Antivirus Security Pro


This topic is locked. 12 replies to this topic.

#1 eviljello


Posted 02 November 2013 - 07:44 PM

Help! I have the ASP virus and cannot remove it. I ended its processes, but the virus itself is still on my computer; I even tried Windows Defender Offline, but no deal. Please help - I am running XP Professional.

Thank You





#2 gringo_pr


Posted 02 November 2013 - 08:56 PM

Hello eviljello

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable, and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

We are going to try System Restore to restore the system prior to the infection.

Depending on your Windows version.


Option 1.

Step 1: Use F8 to Boot to SafeMode With Command Prompt
Step 2: Use ctrl/alt/del (keys) to get task manager opened
Step 3: choose file and create new task
Step 4: Then Navigate to:
C:\windows\system32\restore\rstrui.exe and press Enter (or double click rstrui.exe)
Step 5: Restore Computer to a Date you know you were virus free
Step 6: Run Malwarebytes

Option 2.

Step 1: Use F8 to Boot to SafeMode With Command Prompt
At the command prompt type in: rstrui.exe



Gringo

Edited by gringo_pr, 02 November 2013 - 09:04 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Aaflac


Posted 02 November 2013 - 08:56 PM

Thanks, I did not see that.

gringo

Edited by gringo_pr, 02 November 2013 - 09:05 PM.

Old duck...


#4 eviljello


Posted 02 November 2013 - 10:08 PM

Thanks Gringo and Aaflac. I will do option 2, and yes, my computer does boot into Windows. I stopped the process from executing, but I have not been able to remove the infected files.



#5 gringo_pr


Posted 02 November 2013 - 10:16 PM


Hello eviljello

If you can boot into Windows, let me have this report please.

Please download Farbar Recovery Scan Tool and save it to your desktop.


Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Gringo

#6 eviljello


Posted 02 November 2013 - 10:26 PM

Still on my System Restore, should I abort?



#7 gringo_pr


Posted 02 November 2013 - 10:29 PM

No let it finish

gringo

#8 eviljello


Posted 02 November 2013 - 10:53 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013
Ran by Susan (administrator) on HP-LAPTOP on 02-11-2013 20:41:05
Running from C:\Documents and Settings\Susan\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
(Agere Systems) C:\WINDOWS\AGRSMMSG.exe
(Hewlett-Packard Company) C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\HPQ\Shared\hpqwmi.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [QlbCtrl.exe] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe [202032 2007-10-19] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [AGRSMMSG] - C:\WINDOWS\AGRSMMSG.exe [88363 2004-08-24] (Agere Systems)
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe [794624 2005-05-04] (Hewlett-Packard Company)
HKLM\...\Run: [SoundMAXPnP] - C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [1388544 2004-10-14] (Analog Devices, Inc.)
HKLM\...\Run: [SoundMAX] - C:\Program Files\Analog Devices\SoundMAX\SMax4.exe [860160 2004-09-23] (Analog Devices, Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\WINDOWS\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-08-12] (Microsoft Corporation)
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION

==================== Internet (Whitelisted) ====================

SearchScopes: HKLM - DefaultScope {597b1823-7ff0-4cd3-8095-9d8cba514992} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XN^xdm002^YY^us&si=CMi2ubLmlLcCFYc34godKhEAYQ&ptb=E7B8E4A8-F234-4072-9616-8C8124C7CEB9&psa=&ind=2013051400&st=sb&n=77fcba08&searchfor={searchTerms}
SearchScopes: HKLM - {597b1823-7ff0-4cd3-8095-9d8cba514992} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XN^xdm002^YY^us&si=CMi2ubLmlLcCFYc34godKhEAYQ&ptb=E7B8E4A8-F234-4072-9616-8C8124C7CEB9&psa=&ind=2013051400&st=sb&n=77fcba08&searchfor={searchTerms}
SearchScopes: HKCU - {597b1823-7ff0-4cd3-8095-9d8cba514992} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XN^xdm002^YY^us&si=CMi2ubLmlLcCFYc34godKhEAYQ&ptb=E7B8E4A8-F234-4072-9616-8C8124C7CEB9&psa=&ind=2013051400&st=sb&n=77fcba08&searchfor={searchTerms}
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
Toolbar: HKCU - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.11.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

========================== Services (Whitelisted) =================

R3 hpqwmi; C:\Program Files\HPQ\Shared\hpqwmi.exe [98304 2005-06-14] (Hewlett-Packard Development Company, L.P.)
S4 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S4 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-08-12] (Microsoft Corporation)
R2 SoundMAX Agent Service (default); C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [45056 2002-09-20] (Analog Devices, Inc.)

==================== Drivers (Whitelisted) ====================

S3 cpudrv; C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2011-06-02] ()
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [35144 2013-11-01] ()
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 MidiSyn; C:\Windows\System32\drivers\MidiSyn.sys [88960 2004-09-14] (Analog Devices, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
R3 rtl8139; C:\Windows\System32\DRIVERS\RTL8139.SYS [20992 2004-08-03] (Realtek Semiconductor Corporation)
R3 senfilt; C:\Windows\System32\drivers\senfilt.sys [392704 2005-03-01] (Sensaura)
S3 TrojanKillerDriver; C:\Windows\System32\DRIVERS\gtkdrv.sys [16128 2013-10-11] (Windows ® Win 7 DDK provider)
R3 w29n51; C:\Windows\System32\DRIVERS\w29n51.sys [2206720 2006-08-21] (Intel® Corporation)
U1 eabfiltr;
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-02 20:40 - 2013-11-02 20:40 - 01089445 _____ (Farbar) C:\Documents and Settings\Susan\Desktop\FRST.exe
2013-11-02 20:40 - 2013-11-02 20:40 - 00000000 ____D C:\FRST
2013-11-02 20:35 - 2013-11-02 20:35 - 00000000 ____D C:\WINDOWS\system32\appmgmt
2013-11-02 20:35 - 2013-11-02 20:35 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\GridinSoft Trojan Killer
2013-11-02 20:00 - 2013-11-02 20:00 - 00001416 _____ C:\Documents and Settings\Susan\Desktop\Rkill.txt
2013-11-02 19:33 - 2013-11-02 19:33 - 00275181 _____ C:\Documents and Settings\Susan\Desktop\WindowsUpdateDiagnostic.diagcab
2013-11-02 19:09 - 2013-11-02 19:10 - 00000000 ____D C:\WINDOWS\pss
2013-11-02 18:05 - 2013-11-02 20:20 - 00000000 ____D C:\Program Files\GridinSoft Trojan Killer
2013-11-02 18:05 - 2013-11-02 18:05 - 00000814 _____ C:\Documents and Settings\All Users\Desktop\Trojan Killer.lnk
2013-11-02 17:42 - 2013-11-02 17:42 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2013-11-02 16:17 - 2013-11-02 16:17 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
2013-11-02 15:34 - 2013-11-02 20:21 - 00000000 ____D C:\Documents and Settings\Susan\Desktop\mbam-chameleon-1.62.1.1000
2013-11-02 13:32 - 2013-11-02 20:22 - 00000000 ____D C:\Documents and Settings\Susan\Local Settings\Application Data\NPE
2013-11-02 13:32 - 2013-11-02 20:22 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-11-02 13:32 - 2013-11-02 13:32 - 03053496 ____N (Symantec Corporation) C:\Documents and Settings\Susan\Desktop\NPE.exe
2013-11-02 11:17 - 2013-11-02 11:22 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-11-02 03:59 - 2013-11-02 03:59 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-02 01:33 - 2013-11-02 19:58 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-11-02 01:27 - 2013-09-03 14:35 - 00238872 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2013-11-02 01:23 - 2013-11-02 01:23 - 00001698 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
2013-11-02 01:22 - 2013-11-02 01:23 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-11-01 23:56 - 2013-11-02 13:11 - 00006508 _____ C:\WINDOWS\bitssetup.log
2013-11-01 23:49 - 2013-11-01 23:49 - 00027760 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-11-01 23:44 - 2013-11-01 23:47 - 00007052 __RSH C:\Documents and Settings\All Users\ntuser.pol
2013-11-01 23:40 - 2013-11-01 23:40 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
2013-11-01 23:33 - 2013-11-01 23:33 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2013-11-01 23:29 - 2013-11-01 23:29 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Macromedia
2013-11-01 23:28 - 2013-11-01 23:28 - 00000000 __SHD C:\Documents and Settings\Administrator\PrivacIE
2013-11-01 20:48 - 2013-11-02 19:03 - 00001917 _____ C:\WINDOWS\epplauncher.mif
2013-11-01 19:57 - 2013-11-01 20:03 - 00001260 _____ C:\Documents and Settings\Administrator\avgrep.txt
2013-11-01 19:54 - 2013-11-01 15:51 - 05154304 _____ C:\Documents and Settings\Administrator\Desktop\WindowsDefender.msi
2013-11-01 19:53 - 2013-11-01 19:53 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
2013-11-01 19:53 - 2013-11-01 19:53 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Adobe
2013-11-01 19:52 - 2013-11-01 19:52 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2013-11-01 19:51 - 2013-11-02 17:48 - 00000000 ____D C:\Documents and Settings\Administrator
2013-11-01 19:51 - 2013-11-02 00:42 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2013-11-01 19:51 - 2012-11-10 12:41 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2013-11-01 19:51 - 2012-10-29 17:48 - 00001599 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2013-11-01 19:51 - 2012-10-29 17:48 - 00000792 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2013-11-01 19:51 - 2012-10-29 17:48 - 00000000 ___RD C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2013-10-28 19:30 - 2013-11-01 20:42 - 00035144 _____ C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-10-28 19:20 - 2013-10-28 19:20 - 00000000 ___HD C:\WINDOWS\PIF
2013-10-27 18:01 - 2013-11-02 11:47 - 01898232 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Susan\Desktop\iExplore.exe
2013-10-26 19:45 - 2013-10-26 19:45 - 00000000 __SHD C:\WINDOWS\CSC
2013-10-26 17:43 - 2013-10-26 17:43 - 00000068 _____ C:\Documents and Settings\Susan\Application Data\mbam.context.scan
2013-10-26 17:27 - 2013-11-02 04:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\s3ngX3ga
2013-10-26 17:01 - 2013-11-02 11:45 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVG2014
2013-10-13 23:43 - 2013-10-13 23:43 - 00130068 _____ C:\WINDOWS\KB2862335.log
2013-10-13 23:43 - 2013-10-13 23:43 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862335$
2013-10-13 23:43 - 2013-10-13 23:43 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2847311$
2013-10-13 23:36 - 2013-10-13 23:36 - 00010419 _____ C:\WINDOWS\KB2868038.log
2013-10-13 23:36 - 2013-10-13 23:36 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2868038$
2013-10-13 23:35 - 2013-10-13 23:35 - 00011518 _____ C:\WINDOWS\KB2879017-IE8.log
2013-10-13 23:35 - 2013-10-13 23:35 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2883150$
2013-10-13 23:34 - 2013-10-13 23:34 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862330$
2013-10-11 04:06 - 2013-10-11 04:06 - 00016128 _____ (Windows ® Win 7 DDK provider) C:\WINDOWS\system32\Drivers\gtkdrv.sys
2013-10-10 20:41 - 2013-10-13 23:43 - 00134959 _____ C:\WINDOWS\KB2847311.log
2013-10-10 20:41 - 2013-07-02 19:12 - 00025088 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hidparse.sys
2013-10-10 20:41 - 2013-07-02 18:59 - 00014976 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbscan.sys
2013-10-10 20:40 - 2013-07-16 17:58 - 00123008 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbvideo.sys
2013-10-10 20:40 - 2013-07-16 17:58 - 00060160 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbaudio.sys
2013-10-10 20:40 - 2013-07-16 17:58 - 00046848 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\irbus.sys
2013-10-10 20:38 - 2013-08-08 17:55 - 00005376 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbd.sys

==================== One Month Modified Files and Folders =======

2013-11-02 20:40 - 2013-11-02 20:40 - 01089445 _____ (Farbar) C:\Documents and Settings\Susan\Desktop\FRST.exe
2013-11-02 20:40 - 2013-11-02 20:40 - 00000000 ____D C:\FRST
2013-11-02 20:37 - 2012-10-29 17:46 - 02011407 _____ C:\WINDOWS\WindowsUpdate.log
2013-11-02 20:37 - 2012-10-29 09:27 - 00000000 ____D C:\WINDOWS\system32\ias
2013-11-02 20:37 - 2001-08-23 04:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-11-02 20:36 - 2012-10-29 17:52 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-11-02 20:35 - 2013-11-02 20:35 - 00000000 ____D C:\WINDOWS\system32\appmgmt
2013-11-02 20:35 - 2013-11-02 20:35 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\GridinSoft Trojan Killer
2013-11-02 20:29 - 2012-10-29 18:35 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\MFAData
2013-11-02 20:23 - 2012-10-29 17:53 - 00000000 ____D C:\WINDOWS\SoftwareDistribution.old
2013-11-02 20:22 - 2013-11-02 13:32 - 00000000 ____D C:\Documents and Settings\Susan\Local Settings\Application Data\NPE
2013-11-02 20:22 - 2013-11-02 13:32 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-11-02 20:21 - 2013-11-02 15:34 - 00000000 ____D C:\Documents and Settings\Susan\Desktop\mbam-chameleon-1.62.1.1000
2013-11-02 20:20 - 2013-11-02 18:05 - 00000000 ____D C:\Program Files\GridinSoft Trojan Killer
2013-11-02 20:12 - 2012-10-29 17:54 - 00000178 ___SH C:\Documents and Settings\Susan\ntuser.ini
2013-11-02 20:12 - 2012-10-29 17:52 - 00032474 _____ C:\WINDOWS\SchedLgU.Txt
2013-11-02 20:00 - 2013-11-02 20:00 - 00001416 _____ C:\Documents and Settings\Susan\Desktop\Rkill.txt
2013-11-02 19:58 - 2013-11-02 01:33 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-11-02 19:55 - 2012-10-29 09:32 - 00000211 _____ C:\boot.ini
2013-11-02 19:45 - 2012-10-29 21:14 - 00065536 _____ C:\WINDOWS\system32\config\WindowsPowerShell.evt
2013-11-02 19:33 - 2013-11-02 19:33 - 00275181 _____ C:\Documents and Settings\Susan\Desktop\WindowsUpdateDiagnostic.diagcab
2013-11-02 19:29 - 2012-10-30 20:15 - 00000210 _____ C:\WINDOWS\setupact.log
2013-11-02 19:21 - 2001-08-23 04:00 - 00000573 _____ C:\WINDOWS\win.ini
2013-11-02 19:21 - 2001-08-23 04:00 - 00000227 _____ C:\WINDOWS\system.ini
2013-11-02 19:14 - 2013-01-27 12:25 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-11-02 19:10 - 2013-11-02 19:09 - 00000000 ____D C:\WINDOWS\pss
2013-11-02 19:07 - 2012-10-29 22:19 - 00002473 _____ C:\Documents and Settings\Susan\Desktop\Microsoft Word.lnk
2013-11-02 19:03 - 2013-11-01 20:48 - 00001917 _____ C:\WINDOWS\epplauncher.mif
2013-11-02 18:05 - 2013-11-02 18:05 - 00000814 _____ C:\Documents and Settings\All Users\Desktop\Trojan Killer.lnk
2013-11-02 17:48 - 2013-11-01 19:51 - 00000000 ____D C:\Documents and Settings\Administrator
2013-11-02 17:48 - 2012-10-29 17:54 - 00000000 ____D C:\Documents and Settings\Susan
2013-11-02 17:48 - 2012-10-29 17:52 - 00000000 __SHD C:\Documents and Settings\NetworkService
2013-11-02 17:42 - 2013-11-02 17:42 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2013-11-02 17:42 - 2012-10-29 17:52 - 00000000 __SHD C:\Documents and Settings\LocalService
2013-11-02 16:17 - 2013-11-02 16:17 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
2013-11-02 13:32 - 2013-11-02 13:32 - 03053496 ____N (Symantec Corporation) C:\Documents and Settings\Susan\Desktop\NPE.exe
2013-11-02 13:11 - 2013-11-01 23:56 - 00006508 _____ C:\WINDOWS\bitssetup.log
2013-11-02 13:10 - 2012-11-04 13:39 - 00058749 _____ C:\WINDOWS\setupapi.log
2013-11-02 12:38 - 2012-10-29 09:33 - 00000000 ____D C:\WINDOWS\system32\CatRoot2.old
2013-11-02 11:47 - 2013-10-27 18:01 - 01898232 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Susan\Desktop\iExplore.exe
2013-11-02 11:45 - 2013-10-26 17:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVG2014
2013-11-02 11:22 - 2013-11-02 11:17 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-11-02 11:12 - 2012-10-29 19:17 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2756822$
2013-11-02 04:48 - 2012-10-29 17:43 - 00000000 ____D C:\WINDOWS\Registration
2013-11-02 04:37 - 2013-06-21 18:50 - 00000000 ____D C:\Documents and Settings\Susan\My Documents\SMC
2013-11-02 04:29 - 2013-10-26 17:27 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\s3ngX3ga
2013-11-02 03:59 - 2013-11-02 03:59 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-02 03:59 - 2012-10-29 21:54 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-11-02 03:59 - 2012-10-29 21:54 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-11-02 03:21 - 2013-08-17 14:32 - 00000000 ____D C:\Documents and Settings\Susan\My Documents\Journal
2013-11-02 03:08 - 2012-10-29 17:52 - 00000178 ___SH C:\Documents and Settings\NetworkService\ntuser.ini
2013-11-02 01:23 - 2013-11-02 01:23 - 00001698 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
2013-11-02 01:23 - 2013-11-02 01:22 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-11-02 00:42 - 2013-11-01 19:51 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2013-11-01 23:49 - 2013-11-01 23:49 - 00027760 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-11-01 23:47 - 2013-11-01 23:44 - 00007052 __RSH C:\Documents and Settings\All Users\ntuser.pol
2013-11-01 23:40 - 2013-11-01 23:40 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
2013-11-01 23:33 - 2013-11-01 23:33 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2013-11-01 23:29 - 2013-11-01 23:29 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Macromedia
2013-11-01 23:28 - 2013-11-01 23:28 - 00000000 __SHD C:\Documents and Settings\Administrator\PrivacIE
2013-11-01 20:42 - 2013-10-28 19:30 - 00035144 _____ C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-11-01 20:03 - 2013-11-01 19:57 - 00001260 _____ C:\Documents and Settings\Administrator\avgrep.txt
2013-11-01 19:53 - 2013-11-01 19:53 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
2013-11-01 19:53 - 2013-11-01 19:53 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Adobe
2013-11-01 19:52 - 2013-11-01 19:52 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2013-11-01 15:51 - 2013-11-01 19:54 - 05154304 _____ C:\Documents and Settings\Administrator\Desktop\WindowsDefender.msi
2013-10-28 20:13 - 2013-06-19 18:03 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2013-10-28 19:20 - 2013-10-28 19:20 - 00000000 ___HD C:\WINDOWS\PIF
2013-10-26 19:45 - 2013-10-26 19:45 - 00000000 __SHD C:\WINDOWS\CSC
2013-10-26 17:43 - 2013-10-26 17:43 - 00000068 _____ C:\Documents and Settings\Susan\Application Data\mbam.context.scan
2013-10-20 09:57 - 2013-03-31 15:13 - 00002347 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2013-10-16 19:30 - 2012-10-29 20:42 - 00000000 ____D C:\WINDOWS\Microsoft.NET
2013-10-15 21:55 - 2013-02-02 13:49 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-15 21:55 - 2012-10-29 09:33 - 00160344 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-10-13 23:48 - 2012-10-29 09:34 - 00489766 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-10-13 23:43 - 2013-10-13 23:43 - 00130068 _____ C:\WINDOWS\KB2862335.log
2013-10-13 23:43 - 2013-10-13 23:43 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862335$
2013-10-13 23:43 - 2013-10-13 23:43 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2847311$
2013-10-13 23:43 - 2013-10-10 20:41 - 00134959 _____ C:\WINDOWS\KB2847311.log
2013-10-13 23:43 - 2012-12-14 18:35 - 00031274 _____ C:\WINDOWS\updspapi.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00348525 _____ C:\WINDOWS\iis6.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00321498 _____ C:\WINDOWS\FaxSetup.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00153712 _____ C:\WINDOWS\ocgen.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00146692 _____ C:\WINDOWS\tsoc.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00107326 _____ C:\WINDOWS\comsetup.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00098560 _____ C:\WINDOWS\msmqinst.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00064997 _____ C:\WINDOWS\ntdtcsetup.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00056316 _____ C:\WINDOWS\netfxocm.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00022100 _____ C:\WINDOWS\MedCtrOC.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00017784 _____ C:\WINDOWS\ocmsn.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00016172 _____ C:\WINDOWS\tabletoc.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00016068 _____ C:\WINDOWS\msgsocm.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00001393 _____ C:\WINDOWS\imsins.log
2013-10-13 23:43 - 2012-10-30 20:15 - 00001393 _____ C:\WINDOWS\imsins.BAK
2013-10-13 23:42 - 2013-08-17 12:33 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-10-13 23:38 - 2013-02-02 13:49 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
2013-10-13 23:38 - 2012-10-29 19:04 - 78106760 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-10-13 23:36 - 2013-10-13 23:36 - 00010419 _____ C:\WINDOWS\KB2868038.log
2013-10-13 23:36 - 2013-10-13 23:36 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2868038$
2013-10-13 23:35 - 2013-10-13 23:35 - 00011518 _____ C:\WINDOWS\KB2879017-IE8.log
2013-10-13 23:35 - 2013-10-13 23:35 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2883150$
2013-10-13 23:35 - 2012-10-29 19:11 - 00000000 ____D C:\WINDOWS\ie8updates
2013-10-13 23:34 - 2013-10-13 23:34 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862330$
2013-10-11 04:06 - 2013-10-11 04:06 - 00016128 _____ (Windows ® Win 7 DDK provider) C:\WINDOWS\system32\Drivers\gtkdrv.sys
2013-10-08 19:16 - 2012-10-29 20:37 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-10-08 19:16 - 2012-10-29 20:37 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl

Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\SHSetup.exe
C:\Documents and Settings\Susan\Local Settings\Temp\HitmanPro.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

#9 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 02 November 2013 - 11:15 PM

Hello eviljello



I need you to download this script I have made for you --> Attached File: fixlist.txt (609 bytes)

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 eviljello

  • Topic Starter
  • Members
  • 5 posts

Posted 02 November 2013 - 11:43 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 31-10-2013
Ran by Susan at 2013-11-02 21:41:59 Run:1
Running from C:\Documents and Settings\Susan\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
*****************

HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.

==== End of Fixlog ====

I hope this is right.
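The four rules the fixlog reports as restored are Software Restriction Policy (SRP) path rules that forbid running anything under the Windows and Program Files directories. As an added check, not part of this thread or of FRST, the PowerShell script below lists the SRP path rules on a machine and flags "Disallowed" rules that cover those system directories; it assumes the rules are stored under the standard safer\codeidentifiers policy key, which is where SRP keeps them.

```powershell
# Added example, not from the thread or from FRST. Lists Software Restriction
# Policy path rules and flags Disallowed rules that cover whole system
# directories, the pattern seen in the fixlog above.
# Assumption: rules live under the standard SRP policy key below.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers'

# SRP security levels, keyed by the subkey name under codeidentifiers
$levels = @{
    '0'      = 'Disallowed'
    '4096'   = 'Untrusted'
    '65536'  = 'Constrained'
    '131072' = 'Basic User'
    '262144' = 'Unrestricted'
}

# Registry path rules that expand to the Windows or Program Files directory;
# a Disallowed rule on either blocks legitimate Windows binaries.
$systemPatterns = @(
    '*CurrentVersion\SystemRoot%*',
    '*CurrentVersion\ProgramFilesDir%*'
)

if (-not (Test-Path $base)) {
    Write-Output 'No SRP rules present.'
    return
}

# DefaultLevel is what applies to anything no rule matches
$default = (Get-ItemProperty -Path $base -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
Write-Output "DefaultLevel: $default"

foreach ($levelKey in Get-ChildItem -Path $base) {
    $levelName = $levels[$levelKey.PSChildName]
    if (-not $levelName) { $levelName = $levelKey.PSChildName }
    $pathsKey = Join-Path $levelKey.PSPath 'Paths'
    if (-not (Test-Path $pathsKey)) { continue }

    # Each rule is a GUID-named subkey; ItemData holds the path or pattern
    foreach ($rule in Get-ChildItem -Path $pathsKey) {
        $target = (Get-ItemProperty -Path $rule.PSPath).ItemData
        $flag = ''
        foreach ($pat in $systemPatterns) {
            if ($levelName -eq 'Disallowed' -and $target -like $pat) {
                $flag = ' <== blocks a system directory'
            }
        }
        Write-Output ("[{0}] {1}{2}" -f $levelName, $target, $flag)
    }
}
```

Run it from an elevated PowerShell prompt; a clean machine normally prints only the DefaultLevel line and the default Unrestricted rules, so any Disallowed entry flagged here is worth investigating.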

#11 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 02 November 2013 - 11:56 PM



Hello eviljello

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo

#12 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 November 2013 - 12:48 PM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo

#13 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 November 2013 - 09:07 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.