
FBI Virus Help


  • This topic is locked
18 replies to this topic

#1 EthaNox

EthaNox

  • Members
  • 45 posts
  • OFFLINE
  • Local time:05:32 PM

Posted 23 August 2013 - 06:59 PM

Hi all, my uncle just gave me a newer laptop because it has a virus on it. It started out as the fake blaster worm virus...randomly shutting off, but it has pretty much taken over the whole computer. When it logs into Windows 7 the white screen comes up, the webcam turns on and takes a picture of whoever is using the computer, and it presents the FBI warning with instructions for payment. When I first got it, I went through the motions of going into Safe Mode, loading Malwarebytes and Spybot as well as TDSSKiller and running them MULTIPLE times. I also ran another program which was supposed to shut down the virus so Malwarebytes could delete it, but it seemed like every time I ran the scanners the problem would get worse. Now the ONLY mode I can open is Safe Mode with Command Prompt. 

 

I appreciate the help you all offer and hope you can help me too. Thank you SO MUCH in advance. I am ready to follow all instructions (:





#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:32 PM

Posted 23 August 2013 - 09:17 PM


Hello EthaNox

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe or e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First Press the Scan button.
  • It will make a log (FRST.txt)
I want you to post the FRST.txt report into your reply to me

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
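The FRST.txt that the steps above produce starts with a "Registry (Whitelisted)" section listing the Run, RunOnce and Winlogon autostart entries, and that is where a screen-locker of the kind described in this thread normally shows up: a Winlogon Shell value that starts something besides explorer.exe, or Run values pointing at DLLs and oddly named executables under the user's AppData. The script below is an added example for this thread, not FRST's own code and not part of any post; it parses lines in FRST's format and flags those patterns automatically. The sample lines are constructed in FRST's format and modelled on the kinds of entries such a log shows; the severities and reasons are the example's own heuristics, and the Entry/Finding names, the publisher and path checks, and the "[x]" / "<==== ATTENTION" handling are this example's reading of FRST's output conventions.

```python
"""Triage the autostart lines of a Farbar Recovery Scan Tool (FRST.txt) log.

Added example for this thread, not FRST's own code: it parses the Run / RunOnce / Winlogon
lines of FRST's "Registry (Whitelisted)" section and flags what a helper looks for by eye.
Severities and reasons are this example's own heuristics, not FRST output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in FRST's line format, modelled on what a screen-locker leaves behind:
# a clean vendor entry, DLL autostarts under AppData, a fake "Internet Security" exe,
# a hijacked Winlogon Shell, and orphan [x] entries whose files no longer exist.
SAMPLE_FRST = r"""
HKLM\...\Run: [] -  [x]
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-05-17] (TOSHIBA Corporation)
HKLM\...\Run: [ThpSrv] - C:\windows\system32\thpsrv /logon [x]
HKU\Gary\...\Run: [Skyrim] - C:\Users\Gary\AppData\Local\Microsoft Games\Skyrim\adalmcgo.dll [453632 2013-08-17] (Microsoft Corporation) <===== ATTENTION
HKU\Gary\...\Run: [ClassesB Update] - C:\Users\Gary\AppData\Local\ClassesB\idqbe32.dll [536576 2013-08-17] ()
HKU\Gary\...\Run: [Internet Security] - C:\Users\Gary\AppData\Roaming\msprotection.exe [845824 2013-08-18] (Peter Pawlowski)
HKU\Gary\...\Winlogon: [Shell] explorer.exe,C:\Users\Gary\AppData\Roaming\skype.dat [144896 2011-11-16] (MicroDigits Software Group) <==== ATTENTION
"""

ENTRY_RE = re.compile(r"^(?P<hive>HK.*?)\\(?P<key>RunOnce|Run|Winlogon):\s*\[(?P<name>[^\]]*)\]\s*(?:-\s*)?(?P<rest>.*)$")
# FRST appends "[size date] (publisher)" to a resolved file, "[x]" to a missing one,
# and "<==== ATTENTION" to entries it already considers suspicious.
META_RE = re.compile(r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]\s*(?:\((?P<publisher>[^)]*)\))?\s*$")
ATTENTION_RE = re.compile(r"\s*<=+\s*ATTENTION\s*$")
IMAGE_RE = re.compile(r'^(?P<path>"[^"]+"|.+?\.(?:exe|dll|dat|tmp|scr|com|bat|cmd|vbs|js))(?=\s|$)', re.I)
SEVERITY_RANK = {"MEDIUM": 1, "HIGH": 2}


@dataclass
class Entry:
    key: str                  # Run, RunOnce or Winlogon
    name: str                 # the value name FRST prints in [brackets]
    command: str              # value data with FRST's size/date/publisher suffix removed
    publisher: Optional[str]  # None: no "(...)" printed; "": "()" i.e. file has no version info
    missing: bool             # FRST printed [x]: the file is gone, the entry is orphaned


@dataclass
class Finding:
    severity: str
    name: str
    path: str
    reasons: List[str]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one FRST registry line; None for lines that are not autostart entries."""
    m = ENTRY_RE.match(ATTENTION_RE.sub("", line.strip()))
    if not m:
        return None
    rest = m["rest"].strip()
    missing = rest.endswith("[x]")
    if missing:
        rest = rest[:-3].strip()
    publisher, meta = None, META_RE.search(rest)
    if meta:
        publisher, rest = meta["publisher"], rest[:meta.start()].strip()
    return Entry(m["key"], m["name"], rest, publisher, missing)


def image_path(command: str) -> str:
    """Extract the program path from value data that may carry arguments."""
    m = IMAGE_RE.match(command)
    return m["path"].strip('"') if m else re.split(r"\s+[/-]", command, maxsplit=1)[0]


def assess(e: Entry) -> Optional[Finding]:
    """Apply the heuristics a helper uses when reading the log; None = nothing to flag."""
    hits = []  # (severity, reason)
    if e.key == "Winlogon":
        if e.name.lower() != "shell":
            return None  # Userinit etc. would need their own baseline; not covered here
        # Windows starts every comma-separated program in Shell; a screen-locker adds itself there
        extra = [p.strip() for p in e.command.split(",") if p.strip().lower() != "explorer.exe"]
        if not extra:
            return None
        path = ", ".join(extra)
        hits.append(("HIGH", "Winlogon Shell launches " + path + " alongside or instead of explorer.exe"))
    else:
        if e.missing or not e.command:
            return None  # orphan [x] entry: cleanup fodder, not an active threat
        path = image_path(e.command)
        filename = path.rsplit("\\", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        in_profile = re.search(r"\\Users\\", path, re.I) is not None
        in_system = re.match(r"^[A-Za-z]:\\(Windows|Program Files)", path, re.I) is not None
        if ext and ext not in ("exe", "com", "scr"):
            hits.append(("HIGH", "image is a ." + ext + ", not an .exe; a bare DLL/.dat in Run is a loader trick"))
        if e.publisher and "microsoft" in e.publisher.lower() and not in_system:
            hits.append(("HIGH", "version info claims Microsoft but the file is outside Windows/Program Files"))
        if in_profile:
            detail = " and carries no version info at all" if e.publisher == "" else ""
            hits.append(("MEDIUM", "image lives in a user-writable profile path" + detail))
    if not hits:
        return None
    return Finding(max(hits, key=lambda h: SEVERITY_RANK[h[0]])[0], e.name, path, [r for _, r in hits])


def triage(frst_text: str) -> List[Finding]:
    """Run every autostart line of an FRST log through assess() and keep the hits."""
    entries = filter(None, (parse_entry(line) for line in frst_text.splitlines()))
    return [f for f in (assess(e) for e in entries) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print("[%s] %s: %s" % (f.severity, f.name, f.path))
        print("    - " + "\n    - ".join(f.reasons))
```

Run it as a script to print the findings for the built-in sample, or pass the text of a real FRST.txt to triage(). FRST marks some of these entries with "<==== ATTENTION" itself; the script spells out why each one is suspicious and also catches the bare-DLL-under-AppData case (the "ClassesB Update" style entry in the sample) that carries no marker.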

#3 EthaNox

EthaNox
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:05:32 PM

Posted 24 August 2013 - 07:26 AM

Thanks for your help Gringo! I am currently trying to run this log but I ran into some issues. Since I wasn't sure if it was a 32 or a 64, I just tried the 32 version first and got an error. I Googled the model number and it is in fact 64. So as I was reloading the new version onto my flash drive the computer shut down and tried to reboot a few times but it just couldn't (poor thing!). We usually have to wait a few minutes to get it to start again...I'll post the log as soon as I can get it back on.



#4 EthaNox

EthaNox
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:05:32 PM

Posted 24 August 2013 - 07:31 AM

That was faster than I expected... here you go:

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-08-2013 01

Ran by SYSTEM on 24-08-2013 08:28:54

Running from F:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 10

Boot Mode: Recovery

 

The current controlset is ControlSet001

ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [] -  [x]

HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-05-17] (TOSHIBA Corporation)

HKLM\...\Run: [HSON] - C:\Program Files\TOSHIBA\TBS\HSON.exe [296824 2010-09-25] (TOSHIBA Corporation)

HKLM\...\Run: [TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [972672 2011-04-27] (TOSHIBA Corporation)

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11786344 2011-04-21] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg] - C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2207848 2011-04-21] (Realtek Semiconductor)

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2679592 2011-02-03] (Synaptics Incorporated)

HKLM\...\Run: [ThpSrv] - C:\windows\system32\thpsrv /logon [x]

HKLM\...\Run: [Teco] - C:\Program Files\TOSHIBA\TECO\Teco.exe [1544624 2011-05-24] (TOSHIBA Corporation)

HKLM\...\Run: [TosWaitSrv] - C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-07-01] (TOSHIBA Corporation)

HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-06-09] (TOSHIBA Corporation)

HKLM\...\Run: [TosVolRegulator] - C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)

HKLM\...\Run: [TosNC] - C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [597936 2011-07-27] (TOSHIBA Corporation)

HKLM\...\Run: [TosReelTimeMonitor] - C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38824 2011-06-28] (TOSHIBA Corporation)

HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [343168 2011-11-11] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [SVPWUTIL] - C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe [532480 2011-03-10] (TOSHIBA CORPORATION)

HKLM-x32\...\Run: [HWSetup] - C:\Program Files\TOSHIBA\Utilities\HWSetup.exe [423936 2011-03-10] (TOSHIBA Electronics, Inc.)

HKLM-x32\...\Run: [KeNotify] - C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe [34160 2010-08-16] (TOSHIBA CORPORATION)

HKLM-x32\...\Run: [TSleepSrv] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe [252792 2010-06-04] (TOSHIBA)

HKLM-x32\...\Run: [ToshibaServiceStation] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1298816 2011-07-11] (TOSHIBA Corporation)

HKLM-x32\...\Run: [NortonOnlineBackupReminder] - C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe [3218864 2011-06-22] (Toshiba)

HKLM-x32\...\Run: [ToshibaAppPlace] - C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)

HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [SDTray] - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)

HKU\Gary\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-01-24] (Google Inc.)

HKU\Gary\...\Run: [NCsoft] -  [x]

HKU\Gary\...\Run: [Pando Media Booster] - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [3093624 2012-12-22] ()

HKU\Gary\...\Run: [Skyrim] - C:\Users\Gary\AppData\Local\Microsoft Games\Skyrim\adalmcgo.dll [453632 2013-08-17] (Microsoft Corporation) <===== ATTENTION

HKU\Gary\...\Run: [ClassesB Update] - C:\Users\Gary\AppData\Local\ClassesB\idqbe32.dll [536576 2013-08-17] ()

HKU\Gary\...\Run: [Internet Security] - C:\Users\Gary\AppData\Roaming\msprotection.exe [845824 2013-08-18] (Peter Pawlowski)

HKU\Gary\...\Winlogon: [Shell] explorer.exe,C:\Users\Gary\AppData\Roaming\skype.dat [144896 2011-11-16] (MicroDigits Software Group) <==== ATTENTION

BootExecute: autocheck autochk * sdnclean64.exe

 

==================== Services (Whitelisted) =================

 

S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe [138272 2012-06-15] (Symantec Corporation)

S2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\PC Checkup\SymcPCCULaunchSvc.exe [132056 2012-11-15] (Symantec Corporation)

S2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [126392 2011-07-19] (Symantec Corporation)

S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)

S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)

S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)

S2 Web Assistant Updater; C:\Program Files\Web Assistant\ExtensionUpdaterService.exe [185856 2012-06-06] ()

 

==================== Drivers (Whitelisted) ====================

 

S3 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20130702.001\BHDrvx64.sys [1393240 2013-07-01] (Symantec Corporation)

S3 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20130702.001\BHDrvx64.sys [1393240 2013-07-01] (Symantec Corporation)

S3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1309010.00E\ccSetx64.sys [167072 2012-06-06] (Symantec Corporation)

S3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2013-01-19] (Symantec Corporation)

S3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2013-01-19] (Symantec Corporation)

S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2013-01-19] (Symantec Corporation)

S3 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20130702.001\IDSvia64.sys [513184 2013-06-29] (Symantec Corporation)

S3 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20130702.001\IDSvia64.sys [513184 2013-06-29] (Symantec Corporation)

S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20130702.016\ENG64.SYS [126040 2013-07-02] (Symantec Corporation)

S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20130702.016\ENG64.SYS [126040 2013-07-02] (Symantec Corporation)

S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20130702.016\EX64.SYS [2098776 2013-07-02] (Symantec Corporation)

S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20130702.016\EX64.SYS [2098776 2013-07-02] (Symantec Corporation)

S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1309010.00E\SRTSP64.SYS [737952 2012-07-05] (Symantec Corporation)

S3 SRTSPX; C:\Windows\system32\drivers\NISx64\1309010.00E\SRTSPX64.SYS [37536 2012-07-05] (Symantec Corporation)

S3 SymDS; C:\Windows\system32\drivers\NISx64\1309010.00E\SYMDS64.SYS [451192 2011-07-25] (Symantec Corporation)

S3 SymEFA; C:\Windows\system32\drivers\NISx64\1309010.00E\SYMEFA64.SYS [1129120 2012-05-21] (Symantec Corporation)

S3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-04-01] (Symantec Corporation)

S3 SymIRON; C:\Windows\system32\drivers\NISx64\1309010.00E\Ironx64.SYS [190072 2012-04-17] (Symantec Corporation)

S3 SymNetS; C:\Windows\System32\Drivers\NISx64\1309010.00E\SYMNETS.SYS [405624 2012-04-17] (Symantec Corporation)

S3 Tosrfcom; No ImagePath

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2013-08-19 15:02 - 2013-08-19 15:06 - 00000004 _____ C:\Users\Gary\AppData\Roaming\skype.ini

2013-08-18 16:24 - 2013-08-19 15:02 - 00000224 _____ C:\Windows\setupact.log

2013-08-18 16:24 - 2013-08-18 16:24 - 00000000 _____ C:\Windows\setuperr.log

2013-08-18 16:23 - 2013-08-18 16:23 - 00845824 _____ (Peter Pawlowski) C:\Users\Gary\AppData\Roaming\msprotection.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00845824 _____ (Peter Pawlowski) C:\Users\Gary\AppData\Roaming\8EA7.tmp

2013-08-18 16:23 - 2013-08-18 16:23 - 00208896 _____ C:\Users\Gary\alg.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00144896 _____ (MicroDigits Software Group) C:\Users\Gary\mstsc.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00144896 _____ (MicroDigits Software Group) C:\Users\Gary\msconfig.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00000000 _____ C:\Users\Gary\spoolsv.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00000000 _____ C:\Users\Gary\iexplore.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00000000 _____ C:\Users\Gary\firefox.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00000000 _____ C:\Users\Gary\csrss.exe

2013-08-18 16:22 - 2013-08-18 16:23 - 00865280 _____ (Peter Pawlowski) C:\Users\Gary\icq.exe

2013-08-18 16:18 - 2013-08-18 16:18 - 00091034 _____ C:\Users\Gary\Documents\registrybackupaug2013.reg

2013-08-18 13:38 - 2013-08-18 13:38 - 00208896 _____ C:\Users\Gary\vlcplayer.exe

2013-08-18 13:38 - 2013-08-18 13:38 - 00144896 _____ (MicroDigits Software Group) C:\Users\Gary\teamviewer.exe

2013-08-18 13:38 - 2013-08-18 13:38 - 00000000 _____ C:\Users\Gary\opera.exe

2013-08-18 13:38 - 2013-08-18 13:38 - 00000000 _____ C:\Users\Gary\java.exe

2013-08-18 13:31 - 2013-08-18 13:31 - 00002770 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC

2013-08-18 13:31 - 2013-08-18 13:31 - 00000833 _____ C:\Users\Public\Desktop\CCleaner.lnk

2013-08-18 13:31 - 2013-08-18 13:31 - 00000000 ____D C:\Program Files\CCleaner

2013-08-18 13:30 - 2013-08-18 13:30 - 04429440 _____ (Piriform Ltd) C:\Users\Gary\Downloads\ccsetup404.exe

2013-08-18 12:09 - 2013-08-18 16:52 - 00005052 _____ C:\Users\Gary\Desktop\Rkill.txt

2013-08-18 12:09 - 2013-08-18 12:09 - 00000000 ____D C:\Users\Gary\Desktop\rkill

2013-08-18 12:08 - 2013-08-18 12:08 - 00000624 _____ C:\Users\Gary\Desktop\iExplore - Shortcut.lnk

2013-08-18 12:06 - 2013-08-18 12:02 - 02748256 _____ (Kaspersky Lab ZAO) C:\Users\Gary\Desktop\tdsskiller.exe

2013-08-18 11:18 - 2013-08-18 11:18 - 00000000 ____H C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2013-08-18 10:04 - 2013-08-18 10:04 - 00000000 ____D C:\Users\Gary\AppData\Roaming\Malwarebytes

2013-08-18 09:19 - 2013-08-18 11:18 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy

2013-08-18 09:14 - 2013-08-18 09:14 - 00001120 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-08-18 09:14 - 2013-08-18 09:14 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-08-18 09:13 - 2013-08-18 13:45 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2

2013-08-18 09:13 - 2013-08-18 09:14 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-08-18 09:13 - 2013-08-18 09:13 - 00001390 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk

2013-08-18 09:13 - 2013-08-18 09:13 - 00000656 _____ C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job

2013-08-18 09:13 - 2013-08-18 09:13 - 00000628 _____ C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job

2013-08-18 09:13 - 2013-08-18 09:13 - 00000458 _____ C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job

2013-08-18 09:13 - 2013-04-04 10:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-08-18 09:13 - 2009-01-25 09:14 - 00017272 _____ (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe

2013-08-18 09:12 - 2013-08-18 09:06 - 37672592 _____ (Safer-Networking Ltd.                                       ) C:\Users\Gary\Desktop\spybotsd-2.1.21-SR2.exe

2013-08-18 09:12 - 2013-08-18 09:03 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Gary\Desktop\mbam-setup-1.75.0.1300.exe

2013-08-18 05:42 - 2013-08-18 16:23 - 00000776 _____ C:\Users\Gary\Desktop\Internet Security 2013.lnk

2013-08-18 05:42 - 2013-08-18 05:42 - 00135168 _____ (MicroDigits Software Group) C:\Users\Gary\notepad.exe

2013-08-18 05:42 - 2013-08-18 05:42 - 00135168 _____ (MicroDigits Software Group) C:\Users\Gary\jqs.exe

2013-08-16 18:36 - 2013-08-16 18:36 - 00000000 ____D C:\Windows\System32\MRT

2013-08-16 17:51 - 2013-07-25 01:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL

2013-08-16 17:51 - 2013-07-25 00:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL

2013-08-16 17:51 - 2013-07-18 17:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll

2013-08-16 17:51 - 2013-07-18 17:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll

2013-08-16 17:51 - 2013-07-08 21:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll

2013-08-16 17:51 - 2013-07-08 20:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll

2013-08-16 17:50 - 2013-06-14 20:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys

2013-08-16 17:50 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll

2013-08-16 17:50 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll

2013-08-16 17:36 - 2013-07-25 21:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-08-16 17:36 - 2013-07-25 21:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-08-16 17:36 - 2013-07-25 21:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-08-16 17:36 - 2013-07-25 21:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-08-16 17:36 - 2013-07-25 21:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-08-16 17:36 - 2013-07-25 21:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-08-16 17:36 - 2013-07-25 21:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-08-16 17:36 - 2013-07-25 21:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-08-16 17:36 - 2013-07-25 21:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-08-16 17:36 - 2013-07-25 21:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-08-16 17:36 - 2013-07-25 21:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-08-16 17:36 - 2013-07-25 21:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-08-16 17:36 - 2013-07-25 21:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-08-16 17:36 - 2013-07-25 21:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-08-16 17:36 - 2013-07-25 19:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-08-16 17:36 - 2013-07-25 19:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-08-16 17:36 - 2013-07-25 19:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-08-16 17:36 - 2013-07-25 19:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-08-16 17:36 - 2013-07-25 19:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-08-16 17:36 - 2013-07-25 19:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-08-16 17:36 - 2013-07-25 19:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-08-16 17:36 - 2013-07-25 19:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-08-16 17:36 - 2013-07-25 19:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-08-16 17:36 - 2013-07-25 19:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll

2013-08-16 17:36 - 2013-07-25 19:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2013-08-16 17:36 - 2013-07-25 19:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-08-16 17:36 - 2013-07-25 19:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-08-16 17:36 - 2013-07-25 19:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2013-08-16 17:36 - 2013-07-25 18:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-08-16 17:36 - 2013-07-25 18:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-08-16 17:36 - 2013-07-25 17:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

2013-08-16 17:29 - 2013-07-05 22:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2013-08-16 17:29 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-08-16 17:29 - 2013-04-25 21:51 - 00751104 _____ (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2013-08-16 17:29 - 2013-04-25 20:55 - 00492544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2013-08-16 17:27 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll

2013-08-16 17:27 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2013-08-15 15:11 - 2013-04-09 22:01 - 00983400 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-08-15 15:11 - 2013-04-09 22:01 - 00265064 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-08-15 15:11 - 2013-03-18 21:53 - 00230400 _____ (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-08-15 15:11 - 2013-03-18 21:53 - 00048640 _____ (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-08-15 15:11 - 2011-02-03 03:25 - 00144384 _____ (Microsoft Corporation) C:\Windows\System32\cdd.dll

2013-08-15 15:10 - 2013-07-08 21:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll

2013-08-15 15:10 - 2013-07-08 21:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2013-08-15 15:10 - 2013-07-08 21:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2013-08-15 15:10 - 2013-07-08 21:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2013-08-15 15:10 - 2013-07-08 20:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll

2013-08-15 15:10 - 2013-07-08 20:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2013-08-15 15:10 - 2013-07-08 20:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll

2013-08-15 15:10 - 2013-07-08 20:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

2013-08-10 02:52 - 2013-08-11 04:04 - 00000000 ____D C:\ProgramData\Foresight Software

2013-08-10 02:52 - 2013-08-10 02:52 - 00000000 ____D C:\Users\Gary\AppData\Roaming\Foresight Software

2013-08-10 02:52 - 2013-08-10 02:52 - 00000000 ____D C:\Users\Gary\AppData\Roaming\DriverCure

2013-08-07 15:11 - 2013-08-18 02:47 - 00000000 ____D C:\Users\Gary\AppData\Local\ClassesB

2013-07-27 04:47 - 2013-07-27 04:47 - 00000000 ____D C:\Users\Gary\Documents\Symantec

 

==================== One Month Modified Files and Folders =======

 

2013-08-19 15:06 - 2013-08-19 15:02 - 00000004 _____ C:\Users\Gary\AppData\Roaming\skype.ini

2013-08-19 15:02 - 2013-08-18 16:24 - 00000224 _____ C:\Windows\setupact.log

2013-08-19 15:02 - 2012-01-24 02:26 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-08-19 15:02 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2013-08-18 16:52 - 2013-08-18 12:09 - 00005052 _____ C:\Users\Gary\Desktop\Rkill.txt

2013-08-18 16:52 - 2009-07-13 21:13 - 00740594 _____ C:\Windows\System32\PerfStringBackup.INI

2013-08-18 16:46 - 2009-07-13 21:08 - 00032598 _____ C:\Windows\Tasks\SCHEDLGU.TXT

2013-08-18 16:24 - 2013-08-18 16:24 - 00000000 _____ C:\Windows\setuperr.log

2013-08-18 16:23 - 2013-08-18 16:23 - 00845824 _____ (Peter Pawlowski) C:\Users\Gary\AppData\Roaming\msprotection.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00845824 _____ (Peter Pawlowski) C:\Users\Gary\AppData\Roaming\8EA7.tmp

2013-08-18 16:23 - 2013-08-18 16:23 - 00208896 _____ C:\Users\Gary\alg.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00144896 _____ (MicroDigits Software Group) C:\Users\Gary\mstsc.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00144896 _____ (MicroDigits Software Group) C:\Users\Gary\msconfig.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00000000 _____ C:\Users\Gary\spoolsv.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00000000 _____ C:\Users\Gary\iexplore.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00000000 _____ C:\Users\Gary\firefox.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00000000 _____ C:\Users\Gary\csrss.exe

2013-08-18 16:23 - 2013-08-18 16:22 - 00865280 _____ (Peter Pawlowski) C:\Users\Gary\icq.exe

2013-08-18 16:23 - 2013-08-18 05:42 - 00000776 _____ C:\Users\Gary\Desktop\Internet Security 2013.lnk

2013-08-18 16:23 - 2012-03-31 23:13 - 00000000 ____D C:\users\Gary

2013-08-18 16:23 - 2012-01-24 01:40 - 01715307 _____ C:\Windows\WindowsUpdate.log

2013-08-18 16:23 - 2009-07-13 20:45 - 00025120 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-08-18 16:23 - 2009-07-13 20:45 - 00025120 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-08-18 16:22 - 2012-12-22 01:47 - 00000000 ____D C:\Users\Gary\AppData\Local\PMB Files

2013-08-18 16:18 - 2013-08-18 16:18 - 00091034 _____ C:\Users\Gary\Documents\registrybackupaug2013.reg

2013-08-18 16:14 - 2012-07-08 15:52 - 00000000 ____D C:\Program Files\Web Assistant

2013-08-18 13:45 - 2013-08-18 09:13 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2

2013-08-18 13:38 - 2013-08-18 13:38 - 00208896 _____ C:\Users\Gary\vlcplayer.exe

2013-08-18 13:38 - 2013-08-18 13:38 - 00144896 _____ (MicroDigits Software Group) C:\Users\Gary\teamviewer.exe

2013-08-18 13:38 - 2013-08-18 13:38 - 00000000 _____ C:\Users\Gary\opera.exe

2013-08-18 13:38 - 2013-08-18 13:38 - 00000000 _____ C:\Users\Gary\java.exe

2013-08-18 13:37 - 2012-04-01 08:47 - 00000000 ____D C:\Program Files (x86)\Steam

2013-08-18 13:36 - 2012-04-01 11:36 - 00000000 ____D C:\Users\Gary\AppData\Local\CrashDumps

2013-08-18 13:36 - 2011-11-23 13:52 - 00000000 ____D C:\Windows\Panther

2013-08-18 13:31 - 2013-08-18 13:31 - 00002770 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC

2013-08-18 13:31 - 2013-08-18 13:31 - 00000833 _____ C:\Users\Public\Desktop\CCleaner.lnk

2013-08-18 13:31 - 2013-08-18 13:31 - 00000000 ____D C:\Program Files\CCleaner

2013-08-18 13:30 - 2013-08-18 13:30 - 04429440 _____ (Piriform Ltd) C:\Users\Gary\Downloads\ccsetup404.exe

2013-08-18 12:09 - 2013-08-18 12:09 - 00000000 ____D C:\Users\Gary\Desktop\rkill

2013-08-18 12:08 - 2013-08-18 12:08 - 00000624 _____ C:\Users\Gary\Desktop\iExplore - Shortcut.lnk

2013-08-18 12:02 - 2013-08-18 12:06 - 02748256 _____ (Kaspersky Lab ZAO) C:\Users\Gary\Desktop\tdsskiller.exe

2013-08-18 11:18 - 2013-08-18 11:18 - 00000000 ____H C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2013-08-18 11:18 - 2013-08-18 09:19 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy

2013-08-18 10:04 - 2013-08-18 10:04 - 00000000 ____D C:\Users\Gary\AppData\Roaming\Malwarebytes

2013-08-18 09:14 - 2013-08-18 09:14 - 00001120 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-08-18 09:14 - 2013-08-18 09:14 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-08-18 09:14 - 2013-08-18 09:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-08-18 09:13 - 2013-08-18 09:13 - 00001390 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk

2013-08-18 09:13 - 2013-08-18 09:13 - 00000656 _____ C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job

2013-08-18 09:13 - 2013-08-18 09:13 - 00000628 _____ C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job

2013-08-18 09:13 - 2013-08-18 09:13 - 00000458 _____ C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job

2013-08-18 09:06 - 2013-08-18 09:12 - 37672592 _____ (Safer-Networking Ltd.                                       ) C:\Users\Gary\Desktop\spybotsd-2.1.21-SR2.exe

2013-08-18 09:03 - 2013-08-18 09:12 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Gary\Desktop\mbam-setup-1.75.0.1300.exe

2013-08-18 06:01 - 2012-08-28 10:17 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-08-18 05:42 - 2013-08-18 05:42 - 00135168 _____ (MicroDigits Software Group) C:\Users\Gary\notepad.exe

2013-08-18 05:42 - 2013-08-18 05:42 - 00135168 _____ (MicroDigits Software Group) C:\Users\Gary\jqs.exe

2013-08-18 05:41 - 2012-11-27 17:22 - 00000000 ____D C:\Program Files (x86)\PC Checkup

2013-08-18 05:07 - 2012-01-24 02:26 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-08-18 02:47 - 2013-08-07 15:11 - 00000000 ____D C:\Users\Gary\AppData\Local\ClassesB

2013-08-17 21:33 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-08-17 07:18 - 2012-04-01 09:11 - 00000000 ____D C:\Program Files (x86)\Origin

2013-08-17 02:49 - 2012-07-18 17:25 - 00000000 ____D C:\Users\Gary\AppData\Local\Microsoft Games

2013-08-16 22:39 - 2009-07-13 20:45 - 00276744 _____ C:\Windows\System32\FNTCACHE.DAT

2013-08-16 22:37 - 2010-11-20 23:17 - 00000000 ____D C:\Program Files\Windows Journal

2013-08-16 22:37 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender

2013-08-16 22:37 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender

2013-08-16 20:56 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-08-16 18:36 - 2013-08-16 18:36 - 00000000 ____D C:\Windows\System32\MRT

2013-08-14 09:58 - 2012-04-01 09:13 - 00000000 ____D C:\Users\Gary\AppData\Local\Origin

2013-08-14 09:58 - 2012-04-01 09:11 - 00000000 ____D C:\Users\Gary\AppData\Roaming\Origin

2013-08-14 08:47 - 2012-08-29 13:26 - 00000000 ____D C:\Program Files (x86)\RIFT

2013-08-14 03:06 - 2013-01-03 09:55 - 00000000 ____D C:\Users\Gary\AppData\Local\Turbine

2013-08-14 03:02 - 2012-01-24 02:26 - 00003908 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA

2013-08-14 03:02 - 2012-01-24 02:26 - 00003656 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

2013-08-14 02:56 - 2013-02-08 01:26 - 00000000 ____D C:\Windows\System32\Tasks\Norton Internet Security

2013-08-14 02:56 - 2012-01-24 02:24 - 00000000 ____D C:\Windows\System32\Drivers\NISx64

2013-08-14 02:56 - 2011-11-22 23:00 - 00000000 ____D C:\Windows\SysWOW64\Macromed

2013-08-14 02:56 - 2010-11-20 23:16 - 00000000 ____D C:\Windows\ShellNew

2013-08-14 02:56 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-08-14 02:55 - 2013-02-25 05:07 - 00000000 ____D C:\Program Files (x86)\Istaria

2013-08-14 02:55 - 2013-01-03 10:48 - 00000000 ____D C:\Users\Gary\Documents\The Lord of the Rings Online

2013-08-14 02:55 - 2012-12-22 01:47 - 00000000 ____D C:\ProgramData\PMB Files

2013-08-14 02:55 - 2012-08-29 13:26 - 00000000 ____D C:\Users\Gary\AppData\Roaming\RIFT

2013-08-14 02:55 - 2012-04-01 09:13 - 00000000 ____D C:\ProgramData\Origin

2013-08-14 02:55 - 2012-01-24 02:37 - 00000000 ____D C:\ProgramData\WildTangent

2013-08-14 02:55 - 2012-01-24 02:24 - 00000000 ____D C:\ProgramData\Norton

2013-08-14 02:55 - 2012-01-24 02:24 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared

2013-08-14 02:55 - 2012-01-24 02:24 - 00000000 ____D C:\Program Files (x86)\Norton Internet Security

2013-08-14 02:55 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2013-08-14 02:54 - 2013-07-09 03:05 - 00000000 ____D C:\Users\Gary\AppData\Roaming\WildTangent

2013-08-14 02:32 - 2012-01-24 02:37 - 00000000 ____D C:\Program Files (x86)\WildTangent Games

2013-08-11 04:04 - 2013-08-10 02:52 - 00000000 ____D C:\ProgramData\Foresight Software

2013-08-10 02:52 - 2013-08-10 02:52 - 00000000 ____D C:\Users\Gary\AppData\Roaming\Foresight Software

2013-08-10 02:52 - 2013-08-10 02:52 - 00000000 ____D C:\Users\Gary\AppData\Roaming\DriverCure

2013-08-06 14:24 - 2012-07-01 07:12 - 00000000 ____D C:\Users\Gary\AppData\Local\Adobe

2013-08-05 12:14 - 2012-04-01 11:23 - 78161360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-07-27 04:47 - 2013-07-27 04:47 - 00000000 ____D C:\Users\Gary\Documents\Symantec

2013-07-25 21:13 - 2013-08-16 17:36 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-07-25 21:13 - 2013-08-16 17:36 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-07-25 21:13 - 2013-08-16 17:36 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-07-25 21:12 - 2013-08-16 17:36 - 19239424 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-07-25 21:12 - 2013-08-16 17:36 - 15405056 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-07-25 21:12 - 2013-08-16 17:36 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-07-25 21:12 - 2013-08-16 17:36 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-07-25 21:12 - 2013-08-16 17:36 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-07-25 21:12 - 2013-08-16 17:36 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-07-25 21:12 - 2013-08-16 17:36 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-07-25 21:12 - 2013-08-16 17:36 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-07-25 21:12 - 2013-08-16 17:36 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-07-25 21:12 - 2013-08-16 17:36 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-07-25 21:12 - 2013-08-16 17:36 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-07-25 19:35 - 2013-08-16 17:36 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-07-25 19:13 - 2013-08-16 17:36 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-07-25 19:13 - 2013-08-16 17:36 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-07-25 19:12 - 2013-08-16 17:36 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-07-25 19:12 - 2013-08-16 17:36 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-07-25 19:12 - 2013-08-16 17:36 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-07-25 19:12 - 2013-08-16 17:36 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-07-25 19:12 - 2013-08-16 17:36 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-07-25 19:12 - 2013-08-16 17:36 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-07-25 19:12 - 2013-08-16 17:36 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll

2013-07-25 19:12 - 2013-08-16 17:36 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2013-07-25 19:12 - 2013-08-16 17:36 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-07-25 19:11 - 2013-08-16 17:36 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-07-25 19:11 - 2013-08-16 17:36 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2013-07-25 18:49 - 2013-08-16 17:36 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-07-25 18:39 - 2013-08-16 17:36 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-07-25 17:59 - 2013-08-16 17:36 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

2013-07-25 01:25 - 2013-08-16 17:51 - 01888768 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL

2013-07-25 00:57 - 2013-08-16 17:51 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL

 

Files to move or delete:

====================

C:\Users\Gary\AppData\Local\Microsoft Games\Skyrim\adalmcgo.dll

C:\Users\Gary\alg.exe

C:\Users\Gary\csrss.exe

C:\Users\Gary\firefox.exe

C:\Users\Gary\icq.exe

C:\Users\Gary\iexplore.exe

C:\Users\Gary\java.exe

C:\Users\Gary\jqs.exe

C:\Users\Gary\msconfig.exe

C:\Users\Gary\mstsc.exe

C:\Users\Gary\notepad.exe

C:\Users\Gary\opera.exe

C:\Users\Gary\spoolsv.exe

C:\Users\Gary\teamviewer.exe

C:\Users\Gary\vlcplayer.exe

C:\Users\Gary\AppData\Roaming\skype.dat

C:\Users\Gary\AppData\Roaming\skype.ini

 

==================== Known DLLs (Whitelisted) ================

 

 

==================== Bamital & volsnap Check =================

 

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

 

==================== EXE ASSOCIATION =====================

 

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

 

==================== Restore Points  =========================

 

Restore point made on: 2013-08-15 15:47:14

Restore point made on: 2013-08-16 17:20:18

Restore point made on: 2013-08-16 18:35:02

Restore point made on: 2013-08-16 23:13:52

 

==================== Memory info ===========================

 

Percentage of memory in use: 11%

Total physical RAM: 5608.67 MB

Available physical RAM: 4976.39 MB

Total Pagefile: 5606.87 MB

Available Pagefile: 4956.56 MB

Total Virtual: 8192 MB

Available Virtual: 8191.85 MB

 

==================== Drives ================================

 

Drive c: (TI106327W0C) (Fixed) (Total:580.1 GB) (Free:316.46 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.24 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Drive f: (KINGSTON) (Removable) (Total:1.87 GB) (Free:1.79 GB) FAT

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 596 GB) (Disk ID: 3951853D)

Partition 1: (Active) - (Size=1 GB) - (Type=27)

Partition 2: (Not Active) - (Size=580 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=15 GB) - (Type=17)

 

========================================================

Disk: 1 (Size: 2 GB) (Disk ID: 7C2EDFF4)

Partition 1: (Active) - (Size=2 GB) - (Type=06)

 

 

LastRegBack: 2013-08-17 21:25

 

==================== End Of Log ============================



#5 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 24 August 2013 - 10:36 AM



Hello EthaNox



Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt.

 
HKU\Gary\...\Run: [Skyrim] - C:\Users\Gary\AppData\Local\Microsoft Games\Skyrim\adalmcgo.dll [453632 2013-08-17] (Microsoft Corporation) <===== ATTENTION
HKU\Gary\...\Run: [ClassesB Update] - C:\Users\Gary\AppData\Local\ClassesB\idqbe32.dll [536576 2013-08-17] ()
HKU\Gary\...\Run: [Internet Security] - C:\Users\Gary\AppData\Roaming\msprotection.exe [845824 2013-08-18] (Peter Pawlowski)
HKU\Gary\...\Winlogon: [Shell] explorer.exe,C:\Users\Gary\AppData\Roaming\skype.dat [144896 2011-11-16] (MicroDigits Software Group) <==== ATTENTION
2013-08-18 16:23 - 2013-08-18 16:23 - 00845824 _____ (Peter Pawlowski) C:\Users\Gary\AppData\Roaming\msprotection.exe
2013-08-18 16:23 - 2013-08-18 16:23 - 00845824 _____ (Peter Pawlowski) C:\Users\Gary\AppData\Roaming\8EA7.tmp
2013-08-18 05:42 - 2013-08-18 16:23 - 00000776 _____ C:\Users\Gary\Desktop\Internet Security 2013.lnk
2013-08-10 02:52 - 2013-08-11 04:04 - 00000000 ____D C:\ProgramData\Foresight Software
2013-08-10 02:52 - 2013-08-10 02:52 - 00000000 ____D C:\Users\Gary\AppData\Roaming\Foresight Software
2013-08-10 02:52 - 2013-08-10 02:52 - 00000000 ____D C:\Users\Gary\AppData\Roaming\DriverCure
2013-08-07 15:11 - 2013-08-18 02:47 - 00000000 ____D C:\Users\Gary\AppData\Local\ClassesB
C:\Users\Gary\AppData\Local\Microsoft Games\Skyrim\adalmcgo.dll
C:\Users\Gary\alg.exe
C:\Users\Gary\csrss.exe
C:\Users\Gary\firefox.exe
C:\Users\Gary\icq.exe
C:\Users\Gary\iexplore.exe
C:\Users\Gary\java.exe
C:\Users\Gary\jqs.exe
C:\Users\Gary\msconfig.exe
C:\Users\Gary\mstsc.exe
C:\Users\Gary\notepad.exe
C:\Users\Gary\opera.exe
C:\Users\Gary\spoolsv.exe
C:\Users\Gary\teamviewer.exe
C:\Users\Gary\vlcplayer.exe
C:\Users\Gary\AppData\Roaming\skype.dat
C:\Users\Gary\AppData\Roaming\skype.ini
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before, but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
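The fixlist above removes a Winlogon Shell value that carries a second component after explorer.exe (skype.dat), Run entries that load a DLL from the user profile, and a set of executables sitting directly in C:\Users\Gary\ under the names of Windows system files and everyday programs. As an added example (my code, not FRST's or the forum's), here is a small Python checker that applies those same heuristics to FRST-style log lines; the sample lines are constructed after the ones quoted in this thread, and the rule names are my own.

```python
r"""Heuristic checks over FRST-style log lines for the patterns seen in this
thread: a Winlogon Shell value that is not plain explorer.exe, Run entries
that load a non-executable (DLL/DAT) file, binaries named after Windows
system files living outside the Windows directory, and executables dropped
directly in a user's profile root (C:\Users\<name>\foo.exe).

Added example, not FRST's or the forum's code; rule names are my own."""
import re
from collections import Counter
from typing import Dict, List

# Windows binaries that legitimately live only under the Windows directory;
# the same file name elsewhere (e.g. C:\Users\Gary\csrss.exe) is a look-alike.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "spoolsv.exe", "alg.exe", "svchost.exe", "winlogon.exe",
    "wininit.exe", "services.exe", "lsass.exe", "explorer.exe",
    "notepad.exe", "msconfig.exe", "mstsc.exe", "userinit.exe",
}

# First drive-letter path on the line, ending at a short extension that is
# followed by whitespace, a comma or the end of the line (FRST appends
# " [size date] (publisher)" after the path).
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})(?=\s|,|$)")
# The Winlogon Shell value as FRST prints it: "...\Winlogon: [Shell] <value> [..."
SHELL_RE = re.compile(r"\\Winlogon: \[Shell\] (?P<value>.+?)(?=\s+\[|\s*$)")
# A Run-key autostart entry: "...\Run: [<name>] - <path> [..."
RUN_RE = re.compile(r"\\Run: \[[^\]]*\] - ")


def analyse_line(line: str) -> List[Dict[str, str]]:
    """Return one finding per rule the line trips (empty list if clean)."""
    findings: List[Dict[str, str]] = []

    shell = SHELL_RE.search(line)
    if shell and shell.group("value").strip().lower() != "explorer.exe":
        # Anything appended after explorer.exe is started at every logon;
        # this is how the skype.dat payload in the thread was launched.
        findings.append({"rule": "winlogon-shell-hijack",
                         "detail": shell.group("value"), "line": line})

    m = PATH_RE.search(line)
    if not m:
        return findings
    path = m.group("path")
    parts = path.split("\\")
    name = parts[-1].lower()
    ext = name.rsplit(".", 1)[-1]
    parent_dirs = [p.lower() for p in parts[:-1]]

    if RUN_RE.search(line) and ext != "exe":
        # A Run value normally launches an .exe; a bare DLL path here means
        # something else (rundll32, a loader) is doing the loading.
        findings.append({"rule": "run-key-non-exe-target", "detail": path, "line": line})

    if name in SYSTEM_BINARY_NAMES and "windows" not in parent_dirs:
        findings.append({"rule": "system-name-outside-windows", "detail": path, "line": line})

    if len(parts) == 4 and parts[1].lower() == "users" and ext in {"exe", "dll", "scr"}:
        # C:\Users\<name>\<file>: installers do not put binaries here.
        findings.append({"rule": "executable-in-profile-root", "detail": path, "line": line})

    return findings


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run analyse_line over every non-empty line."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        if line.strip():
            findings.extend(analyse_line(line.rstrip("\r\n")))
    return findings


def summarise(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule."""
    return dict(Counter(f["rule"] for f in findings))


# Constructed sample: registry and file-listing lines in FRST's format,
# modelled on the ones quoted in the thread plus two benign control lines.
SAMPLE_FRST_LINES = [
    r"HKU\Gary\...\Run: [Skyrim] - C:\Users\Gary\AppData\Local\Microsoft Games\Skyrim\adalmcgo.dll [453632 2013-08-17] (Microsoft Corporation)",
    r"HKU\Gary\...\Run: [Internet Security] - C:\Users\Gary\AppData\Roaming\msprotection.exe [845824 2013-08-18] (Peter Pawlowski)",
    r"HKU\Gary\...\Winlogon: [Shell] explorer.exe,C:\Users\Gary\AppData\Roaming\skype.dat [144896 2011-11-16] (MicroDigits Software Group)",
    r"HKLM\...\Run: [ExampleUpdater] - C:\Program Files (x86)\Example\updater.exe [123456 2013-01-01] (Example Corp)",  # constructed benign
    r"2013-08-18 13:38 - 2013-08-18 13:38 - 00208896 _____ C:\Users\Gary\vlcplayer.exe",
    r"2013-08-18 05:42 - 2013-08-18 05:42 - 00135168 _____ (MicroDigits Software Group) C:\Users\Gary\notepad.exe",
    r"2013-08-18 13:30 - 2013-08-18 13:30 - 04429440 _____ (Piriform Ltd) C:\Users\Gary\Downloads\ccsetup404.exe",
    r"C:\Users\Gary\csrss.exe",
    r"C:\Windows\System32\svchost.exe => MD5 is legit",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FRST_LINES):
        print(f"{f['rule']:28} {f['detail']}")
    print(summarise(scan(SAMPLE_FRST_LINES)))
```

Note that the checker deliberately does not flag msprotection.exe: a Run entry for an .exe under AppData\Roaming is too common in legitimate software to flag on path alone, which is why FRST's output still needs a human reading it.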

#6 EthaNox

  • Topic Starter
  • Members
  • 45 posts

Posted 24 August 2013 - 07:15 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-08-2013 01

Ran by SYSTEM at 2013-08-24 19:54:01 Run:1

Running from F:\

Boot Mode: Recovery

==============================================

 

Content of fixlist:

*****************

HKU\Gary\...\Run: [Skyrim] - C:\Users\Gary\AppData\Local\Microsoft Games\Skyrim\adalmcgo.dll [453632 2013-08-17] (Microsoft Corporation) <===== ATTENTION

HKU\Gary\...\Run: [ClassesB Update] - C:\Users\Gary\AppData\Local\ClassesB\idqbe32.dll [536576 2013-08-17] ()

HKU\Gary\...\Run: [Internet Security] - C:\Users\Gary\AppData\Roaming\msprotection.exe [845824 2013-08-18] (Peter Pawlowski)

HKU\Gary\...\Winlogon: [Shell] explorer.exe,C:\Users\Gary\AppData\Roaming\skype.dat [144896 2011-11-16] (MicroDigits Software Group) <==== ATTENTION

2013-08-18 16:23 - 2013-08-18 16:23 - 00845824 _____ (Peter Pawlowski) C:\Users\Gary\AppData\Roaming\msprotection.exe

2013-08-18 16:23 - 2013-08-18 16:23 - 00845824 _____ (Peter Pawlowski) C:\Users\Gary\AppData\Roaming\8EA7.tmp

2013-08-18 05:42 - 2013-08-18 16:23 - 00000776 _____ C:\Users\Gary\Desktop\Internet Security 2013.lnk

2013-08-10 02:52 - 2013-08-11 04:04 - 00000000 ____D C:\ProgramData\Foresight Software

2013-08-10 02:52 - 2013-08-10 02:52 - 00000000 ____D C:\Users\Gary\AppData\Roaming\Foresight Software

2013-08-10 02:52 - 2013-08-10 02:52 - 00000000 ____D C:\Users\Gary\AppData\Roaming\DriverCure

2013-08-07 15:11 - 2013-08-18 02:47 - 00000000 ____D C:\Users\Gary\AppData\Local\ClassesB

C:\Users\Gary\AppData\Local\Microsoft Games\Skyrim\adalmcgo.dll

C:\Users\Gary\alg.exe

C:\Users\Gary\csrss.exe

C:\Users\Gary\firefox.exe

C:\Users\Gary\icq.exe

C:\Users\Gary\iexplore.exe

C:\Users\Gary\java.exe

C:\Users\Gary\jqs.exe

C:\Users\Gary\msconfig.exe

C:\Users\Gary\mstsc.exe

C:\Users\Gary\notepad.exe

C:\Users\Gary\opera.exe

C:\Users\Gary\spoolsv.exe

C:\Users\Gary\teamviewer.exe

C:\Users\Gary\vlcplayer.exe

C:\Users\Gary\AppData\Roaming\skype.dat

C:\Users\Gary\AppData\Roaming\skype.ini

*****************

 

HKU\Gary\Software\Microsoft\Windows\CurrentVersion\Run\\Skyrim => Value deleted successfully.

HKU\Gary\Software\Microsoft\Windows\CurrentVersion\Run\\ClassesB Update => Value deleted successfully.

HKU\Gary\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security => Value deleted successfully.

HKU\Gary\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

C:\Users\Gary\AppData\Roaming\msprotection.exe => Moved successfully.

C:\Users\Gary\AppData\Roaming\8EA7.tmp => Moved successfully.

C:\Users\Gary\Desktop\Internet Security 2013.lnk => Moved successfully.

C:\ProgramData\Foresight Software => Moved successfully.

C:\Users\Gary\AppData\Roaming\Foresight Software => Moved successfully.

C:\Users\Gary\AppData\Roaming\DriverCure => Moved successfully.

C:\Users\Gary\AppData\Local\ClassesB => Moved successfully.

C:\Users\Gary\AppData\Local\Microsoft Games\Skyrim\adalmcgo.dll => Moved successfully.

C:\Users\Gary\alg.exe => Moved successfully.

C:\Users\Gary\csrss.exe => Moved successfully.

C:\Users\Gary\firefox.exe => Moved successfully.

C:\Users\Gary\icq.exe => Moved successfully.

C:\Users\Gary\iexplore.exe => Moved successfully.

C:\Users\Gary\java.exe => Moved successfully.

C:\Users\Gary\jqs.exe => Moved successfully.

C:\Users\Gary\msconfig.exe => Moved successfully.

C:\Users\Gary\mstsc.exe => Moved successfully.

C:\Users\Gary\notepad.exe => Moved successfully.

C:\Users\Gary\opera.exe => Moved successfully.

C:\Users\Gary\spoolsv.exe => Moved successfully.

C:\Users\Gary\teamviewer.exe => Moved successfully.

C:\Users\Gary\vlcplayer.exe => Moved successfully.

C:\Users\Gary\AppData\Roaming\skype.dat => Moved successfully.

C:\Users\Gary\AppData\Roaming\skype.ini => Moved successfully.

 

==== End of Fixlog ====

 

 

It ran very sluggishly to start, but it seemed to be gone at first. Nothing popped up or anything, but I just let it sit on for a while and it just shut down completely without me prompting it to do so or anything. (By the way, are you able to tell what specifically could have downloaded the virus? My husband and I suspect it was when he updated Turbine, but we're not sure....) I know the computer isn't getting overheated or anything because I let it sit on the system restore screen for about 5 hours today and it stayed on completely....it did this in the beginning when he first got it. I let it sit on again for a while and it shut down again and started rebooting over and over.



#7 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 25 August 2013 - 06:14 PM



Hello EthaNox

These are the programs I would like you to run next. If you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete, let me have the two reports and let me know how things are running.

Gringo

#8 EthaNox

  • Topic Starter
  • Members
  • 45 posts

Posted 25 August 2013 - 08:10 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 5.5.4 (08.22.2013:1)

OS: Windows 7 Home Premium x64

Ran by Gary on Sun 08/25/2013 at 20:55:15.23

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

~~~ Services

 

Successfully stopped: [Service] web assistant updater

Successfully deleted: [Service] web assistant updater

 

 

 

~~~ Registry Values

 

 

 

~~~ Registry Keys

 

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\im

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\iminstaller

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\pricegong

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbar

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\toolbar

Successfully deleted: [Registry Key] "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1232524751-3301597424-359512102-1000\Software\web assistant"

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\web assistant

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\conduitinstaller_rasapi32

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\conduitinstaller_rasmancs

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\incredibar_install_rasapi32

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\incredibar_install_rasmancs

 

 

 

~~~ Files

 

 

 

~~~ Folders

 

Successfully deleted: [Folder] "C:\Users\Gary\AppData\Roaming\pccustubinstaller"

Successfully deleted: [Folder] "C:\Users\Gary\appdata\local\cre"

Successfully deleted: [Folder] "C:\Users\Gary\appdata\locallow\conduit"

Successfully deleted: [Folder] "C:\Users\Gary\appdata\locallow\pricegong"

Successfully deleted: [Folder] "C:\Program Files (x86)\conduit"

 

 

 

~~~ Chrome

 

Successfully deleted: [Folder] C:\Users\Gary\appdata\local\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd

 

 

 

~~~ Event Viewer Logs were cleared

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sun 08/25/2013 at 21:02:15.93

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

# AdwCleaner v3.001 - Report created 25/08/2013 at 21:04:01

# Updated 24/08/2013 by Xplode

# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

# Username : Gary - GARY-PC2

# Running from : C:\Users\Gary\Desktop\AdwCleaner.exe

# Option : Clean

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

Folder Deleted : C:\Program Files\Web Assistant

Folder Deleted : C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpimglhojapikoeeifcifanbeinephdm

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{336D0C35-8A85-403A-B9D2-65C292C39087}]

Value Deleted : [x64] HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{336D0C35-8A85-403A-B9D2-65C292C39087}]

Key Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd

Key Deleted : HKCU\Software\Google\Chrome\Extensions\dpimglhojapikoeeifcifanbeinephdm

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dpimglhojapikoeeifcifanbeinephdm

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{336D0C35-8A85-403A-B9D2-65C292C39087}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{336D0C35-8A85-403A-B9D2-65C292C39087}

Key Deleted : [x64] HKLM\SOFTWARE\Web Assistant

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{336D0C35-8A85-403a-B9D2-65C292C39087}_is1

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v10.0.9200.16660

 

 

-\\ Google Chrome v28.0.1500.95

 

[ File : C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\preferences ]

 

 

*************************

 

AdwCleaner[R0].txt - [3028 octets] - [25/08/2013 20:50:59]

AdwCleaner[R1].txt - [1832 octets] - [25/08/2013 21:03:22]

AdwCleaner[S0].txt - [1761 octets] - [25/08/2013 21:04:01]

 

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1821 octets] ##########

 

 

My husband and I are going to give it a go and run some programs and games and see if there is any kind of reaction....thank you for your help! I'll let you know how things go in a bit ^^



#9 EthaNox

  • Topic Starter
  • Members
  • 45 posts

Posted 25 August 2013 - 08:58 PM

Hey Gringo,

 

We've run various programs and have kept the computer on and running....all seems to be fixed! We will have to uninstall and reinstall most of the games, though...seems most of their files were infected and removed. Pretty much expecting that though!

 

Thank you for all your help (:



#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 August 2013 - 08:57 AM


Hello EthaNox

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"
In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#11 EthaNox

  • Topic Starter
  • Members
  • 45 posts

Posted 26 August 2013 - 10:13 AM

The computer seems to be doing better now, since it can start up and run normally without shutting down. I downloaded and ran Combofix, but I couldn't disable or uninstall Norton Internet Security, since it seems to be missing some files and it appears as if it got corrupted, or just plain old broken. This is the log I got from it:

 

ComboFix 13-08-25.01 - Gary 08/26/2013  11:25:02.3.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5609.3918 [GMT -4:00]
Running from: c:\users\Gary\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-26 to 2013-08-26  )))))))))))))))))))))))))))))))
.
.
2013-08-26 15:35 . 2013-08-26 15:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-26 01:01 . 2013-08-26 01:01 17737608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2013-08-26 00:55 . 2013-08-26 00:55 -------- d-----w- c:\windows\ERUNT
2013-08-26 00:50 . 2013-08-26 01:04 -------- d-----w- C:\AdwCleaner
2013-08-24 16:28 . 2013-08-24 16:28 -------- d-----w- C:\FRST
2013-08-18 21:31 . 2013-08-18 21:31 -------- d-----w- c:\program files\CCleaner
2013-08-18 18:04 . 2013-08-18 18:04 -------- d-----w- c:\users\Gary\AppData\Roaming\Malwarebytes
2013-08-18 17:19 . 2013-08-26 15:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-08-18 17:14 . 2013-08-18 17:14 -------- d-----w- c:\programdata\Malwarebytes
2013-08-18 17:13 . 2013-08-18 17:14 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-08-18 17:13 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-18 17:13 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-08-18 17:13 . 2013-08-18 21:45 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-08-17 02:36 . 2013-08-17 02:36 -------- d-----w- c:\windows\system32\MRT
2013-08-17 01:50 . 2013-06-04 06:00 624128 ----a-w- c:\windows\system32\qedit.dll
2013-08-17 01:50 . 2013-06-04 04:53 509440 ----a-w- c:\windows\SysWow64\qedit.dll
2013-08-17 01:50 . 2013-06-15 04:32 39936 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-08-17 01:29 . 2013-04-26 05:51 751104 ----a-w- c:\windows\system32\win32spl.dll
2013-08-17 01:29 . 2013-04-26 04:55 492544 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-08-17 01:29 . 2013-06-05 03:34 3153920 ----a-w- c:\windows\system32\win32k.sys
2013-08-17 01:29 . 2013-04-10 05:48 1732608 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2013-08-17 01:29 . 2013-04-10 05:46 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-08-17 01:29 . 2013-04-10 05:46 1393152 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2013-08-17 01:29 . 2013-04-10 05:46 1367040 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-08-17 01:29 . 2013-04-10 05:03 936448 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-08-17 01:29 . 2013-07-06 06:03 1910208 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-17 01:27 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-08-17 01:27 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-08-15 23:11 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-08-15 23:11 . 2013-04-10 06:01 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-08-15 23:11 . 2011-02-03 11:25 144384 ----a-w- c:\windows\system32\cdd.dll
2013-08-15 23:11 . 2013-03-19 05:53 48640 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-08-15 23:11 . 2013-03-19 05:53 230400 ----a-w- c:\windows\system32\wwansvc.dll
2013-08-15 23:10 . 2013-07-09 05:52 224256 ----a-w- c:\windows\system32\wintrust.dll
2013-08-15 23:10 . 2013-07-09 05:46 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-15 23:10 . 2013-07-09 05:46 1472512 ----a-w- c:\windows\system32\crypt32.dll
2013-08-15 23:10 . 2013-07-09 05:46 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-15 23:10 . 2013-07-09 04:52 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2013-08-15 23:10 . 2013-07-09 04:46 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-08-15 23:10 . 2013-07-09 04:46 1166848 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-08-15 23:10 . 2013-07-09 04:46 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-26 01:01 . 2012-04-15 18:34 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-08-26 01:01 . 2011-11-23 07:00 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-05 20:14 . 2012-04-01 19:23 78161360 ----a-w- c:\windows\system32\MRT.exe
2013-07-02 08:55 . 2011-03-29 02:36 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-11 343168]
"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2011-03-10 532480]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2011-03-10 423936]
"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2010-08-16 34160]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-07-12 1298816]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2011-06-22 3218864]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean64.exe
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20130702.001\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20130702.001\BHDrvx64.sys [x]
R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]
R3 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1309010.00E\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NISx64\1309010.00E\ccSetx64.sys [x]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
R3 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20130702.001\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20130702.001\IDSvia64.sys [x]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
R3 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1309010.00E\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1309010.00E\SYMDS64.SYS [x]
R3 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1309010.00E\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1309010.00E\SYMEFA64.SYS [x]
R3 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1309010.00E\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1309010.00E\Ironx64.SYS [x]
R3 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1309010.00E\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1309010.00E\SYMNETS.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys;c:\windows\SYSNATIVE\DRIVERS\thpdrv.sys [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS;c:\windows\SYSNATIVE\DRIVERS\Thpevm.SYS [x]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys;c:\windows\SYSNATIVE\DRIVERS\tos_sps64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe [x]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files (x86)\PC Checkup\SymcPCCULaunchSvc.exe;c:\program files (x86)\PC Checkup\SymcPCCULaunchSvc.exe [x]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [x]
S2 regi;regi;c:\windows\system32\drivers\regi.sys;c:\windows\SYSNATIVE\drivers\regi.sys [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe;c:\program files\TOSHIBA\TECO\TecoService.exe [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x]
S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys;c:\windows\SYSNATIVE\DRIVERS\amdhub30.sys [x]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys;c:\windows\SYSNATIVE\DRIVERS\amdxhc.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 CeKbFilter;CeKbFilter;c:\windows\system32\DRIVERS\CeKbFilter.sys;c:\windows\SYSNATIVE\DRIVERS\CeKbFilter.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-14 18:00 1173456 ----a-w- c:\program files (x86)\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 01:01]
.
2013-08-18 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2013-08-18 14:58]
.
2013-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-24 10:26]
.
2013-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-24 10:26]
.
2013-08-18 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2013-08-18 14:57]
.
2013-08-18 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2013-08-18 14:58]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-04-21 11786344]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-04-21 2207848]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"Teco"="c:\program files (x86)\TOSHIBA\TECO\Teco.exe" [BU]
"TosWaitSrv"="c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe" [BU]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.g4tv.com/games/pc/index/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.9.1.14\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1232524751-3301597424-359512102-1000\Software\SecuROM\License information*]
"datasecu"=hex:9b,76,5b,73,ce,5e,47,a0,87,8d,19,18,b5,a1,ce,06,43,f8,0d,b9,28,
   95,96,77,04,81,60,21,31,cc,3f,16,96,13,bd,2c,fb,fa,0a,85,97,f9,55,7e,4e,2d,\
"rkeysecu"=hex:e9,b1,fe,1b,e6,97,fd,4b,0e,32,32,db,14,3c,00,ef
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-08-26  11:55:38
ComboFix-quarantined-files.txt  2013-08-26 15:55
ComboFix2.txt  2013-08-26 15:08
.
Pre-Run: 492,307,390,464 bytes free
Post-Run: 492,015,005,696 bytes free
.
- - End Of File - - 1EC42ED8FD97CE64E4980FBEF7B4D749
5B5E648D12FCADC244C1EC30318E1EB9
Thanks for your help so far, Gringo!


Edited by EthaNox, 26 August 2013 - 10:59 AM.


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:32 PM

Posted 26 August 2013 - 11:29 AM


Hello EthaNox

After this scan I would reinstall Norton.

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
CFScriptB-4.gif
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 EthaNox

EthaNox
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:05:32 PM

Posted 26 August 2013 - 11:57 AM

I went to do as instructed, but now the laptop is back to not starting. It shuts down right after it tries to start windows. I'll try and see if I can start it and run the scripts you posted, Gringo. 



#14 EthaNox

EthaNox
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:05:32 PM

Posted 26 August 2013 - 02:39 PM

The laptop started up fine a while ago and I ran the new script. It took a while to complete and the laptop rebooted in the process, but it started up just fine afterwards. Here is the log:

 

ComboFix 13-08-25.01 - Gary 08/26/2013  14:35:33.4.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5609.3772 [GMT -4:00]
Running from: c:\users\Gary\Desktop\ComboFix.exe
Command switches used :: c:\users\Gary\Desktop\CFScript.txt
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected 
Restored copy from - c:\windows\erdnt\cache64\services.exe 
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-26 to 2013-08-26  )))))))))))))))))))))))))))))))
.
.
2013-08-26 19:28 . 2013-08-26 19:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-26 01:01 . 2013-08-26 01:01 17737608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2013-08-26 00:55 . 2013-08-26 00:55 -------- d-----w- c:\windows\ERUNT
2013-08-26 00:50 . 2013-08-26 01:04 -------- d-----w- C:\AdwCleaner
2013-08-24 16:28 . 2013-08-24 16:28 -------- d-----w- C:\FRST
2013-08-18 21:31 . 2013-08-18 21:31 -------- d-----w- c:\program files\CCleaner
2013-08-18 18:04 . 2013-08-18 18:04 -------- d-----w- c:\users\Gary\AppData\Roaming\Malwarebytes
2013-08-18 17:19 . 2013-08-26 15:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-08-18 17:14 . 2013-08-18 17:14 -------- d-----w- c:\programdata\Malwarebytes
2013-08-18 17:13 . 2013-08-18 17:14 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-08-18 17:13 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-18 17:13 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-08-18 17:13 . 2013-08-18 21:45 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-08-17 02:36 . 2013-08-17 02:36 -------- d-----w- c:\windows\system32\MRT
2013-08-17 01:50 . 2013-06-04 06:00 624128 ----a-w- c:\windows\system32\qedit.dll
2013-08-17 01:50 . 2013-06-04 04:53 509440 ----a-w- c:\windows\SysWow64\qedit.dll
2013-08-17 01:50 . 2013-06-15 04:32 39936 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-08-17 01:29 . 2013-04-26 05:51 751104 ----a-w- c:\windows\system32\win32spl.dll
2013-08-17 01:29 . 2013-04-26 04:55 492544 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-08-17 01:29 . 2013-06-05 03:34 3153920 ----a-w- c:\windows\system32\win32k.sys
2013-08-17 01:29 . 2013-04-10 05:48 1732608 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2013-08-17 01:29 . 2013-04-10 05:46 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-08-17 01:29 . 2013-04-10 05:46 1393152 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2013-08-17 01:29 . 2013-04-10 05:46 1367040 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-08-17 01:29 . 2013-04-10 05:03 936448 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-08-17 01:29 . 2013-07-06 06:03 1910208 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-17 01:27 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-08-17 01:27 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-08-15 23:11 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-08-15 23:11 . 2013-04-10 06:01 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-08-15 23:11 . 2011-02-03 11:25 144384 ----a-w- c:\windows\system32\cdd.dll
2013-08-15 23:11 . 2013-03-19 05:53 48640 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-08-15 23:11 . 2013-03-19 05:53 230400 ----a-w- c:\windows\system32\wwansvc.dll
2013-08-15 23:10 . 2013-07-09 05:52 224256 ----a-w- c:\windows\system32\wintrust.dll
2013-08-15 23:10 . 2013-07-09 05:46 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-15 23:10 . 2013-07-09 05:46 1472512 ----a-w- c:\windows\system32\crypt32.dll
2013-08-15 23:10 . 2013-07-09 05:46 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-15 23:10 . 2013-07-09 04:52 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2013-08-15 23:10 . 2013-07-09 04:46 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-08-15 23:10 . 2013-07-09 04:46 1166848 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-08-15 23:10 . 2013-07-09 04:46 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-26 01:01 . 2012-04-15 18:34 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-08-26 01:01 . 2011-11-23 07:00 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-05 20:14 . 2012-04-01 19:23 78161360 ----a-w- c:\windows\system32\MRT.exe
2013-07-02 08:55 . 2011-03-29 02:36 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-11 343168]
"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2011-03-10 532480]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2011-03-10 423936]
"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2010-08-16 34160]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-07-12 1298816]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2011-06-22 3218864]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean64.exe
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20130702.001\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20130702.001\BHDrvx64.sys [x]
R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]
R3 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1309010.00E\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NISx64\1309010.00E\ccSetx64.sys [x]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
R3 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20130702.001\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20130702.001\IDSvia64.sys [x]
R3 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1309010.00E\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1309010.00E\SYMDS64.SYS [x]
R3 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1309010.00E\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1309010.00E\SYMEFA64.SYS [x]
R3 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1309010.00E\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1309010.00E\Ironx64.SYS [x]
R3 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1309010.00E\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1309010.00E\SYMNETS.SYS [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys;c:\windows\SYSNATIVE\DRIVERS\thpdrv.sys [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS;c:\windows\SYSNATIVE\DRIVERS\Thpevm.SYS [x]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys;c:\windows\SYSNATIVE\DRIVERS\tos_sps64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe [x]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files (x86)\PC Checkup\SymcPCCULaunchSvc.exe;c:\program files (x86)\PC Checkup\SymcPCCULaunchSvc.exe [x]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [x]
S2 regi;regi;c:\windows\system32\drivers\regi.sys;c:\windows\SYSNATIVE\drivers\regi.sys [x]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe;c:\program files\TOSHIBA\TECO\TecoService.exe [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x]
S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys;c:\windows\SYSNATIVE\DRIVERS\amdhub30.sys [x]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys;c:\windows\SYSNATIVE\DRIVERS\amdxhc.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 CeKbFilter;CeKbFilter;c:\windows\system32\DRIVERS\CeKbFilter.sys;c:\windows\SYSNATIVE\DRIVERS\CeKbFilter.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-14 18:00 1173456 ----a-w- c:\program files (x86)\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 01:01]
.
2013-08-18 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2013-08-18 14:58]
.
2013-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-24 10:26]
.
2013-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-24 10:26]
.
2013-08-18 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2013-08-18 14:57]
.
2013-08-18 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2013-08-18 14:58]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-04-21 11786344]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-04-21 2207848]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"Teco"="c:\program files (x86)\TOSHIBA\TECO\Teco.exe" [BU]
"TosWaitSrv"="c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe" [BU]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.g4tv.com/games/pc/index/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.9.1.14\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1232524751-3301597424-359512102-1000\Software\SecuROM\License information*]
"datasecu"=hex:9b,76,5b,73,ce,5e,47,a0,87,8d,19,18,b5,a1,ce,06,43,f8,0d,b9,28,
   95,96,77,04,81,60,21,31,cc,3f,16,96,13,bd,2c,fb,fa,0a,85,97,f9,55,7e,4e,2d,\
"rkeysecu"=hex:e9,b1,fe,1b,e6,97,fd,4b,0e,32,32,db,14,3c,00,ef
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
.
**************************************************************************
.
Completion time: 2013-08-26  15:34:04 - machine was rebooted
ComboFix-quarantined-files.txt  2013-08-26 19:34
ComboFix2.txt  2013-08-26 15:56
ComboFix3.txt  2013-08-26 15:08
.
Pre-Run: 580,079,882,240 bytes free
Post-Run: 580,010,127,360 bytes free
.
- - End Of File - - A3AE06C021D1839EFDC1112842416C7F
5B5E648D12FCADC244C1EC30318E1EB9


#15 EthaNox

EthaNox
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:05:32 PM

Posted 26 August 2013 - 07:10 PM

Hey Gringo, after I posted that, the computer shut down and will not start up... it goes into a loop like before; even opening in Safe Mode, it will start to go into the startup process but just shut down. =[





