix.exe
2013-07-22 22:54 - 2013-05-16 11:12 - 00048628 __RSH C:\ProgramData\ntuser.pol
2013-07-22 22:54 - 2009-07-14 03:34 - 00262144 _____ C:\Windows\system32\config\SAM.bak
2013-07-22 18:29 - 2013-05-16 11:13 - 00000160 ___SH C:\Users\Ramsay\ntuser.ini
2013-07-22 16:38 - 2013-07-22 16:38 - 01844864 _____ (Bleeping Computer, LLC) C:\Users\scotland\Downloads\rkill.exe
2013-07-22 16:38 - 2013-07-22 16:38 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Mozilla
2013-07-22 16:38 - 2013-07-22 16:38 - 00000000 ____D C:\Users\scotland\AppData\Local\Mozilla
2013-07-22 16:29 - 2013-07-22 16:29 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2013-07-22 15:47 - 2013-07-22 15:47 - 00000000 ____D C:\Users\Ramsay\Desktop\Old Firefox Data
2013-07-22 14:49 - 2013-07-22 14:49 - 00000000 ____D C:\Users\Ramsay\AppData\Roaming\Malwarebytes
2013-07-22 14:49 - 2013-07-22 14:49 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-22 14:49 - 2013-07-22 14:49 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-07-22 14:48 - 2013-07-22 14:48 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Ramsay\Downloads\mbam-setup-1.75.0.1300.exe
2013-07-22 11:42 - 2013-07-22 11:42 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2013-07-22 10:49 - 2013-07-22 10:49 - 00000665 _____ C:\Users\Ramsay\Desktop\Ramsay (CAL-SBSFolderRedirections) (U) - Shortcut.lnk
2013-07-22 10:49 - 2013-07-22 10:49 - 00000580 _____ C:\Users\Ramsay\Desktop\companysharedfolders (H) - Shortcut.lnk
2013-07-22 09:59 - 2013-05-20 10:44 - 00003898 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-07-22 09:59 - 2013-05-20 10:44 - 00003646 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-07-22 09:47 - 2013-05-22 09:38 - 00000000 ____D C:\Users\Ramsay\AppData\Local\Adobe
2013-07-22 09:46 - 2013-05-06 09:17 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-07-22 09:46 - 2013-05-06 09:17 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-07-22 09:46 - 2013-05-06 09:17 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-07-22 09:43 - 2013-05-16 11:21 - 00000000 ____D C:\Program Files\Microsoft Office 15
2013-07-22 09:33 - 2013-05-06 09:56 - 00000031 _____ C:\tmuninst.ini
2013-07-12 17:34 - 2013-07-12 17:34 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Intel Corporation
2013-07-12 17:33 - 2013-07-12 17:33 - 00070872 _____ C:\Users\scotland\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-12 17:33 - 2013-07-12 17:33 - 00001445 _____ C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-07-12 17:33 - 2013-07-12 17:33 - 00001411 _____ C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2013-07-12 17:33 - 2013-07-12 17:33 - 00000000 ___RD C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-07-12 17:33 - 2013-07-12 17:33 - 00000000 ___RD C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-07-12 17:33 - 2013-07-12 17:33 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Windows Small Business Server
2013-07-12 17:33 - 2013-07-12 17:33 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows SBS
2013-07-12 17:33 - 2013-07-12 17:33 - 00000000 ____D C:\Users\scotland\AppData\Roaming\Creative
2013-07-12 17:33 - 2013-07-12 17:33 - 00000000 ____D C:\Users\scotland\AppData\Local\VirtualStore
2013-07-11 13:16 - 2013-07-11 13:16 - 00466944 __RSH C:\Windows\SysWOW64\WlanMMG.dll
2013-07-11 13:16 - 2013-07-11 13:16 - 00002582 _____ C:\Windows\System32\Tasks\HQKROIYJGC
2013-07-11 09:42 - 2009-07-14 05:45 - 00331328 _____ C:\Windows\system32\FNTCACHE.DAT
2013-07-11 09:41 - 2010-11-21 08:17 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-11 09:41 - 2009-07-14 06:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-11 09:41 - 2009-07-14 06:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-10 09:41 - 2013-07-10 09:41 - 00000000 ____D C:\Program Files (x86)\Dell Digital Delivery
2013-07-09 09:36 - 2013-05-20 10:34 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-07-05 10:40 - 2013-07-05 10:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-07-23 10:54
 
==================== End Of Log ============================


#12 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts)

Posted 29 July 2013 - 07:53 PM

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt.

2013-07-11 13:16 - 2013-07-26 03:53 - 00000302 _____ C:\Windows\Tasks\HQKROIYJGC.job
C:\Windows\System32\Tasks\HQKROIYJGC
Task: C:\Windows\Tasks\HQKROIYJGC.job => C:\Windows\system32\rundll32.exe
AppInit_DLLs-x32: c:\progra~3\browse~1\261339~1.144\{c16c1~1\browse~1.dll
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www1.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=C0E65CF9DDE27116&affID=122471&tsp=4952
SearchScopes: HKCU - bProtectorDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www1.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=C0E65CF9DDE27116&affID=122471&tsp=4952
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
BHO-x32: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
Task: {7E367424-14B6-440E-A1CB-FC5E19779B98} - System32\Tasks\HQKROIYJGC => C:\Windows\system32\rundll32.exe [2009-07-14] (Microsoft Corporation)
 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
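The entries fireman4it's fixlist targets (a scheduled task with a random-looking name that launches rundll32.exe, an AppInit_DLLs entry, and SearchScopes values pointing at delta-search.com) are exactly the kind of thing a responder wants to pick out of an FRST log without reading it line by line. The Python script below is an added example for this thread, not FRST's own code and not part of the fix posted above: it parses the line shapes that appear in the log (file-listing entries, Task lines, AppInit_DLLs, SearchScopes) and reports a finding with a reason for each indicator. The sample input mixes lines copied from the log in this thread with two constructed benign entries (a GoogleUpdate task and a bing.com search scope, with placeholder GUIDs) for contrast; the search-host allowlist and the flagging rules are this example's own assumptions, not FRST's.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines for browser-hijack indicators.

Added example for this thread; not FRST's code. The rules below are this
example's own heuristics, not anything FRST itself implements.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts a sane default search scope is expected to point at.
# Assumption of this example; extend it for your own environment.
SEARCH_HOST_ALLOWLIST = ("google.com", "bing.com", "yahoo.com", "duckduckgo.com")

# Sample input: lines copied from the FRST log in this thread plus two
# constructed benign entries (placeholder GUIDs) at the end for contrast.
SAMPLE_FRST_LINES = r"""
2013-07-11 13:16 - 2013-07-11 13:16 - 00466944 __RSH C:\Windows\SysWOW64\WlanMMG.dll
2013-07-11 13:16 - 2013-07-11 13:16 - 00002582 _____ C:\Windows\System32\Tasks\HQKROIYJGC
Task: C:\Windows\Tasks\HQKROIYJGC.job => C:\Windows\system32\rundll32.exe
AppInit_DLLs-x32: c:\progra~3\browse~1\261339~1.144\{c16c1~1\browse~1.dll
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www1.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=C0E65CF9DDE27116&affID=122471&tsp=4952
SearchScopes: HKCU - bProtectorDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
Task: {7E367424-14B6-440E-A1CB-FC5E19779B98} - System32\Tasks\HQKROIYJGC => C:\Windows\system32\rundll32.exe [2009-07-14] (Microsoft Corporation)
Task: {00000000-0000-0000-0000-000000000002} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (Google Inc.)
SearchScopes: HKCU - {00000000-0000-0000-0000-000000000001} URL = http://www.bing.com/search?q={searchTerms}
"""

# File-listing entry: "<created> - <modified> - <size> <attrs> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) ([_A-Z]{5}) (.+)$"
)
# Both task-line shapes seen in the log:
#   "Task: C:\Windows\Tasks\<name>.job => <target>"
#   "Task: {GUID} - System32\Tasks\<name> => <target> [date] (publisher)"
TASK_RE = re.compile(
    r"^Task: (?:.* )?(?:[A-Za-z]:\\Windows\\Tasks\\|System32\\Tasks\\)"
    r"(?P<name>[^\\ ]+?)(?:\.job)? => (?P<target>.+)$"
)
SCOPE_RE = re.compile(r"^SearchScopes: (?P<hive>HK\w+) - (?P<value>.+?)(?: URL = (?P<url>.*))?$")
RANDOM_NAME_RE = re.compile(r"^[A-Z]{8,}$")  # all caps, no digits, no readable words


@dataclass(frozen=True)
class Finding:
    kind: str
    line: str
    reason: str


def _host_allowed(url: str) -> bool:
    """True when the URL's host is the allowlisted domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SEARCH_HOST_ALLOWLIST)


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for one FRST log line."""
    findings: list[Finding] = []
    if m := FILE_RE.match(line):
        attrs, path = m.group(4), m.group(5)
        # S+H on a plain file hides it from default Explorer views; worth a look
        if "D" not in attrs and "S" in attrs and "H" in attrs:
            findings.append(Finding("hidden_system_file", line, f"hidden+system attributes on {path}"))
    elif m := TASK_RE.match(line):
        name, target = m.group("name"), m.group("target")
        random_name = bool(RANDOM_NAME_RE.match(name))
        via_rundll32 = "rundll32.exe" in target.lower()
        if random_name or via_rundll32:
            findings.append(Finding("suspicious_task", line,
                                    f"task {name!r} (random-looking name: {random_name}, rundll32: {via_rundll32})"))
    elif line.startswith("AppInit_DLLs"):
        value = line.split(":", 1)[1].strip()
        if value:  # any non-empty AppInit_DLLs value is injected into every user32 process
            findings.append(Finding("appinit_dll", line, f"AppInit_DLLs loads {value}"))
    elif m := SCOPE_RE.match(line):
        value, url = m.group("value"), m.group("url")
        if "value is missing" in value:
            findings.append(Finding("scope_missing", line, f"{m.group('hive')} default search scope removed"))
        elif "bProtector" in value:
            findings.append(Finding("scope_pinned", line, "non-standard value name pinning the default scope"))
        elif url and not _host_allowed(url):
            findings.append(Finding("scope_redirect", line, f"search host {urlparse(url).hostname} not allowlisted"))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every non-empty line of an FRST log."""
    return [f for raw in log_text.strip().splitlines() if (line := raw.strip()) for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run it as-is to see the seven indicators from this thread reported with the two benign entries left alone; point `triage()` at the text of a real FRST.txt or Addition.txt to use it on another log. The output is a starting point for a responder, not a verdict: a task that launches rundll32.exe with a legitimate DLL, or a corporate search appliance outside the allowlist, will show up and has to be checked by hand.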


#13 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts)

Posted 31 July 2013 - 07:08 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it




#14 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts)

Posted 12 August 2013 - 04:02 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
