ICE Ransomware Evolved - Still hijacked after Kaspersky Rescue 10


  • This topic is locked
14 replies to this topic

#1 Mike_D_76

Mike_D_76

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:59 PM

Posted 23 July 2013 - 11:11 AM

My desktop is infected with the ICE Ransomware.  I've been working on the machine since yesterday using this forum and others as guides, but I am still infected.

 

It is the "evolved" version of the ransomware that causes safe modes to automatically reboot when I log in; system restore from the safe startup menu is not recognizing any previous snapshots; Hitman did not activate from the USB; and while I have been able to boot a Kaspersky Rescue Disc, it did not find the malware.  I am currently digging through my software dustbin for my Windows recovery disc, but I was hoping to avoid a complete reformat of the hard drive.

 

As it stands right now, I have Kaspersky Rescue 10 up and running, but until Kaspersky figures out the new iteration of this particular malware I'm kind of stuck.  Please advise.





#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:59 PM

Posted 23 July 2013 - 04:38 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:
  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.
We need to see some information about what is happening in your machine. Please perform the following scan again:
  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE




Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice



Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Thanks and again sorry for the delay.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Mike_D_76

Mike_D_76
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:59 PM

Posted 23 July 2013 - 04:53 PM

I have a Windows 7 x64 operating system.

 

I can only get Kaspersky Rescue Disc running, and I can't seem to run any programs inside the shell.  

 

I am looking for the original Windows CD.  It's packed away from our move a few years back and will take some digging.

 

I have the ICE 300 USD Ransomware that activates when I log in. (It likely was a java based intrusion if that matters). I attempted to restart in Safe Mode, but when login completes the computer restarts. This was also the case for safe with a command prompt.  I did attempt to activate a system restore from registry, but there were no snapshots detected.  I then created a Hitman Pro USB drive to attempt using that program, but it did not activate from the USB drive.  Finally, I was able to get the Kaspersky Rescue Disc running, but it did not detect the malware (though I did have a trojan [awesome]).

 

As it stands, I have transferred some files from the C: to an external HD through Kaspersky in case I wind up having to wipe the drive, but I am still hoping to have some success.  Currently, my keyboard is not being recognized half of the time before it goes through the full startup and Kaspersky boot interrupt. :/

 

Since I am unable to get into anything but the Kaspersky Rescue Disc shell, I do not know exactly how to run DDS or aswMBR since I have not been able to run any executables via the system.  Thanks.



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:59 PM

Posted 23 July 2013 - 05:26 PM



For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

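The steps above find the flash drive letter by opening Notepad's File > Open dialog from the recovery command prompt. As an added example (not from this thread, and not code from Farbar or BleepingComputer), the batch script below does the same lookup from the same prompt by probing each drive letter for the tool, then launches whichever build it finds. It assumes the tool was saved to the root of the flash drive under its default names, FRST64.exe (x64) or FRST.exe (x86); the drive-letter range and file names are the only assumptions.

```batch
@echo off
rem Added example, not the tool's own code: locate the flash drive that holds
rem the Farbar Recovery Scan Tool from the System Recovery Options command
rem prompt and start it, so the drive letter need not be found via Notepad.
rem Assumption: the tool sits in the root of the flash drive as FRST64.exe
rem (x64 Windows) or FRST.exe (x86 Windows), as the instructions describe.
setlocal
set "TOOL="
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    rem "if defined" is evaluated at run time, so the first hit wins
    if not defined TOOL (
        if exist "%%D:\FRST.exe"   set "TOOL=%%D:\FRST.exe"
        if exist "%%D:\FRST64.exe" set "TOOL=%%D:\FRST64.exe"
    )
)
if not defined TOOL (
    echo Neither FRST64.exe nor FRST.exe was found on drive letters C: to Z:.
    echo Check that the flash drive is plugged in and the file is in its root.
    exit /b 1
)
rem The tool writes its log (FRST.txt) next to itself, i.e. on the flash drive.
echo Found %TOOL% - starting it now.
"%TOOL%"
endlocal
```

Because a script saved on the flash drive has the same drive-letter problem, the search loop is more useful typed straight into the recovery command window, where `for` variables take a single percent sign: `for %D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do @if exist %D:\FRST64.exe echo %D:` prints the letter, after which the tool is started exactly as in the instructions above.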


#5 Mike_D_76

Mike_D_76
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:59 PM

Posted 24 July 2013 - 07:37 AM

Ok... a friend told me about "Windows Unlocker" on the Kaspersky Rescue Disc and told me how to run it (Open Terminal > enter "windowsunlocker" on the command line > choose option 1) <--for those browsing this who were at my level of knowledge and couldn't figure it out ;))

 

I am in my system now and ran DDS.  Here are the logs....

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16496  BrowserJavaVersion: 10.7.2
Run by Michael at 8:31:12 on 2013-07-24
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4094.1778 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Michael\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit = userinit.exe
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: {99079a25-328f-4bd4-be04-00955acaa0a7} - <orphaned>
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [InstaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Michael\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Michael\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &ieSpell Options - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - C:\Program Files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - C:\Program Files (x86)\ieSpell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.64.0.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} - hxxp://64.247.253.34/activex/decoder/intel_mpeg4_dec.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://64.247.253.34/activex/AMC.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{3D554093-7D2E-4F27-BDF8-4BF1565BF1EB} : DHCPNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs=   
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-6-18 247216]
R1 ElRawDisk;ElRawDisk;C:\Windows\System32\drivers\ElRawDsk.sys [2013-6-25 30752]
R2 Dokan;Dokan;C:\Windows\System32\drivers\dokan.sys [2011-1-10 120408]
R2 DokanMounter;DokanMounter;C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe [2011-1-10 14848]
R2 ioloSystemService;iolo System Service;C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2013-6-25 1072664]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 139616]
R2 PDFsFilter;PDFsFilter;C:\Windows\System32\drivers\PDFsFilter.sys [2013-6-25 82160]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-6-20 366600]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-1-22 236544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AndNetDiag;LGE AndroidNet USB Serial Port;C:\Windows\System32\drivers\lgandnetdiag64.sys [2012-7-3 29184]
S3 AndNetDiag2;LGE AndroidNet For Diagnostics Port;C:\Windows\System32\drivers\lgandnetdiag264.sys [2012-7-3 29184]
S3 ANDNetModem;LGE AndroidNet USB Modem;C:\Windows\System32\drivers\lgandnetmodem64.sys [2012-7-3 36352]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-11-3 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\ANDROIDUSB.sys [2009-11-1 33736]
S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\System32\drivers\htcnprot.sys [2010-6-25 36928]
S3 rspSanity;rspSanity;C:\Windows\System32\drivers\rspSanity64.sys [2012-1-2 29752]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-2-28 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-4-6 1255736]
S4 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-8-12 87040]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]
S4 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2013-3-22 93072]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
FileExt: .scr: scrfile=NOTEPAD.EXE "%1"
FileExt: .reg: regfile=NOTEPAD.EXE "%1"
FileExt: .vbe: VBEFile=NOTEPAD.EXE "%1"
FileExt: .vbs: VBSFile=NOTEPAD.EXE "%1"
FileExt: .js: JSFile=NOTEPAD.EXE "%1"
FileExt: .jse: JSEFile=NOTEPAD.EXE "%1"
FileExt: .wsf: WSFFile=NOTEPAD.EXE "%1"
.
=============== Created Last 30 ================
.
2013-07-22 17:15:27 9460976 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3293523B-A213-4A5E-A2C5-7058B000B8B0}\mpengine.dll
2013-07-22 16:15:37 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-07-21 17:15:08 9460976 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-07-17 17:16:07 941720 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{040DF822-2700-4A84-8246-D924158E2052}\gapaengine.dll
2013-07-15 07:00:50 -------- d-----w- C:\Windows\System32\MRT
2013-07-10 01:13:06 1011712 ----a-w- C:\Program Files\Windows Defender\MpSvc.dll
2013-07-10 01:13:05 571904 ----a-w- C:\Program Files\Windows Defender\MpClient.dll
2013-07-10 01:13:05 392704 ----a-w- C:\Program Files (x86)\Windows Defender\MpClient.dll
2013-07-10 01:13:05 314880 ----a-w- C:\Program Files\Windows Defender\MpCommu.dll
2013-07-10 01:13:04 9216 ----a-w- C:\Program Files (x86)\Windows Defender\MpAsDesc.dll
2013-07-10 01:13:04 54784 ----a-w- C:\Program Files (x86)\Windows Defender\MpOAV.dll
2013-07-10 01:13:04 4608 ----a-w- C:\Program Files (x86)\Windows Defender\MsMpLics.dll
2013-07-10 01:12:25 624128 ----a-w- C:\Windows\System32\qedit.dll
2013-07-10 01:12:25 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2013-07-10 01:12:18 1887744 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-10 01:12:17 1620480 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-10 01:10:47 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-07-10 01:10:45 1732608 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2013-07-10 01:10:45 1393152 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2013-07-10 01:10:45 1367040 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-10 01:10:44 936448 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-07-10 01:10:44 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2013-07-10 01:10:10 1545728 ----a-w- C:\Windows\System32\DWrite.dll
2013-07-10 01:10:09 1077760 ----a-w- C:\Windows\SysWow64\DWrite.dll
2013-07-06 14:47:55 -------- d-----w- C:\Users\Michael\AppData\Roaming\.technic
2013-07-05 12:40:32 -------- d-----w- C:\Program Files (x86)\Dokan
2013-06-26 19:03:51 -------- d-----w- C:\Users\Michael\AppData\Roaming\DefendersQuest
2013-06-25 19:38:27 2155688 ----a-w- C:\Windows\System32\Incinerator64.dll
2013-06-25 19:38:27 2097472 ----a-w- C:\Windows\SysWow64\Incinerator32.dll
2013-06-25 19:38:14 82160 ----a-w- C:\Windows\System32\drivers\PDFsFilter.sys
2013-06-25 19:38:13 57584 ----a-w- C:\Windows\System32\iolobtdfg.exe
2013-06-25 19:38:13 26184 ----a-w- C:\Windows\System32\smrgdf.exe
2013-06-25 19:38:12 69000 ----a-w- C:\Windows\System32\offreg.dll
2013-06-25 19:38:12 56200 ----a-w- C:\Windows\SysWow64\offreg.dll
2013-06-25 19:36:47 30752 ----a-w- C:\Windows\System32\drivers\ElRawDsk.sys
2013-06-25 19:36:28 -------- d-----w- C:\iolo
2013-06-25 19:30:29 -------- d-----w- C:\Users\Michael\AppData\Roaming\iolo
2013-06-25 18:38:18 74703 ----a-w- C:\Windows\SysWow64\mfc45.dat
2013-06-25 18:38:17 -------- d-----w- C:\ProgramData\iolo
2013-06-25 18:38:17 -------- d-----w- C:\Program Files (x86)\iolo
2013-06-25 14:20:26 -------- d-----w- C:\Program Files\iPod
2013-06-25 14:20:25 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-25 14:20:25 -------- d-----w- C:\Program Files\iTunes
2013-06-25 14:20:25 -------- d-----w- C:\Program Files (x86)\iTunes
.
==================== Find3M  ====================
.
2013-06-19 01:50:08 247216 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2013-06-19 01:50:08 139616 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2013-06-15 01:35:37 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-15 01:35:37 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-29 05:43:16 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-05-29 05:35:44 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-05-29 05:34:14 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-05-29 05:29:56 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-05-29 05:29:02 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-05-29 05:25:09 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-05-29 01:50:14 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-05-29 01:41:52 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-05-29 01:41:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-05-29 01:37:15 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-05-29 01:36:09 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-05-29 01:33:22 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-05-13 05:51:01 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-05-13 05:51:00 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2013-05-13 05:51:00 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-05-13 05:50:40 52224 ----a-w- C:\Windows\System32\certenc.dll
2013-05-13 04:45:55 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55 1160192 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-05-13 04:45:55 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55 1192448 ----a-w- C:\Windows\System32\certutil.exe
2013-05-13 03:08:10 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
2013-05-13 03:08:06 43008 ----a-w- C:\Windows\SysWow64\certenc.dll
2013-05-10 05:49:27 30720 ----a-w- C:\Windows\System32\cryptdlg.dll
2013-05-10 03:20:54 24576 ----a-w- C:\Windows\SysWow64\cryptdlg.dll
2013-05-08 06:39:01 1910632 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-05-02 15:29:56 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-05-01 07:59:12 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2013-05-01 07:59:12 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2013-04-26 05:51:36 751104 ----a-w- C:\Windows\System32\win32spl.dll
2013-04-26 04:55:21 492544 ----a-w- C:\Windows\SysWow64\win32spl.dll
.
============= FINISH:  8:32:44.26 ===============
 

 



I will continue to monitor this topic of course because I want to ensure my system is sterilized before I do anything.


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:59 PM

Posted 24 July 2013 - 06:36 PM

Will you please follow the direction I gave you for downloading and installing Farbar Recovery Scan Tool.




#7 Mike_D_76

Mike_D_76
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:59 PM

Posted 25 July 2013 - 06:40 AM

Here is the FRST scan log...

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-07-2013
Ran by Michael (administrator) on 25-07-2013 07:36:10
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(ATI Technologies Inc.) C:\Windows\system32\Ati2evxx.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(ATI Technologies Inc.) C:\Windows\system32\Ati2evxx.exe
(Lavasoft Limited) C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
(Affinegy, Inc.) C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Dropbox, Inc.) C:\Users\Michael\AppData\Roaming\Dropbox\bin\Dropbox.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Affinegy, Inc.) C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Lavasoft) C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Lavasoft) C:\ProgramData\Search Protection\SearchProtection.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(GFI Software) C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe
(Affinegy, Inc.) C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinSetup.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Lavasoft Limited) C:\PROGRA~2\AD-AWA~1\AdAware.exe
(Google Inc.) C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\System Mechanic\SMSystemAnalyzer.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8067616 2009-08-18] (Realtek Semiconductor)
HKLM\...\Run: [IntelliPoint] - C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKCU\...\Run: [Steam] - C:\Program Files (x86)\Steam\steam.exe [1672616 2013-07-09] (Valve Corporation)
HKCU\...\Run: [GoogleDriveSync] - C:\Program Files (x86)\Google\Drive\googledrivesync.exe [19676256 2013-06-06] (Google)
HKCU\...\Run: [Sidebar] - C:\Program Files\Windows Sidebar\sidebar.exe [1475584 2010-11-20] (Microsoft Corporation)
HKCU\...\Winlogon: [Shell] Explorer.exe <==== ATTENTION 
HKCU\...\Command Processor:  <======= ATTENTION
MountPoints2: {10d412d8-a6ab-11df-ad0f-6cf0490c7ab2} - J:\LaunchU3.exe -a
MountPoints2: {949f3103-c899-11e2-b309-6cf0490c7ab2} - E:\LGAutoRun.exe
HKLM-x32\...\Run: [InstaLAN] - "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup [1770400 2011-02-24] (Affinegy, Inc.)
HKLM-x32\...\Run: [iTunesHelper] - "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [Ad-Aware Browsing Protection] - "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" [554408 2013-05-15] (Lavasoft)
HKLM-x32\...\Run: [Search Protection] - C:\ProgramData\Search Protection\SearchProtection.exe [943016 2013-06-13] (Lavasoft)
HKU\Julia\...\Run: [Pando Media Booster] - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [2937528 2010-01-28] ()
HKU\Julia\...\Run: [Steam] - "C:\Program Files (x86)\Steam\Steam.exe" -silent [1672616 2013-07-09] (Valve Corporation)
AppInit_DLLs:    [0 ] ()
AppInit_DLLs-x32:    [0 ] ()
Startup: C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Michael\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=362&systemid=406&sr=0&q={searchTerms}
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=362&systemid=406&sr=0&q={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=362&systemid=406&sr=0&q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=362&systemid=406&sr=0&q={searchTerms}
SearchScopes: HKCU - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=362&systemid=406&sr=0&q={searchTerms}
SearchScopes: HKCU - {3CDC7708-FAD8-4408-8ABA-6E405531AAE3} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=362&systemid=406&sr=0&q={searchTerms}
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll ()
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: No Name - {99079a25-328f-4bd4-be04-00955acaa0a7} -  No File
Toolbar: HKLM-x32 - No Name - {99079a25-328f-4bd4-be04-00955acaa0a7} -  No File
Toolbar: HKLM-x32 - Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll ()
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
DPF: HKLM-x32 {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: HKLM-x32 {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: HKLM-x32 {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: HKLM-x32 {C32FE9F1-A857-48B0-B7BF-065B5792F28D} http://64.247.253.34/activex/decoder/intel_mpeg4_dec.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {DE625294-70E6-45ED-B895-CFFA13AEB044} http://64.247.253.34/activex/AMC.cab
DPF: HKLM-x32 {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
 
FireFox:
========
FF ProfilePath: C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\u4dgorkt.default
FF Homepage: hxxp://www.searchnu.com/406
FF NetworkProxy: "no_proxies_on", "*.local"
FF NetworkProxy: "type", 0
FF SelectedSearchEngine: Search Results
FF Keyword.URL: hxxp://dts.search-results.com/sr?src=ffb&appid=362&systemid=406&sr=0&q=
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @java.com/DTPlugin,version=10.5.0 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.5.0 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.7.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.7.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 - C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\Michael\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\Michael\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Users\Michael\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Michael\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Michael\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Michael\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF SearchPlugin: C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\u4dgorkt.default\searchplugins\Search_Results.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\Search_Results.xml
FF Extension: No Name - C:\Users\Michael\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
FF Extension: No Name - C:\Users\Michael\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
FF Extension:     <em:name>SOE Web Installer - C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\u4dgorkt.default\Extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}
FF Extension: No Name - C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\u4dgorkt.default\Extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433}
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com/
CHR RestoreOnStartup: "hxxp://www.google.com/", "hxxp://securedsearch2.lavasoft.com/index.php?pr=vmn&id=adawaretb&v=3_1&ent=hp&u=EAEC167D024647A7852E2C51F000835B"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Michael\AppData\Local\Google\Chrome\Application\28.0.1500.72\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Michael\AppData\Local\Google\Chrome\Application\28.0.1500.72\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\Michael\AppData\Local\Google\Chrome\Application\28.0.1500.72\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Microsoft\u00AE Windows Media Player Firefox Plugin) - C:\Program Files (x86)\Mozilla Firefox\plugins\np-mswmp.dll (Microsoft Corporation)
CHR Plugin: (Java Deployment Toolkit 6.0.310.5) - C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll No File
CHR Plugin: (2007 Microsoft Office system) - C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office Live Plug-in for Firefox) - C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll No File
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Unity Player) - C:\Users\Michael\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Plugin: (Google Update) - C:\Users\Michael\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (SOE Web Installer) - C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\u4dgorkt.default\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}\plugins\npsoe.dll No File
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
CHR Extension: (Bejeweled) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\adpkifcfcacgmnggcbpbjbkdijciiigm\2_0
CHR Extension: (Angry Birds) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.5.0.7_0
CHR Extension: (Google Drive) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Google Calendar) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn\4.5.3_0
CHR Extension: (Classic) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkacjpbfdknhflllbcmjibkdeoafencn\1.1_0
CHR Extension: (NPR Infinite Player) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkpcelemhneoooapbbopolpjhmbfmnbf\2.1_0
CHR Extension: (Typing Test - KeyHero) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcieoaeooeidmpaopkpjpjfakidlabm\1.4.0_0
CHR Extension: (Speed Reading Trainer) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\klloefpijaofgelefjimlhdikagaegfe\2.4.23_0
CHR Extension: (Evernote Web) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbfehkoinhhcknnbdgnnmjhiladcgbol\1.0.7_0
CHR Extension: (Google Maps) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh\5.2.7_0
CHR Extension: (Google Play Books) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmimngoggfoobjdlefbcabngfnmieonb\1.1.8_0
CHR Extension: (Online Quiz Maker) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\njoombelnfefhiknamhoahfjidfhihkm\1.0.0.0_0
CHR Extension: (Lavasoft NewTab) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\oejkcgajlodefenbbjdnaiahmbnnoole\0.9_0
CHR Extension: (ClassDojo) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbinoojbbajacmkigmfnkclhgjnglpon\1.1_0
CHR Extension: (Gmail) - C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR HKLM-x32\...\Chrome\Extension: [oejkcgajlodefenbbjdnaiahmbnnoole] - C:\Program Files (x86)\adawaretb\chrome-newtab-search.crx
CHR StartMenuInternet: Google Chrome - "C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe"
 
==================== Services (Whitelisted) =================
 
R2 Ad-Aware Service; C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe [1236336 2013-06-13] (Lavasoft Limited)
R2 AffinegyService; C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe [566688 2011-02-24] (Affinegy, Inc.)
R2 DokanMounter; C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe [14848 2011-01-10] ()
R2 ioloSystemService; C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [1072664 2013-05-29] (iolo technologies, LLC)
S4 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [87040 2011-08-12] ()
R2 SBAMSvc; C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [3677000 2012-09-20] (GFI Software)
 
==================== Drivers (Whitelisted) ====================
 
S3 AndNetDiag; C:\Windows\System32\DRIVERS\lgandnetdiag64.sys [29184 2012-07-03] (LG Electronics Inc.)
S3 AndNetDiag2; C:\Windows\System32\DRIVERS\lgandnetdiag264.sys [29184 2012-07-03] (LG Electronics Inc.)
S3 ANDNetModem; C:\Windows\System32\DRIVERS\lgandnetmodem64.sys [36352 2012-07-03] (LG Electronics Inc.)
R2 Dokan; C:\Windows\system32\drivers\dokan.sys [120408 2011-01-10] (Windows ® Win 7 DDK provider)
R2 Dokan; C:\Windows\system32\drivers\dokan.sys [120408 2011-01-10] (Windows ® Win 7 DDK provider)
R1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [30752 2013-05-29] (EldoS Corporation)
R1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [30752 2013-05-29] (EldoS Corporation)
R3 gfiark; C:\Windows\System32\drivers\gfiark.sys [39504 2013-04-11] (ThreatTrack Security)
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-07-24] (GFI Software)
S3 rspSanity; C:\Windows\System32\DRIVERS\rspSanity64.sys [29752 2011-05-04] (Resplendence Software Projects Sp.)
S3 gdrv; \??\C:\Windows\gdrv.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-07-25 07:36 - 2013-07-25 07:36 - 00000000 ____D C:\FRST
2013-07-25 07:35 - 2013-07-25 07:35 - 01779761 _____ (Farbar) C:\Users\Michael\Downloads\FRST64.exe
2013-07-24 12:42 - 2013-04-11 11:06 - 00039504 _____ (ThreatTrack Security) C:\Windows\system32\Drivers\gfiark.sys
2013-07-24 12:31 - 2013-07-24 12:31 - 00004336 _____ C:\Windows\System32\Tasks\Ad-Aware Antivirus Scheduled Scan
2013-07-24 12:31 - 2013-07-24 12:31 - 00000000 ____D C:\Users\Michael\AppData\Roaming\LavasoftStatistics
2013-07-24 12:30 - 2013-07-24 12:47 - 00000000 ____D C:\ProgramData\Ad-Aware Antivirus
2013-07-24 12:28 - 2013-07-24 12:47 - 00001868 _____ C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2013-07-24 12:28 - 2013-07-24 12:42 - 00000000 ____D C:\Program Files (x86)\Ad-Aware Antivirus
2013-07-24 12:28 - 2013-07-24 12:28 - 00000000 ____D C:\Users\Michael\AppData\Local\adawarebp
2013-07-24 12:28 - 2013-07-24 12:28 - 00000000 ____D C:\ProgramData\Search Protection
2013-07-24 12:28 - 2013-07-24 12:28 - 00000000 ____D C:\ProgramData\Lavasoft
2013-07-24 12:28 - 2013-07-24 12:28 - 00000000 ____D C:\ProgramData\Downloaded Installations
2013-07-24 12:28 - 2013-07-24 12:28 - 00000000 ____D C:\ProgramData\blekko toolbars
2013-07-24 12:27 - 2013-07-24 12:28 - 00000000 ____D C:\ProgramData\Ad-Aware Browsing Protection
2013-07-24 12:27 - 2013-07-24 12:28 - 00000000 ____D C:\Program Files (x86)\adawaretb
2013-07-24 12:27 - 2013-07-24 12:27 - 00000000 ____D C:\Program Files (x86)\Toolbar Cleaner
2013-07-24 12:24 - 2013-07-24 12:32 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Ad-Aware Antivirus
2013-07-24 12:24 - 2013-07-24 12:24 - 05616264 _____ (Lavasoft Limited) C:\Users\Michael\Downloads\Adaware_Installer.exe
2013-07-24 12:24 - 2013-07-24 12:24 - 00014456 _____ (GFI Software) C:\Windows\system32\Drivers\gfibto.sys
2013-07-24 12:24 - 2012-09-20 05:40 - 00047496 _____ (GFI Software) C:\Windows\system32\sbbd.exe
2013-07-24 08:33 - 2013-07-24 08:33 - 00005249 _____ C:\Users\Michael\attach.zip
2013-07-24 08:32 - 2013-07-24 08:32 - 00022551 _____ C:\Users\Michael\attach.txt
2013-07-24 08:32 - 2013-07-24 08:32 - 00017893 _____ C:\Users\Michael\dds.txt
2013-07-24 08:30 - 2013-07-24 08:30 - 00688992 ____R (Swearware) C:\Users\Michael\Downloads\dds.com
2013-07-22 14:08 - 2013-07-22 14:08 - 01097659 _____ C:\Users\Michael\AppData\Local\2433f433
2013-07-22 14:08 - 2013-07-22 14:08 - 01097645 _____ C:\ProgramData\2433f433
2013-07-22 14:08 - 2013-07-22 14:08 - 01097631 _____ C:\Users\Michael\AppData\Roaming\2433f433
2013-07-22 12:15 - 2013-07-24 04:21 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2013-07-15 03:00 - 2013-07-15 03:03 - 00000000 ____D C:\Windows\system32\MRT
2013-07-10 03:07 - 2013-05-29 02:15 - 17829376 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-07-10 03:07 - 2013-05-29 01:50 - 10926080 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-07-10 03:07 - 2013-05-29 01:43 - 02312704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-07-10 03:07 - 2013-05-29 01:36 - 01346560 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-07-10 03:07 - 2013-05-29 01:35 - 01392128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-07-10 03:07 - 2013-05-29 01:34 - 01494528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-07-10 03:07 - 2013-05-29 01:33 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-07-10 03:07 - 2013-05-29 01:31 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-07-10 03:07 - 2013-05-29 01:29 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-07-10 03:07 - 2013-05-29 01:29 - 00599040 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-07-10 03:07 - 2013-05-29 01:29 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-07-10 03:07 - 2013-05-29 01:27 - 02147840 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-07-10 03:07 - 2013-05-29 01:27 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-07-10 03:07 - 2013-05-29 01:25 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-07-10 03:07 - 2013-05-29 01:25 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-07-10 03:07 - 2013-05-29 01:18 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-07-10 03:07 - 2013-05-28 21:56 - 12333568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-10 03:07 - 2013-05-28 21:50 - 01800704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-10 03:07 - 2013-05-28 21:48 - 09738752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-10 03:07 - 2013-05-28 21:41 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-07-10 03:07 - 2013-05-28 21:41 - 01129472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-10 03:07 - 2013-05-28 21:41 - 01104384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-10 03:07 - 2013-05-28 21:40 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-07-10 03:07 - 2013-05-28 21:38 - 00065024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-10 03:07 - 2013-05-28 21:37 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-07-10 03:07 - 2013-05-28 21:36 - 00420864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-07-10 03:07 - 2013-05-28 21:35 - 00717824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-10 03:07 - 2013-05-28 21:35 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-10 03:07 - 2013-05-28 21:33 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-10 03:07 - 2013-05-28 21:33 - 01796096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-10 03:07 - 2013-05-28 21:33 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-07-10 03:07 - 2013-05-28 21:29 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-09 21:12 - 2013-06-04 02:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2013-07-09 21:12 - 2013-06-04 00:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-09 21:12 - 2013-05-06 02:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-07-09 21:12 - 2013-05-06 00:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-09 21:10 - 2013-06-04 23:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-07-09 21:10 - 2013-04-10 01:45 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2013-07-09 21:10 - 2013-04-10 01:02 - 01077760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-06 10:47 - 2013-07-06 10:49 - 00000000 ____D C:\Users\Michael\AppData\Roaming\.technic
2013-07-05 21:32 - 2013-07-05 21:32 - 00001141 _____ C:\Users\Michael\Desktop\World of Tanks.lnk
2013-07-05 20:37 - 2013-07-05 20:37 - 00001577 _____ C:\Users\Michael\Downloads\Aslains_XVM_Mod_WinChance_Enabler.zip
2013-07-05 20:32 - 2013-07-05 20:33 - 08787628 _____ C:\Users\Michael\Downloads\Aslains_XVM_Mod_v.2.8.10_EN_86.zip
2013-07-05 20:17 - 2013-07-05 20:25 - 727351296 _____ C:\Users\Michael\Downloads\VS2010Express1.iso
2013-07-05 08:48 - 2013-07-05 08:48 - 01092607 _____ C:\Users\Michael\Downloads\J1mB0_s_Crosshair_Mod_v1.28.zip
2013-07-05 08:40 - 2013-07-05 08:40 - 00575945 _____ C:\Users\Michael\Downloads\DokanInstall_0.6.0.exe
2013-07-05 08:40 - 2013-07-05 08:40 - 00000000 ____D C:\Program Files (x86)\Dokan
2013-07-03 12:31 - 2013-07-03 12:31 - 00060118 _____ C:\Users\Michael\Downloads\xvm-stat-1.5.0.zip
2013-07-03 09:18 - 2013-07-03 09:18 - 10077175 _____ C:\Users\Michael\Downloads\xvm-4.0.0.zip
2013-07-03 09:09 - 2013-07-03 09:09 - 10231484 _____ C:\Users\Michael\Downloads\J1mB0s Crosshair Mod v1.27.zip
2013-06-26 15:03 - 2013-06-26 15:03 - 00000000 ____D C:\Users\Michael\Documents\DefendersQuest
2013-06-26 15:03 - 2013-06-26 15:03 - 00000000 ____D C:\Users\Michael\AppData\Roaming\DefendersQuest
2013-06-25 18:22 - 2013-06-25 18:23 - 09237816 _____ (Wargaming.net                                               ) C:\Users\Michael\Downloads\WoT_internet_install_na.exe
2013-06-25 15:42 - 2013-06-26 06:45 - 00000386 _____ C:\Windows\system32\ioloBootDefrag.cfg
2013-06-25 15:38 - 2013-06-25 15:38 - 00003148 _____ C:\Windows\System32\Tasks\SidebarExecute
2013-06-25 15:38 - 2013-06-25 15:38 - 00002223 _____ C:\Users\Michael\Desktop\System Mechanic.lnk
2013-06-25 15:38 - 2013-05-29 11:28 - 00057584 _____ (iolo technologies, LLC) C:\Windows\system32\iolobtdfg.exe
2013-06-25 15:38 - 2013-05-29 11:28 - 00026184 _____ (iolo technologies, LLC) C:\Windows\system32\smrgdf.exe
2013-06-25 15:38 - 2013-05-29 11:12 - 02155688 _____ (iolo technologies, LLC) C:\Windows\system32\Incinerator64.dll
2013-06-25 15:38 - 2013-05-29 11:12 - 02097472 _____ (iolo technologies, LLC) C:\Windows\SysWOW64\Incinerator32.dll
2013-06-25 15:38 - 2013-05-29 11:06 - 00082160 _____ (Raxco Software, Inc.) C:\Windows\system32\Drivers\PDFsFilter.sys
2013-06-25 15:38 - 2013-05-29 11:06 - 00069000 _____ (Microsoft Corporation) C:\Windows\system32\offreg.dll
2013-06-25 15:38 - 2013-05-29 11:06 - 00056200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\offreg.dll
2013-06-25 15:36 - 2013-06-25 15:36 - 00000000 ____D C:\iolo
2013-06-25 15:36 - 2013-05-29 11:37 - 31732800 _____ (iolo technologies, LLC                                      ) C:\Users\Michael\Downloads\SystemMechanic.exe
2013-06-25 15:36 - 2013-05-29 11:06 - 00030752 _____ (EldoS Corporation) C:\Windows\system32\Drivers\ElRawDsk.sys
2013-06-25 15:30 - 2013-06-25 17:25 - 00000000 ____D C:\Users\Michael\AppData\Roaming\iolo
2013-06-25 15:30 - 2013-06-25 15:30 - 00459696 _____ C:\Users\Michael\Downloads\sm_dm.exe
2013-06-25 14:38 - 2013-06-27 23:43 - 00000000 ____D C:\ProgramData\iolo
2013-06-25 14:38 - 2013-06-25 15:38 - 00000000 ____D C:\Program Files (x86)\iolo
2013-06-25 14:38 - 2013-06-25 14:38 - 00074703 _____ C:\Windows\SysWOW64\mfc45.dat
2013-06-25 14:37 - 2013-06-25 14:38 - 06653248 _____ C:\Users\Michael\Downloads\SCUDownloader.exe
2013-06-25 10:20 - 2013-06-25 10:21 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-25 10:20 - 2013-06-25 10:21 - 00000000 ____D C:\Program Files\iTunes
2013-06-25 10:20 - 2013-06-25 10:21 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-25 10:20 - 2013-06-25 10:20 - 00000000 ____D C:\Program Files\iPod
 
==================== One Month Modified Files and Folders =======
 
2013-07-25 07:36 - 2013-07-25 07:36 - 00000000 ____D C:\FRST
2013-07-25 07:35 - 2013-07-25 07:35 - 01779761 _____ (Farbar) C:\Users\Michael\Downloads\FRST64.exe
2013-07-25 07:35 - 2012-04-10 08:30 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-25 07:18 - 2012-10-27 19:53 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-25 07:00 - 2010-01-31 16:05 - 00000000 ____D C:\Program Files (x86)\Steam
2013-07-25 06:56 - 2012-01-26 18:08 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2012079609-1611726693-3227257341-1001UA.job
2013-07-25 03:50 - 2010-01-22 12:31 - 01130737 _____ C:\Windows\WindowsUpdate.log
2013-07-25 01:45 - 2009-07-14 00:45 - 00015152 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-25 01:45 - 2009-07-14 00:45 - 00015152 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-24 20:18 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
2013-07-24 19:30 - 2012-10-27 19:53 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-24 18:56 - 2012-01-26 18:08 - 00000864 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2012079609-1611726693-3227257341-1001Core.job
2013-07-24 16:52 - 2011-02-10 23:43 - 00001945 _____ C:\Windows\epplauncher.mif
2013-07-24 12:47 - 2013-07-24 12:30 - 00000000 ____D C:\ProgramData\Ad-Aware Antivirus
2013-07-24 12:47 - 2013-07-24 12:28 - 00001868 _____ C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2013-07-24 12:42 - 2013-07-24 12:28 - 00000000 ____D C:\Program Files (x86)\Ad-Aware Antivirus
2013-07-24 12:35 - 2012-09-10 17:36 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Dropbox
2013-07-24 12:34 - 2012-10-27 19:58 - 00000000 ___SD C:\Users\Michael\Google Drive
2013-07-24 12:33 - 2013-06-24 16:33 - 00004512 _____ C:\Windows\setupact.log
2013-07-24 12:33 - 2012-09-10 17:38 - 00000000 ___RD C:\Users\Michael\Dropbox
2013-07-24 12:33 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-24 12:32 - 2013-07-24 12:24 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Ad-Aware Antivirus
2013-07-24 12:32 - 2010-03-05 23:07 - 00000000 ____D C:\Users\Michael\AppData\Roaming\TS3Client
2013-07-24 12:32 - 2010-01-22 13:16 - 00117440 _____ C:\Windows\PFRO.log
2013-07-24 12:31 - 2013-07-24 12:31 - 00004336 _____ C:\Windows\System32\Tasks\Ad-Aware Antivirus Scheduled Scan
2013-07-24 12:31 - 2013-07-24 12:31 - 00000000 ____D C:\Users\Michael\AppData\Roaming\LavasoftStatistics
2013-07-24 12:28 - 2013-07-24 12:28 - 00000000 ____D C:\Users\Michael\AppData\Local\adawarebp
2013-07-24 12:28 - 2013-07-24 12:28 - 00000000 ____D C:\ProgramData\Search Protection
2013-07-24 12:28 - 2013-07-24 12:28 - 00000000 ____D C:\ProgramData\Lavasoft
2013-07-24 12:28 - 2013-07-24 12:28 - 00000000 ____D C:\ProgramData\Downloaded Installations
2013-07-24 12:28 - 2013-07-24 12:28 - 00000000 ____D C:\ProgramData\blekko toolbars
2013-07-24 12:28 - 2013-07-24 12:27 - 00000000 ____D C:\ProgramData\Ad-Aware Browsing Protection
2013-07-24 12:28 - 2013-07-24 12:27 - 00000000 ____D C:\Program Files (x86)\adawaretb
2013-07-24 12:28 - 2010-03-22 18:52 - 00000000 ____D C:\Users\Michael\Desktop\Games
2013-07-24 12:27 - 2013-07-24 12:27 - 00000000 ____D C:\Program Files (x86)\Toolbar Cleaner
2013-07-24 12:24 - 2013-07-24 12:24 - 05616264 _____ (Lavasoft Limited) C:\Users\Michael\Downloads\Adaware_Installer.exe
2013-07-24 12:24 - 2013-07-24 12:24 - 00014456 _____ (GFI Software) C:\Windows\system32\Drivers\gfibto.sys
2013-07-24 08:39 - 2010-01-28 19:19 - 00000000 ____D C:\Users\Michael
2013-07-24 08:33 - 2013-07-24 08:33 - 00005249 _____ C:\Users\Michael\attach.zip
2013-07-24 08:32 - 2013-07-24 08:32 - 00022551 _____ C:\Users\Michael\attach.txt
2013-07-24 08:32 - 2013-07-24 08:32 - 00017893 _____ C:\Users\Michael\dds.txt
2013-07-24 08:30 - 2013-07-24 08:30 - 00688992 ____R (Swearware) C:\Users\Michael\Downloads\dds.com
2013-07-24 08:29 - 2009-07-14 01:13 - 00792550 _____ C:\Windows\system32\PerfStringBackup.INI
2013-07-24 04:21 - 2013-07-22 12:15 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2013-07-23 06:49 - 2010-02-01 18:08 - 00000000 ____D C:\Users\Michael\Documents\My Games
2013-07-22 14:08 - 2013-07-22 14:08 - 01097659 _____ C:\Users\Michael\AppData\Local\2433f433
2013-07-22 14:08 - 2013-07-22 14:08 - 01097645 _____ C:\ProgramData\2433f433
2013-07-22 14:08 - 2013-07-22 14:08 - 01097631 _____ C:\Users\Michael\AppData\Roaming\2433f433
2013-07-16 13:01 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\zh-HK
2013-07-16 13:01 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\tr-TR
2013-07-16 13:01 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\zh-HK
2013-07-16 13:01 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\tr-TR
2013-07-16 13:01 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-07-16 09:20 - 2013-06-09 23:23 - 00023971 _____ C:\Windows\IE10_main.log
2013-07-15 03:03 - 2013-07-15 03:00 - 00000000 ____D C:\Windows\system32\MRT
2013-07-12 19:13 - 2012-10-27 19:53 - 00003896 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-07-12 19:13 - 2012-10-27 19:53 - 00003644 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-07-11 18:51 - 2012-01-26 18:08 - 00003890 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2012079609-1611726693-3227257341-1001UA
2013-07-11 18:51 - 2012-01-26 18:08 - 00003494 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2012079609-1611726693-3227257341-1001Core
2013-07-11 10:26 - 2013-06-18 07:09 - 00000000 ____D C:\Users\Michael\AppData\Local\Warframe
2013-07-10 17:51 - 2010-01-29 21:22 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Mozilla
2013-07-10 03:49 - 2009-07-14 00:45 - 00447680 _____ C:\Windows\system32\FNTCACHE.DAT
2013-07-10 03:32 - 2009-07-14 03:45 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-10 03:32 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-10 03:32 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-10 03:10 - 2010-01-22 13:09 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-07-10 03:01 - 2012-05-15 16:55 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-07-10 03:01 - 2012-05-15 16:55 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-07-09 21:56 - 2012-08-12 21:59 - 00000000 ____D C:\Users\Michael\AppData\Roaming\.techniclauncher
2013-07-06 14:29 - 2013-05-25 10:20 - 00002916 _____ C:\Users\Michael\Documents\UserPreferences.ini
2013-07-06 10:49 - 2013-07-06 10:47 - 00000000 ____D C:\Users\Michael\AppData\Roaming\.technic
2013-07-05 21:32 - 2013-07-05 21:32 - 00001141 _____ C:\Users\Michael\Desktop\World of Tanks.lnk
2013-07-05 20:37 - 2013-07-05 20:37 - 00001577 _____ C:\Users\Michael\Downloads\Aslains_XVM_Mod_WinChance_Enabler.zip
2013-07-05 20:33 - 2013-07-05 20:32 - 08787628 _____ C:\Users\Michael\Downloads\Aslains_XVM_Mod_v.2.8.10_EN_86.zip
2013-07-05 20:25 - 2013-07-05 20:17 - 727351296 _____ C:\Users\Michael\Downloads\VS2010Express1.iso
2013-07-05 20:15 - 2010-09-28 22:20 - 00000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 10.0
2013-07-05 16:56 - 2013-01-08 00:15 - 00000000 ____D C:\Users\Michael\AppData\Roaming\ftblauncher
2013-07-05 15:34 - 2012-08-04 18:43 - 00000000 ____D C:\Users\Michael\AppData\Roaming\.minecraft
2013-07-05 09:06 - 2010-09-28 22:21 - 00000000 ____D C:\Users\Michael\Documents\Visual Studio 2010
2013-07-05 08:48 - 2013-07-05 08:48 - 01092607 _____ C:\Users\Michael\Downloads\J1mB0_s_Crosshair_Mod_v1.28.zip
2013-07-05 08:40 - 2013-07-05 08:40 - 00575945 _____ C:\Users\Michael\Downloads\DokanInstall_0.6.0.exe
2013-07-05 08:40 - 2013-07-05 08:40 - 00000000 ____D C:\Program Files (x86)\Dokan
2013-07-03 12:31 - 2013-07-03 12:31 - 00060118 _____ C:\Users\Michael\Downloads\xvm-stat-1.5.0.zip
2013-07-03 09:18 - 2013-07-03 09:18 - 10077175 _____ C:\Users\Michael\Downloads\xvm-4.0.0.zip
2013-07-03 09:17 - 2011-09-24 16:42 - 00000000 ____D C:\Program Files (x86)\NCSoft
2013-07-03 09:17 - 2010-01-22 12:32 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-07-03 09:09 - 2013-07-03 09:09 - 10231484 _____ C:\Users\Michael\Downloads\J1mB0s Crosshair Mod v1.27.zip
2013-06-27 23:43 - 2013-06-25 14:38 - 00000000 ____D C:\ProgramData\iolo
2013-06-26 15:03 - 2013-06-26 15:03 - 00000000 ____D C:\Users\Michael\Documents\DefendersQuest
2013-06-26 15:03 - 2013-06-26 15:03 - 00000000 ____D C:\Users\Michael\AppData\Roaming\DefendersQuest
2013-06-26 15:01 - 2010-01-31 16:11 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2013-06-26 06:45 - 2013-06-25 15:42 - 00000386 _____ C:\Windows\system32\ioloBootDefrag.cfg
2013-06-25 18:23 - 2013-06-25 18:22 - 09237816 _____ (Wargaming.net                                               ) C:\Users\Michael\Downloads\WoT_internet_install_na.exe
2013-06-25 18:23 - 2010-01-29 15:26 - 00000000 ____D C:\Windows\SysWOW64\directx
2013-06-25 17:25 - 2013-06-25 15:30 - 00000000 ____D C:\Users\Michael\AppData\Roaming\iolo
2013-06-25 16:19 - 2011-12-08 20:11 - 00000000 ____D C:\Program Files (x86)\WinRAR
2013-06-25 16:19 - 2010-09-29 22:10 - 00000000 ____D C:\Users\Michael\Documents\Teaching
2013-06-25 16:19 - 2010-09-13 23:03 - 00000000 ____D C:\Users\Michael\Tracing
2013-06-25 16:19 - 2010-01-28 22:39 - 00000000 ____D C:\Users\Michael\AppData\Local\Turbine
2013-06-25 16:19 - 2010-01-22 12:39 - 00000000 ____D C:\ProgramData\NVIDIA
2013-06-25 16:19 - 2009-07-14 01:32 - 00000000 ____D C:\Windows\Offline Web Pages
2013-06-25 16:17 - 2010-09-13 23:39 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-06-25 15:38 - 2013-06-25 15:38 - 00003148 _____ C:\Windows\System32\Tasks\SidebarExecute
2013-06-25 15:38 - 2013-06-25 15:38 - 00002223 _____ C:\Users\Michael\Desktop\System Mechanic.lnk
2013-06-25 15:38 - 2013-06-25 14:38 - 00000000 ____D C:\Program Files (x86)\iolo
2013-06-25 15:36 - 2013-06-25 15:36 - 00000000 ____D C:\iolo
2013-06-25 15:30 - 2013-06-25 15:30 - 00459696 _____ C:\Users\Michael\Downloads\sm_dm.exe
2013-06-25 14:38 - 2013-06-25 14:38 - 00074703 _____ C:\Windows\SysWOW64\mfc45.dat
2013-06-25 14:38 - 2013-06-25 14:37 - 06653248 _____ C:\Users\Michael\Downloads\SCUDownloader.exe
2013-06-25 10:21 - 2013-06-25 10:20 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-25 10:21 - 2013-06-25 10:20 - 00000000 ____D C:\Program Files\iTunes
2013-06-25 10:21 - 2013-06-25 10:20 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-25 10:21 - 2012-09-18 09:16 - 00001783 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-06-25 10:20 - 2013-06-25 10:20 - 00000000 ____D C:\Program Files\iPod
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2012079609-1611726693-3227257341-1001\$5ee97928ecba285243c6c6ad0a5da5ea
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$5ee97928ecba285243c6c6ad0a5da5ea
 
Files to move or delete:
====================
C:\ProgramData\hash.dat
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-07-24 20:09
 
==================== End Of Log ============================

Edited by Mike_D_76, 25 July 2013 - 06:41 AM.
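The FRST output above is what the helper reads by hand. As an added example (not part of this thread and not FRST's own code), here is a small Python triage script that parses the same line formats and flags the three things this log calls out: hex-named files mirrored across AppData and ProgramData, "$"-folders inside the recycle bins, and any system binary whose check does not come back "MD5 is legit". The line formats are inferred from the log posted here, the rule names are my own, and the sample lines are constructed (the "does not match" verdict is a placeholder, not FRST's wording).

```python
import re
from collections import defaultdict

# FRST "One Month Modified" entry: "<modified> - <created> - <size> <attrs> [(<company>)] <path>"
FRST_ENTRY = re.compile(
    r"^(?P<mod>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<cre>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
# "<path> => <verdict>" line from the Bamital & volsnap check section
MD5_CHECK = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")
# Extension-less file whose name is 8 hex digits, dropped in a per-user or shared data directory
HEX_DROP = re.compile(r"\\(AppData\\(?:Local|Roaming)|ProgramData)\\(?P<name>[0-9a-f]{8})$", re.I)
# "$<32 hex>" folder inside an account's recycle bin (the ZeroAccess pattern FRST reported above)
RECYCLE_HIDE = re.compile(
    r"^[A-Za-z]:\\\$Recycle\.Bin\\(?P<sid>S-1-5-[\d-]+)\\\$[0-9a-f]{32}$", re.I
)

def triage(lines):
    """Return (rule, detail) findings for a list of FRST log lines."""
    findings = []
    hex_seen = defaultdict(list)  # basename -> [(path, size)] for hex-named drops
    for raw in lines:
        line = raw.strip()
        check = MD5_CHECK.match(line)
        if check:
            # FRST prints "MD5 is legit" for a known-good hash; anything else deserves a look
            if check["verdict"] != "MD5 is legit":
                findings.append(("system binary MD5 not legit", check["path"]))
            continue
        entry = FRST_ENTRY.match(line)
        # The ZeroAccess lines are bare paths, so fall back to the whole line as the path
        path = entry["path"] if entry else line
        hidden = RECYCLE_HIDE.match(path)
        if hidden:
            findings.append(("hidden $-folder in recycle bin of " + hidden["sid"], path))
        drop = HEX_DROP.search(path)
        if drop and entry:
            hex_seen[drop["name"].lower()].append((path, int(entry["size"])))
    # The same hex name in Local, Roaming and ProgramData at once is the drop pattern seen above
    for name, hits in hex_seen.items():
        if len(hits) >= 2:
            findings.append(("hex-named drop mirrored across data dirs", f"{name} x{len(hits)}"))
    return findings

SAMPLE_LOG = [  # constructed sample modelled on the FRST output in this thread
    r"2013-07-24 12:24 - 2013-07-24 12:24 - 05616264 _____ (Lavasoft Limited) C:\Users\Michael\Downloads\Adaware_Installer.exe",
    r"2013-07-22 14:08 - 2013-07-22 14:08 - 01097659 _____ C:\Users\Michael\AppData\Local\2433f433",
    r"2013-07-22 14:08 - 2013-07-22 14:08 - 01097645 _____ C:\ProgramData\2433f433",
    r"2013-07-22 14:08 - 2013-07-22 14:08 - 01097631 _____ C:\Users\Michael\AppData\Roaming\2433f433",
    r"2013-07-11 18:51 - 2012-01-26 18:08 - 00003890 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2012079609-1611726693-3227257341-1001UA",
    r"C:\$Recycle.Bin\S-1-5-21-2012079609-1611726693-3227257341-1001\$5ee97928ecba285243c6c6ad0a5da5ea",
    r"C:\$Recycle.Bin\S-1-5-18\$5ee97928ecba285243c6c6ad0a5da5ea",
    r"C:\Windows\System32\winlogon.exe => MD5 is legit",
    r"C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit",
    # constructed: the verdict wording here is a placeholder, not FRST's actual output
    r"C:\Windows\SysWOW64\userinit.exe => MD5 does not match",
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```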


#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:59 PM

Posted 25 July 2013 - 09:01 PM

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

HKCU\...\Winlogon: [Shell] Explorer.exe <==== ATTENTION
HKCU\...\Command Processor:  <======= ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
AppInit_DLLs:    [0 ] ()
AppInit_DLLs-x32:    [0 ] ()
BHO-x32: No Name - {99079a25-328f-4bd4-be04-00955acaa0a7} -  No File
Toolbar: HKLM-x32 - No Name - {99079a25-328f-4bd4-be04-00955acaa0a7} -  No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
FF Homepage: hxxp://www.searchnu.com/406
C:\Users\Michael\AppData\Local\2433f433
C:\Users\Michael\AppData\Roaming\2433f433
C:\$Recycle.Bin\S-1-5-21-2012079609-1611726693-3227257341-1001\$5ee97928ecba285243c6c6ad0a5da5ea
C:\$Recycle.Bin\S-1-5-18\$5ee97928ecba285243c6c6ad0a5da5ea
C:\ProgramData\hash.dat
 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 Mike_D_76

Mike_D_76
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:59 PM

Posted 27 July 2013 - 07:03 PM

Sorry for the lack of a response.  I was out of town for a couple of days.  Will run the report tomorrow.



#10 Mike_D_76

Mike_D_76
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:59 PM

Posted 29 July 2013 - 08:37 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-07-2013
Ran by Michael at 2013-07-29 09:36:55 Run:1
Running from E:\
Boot Mode: Normal
==============================================
 
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKCU\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs => Value was restored successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{99079a25-328f-4bd4-be04-00955acaa0a7} => Value deleted successfully.
HKCR\Wow6432Node\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Value deleted successfully.
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Key not found.
Firefox homepage deleted successfully.
C:\Users\Michael\AppData\Local\2433f433 => Moved successfully.
C:\Users\Michael\AppData\Roaming\2433f433 => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-2012079609-1611726693-3227257341-1001\$5ee97928ecba285243c6c6ad0a5da5ea => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$5ee97928ecba285243c6c6ad0a5da5ea => Moved successfully.
C:\ProgramData\hash.dat => Moved successfully.
 
==== End of Fixlog ====


#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:59 PM

Posted 29 July 2013 - 08:03 PM

Will the machine boot now successfully?



#12 Mike_D_76

Mike_D_76
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:59 PM

Posted 29 July 2013 - 09:54 PM

Yes. As I stated I was able to boot it after running Kaspersky WindowsUnlocker.

 

My main concern was that it is completely sterilized.  I picked up AdAware Antivirus and have used that to make scans.

 

Thank you very much for your help.



#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:59 PM

Posted 30 July 2013 - 05:17 PM

Ad-Aware Antivirus is not that good of an antivirus.

Here are a couple of good free ones. We also need to do some final checking for any leftovers of the infection.

1.
  • Please download and install an antivirus program, and make sure that you keep it updated.
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Three good antivirus programs free for non-commercial home use are:
    Note: You should only have one antivirus installed at a time! Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
2.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
    Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

    -- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

3.
Download AdwCleaner
  • Double click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users: right click on adwCleaner.exe and select Run as administrator.
  • Click the Delete button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[R1].txt.



#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:59 PM

Posted 01 August 2013 - 09:59 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it




#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:59 PM

Posted 12 August 2013 - 04:02 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





