
Accidently used mybleepingcomputer site for download, now have even more trouble


This topic is locked
35 replies to this topic

#1 FlaGal311

FlaGal311

  • Members
  • 18 posts
  • Gender:Female
  • Location:Central Florida

Posted 21 October 2013 - 12:23 PM

Hi community of the “real” Bleeping Computer Forum – I have been infected and don’t know the proper steps to resolve the problem other than turning to this forum. Please, if I have posted in the wrong area, I would love to have my post sent to the correct area. Thanks in advance for helping me.

 

In my effort to get rid of the Delta-Search Toolbar, I cleaned/deleted and uninstalled it, yet it still shows up, so I thought I would go to your site and look for a solution.

 

I thought I went to your site www.bleepingcomputer.com but went instead to www.mybleepingcomputer.com, and unfortunately when I tried to download AdwCleaner, their site started another download instead, with a bunch of stuff such as:

 

PCOptimizerPro – I didn’t realize I was downloading the wrong thing, and when I did it was just about done. I knew I was in trouble then. I immediately went to uninstall and delete what I could of that program.

 

However, it apparently downloaded more:

Browser Safeguard at the same time – which I also tried to uninstall and remove.

Sweetpacks, MCPC Backup (all of which I didn’t have before.)

Setup by Express Installer

 

What I also had before and want to remove are:

Ot Shot

Hosts by Alex  (this software even has a notepad file of its action)

 

Other Downloads I have on the laptop to help fix the laptop (which I’m not sure how/when to use) are:

TDSSKiller

ADWCleaner

Minitool Box

Junkware Removal Tool

Super AntiSpyware

Malwarebytes Antimalware

Spybot

MSE Microsoft Search Client

 

I have a refurbished DELL Inspiron 1525 running Windows 7. Even though I was advised the hard drive was scrubbed, I don’t believe it was; it was just reformatted to add other users. I am trying to use MSE for security and usually use CHROME for internet access rather than Internet Explorer. While there are a bunch of kids in this house, they don’t access this laptop (they’ve had the displeasure of infecting the desktop – another day, I’ll deal with that one), and their mom uses this one once in a blue moon, but when she last used it she did download the stuff I was initially trying to get rid of.

 

In the past, I’ve been able to see what has been done and fix simple things. However, now I know I’m in some real trouble, or maybe I should just toss the laptop. If someone would be so kind as to help me figure this out, I would be so grateful. Thank you in advance.




#2 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 21 October 2013 - 04:04 PM

Hello FlaGal311 and welcome to the "real" Bleeping Computer! :)

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • Please do not run any other tools without my instruction to do so!

==========

If you've gotten any of those other tools from the imposter site (we're looking into it), I would advise you delete them. We'll get all the tools we will need from here only, and I will provide you with all links necessary as well.

Now, let's have a closer look to see what might be lurking in there:

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

==========

Once you get the two requested logs posted, we'll go from there! :wink:

bloopie



#3 FlaGal311

FlaGal311
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Female
  • Location:Central Florida

Posted 23 October 2013 - 07:27 AM

Bloopie -

Thank you so much for replying.

First questions answer - No, I have not resolved this problem and don't want to try without help from the experts!

And, about CDs - NO, I do not have CDs. The laptop was a gift from a friend but they did not include the CDs.

Also a contributing factor for me to stop trying on my own and look to the gurus at your site. Believe me, I was very upset with myself when I realized I was on the wrong site.

 

I believe all I got from the "imposter" is:

PCOptimizerPro = Browser Safeguard = Sweetpacks = MCPC Backup = Setup by Express Installer

 

This morning I have a rather full schedule of household/kidcare things to handle but when I'm back, I will try to uninstall the things from the imposter, download what you have suggested and try to post logs.  I really need to do this after all the kids are asleep so I'm not interrupted and can concentrate.  

 

Again, Thank you!  I'll be back to you ASAP.

Sincerely, 

Alice



#4 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 23 October 2013 - 12:58 PM

Hello Alice,
 

Thank you so much for replying.

It's my pleasure! :)
 

I believe all I got from the "imposter" is:
PCOptimizerPro = Browser Safeguard = Sweetpacks = MCPC Backup = Setup by Express Installer

Not to worry, we'll be removing those during the cleaning process if you are unable to do it yourself. :wink:
 

This morning I have a rather full schedule of household/kidcare things to handle but when I'm back, I will try to uninstall the things from the imposter, download what you have suggested and try to post logs.  I really need to do this after all the kids are asleep so I'm not interrupted and can concentrate.

Once again, not to worry. Take your time, I'm not going anywhere. As long as you don't go AWOL on me, I'll leave this thread open as long as it takes.

bloopie

#5 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 27 October 2013 - 06:39 PM

Are you still with me?

 

Any luck with the scan?

 

bloopie



#6 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 29 October 2013 - 02:12 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#7 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 01 December 2013 - 10:48 PM

I have re-opened this topic at the request of the person who originally posted.
 
==============================
 
Hello again Alice,
 
Let's see what's been going on...please run a scan with FRST and post the log for my review:

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

bloopie

Edited by bloopie, 01 December 2013 - 10:51 PM.
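
The scan described above writes a plain-text FRST.txt, and the helper's next step is reading it. As an added example (not Farbar's code and not something bloopie posted), here is a small Python triage script that reads lines in that format and flags the entries a malware-response volunteer looks at first: FRST's own ATTENTION markers, a system proxy pointed at localhost, hosts-file overrides, autoruns that load a DLL from a user profile through rundll32, add-on registrations whose file is gone, services with no publisher, and a watch-list of names. The rules, the watch-list and the sample lines (copied from the log posted later in this thread, some shortened) are this example's assumptions.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Added example for this thread: not Farbar's code, not the helper's. The
rules and the watch-list are assumptions, seeded from the posted log.
"""
import re
from dataclasses import dataclass, field

# Hypothetical watch-list: programs the poster attributes to the imposter
# site, plus components FRST itself flagged in the posted log.
WATCH_LIST = ("Optimizer Pro", "Browser Safeguard", "Sweetpacks",
              "SearchProtect", "TBHostSupport", "Conduit")

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
ATTENTION_RE = re.compile(r"<=+\s*ATTENTION")
PROXY_RE = re.compile(r"^ProxyServer:\s*(.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^(HK(?:LM|CU|U\\[^\\]+))\\\.\.\.\\Run:\s*\[(.+?)\]\s*-\s*(.*)$")
NOFILE_RE = re.compile(r"^(?:BHO|Toolbar):.*No File\s*$")
# FRST prints "()" when a binary carries no company/publisher field; in the
# Services and Drivers sections the path is followed by "[size date] ()".
NO_PUBLISHER_RE = re.compile(r"^[RS]\d\s+([^;]+);\s*.+?\s+\[\d+ [\d-]+\]\s+\(\)\s*$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list[str] = field(default_factory=list)


def _run_reasons(command: str) -> list[str]:
    """Heuristics for one autorun (Run key) command line."""
    lowered = command.lower()
    if "rundll32" in lowered and "appdata" in lowered:
        return ["autorun loads a DLL from a user profile via rundll32"]
    # FRST appends "(Publisher)" when the file has one; its absence is a
    # hint to look closer, not a verdict.
    stripped = command.rstrip()
    if not stripped.endswith(")") or stripped.endswith("()"):
        return ["autorun entry without a publisher name"]
    return []


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that trips at least one rule."""
    findings = []
    section = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip("= ") or section
            continue
        reasons = []
        if ATTENTION_RE.search(line):
            reasons.append("flagged by FRST (ATTENTION)")
        m = PROXY_RE.match(line)
        if m and "127.0.0.1" in m.group(1):
            reasons.append("system proxy points at a local port, so a local "
                           "process sits between the browser and the network")
        m = HOSTS_RE.match(line)
        if m:
            reasons.append(f"hosts file overrides {m.group(2)} -> {m.group(1)}")
        m = RUN_RE.match(line)
        if m:
            reasons.extend(_run_reasons(m.group(3)))
        if NOFILE_RE.match(line):
            reasons.append("orphaned browser add-on registration (file missing)")
        m = NO_PUBLISHER_RE.match(line)
        if m:
            reasons.append(f"service/driver '{m.group(1)}' has no publisher")
        hit = next((n for n in WATCH_LIST if n.lower() in line.lower()), None)
        if hit:
            reasons.append(f"watch-list name '{hit}'")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


# Sample input: lines copied from the FRST.txt posted in this thread
# (some shortened), used here as test data.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKCU\...\Run: [TBHostSupport] - "C:\Windows\system32\Rundll32.exe" "C:\Users\Administrator\AppData\Local\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin <===== ATTENTION
HKU\Keiyanna Kong\...\Run: [ooVoo.exe] - C:\Program Files\oovoo\ooVoo.exe [ 2011-11-20] (ooVoo LLC)
HKU\Keiyanna Kong\...\Run: [Optimizer Pro] - C:\Program Files\Optimizer Pro\OptProLauncher.exe
==================== Internet (Whitelisted) ====================
ProxyServer: http=127.0.0.1:49177;https=127.0.0.1:49177
BHO: No Name - {878B8524-AED5-4870-9A96-A515440DAC75} -  No File
Hosts: 127.0.0.1 validation.sls.microsoft.com
CHR HomePage: hxxp://search.conduit.com/?ctid=CT3308837
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
========================== Services (Whitelisted) =================
R2 Level Quality Watcher; C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe [418808 2013-11-25] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {'; '.join(f.reasons)}\n    {f.line}")
```

Every rule here is a prompt for a closer look rather than a verdict; a legitimate driver with no company field trips the publisher rule just as the unwanted ones do.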


#8 FlaGal311

FlaGal311
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Female
  • Location:Central Florida

Posted 02 December 2013 - 08:45 PM

I took the chance on getting this downloaded and run tonight. Here are the results of the FRST scan. I've attached both files.

 

Guess I should indicate that the prior owner of this laptop was Kieyanna Kong, and any non-essential files under her name can be removed or deleted; I just don't know what all is safe to remove.

 

When I want to find my downloads I usually go to My Computer, find Local Disk (C:), then find Users, then find Administrator.

 

My laptop is 32-bit; I do not have any CDs to set up this laptop should something go crazy either. I also use an Epson printer, if that's of any use to anyone.




#9 FlaGal311

FlaGal311
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Female
  • Location:Central Florida

Posted 02 December 2013 - 08:48 PM

Here are the files - copied and pasted rather than attached.

 

FRST

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-12-2013
Ran by Administrator (administrator) on INSPIRON1525 on 02-12-2013 20:19:25
Running from C:\Users\Administrator\Downloads
Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) ===================
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(TorchMedia Inc.) C:\Users\Administrator\AppData\Local\Torch\Update\TorchCrashHandler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
() C:\Program Files\OtShot\otshot.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(www.BitComet.com) C:\Program Files\BitComet\BitComet.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(www.BitComet.com) C:\Program Files\BitComet\tools\BitCometService.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [OtShot] - C:\Program Files\OtShot\otshot.exe [4386816 2012-10-18] ()
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-09-17] (Apple Inc.)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKCU\...\Run: [BitComet] - C:\Program Files\BitComet\BitComet.exe [12805888 2013-02-19] (www.BitComet.com)
HKCU\...\Run: [TBHostSupport] - "C:\Windows\system32\Rundll32.exe" "C:\Users\Administrator\AppData\Local\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin <===== ATTENTION
HKCU\...\Run: [GoogleChromeAutoLaunch_361C1DD22E1256C6B68316A32E8B1949] - C:\Program Files\Google\Chrome\Application\chrome.exe [825808 2013-06-14] (Google Inc.)
HKU\Keiyanna Kong\...\Run: [ooVoo.exe] - C:\Program Files\oovoo\ooVoo.exe [ 2011-11-20] (ooVoo LLC)
HKU\Keiyanna Kong\...\Run: [Facebook Update] - C:\Users\Keiyanna Kong\AppData\Local\Facebook\Update\FacebookUpdate.exe [ 2013-01-19] (Facebook Inc.)
HKU\Keiyanna Kong\...\Run: [WebCake Desktop] - "C:\Users\Administrator\AppData\Roaming\WebCake\WebCakeDesktop.exe"
HKU\Keiyanna Kong\...\Run: [Browser Infrastructure Helper] - C:\Users\Keiyanna Kong\AppData\Local\Smartbar\Application\QuickShare.exe startup
HKU\Keiyanna Kong\...\Run: [SearchProtect] - C:\Users\Keiyanna Kong\AppData\Roaming\SearchProtect\bin\cltmng.exe
HKU\Keiyanna Kong\...\Run: [Optimizer Pro] - C:\Program Files\Optimizer Pro\OptProLauncher.exe
HKU\Keiyanna Kong\...\Run: [Exetender] - "C:\Program Files\Free Ride Games\GPlayer.exe" /schedule 300000
 
==================== Internet (Whitelisted) ====================
 
ProxyServer: http=127.0.0.1:49177;https=127.0.0.1:49177
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x28AFEB6481F2CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
SearchScopes: HKLM - DefaultScope {E9D9E16F-9548-4A09-9D54-C0ADAF857509} URL = 
SearchScopes: HKLM - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = 
&tb_mrud=21-03-2013
 
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
&tb_mrud=21-03-2013
 
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = 
BHO: ScorpionSaver - {10AD2C61-0898-4348-8600-14A342F22AC3} - C:\Program Files\ScorpionSaver\IECore.dll ()
BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll (BitComet)
BHO: PasswordBox Helper - {5DB69B97-934B-451D-94DB-32EF802A01CD} - C:\Program Files\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: No Name - {878B8524-AED5-4870-9A96-A515440DAC75} -  No File
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: No Name - {B530A9A4-1722-4D16-AAD6-AA85E3AD2ADE} -  No File
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - PasswordBox - {25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} - C:\Program Files\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKCU - PasswordBox - {25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} - C:\Program Files\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
Toolbar: HKCU - No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} -  No File
Toolbar: HKCU - No Name - {00000000-0000-0000-0000-000000000000} -  No File
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} 
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://www.gamehouse.com/games/mjolauncher.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.gamehouse.com/games/zuma/popcaploader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: 127.0.0.1 validation.sls.microsoft.com
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
Chrome: 
=======
CHR HomePage: hxxp://search.conduit.com/?ctid=CT3308837&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP8F92EC9E-1736-41EA-9E2A-47471F6F1ABB&SSPV=
CHR Extension: (YouTube) - C:\Users\ADMINI~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\ADMINI~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Scorpion Saver) - C:\Users\ADMINI~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\oclgomenfkljhfkfflghppidonpkljjg\5.0_0
CHR Extension: (Gmail) - C:\Users\ADMINI~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR HKLM\...\Chrome\Extension: [dlnembnfbcpjnepmfjmngjenhhajpdfd] - C:\Program Files\IB Updater\source.crx
CHR HKLM\...\Chrome\Extension: [fbnmfdkmgihfljaegoejdjonfdpkdlci] - C:\Users\Administrator\AppData\Local\CRE\fbnmfdkmgihfljaegoejdjonfdpkdlci.crx
CHR HKLM\...\Chrome\Extension: [fdkednngfjmpnljkolbapdednncafhen] - C:\Users\Administrator\AppData\Local\CRE\fdkednngfjmpnljkolbapdednncafhen.crx
CHR HKLM\...\Chrome\Extension: [gpaiibklhaneknloaoccoidbaffjjlnb] - C:\Users\Administrator\AppData\Local\CRE\gpaiibklhaneknloaoccoidbaffjjlnb.crx
CHR HKLM\...\Chrome\Extension: [haagkflomlmpdjaojgbeljnkkohbbegb] - C:\Users\Administrator\AppData\Local\CRE\haagkflomlmpdjaojgbeljnkkohbbegb.crx
CHR HKLM\...\Chrome\Extension: [hbcennhacfaagdopikcegfcobcadeocj] - C:\Program Files\Common Files\Spigot\GC\saebay_1.1.crx
CHR HKLM\...\Chrome\Extension: [icdlfehblmklkikfigmjhbmmpmkmpooj] - C:\Program Files\Common Files\Spigot\GC\ErrorAssistant_1.2.crx
CHR HKLM\...\Chrome\Extension: [jifflliplgeajjdhmkcfnngfpgbjonjg] - C:\Program Files\Perion\NewTab\newTab.crx
CHR HKLM\...\Chrome\Extension: [kiplfnciaokpcennlkldkdaeaaomamof] - C:\Users\Administrator\AppData\Local\Torch\Plugins\TorchPlugin.crx
CHR HKLM\...\Chrome\Extension: [klibnahbojhkanfgaglnlalfkgpcppfi] - C:\Users\Administrator\AppData\Local\CRE\klibnahbojhkanfgaglnlalfkgpcppfi.crx
CHR HKLM\...\Chrome\Extension: [mhkaekfpcppmmioggniknbnbdbcigpkk] - C:\Users\Administrator\AppData\Local\Slick Savings\coupons.crx
CHR HKLM\...\Chrome\Extension: [mogmppbjfkngfoaecoialclfiabnpndg] - C:\Users\Administrator\AppData\Local\CRE\mogmppbjfkngfoaecoialclfiabnpndg.crx
CHR HKLM\...\Chrome\Extension: [pfndaklgolladniicklehhancnlgocpp] - C:\Program Files\Common Files\Spigot\GC\saamazon_1.0.crx
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
========================== Services (Whitelisted) =================
 
R3 BITCOMET_HELPER_SERVICE; C:\Program Files\BitComet\tools\BitCometService.exe [1296728 2010-12-28] (www.BitComet.com)
S4 EPSON_EB_RPCV4_04; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [156160 2011-01-11] (SEIKO EPSON CORPORATION)
S4 EPSON_PM_RPCV4_04; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [125440 2011-01-11] (SEIKO EPSON CORPORATION)
R2 Level Quality Watcher; C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe [418808 2013-11-25] ()
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [280288 2013-10-23] (Microsoft Corporation)
S4 PasswordBox; C:\Program Files\PasswordBox\pbbtnService.exe [67584 2013-03-11] (PasswordBox, Inc.)
R2 TorchCrashHandler; C:\Users\Administrator\AppData\Local\Torch\Update\TorchCrashHandler.exe [1213280 2013-10-07] (TorchMedia Inc.)
S3 iPod Service; "C:\Program Files\iPod\bin\iPodService.exe" [x]
 
==================== Drivers (Whitelisted) ====================
 
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [21248 2011-09-09] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [20096 2011-09-09] (Printing Communications Assoc., Inc. (PCAUSA))
R3 yukonw7; C:\Windows\System32\DRIVERS\yk62x86.sys [315392 2009-09-28] ()
S3 lmimirr; system32\DRIVERS\lmimirr.sys [x]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
S3 radpms; system32\DRIVERS\radpms.sys [x]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-12-02 20:19 - 2013-12-02 20:20 - 00013732 _____ C:\Users\Administrator\Downloads\FRST.txt
2013-12-02 20:18 - 2013-12-02 20:18 - 00000000 ____D C:\FRST
2013-12-02 20:17 - 2013-12-02 20:17 - 01092389 _____ (Farbar) C:\Users\Administrator\Downloads\FRST.exe
2013-12-01 19:16 - 2013-12-01 19:17 - 00000000 ____D C:\Program Files\ScorpionSaver
2013-11-29 22:04 - 2013-10-16 10:18 - 00338944 _____ (Adpeak, Inc.) C:\Windows\system32\AdpeakProxy.dll
2013-11-22 04:42 - 2013-11-22 04:42 - 00000000 ____D C:\Users\Administrator\AppData\Local\TBHostSupport
2013-11-22 04:08 - 2013-11-22 04:12 - 00000000 ____D C:\Users\Administrator\AppData\Local\NativeMessaging
2013-11-22 04:07 - 2013-11-22 04:07 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\SearchProtect
2013-11-21 23:16 - 2013-11-21 23:16 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\DealPly
2013-11-21 22:53 - 2013-11-28 22:02 - 00000000 ____D C:\Program Files\Level Quality Watcher
2013-11-21 22:08 - 2013-11-21 22:12 - 00460168 _____ C:\Users\Administrator\Downloads\microsoft-publisher.exe
2013-11-21 09:28 - 2013-12-01 18:20 - 00000000 ____D C:\Program Files\Common Files\Spigot
2013-11-21 09:28 - 2013-11-21 09:28 - 00000000 ____D C:\Users\Administrator\AppData\Local\Slick Savings
2013-11-21 09:27 - 2013-11-21 09:27 - 00001207 _____ C:\Users\Public\Desktop\YTD Video Downloader.lnk
2013-11-21 09:27 - 2013-11-21 09:27 - 00000000 ____D C:\ProgramData\YTD Video Downloader
2013-11-21 09:27 - 2013-11-21 09:27 - 00000000 ____D C:\Program Files\GreenTree Applications
2013-11-21 09:25 - 2013-11-21 09:25 - 11617048 _____ C:\Users\Administrator\Downloads\YTDSetup.exe
2013-11-19 09:12 - 2013-11-19 09:12 - 00095232 _____ C:\Users\Administrator\Documents\LegoNativityPartList.xls
2013-11-14 07:18 - 2013-10-12 02:04 - 00042496 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-11-14 07:18 - 2013-10-12 02:03 - 01767936 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-11-14 07:18 - 2013-10-12 02:03 - 01138176 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-11-14 07:18 - 2013-10-12 02:02 - 02877952 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-11-14 07:18 - 2013-10-12 02:02 - 02049024 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-11-14 07:18 - 2013-10-12 02:02 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-11-14 07:18 - 2013-10-12 02:02 - 00493056 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-11-14 07:18 - 2013-10-12 02:02 - 00391168 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-11-14 07:18 - 2013-10-12 02:02 - 00109056 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-11-14 07:18 - 2013-10-12 02:02 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-11-14 07:18 - 2013-10-12 02:02 - 00039424 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-11-14 07:18 - 2013-10-12 02:02 - 00033280 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-11-14 07:18 - 2013-10-12 01:08 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-11-14 07:18 - 2013-10-12 00:15 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-11-14 07:17 - 2013-10-12 02:02 - 14355968 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-11-14 07:17 - 2013-10-12 02:02 - 13761024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-11-13 21:47 - 2013-10-11 21:03 - 00656896 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll
2013-11-13 21:47 - 2013-10-11 21:01 - 00679424 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2013-11-13 21:47 - 2013-10-11 21:01 - 00216576 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL
2013-11-13 21:47 - 2013-10-03 20:58 - 00152576 _____ (Microsoft Corporation) C:\Windows\system32\SmartcardCredentialProvider.dll
2013-11-13 21:47 - 2013-10-03 20:56 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2013-11-13 21:47 - 2013-10-03 20:56 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\credui.dll
2013-11-13 21:47 - 2013-10-02 20:58 - 00305152 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2013-11-13 21:47 - 2013-09-24 21:01 - 00136640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2013-11-13 21:47 - 2013-09-24 21:01 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2013-11-13 21:47 - 2013-09-24 20:57 - 00247808 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2013-11-13 21:47 - 2013-09-24 20:57 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2013-11-13 21:47 - 2013-09-24 20:57 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2013-11-13 21:47 - 2013-09-24 20:56 - 01038848 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2013-11-13 21:47 - 2013-09-24 20:56 - 00220160 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2013-11-13 21:47 - 2013-09-24 19:49 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2013-11-13 21:47 - 2013-09-24 19:49 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2013-11-13 21:47 - 2013-07-04 07:16 - 00369848 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2013-11-13 21:46 - 2013-10-05 14:57 - 01168384 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-11-07 11:47 - 2013-11-07 11:47 - 00145768 _____ C:\Windows\Minidump\110713-32463-01.dmp
2013-11-04 10:13 - 2013-11-04 10:25 - 00504320 ____H C:\Users\Administrator\Documents\~WRL0777.tmp
2013-11-04 10:13 - 2013-11-04 10:22 - 00494080 ____H C:\Users\Administrator\Documents\~WRL3171.tmp
2013-11-04 10:13 - 2013-11-04 10:18 - 00492544 ____H C:\Users\Administrator\Documents\~WRL3206.tmp
2013-11-04 10:13 - 2013-11-04 10:16 - 00491008 ____H C:\Users\Administrator\Documents\~WRL1266.tmp
2013-11-04 10:13 - 2013-11-04 10:13 - 00246272 ____H C:\Users\Administrator\Documents\~WRL2070.tmp
 
==================== One Month Modified Files and Folders =======
 
2013-12-02 20:20 - 2013-12-02 20:19 - 00013732 _____ C:\Users\Administrator\Downloads\FRST.txt
2013-12-02 20:19 - 2013-01-24 11:05 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\BitComet
2013-12-02 20:18 - 2013-12-02 20:18 - 00000000 ____D C:\FRST
2013-12-02 20:17 - 2013-12-02 20:17 - 01092389 _____ (Farbar) C:\Users\Administrator\Downloads\FRST.exe
2013-12-02 20:07 - 2010-12-24 16:05 - 01573887 _____ C:\Windows\WindowsUpdate.log
2013-12-02 20:05 - 2013-01-23 18:08 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-12-02 19:54 - 2012-04-03 02:09 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-12-02 19:54 - 2011-08-16 14:51 - 00000960 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1161120922-706058692-2495451801-1000UA.job
2013-12-02 17:18 - 2011-08-16 14:51 - 00000938 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1161120922-706058692-2495451801-1000Core.job
2013-12-02 13:26 - 2010-12-24 16:10 - 00726444 _____ C:\Windows\system32\PerfStringBackup.INI
2013-12-02 13:26 - 2009-07-13 23:34 - 00017984 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-02 13:26 - 2009-07-13 23:34 - 00017984 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-02 13:21 - 2013-10-29 08:02 - 00000000 ____D C:\ProgramData\TorchCrashHandler
2013-12-02 13:21 - 2013-01-23 18:08 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-12-02 13:21 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-12-02 13:21 - 2009-07-13 23:39 - 00172655 _____ C:\Windows\setupact.log
2013-12-01 19:17 - 2013-12-01 19:16 - 00000000 ____D C:\Program Files\ScorpionSaver
2013-12-01 18:20 - 2013-11-21 09:28 - 00000000 ____D C:\Program Files\Common Files\Spigot
2013-12-01 18:20 - 2010-12-27 15:40 - 00151212 _____ C:\Windows\PFRO.log
2013-12-01 18:04 - 2013-06-25 17:26 - 00000000 ____D C:\Users\Administrator\AppData\Local\Conduit
2013-11-28 22:02 - 2013-11-21 22:53 - 00000000 ____D C:\Program Files\Level Quality Watcher
2013-11-28 19:55 - 2013-01-08 13:00 - 00000000 ____D C:\Users\Administrator
2013-11-28 12:33 - 2010-12-24 16:08 - 00000000 ____D C:\Users\Keiyanna Kong
2013-11-28 12:33 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\wfp
2013-11-28 12:33 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\registration
2013-11-22 19:30 - 2013-01-28 16:56 - 00000000 ____D C:\Users\Administrator\Documents\Childrens Folder
2013-11-22 04:42 - 2013-11-22 04:42 - 00000000 ____D C:\Users\Administrator\AppData\Local\TBHostSupport
2013-11-22 04:24 - 2010-12-27 11:11 - 00000000 ____D C:\Program Files\Creative Live! Cam
2013-11-22 04:14 - 2013-03-21 11:22 - 00000009 _____ C:\END
2013-11-22 04:12 - 2013-11-22 04:08 - 00000000 ____D C:\Users\Administrator\AppData\Local\NativeMessaging
2013-11-22 04:12 - 2013-06-25 17:26 - 00000000 ____D C:\Users\Administrator\AppData\Local\CRE
2013-11-22 04:08 - 2013-10-16 21:45 - 00000000 ____D C:\ProgramData\Conduit
2013-11-22 04:07 - 2013-11-22 04:07 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\SearchProtect
2013-11-21 23:16 - 2013-11-21 23:16 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\DealPly
2013-11-21 23:02 - 2013-06-27 00:33 - 00000000 ____D C:\Users\Administrator\Documents\Puppetry
2013-11-21 22:12 - 2013-11-21 22:08 - 00460168 _____ C:\Users\Administrator\Downloads\microsoft-publisher.exe
2013-11-21 20:19 - 2013-05-12 11:58 - 00000000 ____D C:\Users\Administrator\Documents\recipes
2013-11-21 09:28 - 2013-11-21 09:28 - 00000000 ____D C:\Users\Administrator\AppData\Local\Slick Savings
2013-11-21 09:27 - 2013-11-21 09:27 - 00001207 _____ C:\Users\Public\Desktop\YTD Video Downloader.lnk
2013-11-21 09:27 - 2013-11-21 09:27 - 00000000 ____D C:\ProgramData\YTD Video Downloader
2013-11-21 09:27 - 2013-11-21 09:27 - 00000000 ____D C:\Program Files\GreenTree Applications
2013-11-21 09:25 - 2013-11-21 09:25 - 11617048 _____ C:\Users\Administrator\Downloads\YTDSetup.exe
2013-11-19 19:21 - 2013-01-28 16:56 - 00000000 ____D C:\Users\Administrator\Documents\Creative Stuff
2013-11-19 18:42 - 2013-01-28 16:58 - 00000000 ____D C:\Users\Administrator\Documents\Sewing Related
2013-11-19 09:12 - 2013-11-19 09:12 - 00095232 _____ C:\Users\Administrator\Documents\LegoNativityPartList.xls
2013-11-19 09:07 - 2010-12-26 19:42 - 00001945 _____ C:\Windows\epplauncher.mif
2013-11-19 09:06 - 2010-12-26 23:38 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-11-19 05:21 - 2010-12-26 17:16 - 00230048 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2013-11-17 10:37 - 2013-10-06 16:15 - 00014336 _____ C:\Users\Administrator\Documents\puppet directory.xls
2013-11-17 09:01 - 2013-01-28 16:56 - 00000000 ____D C:\Users\Administrator\Documents\House Stuff
2013-11-14 07:22 - 2009-07-13 21:04 - 00000499 _____ C:\Windows\win.ini
2013-11-14 07:17 - 2013-07-21 03:20 - 00000000 ____D C:\Windows\system32\MRT
2013-11-14 07:13 - 2010-12-26 17:25 - 80340640 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-11-07 11:47 - 2013-11-07 11:47 - 00145768 _____ C:\Windows\Minidump\110713-32463-01.dmp
2013-11-07 11:47 - 2011-02-21 03:13 - 00000000 ____D C:\Windows\Minidump
2013-11-07 11:46 - 2011-02-21 03:13 - 160847862 _____ C:\Windows\MEMORY.DMP
2013-11-04 10:25 - 2013-11-04 10:13 - 00504320 ____H C:\Users\Administrator\Documents\~WRL0777.tmp
2013-11-04 10:22 - 2013-11-04 10:13 - 00494080 ____H C:\Users\Administrator\Documents\~WRL3171.tmp
2013-11-04 10:18 - 2013-11-04 10:13 - 00492544 ____H C:\Users\Administrator\Documents\~WRL3206.tmp
2013-11-04 10:16 - 2013-11-04 10:13 - 00491008 ____H C:\Users\Administrator\Documents\~WRL1266.tmp
2013-11-04 10:13 - 2013-11-04 10:13 - 00246272 ____H C:\Users\Administrator\Documents\~WRL2070.tmp
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$795439073347400b490ef5c6ba249fda
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1161120922-706058692-2495451801-500\$795439073347400b490ef5c6ba249fda
 
Some content of TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\BackupSetup.exe
C:\Users\Administrator\AppData\Local\Temp\Bit32D4.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\Bit355D.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\Bit39F7.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\Bit679A.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\Bit6C1B.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\BitA351.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\BitAC1E.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\BitAF1C.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\BitD347.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\BitECCE.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\BitF007.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\conduitinstaller.exe
C:\Users\Administrator\AppData\Local\Temp\HotShot_installerNewNoStartUp.exe
C:\Users\Administrator\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Administrator\AppData\Local\Temp\mconduitinstaller.exe
C:\Users\Administrator\AppData\Local\Temp\mgsqlite3.dll
C:\Users\Administrator\AppData\Local\Temp\newsetup.exe
C:\Users\Administrator\AppData\Local\Temp\nsa3F67.exe
C:\Users\Administrator\AppData\Local\Temp\nsbB59A.exe
C:\Users\Administrator\AppData\Local\Temp\nsd8ACA.exe
C:\Users\Administrator\AppData\Local\Temp\nsf4774.exe
C:\Users\Administrator\AppData\Local\Temp\nsf68AB.exe
C:\Users\Administrator\AppData\Local\Temp\nsfC99A.exe
C:\Users\Administrator\AppData\Local\Temp\nshD689.exe
C:\Users\Administrator\AppData\Local\Temp\nshE055.exe
C:\Users\Administrator\AppData\Local\Temp\nsj440B.exe
C:\Users\Administrator\AppData\Local\Temp\nsj8B94.exe
C:\Users\Administrator\AppData\Local\Temp\nsk65BD.exe
C:\Users\Administrator\AppData\Local\Temp\nsm327A.exe
C:\Users\Administrator\AppData\Local\Temp\nso4265.exe
C:\Users\Administrator\AppData\Local\Temp\nso5026.exe
C:\Users\Administrator\AppData\Local\Temp\nsp43BB.exe
C:\Users\Administrator\AppData\Local\Temp\nsp8D3B.exe
C:\Users\Administrator\AppData\Local\Temp\nss8CAE.exe
C:\Users\Administrator\AppData\Local\Temp\nssD4F3.exe
C:\Users\Administrator\AppData\Local\Temp\nssFFD9.exe
C:\Users\Administrator\AppData\Local\Temp\nsuC2F4.exe
C:\Users\Administrator\AppData\Local\Temp\nsuD0AC.exe
C:\Users\Administrator\AppData\Local\Temp\nswCEB5.exe
C:\Users\Administrator\AppData\Local\Temp\nsx590A.exe
C:\Users\Administrator\AppData\Local\Temp\nsx6EAF.exe
C:\Users\Administrator\AppData\Local\Temp\nsy180.exe
C:\Users\Administrator\AppData\Local\Temp\nsy5053.exe
C:\Users\Administrator\AppData\Local\Temp\Shortcut_bundlesweetimsetup.exe
C:\Users\Administrator\AppData\Local\Temp\SpOrder.dll
C:\Users\Administrator\AppData\Local\Temp\SPStub.exe
C:\Users\Administrator\AppData\Local\Temp\SweetIMInstallValidator.exe
C:\Users\Administrator\AppData\Local\Temp\System.Data.SQLite.dll
C:\Users\Administrator\AppData\Local\Temp\tbKeyB.dll
C:\Users\Administrator\AppData\Local\Temp\tbMixi.dll
C:\Users\Administrator\AppData\Local\Temp\tbpreinst83E8.exe
C:\Users\Administrator\AppData\Local\Temp\tbPrin.dll
C:\Users\Administrator\AppData\Local\Temp\tbSwee.dll
C:\Users\Administrator\AppData\Local\Temp\tbVafm.dll
C:\Users\Administrator\AppData\Local\Temp\tbWhit.dll
C:\Users\Administrator\AppData\Local\Temp\uninst1.exe
C:\Users\Administrator\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Administrator\AppData\Local\Temp\wget.exe
C:\Users\Administrator\AppData\Local\Temp\WSSetup.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\225E.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\226E.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\87C5.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\A8FB.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\ApnStub.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\AskSLib.dll
C:\Users\Keiyanna Kong\AppData\Local\Temp\bing.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\dogpile_sub_installer.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\E79F.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\esnips-silent-us.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\FileBulldog.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\GLFA615.tmp.ConduitEngineSetup.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\not_bundled_icytower14_install.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\ooVooTBing.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\prxGLFA615.tmp.tbquix.dll
C:\Users\Keiyanna Kong\AppData\Local\Temp\PR_OoVoO.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\pstagesetup.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\smartinstallAllinOne.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\tbquix.dll
C:\Users\Keiyanna Kong\AppData\Local\Temp\uninst.exe
C:\Users\Keiyanna Kong\AppData\Local\Temp\wpsetup.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!
 
 
nointegritychecks: ==> Integrity Checks is disabled <===== ATTENTION!
 
 
LastRegBack: 2013-10-21 22:55
 
==================== End Of Log ============================


#10 FlaGal311

FlaGal311
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Female
  • Location:Central Florida

Posted 02 December 2013 - 08:50 PM

and here is the second log - copied and pasted rather than attached.

 

ADDITION

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 02-12-2013
Ran by Administrator at 2013-12-02 20:22:17
Running from C:\Users\Administrator\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
 
==================== Installed Programs ======================
 
Adobe AIR (Version: 3.7.0.1860)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.202)
Adobe Flash Player 11 Plugin (Version: 11.7.700.202)
Adobe Reader XI (11.0.05) (Version: 11.0.05)
Adobe Shockwave Player 12.0 (Version: 12.0.2.122)
Advanced Audio FX Engine
Advanced Video FX Engine
Apple Application Support (Version: 2.3.6)
Apple Mobile Device Support (Version: 7.0.0.117)
Apple Software Update (Version: 2.1.3.127)
BitComet 1.35 (Version: 1.35)
BitLord 2.3 (Version: 2.3.1-237)
BlackBerry Device Software Updater (Version: 6.0.1.37)
Bonjour (Version: 3.0.0.10)
Dell Webcam Center
Dell Webcam Manager
EPSON NX330 Series Printer Uninstall
Facebook Video Calling 1.2.0.287 (Version: 1.2.287)
Flash Player Pro V5.4
Google Chrome (Version: 27.0.1453.116)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4209.2358)
Google Update Helper (Version: 1.3.21.165)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.1930)
Intel® TV Wizard
iTunes (Version: 11.1.0.126)
Java™ 6 Update 31 (Version: 6.0.310)
Laptop Integrated Webcam Driver (1.04.01.1011)  
Level Quality Watcher (Version: 1.0.0.0) <==== ATTENTION
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office Basic Edition 2003 (Version: 11.0.8173.0)
Microsoft Security Client (Version: 4.4.0304.0)
Microsoft Security Essentials (Version: 4.4.304.0)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft VC9 runtime libraries (Version: 2.0.0)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mozilla Firefox 11.0 (x86 en-US) (Version: 11.0)
ooVoo (Version: 3.0.7023)
OpenOffice.org 3.4.1 (Version: 3.41.9593)
PasswordBox (Version: 1.4.2.415)
PDFCreator (Version: 1.2.0)
QuickTime (Version: 7.73.80.64)
ScorpionSaver (Version: 1.0.0.0) <==== ATTENTION
swMSM (Version: 12.0.0.1)
Torch (HKCU Version: 25.0.0.4626) <==== ATTENTION
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (Version: 3)
WinRAR 4.01
YTD Video Downloader 4.7.1 (Version: 4.7.1)
 
==================== Restore Points  =========================
 
04-11-2013 19:28:40 Windows Update
07-11-2013 22:46:07 Windows Update
11-11-2013 03:51:49 Windows Update
14-11-2013 12:17:35 Windows Modules Installer
15-11-2013 02:03:25 Windows Update
19-11-2013 04:12:42 Windows Update
22-11-2013 04:16:17 Uniblue SpeedUpMyPC installation
22-11-2013 14:30:09 Windows Update
26-11-2013 00:26:29 Windows Update
28-11-2013 17:46:07 Windows Update
01-12-2013 23:01:53 Windows Update
01-12-2013 23:09:07 Removed YTD Toolbar v8.3.
01-12-2013 23:10:20 Removed ScorpionSaver Services
 
==================== Hosts content: ==========================
 
2009-07-13 21:04 - 2011-02-01 22:10 - 00000864 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 validation.sls.microsoft.com
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {04927649-CFD9-4B4E-8B74-CA951131D065} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-01-23] (Google Inc.)
Task: {0AE89F0A-B903-4DDC-8752-E850B9446FC6} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask No Task File
Task: {20F4616C-2550-4779-AB88-3FD02BD1117F} - System32\Tasks\{0EF83C32-40AB-4AAA-AE03-984BB2EF1AAC} => C:\Program Files\Skype\\Phone\Skype.exe
Task: {4114F8FA-2C47-49F0-836D-5759CE79F5A1} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-01-23] (Google Inc.)
Task: {46014E31-D337-4385-B1DD-FD0012F1548A} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-1161120922-706058692-2495451801-1000Core => C:\Users\Keiyanna Kong\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-01-19] (Facebook Inc.)
Task: {471BD73D-AF84-494E-9330-FE6E9387120C} - System32\Tasks\0 => Iexplore.exe 
Task: {55B012B6-2D50-44D0-977D-BEFAF4FEDC6C} - System32\Tasks\4790 => C:\Users\ADMINI~1\AppData\Local\Temp\launchie.vbsC:\Users\ADMINI~1\AppData\Local\Temp\launchie.vbs //B
Task: {96EFAF77-BF56-49E3-AA6E-08FB3B80DD35} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-14] (Adobe Systems Incorporated)
Task: {9F49CA51-637A-4722-A7D6-D78A5F7B3E06} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {D87DABAD-D137-4879-99C5-758831A14DF9} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline No Task File
Task: {EA5B11B4-9348-4004-906E-861F6A9EE6CA} - System32\Tasks\DealPly => C:\Users\Administrator\AppData\Roaming\DealPly\UpdateProc\UpdateTask.exe [2013-03-19] () <==== ATTENTION
Task: {F50B94FA-802E-4E2C-86EA-69E2822D96D1} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-1161120922-706058692-2495451801-1000UA => C:\Users\Keiyanna Kong\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-01-19] (Facebook Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1161120922-706058692-2495451801-1000Core.job => C:\Users\Keiyanna Kong\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1161120922-706058692-2495451801-1000UA.job => C:\Users\Keiyanna Kong\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2013-06-19 12:36 - 2013-06-14 20:27 - 00599504 _____ () C:\Program Files\Google\Chrome\Application\27.0.1453.116\libglesv2.dll
2013-06-19 12:36 - 2013-06-14 20:27 - 00124368 _____ () C:\Program Files\Google\Chrome\Application\27.0.1453.116\libegl.dll
2013-06-19 12:36 - 2013-06-14 20:28 - 04051408 _____ () C:\Program Files\Google\Chrome\Application\27.0.1453.116\pdf.dll
2013-06-19 12:36 - 2013-06-14 20:28 - 00393168 _____ () C:\Program Files\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll
2013-06-19 12:36 - 2013-06-14 20:27 - 01597392 _____ () C:\Program Files\Google\Chrome\Application\27.0.1453.116\ffmpegsumo.dll
2013-06-19 12:36 - 2013-06-14 20:28 - 13140432 _____ () C:\Program Files\Google\Chrome\Application\27.0.1453.116\PepperFlash\pepflashplayer.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
AlternateDataStreams: C:\ProgramData\TEMP:2A8A3140
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
AlternateDataStreams: C:\ProgramData\TEMP:B623B5B8
AlternateDataStreams: C:\ProgramData\TEMP:D8A7F3FF
 
==================== Safe Mode (whitelisted) ===================
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\03637591.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\29526722.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\03637591.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\29526722.sys => ""="Driver"
 
==================== Faulty Device Manager Devices =============
 
Name: Base System Device
Description: Base System Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Base System Device
Description: Base System Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/01/2013 07:17:03 PM) (Source: Application Error) (User: )
Description: Faulting application name: MsiExec.exe, version: 5.0.7601.17514, time stamp: 0x4ce792c4
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea91c
Exception code: 0xc0000005
Fault offset: 0x00055f99
Faulting process id: 0x2d0
Faulting application start time: 0xMsiExec.exe0
Faulting application path: MsiExec.exe1
Faulting module path: MsiExec.exe2
Report Id: MsiExec.exe3
 
Error: (12/01/2013 06:11:08 PM) (Source: Microsoft-Windows-RestartManager) (User: Inspiron1525)
Description: Application or service 'AdpeakProxy' could not be restarted.
 
Error: (12/01/2013 06:11:08 PM) (Source: Microsoft-Windows-RestartManager) (User: Inspiron1525)
Description: Application or service 'AdpeakProxy' could not be restarted.
 
Error: (12/01/2013 06:10:55 PM) (Source: Microsoft-Windows-RestartManager) (User: Inspiron1525)
Description: Application or service 'AdpeakProxy' could not be shut down.
 
Error: (12/01/2013 06:10:55 PM) (Source: Microsoft-Windows-RestartManager) (User: Inspiron1525)
Description: Application or service 'AdpeakProxy' could not be shut down.
 
Error: (12/01/2013 05:42:51 PM) (Source: ESENT) (User: )
Description: taskhost (4660) WebCacheLocal: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Users\Keiyanna Kong\AppData\Local\Microsoft\Windows\WebCache\V01.log.
 
Error: (12/01/2013 05:42:51 PM) (Source: ESENT) (User: )
Description: taskhost (4660) WebCacheLocal: An attempt to open the file "C:\Users\Keiyanna Kong\AppData\Local\Microsoft\Windows\WebCache\V01.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).
 
Error: (11/28/2013 11:17:18 AM) (Source: ESENT) (User: )
Description: DllHost (7368) WebCacheLocal: An attempt to open the file "C:\Users\Keiyanna Kong\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).
 
Error: (11/28/2013 11:17:07 AM) (Source: ESENT) (User: )
Description: DllHost (7368) WebCacheLocal: An attempt to open the file "C:\Users\Keiyanna Kong\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).
 
Error: (11/28/2013 11:16:56 AM) (Source: ESENT) (User: )
Description: DllHost (7368) WebCacheLocal: An attempt to open the file "C:\Users\Keiyanna Kong\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).
 
 
System errors:
=============
Error: (12/02/2013 07:54:21 PM) (Source: Service Control Manager) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error: 
%%-2140993535
 
Error: (12/02/2013 07:54:21 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: 
%%-2140993535
 
Error: (12/02/2013 07:54:21 PM) (Source: PNRPSvc) (User: )
Description: 0x80630801
 
Error: (12/02/2013 07:54:19 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: 
%%-2140993535
 
Error: (12/02/2013 07:54:19 PM) (Source: Service Control Manager) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error: 
%%-2140993535
 
Error: (12/02/2013 07:54:19 PM) (Source: PNRPSvc) (User: )
Description: 0x80630801
 
Error: (12/02/2013 07:03:55 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: 
%%-2140993535
 
Error: (12/02/2013 07:03:55 PM) (Source: Service Control Manager) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error: 
%%-2140993535
 
Error: (12/02/2013 07:03:55 PM) (Source: PNRPSvc) (User: )
Description: 0x80630801
 
Error: (12/02/2013 05:25:27 PM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer TIGGA87-PC
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F41410C4-15E9-482B-B6E6-4499554.
The master browser is stopping or an election is being forced.
 
 
Microsoft Office Sessions:
=========================
Error: (12/01/2013 07:17:03 PM) (Source: Application Error)(User: )
Description: MsiExec.exe5.0.7601.175144ce792c4ntdll.dll6.1.7601.18247521ea91cc000000500055f992d001ceeef3d2a40677c:\Windows\system32\MsiExec.exeC:\Windows\SYSTEM32\ntdll.dll1126cd30-5ae7-11e3-a363-00219be8a623
 
Error: (12/01/2013 06:11:08 PM) (Source: Microsoft-Windows-RestartManager)(User: Inspiron1525)
Description: 1AdpeakProxy.exeAdpeakProxy03026217817480
 
Error: (12/01/2013 06:11:08 PM) (Source: Microsoft-Windows-RestartManager)(User: Inspiron1525)
Description: 0AdpeakProxy.exeAdpeakProxy03026217817480
 
Error: (12/01/2013 06:10:55 PM) (Source: Microsoft-Windows-RestartManager)(User: Inspiron1525)
Description: 1AdpeakProxy.exeAdpeakProxy03026216117480
 
Error: (12/01/2013 06:10:55 PM) (Source: Microsoft-Windows-RestartManager)(User: Inspiron1525)
Description: 0AdpeakProxy.exeAdpeakProxy0302621611748263003A005C00500072006F006700720061006D002000460069006C00650073005C00530063006F007200700069006F006E00530061007600650072002000530065007200760069006300650073005C00410064007000650061006B00500072006F00780079002E00650078006500000063003A005C00500072006F006700720061006D002000460069006C00650073005C00530063006F007200700069006F006E00530061007600650072002000530065007200760069006300650073005C0050004300500072006F007800790044004C004C002E0064006C006C000000
 
Error: (12/01/2013 05:42:51 PM) (Source: ESENT)(User: )
Description: taskhost4660WebCacheLocal: C:\Users\Keiyanna Kong\AppData\Local\Microsoft\Windows\WebCache\V01.log-1032 (0xfffffbf8)
 
Error: (12/01/2013 05:42:51 PM) (Source: ESENT)(User: )
Description: taskhost4660WebCacheLocal: C:\Users\Keiyanna Kong\AppData\Local\Microsoft\Windows\WebCache\V01.log-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.
 
Error: (11/28/2013 11:17:18 AM) (Source: ESENT)(User: )
Description: DllHost7368WebCacheLocal: C:\Users\Keiyanna Kong\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.
 
Error: (11/28/2013 11:17:07 AM) (Source: ESENT)(User: )
Description: DllHost7368WebCacheLocal: C:\Users\Keiyanna Kong\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.
 
Error: (11/28/2013 11:16:56 AM) (Source: ESENT)(User: )
Description: DllHost7368WebCacheLocal: C:\Users\Keiyanna Kong\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.
 
 
CodeIntegrity Errors:
===================================
  Date: 2013-06-16 01:49:18.058
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-06-16 00:44:26.366
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-06-16 00:13:36.952
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-06-15 23:28:22.635
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-06-15 23:19:12.183
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-06-15 04:15:21.725
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-06-15 04:07:00.179
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-06-15 03:57:24.046
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-06-15 03:54:11.128
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2013-06-14 23:42:37.725
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 39%
Total physical RAM: 3062.04 MB
Available physical RAM: 1849.32 MB
Total Pagefile: 6122.38 MB
Available Pagefile: 4700.31 MB
Total Virtual: 2047.88 MB
Available Virtual: 1909.76 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:298.09 GB) (Free:191.27 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: E2DEB882)
Partition 1: (Active) - (Size=298 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================


#11 FlaGal311

FlaGal311
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Female
  • Location:Central Florida

Posted 02 December 2013 - 09:16 PM

Ok - I have run the downloaded FRST and sent the logs. I probably should have told you that I tried to delete unwanted software yesterday. I only did that because I started having random ads speaking and singing without prompting them. The programs I deleted were: Slick Savings, Great Arcade Hits, Scorpionsaver, Driver Pro V.3., Vafmusic 8 toolbar for IE, Search Protect, Scorpionsaver Services, Ot Shot, Hosts, SpeedUpMyPc, Registry Booster, and Uniblue. Just because I deleted them, I know that doesn't mean they're gone. All of these are new since my first post except Ot Shot and Hosts. The random audio ads did stop. Not sure I emptied the recycle bin though. Have to check that. Thanks for all you're doing. I will not do anything more until I hear back from you.



#12 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 03 December 2013 - 01:37 AM

Hello alice,

 

It's late here, so I'll have the next set of instructions for you tomorrow (Tuesday). Please try not to use the machine until you hear back from me with the removal instructions. The system is infected with a rootkit.

 

Look for my post tomorrow, and thanks for your patience!

 

bloopie



#13 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 03 December 2013 - 06:54 PM

Hello again Alice,

Firstly, I must warn you...your system has indications of a rootkit...

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Should you decide to go ahead with the cleaning process, then continue reading with the machine connected to the internet....
 
==========

Going over your logs I noticed that you have BitComet installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitComet, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Computer > Programs and Features.
If you wish to keep it, please do not use it until your computer is cleaned.

==========
Step 1

We do have some work to do...

I know you have removed some programs already, but we need to remove some more! Please uninstall the following programs as well:

  • BitLord
  • Level Quality Watcher
  • ScorpionSaver
  • Torch

Once those are uninstalled (rebooting as necessary), then continue with the next steps!

==========

Step 2

We need to run a fix with FRST:

  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    Attached File: fixlist.txt (2.46KB)
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply

==========

Step 3

Once all of the above has been completed, then please delete (via the right-click) the current version of FRST from your desktop, and download an updated version from here.

Then run a fresh scan with FRST and post me the new log!

==========

In your next reply, please include the following:

  • Were you able to uninstall all programs mentioned?
  • The Fixlog.txt
  • The fresh FRST log
  • How is the computer running now?
  • Let me know if you had any problems with the above!

bloopie
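A defender-side check that goes with Step 1 and Step 3 above, added here as an example and not part of bloopie's instructions, the FRST tool, or the attached fixlist: before posting the fresh FRST log, confirm that the programs named in this post (BitLord, Level Quality Watcher, ScorpionSaver, Torch, plus the BitComet mentioned earlier) no longer appear in the Windows uninstall registry keys, and list any leftover folders under the usual install roots. The program names come from the post; the registry paths are the standard Windows uninstall keys; the folder roots are an assumption about where such programs usually leave remnants. The script only reads; it removes nothing.

```powershell
# Added example, not from the thread: verify that the programs bloopie asked to be
# uninstalled are really gone from the uninstall registry keys, and report folders
# that survived the uninstall (the "Level Quality Watcher" situation in the thread,
# where Programs and Features no longer lists it but files remain on C:).
$targets = @('BitLord', 'Level Quality Watcher', 'ScorpionSaver', 'Torch', 'BitComet')

# Standard Windows uninstall keys (64-bit, 32-bit-on-64-bit, and per-user installs).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Read-only query: every uninstall entry that carries a DisplayName.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallLocation, UninstallString, PSPath

# Assumed roots where leftover program folders are commonly found.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData) |
    Where-Object { $_ }

foreach ($name in $targets) {
    # Substring match: review each hit by hand before acting on it.
    $hits = $installed | Where-Object { $_.DisplayName -like "*$name*" }
    if ($hits) {
        foreach ($h in $hits) {
            Write-Output ("STILL REGISTERED: {0} (publisher: {1})" -f $h.DisplayName, $h.Publisher)
            Write-Output ("    key: {0}" -f $h.PSPath)
            Write-Output ("    uninstall string: {0}" -f $h.UninstallString)
            if ($h.InstallLocation) {
                Write-Output ("    install location: {0}" -f $h.InstallLocation)
            }
        }
    } else {
        Write-Output ("not in uninstall keys: {0}" -f $name)
    }

    # Leftover folders: present on disk even though the uninstall entry is gone.
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*$name*" } |
            ForEach-Object { Write-Output ("    leftover folder: {0}" -f $_.FullName) }
    }
}
```

Run it from a normal PowerShell prompt; reading these keys needs no elevation. Because the match is a substring match, a short name such as "Torch" can pick up unrelated entries, so treat each "STILL REGISTERED" or "leftover folder" line as something to look at, not something to delete automatically; leftovers are exactly what the FRST fix in Step 2 is meant to handle.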



#14 FlaGal311

FlaGal311
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Female
  • Location:Central Florida

Posted 04 December 2013 - 01:58 PM

Hi Bloopie

Thanks - I went into the laptop and removed Bitcomet (also removed BitLord2.3 first - by mistake, but I don't know what it was or ever used it), removed Scorpion Saver (again) and Torch. Could not find Level Quality Watcher in Programs and Features but did under the "C:" drive. Wouldn't let me touch it so it is still somewhere on the laptop.

As for financials etc, we usually don't use the laptop for such but rather our smartphones. And if I did, there would only be one transaction once a month (if then) via a pretty secure banking site. I don't ever respond to any type of emails or posts that ask me to update, change or do anything I did not initiate. In the long run, if I need to reinstall the OS I could do that (need to save a few things first and will try to do that later).

I have downloaded the file you sent and will have to work on that later. Time is up for now as I have to go pick up kids from school. Get back to you soon. Alice



#15 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 04 December 2013 - 03:50 PM

Hello Alice,

Could not find Level Quality Watcher in Programs and Features but did under the "C:" drive. Wouldn't let me touch it so it is still somewhere on the laptop.

This is not a problem as we'll remove any folders and components that are left.

Run the script I gave you (it won't take long at all), and then we'll see what's left.

bloopie





