Viruses removed and now, no boot.


  • This topic is locked
41 replies to this topic

#1 ctol

  • Members
  • 26 posts
  • Gender:Female

Posted 29 October 2013 - 07:54 PM

Using TDSSKiller, Alureon.gen!A and boot.pihar.b were removed. Now the computer won't boot, not even in safe mode. I downloaded frst64 onto my thumb drive and ran it from the command prompt after trying to boot from disk. What can I do now?




#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 29 October 2013 - 08:27 PM


Hello ctol

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe or e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First Press the Scan button.
  • It will make a log (FRST.txt)
I want you to post the FRST.txt report into your reply to me

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
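The instructions above produce an FRST.txt from the Recovery Environment, and the analyst then reads it by hand. The script below is an added example written for this thread (it is not part of FRST, and not the Malware Response Team's procedure) showing the first-pass checks a reader applies to such a log: autostart, service or driver entries whose file is missing (FRST marks these [x] or [X]), any AppInit_DLLs value, a BootExecute value that differs from the Windows default "autocheck autochk *", and driver files whose MD5 FRST did not recognise and so prints as a bare hash. The sample log embedded in it is constructed in FRST's layout; the names in it (VendorTray, GhostSvc, vendorflt.sys and so on) are made up for the example and are not taken from the log posted in this thread. A bare hash or an unusual BootExecute is a prompt for a manual look-up, not a verdict.

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST.txt) log.

Hypothetical helper written for this thread, not part of FRST or of the
Malware Response Team's procedure. It pulls out the entries an analyst
usually checks first in a log taken from the Recovery Environment.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
MISSING_RE = re.compile(r"\[[xX]\]$")          # FRST: referenced file not found
# "<path>.sys <32 hex digits>" is how FRST prints a driver whose hash it does not know.
MD5_RE = re.compile(r"^(?P<path>.+?\.sys) (?P<md5>[0-9A-Fa-f]{32})$")
# Trailing FRST annotation such as "[487424 2010-06-18] (Vendor Inc.)" or "[ ] ()".
ANNOTATION_RE = re.compile(r"\s*\[.*?\]\s*\(.*?\)\s*$")
DEFAULT_BOOTEXECUTE = "autocheck autochk *"    # Windows default value


@dataclass
class Findings:
    missing_files: List[str] = field(default_factory=list)
    appinit_dlls: List[str] = field(default_factory=list)
    bootexecute: Optional[str] = None          # set only when it differs from the default
    unknown_drivers: Dict[str, str] = field(default_factory=dict)  # path -> MD5


def triage(log_text: str) -> Findings:
    """Walk the log once, tracking which ==== section ==== we are in."""
    found = Findings()
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if MISSING_RE.search(line):
            found.missing_files.append(line)
        if line.startswith("AppInit_DLLs"):
            value = ANNOTATION_RE.sub("", line.partition(":")[2]).strip()
            # Windows stores AppInit_DLLs as a space- or comma-separated list.
            found.appinit_dlls.extend(p for p in re.split(r"[ ,]+", value) if p)
        elif line.startswith("BootExecute:"):
            value = line.partition(":")[2].strip()
            if value != DEFAULT_BOOTEXECUTE:
                found.bootexecute = value
        elif section.startswith("Drivers MD5"):
            m = MD5_RE.match(line)
            if m:
                found.unknown_drivers[m.group("path")] = m.group("md5").upper()
    return found


def summarize(found: Findings) -> List[str]:
    """Human-readable triage lines, most urgent first."""
    out = []
    if found.bootexecute is not None:
        out.append(f"BootExecute differs from default '{DEFAULT_BOOTEXECUTE}': {found.bootexecute}")
    for dll in found.appinit_dlls:
        out.append(f"AppInit_DLLs entry (loaded into every process that loads user32.dll): {dll}")
    for line in found.missing_files:
        out.append(f"Autostart/service/driver points at a missing file: {line}")
    for path, md5 in found.unknown_drivers.items():
        out.append(f"Driver hash not recognised by FRST, look it up manually: {path} {md5}")
    return out


# Constructed sample in FRST's layout; names are invented for this example.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64)
Boot Mode: Recovery

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [VendorTray] - C:\Program Files\Vendor\tray.exe [487424 2010-06-18] (Vendor Inc.)
HKLM-x32\...\Run: [] - [x]
Winlogon\Notify\RemoteHelper: C:\Program Files (x86)\Remote\helper_x64.dll [X]
AppInit_DLLs-x32: c:\progra~2\example\inject~1.dll c:\progra~2\other\hook.dll [ ] ()
BootExecute: autocheck autochk *  /sync /restart

==================== Services (Whitelisted) =================

S3 GhostSvc; \??\C:\Windows\system32\Drivers\GHOSTSVC.SYS [x]

========================== Drivers MD5 =======================

C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vendorflt.sys 0123456789ABCDEF0123456789ABCDEF
C:\Windows\system32\drivers\afd.sys ==> MD5 is legit
"""

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

Run it against a real FRST.txt with `triage(open("FRST.txt", encoding="utf-8", errors="replace").read())`. Because the log was made from the Recovery Environment, FRST itself warns that the whitelisting is incomplete, so expect more unknown driver hashes than a normal-mode scan would show; the list is a work queue, not a detection.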

#3 ctol
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female

Posted 29 October 2013 - 08:47 PM

Thanks for your help!

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-10-2013
Ran by SYSTEM on MININT-SRN7AL6 on 29-10-2013 20:42:38
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-06-18] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1890088 2010-03-17] (Synaptics Incorporated)
HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\quickset.exe [3179288 2010-01-06] (Dell Inc.)
HKLM\...\Run: [IntelWireless] - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [DellStage] - C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj [483424 2012-02-01] ()
HKLM-x32\...\RunOnce: [Launcher] - C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [165184 2011-01-13] (Softthinks)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-06-08] (Intel Corporation)
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe [498160 2009-10-15] ()
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [ApnUpdater] - "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [AccuWeatherWidget] - C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj [2835443 2012-02-01] ()
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [WRSVC] - C:\Program Files\Webroot\WRSA.exe [751664 2013-10-12] (Webroot)
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2404376 2013-10-11] ()
HKU\Ciara Jay\...\Run: [Google Update] - C:\Users\Ciara Jay\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-09-02] (Google Inc.)
HKU\Ciara Jay\...\Run: [MobileDocuments] - C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Ciara Jay\...\Run: [RESTART_STICKY_NOTES] - C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
AppInit_DLLs-x32: c:\progra~2\browse~1\sprote~1.dll c:\progra~2\easylife\sprote~1.dll [ ] ()
BootExecute: autocheck autochk *  /sync /restart /sync /restart /sync /restart /sync /restart /sync /restart

==================== Services (Whitelisted) =================

S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
S2 vToolbarUpdater17.0.12; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe [1734680 2013-10-11] (AVG Secure Search)
S2 WRSVC; C:\Program Files\Webroot\WRSA.exe [751664 2013-10-12] (Webroot)

==================== Drivers (Whitelisted) ====================

S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [46368 2013-10-11] (AVG Technologies)
S3 ssmirrdr; C:\Windows\System32\DRIVERS\ssmirrdr.sys [10112 2011-03-15] (support.com, Inc)
S0 WRkrn; C:\Windows\System32\drivers\WRkrn.sys [113152 2013-10-12] (Webroot)
S3 PROCEXP151; \??\C:\Windows\system32\Drivers\PROCEXP151.SYS [x]

========================== Drivers MD5 =======================

C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpahci.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys 1C7857B62DE5994A75B054A9FD4C3825
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdk8.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys D4121AE6D0C0E7E13AA221AA57EF2D49
C:\Windows\system32\DRIVERS\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys 540DAF1CEA6094886D72126FD7C33048
C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\system32\drivers\avgtpx64.sys A1F53D2A00E64679A1D81B61D2333D06
C:\Windows\system32\DRIVERS\bxvbda.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60a.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\system32\drivers\BthEnum.sys CF98190A94F62E405C8CB255018B2315
C:\Windows\system32\DRIVERS\bthmodem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bthpan.sys 02DD601B708DD0667E1331FA8518E9FF
C:\Windows\System32\Drivers\BTHport.sys 738D0E9272F59EB7A1449C3EC118E6C4
C:\Windows\System32\Drivers\BTHUSB.sys F188B7394D81010767B6DF3178519A37
C:\Windows\System32\drivers\btusbflt.sys D3466F77C2C49C6E393BA5FBA963A33E
C:\Windows\System32\drivers\btwaudio.sys AF838D8029AE7C27470862D63FA54D24
C:\Windows\System32\DRIVERS\btwavdt.sys 5C849BD7C78791C5CEE9F4651D7FE38D
C:\Windows\System32\DRIVERS\btwl2cap.sys 6149301DC3F81D6F9667A3FBAC410975
C:\Windows\System32\DRIVERS\btwrchid.sys 3E1991AFA851A36DC978B0A1B0535C8B
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\cdrom.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\circlass.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys 9AC4F97C2D3E93367E2148EA940CD2CD
C:\Windows\System32\DRIVERS\compbatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\CompositeBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CtClsFlt.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\disk.sys ==> MD5 is legit
C:\Windows\System32\drivers\drmkaud.sys ==> MD5 is legit
C:\Windows\System32\drivers\dxgkrnl.sys AF2E16242AA723F68F461B6EAE2EAD3D
C:\Windows\system32\DRIVERS\evbda.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\elxstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Fs_Rec.sys 6BD9295CC032DD3077C671FCCF579A7B
C:\Windows\System32\DRIVERS\fvevol.sys 8F6322049018354F45F05A2FD2D4E5E0
C:\Windows\system32\DRIVERS\gagp30kx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\GEARAspiWDM.sys 8E98D21EE06192492A5671A6144D092F
C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
C:\Windows\system32\drivers\HdAudio.sys 975761C778E33CD22498059B91E7373A
C:\Windows\system32\drivers\HDAudBus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\HECIx64.sys B6AC71AAA2B10848F57FC49D55A651AF
C:\Windows\system32\DRIVERS\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidbth.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidir.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidusb.sys ==> MD5 is legit
C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\system32\drivers\i8042prt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\iaStor.sys 2064090C9FAAD92C090D77E50E735B2E
C:\Windows\system32\drivers\iaStorV.sys AAAF44DB3BD0B9D1FB6969B23ECC8366
C:\Windows\System32\DRIVERS\igdkmd64.sys 677AA5991026A65ADA128C4B59CF2BAD
C:\Windows\system32\DRIVERS\iirsp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\Impcd.sys DD587A55390ED2295BCE6D36AD567DA9
C:\Windows\System32\DRIVERS\IntcDAud.sys C6C1F19205DA83C801BE7C25F4E2EE07
C:\Windows\system32\drivers\intelide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\intelppm.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\System32\drivers\irenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
C:\Windows\system32\drivers\msiscsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\kbdclass.sys ==> MD5 is legit
C:\Windows\system32\drivers\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecdd.sys 97A7070AEA4C058B6418519E869A63B4
C:\Windows\System32\Drivers\ksecpkg.sys 26C43A7C2862447EC59DEDA188D1DA07
C:\Windows\system32\drivers\ksthunk.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\megasas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\system32\drivers\mouclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys ==> MD5 is legit
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mrxsmb.sys A5D9106A73DC88564C825D317CAC68AC
C:\Windows\System32\DRIVERS\mrxsmb10.sys D711B3C1D5F42C0C2415687BE09FC163
C:\Windows\System32\DRIVERS\mrxsmb20.sys 9423E9D355C8D303E76B8CFBD8A5C30C
C:\Windows\System32\drivers\msahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSKSSRV.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPCLOCK.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPQM.sys ==> MD5 is legit
C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\system32\drivers\mssmbios.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSTEE.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nwifi.sys ==> MD5 is legit
C:\Windows\System32\drivers\ndis.sys 760E38053BF56E501D562B70AD796B88
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\NETw5s64.sys 24F64343F14A119308456E1CA7507B26
C:\Windows\system32\DRIVERS\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys B98F8C6E31CD07B2E6F71F7F648E38C0
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvraid.sys 0A92CB65770442ED0DC44834632F66AD
C:\Windows\system32\drivers\nvstor.sys DAB0E87525C10052BF65F06152F37E4A
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\system32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\System32\Drivers\PxHlpa64.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql2300.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RDPWD.sys E61608AA35E98999AF9AAEEEA6114B0A
C:\Windows\System32\drivers\rdyboost.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rfcomm.sys 3DD798846E2C28102B922C56E71B7932
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RtsUStor.sys 135A64530D7699AD48F29D73A658DD11
C:\Windows\System32\DRIVERS\Rt64win7.sys FD978B2BF8A9B2390DCBEF435E9C1F9F
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sfloppy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\Sftfslh.sys 2046AA7491DE7EFA4D70E615D9BC9D09
C:\Windows\System32\DRIVERS\Sftplaylh.sys 0E0446BC4D51BE4263ACB7E33491191C
C:\Windows\System32\DRIVERS\Sftredirlh.sys C5FB982CD266E604ED3142102C26D62C
C:\Windows\System32\DRIVERS\Sftvollh.sys 2575511AF67AA1FA068CCC4918E2C2A3
C:\Windows\system32\DRIVERS\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys 441FBA48BFF01FDB9D5969EBC1838F0B
C:\Windows\System32\DRIVERS\srv2.sys B4ADEBBF5E3677CCE9651E0F01F7CC28
C:\Windows\System32\DRIVERS\srvnet.sys 27E461F0BE5BFF5FC737328F749538C3
C:\Windows\System32\DRIVERS\ssmirrdr.sys 1100066057FBF612B573EFD3B21383F1
C:\Windows\system32\DRIVERS\stexstor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\stwrt64.sys 4304B75094E106FB5423A290C95841E5
C:\Windows\system32\drivers\swenum.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\SynTP.sys 8A3FBCB3D6D4710730D27DA4392A4863
C:\Windows\System32\drivers\tcpip.sys DB74544B75566C974815E79A62433F29
C:\Windows\System32\DRIVERS\tcpip.sys DB74544B75566C974815E79A62433F29
C:\Windows\System32\drivers\tcpipreg.sys 1B16D0BD9841794A6E0CDE0CEF744ABC
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdtcp.sys 51C5ECEB1CDEE2468A1748BE550CFBC8
C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
C:\Windows\system32\drivers\termdd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tssecsrv.sys 4CE278FC9671BA81A138D70823FCAA09
C:\Windows\System32\drivers\tsusbflt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\system32\drivers\umbus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\umpass.sys ==> MD5 is legit
C:\Windows\System32\Drivers\usbaapl64.sys AF1B9474D67897D0C2CFF58E0ACEACCC
C:\Windows\System32\DRIVERS\usbccgp.sys 6F1A3157A1C89435352CEB543CDB359C
C:\Windows\system32\drivers\usbcir.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbehci.sys C025055FE7B87701EB042095DF1A2D7B
C:\Windows\System32\DRIVERS\usbhub.sys 287C6C9410B111B68B52CA298F7B8C24
C:\Windows\system32\drivers\usbohci.sys 9840FC418B4CBD632D3D0A667A725C31
C:\Windows\System32\DRIVERS\usbprint.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbscan.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\USBSTOR.SYS FED648B01349A3C8395A5169DB5FB7D6
C:\Windows\system32\drivers\usbuhci.sys 62069A34518BCF9C1FD9E74B3F6DB7CD
C:\Windows\System32\Drivers\usbvideo.sys 454800C2BC7F3927CE030141EE4F4C50
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwifibus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwififlt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwifimp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys 442783E2CB0DA19873B7A63833FF4CB4
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wimfltr.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\SysWow64\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WinUsb.sys FE88B288356E7B47B74B13372ADD906D
C:\Windows\system32\drivers\wmiacpi.sys ==> MD5 is legit
C:\Windows\System32\drivers\WRkrn.sys 4921C70FE2EDD6190F7509BEC90E1352
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\drivers\WudfPf.sys AB886378EEB55C6C75B4F2D14B6C869F
C:\Windows\System32\DRIVERS\WUDFRd.sys DDA4CAF29D8C0A297F886BFE561E6659
C:\Windows\System32\DRIVERS\yk62x64.sys B3EEACF62445E24FBB2CD4B0FB4DB026

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-10-14 20:58 - 2013-10-14 20:58 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-10-14 20:54 - 2013-10-14 20:54 - 04101172 _____ C:\Users\Ciara Jay\Downloads\tdsskiller.zip
2013-10-14 20:43 - 2013-10-14 20:44 - 00029285 _____ C:\Users\Ciara Jay\Downloads\Addition.txt
2013-10-14 20:42 - 2013-10-14 20:42 - 00000000 ____D C:\FRST
2013-10-14 03:08 - 2013-10-21 17:27 - 00000000 ____D C:\a2ec109d048729d62ff604
2013-10-12 09:14 - 2013-10-12 09:14 - 00003440 _____ C:\Windows\System32\Tasks\PCDEventLauncherTask
2013-10-12 09:13 - 2013-10-12 09:14 - 00000000 ____D C:\Program Files\My Dell
2013-10-12 04:14 - 2013-10-12 04:17 - 20402176 _____ C:\Users\Ciara Jay\Downloads\LogMeIn(2).msi
2013-10-12 03:34 - 2013-08-27 20:12 - 00461312 _____ (Microsoft Corporation) C:\Windows\System32\scavengeui.dll
2013-10-12 03:32 - 2013-10-25 15:47 - 00000000 ____D C:\Windows\System32\MpEngineStore
2013-10-12 03:12 - 2013-10-12 03:12 - 00000000 ____D C:\Program Files (x86)\DLLSuite
2013-10-12 03:07 - 2013-10-12 03:10 - 16214030 _____ (                                                            ) C:\Users\Ciara Jay\Downloads\DLLSuite_Setup.exe
2013-10-12 02:02 - 2013-10-12 02:02 - 00000000 ____D C:\Users\Ciara Jay\AppData\Local\{0B157234-6F6D-47C3-9422-0D20C8A1C38A}
2013-10-12 02:01 - 2013-10-12 02:02 - 00000000 ____D C:\Users\Ciara Jay\AppData\Local\Windows Live Writer
2013-10-12 02:01 - 2013-10-12 02:01 - 00000000 ____D C:\Users\Ciara Jay\Documents\My Weblog Posts
2013-10-12 02:01 - 2013-10-12 02:01 - 00000000 ____D C:\Users\Ciara Jay\AppData\Roaming\Windows Live Writer
2013-10-12 01:53 - 2013-10-12 01:53 - 00281640 _____ (Mozilla) C:\Users\Ciara Jay\Downloads\Firefox Setup Stub 24.0.exe
2013-10-12 01:53 - 2013-10-12 01:53 - 00281640 _____ (Mozilla) C:\Users\Ciara Jay\Downloads\Firefox Setup Stub 24.0(1).exe
2013-10-11 22:54 - 2013-10-11 22:54 - 00279712 _____ C:\Windows\Minidump\101113-22058-01.dmp
2013-09-30 17:28 - 2013-09-30 17:28 - 00000000 ____D C:\Users\Ciara Jay\AppData\Local\AVG SafeGuard toolbar
2013-09-30 17:24 - 2013-10-11 22:39 - 00000000 ____D C:\Program Files (x86)\AVG SafeGuard toolbar
2013-09-30 17:24 - 2013-10-11 22:38 - 00046368 _____ (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-09-30 17:24 - 2013-09-30 17:24 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
2013-09-30 17:23 - 2013-09-30 19:03 - 00000000 ____D C:\Program Files (x86)\MyPC Backup
2013-09-30 17:22 - 2013-09-30 19:02 - 00000000 ____D C:\ProgramData\SecTaskMan
2013-09-30 17:22 - 2013-09-30 19:02 - 00000000 ____D C:\Program Files (x86)\Security Task Manager
2013-09-30 17:20 - 2013-09-30 17:20 - 00894600 _____ (CNET Download.com) C:\Users\Ciara Jay\Downloads\cbsidlm-cbsi134-Security_Task_Manager-SEO-10246545(1).exe
2013-09-30 17:18 - 2013-09-30 17:18 - 00016990 _____ C:\Users\Ciara Jay\Downloads\SecurityTaskManager_Setup.exe
2013-09-30 17:17 - 2013-09-30 17:17 - 00894600 _____ (CNET Download.com) C:\Users\Ciara Jay\Downloads\cbsidlm-cbsi134-Security_Task_Manager-SEO-10246545.exe
2013-09-30 15:44 - 2013-09-30 15:58 - 92852496 _____ (Microsoft Corporation) C:\Users\Ciara Jay\Downloads\msert.exe
2013-09-30 15:01 - 2013-09-30 15:01 - 00347424 _____ (Microsoft Corporation) C:\Users\Ciara Jay\Downloads\MicrosoftFixit.WindowsFirewall.RNP.147304002055268658.1.1.Run.exe
2013-09-30 13:05 - 2013-09-30 13:05 - 00001107 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-30 13:05 - 2013-09-30 13:05 - 00001107 _____ C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-30 13:05 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-09-30 13:02 - 2013-09-30 13:04 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Ciara Jay\Downloads\mbam-setup-1.75.0.1300(1).exe

==================== One Month Modified Files and Folders =======

2013-10-25 15:47 - 2013-10-12 03:32 - 00000000 ____D C:\Windows\System32\MpEngineStore
2013-10-21 17:28 - 2011-08-12 21:19 - 00000000 ____D C:\users\Ciara Jay
2013-10-21 17:28 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-10-21 17:27 - 2013-10-14 03:08 - 00000000 ____D C:\a2ec109d048729d62ff604
2013-10-21 17:27 - 2013-09-23 10:42 - 00000000 ____D C:\Users\Ciara Jay\AppData\Local\lptmp1028017875
2013-10-21 17:27 - 2013-09-23 10:42 - 00000000 ____D C:\Program Files\Webroot
2013-10-21 17:27 - 2013-03-21 21:45 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-21 17:27 - 2013-03-21 21:45 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-10-21 17:27 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-10-21 17:26 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration
2013-10-21 17:24 - 2011-05-21 03:58 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-10-21 14:04 - 2011-08-12 21:19 - 00000000 ____D C:\Users\Ciara Jay\AppData\Local\SoftThinks
2013-10-14 20:58 - 2013-10-14 20:58 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-10-14 20:54 - 2013-10-14 20:54 - 04101172 _____ C:\Users\Ciara Jay\Downloads\tdsskiller.zip
2013-10-14 20:44 - 2013-10-14 20:43 - 00029285 _____ C:\Users\Ciara Jay\Downloads\Addition.txt
2013-10-14 20:42 - 2013-10-14 20:42 - 00000000 ____D C:\FRST
2013-10-14 03:10 - 2009-07-14 00:13 - 00741768 _____ C:\Windows\System32\PerfStringBackup.INI
2013-10-14 03:08 - 2011-05-21 03:34 - 01492368 _____ C:\Windows\WindowsUpdate.log
2013-10-14 03:08 - 2009-07-13 23:45 - 00013872 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-14 03:08 - 2009-07-13 23:45 - 00013872 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-14 03:00 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-14 03:00 - 2009-07-13 23:51 - 00083087 _____ C:\Windows\setupact.log
2013-10-13 14:31 - 2013-09-23 10:42 - 00000000 ____D C:\ProgramData\WRData
2013-10-13 05:55 - 2012-04-15 01:45 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-13 05:36 - 2011-09-02 19:01 - 00000924 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-20260535-1705568330-720531319-1001UA.job
2013-10-12 11:36 - 2011-09-02 19:00 - 00000872 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-20260535-1705568330-720531319-1001Core.job
2013-10-12 09:14 - 2013-10-12 09:14 - 00003440 _____ C:\Windows\System32\Tasks\PCDEventLauncherTask
2013-10-12 09:14 - 2013-10-12 09:13 - 00000000 ____D C:\Program Files\My Dell
2013-10-12 09:14 - 2012-08-26 17:29 - 00004000 _____ C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask
2013-10-12 09:14 - 2012-08-26 17:29 - 00003210 _____ C:\Windows\System32\Tasks\SystemToolsDailyTest
2013-10-12 09:13 - 2011-08-13 20:34 - 00000000 ____D C:\ProgramData\PCDr
2013-10-12 09:13 - 2011-05-21 03:53 - 00000000 ____D C:\Program Files\Dell Support Center
2013-10-12 09:01 - 2012-08-26 17:29 - 00003488 _____ C:\Windows\System32\Tasks\PCDEventLauncher
2013-10-12 04:27 - 2011-09-24 00:53 - 00000453 ____H C:\Users\Ciara Jay\Desktop\Twitter.website
2013-10-12 04:17 - 2013-10-12 04:14 - 20402176 _____ C:\Users\Ciara Jay\Downloads\LogMeIn(2).msi
2013-10-12 04:04 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\NDF
2013-10-12 04:01 - 2012-04-15 01:45 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-10-12 04:01 - 2012-04-15 01:45 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-10-12 04:01 - 2011-09-04 13:22 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-10-12 03:12 - 2013-10-12 03:12 - 00000000 ____D C:\Program Files (x86)\DLLSuite
2013-10-12 03:10 - 2013-10-12 03:07 - 16214030 _____ (                                                            ) C:\Users\Ciara Jay\Downloads\DLLSuite_Setup.exe
2013-10-12 03:01 - 2013-09-09 03:39 - 00000000 ____D C:\Windows\System32\MRT
2013-10-12 03:01 - 2011-10-04 21:07 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-10-12 03:01 - 2011-08-23 20:53 - 80541720 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-10-12 02:31 - 2013-01-28 18:07 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-10-12 02:29 - 2011-09-02 19:01 - 00002344 _____ C:\Users\Ciara Jay\Desktop\Google Chrome.lnk
2013-10-12 02:02 - 2013-10-12 02:02 - 00000000 ____D C:\Users\Ciara Jay\AppData\Local\{0B157234-6F6D-47C3-9422-0D20C8A1C38A}
2013-10-12 02:02 - 2013-10-12 02:01 - 00000000 ____D C:\Users\Ciara Jay\AppData\Local\Windows Live Writer
2013-10-12 02:01 - 2013-10-12 02:01 - 00000000 ____D C:\Users\Ciara Jay\Documents\My Weblog Posts
2013-10-12 02:01 - 2013-10-12 02:01 - 00000000 ____D C:\Users\Ciara Jay\AppData\Roaming\Windows Live Writer
2013-10-12 01:59 - 2013-03-08 23:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-10-12 01:59 - 2013-01-28 18:07 - 00001145 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-10-12 01:59 - 2013-01-28 18:07 - 00001145 _____ C:\ProgramData\Desktop\Mozilla Firefox.lnk
2013-10-12 01:53 - 2013-10-12 01:53 - 00281640 _____ (Mozilla) C:\Users\Ciara Jay\Downloads\Firefox Setup Stub 24.0.exe
2013-10-12 01:53 - 2013-10-12 01:53 - 00281640 _____ (Mozilla) C:\Users\Ciara Jay\Downloads\Firefox Setup Stub 24.0(1).exe
2013-10-12 00:58 - 2013-09-23 10:42 - 00152744 _____ (Webroot) C:\Windows\SysWOW64\WRusr.dll
2013-10-12 00:58 - 2013-09-23 10:42 - 00113152 _____ (Webroot) C:\Windows\System32\Drivers\WRkrn.sys
2013-10-12 00:58 - 2013-09-23 10:42 - 00103304 _____ (Webroot) C:\Windows\System32\WRusr.dll
2013-10-11 22:54 - 2013-10-11 22:54 - 00279712 _____ C:\Windows\Minidump\101113-22058-01.dmp
2013-10-11 22:54 - 2012-05-14 14:36 - 505876994 _____ C:\Windows\MEMORY.DMP
2013-10-11 22:54 - 2012-05-14 14:36 - 00000000 ____D C:\Windows\Minidump
2013-10-11 22:39 - 2013-09-30 17:24 - 00000000 ____D C:\Program Files (x86)\AVG SafeGuard toolbar
2013-10-11 22:38 - 2013-09-30 17:24 - 00046368 _____ (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-10-11 22:36 - 2011-05-21 03:44 - 00075816 _____ C:\Windows\PFRO.log
2013-09-30 19:03 - 2013-09-30 17:23 - 00000000 ____D C:\Program Files (x86)\MyPC Backup
2013-09-30 19:02 - 2013-09-30 17:22 - 00000000 ____D C:\ProgramData\SecTaskMan
2013-09-30 19:02 - 2013-09-30 17:22 - 00000000 ____D C:\Program Files (x86)\Security Task Manager
2013-09-30 17:28 - 2013-09-30 17:28 - 00000000 ____D C:\Users\Ciara Jay\AppData\Local\AVG SafeGuard toolbar
2013-09-30 17:24 - 2013-09-30 17:24 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
2013-09-30 17:20 - 2013-09-30 17:20 - 00894600 _____ (CNET Download.com) C:\Users\Ciara Jay\Downloads\cbsidlm-cbsi134-Security_Task_Manager-SEO-10246545(1).exe
2013-09-30 17:18 - 2013-09-30 17:18 - 00016990 _____ C:\Users\Ciara Jay\Downloads\SecurityTaskManager_Setup.exe
2013-09-30 17:17 - 2013-09-30 17:17 - 00894600 _____ (CNET Download.com) C:\Users\Ciara Jay\Downloads\cbsidlm-cbsi134-Security_Task_Manager-SEO-10246545.exe
2013-09-30 15:58 - 2013-09-30 15:44 - 92852496 _____ (Microsoft Corporation) C:\Users\Ciara Jay\Downloads\msert.exe
2013-09-30 15:01 - 2013-09-30 15:01 - 00347424 _____ (Microsoft Corporation) C:\Users\Ciara Jay\Downloads\MicrosoftFixit.WindowsFirewall.RNP.147304002055268658.1.1.Run.exe
2013-09-30 13:16 - 2011-09-16 15:44 - 00000000 ____D C:\Users\Ciara Jay\AppData\Roaming\SoftGrid Client
2013-09-30 13:05 - 2013-09-30 13:05 - 00001107 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-30 13:05 - 2013-09-30 13:05 - 00001107 _____ C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-30 13:05 - 2012-01-10 11:23 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-30 13:04 - 2013-09-30 13:02 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Ciara Jay\Downloads\mbam-setup-1.75.0.1300(1).exe

Files to move or delete:
====================
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.


Some content of TEMP:
====================
C:\Users\Ciara Jay\AppData\Local\Temp\-12ltpmj.dll
C:\Users\Ciara Jay\AppData\Local\Temp\avguidx.dll
C:\Users\Ciara Jay\AppData\Local\Temp\BackupSetup.exe
C:\Users\Ciara Jay\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Ciara Jay\AppData\Local\Temp\FastDownload.exe
C:\Users\Ciara Jay\AppData\Local\Temp\iGearedHelper.dll
C:\Users\Ciara Jay\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Ciara Jay\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Ciara Jay\AppData\Local\Temp\oi_{559B84F9-FF97-4470-90B7-BDD5295BB4F0}.exe
C:\Users\Ciara Jay\AppData\Local\Temp\oi_{5AEEF0CE-CEC8-4106-B3C6-204C8DD7F83F}.exe
C:\Users\Ciara Jay\AppData\Local\Temp\oi_{6FCCB75F-0100-4C21-A8D4-28CE6A1E71FA}.exe
C:\Users\Ciara Jay\AppData\Local\Temp\oi_{9A87AF25-D0F1-4604-B52C-CD3770B8640B}.exe
C:\Users\Ciara Jay\AppData\Local\Temp\setup.exe
C:\Users\Ciara Jay\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Ciara Jay\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\Ciara Jay\AppData\Local\Temp\UNINSTALL.exe
C:\Users\Ciara Jay\AppData\Local\Temp\vcredist_x64.exe


==================== Known DLLs (Whitelisted) ================

C:\Windows\System32\LPK.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION!

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

14
Restore point made on: 2013-09-24 03:00:22
Restore point made on: 2013-09-24 09:18:39
Restore point made on: 2013-09-25 03:00:52
Restore point made on: 2013-09-30 12:51:45
Restore point made on: 2013-09-30 13:54:00
Restore point made on: 2013-09-30 17:30:44
Restore point made on: 2013-09-30 19:04:55
Restore point made on: 2013-09-30 19:05:31
Restore point made on: 2013-10-11 22:45:26
Restore point made on: 2013-10-12 02:38:32
Restore point made on: 2013-10-12 03:00:31
Restore point made on: 2013-10-14 03:06:24
Restore point made on: 2013-10-14 03:11:15
Restore point made on: 2013-10-15 03:02:37

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-us
inherit                 {globalsettings}
default                 {default}
resumeobject            {6abef735-3411-11de-8ea8-ac010edf8f1e}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-us
inherit                 {bootloadersettings}
recoverysequence        {current}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {6abef735-3411-11de-8ea8-ac010edf8f1e}
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {current}
device                  ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{6abef738-3411-11de-8ea8-ac010edf8f1e}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{6abef738-3411-11de-8ea8-ac010edf8f1e}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {6abef735-3411-11de-8ea8-ac010edf8f1e}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {6abef738-3411-11de-8ea8-ac010edf8f1e}
description             Ramdisk Options
ramdisksdidevice        partition=D:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi


==================== Memory info ===========================

Percentage of memory in use: 23%
Total physical RAM: 3894.68 MB
Available physical RAM: 2987.32 MB
Total Pagefile: 3892.83 MB
Available Pagefile: 3119.56 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:384.26 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Recovery) (Fixed) (Total:14.65 GB) (Free:7.97 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: () (Removable) (Total:29.95 GB) (Free:12.33 GB) NTFS
Drive g: (Oct 29 2013) (CDROM) (Total:0.69 GB) (Free:0.68 GB) UDF
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 59EDF2A3)
Partition 1: (Not Active) - (Size=100 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=451 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 30 GB) (Disk ID: 04030201)
Partition 1: (Active) - (Size=30 GB) - (Type=07 NTFS)


LastRegBack: 2013-10-12 05:41

==================== End Of Log ============================



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:48 PM

Posted 29 October 2013 - 08:54 PM


Hello ctol

Ok, let's see if we can find a replacement for the infected file.

Boot back into the Recovery Environment and run FRST like you did before.

Type the following in the edit box after "Search:".

LPK.dll

It then should look like:

Search: LPK.dll

Click Search button and post the log (Search.txt) it makes to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 ctol

ctol
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female
  • Local time:08:48 PM

Posted 29 October 2013 - 09:02 PM

Is it case sensitive? These are the search results.

Farbar Recovery Scan Tool (x64) Version: 28-10-2013
Ran by SYSTEM at 2013-10-29 20:59:47
Running from E:\
Boot Mode: Recovery

================== Search: "lpk.dll" ===================

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22153_none_12ab04c4bec5c79d\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.21664_none_12a15568beccd507\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.21636_none_12c3c5c0beb2b3e2\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.18032_none_12360787a598d69a\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17991_none_11f44f93a5ca31a7\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17563_none_1216b853a5b01be6\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17537_none_123b293fa5942d6f\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_124dc839a586a988\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_10f9b8f6c177b3cc\lpk.dll
[2012-12-22 23:46] - [2012-12-16 11:34] - 0025600 ____A (Microsoft Corporation) BF6CDA72E4112DAC01E2ED8911C3FD74

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21362_none_10b8d788c1a85e4b\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20905_none_10fcda1ac174d7f3\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20875_none_10b128c0c1ad9e63\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20821_none_10e33734c188ad52\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20720_none_10e23504c18996d4\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20553_none_10c4c252c19f3c5e\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20498_none_109e822ec1bb2dae\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.17194_none_1010c9a7a8a147db\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.17159_none_10410ac9a87c56ca\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16763_none_10305b4da889affa\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16734_none_1051cb5ba870757e\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16691_none_100de90fa8a3d3f8\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16600_none_106e3811a85bbf28\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16444_none_1046f5bda87899fa\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16402_none_107034d9a859f788\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_101cb471a89825ee\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_082d1b568a83a814\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22153_none_08565a728a6505a2\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.21664_none_084cab168a6c130c\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.21636_none_086f1b6e8a51f1e7\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.18032_none_07e15d357138149f\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17991_none_079fa54171696fac\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17563_none_07c20e01714f59eb\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17537_none_07e67eed71336b74\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_07f91de77125e78d\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_06a50ea48d16f1d1\lpk.dll
[2012-12-22 23:46] - [2012-12-16 12:19] - 0041472 ____A (Microsoft Corporation) 838BF2634A38B344B27AC080D76B28C2

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21362_none_06642d368d479c50\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20905_none_06a82fc88d1415f8\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20875_none_065c7e6e8d4cdc68\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20821_none_068e8ce28d27eb57\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20720_none_068d8ab28d28d4d9\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20553_none_067018008d3e7a63\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20498_none_0649d7dc8d5a6bb3\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.17194_none_05bc1f55744085e0\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.17159_none_05ec6077741b94cf\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16763_none_05dbb0fb7428edff\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16734_none_05fd2109740fb383\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16691_none_05b93ebd744311fd\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16600_none_06198dbf73fafd2d\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16444_none_05f24b6b7417d7ff\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16402_none_061b8a8773f9358d\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_05c80a1f743763f3\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

====== End Of Search ======



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:48 PM

Posted 29 October 2013 - 09:27 PM


Hello ctol



Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f\lpk.dll C:\Windows\SysWOW64\LPK.dll
Replace: C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_082d1b568a83a814\lpk.dll C:\Windows\System32\LPK.dll

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
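The search results above list every WinSxS copy of lpk.dll with its size and MD5, and the fixlist takes the newest component copy for each architecture. As an added example (not code from the thread, from FRST, or from Farbar), this Python script parses that Search.txt block format, checks that the copies for each architecture agree on size and MD5 before nominating the newest one, lists copies with a different hash for manual review (a different hash may simply be a different build), and prints Replace: lines in the form used above. The sample input is a constructed subset of the log posted in this thread, and the System32/SysWOW64 destinations assume an x64 Windows as here.

```python
"""Choose a known-good WinSxS copy from FRST 'Search:' output (added example).

FRST prints each hit as a path line followed by a details line:
    [created] - [modified] - <size> <attrs> (<company>) <MD5>
Copies are grouped by WinSxS architecture (amd64_/wow64_); the majority
(size, MD5) pair is the reference, the newest component version carrying
it is the candidate, and copies that differ are listed for manual review.
"""
from __future__ import annotations
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

HIT_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$")
# WinSxS folder name: <arch>_<name>_<publicKeyToken>_<version>_<culture>_<hash>
SXS_RE = re.compile(
    r"\\winsxs\\(?P<arch>amd64|wow64|x86|msil)_.+?_[0-9a-f]{16}_(?P<version>\d+(?:\.\d+){3})_",
    re.IGNORECASE)
# Assumption: x64 Windows as in this thread, so amd64 -> System32, wow64 -> SysWOW64.
DESTINATION = {"amd64": r"C:\Windows\System32", "wow64": r"C:\Windows\SysWOW64"}


@dataclass(frozen=True)
class Hit:
    path: str
    size: int
    md5: str
    arch: str | None           # None for hits outside WinSxS
    version: tuple[int, ...]   # () when no component version was parsed


def parse_search(text: str) -> list[Hit]:
    """One Hit per (path line, details line) pair in a Search.txt block."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    hits = []
    for i in range(1, len(lines)):
        m, path = HIT_RE.match(lines[i]), lines[i - 1]
        if not m or not re.match(r"^[A-Za-z]:\\", path):
            continue  # a details line only counts when it follows a drive-letter path
        sxs = SXS_RE.search(path)
        version = tuple(int(p) for p in sxs["version"].split(".")) if sxs else ()
        hits.append(Hit(path, int(m["size"]), m["md5"].upper(),
                        sxs["arch"].lower() if sxs else None, version))
    return hits


def choose_replacements(hits: list[Hit]) -> dict[str, dict]:
    """Per architecture: majority (size, MD5), newest agreeing copy, outliers."""
    by_arch: dict[str, list[Hit]] = defaultdict(list)
    for h in hits:
        if h.arch:
            by_arch[h.arch].append(h)
    chosen = {}
    for arch, copies in by_arch.items():
        reference, agreeing = Counter((h.size, h.md5) for h in copies).most_common(1)[0]
        matching = [h for h in copies if (h.size, h.md5) == reference]
        chosen[arch] = {"candidate": max(matching, key=lambda h: h.version),
                        "agreeing": agreeing, "total": len(copies),
                        "outliers": [h for h in copies if (h.size, h.md5) != reference]}
    return chosen


def fixlist_lines(chosen: dict[str, dict], filename: str) -> list[str]:
    """FRST 'Replace: <source> <destination>' lines for the chosen copies."""
    return [f"Replace: {chosen[arch]['candidate'].path} {dest}\\{filename}"
            for arch, dest in DESTINATION.items() if arch in chosen]


# Constructed sample: a subset of the Search.txt block posted in this thread.
SAMPLE = r"""================== Search: "lpk.dll" ===================

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_101cb471a89825ee\lpk.dll
[2009-07-13 18:25] - [2009-07-13 20:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_082d1b568a83a814\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_06a50ea48d16f1d1\lpk.dll
[2012-12-22 23:46] - [2012-12-16 12:19] - 0041472 ____A (Microsoft Corporation) 838BF2634A38B344B27AC080D76B28C2

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_05c80a1f743763f3\lpk.dll
[2009-07-13 18:38] - [2009-07-13 20:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

====== End Of Search ======
"""

if __name__ == "__main__":
    chosen = choose_replacements(parse_search(SAMPLE))
    for arch, info in chosen.items():
        print(f"{arch}: {info['agreeing']}/{info['total']} copies agree; review:",
              [o.path for o in info["outliers"]])
    print("\n".join(fixlist_lines(chosen, "LPK.dll")))
```

Run it against a real Search.txt by reading the file into `parse_search`; the printed Replace: lines are a proposal to review, not something to apply unread.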

#7 ctol

ctol
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female
  • Local time:08:48 PM

Posted 29 October 2013 - 09:37 PM

Gringo, we are back in business. Laptop started up. What now?


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-10-2013
Ran by SYSTEM at 2013-10-29 21:32:33 Run:3
Running from E:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Replace: C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f\lpk.dll C:\Windows\SysWOW64\LPK.dll
Replace: C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_082d1b568a83a814\lpk.dll C:\Windows\System32\LPK.dll
*****************

Could not find C:\Windows\SysWOW64\LPK.dll.
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f\lpk.dll copied successfully to C:\Windows\SysWOW64\LPK.dll
Could not find C:\Windows\System32\LPK.dll.
C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_082d1b568a83a814\lpk.dll copied successfully to C:\Windows\System32\LPK.dll

==== End of Fixlog ====



#8 ctol

ctol
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Female
  • Local time:08:48 PM

Posted 29 October 2013 - 09:40 PM

After typing in the password, I got this message for Dell Stage...I think 0_o: stage_primary.exe - System Error "The program can't start because DCIMAN32.dll is missing from your computer. Try reinstalling the program to fix this problem."




#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:48 PM

Posted 29 October 2013 - 09:48 PM



Hello ctol

We will deal with the Dell problem after I am sure the computer is clean.

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 ctol


Posted 29 October 2013 - 09:49 PM

One more thing...the networking icon has a red x over what looks like an empty box. I do have internet access, though.



#11 ctol


Posted 29 October 2013 - 09:50 PM

Okay! I really appreciate your help and I am downloading those programs now.



#12 ctol


Posted 29 October 2013 - 10:24 PM

After clicking "Clean" in AdwCleaner, a Webroot message popped up showing pua.conduit found in AdwCleaner. I didn't take any action; the laptop was already shutting down. Just thought the information would be helpful. Running okay with the few exceptions I mentioned already. Here are the logs.

 

# AdwCleaner v3.010 - Report created 29/10/2013 at 21:59:54
# Updated 20/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Ciara Jay - CIARAJAY-PC
# Running from : C:\Users\Ciara Jay\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : vToolbarUpdater17.0.12

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\RightClick
Folder Deleted : C:\Program Files (x86)\Ask.com
Folder Deleted : C:\Program Files (x86)\BrowseToSave
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\MyPC Backup
Folder Deleted : C:\Program Files (x86)\Productivity_3
Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Deleted : C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}
Folder Deleted : C:\Users\Ciara Jay\AppData\Local\Conduit
Folder Deleted : C:\Users\Ciara Jay\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Ciara Jay\AppData\LocalLow\Browse2Save
Folder Deleted : C:\Users\Ciara Jay\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Ciara Jay\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Ciara Jay\AppData\LocalLow\Productivity_3
Folder Deleted : C:\Users\Ciara Jay\AppData\Roaming\SendSpace
File Deleted : C:\Users\Public\Desktop\eBay.lnk
File Deleted : C:\Users\CIARAJ~1\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Windows\System32\Tasks\Scheduled Update for Ask Toolbar

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASMANCS
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_f2a323db
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3003489
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{99066096-8989-4612-841F-621A01D54AD7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1FCA4DF8-9ACD-4DFB-89CC-DDD0082FC588}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B18460F4-6A88-4012-AB5C-78B5A45F44D7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FCA4DF8-9ACD-4DFB-89CC-DDD0082FC588}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FCA4DF8-9ACD-4DFB-89CC-DDD0082FC588}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B18460F4-6A88-4012-AB5C-78B5A45F44D7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1FCA4DF8-9ACD-4DFB-89CC-DDD0082FC588}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B18460F4-6A88-4012-AB5C-78B5A45F44D7}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9D4B8F26-A35D-419F-9AA4-8B2C8D9CF078}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F2CE34B6-01A3-4959-A768-A14613BCDE42}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{1FCA4DF8-9ACD-4DFB-89CC-DDD0082FC588}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{1FCA4DF8-9ACD-4DFB-89CC-DDD0082FC588}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{1FCA4DF8-9ACD-4DFB-89CC-DDD0082FC588}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{1FCA4DF8-9ACD-4DFB-89CC-DDD0082FC588}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\Productivity_3
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SProtector
Key Deleted : HKLM\Software\Productivity_3
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\browse~1\sprote~1.dll
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\easylife\sprote~1.dll
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\Ciara Jay\AppData\Roaming\Mozilla\Firefox\Profiles\01lkg64u.default-1381560777553\prefs.js ]


-\\ Google Chrome v

[ File : C:\Users\Ciara Jay\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [14866 octets] - [29/10/2013 21:58:26]
AdwCleaner[S0].txt - [14767 octets] - [29/10/2013 21:59:54]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [14828 octets] ##########
 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.7 (10.15.2013:3)
OS: Windows 7 Home Premium x64
Ran by Ciara Jay on Tue 10/29/2013 at 22:11:41.94
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\DropDownDealsSetup-1678_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\DropDownDealsSetup-1678_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\DropDownDealsSetup-1678_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\DropDownDealsSetup-1678_RASMANCS
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D9CCBA44-A61E-4CDE-A4F8-779C05EE9469}
Successfully deleted: [Registry Key] "hkey_current_user\software\microsoft\internet explorer\low rights\elevationpolicy\{a5aa24ea-11b8-4113-95ae-9ed71deaf12a}"



~~~ Files

Successfully deleted: [File] C:\Windows\syswow64\sho1AE7.tmp
Successfully deleted: [File] C:\Windows\syswow64\sho2D0D.tmp
Successfully deleted: [File] C:\Windows\syswow64\sho30CA.tmp
Successfully deleted: [File] C:\Windows\syswow64\sho5FF.tmp
Successfully deleted: [File] C:\Windows\syswow64\sho6171.tmp
Successfully deleted: [File] C:\Windows\syswow64\sho65D8.tmp
Successfully deleted: [File] C:\Windows\syswow64\sho6F0C.tmp
Successfully deleted: [File] C:\Windows\syswow64\sho7DCA.tmp
Successfully deleted: [File] C:\Windows\syswow64\shoB762.tmp
Successfully deleted: [File] C:\Windows\syswow64\shoE671.tmp
Successfully deleted: [File] C:\Windows\syswow64\shoEA49.tmp
Successfully deleted [File] C:\Windows\svchost.exe  [Check for TDL4 Rootkit!]



~~~ Folders

Successfully deleted: [Folder] "C:\Program Files (x86)\coupons"
Successfully deleted: [Folder] "C:\Program Files (x86)\yontoo layers runtime (drop down deals)"
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{06B5DEF9-CE3A-4FEF-8176-5BAF0983E4CE}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{0B157234-6F6D-47C3-9422-0D20C8A1C38A}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{10724F70-C5DE-4E6D-AF54-0E9BA10B45DF}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{12197EC9-9F02-4460-852D-C95344ED1CA7}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{296F186B-4BB1-40D2-BD0C-EAC9BA0BF3E7}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{3AC5AEB2-64A4-46F2-A627-32C2909C3FBF}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{680597F9-EE0E-4B58-981E-FBAEFF3D9A10}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{76864B0B-E422-419C-ACCB-67D0309BC612}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{7F535CE8-F3F1-4AFC-8C6D-DAD2A9BA11CA}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{87C50201-7437-45A0-B662-6CE277FC6B56}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{90CD7EDB-408D-48ED-9F27-DA9D3AC38A79}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{A07F8009-8F55-4418-9AAE-A244150D48CF}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{A2555B75-0D74-4F4C-BBBF-3144F50984FD}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{A6159641-F352-429A-83C3-C65B80F4C5F3}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{A74DA24F-A54B-4AEC-B8F6-E580FB495E0E}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{A8792F33-2153-4DF2-9D7C-769ADD809F3D}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{ACFDBA55-CF12-4E74-A6BD-72582B911C6B}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{AE9F6475-C48B-4EC4-B7BE-23F43CC17591}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{CE2F0EAE-F63E-45DA-9A8E-ADE91DDF43B9}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{D4792DA4-F009-4FFF-AF7C-C0EA90E322E6}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{D7BD4A0B-C420-4BD5-A6D2-E78D117617D5}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{E9E6A881-08F1-4CDE-A1B7-D4913EC02A8A}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{F6B26877-6F19-4E3A-96F0-2AC395205342}
Successfully deleted: [Empty Folder] C:\Users\Ciara Jay\appdata\local\{FB6A00AD-DD23-4380-925A-C3510D89AD22}



~~~ FireFox

Emptied folder: C:\Users\Ciara Jay\AppData\Roaming\mozilla\firefox\profiles\01lkg64u.default-1381560777553\minidumps [1 files]



~~~ Chrome

Successfully deleted: [Folder] C:\Users\Ciara Jay\appdata\local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 10/29/2013 at 22:19:25.92
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#13 gringo_pr


Posted 29 October 2013 - 10:25 PM


Hello ctol

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"
In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#14 ctol


Posted 29 October 2013 - 10:53 PM

I immediately got an error with Combofix: "c:\32788R22FWJFW\sed.3XE". Do I click Abort, Retry, or Ignore?



#15 ctol


Posted 29 October 2013 - 10:55 PM

To be more specific, the error regarding the above file said "Error opening file for writing:"





