computer infected with US Courts and Zero Access?


  • This topic is locked
21 replies to this topic

#1 spradillac81


Posted 02 September 2013 - 05:17 PM

Hi there,

I'm working on resolving an issue with a computer I have. Somebody has downloaded some nasty bugs from somewhere, but in short the big one initially was the US COURTS RANSOMWARE that locked the computer screen. After following the instructions in the "Virus Removal" section for the US COURTS VIRUS, it appears to have been removed; however, now there is no access to the internet. So I am not sure if the virus/malware has hijacked the IP protocols or what, but I have another PC on the network that is able to connect, so I'm fairly certain that it is not something to do with my network but something that the malware is blocking. This makes it difficult to run any updates on removal tools. So far, as per the "Virus Removal" area of this page, I've run Rkill and Malwarebytes. Lots of nasty-looking names popped up in the quarantine. All help, very much, and greatly appreciated.

Thanks Team.





#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:54 PM

Posted 03 September 2013 - 05:38 PM

Hello and welcome to Bleeping Computer,

Please run the following:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 spradillac81

spradillac81
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:54 PM

Posted 04 September 2013 - 02:19 PM

Here is the FRST.txt file after the scan with Farbar:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-09-2013 03
Ran by True Value (administrator) on TRUEVALUE-PC on 04-09-2013 12:04:47
Running from C:\Users\True Value\Desktop
Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Safe Mode (minimal)

==================== Processes (Whitelisted) ===================

(Farbar) C:\Users\True Value\Desktop\FRST(1).exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [6183456 2008-07-23] (Realtek Semiconductor)
HKLM\...\Run: [ccApp] - c:\Program Files\Common Files\Symantec Shared\ccApp.exe [51048 2008-10-17] (Symantec Corporation)
HKLM\...\Run: [osCheck] - c:\Program Files\Norton 360\osCheck.exe [988512 2008-02-25] (Symantec Corporation)
HKLM\...\Run: [RemoteControl] - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [71216 2007-03-14] (Cyberlink Corp.)
HKLM\...\Run: [LanguageShortcut] - C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [52256 2007-01-08] ()
HKLM\...\Run: [eRecoveryService] -  [x]
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Skytel] - C:\Windows\Skytel.exe [1826816 2008-07-23] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [NA1Messenger] - C:\UPS\WSTD\UPSNA1Msgr.exe [30744 2013-03-07] ()
HKLM\...\Run: [Privoxy] - C:\Program Files\privoxy\starthelp.exe [51115 2013-08-26] ()
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\822\G2AWinLogon.dll [X]
HKCU\...\Run: [Google Update*] -  [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-12-31] (Google Inc.)
HKU\Default\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [ 2009-04-10] (Microsoft Corporation)
HKU\UpdatusUser\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [ 2009-04-10] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\BigFix.lnk
ShortcutTarget: BigFix.lnk -> C:\Program Files\BigFix\bigfix.exe (BigFix Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\UPS WorldShip Messaging Utility.lnk
ShortcutTarget: UPS WorldShip Messaging Utility.lnk -> C:\UPS\WSTD\WSTDMessaging.exe (United Parcel Service, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk
ShortcutTarget: UPS WorldShip PLD Reminder Utility.lnk -> C:\UPS\WSTD\wstdPldReminder.exe (UPS)
Startup: C:\Users\True Value\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vb32&d=0808&m=et1161-01
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vb32&d=0808&m=et1161-01
URLSearchHook: Produtools Manuals 2.1 E1 Toolbar - {36e08630-e60d-4d95-b8e2-cd1734987edc} - C:\Program Files\Produtools_Manuals_2.1_E1\prxtbProd.dll (Conduit Ltd.)
SearchScopes: HKLM - DefaultScope {04A92E07-08B7-4694-87E2-10E2FE0D638C} URL =
SearchScopes: HKCU - DefaultScope {04A92E07-08B7-4694-87E2-10E2FE0D638C} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN96218301332473238&UM=2
SearchScopes: HKCU - {04A92E07-08B7-4694-87E2-10E2FE0D638C} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN96218301332473238&UM=2
BHO: Web Protect - {2CEBF6C7-2B40-469B-B5D5-CD3F3676C3C4} - C:\Program Files\Web Protect\WebProtect.dll (WebProtect)
BHO: Produtools Manuals 2.1 E1 Toolbar - {36e08630-e60d-4d95-b8e2-cd1734987edc} - C:\Program Files\Produtools_Manuals_2.1_E1\prxtbProd.dll (Conduit Ltd.)
BHO: No Name - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll (Symantec Corporation)
BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll (Google Inc.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)
Toolbar: HKLM - Produtools Manuals 2.1 E1 Toolbar - {36e08630-e60d-4d95-b8e2-cd1734987edc} - C:\Program Files\Produtools_Manuals_2.1_E1\prxtbProd.dll (Conduit Ltd.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Produtools Manuals 2.1 E1 Toolbar - {36E08630-E60D-4D95-B8E2-CD1734987EDC} - C:\Program Files\Produtools_Manuals_2.1_E1\prxtbProd.dll (Conduit Ltd.)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 16 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 17 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 18 mswsock.dll File Not found (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

========================== Services (Whitelisted) =================

S2 Automatic LiveUpdate Scheduler; c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [238968 2008-02-20] (Symantec Corporation)
S2 ccEvtMgr; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
S2 ccSetMgr; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
S2 CLTNetCnService; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
S3 comHost; c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe [55640 2007-08-21] (Symantec Corporation)
S2 ETService; C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [24576 2008-06-11] ()
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106280 2013-09-02] (SurfRight B.V.)
S3 LiveUpdate; c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [3220856 2008-09-05] (Symantec Corporation)
S2 LiveUpdate Notice; c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
S2 MSSQL$UPSWSDBSERVER; c:\UPS\WSTD\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
S2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-05-13] ()
S2 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [994360 2011-10-13] (Secunia)
S2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2011-10-13] (Secunia)
S3 Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [1245064 2008-08-07] ()
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d}\   \...\???\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-10] (Microsoft Corporation)
S3 COH_Mon; C:\Windows\system32\Drivers\COH_Mon.sys [23888 2008-07-30] (Symantec Corporation)
S2 CO_Mon; C:\Windows\system32\drivers\CO_Mon.sys [36056 2007-08-07] (Symantec Corporation)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2008-10-15] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [99376 2008-10-15] (Symantec Corporation)
S1 IDSvix86; C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081220.001\IDSvix86.sys [270384 2008-10-03] (Symantec Corporation)
S2 int15; C:\Windows\system32\drivers\int15.sys [15392 2008-06-11] (Acer, Inc.)
S3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
S1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [447024 2008-09-05] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [279088 2008-01-30] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [317616 2008-01-30] (Symantec Corporation)
S1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2008-01-30] (Symantec Corporation)
S3 SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [13616 2009-02-19] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [124464 2009-01-09] (Symantec Corporation)
S3 SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [96560 2009-02-19] (Symantec Corporation)
S1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [24112 2009-02-19] (Symantec Corporation)
S3 SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [41008 2009-02-19] (Symantec Corporation)
S3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [22320 2009-02-19] (Symantec Corporation)
S1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [184496 2009-02-19] (Symantec Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090102.006\NAVENG.SYS [x]
S3 NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090102.006\NAVEX15.SYS [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

========================== Drivers MD5 =======================

C:\Windows\System32\drivers\acpi.sys 82B296AE1892FE3DBEE00C9CF92F8AC7
C:\Windows\system32\drivers\adp94xx.sys 04F0FCAC69C7C71A3AC4EB97FAFC8303
C:\Windows\system32\drivers\adpahci.sys 60505E0041F7751BDBB80F88BF45C2CE
C:\Windows\system32\drivers\adpu160m.sys 8A42779B02AEC986EAB64ECFC98F8BD7
C:\Windows\system32\drivers\adpu320.sys 241C9E37F8CE45EF51C3DE27515CA4E5
C:\Windows\system32\drivers\afd.sys 3911B972B55FEA0478476B2E777B29FA
C:\Windows\system32\drivers\agp440.sys 13F9E33747E6B41A3FF305C37DB0D360
C:\Windows\system32\drivers\djsvs.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys 9EAEF5FC9B8E351AFA7E78A6FAE91F91
C:\Windows\system32\drivers\amdagp.sys C47344BC706E5F0B9DCE369516661578
C:\Windows\system32\drivers\amdide.sys 9B78A39A4C173FDBC1321E0DD659B34C
C:\Windows\system32\drivers\amdk7.sys 18F29B49AD23ECEE3D2A826C725C8D48
C:\Windows\System32\DRIVERS\amdk8.sys 93AE7F7DD54AB986A6F1A1B37BE7442D
C:\Windows\system32\drivers\arc.sys 5D2888182FB46632511ACEE92FDAD522
C:\Windows\system32\drivers\arcsas.sys 5E2A321BD7C8B3624E41FDEC3E244945
C:\Windows\System32\DRIVERS\asyncmac.sys 53B202ABEE6455406254444303E87BE1
C:\Windows\System32\drivers\atapi.sys 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\Drivers\Beep.sys 67E506B75BD5326A3EC7B70BD014DFB6
C:\Windows\system32\drivers\blbdrive.sys D4DF28447741FD3D953526E33A617397
C:\Windows\System32\DRIVERS\bowser.sys 35F376253F687BDE63976CCB3F2108CA
C:\Windows\system32\drivers\brfiltlo.sys ==> MD5 is legit
C:\Windows\system32\drivers\brfiltup.sys ==> MD5 is legit
C:\Windows\system32\drivers\brserid.sys ==> MD5 is legit
C:\Windows\system32\drivers\brserwdm.sys ==> MD5 is legit
C:\Windows\system32\drivers\brusbmdm.sys ==> MD5 is legit
C:\Windows\system32\drivers\brusbser.sys ==> MD5 is legit
C:\Windows\system32\drivers\bthmodem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdfs.sys 7ADD03E75BEB9E6DD102C3081D29840A
C:\Windows\System32\DRIVERS\cdrom.sys 6B4BFFB9BECD728097024276430DB314
C:\Windows\system32\drivers\circlass.sys E5D4133F37219DBCFE102BC61072589D
C:\Windows\System32\CLFS.sys D7659D3B5B92C31E84E53C1431F35132
C:\Windows\system32\drivers\cmdide.sys 0CA25E686A4928484E9FDABD168AB629
C:\Windows\system32\Drivers\COH_Mon.sys 6186B6B953BDC884F0F379B84B3E3A98
C:\Windows\system32\drivers\compbatt.sys 6AFEF0B60FA25DE07C0968983EE4F60A
C:\Windows\system32\drivers\CO_Mon.sys 73F5D6835BFA66019C03E316D99649DA
C:\Windows\System32\drivers\crcdisk.sys 741E9DFF4F42D2D8477D0FC1DC0DF871
C:\Windows\system32\drivers\crusoe.sys 1F07BECDCA750766A96CDA811BA86410
C:\Windows\System32\Drivers\dfsc.sys 622C41A07CA7E6DD91770F50D532CB6C
C:\Windows\System32\drivers\disk.sys 5D4AEFC3386920236A548271F8F1AF6A
C:\Windows\System32\drivers\drmkaud.sys 97FEF831AB90BEE128C9AF390E243F80
C:\Windows\System32\drivers\dxgkrnl.sys 5DE0FAEC9E5D1AAE74F8568897891A01
C:\Windows\System32\DRIVERS\E1G60I32.sys 5425F74AC0C1DBD96A1E04F17D63F94C
C:\Windows\System32\drivers\ecache.sys 7F64EA048DCFAC7ACF8B4D7B4E6FE371
C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 47CE4E650D91DC095A2FDDB15631A78A
C:\Windows\system32\drivers\elxstor.sys 23B62471681A124889978F6295B3F4C6
C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys CE3EF5C79CB0BFA036E844F74C52D759
C:\Windows\system32\drivers\errdev.sys 3DB974F3935483555D7148663F726C61
C:\Windows\System32\Drivers\exfat.sys 22B408651F9123527BCEE54B4F6C5CAE
C:\Windows\System32\Drivers\fastfat.sys 1E9B9A70D332103C52995E957DC09EF8
C:\Windows\System32\DRIVERS\fdc.sys AFE1E8B9782A0DD7FB46BBD88E43F89A
C:\Windows\System32\drivers\fileinfo.sys A8C0139A884861E3AAE9CFE73B208A9F
C:\Windows\System32\drivers\filetrace.sys 0AE429A696AECBC5970E3CF2C62635AE
C:\Windows\System32\DRIVERS\flpydisk.sys 85B7CF99D532820495D68D747FDA9EBD
C:\Windows\System32\drivers\fltmgr.sys 01334F9EA68E6877C4EF05D3EA8ABB05
C:\Windows\System32\Drivers\Fs_Rec.sys B972A66758577E0BFD1DE0F91AAA27B5
C:\Windows\system32\drivers\gagp30kx.sys 34582A6E6573D54A07ECE5FE24A126B5
C:\Windows\System32\Drivers\GEARAspiWDM.sys AB8A6A87D9D7255C3884D5B9541A6E80
C:\Windows\System32\drivers\HdAudio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\HDAudBus.sys 062452B7FFD68C8C042A6261FE8DFF4A
C:\Windows\system32\drivers\hidbth.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\hidusb.sys CCA4B519B17E23A00B826C55716809CC
C:\Windows\system32\drivers\hpcisss.sys 16EE7B23A009E00D835CDB79574A91A6
C:\Windows\System32\DRIVERS\HSX_DPV.sys 9EFA5FEC26CEC696A66A891AC90B412D
C:\Windows\System32\DRIVERS\HSXHWBS2.sys A3077D9ED7FF612A033536A6009DBEA5
C:\Windows\System32\drivers\HTTP.sys 0EEECA26C8D4BDE2A4664DB058A81937
C:\Windows\system32\drivers\i2omp.sys C6B032D69650985468160FC9937CF5B4
C:\Windows\System32\DRIVERS\i8042prt.sys 22D56C8184586B7A1F6FA60BE5F5A2BD
C:\Windows\system32\drivers\iastorv.sys 54155EA1B0DF185878E0FC9EC3AC3A14
C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081220.001\IDSvix86.sys CE5D5AABA62949B9BFA44D0EAF2D93E5
C:\Windows\system32\drivers\iirsp.sys ==> MD5 is legit
C:\Windows\system32\drivers\int15.sys C6E5276C00EBDEB096BB5EF4B797D1B6
C:\Windows\System32\drivers\RTKVHDA.sys 23EBCEE9AAA4D6C88728791FAB462456
C:\Windows\system32\drivers\intelide.sys 83AA759F3189E6370C30DE5DC5590718
C:\Windows\System32\DRIVERS\intelppm.sys 224191001E78C89DFA78924C3EA595FF
C:\Windows\System32\DRIVERS\ipfltdrv.sys 62C265C38769B864CB25B4BCF62DF6C3
C:\Windows\system32\drivers\ipmidrv.sys B25AAF203552B7B3491139D582B39AD1
C:\Windows\System32\DRIVERS\ipnat.sys 8793643A67B42CEC66490B2A0CF92D68
C:\Windows\System32\drivers\irenum.sys 109C0DFB82C3632FBD11949B73AEEAC9
C:\Windows\system32\drivers\isapnp.sys 6C70698A3E5C4376C6AB5C7C17FB0614
C:\Windows\System32\DRIVERS\msiscsi.sys 232FA340531D940AAC623B121A595034
C:\Windows\system32\drivers\iteatapi.sys ==> MD5 is legit
C:\Windows\system32\drivers\iteraid.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdclass.sys 37605E0A8CF00CBBA538E753E4344C6E
C:\Windows\System32\DRIVERS\kbdhid.sys EDE59EC70E25C24581ADD1FBEC7325F7
C:\Windows\System32\Drivers\ksecdd.sys 4A1445EFA932A3BAF5BDB02D7131EE20
C:\Windows\System32\DRIVERS\lltdio.sys D1C5883087A0C3F1344D9D55A44901F6
C:\Windows\system32\drivers\lsi_fc.sys C7E15E82879BF3235B559563D4185365
C:\Windows\system32\drivers\lsi_sas.sys EE01EBAE8C9BF0FA072E0FF68718920A
C:\Windows\system32\drivers\lsi_scsi.sys 912A04696E9CA30146A62AFA1463DD5C
C:\Windows\system32\drivers\luafv.sys 8F5C7426567798E62A3B3614965D62CC
C:\Windows\System32\DRIVERS\mdmxsdk.sys 0CEA2D0D3FA284B85ED5B68365114F76
C:\Windows\system32\drivers\megasas.sys 0001CE609D66632FA17B84705F658879
C:\Windows\system32\drivers\megasr.sys C252F32CD9A49DBFC25ECF26EBD51A99
C:\Windows\System32\drivers\modem.sys E13B5EA0F51BA5B1512EC671393D09BA
C:\Windows\System32\DRIVERS\monitor.sys 0A9BB33B56E294F686ABB7C1E4E2D8A8
C:\Windows\System32\DRIVERS\mouclass.sys 5BF6A1326A335C5298477754A506D263
C:\Windows\System32\DRIVERS\mouhid.sys 93B8D4869E12CFBE663915502900876F
C:\Windows\System32\drivers\mountmgr.sys BDAFC88AA6B92F7842416EA6A48E1600
C:\Windows\system32\drivers\mpio.sys 511D011289755DD9F9A7579FB0B064E6
C:\Windows\System32\drivers\mpsdrv.sys 22241FEBA9B2DEFA669C8CB0A8DD7D2E
C:\Windows\system32\drivers\mraid35x.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys 82CEA0395524AACFEB58BA1448E8325C
C:\Windows\System32\DRIVERS\mrxsmb.sys 1E94971C4B446AB2290DEB71D01CF0C2
C:\Windows\System32\DRIVERS\mrxsmb10.sys 4FCCB34D793B116423209C0F8B7A3B03
C:\Windows\System32\DRIVERS\mrxsmb20.sys C3CB1B40AD4A0124D617A1199B0B9D7C
C:\Windows\system32\drivers\msahci.sys 28023E86F17001F7CD9B15A5BC9AE07D
C:\Windows\system32\drivers\msdsm.sys 4468B0F385A86ECDDAF8D3CA662EC0E7
C:\Windows\System32\Drivers\Msfs.sys A9927F4A46B816C92F461ACB90CF8515
C:\Windows\System32\drivers\msisadrv.sys 0F400E306F385C56317357D6DEA56F62
C:\Windows\System32\drivers\MSKSSRV.sys D8C63D34D9C9E56C059E24EC7185CC07
C:\Windows\System32\drivers\MSPCLOCK.sys 1D373C90D62DDB641D50E55B9E78D65E
C:\Windows\System32\drivers\MSPQM.sys B572DA05BF4E098D4BBA3A4734FB505B
C:\Windows\System32\Drivers\MsRPC.sys B49456D70555DE905C311BCDA6EC6ADB
C:\Windows\System32\DRIVERS\mssmbios.sys E384487CB84BE41D09711C30CA79646C
C:\Windows\System32\drivers\MSTEE.sys 7199C1EEC1E4993CAF96B8C0A26BD58A
C:\Windows\System32\Drivers\mup.sys 6A57B5733D4CB702C8EA4542E836B96C
C:\Windows\System32\DRIVERS\nwifi.sys 85C44FDFF9CF7E72A40DCB7EC06A4416
C:\Windows\System32\drivers\ndis.sys 1357274D1883F68300AEADD15D7BBB42
C:\Windows\System32\DRIVERS\ndistapi.sys 0E186E90404980569FB449BA7519AE61
C:\Windows\System32\DRIVERS\ndisuio.sys D6973AA34C4D5D76C0430B181C3CD389
C:\Windows\System32\DRIVERS\ndiswan.sys 818F648618AE34F729FDB47EC68345C3
C:\Windows\System32\Drivers\NDProxy.sys 71DAB552B41936358F3B541AE5997FB3
C:\Windows\System32\DRIVERS\netbios.sys BCD093A5A6777CF626434568DC7DBA78
C:\Windows\System32\DRIVERS\netbt.sys ECD64230A59CBD93C85F1CD1CAB9F3F6
C:\Windows\system32\drivers\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Npfs.sys D36F239D7CCE1931598E8FB90A0DBC26
C:\Windows\System32\drivers\nsiproxy.sys 609773E344A97410CE4EBF74A8914FCF
C:\Windows\System32\Drivers\Ntfs.sys 2C1121F2B87E9A6B12485DF53CD848C7
C:\Windows\system32\drivers\ntrigdigi.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Null.sys C5DBBCDA07D780BDA9B685DF333BB41E
C:\Windows\System32\DRIVERS\nvmfdx32.sys C39AD3B818502EDFA4B819148B72A0E3
C:\Windows\System32\DRIVERS\nvlddmkm.sys 9A77B1C13BCCEDDF78DFD7AFC25B4F5E
C:\Windows\system32\drivers\nvraid.sys 2EDF9E7751554B42CBB60116DE727101
C:\Windows\system32\drivers\nvstor.sys ABED0C09758D1D97DB0042DBB2688177
C:\Windows\System32\DRIVERS\nvstor32.sys FA7B8ECA6E845B244B7E30A9DCD82C6C
C:\Windows\system32\drivers\nv_agp.sys 18BBDF913916B71BD54575BDB6EEAC0B
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\drivers\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys B9C2B89F08670E159F7181891E449CD9
C:\Windows\system32\drivers\parvdm.sys ==> MD5 is legit
C:\Windows\System32\drivers\pci.sys 941DC1D19E7E8620F40BBC206981EFDB
C:\Windows\System32\drivers\pciide.sys 1636D43F10416AEB483BC6001097B26C
C:\Windows\system32\drivers\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ECFFFAEC0C1ECD8DBC77F39070EA1DB1
C:\Windows\system32\drivers\processr.sys 2027293619DD0F047C584CF2E7DF4FFD
C:\Windows\System32\DRIVERS\pacer.sys 99514FAA8DF93D34B5589187DB3AA0BA
C:\Windows\System32\DRIVERS\psi_mf.sys D24DFD16A1E2A76034DF5AA18125C35D
C:\Windows\System32\Drivers\PxHelp20.sys 49452BFCEC22F36A7A9B9C2181BC3042
C:\Windows\system32\drivers\ql2300.sys 0A6DB55AFB7820C99AA1F3A1D270F4F6
C:\Windows\system32\drivers\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys 9F5E0E1926014D17486901C88ECA2DB7
C:\Windows\System32\DRIVERS\rasacd.sys 147D7F9C556D259924351FEB0DE606C3
C:\Windows\System32\DRIVERS\rasl2tp.sys A214ADBAF4CB47DD2728859EF31F26B0
C:\Windows\System32\DRIVERS\raspppoe.sys 509A98DD18AF4375E1FC40BC175F1DEF
C:\Windows\System32\DRIVERS\rassstp.sys 2005F4A1E05FA09389AC85840F0A9E4D
C:\Windows\System32\DRIVERS\rdbss.sys B14C9D5B9ADD2F84F70570BBBFAA7935
C:\Windows\System32\DRIVERS\RDPCDD.sys 89E59BE9A564262A3FB6C4F4F1CD9899
C:\Windows\system32\drivers\rdpdr.sys FBC0BACD9C3D7F6956853F64A66E252D
C:\Windows\System32\drivers\rdpencdd.sys 9D91FE5286F748862ECFFA05F8A0710C
C:\Windows\System32\Drivers\RDPWD.sys C127EBD5AFAB31524662C48DFCEB773A
C:\Windows\System32\DRIVERS\rspndr.sys 9C508F4074A39E8B4B31D27198146FAD
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\serenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\serial.sys ==> MD5 is legit
C:\Windows\system32\drivers\sermouse.sys 8AF3D28A879BF75DB53A0EE7A4289624
C:\Windows\system32\drivers\sffdisk.sys 3EFA810BDCA87F6ECC24F9832243FE86
C:\Windows\system32\drivers\sffp_mmc.sys E95D451F7EA3E583AEC75F3B3EE42DC5
C:\Windows\system32\drivers\sffp_sd.sys 3D0EA348784B7AC9EA9BD9F317980979
C:\Windows\system32\drivers\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisagp.sys 1D76624A09A054F682D746B924E2DBC3
C:\Windows\system32\drivers\sisraid2.sys 43CB7AA756C7DB280D01DA9B676CFDE2
C:\Windows\system32\drivers\sisraid4.sys A99C6C8B0BAA970D8AA59DDC50B57F94
C:\Windows\System32\DRIVERS\smb.sys 7B75299A4D201D6A6533603D6914AB04
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys DC4DC886D3779C446F9B0E9D6B006E72
C:\Windows\System32\Drivers\spldr.sys 7AEBDEEF071FE28B0EEF2CDD69102BFF
C:\Windows\System32\Drivers\SRTSP.SYS E0E54A571D4323567E95E11FE76A5FF3
C:\Windows\System32\Drivers\SRTSPL.SYS 4E44F0E22DF824D318988CAA6F321C30
C:\Windows\System32\Drivers\SRTSPX.SYS D3BB40427CF3D02E56BBA97FEDA0A3AA
C:\Windows\System32\DRIVERS\srv.sys 41987F9FC0E61ADF54F581E15029AD91
C:\Windows\System32\DRIVERS\srv2.sys FF33AFF99564B1AA534F58868CBE41EF
C:\Windows\System32\DRIVERS\srvnet.sys 7605C0E1D01A08F3ECD743F38B834A44
C:\Windows\System32\DRIVERS\swenum.sys 7BA58ECF0C0A9A69D44B3DCA62BECF56
C:\Windows\system32\drivers\symc8xx.sys ==> MD5 is legit
C:\Windows\System32\Drivers\SYMDNS.SYS FE9F8B3A8BC22D85332B42E92308DDF9
C:\Windows\system32\Drivers\SYMEVENT.SYS 06B95820DF51502099A8A15C93E87986
C:\Windows\System32\Drivers\SYMFW.SYS A0EA9D273889E53CFAABF2444692CCBF
C:\Windows\System32\DRIVERS\SymIMv.sys 8EAB28DD6CD25355B951AE460FA86B48
C:\Windows\System32\Drivers\SYMNDISV.SYS C94EACA4B522012EE0691F1E79C42A7D
C:\Windows\System32\Drivers\SYMREDRV.SYS 7C6505EA598E58099D3B7E1F70426864
C:\Windows\System32\Drivers\SYMTDI.SYS E6FF7ACE71D07CA90119F2C6AB592BA4
C:\Windows\system32\drivers\sym_hi.sys ==> MD5 is legit
C:\Windows\system32\drivers\sym_u3.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpip.sys D18D53974FD715D50FC76F9FFE1C830D
C:\Windows\System32\DRIVERS\tcpip.sys D18D53974FD715D50FC76F9FFE1C830D
C:\Windows\System32\drivers\tcpipreg.sys 608C345A255D82A6289C2D468EB41FD7
C:\Windows\System32\drivers\tdpipe.sys 5DCF5E267BE67A1AE926F2DF77FBCC56
C:\Windows\System32\drivers\tdtcp.sys 389C63E32B3CEFED425B61ED92D3F021
C:\Windows\System32\DRIVERS\tdx.sys 76B06EB8A01FC8624D699E7045303E54
C:\Windows\System32\DRIVERS\termdd.sys 3CAD38910468EAB9A6479E2F01DB43C7
C:\Windows\System32\DRIVERS\tssecsrv.sys F4EAA7ECBCB25DE901C9B7F2CDCDA0B3
C:\Windows\System32\DRIVERS\tunmp.sys CAECC0120AC49E3D2F758B9169872D38
C:\Windows\System32\DRIVERS\tunnel.sys 300DB877AC094FEAB0BE7688C3454A9C
C:\Windows\system32\drivers\uagp35.sys 7D33C4DB2CE363C8518D2DFCF533941F

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-04 12:02 - 2013-09-04 12:02 - 00000000 ____D C:\FRST
2013-09-03 16:49 - 2013-09-03 16:49 - 00000758 _____ C:\Windows\system32\.crusader
2013-09-02 12:12 - 2013-09-02 12:12 - 00001734 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2013-09-02 12:12 - 2013-09-02 12:12 - 00000000 ____D C:\Program Files\HitmanPro
2013-09-02 12:11 - 2013-09-03 16:49 - 00000000 ____D C:\ProgramData\HitmanPro
2013-09-02 12:11 - 2013-09-02 12:13 - 09186416 _____ (SurfRight B.V.) C:\Users\True Value\Desktop\HitmanPro.exe
2013-09-02 12:03 - 2013-09-04 09:18 - 00004314 _____ C:\Users\True Value\Desktop\Rkill.txt
2013-09-02 12:03 - 2013-09-02 12:12 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\True Value\Desktop\iExplore.exe
2013-09-02 12:03 - 2013-09-02 12:03 - 00000000 ____D C:\Users\True Value\Desktop\rkill
2013-08-31 17:43 - 2013-08-31 17:55 - 1796574218 _____ C:\avenger.txt
2013-08-31 17:43 - 2013-08-31 17:43 - 00000000 ____D C:\Avenger
2013-08-31 16:15 - 2013-08-31 16:15 - 00000280 _____ C:\Users\True Value\Desktop\Setup - Shortcut (2).lnk
2013-08-31 16:14 - 2013-08-31 16:14 - 00000280 _____ C:\Users\True Value\Desktop\Setup - Shortcut.lnk
2013-08-31 16:10 - 2013-08-31 16:10 - 00000000 ____D C:\Program Files\privoxy
2013-08-31 16:10 - 2013-08-31 16:10 - 00000000 ____D C:\Program Files\FileOpenerPro
2013-08-31 16:09 - 2013-08-31 16:10 - 00000000 ____D C:\Program Files\Web Protect
2013-08-31 16:08 - 2013-08-31 17:42 - 00000000 ____D C:\Users\TRUEVA~1\AppData\Local\SwvUpdater
2013-08-31 16:08 - 2013-08-31 16:08 - 00000009 _____ C:\END
2013-08-31 15:49 - 2013-08-31 15:49 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\gUzd85a8p
2013-08-31 15:49 - 2013-08-31 15:49 - 00182272 _____ C:\Users\True Value\AppData\Roaming\J2qVx3n51Qx
2013-08-31 15:49 - 2013-08-31 15:49 - 00182272 _____ C:\ProgramData\VtJTryrxRVP
2013-08-31 15:13 - 2013-08-31 15:13 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\vGa7Lqzh
2013-08-31 15:13 - 2013-08-31 15:13 - 00182272 _____ C:\Users\True Value\AppData\Roaming\9H2xRA5VMwH
2013-08-31 15:13 - 2013-08-31 15:13 - 00182272 _____ C:\ProgramData\by6nvIHtj
2013-08-31 14:57 - 2013-08-31 14:57 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\eLQH5PAvILb
2013-08-31 14:57 - 2013-08-31 14:57 - 00182272 _____ C:\Users\True Value\AppData\Roaming\ZxzKLbiN
2013-08-31 14:57 - 2013-08-31 14:57 - 00182272 _____ C:\ProgramData\s9dlIeiPnzQ
2013-08-31 14:53 - 2013-08-31 14:53 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\OEjfryc6
2013-08-31 14:53 - 2013-08-31 14:53 - 00182272 _____ C:\Users\True Value\AppData\Roaming\NJ7NTPoa
2013-08-31 14:53 - 2013-08-31 14:53 - 00182272 _____ C:\ProgramData\lRQ4cv5B
2013-08-31 12:47 - 2013-08-31 12:47 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\8SWxrGDjJyc
2013-08-31 12:47 - 2013-08-31 12:47 - 00182272 _____ C:\Users\True Value\AppData\Roaming\WIthmIde0
2013-08-31 12:47 - 2013-08-31 12:47 - 00182272 _____ C:\ProgramData\GoR1CwFE
2013-08-31 12:31 - 2013-08-31 15:56 - 00000004 _____ C:\Users\True Value\AppData\Roaming\skype.ini
2013-08-31 12:28 - 2013-08-31 12:28 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\AN9Z2sQD0w
2013-08-31 12:28 - 2013-08-31 12:28 - 00182272 _____ C:\Users\True Value\AppData\Roaming\UU4yAxRlPR
2013-08-31 12:28 - 2013-08-31 12:28 - 00182272 _____ C:\ProgramData\GpDpNQd4s
2013-08-31 12:28 - 2013-08-31 12:28 - 00119808 _____ (HitSonic Solutions) C:\Users\True Value\acrobatreader.exe
2013-08-31 12:28 - 2013-08-31 12:28 - 00117760 _____ C:\Users\True Value\msconfig.exe
2013-08-31 12:28 - 2013-08-31 12:28 - 00000680 _____ C:\Users\TRUEVA~1\AppData\Local\d3d9caps.dat
2013-08-31 12:28 - 2013-08-31 12:28 - 00000000 _____ C:\Users\True Value\skype.exe
2013-08-31 12:28 - 2013-08-31 12:28 - 00000000 _____ C:\Users\True Value\flashplayer.exe
2013-08-31 12:27 - 2013-08-31 17:44 - 00000000 ____D C:\Users\TRUEVA~1\AppData\Local\jVv7QMPsV
2013-08-31 12:27 - 2013-08-31 12:27 - 00000000 _____ C:\Users\True Value\teamviewer.exe
2013-08-31 12:27 - 2013-08-31 12:27 - 00000000 _____ C:\Users\True Value\acrobat.exe
2013-08-15 03:30 - 2013-08-15 03:39 - 00000000 ____D C:\Windows\system32\MRT
2013-08-15 03:03 - 2013-07-24 19:40 - 12334080 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-08-15 03:03 - 2013-07-24 19:32 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-08-15 03:03 - 2013-07-24 19:30 - 09738752 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-08-15 03:03 - 2013-07-24 19:26 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-08-15 03:03 - 2013-07-24 19:26 - 01104384 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-08-15 03:03 - 2013-07-24 19:25 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-08-15 03:03 - 2013-07-24 19:24 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-08-15 03:03 - 2013-07-24 19:24 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-08-15 03:03 - 2013-07-24 19:23 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-08-15 03:03 - 2013-07-24 19:23 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-08-15 03:03 - 2013-07-24 19:23 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-08-15 03:03 - 2013-07-24 19:23 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-08-15 03:03 - 2013-07-24 19:23 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-08-15 03:03 - 2013-07-24 19:22 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-08-15 03:03 - 2013-07-24 19:22 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-08-15 03:03 - 2013-07-24 19:22 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-08-14 16:41 - 2013-07-17 12:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-08-14 16:41 - 2013-07-10 02:47 - 00783360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2013-08-14 16:41 - 2013-07-09 05:10 - 01205168 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-08-14 16:41 - 2013-07-07 21:55 - 03603904 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2013-08-14 16:41 - 2013-07-07 21:55 - 03551680 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-08-14 16:41 - 2013-07-07 21:20 - 00172544 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2013-08-14 16:41 - 2013-07-07 21:16 - 00992768 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-08-14 16:41 - 2013-07-07 21:16 - 00133120 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2013-08-14 16:41 - 2013-07-07 21:16 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2013-08-14 16:41 - 2013-07-04 21:53 - 00905664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-08-14 16:41 - 2013-06-15 06:22 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\icaapi.dll
2013-08-14 16:41 - 2013-06-15 04:23 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys

==================== One Month Modified Files and Folders =======

2013-09-04 12:02 - 2013-09-04 12:02 - 00000000 ____D C:\FRST
2013-09-04 09:18 - 2013-09-02 12:03 - 00004314 _____ C:\Users\True Value\Desktop\Rkill.txt
2013-09-04 09:12 - 2006-11-02 05:45 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-04 09:12 - 2006-11-02 05:45 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-04 09:11 - 2006-11-02 05:58 - 00032654 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-04 09:11 - 2006-11-02 05:58 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-04 09:09 - 2011-12-31 10:51 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-04 08:22 - 2012-04-07 07:56 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-04 08:01 - 2011-12-31 10:51 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-04 07:48 - 2008-11-04 11:40 - 00000199 _____ C:\Windows\wstdUPSWSHIP.INI
2013-09-04 07:48 - 2008-11-03 16:58 - 00000000 ____D C:\Users\True Value\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink DVD Suite
2013-09-03 18:01 - 2006-11-02 03:33 - 00769800 _____ C:\Windows\system32\PerfStringBackup.INI
2013-09-03 17:57 - 2008-08-29 16:04 - 00000000 _____ C:\Windows\system32\LogConfigTemp.xml
2013-09-03 17:12 - 2008-11-04 11:11 - 00000000 ____D C:\UPS
2013-09-03 16:49 - 2013-09-03 16:49 - 00000758 _____ C:\Windows\system32\.crusader
2013-09-03 16:49 - 2013-09-02 12:11 - 00000000 ____D C:\ProgramData\HitmanPro
2013-09-03 16:29 - 2008-08-29 15:58 - 01433254 _____ C:\Windows\WindowsUpdate.log
2013-09-02 12:13 - 2013-09-02 12:11 - 09186416 _____ (SurfRight B.V.) C:\Users\True Value\Desktop\HitmanPro.exe
2013-09-02 12:12 - 2013-09-02 12:12 - 00001734 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2013-09-02 12:12 - 2013-09-02 12:12 - 00000000 ____D C:\Program Files\HitmanPro
2013-09-02 12:12 - 2013-09-02 12:03 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\True Value\Desktop\iExplore.exe
2013-09-02 12:03 - 2013-09-02 12:03 - 00000000 ____D C:\Users\True Value\Desktop\rkill
2013-09-02 11:58 - 2006-11-02 05:49 - 00062258 _____ C:\Windows\setupact.log
2013-09-02 10:54 - 2009-09-15 07:29 - 00000000 ____D C:\Users\Public\Documents\Symantec
2013-08-31 17:55 - 2013-08-31 17:43 - 1796574218 _____ C:\avenger.txt
2013-08-31 17:44 - 2013-08-31 12:27 - 00000000 ____D C:\Users\TRUEVA~1\AppData\Local\jVv7QMPsV
2013-08-31 17:44 - 2008-01-20 20:02 - 00134788 _____ C:\Windows\PFRO.log
2013-08-31 17:43 - 2013-08-31 17:43 - 00000000 ____D C:\Avenger
2013-08-31 17:42 - 2013-08-31 16:08 - 00000000 ____D C:\Users\TRUEVA~1\AppData\Local\SwvUpdater
2013-08-31 17:42 - 2008-11-03 16:54 - 00000000 ____D C:\Users\True Value
2013-08-31 17:42 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-08-31 16:15 - 2013-08-31 16:15 - 00000280 _____ C:\Users\True Value\Desktop\Setup - Shortcut (2).lnk
2013-08-31 16:14 - 2013-08-31 16:14 - 00000280 _____ C:\Users\True Value\Desktop\Setup - Shortcut.lnk
2013-08-31 16:10 - 2013-08-31 16:10 - 00000000 ____D C:\Program Files\privoxy
2013-08-31 16:10 - 2013-08-31 16:10 - 00000000 ____D C:\Program Files\FileOpenerPro
2013-08-31 16:10 - 2013-08-31 16:09 - 00000000 ____D C:\Program Files\Web Protect
2013-08-31 16:08 - 2013-08-31 16:08 - 00000009 _____ C:\END
2013-08-31 16:08 - 2012-11-30 14:21 - 00000000 ____D C:\Users\TRUEVA~1\AppData\Local\Conduit
2013-08-31 16:06 - 2011-12-30 18:43 - 00000908 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-08-31 16:06 - 2011-12-30 18:31 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-08-31 15:56 - 2013-08-31 12:31 - 00000004 _____ C:\Users\True Value\AppData\Roaming\skype.ini
2013-08-31 15:49 - 2013-08-31 15:49 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\gUzd85a8p
2013-08-31 15:49 - 2013-08-31 15:49 - 00182272 _____ C:\Users\True Value\AppData\Roaming\J2qVx3n51Qx
2013-08-31 15:49 - 2013-08-31 15:49 - 00182272 _____ C:\ProgramData\VtJTryrxRVP
2013-08-31 15:13 - 2013-08-31 15:13 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\vGa7Lqzh
2013-08-31 15:13 - 2013-08-31 15:13 - 00182272 _____ C:\Users\True Value\AppData\Roaming\9H2xRA5VMwH
2013-08-31 15:13 - 2013-08-31 15:13 - 00182272 _____ C:\ProgramData\by6nvIHtj
2013-08-31 14:57 - 2013-08-31 14:57 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\eLQH5PAvILb
2013-08-31 14:57 - 2013-08-31 14:57 - 00182272 _____ C:\Users\True Value\AppData\Roaming\ZxzKLbiN
2013-08-31 14:57 - 2013-08-31 14:57 - 00182272 _____ C:\ProgramData\s9dlIeiPnzQ
2013-08-31 14:53 - 2013-08-31 14:53 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\OEjfryc6
2013-08-31 14:53 - 2013-08-31 14:53 - 00182272 _____ C:\Users\True Value\AppData\Roaming\NJ7NTPoa
2013-08-31 14:53 - 2013-08-31 14:53 - 00182272 _____ C:\ProgramData\lRQ4cv5B
2013-08-31 12:47 - 2013-08-31 12:47 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\8SWxrGDjJyc
2013-08-31 12:47 - 2013-08-31 12:47 - 00182272 _____ C:\Users\True Value\AppData\Roaming\WIthmIde0
2013-08-31 12:47 - 2013-08-31 12:47 - 00182272 _____ C:\ProgramData\GoR1CwFE
2013-08-31 12:28 - 2013-08-31 12:28 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\AN9Z2sQD0w
2013-08-31 12:28 - 2013-08-31 12:28 - 00182272 _____ C:\Users\True Value\AppData\Roaming\UU4yAxRlPR
2013-08-31 12:28 - 2013-08-31 12:28 - 00182272 _____ C:\ProgramData\GpDpNQd4s
2013-08-31 12:28 - 2013-08-31 12:28 - 00119808 _____ (HitSonic Solutions) C:\Users\True Value\acrobatreader.exe
2013-08-31 12:28 - 2013-08-31 12:28 - 00117760 _____ C:\Users\True Value\msconfig.exe
2013-08-31 12:28 - 2013-08-31 12:28 - 00000680 _____ C:\Users\TRUEVA~1\AppData\Local\d3d9caps.dat
2013-08-31 12:28 - 2013-08-31 12:28 - 00000000 _____ C:\Users\True Value\skype.exe
2013-08-31 12:28 - 2013-08-31 12:28 - 00000000 _____ C:\Users\True Value\flashplayer.exe
2013-08-31 12:27 - 2013-08-31 12:27 - 00000000 _____ C:\Users\True Value\teamviewer.exe
2013-08-31 12:27 - 2013-08-31 12:27 - 00000000 _____ C:\Users\True Value\acrobat.exe
2013-08-27 16:15 - 2012-04-07 07:56 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-08-27 16:15 - 2011-12-31 10:29 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-08-27 16:13 - 2010-04-07 07:26 - 00000000 ____D C:\Program Files\Google
2013-08-27 08:43 - 2008-11-03 16:59 - 00000000 ____D C:\Users\TRUEVA~1\AppData\Local\Google
2013-08-15 13:47 - 2008-11-06 17:32 - 00045391 _____ C:\Windows\DYNAZIP.LOG
2013-08-15 04:18 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\rescache
2013-08-15 03:39 - 2013-08-15 03:30 - 00000000 ____D C:\Windows\system32\MRT
2013-08-15 03:29 - 2006-11-02 03:24 - 75778376 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2013-08-15 03:22 - 2008-08-07 15:40 - 00000000 ____D C:\ProgramData\Microsoft Help

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

Files to move or delete:
====================
ZeroAccess:
C:\Users\TRUEVA~1\AppData\Local\Google\Desktop\Install\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d}
ZeroAccess:
C:\Program Files\Google\Desktop\Install\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d}
C:\Users\True Value\acrobat.exe
C:\Users\True Value\acrobatreader.exe
C:\Users\True Value\flashplayer.exe
C:\Users\True Value\GoToAssistDownloadHelper.exe
C:\Users\True Value\msconfig.exe
C:\Users\True Value\skype.exe
C:\Users\True Value\teamviewer.exe
C:\Users\True Value\AppData\Roaming\skype.ini
C:\Users\TRUEVA~1\AppData\Local\Temp\AdobeUpdater12345.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\launch.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\symlcsv1.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\TB_5E7C.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\{FFACBCCE-685E-4843-B4BB-1888A0C02CEA}\ISSetup.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\{FFACBCCE-685E-4843-B4BB-1888A0C02CEA}\SETUP.EXE
C:\Users\TRUEVA~1\AppData\Local\Temp\{D2BAD404-DC53-4CDC-A1FF-5BC9217709BE}\dotnetinstaller.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\{D2BAD404-DC53-4CDC-A1FF-5BC9217709BE}\{8C5BD501-AD5D-4A75-9321-076509B438FC}\isrt.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\{D2BAD404-DC53-4CDC-A1FF-5BC9217709BE}\{8C5BD501-AD5D-4A75-9321-076509B438FC}\_isres_0x0409.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\{B1B92DF9-2665-49A3-99D2-77A81801A058}\ISSetup.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\{B1B92DF9-2665-49A3-99D2-77A81801A058}\SETUP.EXE
C:\Users\TRUEVA~1\AppData\Local\Temp\{650C0E91-FD9D-466F-8C02-DE848953AECA}\dotnetinstaller.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\{650C0E91-FD9D-466F-8C02-DE848953AECA}\{8C5BD501-AD5D-4A75-9321-076509B438FC}\isrt.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\{650C0E91-FD9D-466F-8C02-DE848953AECA}\{8C5BD501-AD5D-4A75-9321-076509B438FC}\_isres_0x0409.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Artinsoft.VB6.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\BRComponent.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\BRGUI.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\BRLogger.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\DataVersionUtility.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\InstallManager.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\InstallUtility.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Interop.DBSUPPORTENGINELib.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Interop.SQLDMO.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\BPAClient.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\Launch.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\PSet.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\UpgradeValidator.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\WaitAndKill.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\DataVersionUtility.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\InstallManager.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\InstallUtility.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Interop.DBSUPPORTENGINELib.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\BPAClient.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\Launch.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\PSet.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\UpgradeValidator.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\WaitAndKill.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Temp1_antimalware_stuff.zip\antimalware stuff\FRST(1).exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Low\Google Toolbar\gtb193A.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Low\Google Toolbar\gtb5DE1.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Low\Google Toolbar\gtb9E94.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Low\Google Toolbar\gtbF078.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb29CD.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb69EB.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb6E7B.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb7E4E.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb8340.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtbE10E.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\C7C2.dir\InstallFlashPlayer.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\17B5.dir\InstallFlashPlayer.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
resume                  No

Windows Boot Loader
-------------------
identifier              {572bcd55-ffa7-11d9-aae0-0007e994107d}
device                  partition=\Device\HarddiskVolume1
path                    \windows\system32\boot\winload.exe
description             Windows Recovery Environment
osdevice                partition=\Device\HarddiskVolume1
systemroot              \windows
nx                      OptIn
detecthal               Yes
winpe                   Yes

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Microsoft Windows Vista
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {572bcd55-ffa7-11d9-aae0-0007e994107d}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {d7b45050-64d3-11dd-8e5f-001e90e881a5}
nx                      OptIn

Resume from Hibernate
---------------------
identifier              {d7b45050-64d3-11dd-8e5f-001e90e881a5}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
pae                     Yes
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

Windows Legacy OS Loader
------------------------
identifier              {ntldr}
device                  unknown
path                    \ntldr
description             Earlier Version of Windows

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}



LastRegBack: 2013-09-04 09:32

==================== End Of Log ============================



#4 spradillac81

  • Topic Starter
  • Members
  • 32 posts

Posted 04 September 2013 - 02:20 PM

Here is the additional.txt scan from Farbar.

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-09-2013 03
Ran by True Value at 2013-09-04 12:05:52
Running from C:\Users\True Value\Desktop
Boot Mode: Safe Mode (minimal)
==========================================================


==================== Installed Programs =======================

 Update for Microsoft Office 2007 (KB2508958)
Activation Assistant for the 2007 Microsoft Office suites
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0)
Adobe AIR (Version: 3.1.0.4880)
Adobe Flash Player 11 ActiveX (Version: 11.8.800.94)
Adobe Reader X (10.1.7) (Version: 10.1.7)
AlignmentUtility (Version: 16.00.0000)
AppCore (Version: 2.0.0.79)
Applet
ATI Catalyst Install Manager (Version: 3.0.664.0)
Backup (Version: 1.0.0.382)
BigFix (Version: 2.2.0.04)
CCC (Version: 16.00.0000)
ccCommon (Version: 107.0.5.5)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
CyberLink DVD Suite (Version: 5.0.3019)
CyberLink Power2Go (Version: 5.0.3925)
Digital Media Reader (Version: 2.01.03.01)
eMachines Games (Version: 1.0.0.52)
eMachines Recovery Management (Version: 3.1.3003)
File Opener Pro
FormsComponent (Version: 16.00.0000)
FOSS (Version: 16.00.0500)
GearDrvs (Version: 1.00.0000)
GearDrvs (Version: 5.0.0.2)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4413.1752)
Google Update Helper (Version: 1.3.21.153)
GoToAssist Corporate (Version: 10.2.0.822)
GoToMeeting 4.1.0.366
HitmanPro 3.7 (Version: 3.7.7.205)
ICCHelp (Version: 1.0.0.2)
Java Auto Updater (Version: 2.0.7.2)
Java™ 6 Update 39 (Version: 6.0.390)
Java™ 6 Update 5 (Version: 1.6.0.50)
LabelPrint (Version: 2.0.2212)
LiveUpdate (Symantec Corporation) (Version: 3.4.1.234)
LiveUpdate (Symantec Corporation) (Version: 3.4.1.238)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
MeadCo ScriptX (v7.0.0.8 (x86)) (Version: 7.0.8)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 5.1.20513.0)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Backward compatibility (Version: 8.05.2309)
Microsoft SQL Server 2005 Express Edition (UPSWSDBSERVER) (Version: 9.4.5000.00)
Microsoft SQL Server Native Client (Version: 9.00.5000.00)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.5000.00)
Microsoft SQL Server VSS Writer (Version: 9.00.5000.00)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Works (Version: 9.7.0621)
mIRC
MSIChecker (Version: 9.00.0000)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
NA1Messenger (Version: 16.00.0000)
Napster (Version: 4.1.0.4)
Napster Burn Engine (Version: 3.5.0000)
Norton 360 (Symantec Corporation) (Version: 2.0.0.242)
Norton 360 (Version: 2.0.0.242)
Norton 360 HTMLHelp (Version: 2.0.0.175)
Norton Confidential Core (Version: 2.6.0.3)
NRF (Version: 16.00.0000)
NVIDIA Control Panel 307.83 (Version: 307.83)
NVIDIA Drivers
NVIDIA Graphics Driver 307.83 (Version: 307.83)
NVIDIA Install Application (Version: 2.1002.109.706)
NVIDIA Update 1.10.8 (Version: 1.10.8)
NVIDIA Update Components (Version: 1.10.8)
PolicyManager (Version: 16.00.0000)
PowerDVD (Version: 7.0.3409.a)
Produtools Manuals 2.1 E1 Toolbar (Version: 6.9.0.16)
Realtek High Definition Audio Driver (Version: 6.0.1.5643)
Reconciler (Version: 16.00.0000)
ReportServer (Version: 16.00.0000)
Secunia PSI (2.0.0.4003) (Version: 2.0.0.4003)
Soft Data Fax Modem with SmartCP
SPBBC 32bit (Version: 4.1.0.15)
SupportUtility (Version: 16.00.0000)
Symantec Real Time Storage Protection Component (Version: 10.2.3.9)
Symantec Technical Support Controls (Version: 3.5.3)
SymNet (Version: 8.0.3.4)
System (Version: 16.00.0000)
UnifiedPrinting (Version: 16.00.0000)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB2836940) (Version: 1)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update Installer for WildTangent Games App
UPS WorldShip (Version: 15.0)
UPSDB (Version: 16.00.0000)
UPSICC (Version: 16.00.0000)
UPSlinkHTTP (Version: 1.0.0.13)
UPSVC2008MM (Version: 1.00.0000)
UPSVCMM (Version: 11.00.0000)
UPSVCMM (Version: 12.00.0000)
Web Protect for Windows (Version: 3.28.33)
WebHelp (Version: 1.00.0000)
WildTangent Games App (Version: 4.0.10.2)
WorldShip (Version: 16.00.0000)
WSShared (Version: 16.00.0000)
X-Script
==================== Restore Points  =========================

25-04-2013 10:01:12 Windows Update
01-05-2013 18:21:11 Scheduled Checkpoint
14-05-2013 16:38:22 Scheduled Checkpoint
16-05-2013 10:00:32 Windows Update
27-05-2013 16:51:46 Scheduled Checkpoint
04-06-2013 00:14:20 Scheduled Checkpoint
13-06-2013 10:00:37 Windows Update
19-06-2013 17:16:08 Scheduled Checkpoint
26-06-2013 17:08:58 Scheduled Checkpoint
28-06-2013 16:17:34 Scheduled Checkpoint
02-07-2013 18:02:46 Installed WebHelp
06-07-2013 10:00:48 Windows Update
11-07-2013 10:00:48 Windows Update
12-07-2013 17:34:59 Scheduled Checkpoint
18-07-2013 18:46:55 Scheduled Checkpoint
22-07-2013 23:07:54 Scheduled Checkpoint
26-07-2013 18:15:00 Scheduled Checkpoint
15-08-2013 00:14:00 Scheduled Checkpoint
15-08-2013 10:01:22 Windows Update
19-08-2013 15:35:04 Scheduled Checkpoint

==================== Hosts content: ==========================

2006-11-02 03:23 - 2006-09-18 14:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {18DFD9FC-082E-4E9B-8285-5F21D2B4EDAE} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {2D2DEC4F-74BB-4FB5-9626-21B3A60365F1} - System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries => C:\Windows\system32\pla.dll [2008-01-20] (Microsoft Corporation)
Task: {5916F864-469C-4391-8604-E4EA141A2699} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-20] ()
Task: {60460F69-EDDF-41DB-A8C4-992BBE6D1568} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\OptinNotification => C:\Windows\System32\wsqmcons.exe [2008-01-20] (Microsoft Corporation)
Task: {7C5A51E8-1AD7-48C6-8879-257A8A9609F5} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {8B0E6FAB-F43A-4988-AF0A-A21646C212F0} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {9ED703A9-5FFD-40D5-895A-4385EE1509DE} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-20] (Microsoft Corporation)
Task: {A2A51489-D70C-44DC-B765-725AA47B6F56} - System32\Tasks\Microsoft\Windows\Tcpip\WSHReset => C:\Windows\system32\schtasks.exe [2008-01-20] (Microsoft Corporation)
Task: {AF64809C-3B81-479F-928D-E920C4C9CCD2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-12-31] (Google Inc.)
Task: {BAD16A80-5DA8-4695-B22B-F874035D1B7D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-08-27] (Adobe Systems Incorporated)
Task: {C450B722-AD19-4FA0-99D3-382B2972D6B3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-12-31] (Google Inc.)
Task: {EE7E2B56-D4FE-44DD-B6D4-3EFFD973564A} - System32\Tasks\Microsoft\Windows\Defrag\ManualDefrag => C:\Windows\system32\defrag.exe [2008-01-20] (Microsoft Corp.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2008-02-25 02:34 - 2008-10-31 13:24 - 00576352 _____ (Symantec Corporation) c:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
2008-02-17 13:46 - 2008-10-17 16:52 - 00621928 _____ (Symantec Corporation) c:\Program Files\Common Files\Symantec Shared\ccL70U.dll
2008-02-17 13:37 - 2008-10-17 16:52 - 00120680 _____ (Symantec Corporation) c:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll
2008-02-17 13:37 - 2008-10-17 16:52 - 00121192 _____ (Symantec Corporation) c:\Program Files\Common Files\Symantec Shared\ccSet.dll
2008-02-17 13:37 - 2008-10-17 16:52 - 00153960 _____ (Symantec Corporation) c:\Program Files\Common Files\Symantec Shared\ccIPC.dll
2012-09-28 08:03 - 2010-05-04 12:13 - 00231424 _____ (Microsoft Corporation) C:\Windows\System32\msshsq.dll
2008-02-23 16:59 - 2008-11-10 19:50 - 00279384 _____ (Symantec Corporation) c:\Program Files\Common Files\Symantec Shared\AppCore\AppMgr32.dll
2008-02-25 08:51 - 2008-02-25 08:51 - 00557408 _____ (Symantec Corporation) C:\Program Files\Norton 360\tpShell.dll
2012-11-18 04:13 - 2013-01-31 02:00 - 00062752 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2008-01-20 19:33 - 2008-01-20 19:33 - 00206336 _____ (Microsoft Corporation) C:\Windows\System32\mstask.dll

==================== Alternate Data Streams (whitelisted) ==========

AlternateDataStreams: C:\Users\True Value\Desktop\AOL.com - Welcome to AOL.url:favicon
AlternateDataStreams: C:\Users\True Value\Desktop\FoxNews.com - Breaking News  Latest News  Current News.url:favicon
AlternateDataStreams: C:\Users\True Value\Desktop\Husqvarna - Dashboard.url:favicon
AlternateDataStreams: C:\Users\True Value\Desktop\Husqvarna.url:favicon

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (09/04/2013 00:02:57 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/04/2013 00:01:49 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/04/2013 11:05:54 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/04/2013 09:14:52 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/04/2013 09:13:50 AM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/04/2013 09:02:25 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/03/2013 06:00:29 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\TRUE VALUE\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\UNINSTALL POWERDVD.LNK> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (09/03/2013 06:00:29 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\TRUE VALUE\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\UNINSTALL POWERDVD.LNK> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (09/03/2013 06:00:28 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\TRUE VALUE\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\README.LNK> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (09/03/2013 06:00:28 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\TRUE VALUE\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\README.LNK> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)


System errors:
=============
Error: (09/04/2013 00:02:57 PM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (09/04/2013 00:02:57 PM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (09/04/2013 00:02:57 PM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (09/04/2013 00:02:57 PM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (09/04/2013 00:02:57 PM) (Source: Service Control Manager) (User: )
Description: AFD
DfsC
eeCtrl
NetBIOS
netbt
nsiproxy
PSched
RasAcd
rdbss
Smb
SPBBCDrv
spldr
SRTSPX
SymIM
SYMTDI
tdx
Wanarpv6

Error: (09/04/2013 00:02:57 PM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (09/04/2013 00:02:57 PM) (Source: Service Control Manager) (User: )
Description: IPsec Policy AgentBFE

Error: (09/04/2013 00:02:57 PM) (Source: Service Control Manager) (User: )
Description: Network Location AwarenessNetwork Store Interface Service%%1068

Error: (09/04/2013 00:02:57 PM) (Source: Service Control Manager) (User: )
Description: IKE and AuthIP IPsec Keying ModulesBFE

Error: (09/04/2013 00:02:57 PM) (Source: Service Control Manager) (User: )
Description: WebClientWebDav Client Redirector Driver%%1068


Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2013-08-31 17:36:00.590
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-31 17:36:00.325
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-31 17:36:00.060
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-31 17:35:59.794
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-31 17:35:59.529
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-31 17:35:59.280
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-31 17:35:58.952
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-31 17:35:58.687
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-31 17:35:58.422
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-31 17:35:58.156
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 45%
Total physical RAM: 893.76 MB
Available physical RAM: 486.22 MB
Total Pagefile: 2045.8 MB
Available Pagefile: 1787.45 MB
Total Virtual: 2047.88 MB
Available Virtual: 1939.63 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:139.05 GB) (Free:77.01 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive i: () (Removable) (Total:7.48 GB) (Free:7.48 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 149 GB) (Disk ID: C9AE75F4)
Partition 1: (Not Active) - (Size=10 GB) - (Type=27)
Partition 2: (Active) - (Size=139 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (Size: 8 GB) (Disk ID: 75E5A19E)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

==================== End Of Log ============================
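
The Service Control Manager entries near the end of the Addition.txt log above are worth decoding, because they line up with the original complaint (no internet after the ransomware cleanup). FRST strips the event template, so "Network List ServiceNetwork Location Awareness%%1068" is Event 7001, "The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start" (Win32 error 1068), and the bare list "AFD, DfsC, ... Wanarpv6" is Event 7026, the boot- and system-start drivers that failed to load. One caveat before reading any of this as damage: the poster confirms in the next reply that the scans were run in Safe Mode, and the fixlog later in the thread records "Boot Mode: Safe Mode (minimal)", where the networking stack is deliberately not started, so these same errors are the normal noise of a Safe Mode boot. The PowerShell below is an added example, not part of the thread and not FRST's logic: run from an elevated prompt in Normal Mode, it walks the same dependency chain and reports each service's start type, state and whether its binary is still on disk. The short names (BFE, nsi, NlaSvc, netprofm, PolicyAgent, IKEEXT, MRxDAV) are the standard service names for the display names in the log, mapped by me, not taken from the page.

```powershell
# Added example, not part of the thread or of FRST. Walks the networking service chain that the
# Service Control Manager errors in the Addition.txt log point at, from an elevated prompt.
# Assumption: run in Normal Mode; in Safe Mode (minimal) most of these are expected to be stopped.

# Event 7001 pairs from the log ("<A><B>%%1068"; 1068 = ERROR_SERVICE_DEPENDENCY_FAIL), mapped to
# short names: Network List Service = netprofm, Network Location Awareness = NlaSvc,
# Network Store Interface Service = nsi, IPsec Policy Agent = PolicyAgent,
# IKE and AuthIP IPsec Keying Modules = IKEEXT, WebDav Client Redirector Driver = MRxDAV.
$chain   = 'BFE', 'nsi', 'NlaSvc', 'netprofm', 'PolicyAgent', 'IKEEXT', 'MRxDAV', 'WebClient'
# Event 7026 (boot/system-start drivers that failed to load): the Microsoft drivers from the log.
$drivers = 'AFD', 'DfsC', 'NetBIOS', 'netbt', 'nsiproxy', 'PSched', 'RasAcd', 'rdbss', 'Smb', 'spldr', 'tdx', 'Wanarpv6'

function Resolve-ImagePath {
    param([string]$ImagePath)
    # ImagePath comes in several spellings: "\SystemRoot\system32\drivers\afd.sys",
    # "system32\DRIVERS\tdx.sys", "\??\C:\...", "%SystemRoot%\system32\svchost.exe -k NetworkService".
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    # Drop surrounding quotes and svchost-style arguments, keep only the binary.
    $p = $p -replace '^"([^"]+)".*', '$1'
    return ($p -replace '^(.+?\.(exe|sys|dll))\b.*', '$1')
}

function Get-ServiceHealth {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $reg = $null
    if (Test-Path -LiteralPath $key) { $reg = Get-ItemProperty -LiteralPath $key }
    # Win32_BaseService covers both user-mode services and kernel drivers.
    $wmi = Get-WmiObject -Query "SELECT Name, State, StartMode FROM Win32_BaseService WHERE Name = '$Name'"

    $start = $null; $depends = ''; $binary = $null; $onDisk = $false
    if ($reg) {
        # Start: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled. BFE, nsi or AFD set to 4 is tampering.
        $start   = $reg.Start
        $depends = @($reg.DependOnService) -join ','
        if ($reg.ImagePath) {
            $binary = Resolve-ImagePath ([string]$reg.ImagePath)
            if ($binary) { $onDisk = Test-Path -LiteralPath $binary }
        }
    }
    $state = 'n/a'
    if ($wmi) { $state = $wmi.State }

    New-Object PSObject -Property @{
        Name = $Name; Registered = [bool]$reg; Start = $start; State = $state
        DependsOn = $depends; Binary = $binary; OnDisk = $onDisk
    }
}

$report = foreach ($n in ($chain + $drivers)) { Get-ServiceHealth $n }
$report | Format-Table Name, Registered, Start, State, OnDisk, DependsOn, Binary -AutoSize

# Likely root causes: unregistered, disabled, binary missing, or a boot/system/auto-start entry that is stopped.
$broken = $report | Where-Object {
    (-not $_.Registered) -or (-not $_.OnDisk) -or ($_.Start -eq 4) -or
    ($_.State -eq 'Stopped' -and $_.Start -ne $null -and $_.Start -le 2)
}
if ($broken) {
    'Check these first (the bottom of the dependency chain is listed first):'
    $broken | ForEach-Object { "  $($_.Name): Start=$($_.Start) State=$($_.State) OnDisk=$($_.OnDisk) Binary=$($_.Binary)" }
} else {
    'All listed services and drivers are registered, enabled, on disk and running.'
}
```

Read the table from the bottom of the chain up: if BFE or nsi is disabled, missing or stopped, every 7001 above it is a consequence rather than a separate problem, and the fix is to restore that one entry's Start value and binary (sfc /scannow or the matching winsxs copy) rather than to chase the dependents.
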



#5 spradillac81

spradillac81
  • Topic Starter

  • Members
  • 32 posts

Posted 04 September 2013 - 02:49 PM

These scans were run in regular Safe Mode.



#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 04 September 2013 - 04:10 PM

Please run the following:

Download the attached fixlist.txt file and save it to the Desktop.

Attached File: FixList.txt (8.28KB)

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
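
The fixlist CatByte attached is reproduced in the next reply, and the items it targets are a compact catalogue of the ZeroAccess (Sirefef) footholds of that period: a service whose image path runs through `\Google\Desktop\Install\{GUID}\   \...\???\` (folder names built from spaces, dots and unprintable characters that Explorer and ordinary file APIs handle badly), the matching tree under the user's AppData\Local, a Run value named `Google Update*`, a `Desktop.ini` dropped in `C:\Windows\assembly\GAC`, and reparse points set on every file in `C:\Program Files\Windows Defender` so Defender could not load, which is why the fix ends with `DeleteJunctionsIndirectory`. The PowerShell below is an added example, not FRST's logic and not anything posted in the thread: it re-checks each of those locations after the fix and reboot so a responder can confirm nothing regenerated. The paths are the ones the fixlog lists; the `MZ` header test on Desktop.ini is my own heuristic.

```powershell
# Added example, not part of the thread or of FRST. Re-checks the ZeroAccess footholds that the
# attached fixlist removes, so the cleanup can be confirmed after the reboot.
# Assumptions: elevated Windows PowerShell in Normal Mode; the paths are the ones the fixlog lists.

function Find-ZeroAccessArtifacts {
    $findings = @()

    # 1. Reparse points on Windows Defender's own files. The folder should hold plain files;
    #    ZeroAccess tagged MpCmdRun.exe, MpSvc.dll, etc. as reparse points so Defender could not load them.
    $defender = Join-Path $env:ProgramFiles 'Windows Defender'
    if (Test-Path -LiteralPath $defender) {
        Get-ChildItem -LiteralPath $defender -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) {
                $findings += "Reparse point on $($_.FullName)"
            }
        }
    }

    # 2. The fake Google\Desktop\Install\{GUID} trees. The inner folders are named with spaces,
    #    dots and unprintable characters that Get-ChildItem may refuse, so count them with cmd's dir.
    $trees = @(
        (Join-Path $env:ProgramFiles 'Google\Desktop\Install'),
        (Join-Path $env:LOCALAPPDATA 'Google\Desktop\Install')
    )
    foreach ($dir in $trees) {
        if (Test-Path -LiteralPath $dir) {
            $entries = @(& cmd.exe /c "dir /s /b /a `"$dir`"" 2>$null)
            $findings += "Install tree present: $dir ($($entries.Count) entries)"
        }
    }

    # 3. Any service whose ImagePath points into that tree, contains a '\...\' segment,
    #    or carries control characters (the '???' FRST printed in the *etadpug entry).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $image = [string](Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($image -match 'Google\\Desktop\\Install' -or $image -match '\\\.\.\.\\' -or $image -match '[\x00-\x1f]') {
            $findings += "Suspicious service $($_.PSChildName): $image"
        }
    }

    # 4. Run values with '*' in the name (the log's "Google Update*"); no legitimate installer names one that way.
    foreach ($hive in 'HKCU', 'HKLM') {
        $run = Get-Item -LiteralPath "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run) {
            foreach ($valueName in $run.GetValueNames()) {
                if ($valueName.Contains('*')) {
                    $findings += "Run value '$valueName' in $hive = $($run.GetValue($valueName))"
                }
            }
        }
    }

    # 5. Desktop.ini dropped in the GAC root. The MZ check is my heuristic: a real .ini is text, not a PE image.
    #    (-Encoding Byte is Windows PowerShell syntax; PowerShell 7 spells it -AsByteStream.)
    $gacIni = Join-Path $env:windir 'assembly\GAC\Desktop.ini'
    if (Test-Path -LiteralPath $gacIni) {
        $head = @(Get-Content -LiteralPath $gacIni -Encoding Byte -TotalCount 2)
        $kind = 'unknown content'
        if ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) { $kind = 'PE image (MZ header)' }
        $findings += "GAC\Desktop.ini present: $kind"
    }

    return $findings
}

$hits = @(Find-ZeroAccessArtifacts)
if ($hits.Count -eq 0) { 'No ZeroAccess indicators found in the checked locations.' } else { $hits }
```

A clean result here is necessary but not sufficient: a rootkit that survived the fix would hide its own files and registry keys from a live system, so the check is most trustworthy when it agrees with a fresh FRST scan, or is run against the disk from a boot CD or another machine.
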


#7 spradillac81

spradillac81
  • Topic Starter

  • Members
  • 32 posts

Posted 04 September 2013 - 06:37 PM

OK, hope we did this right.

Fixlog report:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-09-2013 03
Ran by True Value at 2013-09-04 14:56:31 Run:1
Running from C:\Users\True Value\Desktop
Boot Mode: Safe Mode (minimal)

==============================================

Content of fixlist:
*****************
start
HKCU\...\Run: [Google Update*] -  [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
URLSearchHook: Produtools Manuals 2.1 E1 Toolbar - {36e08630-e60d-4d95-b8e2-cd1734987edc} - C:\Program Files\Produtools_Manuals_2.1_E1\prxtbProd.dll (Conduit Ltd.)
SearchScopes: HKLM - DefaultScope {04A92E07-08B7-4694-87E2-10E2FE0D638C} URL =
SearchScopes: HKCU - DefaultScope {04A92E07-08B7-4694-87E2-10E2FE0D638C} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN96218301332473238&UM=2
SearchScopes: HKCU - {04A92E07-08B7-4694-87E2-10E2FE0D638C} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN96218301332473238&UM=2
BHO: Web Protect - {2CEBF6C7-2B40-469B-B5D5-CD3F3676C3C4} - C:\Program Files\Web Protect\WebProtect.dll (WebProtect)
BHO: Produtools Manuals 2.1 E1 Toolbar - {36e08630-e60d-4d95-b8e2-cd1734987edc} - C:\Program Files\Produtools_Manuals_2.1_E1\prxtbProd.dll (Conduit Ltd.)
Toolbar: HKLM - Produtools Manuals 2.1 E1 Toolbar - {36e08630-e60d-4d95-b8e2-cd1734987edc} - C:\Program Files\Produtools_Manuals_2.1_E1\prxtbProd.dll (Conduit Ltd.)
Toolbar: HKCU -Produtools Manuals 2.1 E1 Toolbar - {36E08630-E60D-4D95-B8E2-CD1734987EDC} - C:\Program Files\Produtools_Manuals_2.1_E1\prxtbProd.dll (Conduit Ltd.)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d}\   \...\???\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
2013-08-31 15:49 - 2013-08-31 15:49 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\gUzd85a8p
2013-08-31 15:49 - 2013-08-31 15:49 - 00182272 _____ C:\Users\True Value\AppData\Roaming\J2qVx3n51Qx
2013-08-31 15:49 - 2013-08-31 15:49 - 00182272 _____ C:\ProgramData\VtJTryrxRVP
2013-08-31 15:13 - 2013-08-31 15:13 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\vGa7Lqzh
2013-08-31 15:13 - 2013-08-31 15:13 - 00182272 _____ C:\Users\True Value\AppData\Roaming\9H2xRA5VMwH
2013-08-31 15:13 - 2013-08-31 15:13 - 00182272 _____ C:\ProgramData\by6nvIHtj
2013-08-31 14:57 - 2013-08-31 14:57 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\eLQH5PAvILb
2013-08-31 14:57 - 2013-08-31 14:57 - 00182272 _____ C:\Users\True Value\AppData\Roaming\ZxzKLbiN
2013-08-31 14:57 - 2013-08-31 14:57 - 00182272 _____ C:\ProgramData\s9dlIeiPnzQ
2013-08-31 14:53 - 2013-08-31 14:53 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\OEjfryc6
2013-08-31 14:53 - 2013-08-31 14:53 - 00182272 _____ C:\Users\True Value\AppData\Roaming\NJ7NTPoa
2013-08-31 14:53 - 2013-08-31 14:53 - 00182272 _____ C:\ProgramData\lRQ4cv5B
2013-08-31 12:47 - 2013-08-31 12:47 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\8SWxrGDjJyc
2013-08-31 12:47 - 2013-08-31 12:47 - 00182272 _____ C:\Users\True Value\AppData\Roaming\WIthmIde0
2013-08-31 12:47 - 2013-08-31 12:47 - 00182272 _____ C:\ProgramData\GoR1CwFE
2013-08-31 12:31 - 2013-08-31 15:56 - 00000004 _____ C:\Users\True Value\AppData\Roaming\skype.ini
2013-08-31 12:28 - 2013-08-31 12:28 - 00182272 _____ C:\Users\TRUEVA~1\AppData\Local\AN9Z2sQD0w
2013-08-31 12:28 - 2013-08-31 12:28 - 00182272 _____ C:\Users\True Value\AppData\Roaming\UU4yAxRlPR
2013-08-31 12:28 - 2013-08-31 12:28 - 00182272 _____ C:\ProgramData\GpDpNQd4s
2013-08-31 12:27 - 2013-08-31 17:44 - 00000000 ____D C:\Users\TRUEVA~1\AppData\Local\jVv7QMPsV
2013-09-04 07:48 - 2008-11-04 11:40 - 00000199 _____ C:\Windows\wstdUPSWSHIP.INI
2013-08-31 16:10 - 2013-08-31 16:09 - 00000000 ____D C:\Program Files\Web Protect
2013-08-31 16:08 - 2013-08-31 16:08 - 00000009 _____ C:\END
2013-08-31 16:08 - 2012-11-30 14:21 - 00000000 ____D C:\Users\TRUEVA~1\AppData\Local\Conduit
C:\Windows\assembly\GAC\Desktop.ini
C:\Users\TRUEVA~1\AppData\Local\Google\Desktop\Install\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d}
C:\Program Files\Google\Desktop\Install\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d}
C:\Users\True Value\acrobat.exe
C:\Users\True Value\acrobatreader.exe
C:\Users\True Value\flashplayer.exe
C:\Users\True Value\GoToAssistDownloadHelper.exe
C:\Users\True Value\msconfig.exe
C:\Users\True Value\skype.exe
C:\Users\True Value\teamviewer.exe
C:\Users\True Value\AppData\Roaming\skype.ini
C:\Users\TRUEVA~1\AppData\Local\Temp\AdobeUpdater12345.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\launch.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\symlcsv1.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\TB_5E7C.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\{FFACBCCE-685E-4843-B4BB-1888A0C02CEA}\ISSetup.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\{FFACBCCE-685E-4843-B4BB-1888A0C02CEA}\SETUP.EXE
C:\Users\TRUEVA~1\AppData\Local\Temp\{D2BAD404-DC53-4CDC-A1FF-5BC9217709BE}\dotnetinstaller.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\{D2BAD404-DC53-4CDC-A1FF-5BC9217709BE}\{8C5BD501-AD5D-4A75-9321-076509B438FC}\isrt.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\{D2BAD404-DC53-4CDC-A1FF-5BC9217709BE}\{8C5BD501-AD5D-4A75-9321-076509B438FC}\_isres_0x0409.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\{B1B92DF9-2665-49A3-99D2-77A81801A058}\ISSetup.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\{B1B92DF9-2665-49A3-99D2-77A81801A058}\SETUP.EXE
C:\Users\TRUEVA~1\AppData\Local\Temp\{650C0E91-FD9D-466F-8C02-DE848953AECA}\dotnetinstaller.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\{650C0E91-FD9D-466F-8C02-DE848953AECA}\{8C5BD501-AD5D-4A75-9321-076509B438FC}\isrt.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\{650C0E91-FD9D-466F-8C02-DE848953AECA}\{8C5BD501-AD5D-4A75-9321-076509B438FC}\_isres_0x0409.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Artinsoft.VB6.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\BRComponent.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\BRGUI.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\BRLogger.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\DataVersionUtility.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\InstallManager.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\InstallUtility.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Interop.DBSUPPORTENGINELib.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Interop.SQLDMO.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\BPAClient.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\Launch.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\PSet.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\UpgradeValidator.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\WaitAndKill.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\DataVersionUtility.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\InstallManager.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\InstallUtility.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Interop.DBSUPPORTENGINELib.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\BPAClient.dll
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\Launch.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\PSet.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\UpgradeValidator.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\WaitAndKill.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Temp1_antimalware_stuff.zip\antimalware stuff\FRST(1).exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Low\Google Toolbar\gtb193A.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Low\Google Toolbar\gtb5DE1.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Low\Google Toolbar\gtb9E94.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Low\Google Toolbar\gtbF078.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb29CD.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb69EB.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb6E7B.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb7E4E.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb8340.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtbE10E.tmp.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\C7C2.dir\InstallFlashPlayer.exe
C:\Users\TRUEVA~1\AppData\Local\Temp\17B5.dir\InstallFlashPlayer.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
end

*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{36e08630-e60d-4d95-b8e2-cd1734987edc} => Value deleted successfully.
HKCR\CLSID\{36e08630-e60d-4d95-b8e2-cd1734987edc} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{04A92E07-08B7-4694-87E2-10E2FE0D638C} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{04A92E07-08B7-4694-87E2-10E2FE0D638C} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2CEBF6C7-2B40-469B-B5D5-CD3F3676C3C4} => Key deleted successfully.
HKCR\CLSID\{2CEBF6C7-2B40-469B-B5D5-CD3F3676C3C4} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36e08630-e60d-4d95-b8e2-cd1734987edc} => Key deleted successfully.
HKCR\CLSID\{36e08630-e60d-4d95-b8e2-cd1734987edc} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{36e08630-e60d-4d95-b8e2-cd1734987edc} => Value deleted successfully.
HKCR\CLSID\{36e08630-e60d-4d95-b8e2-cd1734987edc} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{36E08630-E60D-4D95-B8E2-CD1734987EDC} => Value deleted successfully.
HKCR\CLSID\{36E08630-E60D-4D95-B8E2-CD1734987EDC} => Key not found.
*etadpug => Service deleted successfully.
C:\Users\TRUEVA~1\AppData\Local\gUzd85a8p => Moved successfully.
C:\Users\True Value\AppData\Roaming\J2qVx3n51Qx => Moved successfully.
C:\ProgramData\VtJTryrxRVP => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\vGa7Lqzh => Moved successfully.
C:\Users\True Value\AppData\Roaming\9H2xRA5VMwH => Moved successfully.
C:\ProgramData\by6nvIHtj => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\eLQH5PAvILb => Moved successfully.
C:\Users\True Value\AppData\Roaming\ZxzKLbiN => Moved successfully.
C:\ProgramData\s9dlIeiPnzQ => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\OEjfryc6 => Moved successfully.
C:\Users\True Value\AppData\Roaming\NJ7NTPoa => Moved successfully.
C:\ProgramData\lRQ4cv5B => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\8SWxrGDjJyc => Moved successfully.
C:\Users\True Value\AppData\Roaming\WIthmIde0 => Moved successfully.
C:\ProgramData\GoR1CwFE => Moved successfully.
C:\Users\True Value\AppData\Roaming\skype.ini => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\AN9Z2sQD0w => Moved successfully.
C:\Users\True Value\AppData\Roaming\UU4yAxRlPR => Moved successfully.
C:\ProgramData\GpDpNQd4s => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\jVv7QMPsV => Moved successfully.
C:\Windows\wstdUPSWSHIP.INI => Moved successfully.
C:\Program Files\Web Protect => Moved successfully.
C:\END => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Conduit => Moved successfully.
C:\Windows\assembly\GAC\Desktop.ini => Moved successfully.

"C:\Users\TRUEVA~1\AppData\Local\Google\Desktop\Install\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d}" directory move:

Could not move "C:\Users\TRUEVA~1\AppData\Local\Google\Desktop\Install\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d}" directory. => Scheduled to move on reboot.


"C:\Program Files\Google\Desktop\Install\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d}" directory move:

Could not move "C:\Program Files\Google\Desktop\Install\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d}" directory. => Scheduled to move on reboot.

C:\Users\True Value\acrobat.exe => Moved successfully.
C:\Users\True Value\acrobatreader.exe => Moved successfully.
C:\Users\True Value\flashplayer.exe => Moved successfully.
C:\Users\True Value\GoToAssistDownloadHelper.exe => Moved successfully.
C:\Users\True Value\msconfig.exe => Moved successfully.
C:\Users\True Value\skype.exe => Moved successfully.
C:\Users\True Value\teamviewer.exe => Moved successfully.
"C:\Users\True Value\AppData\Roaming\skype.ini" => File/Directory not found.
C:\Users\TRUEVA~1\AppData\Local\Temp\AdobeUpdater12345.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\FlashPlayerUpdate.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\InstallFlashPlayer.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\launch.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\SearchWithGoogleUpdate.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\symlcsv1.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\TB_5E7C.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\{FFACBCCE-685E-4843-B4BB-1888A0C02CEA}\ISSetup.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\{FFACBCCE-685E-4843-B4BB-1888A0C02CEA}\SETUP.EXE => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\{D2BAD404-DC53-4CDC-A1FF-5BC9217709BE}\dotnetinstaller.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\{D2BAD404-DC53-4CDC-A1FF-5BC9217709BE}\{8C5BD501-AD5D-4A75-9321-076509B438FC}\isrt.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\{D2BAD404-DC53-4CDC-A1FF-5BC9217709BE}\{8C5BD501-AD5D-4A75-9321-076509B438FC}\_isres_0x0409.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\{B1B92DF9-2665-49A3-99D2-77A81801A058}\ISSetup.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\{B1B92DF9-2665-49A3-99D2-77A81801A058}\SETUP.EXE => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\{650C0E91-FD9D-466F-8C02-DE848953AECA}\dotnetinstaller.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\{650C0E91-FD9D-466F-8C02-DE848953AECA}\{8C5BD501-AD5D-4A75-9321-076509B438FC}\isrt.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\{650C0E91-FD9D-466F-8C02-DE848953AECA}\{8C5BD501-AD5D-4A75-9321-076509B438FC}\_isres_0x0409.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Artinsoft.VB6.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\BRComponent.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\BRGUI.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\BRLogger.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\DataVersionUtility.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\InstallManager.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\InstallUtility.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Interop.DBSUPPORTENGINELib.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Interop.SQLDMO.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\BPAClient.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\Launch.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\PSet.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\UpgradeValidator.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS16\Resources\WaitAndKill.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\DataVersionUtility.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\InstallManager.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\InstallUtility.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Interop.DBSUPPORTENGINELib.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\BPAClient.dll => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\Launch.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\PSet.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\UpgradeValidator.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\WS15\Resources\WaitAndKill.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\Temp1_antimalware_stuff.zip\antimalware stuff\FRST(1).exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\Low\Google Toolbar\gtb193A.tmp.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\Low\Google Toolbar\gtb5DE1.tmp.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\Low\Google Toolbar\gtb9E94.tmp.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\Low\Google Toolbar\gtbF078.tmp.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb29CD.tmp.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb69EB.tmp.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb6E7B.tmp.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb7E4E.tmp.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtb8340.tmp.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\Google Toolbar\gtbE10E.tmp.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\C7C2.dir\InstallFlashPlayer.exe => Moved successfully.
C:\Users\TRUEVA~1\AppData\Local\Temp\17B5.dir\InstallFlashPlayer.exe => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtMon.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtPlug.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSigDwn.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSoftEx.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

=========== Result of Scheduled Files to move ===========

C:\Users\TRUEVA~1\AppData\Local\Google\Desktop\Install\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d} => Is moved successfully.
C:\Program Files\Google\Desktop\Install\{e9cbbfa1-857b-7a18-9b92-16414edd3d5d} => Is moved successfully.

==== End of Fixlog ====
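The Fixlog above ends with FRST deleting reparse points from C:\Program Files\Windows Defender. A stock Defender directory holds ordinary files and folders, so a reparse point (junction or symbolic link) sitting where one of those files should be means that path is being redirected somewhere else and deserves a look. The scanner below is an added example, not code from this thread and not part of FRST; it walks a directory without following links and reports every reparse point it meets. On Windows it reads the FILE_ATTRIBUTE_REPARSE_POINT bit from os.lstat(); on other platforms it falls back to symlink detection, and demo() builds a small constructed tree (file and folder names borrowed from the Fixlog, with a symlink standing in for a hijacked component) so the code can be exercised anywhere.

```python
"""Find reparse points (junctions / symbolic links) under a directory tree.

Added example for the thread above; not FRST's code. A Defender directory
should contain ordinary files, so any reparse point found there is worth
checking. The demo tree is constructed for illustration only.
"""
import os
import stat
import tempfile
from typing import Dict, List

# Windows file-attribute bit that marks junctions, symlinks and mount points.
FILE_ATTRIBUTE_REPARSE_POINT = 0x0400


def is_reparse_point(path: str) -> bool:
    """True if *path* itself is a reparse point (Windows) or a symlink (elsewhere)."""
    st = os.lstat(path)  # lstat inspects the entry, not whatever it points at
    attrs = getattr(st, "st_file_attributes", None)  # only present on Windows
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)
    return stat.S_ISLNK(st.st_mode)


def find_reparse_points(root: str) -> List[str]:
    """Walk *root* without following links; return every reparse point, sorted."""
    found: List[str] = []
    if is_reparse_point(root):
        found.append(root)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                if is_reparse_point(full):
                    found.append(full)
            except OSError:
                continue  # access denied or vanished; rerun elevated to be sure
    return sorted(found)


def demo() -> Dict[str, object]:
    """Build a constructed tree in a temp dir, scan it and summarise the result.

    On Windows, creating the symlink may need administrator rights.
    """
    base = tempfile.mkdtemp(prefix="reparse_demo_")
    os.makedirs(os.path.join(base, "en-US"))              # ordinary subfolder
    real = os.path.join(base, "MpCmdRun.exe")             # ordinary file
    with open(real, "wb") as fh:
        fh.write(b"MZ")                                   # placeholder bytes, not a binary
    link = os.path.join(base, "MpClient.dll")             # a link where a DLL should be
    os.symlink(real, link)
    hits = find_reparse_points(base)
    return {
        "base": base,
        "hits": [os.path.relpath(h, base) for h in hits],
        "regular_file_is_reparse": is_reparse_point(real),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\Windows Defender"
    for hit in find_reparse_points(target):
        print("reparse point:", hit)
```

Run it with the directory to check as the only argument; with no argument it scans the Defender path from the Fixlog. A hit is a reason to look at where the link leads, not proof of infection on its own, because some software does legitimately use junctions.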


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:54 PM

Posted 04 September 2013 - 08:42 PM

That looks like it did what we needed it to do.

We still have more work to do though, so stick with me till the end.

Please run the following:

Download ComboFix from the following location:
Link

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

CF_RC_notice.png
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
cfRC_screen_2.png
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 spradillac81

spradillac81
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:04:54 PM

Posted 05 September 2013 - 11:16 PM

Sorry, we haven't been able to run the last task yet. Will be able to tomorrow morning (Friday). Sorry for the delay!



#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:54 PM

Posted 06 September 2013 - 10:48 AM

No problem :)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 spradillac81

spradillac81
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:04:54 PM

Posted 09 September 2013 - 07:13 PM

ComboFix 13-09-04.04 - True Value 09/05/2013 15:57:30.1.1 - x86 MINIMAL
Microsoft® Windows Vista Home Basic 6.0.6002.2.1252.1.1033.18.894.482 [GMT -7:00]
Running from: c:\users\True Value\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\PFRO.log
c:\windows\Update.bat
.
.
((((((((((((((((((((((((( Files Created from 2013-08-05 to 2013-09-05 )))))))))))))))))))))))))))))))
.
.
2013-09-04 19:02 . 2013-09-04 23:04 -------- d-----w- C:\FRST
2013-09-02 19:12 . 2013-09-02 19:12 -------- d-----w- c:\program files\HitmanPro
2013-09-02 19:11 . 2013-09-03 23:49 -------- d-----w- c:\programdata\HitmanPro
2013-08-31 23:10 . 2013-08-31 23:10 -------- d-----w- c:\program files\FileOpenerPro
2013-08-31 23:10 . 2013-08-31 23:10 -------- d-----w- c:\program files\privoxy
2013-08-31 23:08 . 2013-09-01 00:42 -------- d-----w- c:\users\True Value\AppData\Local\SwvUpdater
2013-08-15 10:30 . 2013-08-15 10:39 -------- d-----w- c:\windows\system32\MRT
2013-08-14 23:41 . 2013-06-15 13:22 15872 ----a-w- c:\windows\system32\icaapi.dll
2013-08-14 23:41 . 2013-06-15 11:23 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-08-14 23:41 . 2013-07-05 04:53 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-14 23:41 . 2013-07-17 19:41 2048 ----a-w- c:\windows\system32\tzres.dll
2013-08-14 23:41 . 2013-07-10 09:47 783360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-08-14 23:41 . 2013-07-08 04:55 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-14 23:41 . 2013-07-08 04:55 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-14 23:41 . 2013-07-09 12:10 1205168 ----a-w- c:\windows\system32\ntdll.dll
2013-08-14 23:41 . 2013-07-08 04:16 992768 ----a-w- c:\windows\system32\crypt32.dll
2013-08-14 23:41 . 2013-07-08 04:20 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-08-14 23:41 . 2013-07-08 04:16 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-14 23:41 . 2013-07-08 04:16 133120 ----a-w- c:\windows\system32\cryptsvc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-27 23:15 . 2012-04-07 14:56 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-27 23:15 . 2011-12-31 17:29 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2008-11-03 23:56 157168 ----a-w- c:\programdata\Partner\partner.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-31 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-25 988512]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Skytel"="Skytel.exe" [2008-07-23 1826816]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2013-03-07 30744]
"Privoxy"="c:\program files\privoxy\starthelp.exe" [2013-08-26 51115]
.
c:\users\True Value\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe /atstartup [2008-8-7 2342912]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-13 291896]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2012-12-5 415328]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2012-12-5 40472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2013-07-08 19:17 13672 ----a-w- c:\program files\Citrix\GoToAssist\822\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-08-27 23:15]
.
2013-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-31 17:51]
.
2013-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-31 17:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vb32&d=0808&m=et1161-01
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-eRecoveryService - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-wp-adk - c:\program files\Web Protect\wp-adk_uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-05 16:10
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-09-05 16:12:52
ComboFix-quarantined-files.txt 2013-09-05 23:12
.
Pre-Run: 82,551,635,968 bytes free
Post-Run: 83,020,365,824 bytes free
.
- - End Of File - - 0965B94AC3DBECA24D5E80E61FB8E8D1
8C9F9E03865C35F0F3829A23CDA42F5D
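The "Reg Loading Points" section of the ComboFix log above is the part to read first when a machine still has no internet access after cleanup: it lists what starts with Windows or with the browser. The parser below is an added example, not part of this thread and not ComboFix's own code. It reads the two line shapes ComboFix uses in that section (Run values with a date and size in brackets, and file lines under keys such as Browser Helper Objects) and applies three triage heuristics: a bare file name with no directory, a binary living in a user-writable location, and a binary dated within 30 days of the scan. The sample input is copied from the log above, and the scan date 2013-09-05 comes from its "Completion time" line; the 30-day window is an assumption chosen for the example.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log and flag autostarts.

Added example for the thread above; not ComboFix's code. The flags are triage
heuristics (a reason to look, not a verdict): vendor utilities are often
registered by bare name, and a freshly installed legitimate program is also
"recent".
"""
import re
from datetime import date, timedelta
from typing import Any, Dict, List, Optional

# Sample input: a subset of the Reg Loading Points section posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2008-11-03 23:56 157168 ----a-w- c:\programdata\Partner\partner.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-31 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Privoxy"="c:\program files\privoxy\starthelp.exe" [2013-08-26 51115]
"""

SCAN_DATE = date(2013, 9, 5)  # from the log's "Completion time" line
RECENT_DAYS = 30              # assumption for this example

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "Name"="path" [YYYY-MM-DD size]
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)
# YYYY-MM-DD HH:MM size attrs path  (file lines under BHO / Winlogon notify keys)
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+)$"
)
# Directory markers a standard user can write to (matched on the lowercased path).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\")


def parse_loading_points(text: str) -> List[Dict[str, Any]]:
    """Return one dict per autostart entry: key, name, path, date, size."""
    entries: List[Dict[str, Any]] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix separates blocks with "."
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line) or FILE_RE.match(line)
        if m:
            d = m.groupdict()
            entries.append({
                "key": current_key,
                "name": d.get("name", ""),    # file-style lines carry no value name
                "path": d["path"],
                "date": d["date"],
                "size": int(d["size"]),
            })
    return entries


def flag_entry(entry: Dict[str, Any], scan_date: date, recent_days: int) -> List[str]:
    """Apply the three heuristics; an empty list means nothing stood out."""
    reasons: List[str] = []
    path = entry["path"].lower()
    if "\\" not in path:
        reasons.append("bare file name: resolved through the search path, not an absolute path")
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("binary lives in a user-writable location")
    if scan_date - date.fromisoformat(entry["date"]) <= timedelta(days=recent_days):
        reasons.append(f"binary dated within {recent_days} days of the scan")
    return reasons


def triage(text: str, scan_date: date, recent_days: int = RECENT_DAYS) -> Dict[str, List[str]]:
    """Map value name (or path, for file lines) -> reasons, for flagged entries only."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_loading_points(text):
        reasons = flag_entry(entry, scan_date, recent_days)
        if reasons:
            flagged[entry["name"] or entry["path"]] = reasons
    return flagged


def demo() -> Dict[str, List[str]]:
    """Run the triage over the sample copied from the log above."""
    return triage(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    for item, reasons in demo().items():
        print(item)
        for r in reasons:
            print("   -", r)
```

On the sample this singles out the BHO in c:\programdata, the bare-name RtHDVCpl entry, and the Privoxy starter dated nine days before the scan, which the "Files Created" section above shows arriving in the same minute as FileOpenerPro. Google Toolbar and Adobe ARM pass all three tests. A local proxy added by a bundled installer is exactly the sort of entry worth examining on a machine whose browser stopped reaching the internet, which is why the recency check is included alongside the location checks.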

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:54 PM

Posted 09 September 2013 - 08:04 PM

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Clean
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply
NEXT
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 spradillac81

spradillac81
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:04:54 PM

Posted 10 September 2013 - 05:53 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.9 (09.07.2013:1)
OS: Windows Vista ™ Home Basic x86
Ran by True Value on Tue 09/10/2013 at 10:11:24.47
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\kt_bho_dll.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduitsearchscopes
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\pricegong
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\whitesmoke_new
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\toolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\kt_bho.kettlebho
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\kt_bho.kettlebho.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3253926



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\partner"
Successfully deleted: [Folder] "C:\Users\True Value\appdata\local\swvupdater"
Successfully deleted: [Folder] "C:\Users\True Value\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Users\True Value\appdata\locallow\pricegong"
Successfully deleted: [Folder] "C:\Users\True Value\appdata\locallow\whitesmoke_new"
Successfully deleted: [Folder] "C:\Program Files\bigfix"
Successfully deleted: [Folder] "C:\Program Files\conduit"
Successfully deleted: [Folder] "C:\Program Files\fileopenerpro"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 09/10/2013 at 10:22:12.23
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#14 spradillac81

spradillac81
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:04:54 PM

Posted 10 September 2013 - 05:56 PM

So Internet Explorer is still not working, which might make running Malwarebytes difficult if it cannot update the malware definitions. Will run AdwCleaner tomorrow, but the previous log was from JRT. Thanks for the help so far though.

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:54 PM

Posted 10 September 2013 - 08:23 PM

Try resetting IE back to default:

http://support.microsoft.com/kb/923737

Use the FixIt button

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




