
Accidentally installed Delta Toolbar, looking for confirmation that it's gone


  • This topic is locked
18 replies to this topic

#1 Sophira

Sophira

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:43 AM

Posted 06 August 2013 - 09:35 AM

Hi,

 

I accidentally installed Delta Toolbar while installing another app. I'm fairly good at malware removal, but it can't hurt to have more eyes looking at this. The DDS log for the current state of affairs follows (and the Attach.txt file is zipped and attached), but this is after I've already taken quite a few steps to get rid of it, which I believe fixed it apart from a few stray config entries. Please see after the log for a complete list of everything I've already done.

 

Current DDS Log follows:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.21.2
Run by Sophie at 14:48:12 on 2013-08-06
Microsoft Windows 7 Professional   6.1.7601.1.1252.44.1033.18.8182.5762 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\cygwin\bin\cygrunsrv.exe
C:\cygwin\usr\sbin\cygserver.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files\Classic Shell\ClassicStartMenu.exe
C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\PowerMenu\PowerMenu.exe
C:\Program Files (x86)\Vidalia Bundle\Polipo\polipo.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\cygwin\bin\mintty.exe
C:\cygwin\bin\bash.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
mWinlogon: Userinit = userinit.exe,
BHO: ExplorerBHO Class: {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: Classic Explorer Bar: {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
uRun: [Vidalia] "C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Sophie\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DEFAUL~1.LNK - C:\autohotkey\default.ahk
StartupFolder: C:\Users\Sophie\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe
StartupFolder: C:\Users\Sophie\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\POWERM~1.LNK - C:\Program Files (x86)\PowerMenu\PowerMenu.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{3FE2D78E-478A-475E-9E3A-5F5DFBA97A8E} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{3FE2D78E-478A-475E-9E3A-5F5DFBA97A8E}\0756E64716 : DHCPNameServer = 62.140.195.84 62.140.218.148 8.8.8.8
TCP: Interfaces\{3FE2D78E-478A-475E-9E3A-5F5DFBA97A8E}\34275716368616E6 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{3FE2D78E-478A-475E-9E3A-5F5DFBA97A8E}\35B4D4D27455543545 : DHCPNameServer = 172.16.23.11 172.20.151.12 172.20.151.1
TCP: Interfaces\{3FE2D78E-478A-475E-9E3A-5F5DFBA97A8E}\36F627579637B6 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{3FE2D78E-478A-475E-9E3A-5F5DFBA97A8E}\B4964627F6E6 : DHCPNameServer = 194.74.65.69 213.120.234.70
TCP: Interfaces\{3FE2D78E-478A-475E-9E3A-5F5DFBA97A8E}\B6964627F6E6 : DHCPNameServer = 194.72.9.38 213.120.234.38
TCP: Interfaces\{5F84F680-D6B6-4009-9BCA-135C693D8BC3} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{6AB55774-2D52-435A-978C-AE74E6DACF86} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{6AB55774-2D52-435A-978C-AE74E6DACF86}\34275716368616E6 : DHCPNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: ExplorerBHO Class: {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer64.dll
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-TB: Classic Explorer Bar: {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll
x64-Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
x64-Run: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor
x64-Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized
x64-Run: [Classic Start Menu] "C:\Program Files\Classic Shell\ClassicStartMenu.exe" -startup
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\36wpv6m3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\OnLive\Plugin\npolgdet.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
FF - ExtSQL: 2013-06-07 15:50; superstop@gavinsharp.com; C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\36wpv6m3.default\extensions\superstop@gavinsharp.com.xpi
FF - ExtSQL: 2013-06-08 14:47; jid1-tHrhDJXsKvsiCw@jetpack; C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\36wpv6m3.default\extensions\jid1-tHrhDJXsKvsiCw@jetpack.xpi
FF - ExtSQL: 2013-07-28 17:16; {f69e22c7-bc50-414a-9269-0f5c344cd94c}; C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\36wpv6m3.default\extensions\{f69e22c7-bc50-414a-9269-0f5c344cd94c}
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - d4244d4f000000000000b803059f3806
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15923
FF - user.js: extensions.delta.vrsn - 1.8.22.0
FF - user.js: extensions.delta.vrsni - 1.8.22.0
FF - user.js: extensions.delta.vrsnTs - 1.8.22.011:43:23
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.ffxUnstlRst - true
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta_i.babTrack - affID=122471&tsp=4966
FF - user.js: extensions.delta_i.babExt -
FF - user.js: extensions.delta_i.srcExt - ss
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2012-7-25 984144]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2012-7-25 370288]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-9-28 239616]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2012-7-25 25232]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2012-7-25 71600]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-11-30 44808]
R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2011-3-30 923984]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2011-3-30 1001808]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-8-3 13592]
R2 IntelHaxm;Intel HAXM Service;C:\Windows\System32\drivers\IntelHaxm.sys [2012-10-18 85008]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-7-25 1153368]
R2 VmbService;Vodafone Mobile Broadband Service;C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2011-12-14 8704]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-14 96896]
R3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2011-3-30 1321296]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2013-6-28 103064]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);C:\Windows\System32\drivers\vrtaucbl.sys [2012-7-26 66728]
R3 ksaud;Creative USB Audio Driver;C:\Windows\System32\drivers\ksaud.sys [2011-7-6 1148288]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\System32\drivers\L1C62x64.sys [2009-6-10 57344]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2009-11-24 22408]
R3 LGSHidFilt;Logitech Gaming KMDF HID Filter Driver;C:\Windows\System32\drivers\LGSHidFilt.Sys [2012-10-2 66360]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2009-11-24 16008]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2013-6-28 203672]
R3 teVirtualMIDI64;teVirtualMIDI - Virtual MIDI Driver x64;C:\Windows\System32\drivers\teVirtualMIDI64.sys [2012-8-15 30208]
R3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;C:\Windows\System32\drivers\vodafone_K3805-z_dc_enum.sys [2010-9-1 75776]
R3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);C:\Windows\System32\drivers\ymidusbx64.sys [2011-11-1 51016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\Windows\System32\drivers\ssadadb.sys [2013-6-28 38080]
S3 btmaudio;Intel Bluetooth Audio Service;C:\Windows\System32\drivers\btmaud.sys [2011-3-8 46592]
S3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2011-3-8 51712]
S3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2011-3-8 274944]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2012-7-25 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2012-7-25 79360]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 enecir;ENE CIR Receiver;C:\Windows\System32\drivers\enecir.sys [2012-9-26 36864]
S3 iBtFltCoex;iBtFltCoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2011-3-22 59904]
S3 RTL2832U_IRHID;TERRATEC T-Stick Plus HID service;C:\Windows\System32\drivers\RTL2832U_IRHID.sys [2009-10-5 45056]
S3 RTL2832UBDA;TERRATEC T-Stick PLUS BDA service;C:\Windows\System32\drivers\RTL2832UBDA.sys [2010-7-1 225152]
S3 RTL2832UUSB;TERRATEC T-Stick PLUS USB service;C:\Windows\System32\drivers\RTL2832UUSB.sys [2010-7-1 39680]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\Windows\System32\drivers\wg111v2.sys [2007-12-26 340992]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\System32\drivers\ssadbus.sys [2013-6-28 169288]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\System32\drivers\ssadmdfl.sys [2013-6-28 21320]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\System32\drivers\ssadmdm.sys [2013-6-28 188232]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);C:\Windows\System32\drivers\ssadserd.sys [2013-6-28 158024]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 VBoxUSB;VirtualBox USB;C:\Windows\System32\drivers\VBoxUSB.sys [2013-4-12 106256]
S3 vodafone_zte_cdc_acm;Vodafone Vodafone ZTE CDC-ACM driver (ZTE);C:\Windows\System32\drivers\vodafone_zte_cdc_acm.sys [2011-5-20 79872]
S3 vodafone_zte_cdc_ecm;vodafone_zte_cdc_ecm;C:\Windows\System32\drivers\vodafone_zte_cdc_ecm.sys [2011-5-20 58880]
S3 vodafone_zte_cpo;Vodafone Vodafone ZTE Install;C:\Windows\System32\drivers\vodafone_zte_cpo.sys [2011-5-20 14336]
S3 vodafone_zte_ecm_enum;Vodafone Vodafone ZTE DC Enumerator (ZTE);C:\Windows\System32\drivers\vodafone_zte_ecm_enum.sys [2011-5-20 56320]
S3 vodafone_zte_ecm_enum_filter;vodafone_zte_ecm_enum_filter;C:\Windows\System32\drivers\vodafone_zte_ecm_enum_filter.sys [2011-5-20 56320]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-14 25088]
S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\notepad++.exe="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2013-08-06 13:22:04    --------    d-----w-    C:\Users\Sophie\AppData\Roaming\Malwarebytes
2013-08-06 11:04:32    --------    d-----w-    C:\hjt
2013-08-01 19:15:27    --------    d-----w-    C:\Users\Sophie\Gpredict
2013-08-01 19:15:08    --------    d-----w-    C:\GPredict
2013-08-01 08:55:16    --------    d-----w-    C:\Program Files (x86)\PowerMenu
2013-07-28 16:53:15    9460976    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FE64E2F7-284B-4311-88A9-7D7261239E4F}\mpengine.dll
2013-07-28 16:46:52    2048    ----a-w-    C:\Windows\SysWow64\tzres.dll
2013-07-28 16:46:52    2048    ----a-w-    C:\Windows\System32\tzres.dll
2013-07-28 16:46:29    41472    ----a-w-    C:\Windows\System32\drivers\rndismpx.sys
2013-07-28 16:46:29    19968    ----a-w-    C:\Windows\System32\drivers\usb8023x.sys
2013-07-28 16:46:29    19968    ----a-w-    C:\Windows\System32\drivers\usb8023.sys
2013-07-28 14:35:40    --------    d-----w-    C:\cdex-rips
2013-07-28 11:37:14    --------    d-----w-    C:\Program Files (x86)\Duty Calls
2013-07-26 22:01:59    --------    d-----w-    C:\Users\Sophie\AppData\Roaming\ClassicShell
2013-07-26 22:01:33    --------    d-----w-    C:\Program Files\Classic Shell
2013-07-24 11:57:00    --------    d-----w-    C:\Program Files (x86)\Munt
2013-07-21 12:02:04    --------    d-----w-    C:\Users\Sophie\AppData\Local\Almalence
2013-07-21 12:01:00    --------    d-----w-    C:\Program Files\PhotoAcute3
2013-07-21 09:09:18    275456    ----a-w-    C:\Windows\System32\StartMenuHelper64.dll
2013-07-21 09:08:52    226304    ----a-w-    C:\Windows\SysWow64\StartMenuHelper32.dll
2013-07-21 00:07:31    --------    d-----w-    C:\Users\Sophie\AppData\Roaming\SynthFont
2013-07-21 00:07:23    --------    d-----w-    C:\Program Files (x86)\Viena
2013-07-20 10:02:50    --------    d-----w-    C:\Program Files (x86)\Blink
2013-07-14 23:13:46    --------    d-----w-    C:\webcam-bed-backup
2013-07-13 17:38:39    --------    d-----w-    C:\trans
2013-07-12 22:12:58    --------    d-----w-    C:\Windows\SysWow64\VirtualMIDISynth
2013-07-12 20:09:47    --------    d-----w-    C:\Windows\System32\VirtualMIDISynth
.
==================== Find3M  ====================
.
2013-07-22 09:46:53    18960    ----a-w-    C:\Windows\System32\drivers\LNonPnP.sys
2013-07-15 18:15:48    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-15 18:15:48    692104    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-06-27 23:47:54    301568    ----a-w-    C:\Windows\SysWow64\LiveWrapRTSP.dll
2013-05-09 15:58:53    178800    ----a-w-    C:\Windows\SysWow64\CmdLineExt_x64.dll
.
============= FINISH: 14:48:25.98 ===============
 

Here are the steps I took:

  1. I did not continue installation of the original (non-malware) app, cancelling it instead.
  2. The Delta installer, of course, was running invisibly in the background, and had closed Firefox and was attempting to re-open it. I had Firefox set up to choose between multiple profiles, however, so I was able to cancel that and close Firefox without any further interaction there; the toolbars it had installed in Firefox never once got the chance to load.
  3. I attempted to kill the processes the installer had spawned, which included an installer for Browser Defender. I believe I managed to kill one, but the other one just kept restarting after killing it.
  4. (edited in as I forgot this when I posted this at first) I ran the uninstaller for Browser Defender and Delta from the Programs & Features Control Panel applet.
  5. I immediately ran Spybot Search & Destroy, updated its databases (which were only a few days out of date anyway), then ran it. It detected various items for Delta and Browser Defender, along with some entries for Babylon Toolbar which I had missed. Spybot fixed the items it could for me, and asked me to reboot so it could fix the rest. I did so and waited the 30 minutes or so it took to complete the scan, then fixed the one item it actually managed to find that hadn't already been fixed, the "C:\Program Files (x86)\Delta\" directory. (I assume the directory was empty, since there were no additional detections inside that directory.)
  6. I ran HijackThis v2.0.4 and looked over the log file. I saw only one item which was amiss - the Start Page for IE was set to the Delta site. I fixed it using HJT, and then manually edited it in the Registry to Google UK's site.
  7. I then ran Malwarebytes' Quick Scan after updating its databases, which found only one item in the Temporary Internet Files called pack[1].7z, which was apparently the installer for Browser Defender. Malwarebytes fixed this for me.
  8. I ran Firefox with the --safe-mode switch to prevent addons/plugins from running and verified that I knew of all the extensions and plugins listed in the Addon Manager. Delta/Browser Defender/Babylon were not listed anywhere in either of the two profiles I checked (of which I have quite a few). I then re-ran Firefox in its normal mode in my normal profile, and there seems to be nothing amiss.
  9. Finally, I ran DDS, the log of which is posted above. I haven't taken any action based on this yet. The only items I can see that are amiss are the entries in Firefox Policies, which I assume I would just be able to delete in about:config. However, I wanted to be sure I wasn't missing anything first!

I am happy to rerun any of these programs and supply the appropriate logs if needed. Note that MagicDisc is a CD emulation program and I didn't disable it before doing any of this. I will gladly disable it if needed. (It does not have any anti-copy protection code as far as I know, unlike other popular CD emulator programs.)

 

Thank you!

 

 - Sophie.



Edited by Sophira, 06 August 2013 - 09:41 AM.
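The `FF - user.js: extensions.delta.*` lines in the DDS log above are the toolbar's preferences persisted in the Firefox profile's user.js. One point worth knowing here: Firefox re-reads user.js at every startup and writes its values over prefs.js, so a preference deleted in about:config comes back on the next launch until the line is removed from the file itself. The script below is an added example, not part of the original post and not code from DDS, Spybot or any other tool named in this thread. It parses user.js lines in their `user_pref("name", value);` form, reports the preferences under the `extensions.delta.` and `extensions.delta_i.` prefixes that appear in the log, and produces a copy of the file with those lines removed while leaving every other line intact. The sample user.js text is constructed from the entries in the log plus two legitimate preferences that must survive; the prefix list is the only knowledge of the toolbar the script has.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample user.js, modelled on the extensions.delta.* entries in the
# DDS log above plus two legitimate preferences that must be preserved.
SAMPLE_USER_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("extensions.delta.id", "d4244d4f000000000000b803059f3806");
user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
user_pref("extensions.delta.instlDay", 15923);
user_pref("extensions.delta.excTlbr", false);
user_pref("extensions.delta_i.babTrack", "affID=122471&tsp=4966");
user_pref("network.proxy.type", 0);
'''

# Preference-name prefixes taken from the log in this thread. Extend the tuple
# for other leftovers you have positively identified; nothing else is removed.
SUSPECT_PREFIXES = ("extensions.delta.", "extensions.delta_i.")

# One user_pref line: name in group 1, raw value (string, number or bool) in group 2.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_user_js(text: str) -> List[Tuple[str, str]]:
    """Return (name, raw_value) for every user_pref line; comments and blanks are skipped."""
    prefs = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs.append((m.group(1), m.group(2)))
    return prefs


def find_suspect_prefs(text: str, prefixes=SUSPECT_PREFIXES) -> List[Tuple[str, str]]:
    """Preferences whose name starts with one of the suspect prefixes."""
    return [(name, value) for name, value in parse_user_js(text)
            if name.startswith(prefixes)]


def strip_suspect_prefs(text: str, prefixes=SUSPECT_PREFIXES) -> str:
    """Return the user.js text with matching user_pref lines dropped, all else untouched."""
    kept = []
    for line in text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        if m and m.group(1).startswith(prefixes):
            continue
        kept.append(line)
    return "".join(kept)


def main(argv: List[str]) -> int:
    # With a path argument the real profile file is read; otherwise the sample is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_USER_JS
    suspects = find_suspect_prefs(text)
    for name, value in suspects:
        print(f"suspect: {name} = {value}")
    print(f"{len(suspects)} suspect preference(s) of {len(parse_user_js(text))} total")
    if len(argv) > 2:
        # Write the cleaned copy to a second path rather than overwriting in place.
        with open(argv[2], "w", encoding="utf-8") as fh:
            fh.write(strip_suspect_prefs(text))
        print(f"cleaned copy written to {argv[2]}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the report on the constructed sample, or as `python script.py user.js user.js.clean` against a copy of the profile's user.js with Firefox closed. It writes to a separate output path on purpose so the original can be compared and restored.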



#2 Sophira

Sophira
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:43 AM

Posted 06 August 2013 - 09:44 AM

Forgot to mention when I posted originally that I had attempted to remove BD and Delta via the Programs & Features Control Panel applet, so I edited the post to include that after step 3.

 

Also of note: At some point before rebooting for Spybot, a dialog appeared asking if I wanted to reset Chrome back to normal. Unfortunately I was in the process of hitting Escape at the time and accidentally pressed it on this dialog instead of what I was attempting to do. Thus, it's quite possible that Chrome's settings may still be messed up. I have not started Chrome since then. (My usual browser is Firefox anyway.) I'd like to find a way to fix these settings if needed without starting Chrome, in case it uses some sort of exploit to reinstall itself.



#3 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,309 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:43 AM

Posted 07 August 2013 - 04:33 AM

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.


STEP 1

Please download a new version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

STEP 2



Download the adwCleaner

  • Run the tool.
    Windows Vista and Windows 7 users:
    Right-click adwCleaner.exe and select the option "Run as administrator".
  • Select the Delete button.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically.
  • A text file will open after the restart. Please post the content of that log file in your reply.


STEP 3



Please download Junkware Removal Tool to your desktop.


  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Regards,
Georgi

 



#4 Sophira

Sophira
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:43 AM

Posted 07 August 2013 - 05:49 AM

Hi Georgi! Thanks for helping. :)

 

I did as you asked and the logs are below (with Addition.txt attached as requested). AdwCleaner picked up quite a few things that were missed! I also noticed some problems:

  1. After running JRT, I noticed that Classic Shell was no longer replacing my Start menu. I assume this is because Explorer.exe was killed and restarted during the process?
  2. I noticed that the log files for AdwCleaner and JRT say that between them they deleted everything in the "jetpack" folder of my Firefox profiles. I'm curious why, since these would be how Firefox extensions that use the new API store their settings? I've lost all the settings in RES (Reddit Enhancement Suite) because of that, for example. (I know this isn't your fault, I'm just curious as to why they do that.)
  3. According to JRT's logs, it removed the "RequestPolicy" Firefox extension from one of my Firefox profiles. Is this malware? (As it turns out, I didn't end up using it after I installed it anyway, but it still concerns me.)

Log files follow:

 

FRST:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-08-2013
Ran by Sophie (administrator) on 07-08-2013 10:52:41
Running from C:\Users\Sophie\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\system32\atiesrxx.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(AMD) C:\Windows\system32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
() C:\cygwin\bin\cygrunsrv.exe
() C:\cygwin\usr\sbin\cygserver.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(Vodafone) C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
() C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe
() C:\Program Files\AutoHotkey\AutoHotkey.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(MagicISO, Inc.) C:\Program Files (x86)\MagicDisc\MagicDisc.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Thong Nguyen) C:\Program Files (x86)\PowerMenu\PowerMenu.exe
() C:\Program Files (x86)\Vidalia Bundle\Polipo\polipo.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Andy Koppe) C:\cygwin\bin\mintty.exe
() C:\cygwin\bin\bash.exe
() C:\cygwin\bin\screen.exe
() C:\cygwin\bin\screen.exe
() C:\cygwin\bin\bash.exe
() C:\cygwin\bin\bash.exe
() C:\cygwin\bin\ssh.exe
(Un4seen Developments) C:\XMPlay\xmplay.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [BTMTrayAgent] - C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll [10372368 2011-03-30] (Intel Corporation)
HKLM\...\Run: [Creative SB Monitoring Utility] - C:\Windows\System32\sbavmon.dll [109056 2009-12-16] (Creative Technology Ltd.)
HKLM\...\Run: [Launch LCore] - C:\Program Files\Logitech Gaming Software\LCore.exe [7406392 2012-11-29] (Logitech Inc.)
HKLM\...\Run: [Classic Start Menu] - C:\Program Files\Classic Shell\ClassicStartMenu.exe [156640 2013-07-21] (IvoSoft)
HKCU\...\Run: [Vidalia] - C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe [6172985 2012-07-28] ()
HKCU\...\Policies\system: [LogonHoursAction] 2
HKCU\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
MountPoints2: {392472ba-7466-11e2-b08f-1c75082fee6a} - H:\setup_vmb_lite.exe /checkApplicationPresence
MountPoints2: {39247899-7466-11e2-b08f-1c75082fee6a} - H:\HTC_Sync_Manager_PC.exe
MountPoints2: {392478c5-7466-11e2-b08f-1c75082fee6a} - H:\HTC_Sync_Manager_PC.exe
MountPoints2: {3edc9758-6fa9-11e2-8be6-1c75082fee6a} - H:\setup_vmb_lite.exe /checkApplicationPresence
MountPoints2: {9c158ea5-6992-11e2-af0c-1c75082fee6a} - I:\AUTORUN.EXE
HKLM-x32\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4297136 2012-10-30] (AVAST Software)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-10-17] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642728 2012-09-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKU\96 DPI\...\Run: [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Default\...\Run: [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Default User\...\Run: [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
Startup: C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Default AutoHotKey Script.lnk
ShortcutTarget: Default AutoHotKey Script.lnk -> C:\autohotkey\default.ahk ()
Startup: C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
Startup: C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerMenu.lnk
ShortcutTarget: PowerMenu.lnk -> C:\Program Files (x86)\PowerMenu\PowerMenu.exe (Thong Nguyen)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: ExplorerBHO Class - {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: ExplorerBHO Class - {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
Toolbar: HKLM-x32 - avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Path=Profiles\vp8qo250.Firefox OS Simulator
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @java.com/DTPlugin,version=1.6.0_37 - C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/JavaPlugin,version=10.21.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @onlive.com/OnLiveGameClientDetector,version=1.0.0 - C:\Program Files (x86)\OnLive\Plugin\npolgdet.dll (OnLive)
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\ffxtlbr@babylon.com
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! WebRep - C:\Program Files\AVAST Software\Avast\WebRep\FF

Chrome:
=======
CHR Extension: (Google Drive) - C:\Users\Sophie\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\Sophie\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0
CHR Extension: (Google Search) - C:\Users\Sophie\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0
CHR Extension: (avast! WebRep) - C:\Users\Sophie\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1474_0
CHR Extension: (Gmail) - C:\Users\Sophie\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM-x32\...\Chrome\Extension: [icmlaeflemplmjndnaapfdbbnpncnbda] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx
CHR StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) =================

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [44808 2012-10-30] (AVAST Software)
R2 cygserver; C:\cygwin\bin\cygrunsrv.exe [129550 2012-04-25] ()
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2010-06-25] (CACE Technologies, Inc.)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

==================== Drivers (Whitelisted) ====================

R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-10-30] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [71600 2012-10-30] (AVAST Software)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [54072 2012-10-15] (AVAST Software)
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [984144 2012-10-30] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [370288 2012-10-30] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-10-30] (AVAST Software)
R2 IntelHaxm; C:\Windows\System32\DRIVERS\IntelHaxm.sys [85008 2012-05-22] ()
R3 ksaud; C:\Windows\System32\drivers\ksaud.sys [1148288 2011-07-06] (Creative Technology Ltd.)
R3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [66360 2012-10-02] (Logitech Inc.)
R3 NETwNs64; C:\Windows\System32\DRIVERS\Netwsw00.sys [11471872 2012-07-25] (Intel Corporation)
S3 NPF; C:\Windows\System32\drivers\npf.sys [35344 2010-06-25] (CACE Technologies, Inc.)
S3 RTL8187; C:\Windows\System32\DRIVERS\wg111v2.sys [340992 2007-12-26] (NETGEAR Inc.)
R3 teVirtualMIDI64; C:\Windows\System32\DRIVERS\teVirtualMIDI64.sys [30208 2012-08-15] (Tobias Erichsen)
S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [106256 2013-04-12] (Oracle Corporation)
S3 vodafone_zte_cdc_acm; C:\Windows\System32\DRIVERS\vodafone_zte_cdc_acm.sys [79872 2011-05-20] (Vodafone)
S3 vodafone_zte_cdc_ecm; C:\Windows\System32\DRIVERS\vodafone_zte_cdc_ecm.sys [58880 2011-05-20] (Vodafone)
S3 vodafone_zte_cpo; C:\Windows\System32\DRIVERS\vodafone_zte_cpo.sys [14336 2011-05-20] (Vodafone)
S3 vodafone_zte_ecm_enum; C:\Windows\System32\DRIVERS\vodafone_zte_ecm_enum.sys [56320 2011-05-20] (Vodafone)
S3 vodafone_zte_ecm_enum_filter; C:\Windows\System32\DRIVERS\vodafone_zte_ecm_enum_filter.sys [56320 2011-05-20] (Vodafone)
R3 YMIDUSBW; C:\Windows\System32\drivers\ymidusbx64.sys [51016 2011-11-01] (Yamaha Corporation)
S3 cpuz132; \??\C:\Users\Sophie\AppData\Local\Temp\cpuz132\cpuz132_x64.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-07 10:52 - 2013-08-07 10:52 - 00000000 ____D C:\FRST
2013-08-07 10:51 - 2013-08-07 10:51 - 01788943 _____ (Farbar) C:\Users\Sophie\Desktop\FRST64.exe
2013-08-07 02:03 - 2013-08-07 02:03 - 00045510 _____ C:\Users\Sophie\.recently-used.xbel
2013-08-06 14:48 - 2013-08-06 14:48 - 00020582 _____ C:\Users\Sophie\Desktop\dds.txt
2013-08-06 14:48 - 2013-08-06 14:48 - 00010139 _____ C:\Users\Sophie\Desktop\attach.txt
2013-08-06 14:22 - 2013-08-06 14:22 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Malwarebytes
2013-08-06 12:23 - 2013-08-06 12:23 - 00000092 _____ C:\Users\Sophie\Desktop\zilch high score README.txt
2013-08-06 12:15 - 2013-08-06 12:15 - 00001192 _____ C:\Windows\wininit.ini
2013-08-06 12:04 - 2013-08-06 15:33 - 00000000 ____D C:\hjt
2013-08-03 16:42 - 2013-08-03 16:42 - 00069513 _____ C:\Users\Sophie\AppData\Local\recently-used.xbel
2013-08-01 20:15 - 2013-08-01 20:43 - 00000000 ____D C:\Users\Sophie\Gpredict
2013-08-01 20:15 - 2013-08-01 20:15 - 00000000 ____D C:\GPredict
2013-08-01 09:55 - 2013-08-01 09:55 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PowerMenu
2013-08-01 09:55 - 2013-08-01 09:55 - 00000000 ____D C:\Program Files (x86)\PowerMenu
2013-07-31 23:01 - 2013-07-31 23:01 - 01811408 _____ C:\Users\Sophie\Desktop\glados4-2.wav
2013-07-31 22:53 - 2013-07-31 22:53 - 01825572 _____ C:\Users\Sophie\Desktop\glados4.wav
2013-07-31 22:53 - 2013-07-31 22:53 - 00104311 _____ C:\Users\Sophie\Desktop\glados4.wav.mdd
2013-07-31 22:48 - 2013-07-31 22:48 - 01056392 _____ C:\Users\Sophie\Desktop\glados3.wav
2013-07-31 22:48 - 2013-07-31 22:48 - 00061401 _____ C:\Users\Sophie\Desktop\glados3.wav.mdd
2013-07-30 01:05 - 2013-07-30 01:05 - 00000000 ____D C:\Users\Sophie\Desktop\arg archival
2013-07-29 23:01 - 2013-07-30 23:41 - 00000000 ____D C:\Users\Sophie\Documents\Euro Truck Simulator 2
2013-07-29 19:20 - 2013-07-29 19:21 - 00002084 _____ C:\Users\Sophie\Documents\ARG Box.RDP
2013-07-28 20:02 - 2013-07-28 20:02 - 00000000 ___RD C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Radio
2013-07-28 19:59 - 2013-07-28 19:59 - 00000000 ___RD C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Pinned Items
2013-07-28 19:52 - 2013-07-28 19:52 - 00001235 _____ C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Cakewalk Professional.lnk
2013-07-28 17:46 - 2013-02-12 05:12 - 00019968 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usb8023x.sys
2013-07-28 17:46 - 2013-02-12 05:12 - 00019968 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usb8023.sys
2013-07-28 17:46 - 2012-11-09 06:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-07-28 17:46 - 2012-11-09 05:42 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-07-28 17:46 - 2012-07-04 21:26 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rndismpx.sys
2013-07-28 15:35 - 2013-07-28 15:42 - 00000000 ____D C:\cdex-rips
2013-07-28 12:37 - 2013-07-28 12:48 - 00000000 ____D C:\Program Files (x86)\Duty Calls
2013-07-26 23:01 - 2013-08-07 04:36 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\ClassicShell
2013-07-26 23:01 - 2013-07-26 23:01 - 00000000 ____D C:\Program Files\Classic Shell
2013-07-24 12:57 - 2013-07-24 12:58 - 00000000 ____D C:\Program Files (x86)\Munt
2013-07-21 13:02 - 2013-07-21 13:02 - 00000000 ____D C:\Users\Sophie\AppData\Local\Almalence
2013-07-21 13:01 - 2013-07-21 13:01 - 00000000 ____D C:\Program Files\PhotoAcute3
2013-07-21 10:09 - 2013-07-21 10:09 - 00275456 _____ (IvoSoft) C:\Windows\system32\StartMenuHelper64.dll
2013-07-21 10:08 - 2013-07-21 10:08 - 00226304 _____ (IvoSoft) C:\Windows\SysWOW64\StartMenuHelper32.dll
2013-07-21 01:07 - 2013-07-21 01:24 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\SynthFont
2013-07-21 01:07 - 2013-07-21 01:07 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Viena
2013-07-21 01:07 - 2013-07-21 01:07 - 00000000 ____D C:\Program Files (x86)\Viena
2013-07-20 11:02 - 2013-07-20 11:02 - 00000000 ____D C:\Program Files (x86)\Blink
2013-07-19 15:51 - 2013-07-19 15:51 - 00000000 ____D C:\Users\Sophie\Documents\Square Enix
2013-07-15 00:13 - 2013-07-15 00:14 - 00000000 ____D C:\webcam-bed-backup
2013-07-13 18:38 - 2013-07-13 21:13 - 00000000 ____D C:\trans
2013-07-12 23:12 - 2013-07-12 23:12 - 00000000 ____D C:\Windows\SysWOW64\VirtualMIDISynth
2013-07-12 21:09 - 2013-07-12 23:12 - 00000000 ____D C:\Windows\system32\VirtualMIDISynth
2013-07-11 08:45 - 2013-07-11 08:45 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_ssadadb_01005.Wdf

==================== One Month Modified Files and Folders =======

2013-08-07 10:51 - 2013-08-07 10:51 - 01788943 _____ (Farbar) C:\Users\Sophie\Desktop\FRST64.exe
2013-08-07 10:48 - 2009-07-14 05:45 - 00031680 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-07 10:48 - 2009-07-14 05:45 - 00031680 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-07 10:47 - 2009-07-14 06:13 - 00006206 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-07 10:41 - 2012-08-30 23:28 - 00000438 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2013-08-07 10:41 - 2012-08-19 15:23 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-08-07 10:41 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-07 10:41 - 2009-07-14 05:51 - 00013657 _____ C:\Windows\setupact.log
2013-08-07 10:30 - 2012-07-26 01:29 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Skype
2013-08-07 07:44 - 2012-08-19 15:23 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-07 06:24 - 2012-07-25 13:58 - 01812579 _____ C:\Windows\WindowsUpdate.log
2013-08-07 04:36 - 2013-07-26 23:01 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\ClassicShell
2013-08-07 02:36 - 2012-07-25 21:01 - 00000000 ____D C:\Steam
2013-08-07 02:03 - 2013-08-07 02:03 - 00045510 _____ C:\Users\Sophie\.recently-used.xbel
2013-08-07 02:03 - 2012-07-27 15:53 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\gtk-2.0
2013-08-07 02:03 - 2012-07-25 13:57 - 00000000 ____D C:\Users\Sophie
2013-08-06 22:44 - 2012-07-26 20:31 - 00000000 ____D C:\Users\Sophie\.gimp-2.6
2013-08-06 15:33 - 2013-08-06 12:04 - 00000000 ____D C:\hjt
2013-08-06 14:48 - 2013-08-06 14:48 - 00020582 _____ C:\Users\Sophie\Desktop\dds.txt
2013-08-06 14:48 - 2013-08-06 14:48 - 00010139 _____ C:\Users\Sophie\Desktop\attach.txt
2013-08-06 14:22 - 2013-08-06 14:22 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Malwarebytes
2013-08-06 14:07 - 2012-11-25 17:00 - 00000000 ____D C:\Users\Sophie\AppData\Local\Vidalia
2013-08-06 12:24 - 2010-11-21 04:47 - 00024830 _____ C:\Windows\PFRO.log
2013-08-06 12:23 - 2013-08-06 12:23 - 00000092 _____ C:\Users\Sophie\Desktop\zilch high score README.txt
2013-08-06 12:20 - 2012-07-25 21:48 - 00000000 ____D C:\procmon
2013-08-06 12:20 - 2012-07-25 15:05 - 00000000 ____D C:\XMPlay
2013-08-06 12:15 - 2013-08-06 12:15 - 00001192 _____ C:\Windows\wininit.ini
2013-08-06 11:43 - 2012-07-25 14:23 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-05 14:27 - 2012-12-17 17:38 - 00000000 ____D C:\wav
2013-08-05 00:46 - 2012-08-10 04:49 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Audacity
2013-08-03 17:43 - 2012-08-08 23:36 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\.minecraft
2013-08-03 16:42 - 2013-08-03 16:42 - 00069513 _____ C:\Users\Sophie\AppData\Local\recently-used.xbel
2013-08-01 20:43 - 2013-08-01 20:15 - 00000000 ____D C:\Users\Sophie\Gpredict
2013-08-01 20:15 - 2013-08-01 20:15 - 00000000 ____D C:\GPredict
2013-08-01 14:31 - 2012-07-27 05:03 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2013-08-01 11:20 - 2012-08-06 17:59 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Blink
2013-08-01 09:55 - 2013-08-01 09:55 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PowerMenu
2013-08-01 09:55 - 2013-08-01 09:55 - 00000000 ____D C:\Program Files (x86)\PowerMenu
2013-08-01 09:55 - 2012-07-25 13:57 - 00000000 ___RD C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-07-31 23:01 - 2013-07-31 23:01 - 01811408 _____ C:\Users\Sophie\Desktop\glados4-2.wav
2013-07-31 23:01 - 2012-11-12 19:19 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Celemony Software GmbH
2013-07-31 22:53 - 2013-07-31 22:53 - 01825572 _____ C:\Users\Sophie\Desktop\glados4.wav
2013-07-31 22:53 - 2013-07-31 22:53 - 00104311 _____ C:\Users\Sophie\Desktop\glados4.wav.mdd
2013-07-31 22:48 - 2013-07-31 22:48 - 01056392 _____ C:\Users\Sophie\Desktop\glados3.wav
2013-07-31 22:48 - 2013-07-31 22:48 - 00061401 _____ C:\Users\Sophie\Desktop\glados3.wav.mdd
2013-07-30 23:41 - 2013-07-29 23:01 - 00000000 ____D C:\Users\Sophie\Documents\Euro Truck Simulator 2
2013-07-30 22:22 - 2012-09-27 15:31 - 00000000 ____D C:\Users\Sophie\.VirtualBox
2013-07-30 01:05 - 2013-07-30 01:05 - 00000000 ____D C:\Users\Sophie\Desktop\arg archival
2013-07-29 21:48 - 2012-07-26 22:11 - 00002048 ____H C:\Users\Sophie\Documents\Default.rdp
2013-07-29 19:21 - 2013-07-29 19:20 - 00002084 _____ C:\Users\Sophie\Documents\ARG Box.RDP
2013-07-29 15:08 - 2013-05-02 23:19 - 00000000 ____D C:\Users\Sophie\AppData\Local\Game Dev Tycoon
2013-07-28 20:08 - 2013-03-12 01:48 - 00000000 ____D C:\mashup
2013-07-28 20:02 - 2013-07-28 20:02 - 00000000 ___RD C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Radio
2013-07-28 19:59 - 2013-07-28 19:59 - 00000000 ___RD C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Pinned Items
2013-07-28 19:52 - 2013-07-28 19:52 - 00001235 _____ C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Cakewalk Professional.lnk
2013-07-28 18:00 - 2012-07-25 14:01 - 00078912 _____ C:\Users\Sophie\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-28 17:56 - 2012-10-02 20:07 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-07-28 17:56 - 2009-07-14 05:45 - 00342776 _____ C:\Windows\system32\FNTCACHE.DAT
2013-07-28 16:48 - 2013-05-18 21:30 - 00002398 _____ C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Firefox OS Simulator.lnk
2013-07-28 16:47 - 2013-03-18 17:21 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Nettalk
2013-07-28 15:42 - 2013-07-28 15:35 - 00000000 ____D C:\cdex-rips
2013-07-28 15:32 - 2013-02-11 20:48 - 00000000 ____D C:\Users\Sophie\AppData\Local\Help
2013-07-28 15:28 - 2012-11-25 17:01 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\tor
2013-07-28 15:24 - 2013-03-22 18:24 - 00000000 ____D C:\Program Files (x86)\Shortcuts Map
2013-07-28 14:48 - 2012-12-17 00:16 - 00000000 ____D C:\isos
2013-07-28 12:48 - 2013-07-28 12:37 - 00000000 ____D C:\Program Files (x86)\Duty Calls
2013-07-28 12:36 - 2012-07-27 10:07 - 00206600 _____ C:\Windows\DirectX.log
2013-07-26 23:01 - 2013-07-26 23:01 - 00000000 ____D C:\Program Files\Classic Shell
2013-07-26 19:55 - 2012-07-27 14:37 - 00000000 ____D C:\Users\Sophie\.android
2013-07-25 20:53 - 2013-05-31 12:09 - 00000000 ____D C:\andrew-huang-c
2013-07-25 20:46 - 2012-09-09 23:41 - 00000000 ____D C:\arss
2013-07-24 12:58 - 2013-07-24 12:57 - 00000000 ____D C:\Program Files (x86)\Munt
2013-07-22 12:12 - 2012-07-27 10:09 - 00000000 ____D C:\Users\Sophie\Documents\My Games
2013-07-22 10:46 - 2012-12-09 12:20 - 00018960 _____ (Logitech, Inc.) C:\Windows\system32\Drivers\LNonPnP.sys
2013-07-22 10:46 - 2012-12-09 12:20 - 00003096 _____ C:\Windows\LkmdfCoInst.log
2013-07-21 13:02 - 2013-07-21 13:02 - 00000000 ____D C:\Users\Sophie\AppData\Local\Almalence
2013-07-21 13:01 - 2013-07-21 13:01 - 00000000 ____D C:\Program Files\PhotoAcute3
2013-07-21 10:09 - 2013-07-21 10:09 - 00275456 _____ (IvoSoft) C:\Windows\system32\StartMenuHelper64.dll
2013-07-21 10:08 - 2013-07-21 10:08 - 00226304 _____ (IvoSoft) C:\Windows\SysWOW64\StartMenuHelper32.dll
2013-07-21 01:24 - 2013-07-21 01:07 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\SynthFont
2013-07-21 01:07 - 2013-07-21 01:07 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Viena
2013-07-21 01:07 - 2013-07-21 01:07 - 00000000 ____D C:\Program Files (x86)\Viena
2013-07-20 15:07 - 2012-07-25 19:02 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\vlc
2013-07-20 11:02 - 2013-07-20 11:02 - 00000000 ____D C:\Program Files (x86)\Blink
2013-07-19 15:51 - 2013-07-19 15:51 - 00000000 ____D C:\Users\Sophie\Documents\Square Enix
2013-07-19 15:35 - 2012-07-25 21:48 - 00000000 ____D C:\procexp
2013-07-18 22:30 - 2013-06-17 11:52 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Mumble
2013-07-18 19:54 - 2012-11-25 20:38 - 00000000 ____D C:\Users\Sophie\Documents\OnLive App
2013-07-17 14:25 - 2012-09-08 18:05 - 00000000 ____D C:\Users\Sophie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2013-07-16 16:48 - 2012-10-06 22:17 - 00000213 _____ C:\Windows\PCWGXDRV.INI
2013-07-15 20:40 - 2013-04-16 17:12 - 00000000 ____D C:\Games
2013-07-15 19:15 - 2012-09-27 01:42 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-07-15 19:15 - 2012-09-27 01:42 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-07-15 19:07 - 2013-04-15 12:59 - 00000000 ____D C:\Users\Sophie\AppData\Local\Adobe
2013-07-15 00:14 - 2013-07-15 00:13 - 00000000 ____D C:\webcam-bed-backup
2013-07-14 17:55 - 2013-01-24 23:35 - 00000000 ____D C:\sdr
2013-07-13 21:13 - 2013-07-13 18:38 - 00000000 ____D C:\trans
2013-07-12 23:12 - 2013-07-12 23:12 - 00000000 ____D C:\Windows\SysWOW64\VirtualMIDISynth
2013-07-12 23:12 - 2013-07-12 21:09 - 00000000 ____D C:\Windows\system32\VirtualMIDISynth
2013-07-12 17:02 - 2012-08-19 15:23 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-07-12 17:02 - 2012-08-19 15:23 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-07-11 08:45 - 2013-07-11 08:45 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_ssadadb_01005.Wdf
2013-07-09 14:55 - 2012-07-25 14:55 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-08-02 02:57

==================== End Of Log ============================

(Addition.txt is attached, as requested)

adwCleaner:

# AdwCleaner v2.306 - Logfile created 08/07/2013 at 11:00:34
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : Sophie - SOPHIE-LAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Sophie\Desktop\bleepingcomputer-tools\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Mozilla Firefox\Extensions\ffxtlbr@babylon.com
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\36wpv6m3.default\jetpack
Folder Deleted : C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\36wpv6m3.default\StumbleUpon
Folder Deleted : C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\q4229jpf.Blank\extensions\staged
Folder Deleted : C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\vp8qo250.Firefox OS Simulator\jetpack
Folder Deleted : C:\Users\Sophie\AppData\Roaming\pdfforge

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{39CB8175-E224-4446-8746-00566302DF8D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\f2dcddb068e817
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://www1.delta-search.com/?babsrc=NT_ss&mntrId=D424B803059F3806&affID=122471&tsp=4966 --> hxxp://www.google.com

-\\ Mozilla Firefox v22.0 (en-GB)

File : C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\36wpv6m3.default\prefs.js

C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\36wpv6m3.default\user.js ... Deleted !

Deleted : user_pref("extensions.delta.admin", false);
Deleted : user_pref("extensions.delta.aflt", "babsst");
Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Deleted : user_pref("extensions.delta.autoRvrt", "false");
Deleted : user_pref("extensions.delta.dfltLng", "en");
Deleted : user_pref("extensions.delta.excTlbr", false);
Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
Deleted : user_pref("extensions.delta.id", "d4244d4f000000000000b803059f3806");
Deleted : user_pref("extensions.delta.instlDay", "15923");
Deleted : user_pref("extensions.delta.instlRef", "sst");
Deleted : user_pref("extensions.delta.newTab", false);
Deleted : user_pref("extensions.delta.prdct", "delta");
Deleted : user_pref("extensions.delta.prtnrId", "delta");
Deleted : user_pref("extensions.delta.rvrt", "false");
Deleted : user_pref("extensions.delta.smplGrp", "none");
Deleted : user_pref("extensions.delta.tlbrId", "base");
Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Deleted : user_pref("extensions.delta.vrsn", "1.8.22.0");
Deleted : user_pref("extensions.delta.vrsnTs", "1.8.22.011:43:23");
Deleted : user_pref("extensions.delta.vrsni", "1.8.22.0");
Deleted : user_pref("extensions.delta_i.babExt", "");
Deleted : user_pref("extensions.delta_i.babTrack", "affID=122471&tsp=4966");
Deleted : user_pref("extensions.delta_i.srcExt", "ss");

File : C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\49zlmv2b.default\prefs.js

C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\49zlmv2b.default\user.js ... Deleted !

Deleted : user_pref("extensions.delta.admin", false);
Deleted : user_pref("extensions.delta.aflt", "babsst");
Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Deleted : user_pref("extensions.delta.autoRvrt", "false");
Deleted : user_pref("extensions.delta.dfltLng", "en");
Deleted : user_pref("extensions.delta.excTlbr", false);
Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
Deleted : user_pref("extensions.delta.id", "d4244d4f000000000000b803059f3806");
Deleted : user_pref("extensions.delta.instlDay", "15923");
Deleted : user_pref("extensions.delta.instlRef", "sst");
Deleted : user_pref("extensions.delta.newTab", false);
Deleted : user_pref("extensions.delta.prdct", "delta");
Deleted : user_pref("extensions.delta.prtnrId", "delta");
Deleted : user_pref("extensions.delta.rvrt", "false");
Deleted : user_pref("extensions.delta.smplGrp", "none");
Deleted : user_pref("extensions.delta.tlbrId", "base");
Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Deleted : user_pref("extensions.delta.vrsn", "1.8.22.0");
Deleted : user_pref("extensions.delta.vrsnTs", "1.8.22.011:43:22");
Deleted : user_pref("extensions.delta.vrsni", "1.8.22.0");
Deleted : user_pref("extensions.delta_i.babExt", "");
Deleted : user_pref("extensions.delta_i.babTrack", "affID=122471&tsp=4966");
Deleted : user_pref("extensions.delta_i.srcExt", "ss");

File : C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\o7kfid21.Tor\prefs.js

C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\o7kfid21.Tor\user.js ... Deleted !

Deleted : user_pref("browser.newtab.url", "hxxp://www1.delta-search.com/?babsrc=NT_ss&mntrId=D424B803059F3806&[...]
Deleted : user_pref("browser.search.selectedEngine", "Delta Search");
Deleted : user_pref("browser.startup.homepage", "hxxp://www1.delta-search.com/?babsrc=HP_ss&mntrId=D424B803059[...]

File : C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\q4229jpf.Blank\prefs.js

C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\q4229jpf.Blank\user.js ... Deleted !

[OK] File is clean.

File : C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\ts8641jx.Tor\prefs.js

[OK] File is clean.

File : C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\vp8qo250.Firefox OS Simulator\prefs.js

C:\Users\Sophie\AppData\Roaming\Mozilla\Firefox\Profiles\vp8qo250.Firefox OS Simulator\user.js ... Deleted !

[OK] File is clean.

-\\ Google Chrome v28.0.1500.95

File : C:\Users\Sophie\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [6779 octets] - [07/08/2013 11:00:34]

########## EOF - C:\AdwCleaner[S1].txt - [6839 octets] ##########
 

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.3.4 (08.06.2013:1)
OS: Windows 7 Professional x64
Ran by Sophie on 07/08/2013 at 11:19:58.33
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll



~~~ Folders

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ FireFox

Successfully deleted: [File] C:\Users\Sophie\AppData\Roaming\mozilla\firefox\profiles\49zlmv2b.default\invalidprefs.js
Successfully deleted: [File] "C:\Users\Sophie\AppData\Roaming\mozilla\firefox\profiles\49zlmv2b.default\extensions\jid0-SmvlvxGpvCyG252KbVMqIKR79Uc@jetpack.xpi"
Successfully deleted: [File] "C:\Users\Sophie\AppData\Roaming\mozilla\firefox\profiles\49zlmv2b.default\extensions\requestpolicy@requestpolicy.com.xpi"
Successfully deleted: [Folder] C:\Users\Sophie\AppData\Roaming\mozilla\firefox\profiles\36wpv6m3.default\jetpack
Successfully deleted the following from C:\Users\Sophie\AppData\Roaming\mozilla\firefox\profiles\36wpv6m3.default\prefs.js

user_pref("extensions.imagesearchoptions.sitearray", "IQDB Search|0|1|chrome://ImageSearchOptions/content/images/IQDB.png;;;0|1|0|1;;;2;;;hxxp://iqdb.org;;;url=::$URL::;;;?|&;
user_pref("stumble.16174943.file_stumbletags_failsafe", "hxxp://www.buzzfeed.com/mjs538/16-bad-marriage-proposals    Live TV Can we\nhxxp://www.thetechgame.com/Forums/search/sea
Emptied folder: C:\Users\Sophie\AppData\Roaming\mozilla\firefox\profiles\36wpv6m3.default\minidumps [19 files]
Emptied folder: C:\Users\Sophie\AppData\Roaming\mozilla\firefox\profiles\q4229jpf.Blank\minidumps [1 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 07/08/2013 at 11:26:17.37
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Edited by Sophira, 07 August 2013 - 05:59 AM.


#5 B-boy/StyLe/

Bleepin' Freestyler

  • Malware Response Team
  • 8,309 posts
  • Gender:Male
  • Location:Bulgaria

Posted 07 August 2013 - 06:48 AM

Hi,

After running JRT, I noticed that Classic Shell was no longer replacing my Start menu. I assume this is because Explorer.exe was killed and restarted during the process?

I have no idea because I never used Classic Shell before. It's a pity because the developer is Bulgarian... Maybe I'll use it in the near future if I migrate to Windows 8, which doesn't have the Start Menu available. If the problem persists even after a reboot, then try to reinstall Classic Shell to see if this helps.

I noticed that the log files for AdwCleaner and JRT say that between them they deleted everything in the "jetpack" folder of my Firefox profiles. I'm curious why, since these would be how Firefox extensions that use the new API store their settings? I've lost all the settings in RES (Reddit Enhancement Suite) because of that, for example. (I know this isn't your fault, I'm just curious as to why they do that.)

I'll check that with the developers. These may be false positives from both tools. However, I don't think that you lost your customizations because of deleting the jetpack folders but because of deleting the user.js instead, which was compromised by Delta Search as you can see for yourself. Can you try re-installing the reddit extension to see if that helps? That's why it's a good idea to have a backup of your profile once we finish with the cleaning process. Mozbackup or Febe are the way to go, at least for Mozilla Firefox.

According to JRT's logs, it removed the "RequestPolicy" Firefox extension from one of my Firefox profiles. Is this malware? (As it turns out, I didn't end up using it after I installed it anyway, but it still concerns me.)

I don't think so, regarding its reputation at the Mozilla add-ons site. I'll check that with the developer of JRT as well and I'll keep you posted.

Regards,

Georgi


#6 Sophira

  • Topic Starter
  • Members
  • 11 posts
  • Gender:Female

Posted 07 August 2013 - 07:52 AM

After running JRT, I noticed that Classic Shell was no longer replacing my Start menu. I assume this is because Explorer.exe was killed and restarted during the process?

I have no idea because I never used Classic Shell before. It's a pity because the developer is Bulgarian... Maybe I'll use it in the near future if I migrate to Windows 8, which doesn't have the Start Menu available. If the problem persists even after a reboot, then try to reinstall Classic Shell to see if this helps.

A reboot fixed the issue. (I also rebooted because as it turns out, JRT restarted Explorer as administrator due to being run with admin privileges, and I wasn't comfortable with that.)

I noticed that the log files for AdwCleaner and JRT say that between them they deleted everything in the "jetpack" folder of my Firefox profiles. I'm curious why, since these would be how Firefox extensions that use the new API store their settings? I've lost all the settings in RES (Reddit Enhancement Suite) because of that, for example. (I know this isn't your fault, I'm just curious as to why they do that.)

I'll check that with the developers. These may be false positives from both tools. However, I don't think that you lost your customizations because of deleting the jetpack folders but because of deleting the user.js instead, which was compromised by Delta Search as you can see for yourself. Can you try re-installing the reddit extension to see if that helps? That's why it's a good idea to have a backup of your profile once we finish with the cleaning process. Mozbackup or Febe are the way to go, at least for Mozilla Firefox.

RES on Firefox stores its settings in the jetpack folder, and so does any extension that uses the new Jetpack add-on SDK (which is what allows new extensions to be installed without having to restart Firefox). I have no idea about user.js but I do know that the file didn't exist before Delta was accidentally installed, so I assume it must have come from that.

According to JRT's logs, it removed the "RequestPolicy" Firefox extension from one of my Firefox profiles. Is this malware? (As it turns out, I didn't end up using it after I installed it anyway, but it still concerns me.)

I don't think so, regarding its reputation at the Mozilla add-ons site. I'll check that with the developer of JRT as well and I'll keep you posted.

Thanks! :D

Edited by Sophira, 07 August 2013 - 07:52 AM.
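The user_pref entries AdwCleaner stripped from prefs.js and user.js earlier in the thread, and the user.js question in this post, as an added example that is not from the thread or from either tool: a small Python checker that parses Firefox pref lines and flags the extensions.delta branch plus any startup, new-tab or search pref whose value points at the hijacker. Firefox re-applies user.js at every startup on top of prefs.js, which is why a planted user.js re-hijacks the home page after the user resets it. The sample file is constructed from the values in the log with the per-machine id replaced by a placeholder; the last two names in TAKEOVER_PREFS are real Firefox prefs of that era that do not appear in this log.

```python
import re
from typing import List, Tuple

# One Firefox pref line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Browser settings a search hijacker rewrites; the first three appear in the
# AdwCleaner log in this thread, the last two are the same kind of pref
# (real Firefox pref names of that era, added here for completeness).
TAKEOVER_PREFS = {
    "browser.startup.homepage",
    "browser.newtab.url",
    "browser.search.selectedEngine",
    "browser.search.defaultenginename",
    "keyword.URL",
}

# Value fragments that identify the Delta Search / Babylon family in this thread.
HIJACK_MARKERS = ("delta-search.com", "babsrc=", "delta search", "babylon")


def parse_prefs(text: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs; string values lose their surrounding quotes,
    booleans and numbers are kept as their literal text."""
    prefs = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # banner comment, blank line, or something that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        prefs.append((name, raw))
    return prefs


def find_hijacked_prefs(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, value, reason) for each pref that looks like a Delta Search leftover."""
    findings = []
    for name, value in parse_prefs(text):
        if name.startswith(("extensions.delta.", "extensions.delta_i.")):
            findings.append((name, value, "toolbar pref branch"))
        elif name in TAKEOVER_PREFS and any(
                marker in value.lower() for marker in HIJACK_MARKERS):
            findings.append((name, value, "browser setting points at hijacker"))
    return findings


# Constructed sample modelled on the user.js entries in the AdwCleaner log above;
# the per-machine mntrId is replaced by a placeholder.
SAMPLE_USER_JS = """
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www1.delta-search.com/?babsrc=HP_ss&mntrId=PLACEHOLDER");
user_pref("browser.newtab.url", "http://www1.delta-search.com/?babsrc=NT_ss&mntrId=PLACEHOLDER");
user_pref("browser.search.selectedEngine", "Delta Search");
user_pref("extensions.delta.prdct", "delta");
user_pref("extensions.delta.newTab", false);
user_pref("extensions.delta_i.babTrack", "affID=122471&tsp=4966");
user_pref("browser.startup.homepage_override.mstone", "22.0");
user_pref("general.useragent.locale", "en-GB");
"""

if __name__ == "__main__":
    for name, value, reason in find_hijacked_prefs(SAMPLE_USER_JS):
        print(f"{reason:38} {name} = {value}")
```

Run it against each profile's prefs.js and user.js before a cleaner deletes them, so the findings can be reviewed (and legitimate prefs kept) instead of losing the whole user.js.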


#7 B-boy/StyLe/

Bleepin' Freestyler

  • Malware Response Team
  • 8,309 posts
  • Gender:Male
  • Location:Bulgaria

Posted 07 August 2013 - 11:20 AM

Hi,

The requestpolicy addon was a false positive which will be fixed in the next update - so there is nothing to worry about.

The same for jetpack. They were added because many malicious extensions were created via Jetpack, but it seems that not all of them are malicious.

We are sorry for the inconvenience. Reinstall the extensions you think are broken.

Let me know if there are any issues left.

Regards,

Georgi


#8 Sophira

  • Topic Starter
  • Members
  • 11 posts
  • Gender:Female

Posted 08 August 2013 - 06:41 AM

Hi,

I can't see any further issues - thanks!

It looks like I didn't just lose the data for these extensions but the extensions themselves too. Going by a complete drive listing I made not long ago before this happened, and cross-checking the extension IDs with the names listed in the addons.sqlite file, it appears I've lost these extensions:

I'll reinstall these extensions after we're done here, in case you have anything else you need to do.

I do have a request: In the future, to prevent problems like this from happening again, may I use the Search mode of AdwCleaner and review the log (or present the log in the thread) so that we know what it's about to delete and can back up any false positives to restore after the thread is done?

Thanks!



#9 Sophira

  • Topic Starter
  • Members
  • 11 posts
  • Gender:Female

Posted 08 August 2013 - 06:54 AM

Oh, actually, there is one more thing. In the 30-day creation report of FRST in the logs above, you can see C:\Windows\wininit.ini listed. It looks like this still contains references to Delta, Browser Defender and Babylon:

[rename]

c:\tempjunk2046.tmp=C:\Program Files (x86)\Delta\delta\1.8.22.0\deltasrv.exe
nul=c:\tempjunk251.tmp
c:\tempjunk7939.tmp=C:\Program Files (x86)\Delta\delta\1.8.22.0\GUninstaller.exe
c:\tempjunk7905.tmp=C:\Program Files (x86)\Delta\delta\1.8.22.0\uninstall.exe
c:\tempjunk5807.tmp=C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe
c:\tempjunk5253.tmp=C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.dll
c:\tempjunk2331.tmp=C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\bl
c:\tempjunk9076.tmp=C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.settings
c:\tempjunk1853.tmp=C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\dm
c:\tempjunk8555.tmp=C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\uninstall.exe
c:\tempjunk6445.tmp=C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\FirefoxExtension\bprotector.js
c:\tempjunk251.tmp=C:\Users\Sophie\AppData\Roaming\Babylon\log_file.txt

 

My guess is that this is just left over and that I can safely delete it, but wanted to bring it to you first. What do you think? (For reference, no files matching c:\tempjunk*.tmp still exist.)


Edited by Sophira, 08 August 2013 - 06:57 AM.
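The wininit.ini [rename] section quoted in this post, as an added example that is neither tool output nor anything the thread's participants wrote: a Python triage helper that parses the section (one destination=source entry per line, with nul= meaning delete the source) and reports which referenced paths still exist, which is the check made above that no c:\tempjunk*.tmp files remain. This Windows 9x-era rename mechanism is not processed by the NT family, so on Windows 7 the file is an inert leftover. The sample is constructed from a subset of the entries quoted above; the injectable exists() parameter is an assumption of this example so it can be run against a captured file from another machine.

```python
import os
from typing import Callable, Dict, List, Tuple


def parse_rename_section(text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section of a wininit.ini.

    Each entry is 'destination=source'; a destination of 'nul' means delete the
    source. Other sections, blank lines and ';' comments are ignored.
    """
    pairs = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def triage_rename_entries(text: str,
                          exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Split the entries into pending deletes and renames and list every referenced
    path that still exists on disk. exists() is injectable (assumption of this
    example) so a captured wininit.ini can be checked away from the machine."""
    report: Dict[str, List[str]] = {"delete": [], "rename": [], "still_present": []}
    for dest, src in parse_rename_section(text):
        if dest.lower() == "nul":
            report["delete"].append(src)
        else:
            report["rename"].append(f"{src} -> {dest}")
        for path in (dest, src):
            if path.lower() != "nul" and exists(path) and path not in report["still_present"]:
                report["still_present"].append(path)
    return report


# Constructed sample: a subset of the [rename] entries quoted in the post above.
SAMPLE_WININIT = r"""
[rename]
c:\tempjunk2046.tmp=C:\Program Files (x86)\Delta\delta\1.8.22.0\deltasrv.exe
nul=c:\tempjunk251.tmp
c:\tempjunk5807.tmp=C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe
c:\tempjunk251.tmp=C:\Users\Sophie\AppData\Roaming\Babylon\log_file.txt
"""

if __name__ == "__main__":
    for kind, paths in triage_rename_entries(SAMPLE_WININIT).items():
        print(kind, paths)
```

An empty still_present list is the same result Sophira reports above: the entries only name files that are already gone.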


#10 B-boy/StyLe/

Bleepin' Freestyler

  • Malware Response Team
  • 8,309 posts
  • Gender:Male
  • Location:Bulgaria

Posted 08 August 2013 - 07:07 AM

Hi,

I am gonna make a suggestion to the developer of JRT to add a search function to JRT if possible as well. However, the search option in AdwCleaner which is currently available is a little useless because you can't select what is to be deleted and what is to be left untouched. If you use the search button you should remove the entries regarding the log manually.

Also JRT has an option to back up the registry if something goes wrong during the cleaning process so the entries can be restored, but not for the deleted files or folders. I can ask the developers if they can add some kind of quarantine.

About the following file, C:\Windows\wininit.ini: you can safely delete it. I'll ask the developers if they can add it for removal.

And please run the following scans to be sure your system is malware free:

STEP 1

Check this out: Malwarebytes Adopts Aggressive PUP Policy :)

  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.

STEP 2

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the esetBack.png button.
  • Push esetFinish.png

STEP 3

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Regards,

Georgi

Edited by B-boy/StyLe/, 09 August 2013 - 03:42 AM.
edit: typo.


#11 Sophira

  • Topic Starter
  • Members
  • 11 posts
  • Gender:Female

Posted 08 August 2013 - 08:52 AM

Malwarebytes found nothing, and its log is below.

ESET is taking a *very* long time, however. The total scan time is now one hour, and it's only 4% done. Do you want me to continue with it?

Malwarebytes Log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.08.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Sophie :: SOPHIE-LAPTOP [administrator]

08/08/2013 13:30:35
mbam-log-2013-08-08 (13-30-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 239807
Time elapsed: 1 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 



#12 Sophira

  • Topic Starter
  • Members
  • 11 posts
  • Gender:Female

Posted 08 August 2013 - 10:24 AM

Update: Total scan time is now 2 hours and 32 minutes, and it's 9% done.

#13 B-boy/StyLe/

Bleepin' Freestyler

  • Malware Response Team
  • 8,309 posts
  • Gender:Male
  • Location:Bulgaria

Posted 08 August 2013 - 01:11 PM

Hi,

Eset could take up to several hours depending on the size of your hard drive and the speed of your computer.
You can run this scan at night when you are not there and the computer is idle.

You can always skip it if you are certain your computer is malware free.

Eset Online Scanner is a slow scanner but a very comprehensive one. :)

Regards,

Georgi


#14 Sophira

  • Topic Starter
  • Members
  • 11 posts
  • Gender:Female

Posted 08 August 2013 - 05:52 PM

I decided to leave it going. It still hasn't finished, so I'll leave it running overnight. (Currently it's at 10 hours, and 58% done.)

It has detected some things, but I have a feeling that a lot of these are likely to be samples that I keep, as one of my hobbies is analysing and reverse-engineering malware. (I do not create any, of course.) I'm by no means a professional or anything, but it's something I do like to do. I'm always very careful about it; this was unfortunately one time when I was caught out. (Specifically, when I was installing a package from the Internet unrelated to this hobby, it asked to install Delta. I never click past these things blindly, and did in fact select to not install it. However, I accidentally double-clicked on the option, which for some reason the installer took to mean to start the installation even though I said I didn't want to do so. I immediately knew what had happened because of the tell-tale hourglass pointer...)

Anyway, I'll review the log when it's done tomorrow. Is it okay if I filter out the stuff that I know about and want to keep?

Edited by Sophira, 08 August 2013 - 05:54 PM.


#15 B-boy/StyLe/

Bleepin' Freestyler

  • Malware Response Team
  • 8,309 posts
  • Gender:Male
  • Location:Bulgaria

Posted 09 August 2013 - 04:03 AM

Hi,

Reverse-engineering is a very interesting hobby indeed and I see nothing wrong with it if you are on "the good side" of the barricade. Personally I can't do that due to limited free time and other obligations.

Do you have a blog or somewhere you post your analysis where I can see your work? I am just curious. :)

Why don't you use some kind of virtualization software like Shadow Defender, Sandboxie, VirtualBox, or simply create an image before you test something like that on your real PC?

About your last question - in my instructions on how to use Eset Online Scanner I mentioned to remove the checkbox beside Remove found threats. So, if you did that, then nothing will be removed automatically and you can attach the whole log (or send it to me via PM). ;)

Regards,

Georgi