
Had several rootkits, want to make sure everything is clean


  • This topic is locked
26 replies to this topic

#1 silentcommit

silentcommit

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:01 PM

Posted 07 September 2013 - 09:49 AM

I recently ran an avast boot scan and several rootkits were shown. I used avast to clean them, but the computer is still having some problems. Several services were disabled, such as Windows Update, firewall, BITS, etc. I've tried to restore them; Windows Update is working but will only update about half of the possibilities, and I can't get the BITS or firewall services restored. I would like some help to make sure the computer is completely clean before further troubleshooting. Thanks very much.

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457  BrowserJavaVersion: 10.25.2
Run by Carrie at 9:37:05 on 2013-09-07
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2663.1577 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\Dwm.exe
C:\windows\system32\taskhost.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\windows\system32\lxdqcoms.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\TODDSrv.exe
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\SymcPCCULaunchSvc.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.facebook.com/
uDefault_Page_URL = hxxp://start.toshiba.com/g/
uProxyOverride = <local>
uURLSearchHooks: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - <orphaned>
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Arcadesafari BHO: {adff4c9a-4f49-4a1f-8885-360e107b7938} -
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun: [NPSStartup] <no file>
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{84C12B02-1015-4B74-9541-2E439C66FB89} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{84C12B02-1015-4B74-9541-2E439C66FB89}\2375942554832303 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{84C12B02-1015-4B74-9541-2E439C66FB89}\64169627669656C6460294E6E6 : DHCPNameServer = 207.230.75.34 207.230.75.50 8.8.8.8
TCP: Interfaces\{84C12B02-1015-4B74-9541-2E439C66FB89}\84F6C6964616970294E6E60254870727563737 : DHCPNameServer = 24.177.176.38 24.197.160.18
TCP: Interfaces\{84C12B02-1015-4B74-9541-2E439C66FB89}\C696E6B6379737 : DHCPNameServer = 24.159.64.23 24.217.201.67 66.189.0.100 192.168.1.1
TCP: Interfaces\{84C12B02-1015-4B74-9541-2E439C66FB89}\D4364416E69656C6 : DHCPNameServer = 192.168.254.254 192.168.254.254
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.62\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\office15\GROOVEEX.DLL
x64-TB: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\windows\System32\drivers\amd_sata.sys [2011-6-8 75904]
R0 amd_xata;amd_xata;C:\windows\System32\drivers\amd_xata.sys [2011-6-8 38016]
R0 aswRvrt;aswRvrt;C:\windows\System32\drivers\aswRvrt.sys [2013-8-31 65336]
R0 aswVmm;aswVmm;C:\windows\System32\drivers\aswVmm.sys [2013-8-31 189936]
R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\System32\drivers\MpFilter.sys [2013-6-18 247216]
R1 aswSnx;aswSnx;C:\windows\System32\drivers\aswSnx.sys [2013-8-31 1030952]
R1 aswSP;aswSP;C:\windows\System32\drivers\aswSP.sys [2013-8-31 378944]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2011-6-8 203776]
R2 aswFsBlk;aswFsBlk;C:\windows\System32\drivers\aswFsBlk.sys [2013-8-31 33400]
R2 aswMonFlt;aswMonFlt;C:\windows\System32\drivers\aswMonFlt.sys [2013-8-31 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-8-31 46808]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 lxdq_device;lxdq_device;C:\windows\System32\lxdqcoms.exe -service --> C:\windows\System32\lxdqcoms.exe -service [?]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-11 418376]
R2 NisDrv;Microsoft Network Inspection System;C:\windows\System32\drivers\NisDrvWFP.sys [2013-6-18 139616]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\SymcPCCULaunchSvc.exe [2011-6-8 135608]
R2 OfficeSvc;Microsoft Office Service;C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [2013-7-3 1900728]
R2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2013-3-22 93072]
R3 FwLnk;FwLnk Driver;C:\windows\System32\drivers\FwLnk.sys [2011-6-8 9216]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\System32\drivers\L1C62x64.sys [2010-9-27 76912]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2011-8-1 25928]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-6-20 366600]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2011-6-8 38096]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\System32\drivers\rtl8192ce.sys [2011-6-8 1109096]
S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;C:\windows\System32\spool\drivers\x64\3\lxdqserv.exe [2009-4-28 29184]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-11 701512]
S2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe [2011-6-8 126392]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-7-28 1153368]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2013-6-1 178760]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2011-6-8 243712]
S3 TFsExDisk;TFsExDisk;C:\windows\System32\drivers\TFsExDisk.sys [2011-12-26 16448]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2011-6-8 51576]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2011-7-20 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-09-07 12:45:08 965008 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{94551378-51AD-4E74-9893-F505A1CA9EBE}\gapaengine.dll
2013-09-07 12:44:38 9515512 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{69BA9534-253A-4CA0-B4AE-1D7EDF6DAFC6}\mpengine.dll
2013-09-07 12:31:27 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2013-09-07 12:31:18 -------- d-----w- C:\Program Files\Microsoft Security Client
2013-09-07 05:58:06 -------- d-----w- C:\windows\System32\MRT
2013-08-31 23:58:28 72016 ----a-w- C:\windows\System32\drivers\aswRdr2.sys
2013-08-31 23:58:27 189936 ----a-w- C:\windows\System32\drivers\aswVmm.sys
2013-08-31 23:58:27 1030952 ----a-w- C:\windows\System32\drivers\aswSnx.sys
2013-08-31 23:58:25 65336 ----a-w- C:\windows\System32\drivers\aswRvrt.sys
2013-08-31 23:58:23 80816 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2013-08-31 23:57:30 41664 ----a-w- C:\windows\avastSS.scr
2013-08-31 04:03:28 867240 ----a-w- C:\windows\SysWow64\npDeployJava1.dll
2013-08-31 04:03:12 96168 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
.
==================== Find3M  ====================
.
2013-08-31 04:02:57 789416 ----a-w- C:\windows\SysWow64\deployJava1.dll
2013-06-19 02:50:08 247216 ----a-w- C:\windows\System32\drivers\MpFilter.sys
2013-06-19 02:50:08 139616 ----a-w- C:\windows\System32\drivers\NisDrvWFP.sys
2013-06-10 12:08:10 278800 ------w- C:\windows\System32\MpSigStub.exe
.
============= FINISH:  9:38:40.00 ===============
 

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:01 AM

Posted 08 September 2013 - 04:50 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again, I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

Regards,
Georgi




#3 silentcommit

silentcommit
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:01 PM

Posted 09 September 2013 - 07:09 AM

Thanks for your help:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-09-2013
Ran by Carrie (administrator) on CARRIE-PC on 09-09-2013 07:00:57
Running from C:\Users\Carrie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZZWJGCKV
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(AMD) C:\windows\system32\atiesrxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
( ) C:\windows\system32\lxdqcoms.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
(TOSHIBA Corporation) C:\windows\system32\TODDSrv.exe
(TomTom) C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(AMD) C:\windows\system32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\SymcPCCULaunchSvc.exe
(Microsoft Corporation) C:\Users\Carrie\AppData\Local\Temp\{00718839-FB46-4F4C-ABF2-6BBC0DE3062B}\Setup.exe
(Microsoft Corporation) C:\windows\system32\msiexec.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] -
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029\n. ATTENTION! ====> ZeroAccess?
HKLM\...\Policies\Explorer: [NoActiveDesktop] 1
HKLM\...\Policies\Explorer: [NoActiveDesktopChanges] 1
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-3547224266-3633241506-1922221131-1001\$396bc10f298855c1bcfdd01a8cd3c029\n. ATTENTION! ====> ZeroAccess?
MountPoints2: {0b373d41-b926-11e0-a679-00266cc4ba16} - E:\LaunchU3.exe -a
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [NPSStartup] -  [x]
HKLM-x32\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4858968 2013-05-09] (AVAST Software)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.facebook.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.toshiba.com/g/
URLSearchHook: (No Name) - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} -  No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2260173
SearchScopes: HKCU - {167330B3-1CB8-4C46-93DD-3F2603B0E8E1} URL =
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
BHO: avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
BHO-x32: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Arcadesafari BHO - {adff4c9a-4f49-4a1f-8885-360e107b7938} - C:\Windows\\SysWOW64\mscoree.dll (Microsoft Corporation)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM-x32 - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} -  No File
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {BEA7310D-06C4-4339-A784-DC3804819809} http://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 10 mswsock.dll File Not found (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Chrome:
=======
CHR HomePage: hxxp://mysearch.avg.com/?cid={8B748D9D-EED4-47E8-B212-6FB598386A83}&mid=696c9b3edd7647d3926ad16f2a2053e5-a05584d13206e4493aa386783604a1f5d423f1e9&lang=en&ds=am011&pr=sa&d=2013-07-12 22:29:42&v=15.3.0.11&pid=safeguard&sg=0&sap=hp
CHR RestoreOnStartup: "hxxp://www.google.com/"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.60\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.200.2) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U20) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Unity Player) - C:\Users\Carrie\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Plugin: (Shockwave for Director) - C:\windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
CHR Extension: (Chrome In-App Payments service) - C:\Users\Carrie\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.10_0
CHR HKLM-x32\...\Chrome\Extension: [fdeikhckcedpnofpmfaakfhppidegbcp] - C:\Users\Carrie\AppData\Local\CRE\fdeikhckcedpnofpmfaakfhppidegbcp.crx

==================== Services (Whitelisted) =================

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-05-09] (AVAST Software)
S2 lxdqCATSCustConnectService; C:\windows\system32\spool\DRIVERS\x64\3\\lxdqserv.exe [29184 2009-04-28] (Lexmark International, Inc.)
R2 lxdq_device; C:\windows\system32\lxdqcoms.exe [1039872 2007-11-28] ( )
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\SymcPCCULaunchSvc.exe [135608 2011-12-07] (Symantec Corporation)
R2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [1900728 2013-06-09] (Microsoft Corporation)
S2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe [126392 2011-02-03] (Symantec Corporation)
S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

==================== Drivers (Whitelisted) ====================

R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [33400 2013-05-09] (AVAST Software)
R2 aswMonFlt; C:\windows\system32\drivers\aswMonFlt.sys [80816 2013-05-09] (AVAST Software)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [72016 2013-05-09] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65336 2013-05-09] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [1030952 2013-08-31] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [378944 2013-08-31] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [64288 2013-05-09] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [189936 2013-08-31] ()
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-09 07:00 - 2013-09-09 07:00 - 00000000 ____D C:\FRST
2013-09-07 09:39 - 2013-09-07 09:39 - 00021696 _____ C:\Users\Carrie\Desktop\attach.txt
2013-09-07 09:39 - 2013-09-07 09:38 - 00016206 _____ C:\Users\Carrie\Desktop\dds.txt
2013-09-07 09:36 - 2013-09-07 09:36 - 00688992 ____R (Swearware) C:\Users\Carrie\Desktop\dds.com
2013-09-07 08:13 - 2013-09-07 08:15 - 04745728 _____ (AVAST Software) C:\Users\Carrie\Desktop\iexplore.exe.exe
2013-09-07 07:40 - 2013-09-07 07:40 - 00181064 _____ (Sysinternals) C:\windows\PSEXESVC.EXE
2013-09-07 07:39 - 2013-09-07 07:39 - 00003274 _____ C:\Users\Carrie\Desktop\EventSystemWin7.reg
2013-09-07 07:34 - 2012-10-17 18:28 - 00171608 _____ (Sysinternals - www.sysinternals.com) C:\windows\system32\pspasswd.exe
2013-09-07 07:34 - 2012-10-02 14:03 - 00167048 _____ (Sysinternals - www.sysinternals.com) C:\windows\system32\psping.exe
2013-09-07 07:34 - 2012-10-01 09:23 - 00066582 _____ C:\windows\system32\Pstools.chm
2013-09-07 07:34 - 2012-06-21 23:34 - 00468592 _____ (Sysinternals - www.sysinternals.com) C:\windows\system32\pskill.exe
2013-09-07 07:34 - 2012-03-22 15:53 - 00232232 _____ (Sysinternals - www.sysinternals.com) C:\windows\system32\pslist.exe
2013-09-07 07:34 - 2010-04-27 11:04 - 00390520 _____ (Sysinternals - www.sysinternals.com) C:\windows\system32\PsInfo.exe
2013-09-07 07:34 - 2010-04-27 11:04 - 00381816 _____ (Sysinternals - www.sysinternals.com) C:\windows\system32\PsExec.exe
2013-09-07 07:34 - 2010-04-27 11:04 - 00333176 _____ (Sysinternals - www.sysinternals.com) C:\windows\system32\PsGetsid.exe
2013-09-07 07:34 - 2010-04-27 11:04 - 00183160 _____ (Sysinternals - www.sysinternals.com) C:\windows\system32\PsLoggedon.exe
2013-09-07 07:34 - 2010-04-27 11:04 - 00178040 _____ (Sysinternals - www.sysinternals.com) C:\windows\system32\psloglist.exe
2013-09-07 07:34 - 2010-04-27 11:04 - 00169848 _____ (Sysinternals - www.sysinternals.com) C:\windows\system32\PsService.exe
2013-09-07 07:34 - 2007-11-06 09:17 - 00000039 _____ C:\windows\system32\psversion.txt
2013-09-07 07:34 - 2006-12-04 17:53 - 00207664 _____ (Sysinternals - www.sysinternals.com) C:\windows\system32\psshutdown.exe
2013-09-07 07:34 - 2006-12-04 17:53 - 00187184 _____ (Sysinternals) C:\windows\system32\pssuspend.exe
2013-09-07 07:34 - 2006-12-04 17:53 - 00105264 _____ (Sysinternals) C:\windows\system32\psfile.exe
2013-09-07 07:34 - 2006-07-28 09:32 - 00007005 _____ C:\windows\system32\Eula.txt
2013-09-07 07:32 - 2013-09-09 07:01 - 00001945 _____ C:\windows\epplauncher.mif
2013-09-07 07:29 - 2013-09-07 07:29 - 01658191 _____ C:\Users\Carrie\Desktop\PSTools.zip
2013-09-07 00:58 - 2013-09-07 01:03 - 00000000 ____D C:\windows\system32\MRT
2013-09-07 00:13 - 2013-07-24 22:54 - 17830400 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2013-09-07 00:13 - 2013-07-24 22:37 - 02312704 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2013-09-07 00:13 - 2013-07-24 22:35 - 10926080 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2013-09-07 00:13 - 2013-07-24 22:31 - 01346560 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2013-09-07 00:13 - 2013-07-24 22:30 - 01392128 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2013-09-07 00:13 - 2013-07-24 22:29 - 01494528 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2013-09-07 00:13 - 2013-07-24 22:29 - 00237056 _____ (Microsoft Corporation) C:\windows\system32\url.dll
2013-09-07 00:13 - 2013-07-24 22:29 - 00086016 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2013-09-07 00:13 - 2013-07-24 22:28 - 02147840 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2013-09-07 00:13 - 2013-07-24 22:28 - 00816640 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2013-09-07 00:13 - 2013-07-24 22:28 - 00729088 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2013-09-07 00:13 - 2013-07-24 22:28 - 00599040 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2013-09-07 00:13 - 2013-07-24 22:28 - 00173056 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2013-09-07 00:13 - 2013-07-24 22:27 - 02382848 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2013-09-07 00:13 - 2013-07-24 22:27 - 00096768 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2013-09-07 00:13 - 2013-07-24 22:26 - 00248320 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2013-09-07 00:13 - 2013-07-24 21:40 - 12334080 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2013-09-07 00:13 - 2013-07-24 21:32 - 01800704 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2013-09-07 00:13 - 2013-07-24 21:26 - 01129472 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2013-09-07 00:13 - 2013-07-24 21:26 - 01104384 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2013-09-07 00:13 - 2013-07-24 21:25 - 01427968 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2013-09-07 00:13 - 2013-07-24 21:24 - 00231936 _____ (Microsoft Corporation) C:\windows\SysWOW64\url.dll
2013-09-07 00:13 - 2013-07-24 21:24 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2013-09-07 00:13 - 2013-07-24 21:23 - 01796096 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2013-09-07 00:13 - 2013-07-24 21:23 - 00717824 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2013-09-07 00:13 - 2013-07-24 21:23 - 00607744 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2013-09-07 00:13 - 2013-07-24 21:23 - 00420864 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2013-09-07 00:13 - 2013-07-24 21:23 - 00142848 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2013-09-07 00:13 - 2013-07-24 21:22 - 02382848 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2013-09-07 00:13 - 2013-07-24 21:22 - 00176640 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2013-09-07 00:13 - 2013-07-24 21:22 - 00073216 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2013-09-07 00:12 - 2013-07-24 21:30 - 09738752 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2013-09-07 00:10 - 2012-12-07 08:20 - 00441856 _____ (Microsoft Corporation) C:\windows\system32\Wpc.dll
2013-09-07 00:10 - 2012-12-07 08:15 - 02746368 _____ (Microsoft Corporation) C:\windows\system32\gameux.dll
2013-09-07 00:10 - 2012-12-07 07:26 - 00308736 _____ (Microsoft Corporation) C:\windows\SysWOW64\Wpc.dll
2013-09-07 00:10 - 2012-12-07 07:20 - 02576384 _____ (Microsoft Corporation) C:\windows\SysWOW64\gameux.dll
2013-09-07 00:10 - 2012-12-07 06:20 - 00045568 _____ (Microsoft) C:\windows\system32\oflc-nz.rs
2013-09-07 00:10 - 2012-12-07 06:20 - 00044544 _____ (Microsoft) C:\windows\system32\pegibbfc.rs
2013-09-07 00:10 - 2012-12-07 06:20 - 00043520 _____ (Microsoft) C:\windows\system32\csrr.rs
2013-09-07 00:10 - 2012-12-07 06:20 - 00030720 _____ (Microsoft) C:\windows\system32\usk.rs
2013-09-07 00:10 - 2012-12-07 06:20 - 00023552 _____ (Microsoft) C:\windows\system32\oflc.rs
2013-09-07 00:10 - 2012-12-07 06:20 - 00020480 _____ (Microsoft) C:\windows\system32\pegi-pt.rs
2013-09-07 00:10 - 2012-12-07 06:20 - 00020480 _____ (Microsoft) C:\windows\system32\pegi-fi.rs
2013-09-07 00:10 - 2012-12-07 06:19 - 00055296 _____ (Microsoft) C:\windows\system32\cero.rs
2013-09-07 00:10 - 2012-12-07 06:19 - 00051712 _____ (Microsoft) C:\windows\system32\esrb.rs
2013-09-07 00:10 - 2012-12-07 06:19 - 00046592 _____ (Microsoft) C:\windows\system32\fpb.rs
2013-09-07 00:10 - 2012-12-07 06:19 - 00040960 _____ (Microsoft) C:\windows\system32\cob-au.rs
2013-09-07 00:10 - 2012-12-07 06:19 - 00021504 _____ (Microsoft) C:\windows\system32\grb.rs
2013-09-07 00:10 - 2012-12-07 06:19 - 00020480 _____ (Microsoft) C:\windows\system32\pegi.rs
2013-09-07 00:10 - 2012-12-07 06:19 - 00015360 _____ (Microsoft) C:\windows\system32\djctq.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00055296 _____ (Microsoft) C:\windows\SysWOW64\cero.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00051712 _____ (Microsoft) C:\windows\SysWOW64\esrb.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00046592 _____ (Microsoft) C:\windows\SysWOW64\fpb.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00045568 _____ (Microsoft) C:\windows\SysWOW64\oflc-nz.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00044544 _____ (Microsoft) C:\windows\SysWOW64\pegibbfc.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00043520 _____ (Microsoft) C:\windows\SysWOW64\csrr.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00040960 _____ (Microsoft) C:\windows\SysWOW64\cob-au.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00030720 _____ (Microsoft) C:\windows\SysWOW64\usk.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00023552 _____ (Microsoft) C:\windows\SysWOW64\oflc.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00021504 _____ (Microsoft) C:\windows\SysWOW64\grb.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00020480 _____ (Microsoft) C:\windows\SysWOW64\pegi-pt.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00020480 _____ (Microsoft) C:\windows\SysWOW64\pegi-fi.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00020480 _____ (Microsoft) C:\windows\SysWOW64\pegi.rs
2013-09-07 00:10 - 2012-12-07 05:46 - 00015360 _____ (Microsoft) C:\windows\SysWOW64\djctq.rs
2013-09-07 00:09 - 2013-05-10 00:49 - 00030720 _____ (Microsoft Corporation) C:\windows\system32\cryptdlg.dll
2013-09-07 00:09 - 2013-05-09 22:20 - 00024576 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptdlg.dll
2013-09-07 00:07 - 2012-11-30 00:45 - 00362496 _____ (Microsoft Corporation) C:\windows\system32\wow64win.dll
2013-09-07 00:07 - 2012-11-30 00:45 - 00243200 _____ (Microsoft Corporation) C:\windows\system32\wow64.dll
2013-09-07 00:07 - 2012-11-30 00:45 - 00215040 _____ (Microsoft Corporation) C:\windows\system32\winsrv.dll
2013-09-07 00:07 - 2012-11-30 00:45 - 00013312 _____ (Microsoft Corporation) C:\windows\system32\wow64cpu.dll
2013-09-07 00:07 - 2012-11-30 00:43 - 00016384 _____ (Microsoft Corporation) C:\windows\system32\ntvdm64.dll
2013-09-07 00:07 - 2012-11-30 00:41 - 01161216 _____ (Microsoft Corporation) C:\windows\system32\kernel32.dll
2013-09-07 00:07 - 2012-11-30 00:41 - 00424448 _____ (Microsoft Corporation) C:\windows\system32\KernelBase.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00006144 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00005120 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2013-09-07 00:07 - 2012-11-30 00:38 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:54 - 00005120 _____ (Microsoft Corporation) C:\windows\SysWOW64\wow32.dll
2013-09-07 00:07 - 2012-11-29 23:53 - 01114112 _____ (Microsoft Corporation) C:\windows\SysWOW64\kernel32.dll
2013-09-07 00:07 - 2012-11-29 23:53 - 00274944 _____ (Microsoft Corporation) C:\windows\SysWOW64\KernelBase.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00005120 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 23:45 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 22:23 - 00338432 _____ (Microsoft Corporation) C:\windows\system32\conhost.exe
2013-09-07 00:07 - 2012-11-29 21:44 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\setup16.exe
2013-09-07 00:07 - 2012-11-29 21:44 - 00014336 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntvdm64.dll
2013-09-07 00:07 - 2012-11-29 21:44 - 00007680 _____ (Microsoft Corporation) C:\windows\SysWOW64\instnm.exe
2013-09-07 00:07 - 2012-11-29 21:44 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\user.exe
2013-09-07 00:07 - 2012-11-29 21:38 - 00006144 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 21:38 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 21:38 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 21:38 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-09-07 00:07 - 2012-11-29 18:17 - 00420064 _____ C:\windows\SysWOW64\locale.nls
2013-09-07 00:07 - 2012-11-29 18:15 - 00420064 _____ C:\windows\system32\locale.nls
2013-09-07 00:06 - 2013-06-14 23:32 - 00039936 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tssecsrv.sys
2013-09-07 00:06 - 2013-04-26 00:51 - 00751104 _____ (Microsoft Corporation) C:\windows\system32\win32spl.dll
2013-09-07 00:06 - 2013-04-25 23:55 - 00492544 _____ (Microsoft Corporation) C:\windows\SysWOW64\win32spl.dll
2013-09-07 00:05 - 2013-06-04 22:34 - 03153920 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2013-09-07 00:04 - 2012-11-22 00:44 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\usp10.dll
2013-09-07 00:04 - 2012-11-21 23:45 - 00626688 _____ (Microsoft Corporation) C:\windows\SysWOW64\usp10.dll
2013-09-07 00:03 - 2013-07-06 01:03 - 01910208 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tcpip.sys
2013-09-07 00:03 - 2013-01-03 01:00 - 00288088 _____ (Microsoft Corporation) C:\windows\system32\Drivers\FWPKCLNT.SYS
2013-09-07 00:00 - 2013-01-24 01:01 - 00223752 _____ (Microsoft Corporation) C:\windows\system32\Drivers\fvevol.sys
2013-09-06 23:55 - 2013-05-13 00:51 - 01464320 _____ (Microsoft Corporation) C:\windows\system32\crypt32.dll
2013-09-06 23:55 - 2013-05-13 00:51 - 00184320 _____ (Microsoft Corporation) C:\windows\system32\cryptsvc.dll
2013-09-06 23:55 - 2013-05-13 00:51 - 00139776 _____ (Microsoft Corporation) C:\windows\system32\cryptnet.dll
2013-09-06 23:55 - 2013-05-13 00:50 - 00052224 _____ (Microsoft Corporation) C:\windows\system32\certenc.dll
2013-09-06 23:55 - 2013-05-12 23:45 - 01160192 _____ (Microsoft Corporation) C:\windows\SysWOW64\crypt32.dll
2013-09-06 23:55 - 2013-05-12 23:45 - 00140288 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptsvc.dll
2013-09-06 23:55 - 2013-05-12 23:45 - 00103936 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptnet.dll
2013-09-06 23:55 - 2013-05-12 22:43 - 01192448 _____ (Microsoft Corporation) C:\windows\system32\certutil.exe
2013-09-06 23:55 - 2013-05-12 22:08 - 00903168 _____ (Microsoft Corporation) C:\windows\SysWOW64\certutil.exe
2013-09-06 23:55 - 2013-05-12 22:08 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\certenc.dll
2013-09-06 23:55 - 2013-04-10 00:45 - 01545728 _____ (Microsoft Corporation) C:\windows\system32\DWrite.dll
2013-09-06 23:55 - 2013-04-10 00:02 - 01077760 _____ (Microsoft Corporation) C:\windows\SysWOW64\DWrite.dll
2013-09-06 23:55 - 2013-03-19 01:04 - 05550424 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2013-09-06 23:55 - 2013-03-19 00:46 - 00043520 _____ (Microsoft Corporation) C:\windows\system32\csrsrv.dll
2013-09-06 23:55 - 2013-03-19 00:04 - 03968856 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2013-09-06 23:55 - 2013-03-19 00:04 - 03913560 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2013-09-06 23:55 - 2013-03-18 23:47 - 00006656 _____ (Microsoft Corporation) C:\windows\SysWOW64\apisetschema.dll
2013-09-06 23:55 - 2013-03-18 22:06 - 00112640 _____ (Microsoft Corporation) C:\windows\system32\smss.exe
2013-09-06 23:54 - 2012-11-22 22:13 - 00068608 _____ (Microsoft Corporation) C:\windows\system32\taskhost.exe
2013-09-06 23:33 - 2013-09-06 23:34 - 00006288 _____ C:\Users\Carrie\Desktop\BITS.reg
2013-09-06 23:32 - 2013-09-06 23:32 - 00006176 _____ C:\Users\Carrie\Desktop\wuauserv.reg
2013-09-06 23:12 - 2013-09-06 23:12 - 00014086 _____ C:\Users\Carrie\Desktop\Seven.zip
2013-09-06 23:09 - 2013-09-06 23:09 - 00006396 _____ C:\Users\Carrie\Desktop\MpsSvc.reg
2013-09-06 23:08 - 2013-09-06 23:08 - 00176940 _____ C:\Users\Carrie\Desktop\BFE.reg
2013-09-04 21:48 - 2013-09-07 18:44 - 00019232 _____ C:\Users\Carrie\Documents\Ethan Grades.xlsx
2013-09-04 21:26 - 2013-09-04 22:18 - 00018043 _____ C:\Users\Carrie\Documents\Leah Grades.xlsx
2013-08-31 21:58 - 2013-08-31 21:58 - 00000232 _____ C:\aswBoot.log
2013-08-31 18:58 - 2013-09-09 06:18 - 00004182 _____ C:\windows\System32\Tasks\avast! Emergency Update
2013-08-31 18:58 - 2013-08-31 18:58 - 01030952 _____ (AVAST Software) C:\windows\system32\Drivers\aswSnx.sys
2013-08-31 18:58 - 2013-08-31 18:58 - 00378944 _____ (AVAST Software) C:\windows\system32\Drivers\aswSP.sys
2013-08-31 18:58 - 2013-08-31 18:58 - 00189936 _____ C:\windows\system32\Drivers\aswVmm.sys
2013-08-31 18:58 - 2013-08-31 18:58 - 00000175 _____ C:\windows\system32\Drivers\aswVmm.sys.sum
2013-08-31 18:58 - 2013-08-31 18:58 - 00000175 _____ C:\windows\system32\Drivers\aswSP.sys.sum
2013-08-31 18:58 - 2013-08-31 18:58 - 00000175 _____ C:\windows\system32\Drivers\aswSnx.sys.sum
2013-08-31 18:58 - 2013-05-09 03:59 - 00080816 _____ (AVAST Software) C:\windows\system32\Drivers\aswMonFlt.sys
2013-08-31 18:58 - 2013-05-09 03:59 - 00072016 _____ (AVAST Software) C:\windows\system32\Drivers\aswRdr2.sys
2013-08-31 18:58 - 2013-05-09 03:59 - 00065336 _____ C:\windows\system32\Drivers\aswRvrt.sys
2013-08-31 18:58 - 2013-05-09 03:59 - 00064288 _____ (AVAST Software) C:\windows\system32\Drivers\aswTdi.sys
2013-08-31 18:58 - 2013-05-09 03:59 - 00033400 _____ (AVAST Software) C:\windows\system32\Drivers\aswFsBlk.sys
2013-08-31 18:57 - 2013-05-09 03:58 - 00041664 _____ (AVAST Software) C:\windows\avastSS.scr
2013-08-30 23:03 - 2013-08-30 23:02 - 00867240 _____ (Oracle Corporation) C:\windows\SysWOW64\npDeployJava1.dll
2013-08-30 23:03 - 2013-08-30 23:02 - 00263592 _____ (Oracle Corporation) C:\windows\SysWOW64\javaws.exe
2013-08-30 23:03 - 2013-08-30 23:02 - 00175016 _____ (Oracle Corporation) C:\windows\SysWOW64\javaw.exe
2013-08-30 23:03 - 2013-08-30 23:02 - 00175016 _____ (Oracle Corporation) C:\windows\SysWOW64\java.exe
2013-08-30 23:03 - 2013-08-30 23:02 - 00096168 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll
2013-08-30 23:01 - 2013-08-30 23:01 - 00000000 ____D C:\ProgramData\McAfee
2013-08-30 22:58 - 2013-08-30 22:59 - 00903080 _____ (Oracle Corporation) C:\Users\Carrie\Downloads\chromeinstall-7u25 (1).exe
2013-08-30 22:57 - 2013-08-30 22:57 - 00903080 _____ (Oracle Corporation) C:\Users\Carrie\Downloads\chromeinstall-7u25.exe
2013-08-20 19:47 - 2013-08-20 22:14 - 01732063 _____ C:\Users\Carrie\Downloads\WIP Rollforward 08-2013 incomplete.xlsx

==================== One Month Modified Files and Folders =======

2013-09-09 07:01 - 2013-09-07 07:32 - 00001945 _____ C:\windows\epplauncher.mif
2013-09-09 07:00 - 2013-09-09 07:00 - 00000000 ____D C:\FRST
2013-09-09 06:29 - 2011-06-08 20:27 - 01807344 _____ C:\windows\WindowsUpdate.log
2013-09-09 06:25 - 2009-07-13 23:45 - 00024608 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-09 06:25 - 2009-07-13 23:45 - 00024608 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-09 06:22 - 2009-07-14 00:13 - 00726444 _____ C:\windows\system32\PerfStringBackup.INI
2013-09-09 06:18 - 2013-08-31 18:58 - 00004182 _____ C:\windows\System32\Tasks\avast! Emergency Update
2013-09-09 06:18 - 2011-06-08 21:14 - 00000908 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-09 06:16 - 2009-07-14 00:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2013-09-09 06:16 - 2009-07-13 23:51 - 00135174 _____ C:\windows\setupact.log
2013-09-09 06:16 - 2009-07-13 23:45 - 00436072 _____ C:\windows\system32\FNTCACHE.DAT
2013-09-09 06:14 - 2010-11-21 02:17 - 00000000 ____D C:\Program Files\Windows Journal
2013-09-08 15:14 - 2011-06-08 21:14 - 00000912 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-08 14:24 - 2013-03-02 21:07 - 00000470 _____ C:\windows\Tasks\Arcadesafari.job
2013-09-07 20:59 - 2009-07-13 22:20 - 00000000 ____D C:\windows\rescache
2013-09-07 18:44 - 2013-09-04 21:48 - 00019232 _____ C:\Users\Carrie\Documents\Ethan Grades.xlsx
2013-09-07 17:25 - 2013-07-29 22:32 - 00000400 _____ C:\windows\Tasks\AllmyappsUpdateTask.job
2013-09-07 09:39 - 2013-09-07 09:39 - 00021696 _____ C:\Users\Carrie\Desktop\attach.txt
2013-09-07 09:38 - 2013-09-07 09:39 - 00016206 _____ C:\Users\Carrie\Desktop\dds.txt
2013-09-07 09:36 - 2013-09-07 09:36 - 00688992 ____R (Swearware) C:\Users\Carrie\Desktop\dds.com
2013-09-07 09:24 - 2011-07-18 21:44 - 00000000 ____D C:\Users\Carrie\AppData\Local\CrashDumps
2013-09-07 09:15 - 2010-11-20 22:47 - 00276700 _____ C:\windows\PFRO.log
2013-09-07 08:15 - 2013-09-07 08:13 - 04745728 _____ (AVAST Software) C:\Users\Carrie\Desktop\iexplore.exe.exe
2013-09-07 07:54 - 2009-07-14 00:08 - 00032540 _____ C:\windows\Tasks\SCHEDLGU.TXT
2013-09-07 07:40 - 2013-09-07 07:40 - 00181064 _____ (Sysinternals) C:\windows\PSEXESVC.EXE
2013-09-07 07:39 - 2013-09-07 07:39 - 00003274 _____ C:\Users\Carrie\Desktop\EventSystemWin7.reg
2013-09-07 07:29 - 2013-09-07 07:29 - 01658191 _____ C:\Users\Carrie\Desktop\PSTools.zip
2013-09-07 06:49 - 2009-07-13 22:20 - 00000000 ____D C:\windows\PolicyDefinitions
2013-09-07 06:37 - 2012-05-15 06:04 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-09-07 06:37 - 2012-05-15 06:04 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-09-07 01:03 - 2013-09-07 00:58 - 00000000 ____D C:\windows\system32\MRT
2013-09-06 23:34 - 2013-09-06 23:33 - 00006288 _____ C:\Users\Carrie\Desktop\BITS.reg
2013-09-06 23:32 - 2013-09-06 23:32 - 00006176 _____ C:\Users\Carrie\Desktop\wuauserv.reg
2013-09-06 23:29 - 2009-07-13 22:20 - 00000000 ____D C:\windows\registration
2013-09-06 23:12 - 2013-09-06 23:12 - 00014086 _____ C:\Users\Carrie\Desktop\Seven.zip
2013-09-06 23:09 - 2013-09-06 23:09 - 00006396 _____ C:\Users\Carrie\Desktop\MpsSvc.reg
2013-09-06 23:08 - 2013-09-06 23:08 - 00176940 _____ C:\Users\Carrie\Desktop\BFE.reg
2013-09-04 22:18 - 2013-09-04 21:26 - 00018043 _____ C:\Users\Carrie\Documents\Leah Grades.xlsx
2013-09-04 22:11 - 2012-09-14 08:06 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-08-31 21:58 - 2013-08-31 21:58 - 00000232 _____ C:\aswBoot.log
2013-08-31 18:58 - 2013-08-31 18:58 - 01030952 _____ (AVAST Software) C:\windows\system32\Drivers\aswSnx.sys
2013-08-31 18:58 - 2013-08-31 18:58 - 00378944 _____ (AVAST Software) C:\windows\system32\Drivers\aswSP.sys
2013-08-31 18:58 - 2013-08-31 18:58 - 00189936 _____ C:\windows\system32\Drivers\aswVmm.sys
2013-08-31 18:58 - 2013-08-31 18:58 - 00000175 _____ C:\windows\system32\Drivers\aswVmm.sys.sum
2013-08-31 18:58 - 2013-08-31 18:58 - 00000175 _____ C:\windows\system32\Drivers\aswSP.sys.sum
2013-08-31 18:58 - 2013-08-31 18:58 - 00000175 _____ C:\windows\system32\Drivers\aswSnx.sys.sum
2013-08-31 18:58 - 2012-07-26 23:06 - 00000000 _____ C:\windows\SysWOW64\config.nt
2013-08-31 18:56 - 2012-07-26 23:05 - 00000000 ____D C:\ProgramData\AVAST Software
2013-08-31 18:56 - 2012-07-26 23:05 - 00000000 ____D C:\Program Files\AVAST Software
2013-08-30 23:06 - 2013-07-12 21:12 - 00000000 ____D C:\Users\Carrie\AppData\Roaming\.minecraft
2013-08-30 23:02 - 2013-08-30 23:03 - 00867240 _____ (Oracle Corporation) C:\windows\SysWOW64\npDeployJava1.dll
2013-08-30 23:02 - 2013-08-30 23:03 - 00263592 _____ (Oracle Corporation) C:\windows\SysWOW64\javaws.exe
2013-08-30 23:02 - 2013-08-30 23:03 - 00175016 _____ (Oracle Corporation) C:\windows\SysWOW64\javaw.exe
2013-08-30 23:02 - 2013-08-30 23:03 - 00175016 _____ (Oracle Corporation) C:\windows\SysWOW64\java.exe
2013-08-30 23:02 - 2013-08-30 23:03 - 00096168 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll
2013-08-30 23:02 - 2011-03-29 21:48 - 00789416 _____ (Oracle Corporation) C:\windows\SysWOW64\deployJava1.dll
2013-08-30 23:02 - 2011-03-29 21:48 - 00000000 ____D C:\Program Files (x86)\Java
2013-08-30 23:01 - 2013-08-30 23:01 - 00000000 ____D C:\ProgramData\McAfee
2013-08-30 22:59 - 2013-08-30 22:58 - 00903080 _____ (Oracle Corporation) C:\Users\Carrie\Downloads\chromeinstall-7u25 (1).exe
2013-08-30 22:57 - 2013-08-30 22:57 - 00903080 _____ (Oracle Corporation) C:\Users\Carrie\Downloads\chromeinstall-7u25.exe
2013-08-30 16:46 - 2013-07-12 22:27 - 00003066 _____ C:\windows\System32\Tasks\AllmyappsUpdateTask
2013-08-26 21:53 - 2011-07-21 21:03 - 00000000 ___HD C:\Users\Carrie\Documents\From Acer
2013-08-20 22:14 - 2013-08-20 19:47 - 01732063 _____ C:\Users\Carrie\Downloads\WIP Rollforward 08-2013 incomplete.xlsx
2013-08-16 09:58 - 2013-07-03 22:38 - 00000000 ____D C:\Program Files\Microsoft Office 15
2013-08-15 18:23 - 2009-07-13 21:34 - 00000430 _____ C:\windows\win.ini
2013-08-15 18:19 - 2013-04-13 21:18 - 00001330 _____ C:\Users\Carrie\Desktop\ROBLOX Player.lnk
2013-08-15 18:19 - 2013-04-13 21:14 - 00001149 _____ C:\Users\Carrie\Desktop\ROBLOX Studio 2013.lnk

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029
C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029\L\00000004.@
C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029\L\201d3dde
C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029\L\76603ac3

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029
C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029\L\00000004.@
C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029\L\201d3dde
C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029\L\76603ac3

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3547224266-3633241506-1922221131-1001\$396bc10f298855c1bcfdd01a8cd3c029

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029

Files to move or delete:
====================
C:\Users\Carrie\AppData\Local\Temp\apnpip.exe
C:\Users\Carrie\AppData\Local\Temp\AVGSafeguard.exe
C:\Users\Carrie\AppData\Local\Temp\deerdrive-111448437-setup.s111448437.c110268333.len.u.dl.exe
C:\Users\Carrie\AppData\Local\Temp\nsb620C.exe
C:\Users\Carrie\AppData\Local\Temp\nsi711F.exe
C:\Users\Carrie\AppData\Local\Temp\nsl8D8F.exe
C:\Users\Carrie\AppData\Local\Temp\OfficeSetup.exe
C:\Users\Carrie\AppData\Local\Temp\oi_{FD214BDD-1D37-4E96-934E-2210B6E62962}.exe
C:\Users\Carrie\AppData\Local\Temp\Setup.x64.en-US_ProPlusRetail_RT3DM-MN9CB-9TXKH-YW7RM-CWC9Q_TX_PR_act_1_.exe
C:\Users\Carrie\AppData\Local\Temp\Setup.x86.en-US_ProPlusRetail_RT3DM-MN9CB-9TXKH-YW7RM-CWC9Q_TX_PR_act_1_ (1).exe
C:\Users\Carrie\AppData\Local\Temp\setupproplusretail.x86.en-us_TX_PR_act_1_.exe
C:\Users\Carrie\AppData\Local\Temp\sfamcc00001.dll
C:\Users\Carrie\AppData\Local\Temp\sfareca00001.dll
C:\Users\Carrie\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Carrie\AppData\Local\Temp\tbSwa2.dll
C:\Users\Carrie\AppData\Local\Temp\UNINSTALL.EXE

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-09-01 08:40

==================== End Of Log ============================

#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:01 AM

Posted 09 September 2013 - 07:55 AM

Hi,

 

Now please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi


Edited by B-boy/StyLe/, 09 September 2013 - 07:56 AM.



#5 silentcommit

silentcommit
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 09 September 2013 - 12:02 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-09-2013 01
Ran by Carrie at 2013-09-09 12:01:00 Run:1
Running from C:\Users\Carrie\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
(Microsoft Corporation) C:\Users\Carrie\AppData\Local\Temp\{00718839-FB46-4F4C-ABF2-6BBC0DE3062B}\Setup.exe
Folder: C:\Users\Carrie\AppData\Local\Temp\{00718839-FB46-4F4C-ABF2-6BBC0DE3062B}
HKLM\...\Run: [] -
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029\n. ATTENTION! ====> ZeroAccess?
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-3547224266-3633241506-1922221131-1001\$396bc10f298855c1bcfdd01a8cd3c029\n. ATTENTION! ====> ZeroAccess?
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [NPSStartup] -  [x]
URLSearchHook: (No Name) - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} -  No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2260173
SearchScopes: HKCU - {167330B3-1CB8-4C46-93DD-3F2603B0E8E1} URL =
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
BHO-x32: No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
BHO-x32: Arcadesafari BHO - {adff4c9a-4f49-4a1f-8885-360e107b7938}
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
CHR HomePage: hxxp://mysearch.avg.com/?cid={8B748D9D-EED4-47E8-B212-6FB598386A83}&mid=696c9b3edd7647d3926ad16f2a2053e5-a05584d13206e4493aa386783604a1f5d423f1e9&lang=en&ds=am011&pr=sa&d=2013-07-12 22:29:42&v=15.3.0.11&pid=safeguard&sg=0&sap=hp
CHR HKLM-x32\...\Chrome\Extension: [fdeikhckcedpnofpmfaakfhppidegbcp] - C:\Users\Carrie\AppData\Local\CRE\fdeikhckcedpnofpmfaakfhppidegbcp.crx
C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029
C:\$Recycle.Bin\S-1-5-21-3547224266-3633241506-1922221131-1001\$396bc10f298855c1bcfdd01a8cd3c029
C:\Users\Carrie\AppData\Local\Temp\apnpip.exe
C:\Users\Carrie\AppData\Local\Temp\AVGSafeguard.exe
C:\Users\Carrie\AppData\Local\Temp\deerdrive-111448437-setup.s111448437.c110268333.len.u.dl.exe
C:\Users\Carrie\AppData\Local\Temp\nsb620C.exe
C:\Users\Carrie\AppData\Local\Temp\nsi711F.exe
C:\Users\Carrie\AppData\Local\Temp\nsl8D8F.exe
C:\Users\Carrie\AppData\Local\Temp\OfficeSetup.exe
C:\Users\Carrie\AppData\Local\Temp\oi_{FD214BDD-1D37-4E96-934E-2210B6E62962}.exe
C:\Users\Carrie\AppData\Local\Temp\Setup.x64.en-US_ProPlusRetail_RT3DM-MN9CB-9TXKH-YW7RM-CWC9Q_TX_PR_act_1_.exe
C:\Users\Carrie\AppData\Local\Temp\Setup.x86.en-US_ProPlusRetail_RT3DM-MN9CB-9TXKH-YW7RM-CWC9Q_TX_PR_act_1_ (1).exe
C:\Users\Carrie\AppData\Local\Temp\setupproplusretail.x86.en-us_TX_PR_act_1_.exe
C:\Users\Carrie\AppData\Local\Temp\sfamcc00001.dll
C:\Users\Carrie\AppData\Local\Temp\sfareca00001.dll
C:\Users\Carrie\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Carrie\AppData\Local\Temp\tbSwa2.dll
C:\Users\Carrie\AppData\Local\Temp\UNINSTALL.EXE
AlternateDataStreams: C:\ProgramData\rkfree:cfg
AlternateDataStreams: C:\ProgramData\rkfreel:cfg
C:\ProgramData\rkfree
C:\ProgramData\rkfreel
end
*****************

C:\Users\Carrie\AppData\Local\Temp\{00718839-FB46-4F4C-ABF2-6BBC0DE3062B}\Setup.exe => No running process found

========================= Folder: C:\Users\Carrie\AppData\Local\Temp\{00718839-FB46-4F4C-ABF2-6BBC0DE3062B} ========================

2013-09-09 07:00 - 2013-09-09 07:00 - 0000000 ____D () C:\Users\Carrie\AppData\Local\Temp\{00718839-FB46-4F4C-ABF2-6BBC0DE3062B}\en-us
2013-09-09 07:00 - 2013-06-20 22:25 - 0185664 ____A (Microsoft Corporation) C:\Users\Carrie\AppData\Local\Temp\{00718839-FB46-4F4C-ABF2-6BBC0DE3062B}\EppManifest.dll
2013-09-09 07:00 - 2013-06-20 20:33 - 1100160 ____A (Microsoft Corporation) C:\Users\Carrie\AppData\Local\Temp\{00718839-FB46-4F4C-ABF2-6BBC0DE3062B}\Setup.exe
2013-09-09 07:00 - 2013-06-20 20:28 - 0008864 ____A (Microsoft Corporation) C:\Users\Carrie\AppData\Local\Temp\{00718839-FB46-4F4C-ABF2-6BBC0DE3062B}\SetupRes.dll
2013-09-09 07:00 - 2013-01-20 16:58 - 0241984 ____A (Microsoft Corporation) C:\Users\Carrie\AppData\Local\Temp\{00718839-FB46-4F4C-ABF2-6BBC0DE3062B}\SqmApi.dll
2013-09-09 07:00 - 2013-06-20 22:12 - 0043680 ____A (Microsoft Corporation) C:\Users\Carrie\AppData\Local\Temp\{00718839-FB46-4F4C-ABF2-6BBC0DE3062B}\en-us\setupres.dll.mui

====== End of Folder: ======

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\HKLM\...\Run: [] - => Value not found.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\NPSStartup => Value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} => Value deleted successfully.
HKCR\CLSID\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{167330B3-1CB8-4C46-93DD-3F2603B0E8E1} => Key deleted successfully.
HKCR\CLSID\{167330B3-1CB8-4C46-93DD-3F2603B0E8E1} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B} => Key deleted successfully.
HKCR\CLSID\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{adff4c9a-4f49-4a1f-8885-360e107b7938} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{adff4c9a-4f49-4a1f-8885-360e107b7938} => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} => Value deleted successfully.
HKCR\CLSID\{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll

=========  netsh winsock reset catalog =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

CHR HomePage: hxxp://mysearch.avg.com/?cid={8B748D9D-EED4-47E8-B212-6FB598386A83}&mid=696c9b3edd7647d3926ad16f2a2053e5-a05584d13206e4493aa386783604a1f5d423f1e9&lang=en&ds=am011&pr=sa&d=2013-07-12 22:29:42&v=15.3.0.11&pid=safeguard&sg=0&sap=hp ==> The Chrome "Settings" can be used to fix the entry.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fdeikhckcedpnofpmfaakfhppidegbcp => Key deleted successfully.
C:\Users\Carrie\AppData\Local\CRE\fdeikhckcedpnofpmfaakfhppidegbcp.crx => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029 => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-3547224266-3633241506-1922221131-1001\$396bc10f298855c1bcfdd01a8cd3c029 => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\apnpip.exe => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\AVGSafeguard.exe => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\deerdrive-111448437-setup.s111448437.c110268333.len.u.dl.exe => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\nsb620C.exe => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\nsi711F.exe => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\nsl8D8F.exe => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\OfficeSetup.exe => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\oi_{FD214BDD-1D37-4E96-934E-2210B6E62962}.exe => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\Setup.x64.en-US_ProPlusRetail_RT3DM-MN9CB-9TXKH-YW7RM-CWC9Q_TX_PR_act_1_.exe => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\Setup.x86.en-US_ProPlusRetail_RT3DM-MN9CB-9TXKH-YW7RM-CWC9Q_TX_PR_act_1_ (1).exe => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\setupproplusretail.x86.en-us_TX_PR_act_1_.exe => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\sfamcc00001.dll => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\sfareca00001.dll => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\tbSwa2.dll => Moved successfully.
C:\Users\Carrie\AppData\Local\Temp\UNINSTALL.EXE => Moved successfully.
C:\ProgramData\rkfree => ":cfg" ADS removed successfully.
C:\ProgramData\rkfreel => ":cfg" ADS removed successfully.
C:\ProgramData\rkfree => Moved successfully.
C:\ProgramData\rkfreel => Moved successfully.

==== End of Fixlog ====



#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:01 AM

Posted 10 September 2013 - 03:03 AM

Hi,

 

 

Nice work! :)
Let's check for leftovers.
Most of them should take no more than 5 minutes each.
Eset could take up to an hour or two depending on the size of your hard drive and the speed of your computer.
You can run these scans at night when you are not there and the computer is idle.

Also, we need to repair some of the Windows services (Windows Update, Windows Firewall, Security Center, etc.) which were probably broken by the rootkit.
And then I'll give you my final recommendations:



STEP 1

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
     
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 2




  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.




STEP 3



Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    Sbf88.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    JtwHB.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 4




  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location, then copy and paste the results at pastebin.com and post the link to the log in your next reply.




STEP 5



Please download Farbar Service Scanner and run it on the computer with the issue.


  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 6



Please download AdwCleaner by Xplode and save to your Desktop.


  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.




STEP 7
 

  1. Please download OTL from the link below:
  2. Save it to your desktop.
  3. Double click on the otlDesktopIcon.png icon on your desktop.
  4. OTL should now start. Change the following settings:
    - Click on Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  5. Copy and Paste the following code into the customFix.png textbox.
  6. Don't copy the word "quote"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Local\*.
    %USERPROFILE%\AppData\Local\temp\*.exe
    %USERPROFILE%\AppData\Roaming\*.*
    %USERPROFILE%\AppData\Roaming\*.
    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Templates\*.*
    %USERPROFILE%\AppData\Local\Microsoft\*.*
    %USERPROFILE%\AppData\Local\Microsoft\*.
    %USERPROFILE%\AppData\Roaming\Microsoft\*.*
    %USERPROFILE%\AppData\Roaming\Microsoft\*.
    %windir%\AppPatch\*.*
    %windir%\AppPatch\*.
    %Public%\Documents\*.*
    %Public%\Documents\*.
    %ProgramData%\*.*
    %ProgramData%\*.
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\*.
    %CommonProgramFiles%\ComObjects\*.exe
    %ProgramFiles%\*.*
    %ProgramFiles%\*.
    %programdata%\Microsoft\Windows\DRM\*.tmp
    %programdata%\Microsoft\DRM\*.tmp
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %systemroot%\system32\config\systemprofile\AppData\Local\*.
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.
    %windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.
    %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\ShellNew\*.*
    %windir%\installer\*.
    %windir%\system32\*.
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /90
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %SYSTEMDRIVE%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{212B3DCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{A12BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188B} /s
    HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers /s
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    type C:\WINDOWS\system.ini >> test.txt /c
    bcdedit /enum all /v >C:\boot.txt /c
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    imapi.sys
    fastfat.sys
    atapi.sys
    iaStor.sys
    serial.sys
    volsnap.sys
    disk.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    kbdclass.sys
    kbdhid.sys
    mouclass.sys
    mouhid.sys
    spldr.sys
    dfsc.sys
    hlp.dat
    str.sys
    CREXVX.OCX
    crexv.ocx
    msseedir.dll
    msdr.dll
    lmbd.dll
    wsse.dll
    /md5stop

     

  7. Push the runscanbutton.png button.
  8. Two reports will open, attach the logs to your next reply.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

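The service repair this post says is needed (and the Farbar Service Scanner run in STEP 5) can be checked from the registry side with the script below. It is an added example written for this page, not code from the thread or from Farbar's tools; it assumes PowerShell 3.0 or later run from an elevated prompt on Windows 7 or later, and the list of services and the "suspicious location" rule are assumptions drawn from what this thread found, not an official reference list.

```powershell
# Added example for this thread, not code from the thread or from Farbar's tools.
# Audits the registry configuration of the services the infection here disabled
# (the ones the .reg files and Farbar Service Scanner deal with).
# Assumptions: PowerShell 3.0 or later, run from an elevated prompt on
# Windows 7 or later; the service list and the "suspicious location" rule are
# drawn from this thread and are not an official reference list.

$ServicesToCheck = 'wuauserv', 'BITS', 'MpsSvc', 'BFE', 'wscsvc',
                   'WinDefend', 'SharedAccess', 'iphlpsvc', 'EventSystem'

$StartTypeNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Locations the malware in this thread used for its files: $Recycle.Bin
# (ZeroAccess folders), ProgramData (rkfree) and user profiles (Temp droppers).
# A core Windows service DLL should never live under any of these.
$SuspiciousRoots = @(
    (Join-Path $env:SystemDrive '$Recycle.Bin'),
    $env:ProgramData,
    (Join-Path $env:SystemDrive 'Users')
)

function Test-ServiceConfig {
    # Returns one object per service with its Start type, SCM state, ServiceDll
    # and a ';'-joined list of findings (empty when nothing looks wrong).
    param([Parameter(Mandatory = $true)][string[]]$Name)

    foreach ($svc in $Name) {
        $key        = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $findings   = New-Object System.Collections.Generic.List[string]
        $start      = $null
        $serviceDll = ''

        if (-not (Test-Path -LiteralPath $key)) {
            # A deleted key is what the .reg merges in this thread put back.
            $findings.Add('service registry key missing')
        }
        else {
            $props     = Get-ItemProperty -LiteralPath $key
            $start     = $props.Start
            $imagePath = [string]$props.ImagePath

            if ($null -eq $start)  { $findings.Add('Start value missing') }
            elseif ($start -eq 4)  { $findings.Add('Start=4 (Disabled)') }

            if (-not $imagePath) {
                $findings.Add('ImagePath missing')
            }
            elseif ($imagePath -match '(?i)\\svchost\.exe') {
                # svchost-hosted service: the real code is in Parameters\ServiceDll.
                $paramKey = Join-Path $key 'Parameters'
                if (Test-Path -LiteralPath $paramKey) {
                    $serviceDll = [string](Get-ItemProperty -LiteralPath $paramKey).ServiceDll
                }
                if (-not $serviceDll) {
                    $findings.Add('ServiceDll missing')
                }
                else {
                    $expanded = [Environment]::ExpandEnvironmentVariables($serviceDll)
                    foreach ($root in $SuspiciousRoots) {
                        if ($expanded.StartsWith($root, 'OrdinalIgnoreCase')) {
                            $findings.Add("ServiceDll under $root")
                        }
                    }
                    if (-not (Test-Path -LiteralPath $expanded)) {
                        $findings.Add('ServiceDll file not found')
                    }
                }
            }
        }

        # Cross-check against the Service Control Manager's view of the service.
        $scm = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $scm) { $findings.Add('not known to SCM') }

        $startName = '<unknown>'
        if ($null -ne $start -and $StartTypeNames.ContainsKey([int]$start)) {
            $startName = $StartTypeNames[[int]$start]
        }
        $state = if ($scm) { $scm.Status } else { '<none>' }

        [pscustomobject]@{
            Service    = $svc
            Start      = $startName
            State      = $state
            ServiceDll = $serviceDll
            Findings   = $findings -join '; '
        }
    }
}

$report = Test-ServiceConfig -Name $ServicesToCheck
$report | Format-Table -AutoSize
$broken = @($report | Where-Object { $_.Findings })
Write-Host ("{0} of {1} services need attention" -f $broken.Count, $ServicesToCheck.Count)
```

Once the .reg merges and ServicesRepair have done their job, every row should show an empty Findings column; a row that still reports a missing key or a ServiceDll in one of the flagged locations is a leftover to raise with the helper.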


#7 silentcommit

silentcommit
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 10 September 2013 - 12:32 PM

roguekiller will not run.  I tried changing its name but still nothing happens.  Should I go to next step?

 

Also, you mentioned ESET may take a while, but I didn't see anything about ESET in the steps.  Where does that fit in?

 

Thanks.


Edited by silentcommit, 10 September 2013 - 04:25 PM.


#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:01 AM

Posted 10 September 2013 - 05:26 PM

Hi,

 

Can you please try with this version of RogueKillerx64.exe and let me know about the results?

Also, what happens when you try to run it? Any warnings or errors?

If no joy again, please continue with the rest of the steps. About Eset - my fault. This step will be included at the end of the cleaning process to verify everything is clean.

 

 

Regards,

Georgi




#9 silentcommit

silentcommit
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 10 September 2013 - 11:04 PM

http://pastebin.com/mMeNfyrg   rkill

http://pastebin.com/XT81v1Sm  roguekiller

http://pastebin.com/YE4CbpCp  tdsskiller

http://pastebin.com/gRV6bEhw   malwarebytes

http://pastebin.com/g7wxxdQF    fss

http://pastebin.com/yLt1YzJK    adwcleaner



#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:01 AM

Posted 11 September 2013 - 06:13 PM

Hi,

 

 

I am sorry for the delay (but it seems that we have different timezone). :)

 

Rkill

 

Next let's try to fix the broken services.
 

Please download the following files and save them to your desktop:

iphlpsvc.reg

 

WinDefend.reg

 

wscsvc.reg

 

SharedAccess.reg

 

 

Now double click on each of them one by one. An information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Now reboot the computer.

 

  • Next please download the ESET ServicesRepair utility and save it to your Desktop.
     
  • Double-click ServicesRepair.exe to run the ESET ServicesRepair utility. If you are using User Access Control, click Run when prompted and then click Yes when asked to allow changes.
     
  • Reboot the computer and post fresh log from Rkill.

 

RogueKiller

 

Please re-run RogueKiller.
Wait until Prescan has finished.
Click on Scan.
Now click on the Scheduled tasks tab

Place a checkmark beside each of these items:

 

 

[V1][SUSP PATH] Arcadesafari.job : C:\Users\Carrie\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe [7] -> FOUND
[V2][SUSP PATH] Arcadesafari : C:\Users\Carrie\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe [7] -> FOUND
[V2][SUSP PATH] {077DF77B-3544-4BC4-851A-184819D868F2} : C:\Users\Carrie\Desktop\safe.exe [-] -> FOUND
[V2][SUSP PATH] {0E8750C1-1D26-4E71-9C42-A85FCF43E0EF} : C:\Users\Carrie\Desktop\ie.exe [x] -> FOUND
[V2][SUSP PATH] {14BAEAF4-9954-4703-93BA-8A328CDC7898} : C:\Users\Carrie\Desktop\ie.exe [x] -> FOUND
[V2][SUSP PATH] {2D31A804-F9FF-4C63-AD61-7A26008A1C8E} : C:\Users\Carrie\Desktop\safe.exe [-] -> FOUND
[V2][SUSP PATH] {5C944199-76A3-4989-B558-4926FA7D2E8B} : C:\Users\Carrie\Desktop\safe.exe [-] -> FOUND
[V2][SUSP PATH] {781DA757-B430-43DE-9F6F-C2FC08BEA2FE} : C:\Users\Carrie\Desktop\ie.exe [x] -> FOUND
[V2][SUSP PATH] {7EFDA9EA-9287-42ED-9A0D-9FD12E909264} : C:\Users\Carrie\Desktop\safe.exe [-] -> FOUND
[V2][SUSP PATH] {8D2C11BA-8E55-4483-87B7-71CE7195A128} : C:\Users\Carrie\Desktop\safe.exe [-] -> FOUND
[V2][SUSP PATH] {C3F5A4FC-0E7A-40DD-98BA-7782EAF94EBF} : C:\Users\Carrie\Desktop\ie.exe [x] -> FOUND
[V2][SUSP PATH] {E90DEAF8-3137-44AA-9165-31B4CD3D2637} : C:\Users\Carrie\Desktop\safe.exe [-] -> FOUND
[V2][SUSP PATH] {F226BD7F-F697-4C0C-BB59-3C661F80D2B2} : C:\Users\Carrie\Desktop\ie.exe [x] -> FOUND

Now press the Delete button.
If asked to restart the computer, please do so immediately.
When it is finished, there will be a log on your desktop.
Post the newest log in your next reply.

 

AdwCleaner

 

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

OTL

  • Please reopen OTL on your desktop.
  • Copy and paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :OTL
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\module@com.arcadesafari.firefox: C:\Users\Carrie\AppData\Local\Arcadesafari\module@com.arcadesafari.firefox [2013/03/02 21:07:20 | 000,000,000 | ---D | M]
    CHR - homepage: http://mysearch.avg.com/?cid={8B748D9D-EED4-47E8-B212-6FB598386A83}&mid=696c9b3edd7647d3926ad16f2a2053e5-a05584d13206e4493aa386783604a1f5d423f1e9&lang=en&ds=am011&pr=sa&d=2013-07-12 22:29:42&v=15.3.0.11&pid=safeguard&sg=0&sap=hp
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4:64bit: - HKLM..\Run: []  File not found
    [2013/09/10 20:24:33 | 000,000,470 | ---- | M] () -- C:\windows\tasks\Arcadesafari.job
    :files
    C:\Users\Carrie\AppData\Local\Arcadesafari

    :commands
    [emptytemp]

  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.

 

Next please re-run OTL and run a new scan (not fix) but don't forget to include the script from the quote from the following post and attach the log to your next reply.

Only 1 report will appear this time - OTL.txt. This is normal.

 

 

Regards,

Georgi




#11 silentcommit

  • Topic Starter

Posted 12 September 2013 - 11:01 AM

Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/12/2013 06:41:53 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.

 * HOSTS file entries found:

  20 out of 15267 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 09/12/2013 06:43:13 AM
Execution time: 0 hours(s), 1 minute(s), and 20 seconds(s)l

 

 

RogueKiller V8.6.11 _x64_ [Sep 11 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Carrie [Admin rights]
Mode : Remove -- Date : 09/12/2013 07:06:59
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> NOT SELECTED
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> NOT SELECTED
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> NOT SELECTED
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> NOT SELECTED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED

¤¤¤ Scheduled tasks : 15 ¤¤¤
[V1][SUSP PATH] Arcadesafari.job : C:\Users\Carrie\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe [7] -> DELETED
[V1][SUSP PATH] AllmyappsUpdateTask.job : C:\Users\Carrie\AppData\Roaming\Allmyapps\AllmyappsUpdater.exe - check startup [7][x] -> DELETED
[V2][SUSP PATH] AllmyappsUpdateTask : C:\Users\Carrie\AppData\Roaming\Allmyapps\AllmyappsUpdater.exe - check startup [7][x] -> DELETED
[V2][SUSP PATH] Arcadesafari : C:\Users\Carrie\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe [7] -> ERROR DELETING TASK
[V2][SUSP PATH] {077DF77B-3544-4BC4-851A-184819D868F2} : C:\Users\Carrie\Desktop\safe.exe [x] -> DELETED
[V2][SUSP PATH] {0E8750C1-1D26-4E71-9C42-A85FCF43E0EF} : C:\Users\Carrie\Desktop\ie.exe [x] -> DELETED
[V2][SUSP PATH] {14BAEAF4-9954-4703-93BA-8A328CDC7898} : C:\Users\Carrie\Desktop\ie.exe [x] -> DELETED
[V2][SUSP PATH] {2D31A804-F9FF-4C63-AD61-7A26008A1C8E} : C:\Users\Carrie\Desktop\safe.exe [x] -> DELETED
[V2][SUSP PATH] {5C944199-76A3-4989-B558-4926FA7D2E8B} : C:\Users\Carrie\Desktop\safe.exe [x] -> DELETED
[V2][SUSP PATH] {781DA757-B430-43DE-9F6F-C2FC08BEA2FE} : C:\Users\Carrie\Desktop\ie.exe [x] -> DELETED
[V2][SUSP PATH] {7EFDA9EA-9287-42ED-9A0D-9FD12E909264} : C:\Users\Carrie\Desktop\safe.exe [x] -> DELETED
[V2][SUSP PATH] {8D2C11BA-8E55-4483-87B7-71CE7195A128} : C:\Users\Carrie\Desktop\safe.exe [x] -> DELETED
[V2][SUSP PATH] {C3F5A4FC-0E7A-40DD-98BA-7782EAF94EBF} : C:\Users\Carrie\Desktop\ie.exe [x] -> DELETED
[V2][SUSP PATH] {E90DEAF8-3137-44AA-9165-31B4CD3D2637} : C:\Users\Carrie\Desktop\safe.exe [x] -> DELETED
[V2][SUSP PATH] {F226BD7F-F697-4C0C-BB59-3C661F80D2B2} : C:\Users\Carrie\Desktop\ie.exe [x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK3265GSXN SATA Disk Device +++++
--- User ---
[MBR] ccf60736590eef2cfd6a7aa695256f66
[BSP] 66145dbfca0f0410ab0749a594446f83 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 292137 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 601370624 | Size: 11607 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_09122013_070659.txt >>
RKreport[0]_S_09102013_191204.txt;RKreport[0]_S_09122013_070255.txt

# AdwCleaner v3.003 - Report created 12/09/2013 at 07:13:10
# Updated 07/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Carrie - CARRIE-PC
# Running from : C:\Users\Carrie\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Users\Carrie\AppData\Local\Conduit
Folder Deleted : C:\Users\Carrie\AppData\Local\cre
Folder Deleted : C:\Users\Carrie\AppData\LocalLow\Conduit

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2260173
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\PIP

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

-\\ Google Chrome v29.0.1547.66

[ File : C:\Users\Carrie\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R1].txt - [2183 octets] - [10/09/2013 19:30:32]
AdwCleaner[R2].txt - [2243 octets] - [12/09/2013 07:10:20]
AdwCleaner[S0].txt - [2129 octets] - [12/09/2013 07:13:10]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2189 octets] ##########

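The RogueKiller report above lists scheduled tasks whose targets sit under the user's AppData or Desktop folders and policy values (EnableLUA and ConsentPromptBehaviorAdmin at 0) that mean UAC is switched off. As an added example, not RogueKiller's code and not part of the thread, here is a small Python triage script that parses report lines in that format and flags both conditions; the sample lines are constructed from the entries quoted above plus one benign control line (ExampleVendorUpdate, a placeholder), and the meaning given to the [x] flag is an assumption.

```python
"""Triage RogueKiller-style report lines (added example, not RogueKiller's own code)."""
import re
from dataclasses import dataclass

# Constructed sample: task and policy lines modelled on the report above, plus one
# benign control line (the ExampleVendor task) that is NOT from the thread.
SAMPLE = r"""
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> NOT SELECTED
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> NOT SELECTED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> NOT SELECTED
[V1][SUSP PATH] Arcadesafari.job : C:\Users\Carrie\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe [7] -> DELETED
[V2][SUSP PATH] AllmyappsUpdateTask : C:\Users\Carrie\AppData\Roaming\Allmyapps\AllmyappsUpdater.exe - check startup [7][x] -> DELETED
[V2][SUSP PATH] {077DF77B-3544-4BC4-851A-184819D868F2} : C:\Users\Carrie\Desktop\safe.exe [x] -> DELETED
[V2][SUSP PATH] ExampleVendorUpdate : C:\Program Files (x86)\ExampleVendor\Updater.exe /ua -> FOUND
"""

TASK_RE = re.compile(r"^\[V\d\]\[[^\]]+\] (?P<name>.+?) : (?P<target>.+?) -> (?P<action>.+)$")
POL_RE = re.compile(r"^\[HJ POL\] (?P<key>.+?) : (?P<value>\w+) \((?P<data>\d+)\) -> .+$")
FLAGS_RE = re.compile(r"\s(?:\[[^\]\s]*\])+$")        # trailing [7], [x] or [7][x]
EXE_RE = re.compile(r"^(?P<exe>[a-z]:\\.+?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?=\s|$)", re.I)

# Locations an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE = ("\\appdata\\", "\\desktop\\", "\\downloads\\", "\\temp\\",
                 "c:\\programdata\\", "c:\\users\\public\\")
# Policy values that, at 0, mean UAC is off or elevates without prompting.
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin")


@dataclass
class Finding:
    kind: str    # "task" or "policy"
    name: str
    detail: str
    reason: str


def task_reasons(target: str, flags: list[str]) -> list[str]:
    """Why a scheduled task target deserves a look; an empty list means no concern."""
    reasons = []
    m = EXE_RE.match(target)
    exe = (m.group("exe") if m else target).lower()   # drop arguments such as "/ua"
    if any(marker in exe for marker in USER_WRITABLE):
        reasons.append("target lives in a user-writable location")
    if "x" in flags:   # assumption: RogueKiller's [x] marks a target that no longer exists
        reasons.append("target file missing (orphaned task)")
    return reasons


def triage(report: str) -> list[Finding]:
    findings = []
    for line in report.splitlines():
        m = TASK_RE.match(line)
        if m:
            raw = m.group("target")
            fm = FLAGS_RE.search(raw)
            flags = re.findall(r"\[([^\]]*)\]", fm.group(0)) if fm else []
            target = raw[:fm.start()] if fm else raw
            for reason in task_reasons(target, flags):
                findings.append(Finding("task", m.group("name"), target, reason))
            continue
        m = POL_RE.match(line)
        if m and m.group("value") in UAC_VALUES and m.group("data") == "0":
            findings.append(Finding("policy", m.group("value"), m.group("key"),
                                    "UAC disabled or elevating silently; re-enable after cleanup"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.kind}] {f.name}: {f.reason} ({f.detail})")
```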

#12 B-boy/StyLe/

  • Malware Response Team

Posted 12 September 2013 - 03:00 PM

Hi,

 

So far, so good but please don't miss this part from my previous post: :)

 

 

Next please re-run OTL and run a new scan (not fix) but don't forget to include the script from the quote from the following post and attach the log to your next reply.

Only 1 report will appear this time - OTL.txt. This is normal.

 

Regards,

Georgi




#13 silentcommit

  • Topic Starter

Posted 12 September 2013 - 08:43 PM

I'm not sure I understand the instructions. Is this the quote you are referring to? If the following quote is correct, that log is attached in my previous response.

 

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.*
%USERPROFILE%\*.*
%USERPROFILE%\AppData\Local\*.*
%USERPROFILE%\AppData\Local\*.
%USERPROFILE%\AppData\Local\temp\*.exe
%USERPROFILE%\AppData\Roaming\*.*
%USERPROFILE%\AppData\Roaming\*.
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Templates\*.*
%USERPROFILE%\AppData\Local\Microsoft\*.*
%USERPROFILE%\AppData\Local\Microsoft\*.
%USERPROFILE%\AppData\Roaming\Microsoft\*.*
%USERPROFILE%\AppData\Roaming\Microsoft\*.
%windir%\AppPatch\*.*
%windir%\AppPatch\*.
%Public%\Documents\*.*
%Public%\Documents\*.
%ProgramData%\*.*
%ProgramData%\*.
%CommonProgramFiles%\*.*
%CommonProgramFiles%\*.
%CommonProgramFiles%\ComObjects\*.exe
%ProgramFiles%\*.*
%ProgramFiles%\*.
%programdata%\Microsoft\Windows\DRM\*.tmp
%programdata%\Microsoft\DRM\*.tmp
%systemroot%\system32\config\systemprofile\AppData\Local\*.*
%systemroot%\system32\config\systemprofile\AppData\Local\*.
%systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
%systemroot%\system32\config\systemprofile\AppData\Roaming\*.
%windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
%windir%\SysWOW64\config\systemprofile\AppData\Local\*.
%windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
%windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.
%windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
%windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
%windir%\temp\*.exe
%windir%\*.
%windir%\ShellNew\*.*
%windir%\installer\*.
%windir%\system32\*.
%windir%\sysnative\*.
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\syswow64\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\syswow64\drivers\*.sys /90
%systemroot%\syswow64\drivers\*.sys /lockedfiles
%SYSTEMDRIVE%\*. /rp /s
%systemroot%\assembly\tmp\*.* /S /MD5
%systemroot%\assembly\temp\*.* /S /MD5
%systemroot%\assembly\GAC\*.ini
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
%SystemRoot%\assembly\GAC_MSIL\*.ini
wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
HKEY_CLASSES_ROOT\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887} /s
HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887} /s
HKEY_CLASSES_ROOT\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} /s
HKEY_CLASSES_ROOT\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887} /s
HKEY_CLASSES_ROOT\CLSID\{212B3DCC-A901-4203-B4F2-ADCB957D1887} /s
HKEY_CLASSES_ROOT\CLSID\{A12BEDCC-A901-4203-B4F2-ADCB957D1887} /s
HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188F} /s
HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188B} /s

HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers /s
HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers /s

HKEY_CURRENT_USER\Software\MSOLoad /s
type C:\WINDOWS\system.ini >> test.txt /c
bcdedit /enum all /v >C:\boot.txt /c
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
consrv.dll
services.exe
explorer.exe
lsass.exe
svchost.exe
wininit.exe
winlogon.exe
userinit.exe
imapi.sys
fastfat.sys
atapi.sys
iaStor.sys
serial.sys
volsnap.sys
disk.sys
redbook.sys
i8042prt.sys
afd.sys
netbt.sys
csc.sys
tcpip.sys
kbdclass.sys
kbdhid.sys
mouclass.sys
mouhid.sys
spldr.sys
dfsc.sys
hlp.dat
str.sys
CREXVX.OCX
crexv.ocx
msseedir.dll
msdr.dll
lmbd.dll
wsse.dll
/md5stop


Edited by silentcommit, 12 September 2013 - 09:19 PM.


#14 B-boy/StyLe/

  • Malware Response Team

Posted 12 September 2013 - 11:23 PM

Hi,

 

The log you attached here indicates that you ran a scan with OTL without using the script below:

 

 

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.*
%USERPROFILE%\*.*
%USERPROFILE%\AppData\Local\*.*
%USERPROFILE%\AppData\Local\*.
%USERPROFILE%\AppData\Local\temp\*.exe
%USERPROFILE%\AppData\Roaming\*.*
%USERPROFILE%\AppData\Roaming\*.
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Templates\*.*
%USERPROFILE%\AppData\Local\Microsoft\*.*
%USERPROFILE%\AppData\Local\Microsoft\*.
%USERPROFILE%\AppData\Roaming\Microsoft\*.*
%USERPROFILE%\AppData\Roaming\Microsoft\*.
%windir%\AppPatch\*.*
%windir%\AppPatch\*.
%Public%\Documents\*.*
%Public%\Documents\*.
%ProgramData%\*.*
%ProgramData%\*.
%CommonProgramFiles%\*.*
%CommonProgramFiles%\*.
%CommonProgramFiles%\ComObjects\*.exe
%ProgramFiles%\*.*
%ProgramFiles%\*.
%programdata%\Microsoft\Windows\DRM\*.tmp
%programdata%\Microsoft\DRM\*.tmp
%systemroot%\system32\config\systemprofile\AppData\Local\*.*
%systemroot%\system32\config\systemprofile\AppData\Local\*.
%systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
%systemroot%\system32\config\systemprofile\AppData\Roaming\*.
%windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
%windir%\SysWOW64\config\systemprofile\AppData\Local\*.
%windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
%windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.
%windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
%windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
%windir%\temp\*.exe
%windir%\*.
%windir%\ShellNew\*.*
%windir%\installer\*.
%windir%\system32\*.
%windir%\sysnative\*.
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\syswow64\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\syswow64\drivers\*.sys /90
%systemroot%\syswow64\drivers\*.sys /lockedfiles
%SYSTEMDRIVE%\*. /rp /s
%systemroot%\assembly\tmp\*.* /S /MD5
%systemroot%\assembly\temp\*.* /S /MD5
%systemroot%\assembly\GAC\*.ini
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
%SystemRoot%\assembly\GAC_MSIL\*.ini
wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
HKEY_CLASSES_ROOT\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887} /s
HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887} /s
HKEY_CLASSES_ROOT\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} /s
HKEY_CLASSES_ROOT\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887} /s
HKEY_CLASSES_ROOT\CLSID\{212B3DCC-A901-4203-B4F2-ADCB957D1887} /s
HKEY_CLASSES_ROOT\CLSID\{A12BEDCC-A901-4203-B4F2-ADCB957D1887} /s
HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188F} /s
HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188B} /s

HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers /s
HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers /s

HKEY_CURRENT_USER\Software\MSOLoad /s
type C:\WINDOWS\system.ini >> test.txt /c
bcdedit /enum all /v >C:\boot.txt /c
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
consrv.dll
services.exe
explorer.exe
lsass.exe
svchost.exe
wininit.exe
winlogon.exe
userinit.exe
imapi.sys
fastfat.sys
atapi.sys
iaStor.sys
serial.sys
volsnap.sys
disk.sys
redbook.sys
i8042prt.sys
afd.sys
netbt.sys
csc.sys
tcpip.sys
kbdclass.sys
kbdhid.sys
mouclass.sys
mouhid.sys
spldr.sys
dfsc.sys
hlp.dat
str.sys
CREXVX.OCX
crexv.ocx
msseedir.dll
msdr.dll
lmbd.dll
wsse.dll
/md5stop

 

and I want you to re-run OTL and run a new scan using the custom search script above this time.

Thanks!

 

 

Regards,

Georgi




#15 silentcommit

  • Topic Starter

Posted 13 September 2013 - 09:33 AM

I tried running it again; I got this message: "cannot create file c:\Users\Carrie\Desktop\cmd.bat". No txt log appeared. Thanks.





