Issue #2 of 4...Dell Laptop- past FBI infection? new nasty?



#1 Ajmarks

Posted 17 September 2013 - 08:14 PM

Okay, first things first- I was told to post in this forum on my original post (http://www.bleepingcomputer.com/forums/t/506868/so-over-my-head-now-whole-network-infection-if-seems/). Here’s the dealio and the logs for this computer (for more info on the WHOLE issue please see the link above).

 

This is part 2 of 4 issues I am having…ugh.

 

Computer #2 is a DELL INSPIRON LAPTOP running WINDOWS 7

I suspect this machine was the source of whatever infection my network caught because it was what I watch Internet TV on and the initial scans said it was most infected- Trojans, backdoors, toolbars, you name it. I had the FBI virus about 4-6 months ago but I thought I had gotten rid of it. After all this I'm now wondering if it is somehow a delayed reaction from that. Regardless, I reinstalled Windows from CD about 2 weeks ago. Been scared to turn it on since, after the reinstallation I was getting clean scans. So, as far as I know...it was at one point clean/good at pretending and I just want to make sure it ACTUALLY is clean.

 

Across my 4 computers I’ve seen everything flagged from Trojans to backdoors to spyware to adware. Can’t recall what specifically got flagged on this one BUT since I’ve got more logs than I know what to do with I’ve included the dropbox link to ALL the logs I have over the past 1-2 months: http://db.tt/zlnSAkDq

 

Like I mentioned, I had this posted in another forum but no response until someone told me to post here and wait all over again! I had a bunch of views, and almost 5 days of waiting. Truthfully I'm sorta ready to just dban everything (tech guy @ work just mentioned this program) and reinstall...but even THAT I'm scared to do without y'all's help (or if it will even actually make a difference).

 

I really do need help!! My tech @ home...all of it...is basically useless and I keep falling further and further behind in work and personal life because of this (can't complete work @ home because I can't reinstall/install needed programs, can't pay bills online or order items I need for my house because I don't know my computer is clean enough to use my cc; can't forget about all this and watch TV because I don't have cable and my TV comes from the internet; etc.). Add to that I'm going through cancer treatment and all this building stress is NOT good for me (TMI? Well, I figure it gives a sense for why I am so desperate. I swear there is a special place in hell for some of these hacker/virus creators!)

Someone please....

xxxxxxxx ORIGINAL DELL INSPIRON LAPTOP LOG xxxxxxxxxxx

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 9.0.8112.16450  BrowserJavaVersion: 1.6.0_22
Run by Alison at 22:20:30 on 2013-08-24
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3582.3058 [GMT -5:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
BHO: AutorunsDisabled - <orphaned>
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
mRun: [Dell PC TuneUp Startup] "c:\program files\iolo\common\lib\ioloLManager.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
dRunOnce: [adawarebp] reg.exe delete "HKCU\Software\AppDataLow\Software\adawarebp" /f
dRunOnce: [adawarebp_XP] reg.exe delete "HKCU\Software\adawarebp" /f
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - <no file>
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: NameServer = 192.168.2.1 66.90.130.101 216.82.201.11
TCP: Interfaces\{36B97D22-088E-42E5-AB48-DEDE49877890} : DHCPNameServer = 192.168.2.1 66.90.130.101 216.82.201.11
TCP: Interfaces\{36B97D22-088E-42E5-AB48-DEDE49877890}\14A4D4 : DHCPNameServer = 192.168.2.1 66.90.130.101 216.82.201.11
TCP: Interfaces\{36B97D22-088E-42E5-AB48-DEDE49877890}\16474777966696 : DHCPNameServer = 192.168.4.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{36B97D22-088E-42E5-AB48-DEDE49877890}\2456C6B696E6F5E4F575962756C6563737F5031663934316 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{36B97D22-088E-42E5-AB48-DEDE49877890}\9437C616E6465627F51446D696E6 : DHCPNameServer = 10.20.0.56 10.20.0.50 10.20.0.4
TCP: Interfaces\{36B97D22-088E-42E5-AB48-DEDE49877890}\C696E6B6379737 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{68BBE856-C261-4531-B0D3-C27F99F451FC} : DHCPNameServer = 66.174.71.33 66.174.95.44
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - <orphaned>
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-4-14 13560]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2009-8-6 20392]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_4c73f4a9a59a84bb\AEstSrv.exe [2009-8-6 81920]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
S2 HitmanPro37CrusaderBoot;HitmanPro 3.7 Crusader (Boot);"l:\hitmanpro.exe" /crusader:boot --> l:\HitmanPro.exe [?]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-8-6 712048]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-8-6 712048]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2010-12-15 198000]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-8-6 144128]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 htcusbnet;HTC USB-NDIS miniport;c:\windows\system32\drivers\htcusbnet.sys [2011-7-8 129024]
S3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [2009-3-6 133632]
S3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [2009-3-19 271552]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-4-28 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-28 52224]
S4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S4 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-4-11 1343400]
.
=============== File Associations ===============
.
FileExt: .vbe: VBEFile=NOTEPAD.EXE %1
FileExt: .vbs: VBSFile=NOTEPAD.EXE %1
FileExt: .js: JSFile=NOTEPAD.EXE %1
FileExt: .jse: JSEFile=NOTEPAD.EXE %1
FileExt: .wsf: WSFFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2013-08-25 00:55:36    --------    d-----w-    c:\users\alison\appdata\local\Temp
2013-08-25 00:00:52    --------    d-----w-    c:\program files\VS Revo Group
2013-08-24 23:42:47    --------    d-----w-    c:\program files\HitmanPro
2013-08-24 23:20:33    12872    ----a-w-    c:\windows\system32\bootdelete.exe
2013-08-24 23:02:23    --------    d-----w-    c:\users\alison\appdata\local\Avg2013
2013-08-24 22:56:37    --------    d-----w-    c:\programdata\HitmanPro
2013-08-24 22:50:39    --------    d-----w-    c:\users\alison\appdata\roaming\TrueCrypt
2013-08-24 22:42:23    231760    ----a-w-    c:\windows\system32\drivers\truecrypt.sys
2013-08-24 22:24:59    --------    d-----w-    C:\AdwCleaner
2013-08-24 22:23:47    --------    d-----w-    c:\program files\TrueCrypt
2013-08-18 19:55:29    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-08-18 07:30:25    --------    d-----w-    c:\programdata\Ad-Aware Browsing Protection
2013-08-18 04:04:54    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2013-08-18 04:04:54    --------    d-----w-    c:\program files\spies be damned
2013-08-18 03:16:41    --------    d-----w-    c:\windows\ERUNT
.
==================== Find3M  ====================
.
2013-08-25 00:00:25    8192    ----a-w-    c:\windows\system32\drivers\mouhid.sys.bak
.
============= FINISH: 22:28:24.04 ===============

 

 

xxxxxxxx MOST RECENT DELL INSPIRON LAPTOP LOG xxxxxxxxxxx

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16660
Run by AJM-DELL at 13:43:13 on 2013-09-07
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3582.2595 [GMT -5:00]
.
AV: AVG Internet Security 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Internet Security 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
FW: AVG Internet Security 2014 *Disabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2014\avgrsx.exe
C:\Program Files\AVG\AVG2014\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG2014\avgfws.exe
C:\Program Files\AVG\AVG2014\avgidsagent.exe
C:\Program Files\AVG\AVG2014\avgwdsvc.exe
C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG2014\avgnsx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG2014\avgcsrvx.exe
C:\Program Files\AVG\AVG2014\avgui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AVG\AVG2014\avgcfgex.exe
C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe
C:\Windows\explorer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
TCP: NameServer = 192.168.2.1 66.90.130.101 216.82.201.11
TCP: Interfaces\{336F7B84-6BA4-474D-B699-B711DF6DF93F} : DHCPNameServer = 192.168.2.1 66.90.130.101 216.82.201.11
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ajm-dell\appdata\roaming\mozilla\firefox\profiles\nt13ll76.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - ExtSQL: 2013-09-07 09:13; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\ajm-dell\appdata\roaming\mozilla\firefox\profiles\nt13ll76.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-8-22 146232]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-8-22 223032]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-8-20 102200]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-8-1 26936]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-8-1 120120]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2012-9-4 50296]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-8-22 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-8-1 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-8-22 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-8-1 193848]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 avgfws;AVG Firewall;c:\program files\avg\avg2014\avgfws.exe [2013-8-26 1358432]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2013-8-27 3534896]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2013-8-20 300640]
R2 TuneUp.UtilitiesSvc;AVG PC TuneUp Service;c:\program files\avg\avg pc tuneup\TuneUpUtilitiesService32.exe [2013-8-29 1740088]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2013-9-7 30976]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\avg\avg pc tuneup\TuneUpUtilitiesDriver32.sys [2013-8-21 12320]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2013-8-25 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-8-25 14848]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-8-25 49664]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-8-25 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2013-09-07 17:54:25    30976    ----a-w-    c:\windows\system32\drivers\hitmanpro37.sys
2013-09-07 17:54:01    --------    d-----w-    c:\program files\HitmanPro
2013-09-06 23:57:47    36152    ----a-w-    c:\windows\system32\TURegOpt.exe
2013-09-06 23:57:47    25400    ----a-w-    c:\windows\system32\authuitu.dll
2013-09-06 23:57:26    --------    d-----w-    c:\users\ajm-dell\appdata\roaming\AVG
2013-09-06 23:56:44    --------    d-----w-    c:\programdata\AVG
2013-09-06 23:56:24    --------    d-sh--w-    c:\programdata\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-09-06 23:51:08    --------    d-----w-    c:\users\ajm-dell\appdata\roaming\AVG2014
2013-09-06 23:50:16    --------    d-----w-    c:\users\ajm-dell\appdata\roaming\TuneUp Software
2013-09-06 23:48:49    --------    d--h--w-    C:\$AVG
2013-09-06 23:48:48    --------    d-----w-    c:\programdata\AVG2014
2013-09-06 23:48:19    --------    d-----w-    c:\program files\AVG
2013-09-06 23:37:14    --------    d--h--w-    c:\programdata\Common Files
2013-09-06 23:37:14    --------    d-----w-    c:\users\ajm-dell\appdata\local\MFAData
2013-09-06 23:37:14    --------    d-----w-    c:\users\ajm-dell\appdata\local\Avg2014
2013-09-06 23:37:14    --------    d-----w-    c:\programdata\MFAData
2013-09-06 23:35:47    --------    d-----w-    c:\users\ajm-dell\appdata\roaming\VSRevoGroup
2013-09-06 23:34:39    7166848    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2013-09-06 23:34:35    7166848    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{9a2fbe7f-d9f0-46a9-aa4a-6b932451b253}\mpengine.dll
2013-08-26 01:15:51    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-08-26 01:07:17    1247744    ----a-w-    c:\windows\system32\DWrite.dll
2013-08-26 00:32:52    49152    ----a-w-    c:\windows\system32\taskhost.exe
2013-08-26 00:31:44    1505280    ----a-w-    c:\windows\system32\d3d11.dll
2013-08-26 00:29:57    3968960    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-08-26 00:27:48    936448    ----a-w-    c:\program files\common files\microsoft shared\ink\journal.dll
2013-08-25 23:37:55    --------    d-----w-    c:\windows\system32\SPReview
2013-08-25 23:20:56    --------    d-----w-    c:\windows\system32\EventProviders
2013-08-25 22:01:22    --------    d-----w-    c:\windows\en
2013-08-25 22:00:57    39272    ----a-w-    c:\windows\system32\drivers\fssfltr.sys
2013-08-25 22:00:10    --------    d-----w-    c:\program files\Microsoft SQL Server Compact Edition
2013-08-25 21:59:18    --------    d-----w-    c:\windows\PCHEALTH
2013-08-25 21:58:30    --------    d-----w-    c:\program files\Microsoft
2013-08-25 21:58:28    69464    ----a-w-    c:\windows\system32\XAPOFX1_3.dll
2013-08-25 21:58:28    515416    ----a-w-    c:\windows\system32\XAudio2_5.dll
2013-08-25 21:58:28    453456    ----a-w-    c:\windows\system32\d3dx10_42.dll
2013-08-25 21:58:26    3426072    ----a-w-    c:\windows\system32\d3dx9_32.dll
2013-08-25 21:54:54    15712    ----a-w-    c:\program files\common files\windows live\.cache\bb6d725d1cea1dd39\MeshBetaRemover.exe
2013-08-25 21:52:26    89944    ----a-w-    c:\program files\common files\windows live\.cache\634059171cea1dd2b\DSETUP.dll
2013-08-25 21:52:26    537432    ----a-w-    c:\program files\common files\windows live\.cache\634059171cea1dd2b\DXSETUP.exe
2013-08-25 21:52:26    1801048    ----a-w-    c:\program files\common files\windows live\.cache\634059171cea1dd2b\dsetup32.dll
2013-08-25 21:52:20    94040    ----a-w-    c:\program files\common files\windows live\.cache\5eaad2b01cea1dd2a\DSETUP.dll
2013-08-25 21:52:20    525656    ----a-w-    c:\program files\common files\windows live\.cache\5eaad2b01cea1dd2a\DXSETUP.exe
2013-08-25 21:52:20    1691480    ----a-w-    c:\program files\common files\windows live\.cache\5eaad2b01cea1dd2a\dsetup32.dll
2013-08-25 21:48:51    6260088    ----a-w-    c:\program files\common files\windows live\.cache\e1e953f41cea1dc17\Silverlight.4.0.exe
2013-08-25 21:45:45    --------    d-----w-    c:\users\ajm-dell\appdata\local\Windows Live
2013-08-25 21:45:45    --------    d-----w-    c:\program files\common files\Windows Live
2013-08-25 21:44:26    --------    d-----w-    c:\program files\MSXML 4.0
2013-08-25 21:11:59    80384    ----a-w-    c:\windows\system32\davclnt.dll
2013-08-25 21:07:22    --------    d-----r-    c:\users\ajm-dell\Dropbox
2013-08-25 21:04:37    --------    d-----w-    c:\users\ajm-dell\appdata\roaming\Dropbox
2013-08-25 21:00:04    --------    d-----w-    c:\users\ajm-dell\appdata\local\Mozilla
2013-08-25 20:56:56    80256    ----a-w-    c:\windows\system32\drivers\amdsata.sys
2013-08-25 20:22:17    --------    d-----w-    c:\windows\system32\Wat
2013-08-25 20:10:17    67072    ----a-w-    c:\windows\system32\packager.dll
2013-08-25 20:10:10    314880    ----a-w-    c:\windows\system32\webio.dll
2013-08-25 20:10:03    96768    ----a-w-    c:\windows\system32\drivers\mrxsmb20.sys
2013-08-25 20:10:03    223744    ----a-w-    c:\windows\system32\drivers\mrxsmb10.sys
2013-08-25 20:10:03    123904    ----a-w-    c:\windows\system32\drivers\mrxsmb.sys
2013-08-25 20:09:58    2616320    ----a-w-    c:\windows\explorer.exe
2013-08-25 20:09:57    8192    ----a-w-    c:\windows\system32\rdrmemptylst.exe
2013-08-25 20:09:57    769024    ----a-w-    c:\windows\system32\localspl.dll
2013-08-25 20:09:57    690688    ----a-w-    c:\windows\system32\msvcrt.dll
2013-08-25 20:09:57    58880    ----a-w-    c:\windows\system32\rdpwsx.dll
2013-08-25 20:09:57    129536    ----a-w-    c:\windows\system32\rdpcorekmts.dll
2013-08-25 20:09:10    123904    ----a-w-    c:\windows\system32\poqexec.exe
2013-08-25 19:42:07    70656    ----a-w-    c:\windows\system32\fontsub.dll
2013-08-25 19:42:06    34304    ----a-w-    c:\windows\system32\atmlib.dll
2013-08-25 19:42:06    295424    ----a-w-    c:\windows\system32\atmfd.dll
2013-08-25 19:35:18    --------    d-----w-    c:\windows\system32\MRT
2013-08-25 19:15:58    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2013-08-25 19:15:58    526952    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2013-08-25 19:15:58    47720    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2013-08-25 19:15:05    73216    ----a-w-    c:\windows\system32\WUDFSvc.dll
2013-08-25 19:15:05    66560    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2013-08-25 19:15:05    613888    ----a-w-    c:\windows\system32\WUDFx.dll
2013-08-25 19:15:05    38912    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2013-08-25 19:15:05    196608    ----a-w-    c:\windows\system32\WUDFHost.exe
2013-08-25 19:15:05    172032    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2013-08-25 19:15:05    155136    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2013-08-25 19:14:01    5120    ----a-w-    c:\windows\system32\wmi.dll
2013-08-25 19:14:01    19824    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2013-08-25 19:14:01    159232    ----a-w-    c:\windows\system32\imagehlp.dll
2013-08-25 19:05:58    183808    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
2013-08-25 19:04:49    220160    ----a-w-    c:\windows\system32\ncrypt.dll
2013-08-25 19:04:38    478720    ----a-w-    c:\windows\system32\timedate.cpl
2013-08-25 19:03:50    534528    ----a-w-    c:\windows\system32\EncDec.dll
2013-08-25 19:01:19    1328128    ----a-w-    c:\windows\system32\quartz.dll
2013-08-25 19:01:12    28672    ----a-w-    c:\windows\system32\profprov.dll
2013-08-25 19:01:12    164352    ----a-w-    c:\windows\system32\profsvc.dll
2013-08-25 19:00:56    31232    ----a-w-    c:\windows\system32\prevhost.exe
2013-08-25 18:59:24    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
2013-08-25 18:54:06    571904    ----a-w-    c:\windows\system32\oleaut32.dll
2013-08-25 18:54:06    233472    ----a-w-    c:\windows\system32\oleacc.dll
2013-08-25 18:52:37    169984    ----a-w-    c:\windows\system32\winsrv.dll
2013-08-25 18:52:10    27008    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2013-08-25 18:52:10    107520    ----a-w-    c:\windows\system32\cdd.dll
2013-08-25 18:33:38    --------    d-----w-    c:\program files\common files\MSSoap
2013-08-25 18:32:53    --------    d-----w-    c:\windows\Downloaded Installations
2013-08-25 18:14:33    --------    d-----w-    c:\users\ajm-dell\appdata\local\Programs
2013-08-25 18:12:33    --------    d-----w-    c:\programdata\Sophos
2013-08-25 18:11:03    --------    d-----w-    c:\programdata\HitmanPro
2013-08-25 18:09:21    --------    d-----w-    C:\AdwCleaner
2013-08-25 18:05:08    --------    d-----w-    C:\FRST
2013-08-25 17:42:29    302    ----a-w-    C:\FixitRegBackup.reg
2013-08-25 17:42:02    --------    d-sh--w-    c:\windows\Installer
2013-08-25 17:12:46    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-08-25 16:49:44    826880    ----a-w-    c:\windows\system32\rdpcore.dll
2013-08-25 16:49:44    24576    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2013-08-25 16:49:44    18432    ----a-w-    c:\windows\system32\drivers\tdpipe.sys
2013-08-25 16:44:38    2422272    ----a-w-    c:\windows\system32\wucltux.dll
2013-08-25 16:44:33    88576    ----a-w-    c:\windows\system32\wudriver.dll
2013-08-25 16:44:21    33792    ----a-w-    c:\windows\system32\wuapp.exe
2013-08-25 16:44:21    171904    ----a-w-    c:\windows\system32\wuwebv.dll
2013-08-25 16:42:18    --------    d-----w-    c:\windows\system32\wbem\Performance
2013-08-25 16:41:52    --------    d-----w-    c:\users\ajm-dell\appdata\local\Diagnostics
2013-08-25 08:31:39    --------    d-----w-    c:\windows\Panther
2013-08-25 08:31:25    --------    d-sh--w-    C:\Boot
2013-08-25 07:34:03    0    ----a-w-    c:\windows\ativpsrm.bin
2013-08-23 04:37:18    176952    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-08-23 03:56:56    209208    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-08-23 03:56:16    223032    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-08-23 03:56:16    146232    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
.
==================== Find3M  ====================
.
2013-08-26 00:32:34    9728    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-08-25 23:43:10    152576    ----a-w-    c:\windows\system32\msclmd.dll
2013-08-01 21:08:52    193848    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2013-08-01 21:06:40    22840    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-08-01 21:06:14    120120    ----a-w-    c:\windows\system32\drivers\avgdiskx.sys
2013-08-01 21:05:58    26936    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2013-07-25 08:57:27    1620992    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-07-19 01:41:01    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-07-09 05:03:34    3913664    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-09 04:53:46    1289096    ----a-w-    c:\windows\system32\ntdll.dll
2013-07-09 04:52:10    175104    ----a-w-    c:\windows\system32\wintrust.dll
2013-07-09 04:50:42    652800    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-07-09 04:46:31    140288    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-07-09 04:46:31    1166848    ----a-w-    c:\windows\system32\crypt32.dll
2013-07-09 04:46:31    103936    ----a-w-    c:\windows\system32\cryptnet.dll
2013-07-06 05:05:35    1293760    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-06-15 03:38:43    31232    ----a-w-    c:\windows\system32\drivers\tssecsrv.sys
.
============= FINISH: 13:44:02.55 ===============
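Since the evidence in this thread is the two DDS logs above, here is an added triage script (not part of the original thread and not DDS's own code) that reads DDS output and lists the header items a reviewer checks first: protection products reported disabled or outdated, DNS resolvers outside private address space (to be compared with what the router or ISP actually hands out before reading anything into them), orphaned BHO registrations, and script extensions redirected to Notepad. It assumes the log is saved as plain text; the sample lines are copied from the logs in this thread.

```python
"""Triage helper for DDS.txt output: pull the AV/SP/FW status header, the DNS
resolvers and orphaned browser helper objects out of the log text and list the
items a reviewer would look at first.  Added example; not part of DDS itself."""
import ipaddress
import re

# Constructed sample: a handful of lines copied from the two DDS logs in this
# thread so the script runs offline.  For real use, read a saved DDS.txt.
SAMPLE_DDS = r"""
AV: AVG Internet Security 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Internet Security 2014 *Disabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
BHO: AutorunsDisabled - <orphaned>
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
TCP: NameServer = 192.168.2.1 66.90.130.101 216.82.201.11
TCP: Interfaces\{68BBE856-C261-4531-B0D3-C27F99F451FC} : DHCPNameServer = 66.174.71.33 66.174.95.44
FileExt: .vbs: VBSFile=NOTEPAD.EXE %1
FileExt: .js: JSFile=NOTEPAD.EXE %1
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
"""

# DDS header lines look like:  AV: <product> *<state>/<update state>* {<guid>}
PROTECTION_RE = re.compile(r"^(AV|SP|FW): (.+?) \*([^*]+)\* \{")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")
BHO_RE = re.compile(r"^BHO: (.+)$")
FILEEXT_RE = re.compile(r"^FileExt: (\.\w+): .*=(\S+)")


def parse_protection(text):
    """Return [(kind, product, status)] for the AV:/SP:/FW: header lines."""
    out = []
    for line in text.splitlines():
        m = PROTECTION_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def parse_nameservers(text):
    """Return the set of resolver addresses named on any ...NameServer = line
    (both the global NameServer entry and the per-interface DHCP ones)."""
    servers = set()
    for line in text.splitlines():
        m = NAMESERVER_RE.search(line)
        if not m:
            continue
        for token in m.group(1).split():
            try:
                servers.add(ipaddress.ip_address(token))
            except ValueError:
                pass  # non-address text occasionally trails the list; skip it
    return servers


def triage(text):
    """Return a dict of finding lists keyed by category."""
    findings = {"protection": [], "resolvers": [], "orphaned_bho": [],
                "script_ext": []}
    # Any protection product DDS reports as Disabled or Outdated.
    for kind, product, status in parse_protection(text):
        if "Disabled" in status or "Outdated" in status:
            findings["protection"].append(f"{kind} {product}: {status}")
    # Resolvers outside RFC 1918 space.  These are often just the ISP's own
    # servers; confirm against the router/ISP settings before concluding
    # anything, but they are the entries worth verifying.
    for ip in sorted(parse_nameservers(text)):
        if not ip.is_private:
            findings["resolvers"].append(str(ip))
    for line in text.splitlines():
        stripped = line.strip()
        m = BHO_RE.match(stripped)
        if m and "<orphaned>" in m.group(1):
            # Registration whose DLL is gone: leftover, a cleanup candidate.
            findings["orphaned_bho"].append(m.group(1))
        m = FILEEXT_RE.match(stripped)
        if m and m.group(2).upper() == "NOTEPAD.EXE":
            # Script types mapped to Notepad: a hardening applied by some
            # cleanup tools, so double-clicked scripts open instead of run.
            findings["script_ext"].append(m.group(1))
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_DDS).items():
        print(category)
        for item in items:
            print("   ", item)
```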

 

 


#2 Ajmarks

  • Topic Starter

Posted 17 September 2013 - 08:30 PM

Alright, so in checking that my post showed up correctly I stumbled upon this post...seems like A LOT of the stuff that happened on my computers (including the weird desktop.ini files in all my folders!!). Not sure if this is helpful but thought since it was so similar it might be relevant. Haven't done anything suggested here though since I had my own post already and I am trying to be patient :)
http://www.bleepingcomputer.com/forums/t/506405/unknown-undetected-virus-now-created-authorized-user-permissions/



#3 nasdaq

  • Malware Response Team

Posted 21 September 2013 - 01:13 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Tutorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM.
Let me know what problem persists.
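
The topic starter's next post includes a GrantPerms listing for the profile folder with a DENY entry for a raw SID the poster does not recognise, and the ComboFix log in the same post shows the logged-on user's own SID (the HKEY_USERS key ending in RID 1000). The script below is an added example for this thread, not part of GrantPerms, ComboFix or any post: it parses that listing, flags DENY ACEs (which Windows evaluates before ALLOW entries) and explains a raw SID by comparing its machine identifier with a known reference SID. Assumptions: the column layout as pasted (fields separated by runs of spaces), and that the reference SID comes from the same machine's ComboFix log. GrantPerms' `(NI)` is not standard icacls/SDDL shorthand, so the script reports it verbatim instead of guessing. On the machine itself the equivalent check is `icacls C:\Users\<name>` from an elevated prompt.

```python
"""Decode a GrantPerms-style DACL listing: list each ACE, flag DENY entries and
explain raw SIDs that the tool could not resolve to an account name."""
import re
from collections import namedtuple

Ace = namedtuple("Ace", "trustee rights kind flags")   # kind is "ALLOW" or "DENY"

# Well-known SIDs that turn up in profile ACLs (Microsoft's published list).
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-18": "NT AUTHORITY\\SYSTEM",
                   "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users"}
# ACE inheritance flags in icacls/SDDL notation; anything else is reported verbatim.
ACE_FLAGS = {"CI": "container inherit (subfolders)", "OI": "object inherit (files)",
             "IO": "inherit only", "NP": "no propagate", "ID": "inherited from parent"}
# Account SID: S-1-5-21-<three machine/domain sub-authorities>-<relative ID>.
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-(\d+-\d+-\d+)-(\d+)$")
FLAG_RE = re.compile(r"\(([A-Z]+)\)")


def parse_listing(text):
    """Parse one object's block (\\\\?\\ path, Owner:, DACL(...): header, ACE rows)
    into {"path", "owner", "dacl_flags", "aces"}."""
    out, in_dacl = {"path": "", "owner": "", "dacl_flags": (), "aces": []}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if line.startswith("\\\\?\\"):
            out["path"] = line[4:]
        elif line.startswith("Owner:"):
            out["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("DACL"):
            out["dacl_flags"] = tuple(FLAG_RE.findall(line))   # e.g. ("P", "AI")
            in_dacl = True
        elif in_dacl:
            # Columns are separated by runs of spaces; a trustee may contain a single space.
            cols = re.split(r"\s{2,}", line)
            if len(cols) >= 3 and cols[2] in ("ALLOW", "DENY"):
                flags = tuple(FLAG_RE.findall(" ".join(cols[3:])))   # ignores trailing annotations
                out["aces"].append(Ace(cols[0], cols[1], cols[2], flags))
    return out


def describe_sid(sid, reference_sids=()):
    """Explain a raw SID. reference_sids are SIDs known to belong to this machine, for
    example the logged-on user's HKEY_USERS\\S-1-5-21-... key from a ComboFix log."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = ACCOUNT_SID_RE.match(sid)
    if not m:
        return "unrecognised SID format"
    authority, rid = m.group(1), int(m.group(2))
    if rid >= 1000:
        who = f"user-created account or group (RID {rid}; the local SAM issues these from 1000 upward)"
    else:
        who = f"built-in relative ID {rid} (500 is Administrator, 501 is Guest)"
    refs = {mm.group(1) for mm in map(ACCOUNT_SID_RE.match, reference_sids) if mm}
    origin = ("same machine/domain identifier as the reference SID(s)" if authority in refs
              else "machine/domain identifier does not match any reference SID")
    return f"{who}; {origin}; unresolved by the tool, so the account was deleted or belongs to another machine/domain"


def audit(listing, reference_sids=()):
    """Findings a responder wants first: a protected DACL, then every DENY ACE
    (Windows evaluates explicit DENY entries before explicit ALLOW entries)."""
    findings = []
    if "P" in listing["dacl_flags"]:
        findings.append(f"{listing['path']}: DACL is protected (P), so it does not inherit from the parent folder")
    for ace in listing["aces"]:
        if ace.kind != "DENY":
            continue
        flags = ", ".join(ACE_FLAGS.get(f, f"({f}) is not icacls notation, reported verbatim")
                          for f in ace.flags) or "this object only"
        who = describe_sid(ace.trustee, reference_sids) if ace.trustee.startswith("S-1-") else ace.trustee
        findings.append(f"DENY {ace.rights} for {ace.trustee} [{who}]; flags: {flags}")
    return findings


# Sample input: the GrantPerms output pasted in the next post, poster's annotation included.
SAMPLE = r"""GrantPerms by Farbar
===============================================
\\?\C:\Users\AJM-DELL

   Owner: NT AUTHORITY\SYSTEM

   DACL(P)(AI):
   S-1-5-21-466443174-2913434031-3550566235-1001   READ/EXECUTE   DENY   (NI) <<<<<<this is the user I don't recognize/understand!!!
   NT AUTHORITY\SYSTEM   FULL   ALLOW   (CI)(OI)
   BUILTIN\Administrators   FULL   ALLOW   (CI)(OI)
   Dell-Laptop\AJM-DELL   FULL   ALLOW   (CI)(OI)
"""
# Reference: the logged-on user's own SID, from the HKEY_USERS key in the same post's ComboFix log.
LOGGED_ON_USER_SID = "S-1-5-21-466443174-2913434031-3550566235-1000"

if __name__ == "__main__":
    listing = parse_listing(SAMPLE)
    for ace in listing["aces"]:
        print(f"{ace.kind:<5} {ace.rights:<13} {ace.trustee} {''.join(f'({f})' for f in ace.flags)}")
    for finding in audit(listing, [LOGGED_ON_USER_SID]):
        print("!", finding)
```

Run against the pasted listing, the raw SID and the locked HKEY_USERS key share the machine identifier 466443174-2913434031-3550566235, so the entry is a local RID-1001 account from this same install, not a foreign SID; it prints as a raw SID because the name lookup failed, which is what a deleted local account looks like. A DENY ACE only applies if that SID is in the caller's token, so a deny for a deleted account would not by itself lock the logged-on user out of the folder.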

#4 Ajmarks (Topic Starter, Members, 116 posts)

Posted 24 September 2013 - 09:02 PM

Well, much as I suspected, this one turned out to be a bit of a doozy!

So I tried to follow your directions, but I kept getting an error message about not having permission to edit the temp folder when I tried to download the files. So I looked into the properties and saw a lock on my whole user file: desktop, temp, the whole thing. I tried resetting this under the properties menu for the folders and it wouldn't work. I remembered, from looking around this site a while back, a program that was designed to reset permissions, so I looked at the permissions and saw a weird user I didn't recognize.

I decided to download and run the "grantperms" app (log included with the others below). I know, I know, I shouldn't have done that without checking first... I got ahead of myself :( Everything seemed to go okay, but then Firefox wouldn't open because it said I already had an instance of Firefox open. Except I didn't. Not on my screen, not in my Task Manager. Nowhere! So I decided to delete my most recent programs that I thought would be changing permissions and blocking the internet: MBAM and SUPERAntiSpyware. This seemed to FINALLY work to let me download the files, but only through using Internet Explorer. Firefox is still telling me there is another instance running (even after a full computer restart).

Guess this one still needs some help....

In the meantime, here are the requested logs:

Grantperms

GrantPerms by Farbar
Ran by AJM-DELL (administrator) at 2013-09-24 09:16:16

===============================================
\\?\C:\Users\AJM-DELL

   Owner: NT AUTHORITY\SYSTEM

   DACL(P)(AI):
   S-1-5-21-466443174-2913434031-3550566235-1001   READ/EXECUTE   DENY   (NI) <<<<<<this is the user I don't recognize/understand!!!
   NT AUTHORITY\SYSTEM   FULL   ALLOW   (CI)(OI)
   BUILTIN\Administrators   FULL   ALLOW   (CI)(OI)
   Dell-Laptop\AJM-DELL   FULL   ALLOW   (CI)(OI)
Adwcleaner (I had to run this as an admin to get it to work)

# AdwCleaner v3.005 - Report created 24/09/2013 at 09:39:16
# Updated 22/09/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : AJM-DELL - DELL-LAPTOP
# Running from : C:\Users\AJM-DELL\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686


-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\AJM-DELL\AppData\Roaming\Mozilla\Firefox\Profiles\nt13ll76.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [684 octets] - [25/08/2013 13:09:23]
AdwCleaner[R1].txt - [940 octets] - [07/09/2013 11:23:16]
AdwCleaner[R2].txt - [959 octets] - [24/09/2013 09:38:10]
AdwCleaner[R3].txt - [820 octets] - [24/09/2013 09:39:16]
AdwCleaner[S0].txt - [1002 octets] - [07/09/2013 12:24:14]

########## EOF - C:\AdwCleaner\AdwCleaner[R3].txt - [939 octets] ##########
JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.2 (09.22.2013:1)
OS: Windows 7 Ultimate x86
Ran by AJM-DELL on Tue 09/24/2013 at 10:00:32.27
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 09/24/2013 at 10:02:39.30
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ComboFix (initially I just ran it from the desktop, but as you will see below, I went back and ran it as an admin; these are the logs from both)

(first one)

ComboFix 13-09-24.02 - AJM-DELL 09/24/2013   9:50.1.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3582.2744 [GMT -5:00]
Running from: c:\users\AJM-DELL\Desktop\ComboFix.exe
AV: AVG Internet Security 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
FW: AVG Internet Security 2014 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
SP: AVG Internet Security 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
D:\AUTORUN.INF
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-24 to 2013-09-24  )))))))))))))))))))))))))))))))
.
.
2013-09-24 14:55 . 2013-09-24 14:55    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-09-07 20:29 . 2013-09-07 20:29    --------    d-----w-    c:\programdata\Malwarebytes
2013-09-07 19:40 . 2013-09-07 19:40    --------    d-----w-    c:\windows\ERUNT
2013-09-07 17:54 . 2013-09-07 17:54    --------    d-----w-    c:\program files\HitmanPro
2013-09-06 23:56 . 2013-09-06 23:59    --------    d-----w-    c:\programdata\AVG
2013-09-06 23:56 . 2013-09-07 00:26    --------    d-sh--w-    c:\programdata\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-09-06 23:48 . 2013-09-06 23:48    --------    d-----w-    C:\$AVG
2013-09-06 23:48 . 2013-09-24 13:48    --------    d-----w-    c:\program files\AVG
2013-09-06 23:37 . 2013-09-24 13:37    --------    d-----w-    c:\programdata\MFAData
2013-09-06 23:37 . 2013-09-06 23:37    --------    d--h--w-    c:\programdata\Common Files
2013-09-06 23:34 . 2013-08-20 05:47    7166848    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{9A2FBE7F-D9F0-46A9-AA4A-6B932451B253}\mpengine.dll
2013-08-26 01:15 . 2013-04-17 07:02    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-08-26 01:07 . 2013-04-09 23:34    1247744    ----a-w-    c:\windows\system32\DWrite.dll
2013-08-26 00:32 . 2013-08-26 00:32    49152    ----a-w-    c:\windows\system32\taskhost.exe
2013-08-26 00:31 . 2013-08-26 00:31    1505280    ----a-w-    c:\windows\system32\d3d11.dll
2013-08-26 00:29 . 2013-07-09 05:03    3968960    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-08-26 00:27 . 2013-06-04 04:53    509440    ----a-w-    c:\windows\system32\qedit.dll
2013-08-25 23:37 . 2013-08-25 23:37    --------    d-----w-    c:\windows\system32\SPReview
2013-08-25 23:20 . 2013-08-25 23:20    --------    d-----w-    c:\windows\system32\EventProviders
2013-08-25 22:01 . 2013-08-25 22:01    --------    d-----w-    c:\windows\en
2013-08-25 22:00 . 2013-08-25 22:00    --------    dc----w-    c:\windows\system32\DRVSTORE
2013-08-25 22:00 . 2012-03-08 23:32    39272    ----a-w-    c:\windows\system32\drivers\fssfltr.sys
2013-08-25 22:00 . 2013-08-25 22:00    --------    d-----w-    c:\program files\Microsoft SQL Server Compact Edition
2013-08-25 21:59 . 2013-08-25 21:59    --------    d-----w-    c:\windows\PCHEALTH
2013-08-25 21:59 . 2013-09-07 14:13    --------    d-----w-    c:\program files\Windows Live
2013-08-25 21:58 . 2013-09-06 23:33    --------    d-----w-    c:\program files\Microsoft
2013-08-25 21:58 . 2009-09-04 22:44    69464    ----a-w-    c:\windows\system32\XAPOFX1_3.dll
2013-08-25 21:58 . 2009-09-04 22:44    515416    ----a-w-    c:\windows\system32\XAudio2_5.dll
2013-08-25 21:58 . 2009-09-04 22:29    453456    ----a-w-    c:\windows\system32\d3dx10_42.dll
2013-08-25 21:58 . 2006-11-29 18:06    3426072    ----a-w-    c:\windows\system32\d3dx9_32.dll
2013-08-25 21:58 . 2013-08-26 01:00    --------    d-----w-    c:\program files\Microsoft Silverlight
2013-08-25 21:45 . 2013-08-25 21:45    --------    d-----w-    c:\program files\Common Files\Windows Live
2013-08-25 21:44 . 2013-08-25 21:44    --------    d-----w-    c:\program files\MSXML 4.0
2013-08-25 21:11 . 2010-11-20 12:21    411648    ----a-w-    c:\windows\system32\wlangpui.dll
2013-08-25 20:59 . 2013-08-25 20:59    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2013-08-25 20:22 . 2013-08-25 20:22    --------    d-----w-    c:\windows\system32\Wat
2013-08-25 20:10 . 2011-11-19 14:01    67072    ----a-w-    c:\windows\system32\packager.dll
2013-08-25 20:10 . 2011-11-17 05:35    314880    ----a-w-    c:\windows\system32\webio.dll
2013-08-25 20:10 . 2011-07-09 02:30    223744    ----a-w-    c:\windows\system32\drivers\mrxsmb10.sys
2013-08-25 20:10 . 2011-04-27 02:17    96768    ----a-w-    c:\windows\system32\drivers\mrxsmb20.sys
2013-08-25 20:10 . 2011-04-27 02:17    123904    ----a-w-    c:\windows\system32\drivers\mrxsmb.sys
2013-08-25 20:09 . 2011-02-25 05:30    2616320    ----a-w-    c:\windows\explorer.exe
2013-08-25 20:09 . 2012-05-14 04:33    769024    ----a-w-    c:\windows\system32\localspl.dll
2013-08-25 20:09 . 2012-04-26 04:45    58880    ----a-w-    c:\windows\system32\rdpwsx.dll
2013-08-25 20:09 . 2012-04-26 04:45    129536    ----a-w-    c:\windows\system32\rdpcorekmts.dll
2013-08-25 20:09 . 2012-04-26 04:41    8192    ----a-w-    c:\windows\system32\rdrmemptylst.exe
2013-08-25 20:09 . 2011-12-16 07:52    690688    ----a-w-    c:\windows\system32\msvcrt.dll
2013-08-25 20:09 . 2011-04-09 05:56    123904    ----a-w-    c:\windows\system32\poqexec.exe
2013-08-25 19:42 . 2010-09-30 06:47    70656    ----a-w-    c:\windows\system32\fontsub.dll
2013-08-25 19:42 . 2012-12-16 14:13    295424    ----a-w-    c:\windows\system32\atmfd.dll
2013-08-25 19:42 . 2012-12-16 14:13    34304    ----a-w-    c:\windows\system32\atmlib.dll
2013-08-25 19:35 . 2013-09-24 13:49    --------    d-----w-    c:\windows\system32\MRT
2013-08-25 19:18 . 2013-08-25 19:18    --------    d-----w-    c:\program files\Intel
2013-08-25 19:15 . 2012-07-26 03:39    526952    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2013-08-25 19:15 . 2012-07-26 03:39    47720    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2013-08-25 19:15 . 2012-07-26 02:46    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2013-08-25 19:15 . 2012-07-26 03:21    196608    ----a-w-    c:\windows\system32\WUDFHost.exe
2013-08-25 19:15 . 2012-07-26 03:20    73216    ----a-w-    c:\windows\system32\WUDFSvc.dll
2013-08-25 19:15 . 2012-07-26 03:20    613888    ----a-w-    c:\windows\system32\WUDFx.dll
2013-08-25 19:15 . 2012-07-26 03:20    38912    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2013-08-25 19:15 . 2012-07-26 03:20    172032    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2013-08-25 19:15 . 2012-07-26 02:33    66560    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2013-08-25 19:15 . 2012-07-26 02:32    155136    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2013-08-25 19:14 . 2012-03-01 05:46    19824    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2013-08-25 19:14 . 2012-03-01 05:33    159232    ----a-w-    c:\windows\system32\imagehlp.dll
2013-08-25 19:14 . 2012-03-01 05:29    5120    ----a-w-    c:\windows\system32\wmi.dll
2013-08-25 19:05 . 2012-04-28 03:17    183808    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
2013-08-25 19:04 . 2012-11-20 04:51    220160    ----a-w-    c:\windows\system32\ncrypt.dll
2013-08-25 19:04 . 2011-12-30 05:27    478720    ----a-w-    c:\windows\system32\timedate.cpl
2013-08-25 19:03 . 2011-10-15 05:38    534528    ----a-w-    c:\windows\system32\EncDec.dll
2013-08-25 19:01 . 2011-10-26 04:32    1328128    ----a-w-    c:\windows\system32\quartz.dll
2013-08-25 19:01 . 2012-05-01 04:44    164352    ----a-w-    c:\windows\system32\profsvc.dll
2013-08-25 19:01 . 2010-11-20 12:20    28672    ----a-w-    c:\windows\system32\profprov.dll
2013-08-25 19:00 . 2011-02-18 05:39    31232    ----a-w-    c:\windows\system32\prevhost.exe
2013-08-25 18:59 . 2011-04-25 02:18    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
2013-08-25 18:54 . 2011-08-27 04:26    571904    ----a-w-    c:\windows\system32\oleaut32.dll
2013-08-25 18:54 . 2011-08-27 04:26    233472    ----a-w-    c:\windows\system32\oleacc.dll
2013-08-25 18:52 . 2011-04-22 19:14    27008    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2013-08-25 18:52 . 2010-11-20 11:56    107520    ----a-w-    c:\windows\system32\cdd.dll
2013-08-25 18:32 . 2013-08-25 18:32    --------    d-----w-    c:\windows\Downloaded Installations
2013-08-25 18:12 . 2013-08-25 18:12    --------    d-----w-    c:\programdata\Sophos
2013-08-25 18:11 . 2013-08-25 18:14    --------    d-----w-    c:\programdata\HitmanPro
2013-08-25 18:09 . 2013-09-24 14:39    --------    d-----w-    C:\AdwCleaner
2013-08-25 18:05 . 2013-08-25 18:05    --------    d-----w-    C:\FRST
2013-08-25 17:42 . 2013-08-25 17:42    302    ----a-w-    C:\FixitRegBackup.reg
2013-08-25 17:42 . 2013-09-24 13:48    --------    d-sh--w-    c:\windows\Installer
2013-08-25 17:12 . 2013-08-07 09:22    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-08-25 16:49 . 2012-02-17 05:34    826880    ----a-w-    c:\windows\system32\rdpcore.dll
2013-08-25 16:49 . 2012-02-17 04:13    24576    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2013-08-25 16:49 . 2010-11-20 10:21    18432    ----a-w-    c:\windows\system32\drivers\tdpipe.sys
2013-08-25 16:44 . 2012-06-02 22:19    53784    ----a-w-    c:\windows\system32\wuauclt.exe
2013-08-25 16:44 . 2012-06-02 22:19    45080    ----a-w-    c:\windows\system32\wups2.dll
2013-08-25 16:44 . 2012-06-02 22:19    1933848    ----a-w-    c:\windows\system32\wuaueng.dll
2013-08-25 16:44 . 2012-06-02 22:12    2422272    ----a-w-    c:\windows\system32\wucltux.dll
2013-08-25 16:44 . 2012-06-02 22:19    35864    ----a-w-    c:\windows\system32\wups.dll
2013-08-25 16:44 . 2012-06-02 22:19    577048    ----a-w-    c:\windows\system32\wuapi.dll
2013-08-25 16:44 . 2012-06-02 22:12    88576    ----a-w-    c:\windows\system32\wudriver.dll
2013-08-25 16:44 . 2012-06-02 20:19    171904    ----a-w-    c:\windows\system32\wuwebv.dll
2013-08-25 16:44 . 2012-06-02 20:12    33792    ----a-w-    c:\windows\system32\wuapp.exe
2013-08-25 16:42 . 2013-09-24 14:28    --------    d-----w-    c:\windows\system32\wbem\Performance
2013-08-25 16:39 . 2013-09-07 14:24    --------    d-----w-    c:\users\AJM-DELL
2013-08-25 16:39 . 2013-08-25 16:39    --------    d-----w-    C:\Recovery
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-25 23:43 . 2009-07-14 02:05    152576    ----a-w-    c:\windows\system32\msclmd.dll
2013-08-25 21:59 . 2011-03-28 23:36    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-08-23 04:37 . 2013-08-23 04:37    176952    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-08-23 03:56 . 2013-08-23 03:56    209208    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-08-23 03:56 . 2013-08-23 03:56    223032    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-08-23 03:56 . 2013-08-23 03:56    146232    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2013-08-21 03:54 . 2013-08-21 03:54    102200    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2013-08-01 21:08 . 2013-08-01 21:08    193848    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2013-08-01 21:06 . 2013-08-01 21:06    22840    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-08-01 21:06 . 2013-08-01 21:06    120120    ----a-w-    c:\windows\system32\drivers\avgdiskx.sys
2013-08-01 21:05 . 2013-08-01 21:05    26936    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-06-05 17:17    130736    ----a-w-    c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-06-05 17:17    130736    ----a-w-    c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-06-05 17:17    130736    ----a-w-    c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-08-26 4851248]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-08-25 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [2013-08-27 3534896]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-08-25 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2013-08-23 146232]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [2013-08-23 223032]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2013-08-01 26936]
S1 Avgdiskx;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiskx.sys [2013-08-01 120120]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2012-09-04 50296]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2013-08-23 209208]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2013-08-01 22840]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2013-08-23 176952]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2013-08-01 193848]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG2014\avgfws.exe [2013-08-26 1358432]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [2013-08-21 300640]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
TCP: DhcpNameServer = 10.20.0.56 10.20.0.50 10.20.0.4
FF - ProfilePath - c:\users\AJM-DELL\AppData\Roaming\Mozilla\Firefox\Profiles\nt13ll76.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - ExtSQL: 2013-09-07 09:13; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\AJM-DELL\AppData\Roaming\Mozilla\Firefox\Profiles\nt13ll76.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-466443174-2913434031-3550566235-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-466443174-2913434031-3550566235-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-24  09:57:56
ComboFix-quarantined-files.txt  2013-09-24 14:57
.
Pre-Run: 269,552,435,200 bytes free
Post-Run: 269,139,152,896 bytes free
.
- - End Of File - - 4C75D1F732655C37D5DDFFF6A46DE720
A36C5E4F47E84449FF07ED3517B43A31
(second one)

ComboFix 13-09-24.02 - AJM-DELL 09/24/2013  10:04:38.2.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3582.2673 [GMT -5:00]
Running from: c:\users\AJM-DELL\Desktop\ComboFix.exe
AV: AVG Internet Security 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
FW: AVG Internet Security 2014 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
SP: AVG Internet Security 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-24 to 2013-09-24  )))))))))))))))))))))))))))))))
.
.
2013-09-24 15:09 . 2013-09-24 15:09    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-09-07 20:29 . 2013-09-07 20:29    --------    d-----w-    c:\programdata\Malwarebytes
2013-09-07 19:40 . 2013-09-07 19:40    --------    d-----w-    c:\windows\ERUNT
2013-09-07 17:54 . 2013-09-07 17:54    --------    d-----w-    c:\program files\HitmanPro
2013-09-06 23:56 . 2013-09-06 23:59    --------    d-----w-    c:\programdata\AVG
2013-09-06 23:56 . 2013-09-07 00:26    --------    d-sh--w-    c:\programdata\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-09-06 23:48 . 2013-09-06 23:48    --------    d-----w-    C:\$AVG
2013-09-06 23:48 . 2013-09-24 13:48    --------    d-----w-    c:\program files\AVG
2013-09-06 23:37 . 2013-09-24 13:37    --------    d-----w-    c:\programdata\MFAData
2013-09-06 23:37 . 2013-09-06 23:37    --------    d--h--w-    c:\programdata\Common Files
2013-09-06 23:34 . 2013-08-20 05:47    7166848    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{9A2FBE7F-D9F0-46A9-AA4A-6B932451B253}\mpengine.dll
2013-08-26 01:15 . 2013-04-17 07:02    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-08-26 01:07 . 2013-04-09 23:34    1247744    ----a-w-    c:\windows\system32\DWrite.dll
2013-08-26 00:32 . 2013-08-26 00:32    49152    ----a-w-    c:\windows\system32\taskhost.exe
2013-08-26 00:31 . 2013-08-26 00:31    1505280    ----a-w-    c:\windows\system32\d3d11.dll
2013-08-26 00:29 . 2013-07-09 05:03    3968960    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-08-26 00:27 . 2013-06-04 04:53    509440    ----a-w-    c:\windows\system32\qedit.dll
2013-08-25 23:37 . 2013-08-25 23:37    --------    d-----w-    c:\windows\system32\SPReview
2013-08-25 23:20 . 2013-08-25 23:20    --------    d-----w-    c:\windows\system32\EventProviders
2013-08-25 22:01 . 2013-08-25 22:01    --------    d-----w-    c:\windows\en
2013-08-25 22:00 . 2013-08-25 22:00    --------    dc----w-    c:\windows\system32\DRVSTORE
2013-08-25 22:00 . 2012-03-08 23:32    39272    ----a-w-    c:\windows\system32\drivers\fssfltr.sys
2013-08-25 22:00 . 2013-08-25 22:00    --------    d-----w-    c:\program files\Microsoft SQL Server Compact Edition
2013-08-25 21:59 . 2013-08-25 21:59    --------    d-----w-    c:\windows\PCHEALTH
2013-08-25 21:59 . 2013-09-07 14:13    --------    d-----w-    c:\program files\Windows Live
2013-08-25 21:58 . 2013-09-06 23:33    --------    d-----w-    c:\program files\Microsoft
2013-08-25 21:58 . 2009-09-04 22:44    69464    ----a-w-    c:\windows\system32\XAPOFX1_3.dll
2013-08-25 21:58 . 2009-09-04 22:44    515416    ----a-w-    c:\windows\system32\XAudio2_5.dll
2013-08-25 21:58 . 2009-09-04 22:29    453456    ----a-w-    c:\windows\system32\d3dx10_42.dll
2013-08-25 21:58 . 2006-11-29 18:06    3426072    ----a-w-    c:\windows\system32\d3dx9_32.dll
2013-08-25 21:58 . 2013-08-26 01:00    --------    d-----w-    c:\program files\Microsoft Silverlight
2013-08-25 21:45 . 2013-08-25 21:45    --------    d-----w-    c:\program files\Common Files\Windows Live
2013-08-25 21:44 . 2013-08-25 21:44    --------    d-----w-    c:\program files\MSXML 4.0
2013-08-25 21:11 . 2010-11-20 12:21    411648    ----a-w-    c:\windows\system32\wlangpui.dll
2013-08-25 20:59 . 2013-08-25 20:59    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2013-08-25 20:22 . 2013-08-25 20:22    --------    d-----w-    c:\windows\system32\Wat
2013-08-25 20:10 . 2011-11-19 14:01    67072    ----a-w-    c:\windows\system32\packager.dll
2013-08-25 20:10 . 2011-11-17 05:35    314880    ----a-w-    c:\windows\system32\webio.dll
2013-08-25 20:10 . 2011-07-09 02:30    223744    ----a-w-    c:\windows\system32\drivers\mrxsmb10.sys
2013-08-25 20:10 . 2011-04-27 02:17    96768    ----a-w-    c:\windows\system32\drivers\mrxsmb20.sys
2013-08-25 20:10 . 2011-04-27 02:17    123904    ----a-w-    c:\windows\system32\drivers\mrxsmb.sys
2013-08-25 20:09 . 2011-02-25 05:30    2616320    ----a-w-    c:\windows\explorer.exe
2013-08-25 20:09 . 2012-05-14 04:33    769024    ----a-w-    c:\windows\system32\localspl.dll
2013-08-25 20:09 . 2012-04-26 04:45    58880    ----a-w-    c:\windows\system32\rdpwsx.dll
2013-08-25 20:09 . 2012-04-26 04:45    129536    ----a-w-    c:\windows\system32\rdpcorekmts.dll
2013-08-25 20:09 . 2012-04-26 04:41    8192    ----a-w-    c:\windows\system32\rdrmemptylst.exe
2013-08-25 20:09 . 2011-12-16 07:52    690688    ----a-w-    c:\windows\system32\msvcrt.dll
2013-08-25 20:09 . 2011-04-09 05:56    123904    ----a-w-    c:\windows\system32\poqexec.exe
2013-08-25 19:42 . 2010-09-30 06:47    70656    ----a-w-    c:\windows\system32\fontsub.dll
2013-08-25 19:42 . 2012-12-16 14:13    295424    ----a-w-    c:\windows\system32\atmfd.dll
2013-08-25 19:42 . 2012-12-16 14:13    34304    ----a-w-    c:\windows\system32\atmlib.dll
2013-08-25 19:35 . 2013-09-24 13:49    --------    d-----w-    c:\windows\system32\MRT
2013-08-25 19:18 . 2013-08-25 19:18    --------    d-----w-    c:\program files\Intel
2013-08-25 19:15 . 2012-07-26 03:39    526952    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2013-08-25 19:15 . 2012-07-26 03:39    47720    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2013-08-25 19:15 . 2012-07-26 02:46    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2013-08-25 19:15 . 2012-07-26 03:21    196608    ----a-w-    c:\windows\system32\WUDFHost.exe
2013-08-25 19:15 . 2012-07-26 03:20    73216    ----a-w-    c:\windows\system32\WUDFSvc.dll
2013-08-25 19:15 . 2012-07-26 03:20    613888    ----a-w-    c:\windows\system32\WUDFx.dll
2013-08-25 19:15 . 2012-07-26 03:20    38912    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2013-08-25 19:15 . 2012-07-26 03:20    172032    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2013-08-25 19:15 . 2012-07-26 02:33    66560    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2013-08-25 19:15 . 2012-07-26 02:32    155136    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2013-08-25 19:14 . 2012-03-01 05:46    19824    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2013-08-25 19:14 . 2012-03-01 05:33    159232    ----a-w-    c:\windows\system32\imagehlp.dll
2013-08-25 19:14 . 2012-03-01 05:29    5120    ----a-w-    c:\windows\system32\wmi.dll
2013-08-25 19:05 . 2012-04-28 03:17    183808    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
2013-08-25 19:04 . 2012-11-20 04:51    220160    ----a-w-    c:\windows\system32\ncrypt.dll
2013-08-25 19:04 . 2011-12-30 05:27    478720    ----a-w-    c:\windows\system32\timedate.cpl
2013-08-25 19:03 . 2011-10-15 05:38    534528    ----a-w-    c:\windows\system32\EncDec.dll
2013-08-25 19:01 . 2011-10-26 04:32    1328128    ----a-w-    c:\windows\system32\quartz.dll
2013-08-25 19:01 . 2012-05-01 04:44    164352    ----a-w-    c:\windows\system32\profsvc.dll
2013-08-25 19:01 . 2010-11-20 12:20    28672    ----a-w-    c:\windows\system32\profprov.dll
2013-08-25 19:00 . 2011-02-18 05:39    31232    ----a-w-    c:\windows\system32\prevhost.exe
2013-08-25 18:59 . 2011-04-25 02:18    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
2013-08-25 18:54 . 2011-08-27 04:26    571904    ----a-w-    c:\windows\system32\oleaut32.dll
2013-08-25 18:54 . 2011-08-27 04:26    233472    ----a-w-    c:\windows\system32\oleacc.dll
2013-08-25 18:52 . 2011-04-22 19:14    27008    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2013-08-25 18:52 . 2010-11-20 11:56    107520    ----a-w-    c:\windows\system32\cdd.dll
2013-08-25 18:32 . 2013-08-25 18:32    --------    d-----w-    c:\windows\Downloaded Installations
2013-08-25 18:12 . 2013-08-25 18:12    --------    d-----w-    c:\programdata\Sophos
2013-08-25 18:11 . 2013-08-25 18:14    --------    d-----w-    c:\programdata\HitmanPro
2013-08-25 18:09 . 2013-09-24 14:39    --------    d-----w-    C:\AdwCleaner
2013-08-25 18:05 . 2013-08-25 18:05    --------    d-----w-    C:\FRST
2013-08-25 17:42 . 2013-08-25 17:42    302    ----a-w-    C:\FixitRegBackup.reg
2013-08-25 17:42 . 2013-09-24 13:48    --------    d-sh--w-    c:\windows\Installer
2013-08-25 17:12 . 2013-08-07 09:22    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-08-25 16:49 . 2012-02-17 05:34    826880    ----a-w-    c:\windows\system32\rdpcore.dll
2013-08-25 16:49 . 2012-02-17 04:13    24576    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2013-08-25 16:49 . 2010-11-20 10:21    18432    ----a-w-    c:\windows\system32\drivers\tdpipe.sys
2013-08-25 16:44 . 2012-06-02 22:19    53784    ----a-w-    c:\windows\system32\wuauclt.exe
2013-08-25 16:44 . 2012-06-02 22:19    45080    ----a-w-    c:\windows\system32\wups2.dll
2013-08-25 16:44 . 2012-06-02 22:19    1933848    ----a-w-    c:\windows\system32\wuaueng.dll
2013-08-25 16:44 . 2012-06-02 22:12    2422272    ----a-w-    c:\windows\system32\wucltux.dll
2013-08-25 16:44 . 2012-06-02 22:19    35864    ----a-w-    c:\windows\system32\wups.dll
2013-08-25 16:44 . 2012-06-02 22:19    577048    ----a-w-    c:\windows\system32\wuapi.dll
2013-08-25 16:44 . 2012-06-02 22:12    88576    ----a-w-    c:\windows\system32\wudriver.dll
2013-08-25 16:44 . 2012-06-02 20:19    171904    ----a-w-    c:\windows\system32\wuwebv.dll
2013-08-25 16:44 . 2012-06-02 20:12    33792    ----a-w-    c:\windows\system32\wuapp.exe
2013-08-25 16:42 . 2013-09-24 14:28    --------    d-----w-    c:\windows\system32\wbem\Performance
2013-08-25 16:39 . 2013-09-07 14:24    --------    d-----w-    c:\users\AJM-DELL
2013-08-25 16:39 . 2013-08-25 16:39    --------    d-----w-    C:\Recovery
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-25 23:43 . 2009-07-14 02:05    152576    ----a-w-    c:\windows\system32\msclmd.dll
2013-08-25 21:59 . 2011-03-28 23:36    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-08-23 04:37 . 2013-08-23 04:37    176952    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-08-23 03:56 . 2013-08-23 03:56    209208    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-08-23 03:56 . 2013-08-23 03:56    223032    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-08-23 03:56 . 2013-08-23 03:56    146232    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2013-08-21 03:54 . 2013-08-21 03:54    102200    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2013-08-01 21:08 . 2013-08-01 21:08    193848    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2013-08-01 21:06 . 2013-08-01 21:06    22840    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-08-01 21:06 . 2013-08-01 21:06    120120    ----a-w-    c:\windows\system32\drivers\avgdiskx.sys
2013-08-01 21:05 . 2013-08-01 21:05    26936    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-06-05 17:17    130736    ----a-w-    c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-06-05 17:17    130736    ----a-w-    c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-06-05 17:17    130736    ----a-w-    c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-08-26 4851248]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-08-25 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [2013-08-27 3534896]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-08-25 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2013-08-23 146232]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [2013-08-23 223032]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2013-08-01 26936]
S1 Avgdiskx;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiskx.sys [2013-08-01 120120]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2012-09-04 50296]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2013-08-23 209208]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2013-08-01 22840]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2013-08-23 176952]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2013-08-01 193848]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG2014\avgfws.exe [2013-08-26 1358432]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [2013-08-21 300640]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
TCP: DhcpNameServer = 10.20.0.56 10.20.0.50 10.20.0.4
FF - ProfilePath - c:\users\AJM-DELL\AppData\Roaming\Mozilla\Firefox\Profiles\nt13ll76.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - ExtSQL: 2013-09-07 09:13; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\AJM-DELL\AppData\Roaming\Mozilla\Firefox\Profiles\nt13ll76.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-466443174-2913434031-3550566235-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-466443174-2913434031-3550566235-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3308)
c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
Completion time: 2013-09-24  10:10:29
ComboFix-quarantined-files.txt  2013-09-24 15:10
ComboFix2.txt  2013-09-24 14:57
.
Pre-Run: 269,168,553,984 bytes free
Post-Run: 269,134,839,808 bytes free
.
- - End Of File - - 9C2316981CD7BBD39A860C66F1F32B5F
A36C5E4F47E84449FF07ED3517B43A31
 

 

 

Security check (initially gave me an error "UNSUPPORTED OPERATING SYSTEM! ABORTED!". Then after I ran ComboFix again as an admin, SecurityCheck decided it would work)

 Results of screen317's Security Check version 0.99.73  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
AVG Internet Security 2014   
 Antivirus out of date!  
`````````Anti-malware/Other Utilities Check:`````````
 Mozilla Firefox (23.0.1)
````````Process Check: objlist.exe by Laurent````````  
 AVG avgwdsvc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````
 



#5 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 September 2013 - 09:21 AM

Firefox is still telling me there is another instance running (even after a full computer restart).


A quick fix is to remove Firefox using Add/Remove Programs.
Restart the computer normally.
Reinstall the browser.

I suggest you save your bookmarks before removing Firefox.
Restore bookmarks from backup or move them to another computer
https://support.mozilla.org/en-US/kb/restore-bookmarks-from-backup-or-move-them
<<<>>>

AVG Internet Security 2014
Antivirus out of date!

That's a false positive. The Security tool needs to be updated.
===

Let me know what problem persists.

#6 Ajmarks

  • Topic Starter
  • Members
  • 116 posts

Posted 26 September 2013 - 10:34 AM

Well this was interesting (and worrisome)… I went to follow your latest Firefox and AVG instructions and ran into some trouble. I uninstalled Firefox just fine and re-installed it but I kept getting error messages. I tried to take screen shots and save them but I wasn't able to save files to my desktop even when running as admin. The error popup suggested I save in "my pictures" so I clicked OK but then it told me I couldn't save there! :huh: I wasn't even able to save to my flash drive...
 
I thought maybe my AVG free or other computer protections were getting in the way, so I restarted in safe mode but still had trouble. I restarted in normal mode and deleted the extra spyware/malware programs (leaving AVG) but before I was gonna download the Firefox installer fresh from the net I wanted to be sure my AVG was updated (fool me once…) BUT AVG was telling me something about not being fully protected, and the program kept freezing when I tried to change what it said was wrong and I couldn't even close the program with a right click on the taskbar icon. :smash:
 
I then said to myself "self, you have the full version so just delete the free one and install from the CD"… but that didn't work either. So again I tried safe mode and a CD installation, which SEEMED to work, asked for a restart and everything. So I was hopeful when I rebooted in normal mode but it's still the same issues… :ranting:
 
I suspect perhaps some re-scanning in this computer's future… I brought it to work so hopefully if you get a chance to respond I can try working on this one before all the others. Ready to follow the next set of instructions...
 
I also want to say I have SERIOUSLY underestimated, even when multitasking, how long this whole process takes with 4 machines on the fritz… ends up eating away my whole night!! I have a whole new level of respect and gratitude for you helping me out with this. Out of the kindness of your heart and on a volunteer basis no less. You are earning major karma points my friend… truly, hero award to you!!


Edited by Ajmarks, 26 September 2013 - 10:35 AM.


#7 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 September 2013 - 07:38 AM

Let's do some repairs on this computer.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://windows.microsoft.com/en-gb/windows7/create-a-restore-point
Windows 8 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

Download this program to your desktop.
Tweaking.com - Windows Repair 1.9.16
http://www.bleepingcomputer.com/download/windows-repair-all-in-one-portable/


Extract and launch the Repair_Windows.exe file

Click on the Start Repairs tab, then click on Start

Check only the following options:

  • Reset registry permissions
  • Reset file permissions
  • Register system files
  • Repair WMI
  • Repair Windows Firewall
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Check the Restart System When Finished option
  • Click the Start button
  • The system should restart after the repair
==

If still having problems with AVG, remove it completely using their uninstaller.

Download your product's removal tool from this site and run it.
List of anti-malware product removal tools

http://answers.microsoft.com/en-us/protect/forum/mse-protect_start/list-of-anti-malware-product-removal-tools/407bf6da-c05d-4546-8788-0aa4c25a1f91

Close all windows and browsers, then reinstall AVG.

What are the remaining issues?

If you still see some error messages please post them.

#8 Ajmarks

  • Topic Starter
  • Members
  • 116 posts

Posted 27 September 2013 - 11:41 PM

Yep, that registry editing thing with only the 7 options checked most definitely did NOT work. When I tried to even save it to the desktop and extract it I got a message about "cannot creat temp folder archives" from 7-Zip. AdwCleaner won't even run when I try as an admin, and after I deleted Firefox, Internet Explorer is now freezing and not loading a home page. I still can't save things to a lot of the places on my computer. Also, I have tried uninstalling and reinstalling Firefox twice now and I STILL get an error about it running when it isn't.

 

The other REALLY weird (kinda freaking me out) thing is that when I plug in my USB it pops up as the G drive... but the F drive shows up and contains almost identical files to my C drive. There is only one hard drive, a recovery sector I think (D), a CD-RW drive (E)... that's it. Not sure what F is or where it came from but I hope it isn't as ominous as it seems....

 

I did re-run MBAM and RogueKiller in safe mode for this one too, and it found some things it didn't before which (again) has me worried. I attached the RogueKiller log but MBAM came up clean. Not sure where we go from here... my gut tells me there is something still on both of these Dells though... not sure what but... just something doesn't sit right with these scan results given such major issues are happening still...

RogueKiller log:

RogueKiller V8.6.12 [Sep 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Safe mode
User : AJM-DELL [Admin rights]
Mode : Scan -- Date : 09/27/2013 21:00:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0xc000035f] ¤¤¤

¤¤¤ External Hives: ¤¤¤
-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD3200BEVT-75ZCT2 +++++
--- User ---
[MBR] 2fed789b579e8c3eb8b1bb6d3f94d916
[BSP] a7fca06e79beb987e238702e330e396b : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 290204 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_09272013_210053.txt >>

 

 

 

 

Here is the DDS for this one at the moment:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16686
Run by AJM-DELL at 15:17:16 on 2013-09-27
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3582.2764 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
TCP: NameServer = 10.20.0.56 10.20.0.50 10.20.0.4
TCP: Interfaces\{336F7B84-6BA4-474D-B699-B711DF6DF93F} : DHCPNameServer = 10.20.0.56 10.20.0.50 10.20.0.4
TCP: Interfaces\{336F7B84-6BA4-474D-B699-B711DF6DF93F}\E4163686F694E6475627E65647D2744564F412 : DHCPNameServer = 192.168.2.1 66.90.130.101 216.82.201.11
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2013-8-25 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-8-25 14848]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-8-25 49664]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-8-25 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2013-09-27 20:09:19    --------    d-----w-    c:\programdata\Package Cache
2013-09-27 19:29:15    7328304    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{92e7da67-bf5f-4bdf-b33f-805004c447eb}\mpengine.dll
2013-09-26 02:24:07    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-09-26 02:24:03    --------    d-----w-    c:\users\ajm-dell\appdata\local\temp
2013-09-24 14:50:00    98816    ----a-w-    c:\windows\sed.exe
2013-09-24 14:50:00    256000    ----a-w-    c:\windows\PEV.exe
2013-09-24 14:50:00    208896    ----a-w-    c:\windows\MBR.exe
2013-09-07 19:40:12    --------    d-----w-    c:\windows\ERUNT
2013-09-07 17:54:01    --------    d-----w-    c:\program files\HitmanPro
2013-09-06 23:57:26    --------    d-----w-    c:\users\ajm-dell\appdata\roaming\AVG
2013-09-06 23:56:44    --------    d-----w-    c:\programdata\AVG
2013-09-06 23:56:24    --------    d-sh--w-    c:\programdata\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-09-06 23:50:16    --------    d-----w-    c:\users\ajm-dell\appdata\roaming\TuneUp Software
2013-09-06 23:37:14    --------    d--h--w-    c:\programdata\Common Files
2013-09-06 23:34:39    7166848    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
.
==================== Find3M  ====================
.
2013-08-26 00:32:52    49152    ----a-w-    c:\windows\system32\taskhost.exe
2013-08-26 00:31:44    1505280    ----a-w-    c:\windows\system32\d3d11.dll
2013-08-25 23:43:10    152576    ----a-w-    c:\windows\system32\msclmd.dll
2013-08-25 17:42:29    302    ----a-w-    C:\FixitRegBackup.reg
2013-08-25 07:34:03    0    ----a-w-    c:\windows\ativpsrm.bin
2013-08-10 03:59:10    1767936    ----a-w-    c:\windows\system32\wininet.dll
2013-08-10 03:58:09    2876928    ----a-w-    c:\windows\system32\jscript9.dll
2013-08-10 03:58:06    61440    ----a-w-    c:\windows\system32\iesetup.dll
2013-08-10 03:58:06    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2013-08-10 03:07:50    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2013-08-10 02:17:19    71680    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-08-08 01:03:07    2348544    ----a-w-    c:\windows\system32\win32k.sys
2013-08-07 09:22:04    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-08-05 01:56:47    133056    ----a-w-    c:\windows\system32\drivers\ataport.sys
2013-08-02 01:50:36    169984    ----a-w-    c:\windows\system32\winsrv.dll
2013-08-02 01:49:19    293376    ----a-w-    c:\windows\system32\KernelBase.dll
2013-08-02 00:52:57    271360    ----a-w-    c:\windows\system32\conhost.exe
2013-08-02 00:43:05    6144    ---ha-w-    c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-07-25 08:57:27    1620992    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-07-19 01:41:01    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-07-09 05:03:34    3968960    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-07-09 05:03:34    3913664    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-09 04:53:46    1289096    ----a-w-    c:\windows\system32\ntdll.dll
2013-07-09 04:52:10    175104    ----a-w-    c:\windows\system32\wintrust.dll
2013-07-09 04:50:42    652800    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-07-09 04:46:31    140288    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-07-09 04:46:31    1166848    ----a-w-    c:\windows\system32\crypt32.dll
2013-07-09 04:46:31    103936    ----a-w-    c:\windows\system32\cryptnet.dll
2013-07-06 05:05:35    1293760    ----a-w-    c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 15:17:45.64 ===============
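The permission trouble described in this post (files cannot be saved even as admin, the repair tool cannot create its temp folder), the RogueKiller [HJ POL][PUM] hits for DisableTaskMgr and DisableRegistryTools, and the GrantPerms output quoted later in the thread (a READ/EXECUTE DENY on C:\Users\AJM-DELL for S-1-5-21-466443174-2913434031-3550566235-1001, which shares the machine SID prefix of the RID-1000 user hive in the ComboFix log but is a different local account) are all things that can be audited before running a blind "reset permissions" pass. The PowerShell script below is an added example for readers of this thread; it was not posted by anyone here and is not part of GrantPerms, RogueKiller or Tweaking.com Windows Repair. It is read-only: it lists every DENY entry on a profile folder, marks SIDs that no longer resolve to an account, and reads the two policy values RogueKiller flagged. The default profile path is taken from this thread's logs; on another machine pass your own.

```powershell
# Added example (not from the thread or any tool discussed in it): read-only
# audit of a user profile's DACL and of the two HKCU policy values RogueKiller
# reported as PUM. Run from an elevated PowerShell prompt on Windows 7 or later.

param(
    # Profile folder from the GrantPerms log in this thread; adjust as needed.
    [string]$ProfilePath = 'C:\Users\AJM-DELL'
)

function Get-SidString {
    # Return the S-1-5-... form of an ACE principal, or its raw value if the
    # translation fails (seen with some built-in capability SIDs).
    param([System.Security.Principal.IdentityReference]$Id)
    try { return $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $Id.Value }
}

function Resolve-SidName {
    # Return DOMAIN\Name for a principal, or $null when no account has that
    # SID any more (an orphaned SID, e.g. a deleted local account).
    param([System.Security.Principal.IdentityReference]$Id)
    try { return $Id.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $null }
}

function Get-DenyAces {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    Write-Host ("Owner of {0}: {1}" -f $Path, $acl.Owner)
    foreach ($ace in $acl.Access) {
        $sid  = Get-SidString $ace.IdentityReference
        $name = Resolve-SidName $ace.IdentityReference
        $inherited = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        if ($ace.AccessControlType -eq 'Deny') {
            # A DENY for an unknown principal on the profile root is what the
            # GrantPerms log in this thread showed (READ/EXECUTE DENY, not inherited).
            $who = if ($name) { "$sid ($name)" } else { "$sid  <- SID does not resolve to any account" }
            Write-Warning ("DENY {0} [{1}] for {2}" -f $ace.FileSystemRights, $inherited, $who)
        } elseif (-not $name) {
            Write-Host ("ALLOW entry for orphaned SID {0} [{1}]" -f $sid, $inherited)
        }
    }
}

function Get-PolicyRestrictions {
    # Values RogueKiller listed as [HJ POL][PUM]. A non-zero value blocks the
    # tool; RogueKiller flagged them at (0) because a default Windows 7 profile
    # does not carry the value at all, so its mere presence is a modification.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) {
            Write-Host ("{0}: not set (default)" -f $name)
        } elseif ($value -ne 0) {
            Write-Warning ("{0} = {1}: the tool is blocked by policy" -f $name, $value)
        } else {
            Write-Host ("{0} = 0: present but not restricting (a clean profile usually lacks the value)" -f $name)
        }
    }
}

Get-DenyAces -Path $ProfilePath
Get-PolicyRestrictions
```

The script changes nothing, so it can be run before and after a repair to confirm what the repair actually did. A single unwanted DENY entry can be removed with `icacls <path> /remove:d <SID>` from an elevated prompt, which is narrower than the tool-wide "Reset file permissions" step suggested earlier in the thread; the SID form is needed because an orphaned principal has no name to type.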
 



#9 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 September 2013 - 07:27 AM

Windows 7 has a good recovery system.

What are the system recovery options in Windows?

http://windows.microsoft.com/en-in/windows/what-are-system-recovery-options#what-are-system-recovery-options=windows-7

===

Try to use the System Restore to get back to a date prior to the start of the problem with this computer.

Keep me posted.

#10 Ajmarks

  • Topic Starter
  • Members
  • 116 posts

Posted 29 September 2013 - 11:30 PM

Do you mean before the issue with Firefox/permissions or before the issue with the computer altogether? I reinstalled Windows from CD and I don't think I have a restore point from prior to that OR prior to when the computer stuff first started happening with all my machines.... I might have one from before these more recent troubles. I will have to check tomorrow when I get home (out of town at the moment)...



#11 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 September 2013 - 08:42 AM

[quote]I reinstalled Windows from CD and I don't think I have a restore point from prior to that OR prior to the computer stuff first started happening with all my machines.[/quote]

Check if you still have the restore points prior to the reinstallation.
If you did not reformat then they may still be around, not sure.

#12 Ajmarks

  • Topic Starter
  • Members
  • 116 posts

Posted 01 October 2013 - 09:24 PM

Just wanted to let you know some work stuff came up so I will not be able to work on the computer until later this week. Please do not close the 3 posts that are still open for inactivity! Thanks



#13 Ajmarks

  • Topic Starter
  • Members
  • 116 posts

Posted 03 October 2013 - 09:27 AM

I did have a chance to look at the system restore options on this computer. Looks like my last one was 9/24 which may have been related to one of my earlier posts. I copied it below. Seems like I was still having bug issues then so I didn't restore the system since I wasn't sure it wasn't just setting us back 3 steps lol. I'll wait to do anything until you get a chance to review this post and the re-copied post and let me know the next steps...

(originally posted back on 9/24 in this thread)

 

Well, much as I suspected, this one turned out to be a bit of a doozy!

 

So I tried to follow your directions but I kept getting an error message about not having permission to edit the temp folder when I tried to download the files. So, I looked into the properties and saw a lock on my whole user file - desktop, temp, the whole thing. I tried resetting this under the properties menu for the folders and it wouldn't work. I remembered from looking around this site a while back a program that was designed to reset permissions, so I looked at the permissions and saw a weird user I didn't recognize.

 

I decided to download and run the "grantperms" app (log included with the others below). I know, I know, I shouldn't have done that without checking first... I got ahead of myself :( Everything seemed to go okay but then Firefox wouldn't open because it said I already had an instance of Firefox open. Except I didn't. Not on my screen, not in my task manager. Nowhere! So I decided to delete my most recent programs that I thought would be changing permissions and blocking the internet - MBAM and SUPERAntiSpyware. This seemed to FINALLY work to let me download the files but only through using Internet Explorer. Firefox is still telling me there is another instance running (even after a full computer restart).

 

Guess this one still needs some help....

 

In the meantime, here are the requested logs:

Grantperms

GrantPerms by Farbar
Ran by AJM-DELL (administrator) at 2013-09-24 09:16:16

===============================================
\\?\C:\Users\AJM-DELL

   Owner: NT AUTHORITY\SYSTEM

   DACL(P)(AI):
   S-1-5-21-466443174-2913434031-3550566235-1001   READ/EXECUTE   DENY   (NI) <<<<<<this is the user I don't recognize/understand!!!
   NT AUTHORITY\SYSTEM   FULL   ALLOW   (CI)(OI)
   BUILTIN\Administrators   FULL   ALLOW   (CI)(OI)
   Dell-Laptop\AJM-DELL   FULL   ALLOW   (CI)(OI)

 

 

AdwCleaner (I had to run this as an admin to get it to work)

# AdwCleaner v3.005 - Report created 24/09/2013 at 09:39:16
# Updated 22/09/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : AJM-DELL - DELL-LAPTOP
# Running from : C:\Users\AJM-DELL\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686


-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\AJM-DELL\AppData\Roaming\Mozilla\Firefox\Profiles\nt13ll76.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [684 octets] - [25/08/2013 13:09:23]
AdwCleaner[R1].txt - [940 octets] - [07/09/2013 11:23:16]
AdwCleaner[R2].txt - [959 octets] - [24/09/2013 09:38:10]
AdwCleaner[R3].txt - [820 octets] - [24/09/2013 09:39:16]
AdwCleaner[S0].txt - [1002 octets] - [07/09/2013 12:24:14]

########## EOF - C:\AdwCleaner\AdwCleaner[R3].txt - [939 octets] ##########

 

 

JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.2 (09.22.2013:1)
OS: Windows 7 Ultimate x86
Ran by AJM-DELL on Tue 09/24/2013 at 10:00:32.27
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 09/24/2013 at 10:02:39.30
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

ComboFix (initially I just ran it from the desktop but, as you will see below, I went back and ran it as an admin - these are the logs from both)

(first one)

ComboFix 13-09-24.02 - AJM-DELL 09/24/2013   9:50.1.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3582.2744 [GMT -5:00]
Running from: c:\users\AJM-DELL\Desktop\ComboFix.exe
AV: AVG Internet Security 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
FW: AVG Internet Security 2014 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
SP: AVG Internet Security 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
D:\AUTORUN.INF
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-24 to 2013-09-24  )))))))))))))))))))))))))))))))
.
.
2013-09-24 14:55 . 2013-09-24 14:55    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-09-07 20:29 . 2013-09-07 20:29    --------    d-----w-    c:\programdata\Malwarebytes
2013-09-07 19:40 . 2013-09-07 19:40    --------    d-----w-    c:\windows\ERUNT
2013-09-07 17:54 . 2013-09-07 17:54    --------    d-----w-    c:\program files\HitmanPro
2013-09-06 23:56 . 2013-09-06 23:59    --------    d-----w-    c:\programdata\AVG
2013-09-06 23:56 . 2013-09-07 00:26    --------    d-sh--w-    c:\programdata\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-09-06 23:48 . 2013-09-06 23:48    --------    d-----w-    C:\$AVG
2013-09-06 23:48 . 2013-09-24 13:48    --------    d-----w-    c:\program files\AVG
2013-09-06 23:37 . 2013-09-24 13:37    --------    d-----w-    c:\programdata\MFAData
2013-09-06 23:37 . 2013-09-06 23:37    --------    d--h--w-    c:\programdata\Common Files
2013-09-06 23:34 . 2013-08-20 05:47    7166848    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{9A2FBE7F-D9F0-46A9-AA4A-6B932451B253}\mpengine.dll
2013-08-26 01:15 . 2013-04-17 07:02    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-08-26 01:07 . 2013-04-09 23:34    1247744    ----a-w-    c:\windows\system32\DWrite.dll
2013-08-26 00:32 . 2013-08-26 00:32    49152    ----a-w-    c:\windows\system32\taskhost.exe
2013-08-26 00:31 . 2013-08-26 00:31    1505280    ----a-w-    c:\windows\system32\d3d11.dll
2013-08-26 00:29 . 2013-07-09 05:03    3968960    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-08-26 00:27 . 2013-06-04 04:53    509440    ----a-w-    c:\windows\system32\qedit.dll
2013-08-25 23:37 . 2013-08-25 23:37    --------    d-----w-    c:\windows\system32\SPReview
2013-08-25 23:20 . 2013-08-25 23:20    --------    d-----w-    c:\windows\system32\EventProviders
2013-08-25 22:01 . 2013-08-25 22:01    --------    d-----w-    c:\windows\en
2013-08-25 22:00 . 2013-08-25 22:00    --------    dc----w-    c:\windows\system32\DRVSTORE
2013-08-25 22:00 . 2012-03-08 23:32    39272    ----a-w-    c:\windows\system32\drivers\fssfltr.sys
2013-08-25 22:00 . 2013-08-25 22:00    --------    d-----w-    c:\program files\Microsoft SQL Server Compact Edition
2013-08-25 21:59 . 2013-08-25 21:59    --------    d-----w-    c:\windows\PCHEALTH
2013-08-25 21:59 . 2013-09-07 14:13    --------    d-----w-    c:\program files\Windows Live
2013-08-25 21:58 . 2013-09-06 23:33    --------    d-----w-    c:\program files\Microsoft
2013-08-25 21:58 . 2009-09-04 22:44    69464    ----a-w-    c:\windows\system32\XAPOFX1_3.dll
2013-08-25 21:58 . 2009-09-04 22:44    515416    ----a-w-    c:\windows\system32\XAudio2_5.dll
2013-08-25 21:58 . 2009-09-04 22:29    453456    ----a-w-    c:\windows\system32\d3dx10_42.dll
2013-08-25 21:58 . 2006-11-29 18:06    3426072    ----a-w-    c:\windows\system32\d3dx9_32.dll
2013-08-25 21:58 . 2013-08-26 01:00    --------    d-----w-    c:\program files\Microsoft Silverlight
2013-08-25 21:45 . 2013-08-25 21:45    --------    d-----w-    c:\program files\Common Files\Windows Live
2013-08-25 21:44 . 2013-08-25 21:44    --------    d-----w-    c:\program files\MSXML 4.0
2013-08-25 21:11 . 2010-11-20 12:21    411648    ----a-w-    c:\windows\system32\wlangpui.dll
2013-08-25 20:59 . 2013-08-25 20:59    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2013-08-25 20:22 . 2013-08-25 20:22    --------    d-----w-    c:\windows\system32\Wat
2013-08-25 20:10 . 2011-11-19 14:01    67072    ----a-w-    c:\windows\system32\packager.dll
2013-08-25 20:10 . 2011-11-17 05:35    314880    ----a-w-    c:\windows\system32\webio.dll
2013-08-25 20:10 . 2011-07-09 02:30    223744    ----a-w-    c:\windows\system32\drivers\mrxsmb10.sys
2013-08-25 20:10 . 2011-04-27 02:17    96768    ----a-w-    c:\windows\system32\drivers\mrxsmb20.sys
2013-08-25 20:10 . 2011-04-27 02:17    123904    ----a-w-    c:\windows\system32\drivers\mrxsmb.sys
2013-08-25 20:09 . 2011-02-25 05:30    2616320    ----a-w-    c:\windows\explorer.exe
2013-08-25 20:09 . 2012-05-14 04:33    769024    ----a-w-    c:\windows\system32\localspl.dll
2013-08-25 20:09 . 2012-04-26 04:45    58880    ----a-w-    c:\windows\system32\rdpwsx.dll
2013-08-25 20:09 . 2012-04-26 04:45    129536    ----a-w-    c:\windows\system32\rdpcorekmts.dll
2013-08-25 20:09 . 2012-04-26 04:41    8192    ----a-w-    c:\windows\system32\rdrmemptylst.exe
2013-08-25 20:09 . 2011-12-16 07:52    690688    ----a-w-    c:\windows\system32\msvcrt.dll
2013-08-25 20:09 . 2011-04-09 05:56    123904    ----a-w-    c:\windows\system32\poqexec.exe
2013-08-25 19:42 . 2010-09-30 06:47    70656    ----a-w-    c:\windows\system32\fontsub.dll
2013-08-25 19:42 . 2012-12-16 14:13    295424    ----a-w-    c:\windows\system32\atmfd.dll
2013-08-25 19:42 . 2012-12-16 14:13    34304    ----a-w-    c:\windows\system32\atmlib.dll
2013-08-25 19:35 . 2013-09-24 13:49    --------    d-----w-    c:\windows\system32\MRT
2013-08-25 19:18 . 2013-08-25 19:18    --------    d-----w-    c:\program files\Intel
2013-08-25 19:15 . 2012-07-26 03:39    526952    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2013-08-25 19:15 . 2012-07-26 03:39    47720    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2013-08-25 19:15 . 2012-07-26 02:46    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2013-08-25 19:15 . 2012-07-26 03:21    196608    ----a-w-    c:\windows\system32\WUDFHost.exe
2013-08-25 19:15 . 2012-07-26 03:20    73216    ----a-w-    c:\windows\system32\WUDFSvc.dll
2013-08-25 19:15 . 2012-07-26 03:20    613888    ----a-w-    c:\windows\system32\WUDFx.dll
2013-08-25 19:15 . 2012-07-26 03:20    38912    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2013-08-25 19:15 . 2012-07-26 03:20    172032    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2013-08-25 19:15 . 2012-07-26 02:33    66560    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2013-08-25 19:15 . 2012-07-26 02:32    155136    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2013-08-25 19:14 . 2012-03-01 05:46    19824    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2013-08-25 19:14 . 2012-03-01 05:33    159232    ----a-w-    c:\windows\system32\imagehlp.dll
2013-08-25 19:14 . 2012-03-01 05:29    5120    ----a-w-    c:\windows\system32\wmi.dll
2013-08-25 19:05 . 2012-04-28 03:17    183808    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
2013-08-25 19:04 . 2012-11-20 04:51    220160    ----a-w-    c:\windows\system32\ncrypt.dll
2013-08-25 19:04 . 2011-12-30 05:27    478720    ----a-w-    c:\windows\system32\timedate.cpl
2013-08-25 19:03 . 2011-10-15 05:38    534528    ----a-w-    c:\windows\system32\EncDec.dll
2013-08-25 19:01 . 2011-10-26 04:32    1328128    ----a-w-    c:\windows\system32\quartz.dll
2013-08-25 19:01 . 2012-05-01 04:44    164352    ----a-w-    c:\windows\system32\profsvc.dll
2013-08-25 19:01 . 2010-11-20 12:20    28672    ----a-w-    c:\windows\system32\profprov.dll
2013-08-25 19:00 . 2011-02-18 05:39    31232    ----a-w-    c:\windows\system32\prevhost.exe
2013-08-25 18:59 . 2011-04-25 02:18    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
2013-08-25 18:54 . 2011-08-27 04:26    571904    ----a-w-    c:\windows\system32\oleaut32.dll
2013-08-25 18:54 . 2011-08-27 04:26    233472    ----a-w-    c:\windows\system32\oleacc.dll
2013-08-25 18:52 . 2011-04-22 19:14    27008    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2013-08-25 18:52 . 2010-11-20 11:56    107520    ----a-w-    c:\windows\system32\cdd.dll
2013-08-25 18:32 . 2013-08-25 18:32    --------    d-----w-    c:\windows\Downloaded Installations
2013-08-25 18:12 . 2013-08-25 18:12    --------    d-----w-    c:\programdata\Sophos
2013-08-25 18:11 . 2013-08-25 18:14    --------    d-----w-    c:\programdata\HitmanPro
2013-08-25 18:09 . 2013-09-24 14:39    --------    d-----w-    C:\AdwCleaner
2013-08-25 18:05 . 2013-08-25 18:05    --------    d-----w-    C:\FRST
2013-08-25 17:42 . 2013-08-25 17:42    302    ----a-w-    C:\FixitRegBackup.reg
2013-08-25 17:42 . 2013-09-24 13:48    --------    d-sh--w-    c:\windows\Installer
2013-08-25 17:12 . 2013-08-07 09:22    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-08-25 16:49 . 2012-02-17 05:34    826880    ----a-w-    c:\windows\system32\rdpcore.dll
2013-08-25 16:49 . 2012-02-17 04:13    24576    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2013-08-25 16:49 . 2010-11-20 10:21    18432    ----a-w-    c:\windows\system32\drivers\tdpipe.sys
2013-08-25 16:44 . 2012-06-02 22:19    53784    ----a-w-    c:\windows\system32\wuauclt.exe
2013-08-25 16:44 . 2012-06-02 22:19    45080    ----a-w-    c:\windows\system32\wups2.dll
2013-08-25 16:44 . 2012-06-02 22:19    1933848    ----a-w-    c:\windows\system32\wuaueng.dll
2013-08-25 16:44 . 2012-06-02 22:12    2422272    ----a-w-    c:\windows\system32\wucltux.dll
2013-08-25 16:44 . 2012-06-02 22:19    35864    ----a-w-    c:\windows\system32\wups.dll
2013-08-25 16:44 . 2012-06-02 22:19    577048    ----a-w-    c:\windows\system32\wuapi.dll
2013-08-25 16:44 . 2012-06-02 22:12    88576    ----a-w-    c:\windows\system32\wudriver.dll
2013-08-25 16:44 . 2012-06-02 20:19    171904    ----a-w-    c:\windows\system32\wuwebv.dll
2013-08-25 16:44 . 2012-06-02 20:12    33792    ----a-w-    c:\windows\system32\wuapp.exe
2013-08-25 16:42 . 2013-09-24 14:28    --------    d-----w-    c:\windows\system32\wbem\Performance
2013-08-25 16:39 . 2013-09-07 14:24    --------    d-----w-    c:\users\AJM-DELL
2013-08-25 16:39 . 2013-08-25 16:39    --------    d-----w-    C:\Recovery
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-25 23:43 . 2009-07-14 02:05    152576    ----a-w-    c:\windows\system32\msclmd.dll
2013-08-25 21:59 . 2011-03-28 23:36    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-08-23 04:37 . 2013-08-23 04:37    176952    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-08-23 03:56 . 2013-08-23 03:56    209208    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-08-23 03:56 . 2013-08-23 03:56    223032    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-08-23 03:56 . 2013-08-23 03:56    146232    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2013-08-21 03:54 . 2013-08-21 03:54    102200    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2013-08-01 21:08 . 2013-08-01 21:08    193848    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2013-08-01 21:06 . 2013-08-01 21:06    22840    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-08-01 21:06 . 2013-08-01 21:06    120120    ----a-w-    c:\windows\system32\drivers\avgdiskx.sys
2013-08-01 21:05 . 2013-08-01 21:05    26936    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-06-05 17:17    130736    ----a-w-    c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-06-05 17:17    130736    ----a-w-    c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-06-05 17:17    130736    ----a-w-    c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-08-26 4851248]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-08-25 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [2013-08-27 3534896]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-08-25 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2013-08-23 146232]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [2013-08-23 223032]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2013-08-01 26936]
S1 Avgdiskx;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiskx.sys [2013-08-01 120120]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2012-09-04 50296]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2013-08-23 209208]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2013-08-01 22840]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2013-08-23 176952]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2013-08-01 193848]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG2014\avgfws.exe [2013-08-26 1358432]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [2013-08-21 300640]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
TCP: DhcpNameServer = 10.20.0.56 10.20.0.50 10.20.0.4
FF - ProfilePath - c:\users\AJM-DELL\AppData\Roaming\Mozilla\Firefox\Profiles\nt13ll76.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - ExtSQL: 2013-09-07 09:13; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\AJM-DELL\AppData\Roaming\Mozilla\Firefox\Profiles\nt13ll76.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-466443174-2913434031-3550566235-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-466443174-2913434031-3550566235-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-24  09:57:56
ComboFix-quarantined-files.txt  2013-09-24 14:57
.
Pre-Run: 269,552,435,200 bytes free
Post-Run: 269,139,152,896 bytes free
.
- - End Of File - - 4C75D1F732655C37D5DDFFF6A46DE720
A36C5E4F47E84449FF07ED3517B43A31

(second one)

ComboFix 13-09-24.02 - AJM-DELL 09/24/2013  10:04:38.2.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3582.2673 [GMT -5:00]
Running from: c:\users\AJM-DELL\Desktop\ComboFix.exe
AV: AVG Internet Security 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
FW: AVG Internet Security 2014 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
SP: AVG Internet Security 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-24 to 2013-09-24  )))))))))))))))))))))))))))))))
.
.
2013-09-24 15:09 . 2013-09-24 15:09    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-09-07 20:29 . 2013-09-07 20:29    --------    d-----w-    c:\programdata\Malwarebytes
2013-09-07 19:40 . 2013-09-07 19:40    --------    d-----w-    c:\windows\ERUNT
2013-09-07 17:54 . 2013-09-07 17:54    --------    d-----w-    c:\program files\HitmanPro
2013-09-06 23:56 . 2013-09-06 23:59    --------    d-----w-    c:\programdata\AVG
2013-09-06 23:56 . 2013-09-07 00:26    --------    d-sh--w-    c:\programdata\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-09-06 23:48 . 2013-09-06 23:48    --------    d-----w-    C:\$AVG
2013-09-06 23:48 . 2013-09-24 13:48    --------    d-----w-    c:\program files\AVG
2013-09-06 23:37 . 2013-09-24 13:37    --------    d-----w-    c:\programdata\MFAData
2013-09-06 23:37 . 2013-09-06 23:37    --------    d--h--w-    c:\programdata\Common Files
2013-09-06 23:34 . 2013-08-20 05:47    7166848    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{9A2FBE7F-D9F0-46A9-AA4A-6B932451B253}\mpengine.dll
2013-08-26 01:15 . 2013-04-17 07:02    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-08-26 01:07 . 2013-04-09 23:34    1247744    ----a-w-    c:\windows\system32\DWrite.dll
2013-08-26 00:32 . 2013-08-26 00:32    49152    ----a-w-    c:\windows\system32\taskhost.exe
2013-08-26 00:31 . 2013-08-26 00:31    1505280    ----a-w-    c:\windows\system32\d3d11.dll
2013-08-26 00:29 . 2013-07-09 05:03    3968960    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-08-26 00:27 . 2013-06-04 04:53    509440    ----a-w-    c:\windows\system32\qedit.dll
2013-08-25 23:37 . 2013-08-25 23:37    --------    d-----w-    c:\windows\system32\SPReview
2013-08-25 23:20 . 2013-08-25 23:20    --------    d-----w-    c:\windows\system32\EventProviders
2013-08-25 22:01 . 2013-08-25 22:01    --------    d-----w-    c:\windows\en
2013-08-25 22:00 . 2013-08-25 22:00    --------    dc----w-    c:\windows\system32\DRVSTORE
2013-08-25 22:00 . 2012-03-08 23:32    39272    ----a-w-    c:\windows\system32\drivers\fssfltr.sys
2013-08-25 22:00 . 2013-08-25 22:00    --------    d-----w-    c:\program files\Microsoft SQL Server Compact Edition
2013-08-25 21:59 . 2013-08-25 21:59    --------    d-----w-    c:\windows\PCHEALTH
2013-08-25 21:59 . 2013-09-07 14:13    --------    d-----w-    c:\program files\Windows Live
2013-08-25 21:58 . 2013-09-06 23:33    --------    d-----w-    c:\program files\Microsoft
2013-08-25 21:58 . 2009-09-04 22:44    69464    ----a-w-    c:\windows\system32\XAPOFX1_3.dll
2013-08-25 21:58 . 2009-09-04 22:44    515416    ----a-w-    c:\windows\system32\XAudio2_5.dll
2013-08-25 21:58 . 2009-09-04 22:29    453456    ----a-w-    c:\windows\system32\d3dx10_42.dll
2013-08-25 21:58 . 2006-11-29 18:06    3426072    ----a-w-    c:\windows\system32\d3dx9_32.dll
2013-08-25 21:58 . 2013-08-26 01:00    --------    d-----w-    c:\program files\Microsoft Silverlight
2013-08-25 21:45 . 2013-08-25 21:45    --------    d-----w-    c:\program files\Common Files\Windows Live
2013-08-25 21:44 . 2013-08-25 21:44    --------    d-----w-    c:\program files\MSXML 4.0
2013-08-25 21:11 . 2010-11-20 12:21    411648    ----a-w-    c:\windows\system32\wlangpui.dll
2013-08-25 20:59 . 2013-08-25 20:59    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2013-08-25 20:22 . 2013-08-25 20:22    --------    d-----w-    c:\windows\system32\Wat
2013-08-25 20:10 . 2011-11-19 14:01    67072    ----a-w-    c:\windows\system32\packager.dll
2013-08-25 20:10 . 2011-11-17 05:35    314880    ----a-w-    c:\windows\system32\webio.dll
2013-08-25 20:10 . 2011-07-09 02:30    223744    ----a-w-    c:\windows\system32\drivers\mrxsmb10.sys
2013-08-25 20:10 . 2011-04-27 02:17    96768    ----a-w-    c:\windows\system32\drivers\mrxsmb20.sys
2013-08-25 20:10 . 2011-04-27 02:17    123904    ----a-w-    c:\windows\system32\drivers\mrxsmb.sys
2013-08-25 20:09 . 2011-02-25 05:30    2616320    ----a-w-    c:\windows\explorer.exe
2013-08-25 20:09 . 2012-05-14 04:33    769024    ----a-w-    c:\windows\system32\localspl.dll
2013-08-25 20:09 . 2012-04-26 04:45    58880    ----a-w-    c:\windows\system32\rdpwsx.dll
2013-08-25 20:09 . 2012-04-26 04:45    129536    ----a-w-    c:\windows\system32\rdpcorekmts.dll
2013-08-25 20:09 . 2012-04-26 04:41    8192    ----a-w-    c:\windows\system32\rdrmemptylst.exe
2013-08-25 20:09 . 2011-12-16 07:52    690688    ----a-w-    c:\windows\system32\msvcrt.dll
2013-08-25 20:09 . 2011-04-09 05:56    123904    ----a-w-    c:\windows\system32\poqexec.exe
2013-08-25 19:42 . 2010-09-30 06:47    70656    ----a-w-    c:\windows\system32\fontsub.dll
2013-08-25 19:42 . 2012-12-16 14:13    295424    ----a-w-    c:\windows\system32\atmfd.dll
2013-08-25 19:42 . 2012-12-16 14:13    34304    ----a-w-    c:\windows\system32\atmlib.dll
2013-08-25 19:35 . 2013-09-24 13:49    --------    d-----w-    c:\windows\system32\MRT
2013-08-25 19:18 . 2013-08-25 19:18    --------    d-----w-    c:\program files\Intel
2013-08-25 19:15 . 2012-07-26 03:39    526952    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2013-08-25 19:15 . 2012-07-26 03:39    47720    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2013-08-25 19:15 . 2012-07-26 02:46    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2013-08-25 19:15 . 2012-07-26 03:21    196608    ----a-w-    c:\windows\system32\WUDFHost.exe
2013-08-25 19:15 . 2012-07-26 03:20    73216    ----a-w-    c:\windows\system32\WUDFSvc.dll
2013-08-25 19:15 . 2012-07-26 03:20    613888    ----a-w-    c:\windows\system32\WUDFx.dll
2013-08-25 19:15 . 2012-07-26 03:20    38912    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2013-08-25 19:15 . 2012-07-26 03:20    172032    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2013-08-25 19:15 . 2012-07-26 02:33    66560    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2013-08-25 19:15 . 2012-07-26 02:32    155136    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2013-08-25 19:14 . 2012-03-01 05:46    19824    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2013-08-25 19:14 . 2012-03-01 05:33    159232    ----a-w-    c:\windows\system32\imagehlp.dll
2013-08-25 19:14 . 2012-03-01 05:29    5120    ----a-w-    c:\windows\system32\wmi.dll
2013-08-25 19:05 . 2012-04-28 03:17    183808    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
2013-08-25 19:04 . 2012-11-20 04:51    220160    ----a-w-    c:\windows\system32\ncrypt.dll
2013-08-25 19:04 . 2011-12-30 05:27    478720    ----a-w-    c:\windows\system32\timedate.cpl
2013-08-25 19:03 . 2011-10-15 05:38    534528    ----a-w-    c:\windows\system32\EncDec.dll
2013-08-25 19:01 . 2011-10-26 04:32    1328128    ----a-w-    c:\windows\system32\quartz.dll
2013-08-25 19:01 . 2012-05-01 04:44    164352    ----a-w-    c:\windows\system32\profsvc.dll
2013-08-25 19:01 . 2010-11-20 12:20    28672    ----a-w-    c:\windows\system32\profprov.dll
2013-08-25 19:00 . 2011-02-18 05:39    31232    ----a-w-    c:\windows\system32\prevhost.exe
2013-08-25 18:59 . 2011-04-25 02:18    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
2013-08-25 18:54 . 2011-08-27 04:26    571904    ----a-w-    c:\windows\system32\oleaut32.dll
2013-08-25 18:54 . 2011-08-27 04:26    233472    ----a-w-    c:\windows\system32\oleacc.dll
2013-08-25 18:52 . 2011-04-22 19:14    27008    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2013-08-25 18:52 . 2010-11-20 11:56    107520    ----a-w-    c:\windows\system32\cdd.dll
2013-08-25 18:32 . 2013-08-25 18:32    --------    d-----w-    c:\windows\Downloaded Installations
2013-08-25 18:12 . 2013-08-25 18:12    --------    d-----w-    c:\programdata\Sophos
2013-08-25 18:11 . 2013-08-25 18:14    --------    d-----w-    c:\programdata\HitmanPro
2013-08-25 18:09 . 2013-09-24 14:39    --------    d-----w-    C:\AdwCleaner
2013-08-25 18:05 . 2013-08-25 18:05    --------    d-----w-    C:\FRST
2013-08-25 17:42 . 2013-08-25 17:42    302    ----a-w-    C:\FixitRegBackup.reg
2013-08-25 17:42 . 2013-09-24 13:48    --------    d-sh--w-    c:\windows\Installer
2013-08-25 17:12 . 2013-08-07 09:22    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-08-25 16:49 . 2012-02-17 05:34    826880    ----a-w-    c:\windows\system32\rdpcore.dll
2013-08-25 16:49 . 2012-02-17 04:13    24576    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2013-08-25 16:49 . 2010-11-20 10:21    18432    ----a-w-    c:\windows\system32\drivers\tdpipe.sys
2013-08-25 16:44 . 2012-06-02 22:19    53784    ----a-w-    c:\windows\system32\wuauclt.exe
2013-08-25 16:44 . 2012-06-02 22:19    45080    ----a-w-    c:\windows\system32\wups2.dll
2013-08-25 16:44 . 2012-06-02 22:19    1933848    ----a-w-    c:\windows\system32\wuaueng.dll
2013-08-25 16:44 . 2012-06-02 22:12    2422272    ----a-w-    c:\windows\system32\wucltux.dll
2013-08-25 16:44 . 2012-06-02 22:19    35864    ----a-w-    c:\windows\system32\wups.dll
2013-08-25 16:44 . 2012-06-02 22:19    577048    ----a-w-    c:\windows\system32\wuapi.dll
2013-08-25 16:44 . 2012-06-02 22:12    88576    ----a-w-    c:\windows\system32\wudriver.dll
2013-08-25 16:44 . 2012-06-02 20:19    171904    ----a-w-    c:\windows\system32\wuwebv.dll
2013-08-25 16:44 . 2012-06-02 20:12    33792    ----a-w-    c:\windows\system32\wuapp.exe
2013-08-25 16:42 . 2013-09-24 14:28    --------    d-----w-    c:\windows\system32\wbem\Performance
2013-08-25 16:39 . 2013-09-07 14:24    --------    d-----w-    c:\users\AJM-DELL
2013-08-25 16:39 . 2013-08-25 16:39    --------    d-----w-    C:\Recovery
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-25 23:43 . 2009-07-14 02:05    152576    ----a-w-    c:\windows\system32\msclmd.dll
2013-08-25 21:59 . 2011-03-28 23:36    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-08-23 04:37 . 2013-08-23 04:37    176952    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-08-23 03:56 . 2013-08-23 03:56    209208    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-08-23 03:56 . 2013-08-23 03:56    223032    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-08-23 03:56 . 2013-08-23 03:56    146232    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2013-08-21 03:54 . 2013-08-21 03:54    102200    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2013-08-01 21:08 . 2013-08-01 21:08    193848    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2013-08-01 21:06 . 2013-08-01 21:06    22840    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-08-01 21:06 . 2013-08-01 21:06    120120    ----a-w-    c:\windows\system32\drivers\avgdiskx.sys
2013-08-01 21:05 . 2013-08-01 21:05    26936    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-06-05 17:17    130736    ----a-w-    c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-06-05 17:17    130736    ----a-w-    c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-06-05 17:17    130736    ----a-w-    c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-08-26 4851248]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-08-25 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [2013-08-27 3534896]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-08-25 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2013-08-23 146232]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [2013-08-23 223032]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2013-08-01 26936]
S1 Avgdiskx;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiskx.sys [2013-08-01 120120]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2012-09-04 50296]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2013-08-23 209208]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2013-08-01 22840]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2013-08-23 176952]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2013-08-01 193848]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG2014\avgfws.exe [2013-08-26 1358432]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [2013-08-21 300640]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
TCP: DhcpNameServer = 10.20.0.56 10.20.0.50 10.20.0.4
FF - ProfilePath - c:\users\AJM-DELL\AppData\Roaming\Mozilla\Firefox\Profiles\nt13ll76.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - ExtSQL: 2013-09-07 09:13; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\AJM-DELL\AppData\Roaming\Mozilla\Firefox\Profiles\nt13ll76.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-466443174-2913434031-3550566235-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-466443174-2913434031-3550566235-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3308)
c:\users\AJM-DELL\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
Completion time: 2013-09-24  10:10:29
ComboFix-quarantined-files.txt  2013-09-24 15:10
ComboFix2.txt  2013-09-24 14:57
.
Pre-Run: 269,168,553,984 bytes free
Post-Run: 269,134,839,808 bytes free
.
- - End Of File - - 9C2316981CD7BBD39A860C66F1F32B5F
A36C5E4F47E84449FF07ED3517B43A31

Security check (initially gave me an error " UNSUPPORTED OPERATING SYSTEM! ABORTED!". Then after I ran combofix again as an admin securitycheck decided it would work)

 Results of screen317's Security Check version 0.99.73  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
AVG Internet Security 2014   
 Antivirus out of date!  
`````````Anti-malware/Other Utilities Check:`````````
 Mozilla Firefox (23.0.1)
````````Process Check: objlist.exe by Laurent````````  
 AVG avgwdsvc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````
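The service and driver section of the ComboFix log above has a fixed line shape (state letter, start-type digit, `name;display name;path`, then `[date size]` or `[x]` when the file was not found on disk), which makes it easy to triage in bulk rather than by eye. The following is an added example, not code from this thread or from ComboFix: it parses a few lines copied from the log (a constructed sample) and lists the entries whose backing file was reported missing and the entries that start at boot or system time. The reading of `R`/`S` as running/stopped and of the digit as the Windows service start type is an assumption about the ComboFix layout.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a handful of service/driver lines copied from the
# ComboFix log in this thread, plus two non-service lines the parser must skip.
SAMPLE_LOG = r"""
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [2013-08-27 3534896]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2013-08-23 146232]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2012-09-04 50296]
.
------- Supplementary Scan -------
"""

# One ComboFix service line: state letter, start-type digit, then
# name;display name;path, followed by "[date size]" or "[x]" when the
# file was not found on disk. (Assumed reading of the ComboFix layout.)
LINE_RE = re.compile(
    r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$"
)

# Windows service start types as used in the SCM; digit-to-name mapping assumed.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def parse_service_lines(text: str) -> List[Dict[str, object]]:
    """Turn the R*/S* lines of a ComboFix log into dicts; other lines are skipped."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        state, start, name, display, path, detail = m.groups()
        date: Optional[str] = None
        size: Optional[int] = None
        present = detail.strip().lower() != "x"
        if present:
            parts = detail.split()
            if len(parts) == 2 and parts[1].isdigit():
                date, size = parts[0], int(parts[1])
        entries.append({
            "name": name,
            "display": display,
            "path": path,
            "state": "running" if state == "R" else "stopped",
            "start_type": int(start),
            "start_name": START_TYPES[int(start)],
            "file_present": present,
            "date": date,
            "size": size,
        })
    return entries


def missing_binaries(entries: List[Dict[str, object]]) -> List[str]:
    """Names of entries whose backing file ComboFix could not find ([x])."""
    return [str(e["name"]) for e in entries if not e["file_present"]]


def early_start(entries: List[Dict[str, object]]) -> List[str]:
    """Boot- and system-start entries: they load before most security tooling,
    so they are the first ones worth comparing against a known-good build."""
    return [str(e["name"]) for e in entries if int(e["start_type"]) <= 1]


if __name__ == "__main__":
    parsed = parse_service_lines(SAMPLE_LOG)
    print(f"{len(parsed)} service/driver entries")
    print("file missing on disk:", missing_binaries(parsed))
    print("boot/system start:", early_start(parsed))
```

A `[x]` entry only means ComboFix did not find the file at the recorded path; it is a prompt for a manual look (vendor, path, whether the driver belongs to an installed component), not a verdict on its own.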
 



#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:04 PM

Posted 03 October 2013 - 09:47 AM

Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://windows.microsoft.com/en-gb/windows7/create-a-restore-point
Windows 8 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

Download this program to your desktop.
Tweaking.com - Windows Repair 1.9.16
http://www.bleepingcomputer.com/download/windows-repair-all-in-one-portable/


Extract and launch the Repair_Windows.exe file

Click on Start repairs tab-click on Start

Check all the options:
Reset Registry Permissions
Reset File Permissions
Register System Files
Repair WMI
Repair Windows Firewall
Repair Internet Explorer
Repair MDAC & MS Jet
Repair Hosts File
Remove Policies Set By Infections
Repair Icons
Repair Winsock & DNS Cache
Remove Temp Files
Repair Proxy Settings
Unhide Non System Files
Repair Windows Updates
Repair CD/DVD Missing/Not Working
  • Checkmark Restart System When Finished option
  • click the Start button
  • System should restart after repair
Keep me posted on the results.

#15 Ajmarks

Ajmarks
  • Topic Starter

  • Members
  • 116 posts
  • OFFLINE
  •  
  • Local time:01:04 AM

Posted 03 October 2013 - 08:56 PM

Still the same issues. There are a lot of logs in the log file for this program- should I post them? :(



