
Win7-32 can't run any .exe files. DDS log attached. FRST logs available. Thank U


  • This topic is locked
20 replies to this topic

#1 mactiegre

mactiegre

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Location:Austin, TX
  • Local time:06:49 PM

Posted 16 November 2013 - 10:41 AM

Hello friendly AV wizards, you are a god, especially Gringo and nasdaq. We really enjoyed reading your helpful postings and appreciate your help. My first post.

 

I have a friend's Toshiba (AMD CPU) Win7-32 Home Premium laptop that won't run any EXEs. I had a problem like it once, and I fixed it by running HitmanPro from CNET, but it won't run on her computer (yes, I tried the 32-bit version), but that was from CNET before I found Bleeping. I downloaded HitmanPro from Bleeping and it ran OK, found 101 threats and repaired them, many Java scripts. Still won't work, and Rkill won't run now even after adding Set Windir = C:\Windows. (Update - Using Set Windir=C:\Windows and running Rkill from a thumb drive worked. Spaces in Set are bad. Rkill messages indicated that a key called Isolated command was set on the exefile registry entry. Rkill log posted at the bottom of this post.)

 

She has no recent backup, and about 50 GB of files she wants me to back up. 90 GB of important data backed up to an external drive.

 

At first, the .exe files were associated with Mozilla browser. I was able to UNINSTALL Mozilla and its AutoUpdater. Now .EXEs are associated with Windows Media Center. 

 

I am doing everything from a Thumb drive. Clean, never had anything on it. 

 

Rkill ran from a Command.com prompt, but I didn't see any log output. Didn't seem to fix anything. Regedit opens.

Can't run msconfig.exe, error says it can't find the file.  

I ran FRST 2 ways, but both ways FRST crashed. (still crashes in Safe mode after AVG scan/repair and HitmanPro Scan/fix)

The first way was from booting into the F8 Safe Mode Command Prompt. I can attach logs (the largest one of the 2). The instructions say to ZIP the attach.txt and post it as an attachment. Please let me know which way you want it.

FRST just crashed with an error saying it experienced unexpected fatal error. 

Then I ran it using Recovery Mode and got logs (not attached until requested). This time it got an exception: FRST at x77648B6E tried to reference memory x00000000, and it crashed. I have those logs also. (Still crashes after AVG/HitmanPro.) (More logs available.)

 

I tried running DDS.COM in recovery mode - didn't work. 

Was able to run DDS.Com from starting windows normally. Log attached below. 

I have checked my forum notification settings. I think it is right for immediate notifications. Please let me know if you want the FRST logs and Attach.txt from FRST. 

The system date and time on the infected computer is wrong. At 9:45 today it said 8:10am Nov 8, 2013. 

 

Also, I just started AVGUI.exe version 10.0.1432, engine 10.0.3222, from Safe Mode command.com, and it is scanning using antivirus database version 3222/6341 2013-11-16. Found 1 threat, fixed. Now runs clean.

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16736
Run by Jenny at 7:06:10 on 2013-11-08
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2812.1942 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\atiesrxx.exe
C:\windows\system32\atieclxx.exe
C:\windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\DICTIO~2\bar\1.bin\v4barsvc.exe
C:\Program Files\Brand Affinity Technologies\Fantapper Player\FantapperUpdateService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Amazon Browser Bar\ToolbarUpdaterService.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\windows\system32\conhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\loggingserver.exe
C:\windows\system32\conhost.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Google\Update\1.3.21.165\GoogleCrashHandler.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\windows\System32\WUDFHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\conhost.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k Akamai
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.mysearchdial.com/?f=1&a=adkmsd&cd=2XzuyEtN2Y1L1QzutDtDtByC0ByCyD0C0CyEyEyBtAzzyE0FtN0D0Tzu0CyCyDzytN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu&cr=1549792290&ir=
uWindow Title = Internet Explorer, optimized for Bing and MSN
uSearch Bar = hxxp://feed.helperbar.com/?publisher=OC&dpid=OC&co=US&userid=6ef0b95d-b6ad-4858-b1d7-c58ea2316152&affid=111583&searchtype=ds&babsrc=lnkry&q={searchTerms}
uSearch Page = hxxp://feed.helperbar.com/?publisher=OC&dpid=OC&co=US&userid=6ef0b95d-b6ad-4858-b1d7-c58ea2316152&affid=111583&searchtype=ds&babsrc=lnkry&q={searchTerms}
mStart Page = hxxp://start.mysearchdial.com/?f=1&a=adkmsd&cd=2XzuyEtN2Y1L1QzutDtDtByC0ByCyD0C0CyEyEyBtAzzyE0FtN0D0Tzu0CyCyDzytN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu&cr=1549792290&ir=
uProxyOverride = 127.0.0.1:9421;*.local;<local>
uSearchAssistant = hxxp://feed.helperbar.com/?publisher=OC&dpid=OC&co=US&userid=6ef0b95d-b6ad-4858-b1d7-c58ea2316152&affid=111583&searchtype=ds&babsrc=lnkry&q={searchTerms}
uURLSearchHooks: <No Name>: {e7472076-ff9d-4325-8eaf-613572008758} - c:\program files\dictionaryboss\bar\1.bin\v4SrcAs.dll
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: I Want This: {11111111-1111-1111-1111-110011221158} - c:\program files\i want this\I Want This.dll
BHO: Object Browser: {11111111-1111-1111-1111-110311281150} - 
BHO: Plus-HD-2.3: {11111111-1111-1111-1111-110311341126} - 
BHO: weDownload Manager Pro: {11111111-1111-1111-1111-110411361128} - 
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg10\avgssie.dll
BHO: Search Assistant BHO: {58376892-60e7-4f63-aca0-0f686af554d6} - c:\program files\dictionaryboss\bar\1.bin\v4SrcAs.dll
BHO: Toolbar BHO: {6eb534fb-2001-45c4-b860-bc904865a379} - c:\program files\dictionaryboss\bar\1.bin\v4bar.dll
BHO: Fantapper: {8A86D350-37AB-410A-8531-7D1363F317B3} - c:\program files\brand affinity technologies\fantapper player\\IEInstaller.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - 
BHO: Updater For Quizulous: {bd3764dc-af95-4c47-984a-e7997e1d4691} - 
BHO: GreatArcadeHits Add-on: {D0C21091-FF8E-432C-9006-0540E81BA9D7} - c:\users\mario\appdata\local\greatarcadehits\GreatArcadeHitsIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SweetIM Toolbar Helper: {EEE6C35C-6118-11DC-9C72-001320C79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
BHO: mysearchdial Helper Object: {EF5625A3-37AB-4BDB-9875-2A3D91CD0DFD} - c:\program files\mysearchdial\bh\mysearchdial.dll
BHO: AlxHelper Class: {F443A627-5009-4323-9C1D-7FD598D0D712} - c:\program files\amazon browser bar\AmazonBrowserBar.3.0.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: DictionaryBoss: {3042DF7A-E900-4389-9B94-923DF0DAA57E} - c:\program files\dictionaryboss\bar\1.bin\v4bar.dll
TB: att.net Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: DictionaryBoss: {3042df7a-e900-4389-9b94-923df0daa57e} - c:\program files\dictionaryboss\bar\1.bin\v4bar.dll
TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
TB: Amazon Browser Bar: {EA582743-9076-4178-9AA6-7393FDF4D5CE} - c:\program files\amazon browser bar\AmazonBrowserBar.3.0.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - 
TB: mysearchdial Toolbar: {3004627E-F8E9-4E8B-909D-316753CBA923} - c:\program files\mysearchdial\mysearchdialTlbr.dll
uRun: [MyTOSHIBA] "c:\program files\toshiba\my toshiba\MyToshiba.exe" /AUTO
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [Akamai NetSession Interface] "c:\users\jenny\appdata\local\akamai\netsession_win.exe"
uRun: [msnmsgr] ~"c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\users\jenny\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
mRun: [SmoothView] c:\program files\toshiba\smoothview\SmoothView.exe
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60
mRun: [TosWaitSrv] c:\program files\toshiba\tphm\TosWaitSrv.exe
mRun: [Teco] "c:\program files\toshiba\teco\Teco.exe" /r
mRun: [TWebCamera] "c:\program files\toshiba\toshiba web camera application\TWebCamera.exe" autorun
mRun: [SmartFaceVWatcher] c:\program files\toshiba\smartfacev\SmartFaceVWatcher.exe
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Anti-phishing Domain Advisor] "c:\programdata\anti-phishing domain advisor\visicom_antiphishing.exe"
mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [DictionaryBoss Search Scope Monitor] "c:\progra~1\dictio~2\bar\1.bin\v4srchmn.exe" /m=2 /w /h
mRun: [DictionaryBoss Browser Plugin Loader] c:\progra~1\dictio~2\bar\1.bin\v4brmon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [vProt] "c:\program files\avg safeguard toolbar\vprot.exe"
mRun: [YTDownloader] "c:\program files\ytdownloader\YTDownloader.exe" /boot
mRun: [ClearStick] c:\program files\clearwire\clearstick\ClearStick.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: c:\users\jenny\appdata\roaming\micros~1\windows\startm~1\programs\startup\mypcba~1.lnk - c:\program files\mypc backup\MyPC Backup.exe
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: $talisma_url$
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{028D974A-0861-4B2E-9073-DB879C4918CE} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{028D974A-0861-4B2E-9073-DB879C4918CE}\0516071602A4F686E637 : DHCPNameServer = 66.80.131.5 66.80.130.23 192.168.0.1
TCP: Interfaces\{028D974A-0861-4B2E-9073-DB879C4918CE}\144545536363 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{028D974A-0861-4B2E-9073-DB879C4918CE}\D4270224F6E65637 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{028D974A-0861-4B2E-9073-DB879C4918CE}\D4F64756C60263 : DHCPNameServer = 10.128.128.128
TCP: Interfaces\{370D3706-5F13-43DF-B982-40E5816A8F73} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{46873257-4BC6-472A-A56A-B1B2BDB941B3} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{79768233-DEA6-4F8C-B746-1A63A210392F} : DHCPNameServer = 192.168.14.1 64.13.74.12
TCP: Interfaces\{C4539CD7-30F6-40A5-83C2-555C6491A0F3} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{D9147D83-6482-44B2-B5F6-B70017E25CB3} : DHCPNameServer = 192.168.14.1 64.13.74.12
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\17.0.12\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\30.0.1599.101\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-11-12 255968]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-4 297168]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-4 37664]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-6 176128]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 DictionaryBossService;DictionaryBossService;c:\progra~1\dictio~2\bar\1.bin\v4barsvc.exe [2012-3-22 42504]
R2 FTSvc;Fantapper Player Update Service;c:\program files\brand affinity technologies\fantapper player\FantapperUpdateService.exe [2011-12-15 11776]
R2 sbmntr;sbmntr;c:\progra~1\ytdown~1\sbmntr.sys [2013-9-16 50024]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-8-11 185712]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-6-19 12920]
R2 Updater Service for AMZN;Updater Service for AMZN;c:\program files\amazon browser bar\ToolbarUpdaterService.exe [2012-5-22 222368]
R2 vToolbarUpdater17.0.12;vToolbarUpdater17.0.12;c:\program files\common files\avg secure search\vtoolbarupdater\17.0.12\ToolbarUpdater.exe [2013-10-10 1734680]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-5-27 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2009-11-6 7680]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2009-11-6 24064]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\toshiba\rselect\RSelSvc.exe [2009-7-7 62832]
S2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\toolbarupdater.exe --> c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\ToolbarUpdater.exe [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-9 167264]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 GamesAppIntegrationService;GamesAppIntegrationService;c:\program files\wildtangent games\app\GamesAppIntegrationService.exe [2013-10-7 240736]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-10-11 14848]
S3 SMUpd;Search Module Update;c:\program files\common files\goobzo\gbupdate\smu.exe [2013-10-6 1688424]
S3 SMUpdd;Search Module UpdateD;c:\program files\common files\goobzo\gbupdate\smw.sys [2013-10-6 31592]
S3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-11-6 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-8-3 111960]
S3 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-8-6 685424]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-10-11 49664]
S3 usbrndis6;USB RNDIS6 Adapter;c:\windows\system32\drivers\usb80236.sys [2013-4-2 15872]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-3 1343400]
.
=============== File Associations ===============
.
FileExt: .exe: Applications\firefox.exe="c:\program files\mozilla firefox\firefox.exe" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2013-11-08 12:33:25 -------- d-----w- C:\FRST
2013-11-08 12:13:50 136 ----a-w- c:\users\jenny\mseinstall.exe
2013-11-08 12:10:55 2290984 ----a-w- c:\users\jenny\Setup.exe
2013-11-08 12:10:55 1898232 ----a-w- c:\users\jenny\rkill.exe
2013-11-08 12:10:54 13670584 ----a-w- c:\users\jenny\mseinstall (1).exe
2013-11-08 12:10:53 9833328 ----a-w- c:\users\jenny\hitmanpro_x64.exe
2013-11-08 12:10:53 7609104 ----a-w- c:\users\jenny\wet7xp_x86.exe
2013-11-08 12:07:28 106880 ----a-w- c:\users\jenny\SAS_FixEXEfile.com
2013-11-08 12:02:30 2600 ----a-w- c:\users\jenny\exe_fix.reg
2013-11-08 12:02:30 1205 ----a-w- c:\users\jenny\FixNCR.reg
2013-11-08 11:55:49 894600 ----a-w- c:\users\jenny\cbsidlm-cbsi134-HitmanPro_3_32bit-SEO-10895604.exe
2013-11-08 11:54:32 133 ----a-w- c:\users\jenny\Hitmanpro32.exe
2013-11-07 08:27:46 1796096 ----a-w- c:\windows\system32\authui.dll
2013-11-01 10:47:45 -------- d-----w- c:\users\jenny\appdata\local\Installer
2013-10-31 20:15:08 -------- d-----w- c:\program files\RegClean Pro
2013-10-27 05:42:20 -------- d-----w- c:\users\jenny\appdata\local\{7185D56B-1274-4AE3-896B-7ED51EA5E981}
2013-10-26 17:09:44 -------- d-----w- c:\users\jenny\appdata\local\{1C7CCCB2-24DA-483F-AD34-0587EE353034}
2013-10-26 16:28:54 -------- d-----w- c:\program files\iPod
2013-10-26 16:28:53 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-10-25 02:42:50 -------- d-----w- c:\users\jenny\appdata\local\{3A0245DB-D07B-443F-939E-A899B02FA437}
2013-10-25 02:42:49 -------- d-----w- c:\users\jenny\appdata\local\{4A0D76CB-E6C0-43AA-AC21-A33D2AAD07FB}
2013-10-25 02:42:38 -------- d-----w- c:\users\jenny\appdata\roaming\Windows Live Writer
2013-10-25 02:42:38 -------- d-----w- c:\users\jenny\appdata\local\Windows Live Writer
2013-10-21 15:49:31 -------- d-----w- c:\users\jenny\appdata\roaming\mysearchdial
2013-10-21 15:49:28 -------- d-----w- c:\program files\Mysearchdial
2013-10-21 15:19:38 -------- d-----w- c:\users\jenny\appdata\local\{380C0E1A-25B7-49A4-95E0-835EBD7048A7}
2013-10-21 01:24:53 -------- d-----w- c:\users\jenny\appdata\local\Macromedia
2013-10-21 01:19:02 -------- d-----w- c:\users\jenny\appdata\local\Mozilla
2013-10-21 01:07:23 -------- d-----w- c:\users\jenny\appdata\local\{B82D4A1D-0A58-4782-8784-5C7AC05D00BB}
2013-10-20 06:08:24 -------- d-----w- c:\program files\Mozilla Firefox.bak
2013-10-20 06:07:11 -------- d-----w- c:\users\jenny\appdata\roaming\UpdaterEX
2013-10-20 06:05:12 -------- d-----w- c:\program files\Plus-HD-2.3
2013-10-20 05:14:34 -------- d-----w- c:\program files\FFMPEG
2013-10-20 05:10:26 -------- d-----w- c:\programdata\SPEEDbit
2013-10-18 07:04:34 -------- d-----w- c:\windows\en
2013-10-18 06:51:46 94040 ----a-w- c:\program files\common files\windows live\.cache\81663ea81cecbce07\DSETUP.dll
2013-10-18 06:51:46 525656 ----a-w- c:\program files\common files\windows live\.cache\81663ea81cecbce07\DXSETUP.exe
2013-10-18 06:51:46 1691480 ----a-w- c:\program files\common files\windows live\.cache\81663ea81cecbce07\dsetup32.dll
2013-10-18 06:51:22 525656 ----a-w- c:\program files\common files\windows live\.cache\73163f521cecbce01\DXSETUP.exe
2013-10-18 06:51:22 1691480 ----a-w- c:\program files\common files\windows live\.cache\73163f521cecbce01\dsetup32.dll
2013-10-18 06:51:21 94040 ----a-w- c:\program files\common files\windows live\.cache\73163f521cecbce01\DSETUP.dll
2013-10-18 06:50:14 -------- d-----w- c:\users\jenny\appdata\local\Windows Live
2013-10-12 02:33:05 514560 ----a-w- c:\windows\system32\qdvd.dll
2013-10-10 20:14:09 -------- d-----w- c:\program files\Clearwire
2013-10-10 19:20:58 76288 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-10-10 19:20:58 6016 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-10-10 19:20:58 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2013-10-10 19:20:58 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-10-10 19:20:58 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2013-10-10 19:20:58 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2013-10-10 19:20:58 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2013-10-10 14:14:59 -------- d-----w- c:\program files\TornTV.com
2013-10-10 10:39:10 -------- d-----w- c:\users\jenny\appdata\local\AVG SafeGuard toolbar
2013-10-10 08:57:58 86016 ----a-w- c:\windows\system32\drivers\usbcir.sys
2013-10-10 08:57:58 146816 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2013-10-10 08:57:57 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-10-10 08:09:20 -------- d-----w- c:\program files\Object Browser
2013-10-10 08:09:01 -------- d-----w- c:\program files\YTDownloader
2013-10-10 08:08:55 -------- d-----w- c:\programdata\SearchModule
2013-10-10 08:08:51 -------- d-----w- c:\program files\common files\Goobzo
2013-10-10 08:07:56 -------- d-----w- c:\users\jenny\appdata\local\CrashRpt
2013-10-10 08:00:14 -------- d-----w- c:\program files\MyPC Backup
2013-10-10 07:58:48 -------- d-----w- c:\program files\weDownload Manager Pro
2013-10-10 07:58:30 -------- d-----w- c:\program files\Allyrics-2
2013-10-10 07:58:18 -------- d-----w- c:\programdata\AVG SafeGuard toolbar
2013-10-10 07:58:16 -------- d-----w- c:\program files\common files\AVG Secure Search
2013-10-10 07:58:12 -------- d-----w- c:\program files\AVG SafeGuard toolbar
.
==================== Find3M  ====================
.
2013-10-12 07:03:50 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-10-12 07:02:33 2877952 ----a-w- c:\windows\system32\jscript9.dll
2013-10-12 07:02:29 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-10-12 07:02:29 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-10-12 06:08:58 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-10-12 05:15:39 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-10-12 02:03:08 656896 ----a-w- c:\windows\system32\nshwfp.dll
2013-10-12 02:01:41 679424 ----a-w- c:\windows\system32\IKEEXT.DLL
2013-10-12 02:01:25 216576 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2013-10-10 09:22:35 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-10 09:22:35 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-10 07:57:55 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-10-05 19:57:25 1168384 ----a-w- c:\windows\system32\crypt32.dll
2013-10-04 01:58:50 152576 ----a-w- c:\windows\system32\SmartcardCredentialProvider.dll
2013-10-04 01:56:25 168960 ----a-w- c:\windows\system32\credui.dll
2013-10-03 01:58:07 305152 ----a-w- c:\windows\system32\gdi32.dll
2013-09-25 02:01:08 136640 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-09-25 02:01:06 67520 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2013-09-25 01:57:46 99840 ----a-w- c:\windows\system32\sspicli.dll
2013-09-25 01:57:26 22016 ----a-w- c:\windows\system32\secur32.dll
2013-09-25 01:57:24 247808 ----a-w- c:\windows\system32\schannel.dll
2013-09-25 01:56:42 220160 ----a-w- c:\windows\system32\ncrypt.dll
2013-09-25 01:56:02 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2013-09-25 00:49:20 22016 ----a-w- c:\windows\system32\lsass.exe
2013-09-25 00:49:18 15872 ----a-w- c:\windows\system32\sspisrv.dll
2013-09-14 00:48:58 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2013-09-08 02:07:12 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:03:58 231424 ----a-w- c:\windows\system32\mswsock.dll
2013-08-29 01:51:45 3969472 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-29 01:51:45 3914176 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-29 01:50:30 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-08-29 01:50:16 619520 ----a-w- c:\windows\system32\tdh.dll
2013-08-29 01:48:17 640512 ----a-w- c:\windows\system32\advapi32.dll
2013-08-28 01:04:30 2348544 ----a-w- c:\windows\system32\win32k.sys
2013-08-28 00:57:20 434688 ----a-w- c:\windows\system32\scavengeui.dll
.
============= FINISH:  7:17:44.48 ===============
Rkill 2.6.2 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 11/08/2013 02:02:18 PM in x86 mode. (Safe Mode)
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKLM\Software\Classes\exefile\shell\open\command\\IsolatedCommand was changed. It was reset to "%1" %*!
 
  * HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!
 
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)
 
 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Automatic (Delayed Start)
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 11/08/2013 02:04:50 PM
Execution time: 0 hours(s), 2 minute(s), and 31 seconds(s)
 

Edited by mactiegre, 17 November 2013 - 09:48 AM.
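The Rkill output above points at the root cause of the "can't run any .exe" symptom: the `IsolatedCommand` values under `HKLM\Software\Classes\exefile\shell\open\command` and `...\runas\command` had been changed, and the DDS report shows a per-user `[UserChoice]` binding `.exe` to firefox.exe. The script below is an added example, not code from the thread, from Rkill or from DDS: it audits those registry values on a Windows 7 host, reports anything that differs from the Windows default of `"%1" %*`, and optionally restores the defaults. It assumes it is run from an elevated PowerShell prompt; the `-Fix` switch and the file name `Check-ExeFile.ps1` are this example's own, not anything Windows provides.

```powershell
# Added example, not code from the thread or from Rkill/DDS: audit the registry values
# that decide how .exe files launch and report anything that differs from the Windows
# default of "%1" %* . Run from an elevated PowerShell prompt. -Fix is a switch defined
# by this script (an assumption), not a Windows option.
[CmdletBinding()]
param([switch]$Fix)

$Expected = '"%1" %*'

# The keys Rkill reported on (HKLM), plus the per-user key that can shadow them.
# An empty Name means the key's (Default) value.
$Checks = @(
    @{ Path = 'HKLM:\Software\Classes\exefile\shell\open\command';  Name = '' },
    @{ Path = 'HKLM:\Software\Classes\exefile\shell\open\command';  Name = 'IsolatedCommand' },
    @{ Path = 'HKLM:\Software\Classes\exefile\shell\runas\command'; Name = '' },
    @{ Path = 'HKLM:\Software\Classes\exefile\shell\runas\command'; Name = 'IsolatedCommand' },
    @{ Path = 'HKCU:\Software\Classes\exefile\shell\open\command';  Name = '' }
)

$findings = @()
foreach ($c in $Checks) {
    if (-not (Test-Path $c.Path)) { continue }        # the HKCU override is normally absent
    $isDefault = ($c.Name -eq '')
    $actual = (Get-Item $c.Path).GetValue($c.Name)    # '' reads the (Default) value
    # IsolatedCommand is optional and may be missing; a missing (Default) is reported.
    if ($null -eq $actual -and -not $isDefault) { continue }
    if ($actual -ne $Expected) {
        $displayName = '(Default)'
        if (-not $isDefault) { $displayName = $c.Name }
        $findings += [pscustomobject]@{ Path = $c.Path; Name = $displayName; Actual = $actual }
    }
}

# A per-user UserChoice for .exe is absent on a clean Windows 7 system; the DDS report
# in the thread printed "[UserChoice]" next to the firefox.exe association.
$UserChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
if (Test-Path $UserChoice) {
    $findings += [pscustomobject]@{
        Path   = $UserChoice
        Name   = 'Progid'
        Actual = (Get-ItemProperty -Path $UserChoice).Progid
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'exefile associations match the Windows defaults.'
    return
}
$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        if ($f.Path -eq $UserChoice) {
            # Remove the per-user override so the HKLM exefile handler applies again.
            Remove-Item -Path $UserChoice -Recurse -Force
        } else {
            Set-ItemProperty -Path $f.Path -Name $f.Name -Value $Expected
        }
    }
    Write-Output 'Defaults restored; sign out and back in (or restart) so Explorer picks them up.'
}
```

Run `.\Check-ExeFile.ps1` to audit only, and `.\Check-ExeFile.ps1 -Fix` to restore. The check deliberately flags any value other than the exact default, so a legitimate third-party launcher that wraps exefile would also be listed; read the table before using `-Fix`. If PowerShell itself will not start because of the hijack, the same values can be inspected and reset from Regedit, which the original post notes still opens.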



 


#2 mactiegre

mactiegre
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Location:Austin, TX
  • Local time:06:49 PM

Posted 16 November 2013 - 10:45 AM

The system date and time on the infected computer is wrong. Now it says 8:10am Nov 8, 2013. 



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:49 PM

Posted 21 November 2013 - 10:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download these tools using a good computer and copy the files to the Desktop of the problem computer.

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32-bit or RogueKiller for 64-bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
==============

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM.

Let me know what problem persists.

#4 mactiegre

  • Topic Starter

Posted 21 November 2013 - 03:29 PM

hello nasdaq. I understand your instructions, but I was waiting for this reply to avoid bumping the orig post.

I have new data and 3 questions.

1) NEW: I did try running AdwCleaner and FixExec.com since I posted the above, but I had to rename AdwCleaner.exe to .com and run it from a command.com window. Didn't help. Do I still need to run AdwCleaner again after RogueKiller? Never mind - see next response.

2) I ran DDS again after the AdwCleaner and have new logs. Do you want me to post these before running RogueKiller? Never mind.

3) If I cannot run any EXE from desktop by double-clicking, will I be able to run an EXE from desktop using Run as Administrator? If not, what, rename to .com? Never mind.

And I should inform you I also tried using Recovery mode to restore from the oldest restore point, but it failed and made no changes. Looked like the restore point was bogus and was about the time of the infection. The owner told me recently the system date and time appeared to have been modified by the infection.

Update - When I right click on the RogueKiller.exe on desktop, there is no Run as Administrator option and opening it didn't work. So I renamed it to .com and ran it.

Collecting info, will post. Also, ControlPanel>UninstallPrograms fails on MySearchDial uninstall. Got errors.

Thank you.


Edited by mactiegre, 21 November 2013 - 11:25 PM.


#5 mactiegre

  • Topic Starter

Posted 21 November 2013 - 10:13 PM

Nasdaq, thank you, but there doesn't seem to be any change. .exes still won't run and I can't launch any programs or browsers except command.com and Computer and Control Panel from the right side of the start menu. Unable to use Run as Administrator. Option not shown.

MySearchDial no longer shows up in the list of installed programs on Programs and Features > Uninstall Programs.

Steps performed

 1) Ran RogueKiller (renamed as .com). Couldn't find an RKReport[1] file; RKReport[0] D... (newest date) attached below. RKReport[0] S... was also created.

 2) Downloaded new AdwCleaner (renamed .com). Report AdwCleaner[S1] attached below (AdwCleaner[R1] also created, not attached).

 3) Unable to terminate the AVG virus program using avggui.exe (running from a command.com window in the Progra~1\AVG\AVG10 folder) > advanced option > temporary halt AVG; got errors.

 3b) Unable to kill any AVG* task using the command line TaskKill /F /FI Imagename eq avg*; errors: access denied.

 3c) Unable to stop AVG from running by:

        - Booting safe mode

        - Moving all the AVG*.sys files and files from the AVG folder from Windows\system32\drivers to a thumb drive.

        - Rebooting

 Did not run JRT.exe since I could not stop AVG - waiting for reply.

 

RogueKiller V8.7.8 [Nov 14 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Jenny [Admin rights]
Mode : Remove -- Date : 11/13/2013 18:36:13
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] GreatArcadeHits.job : C:\Users\Mario\AppData\Local\GreatArcadeHits\GAHUpdate.exe [7] -> DELETED
[V2][SUSP PATH] GreatArcadeHits : C:\Users\Mario\AppData\Local\GreatArcadeHits\GAHUpdate.exe [7] -> DELETED
[V2][SUSP PATH] IHUninstallTrackingTASK : CMD - /C DEL C:\windows\TEMP\IHU2866.tmp.exe [x][x] -> DELETED
[V2][SUSP PATH] SMW_UpdateTask_Time_323638393937333838332d3437415a556c2a3223346c41 : wscript.exe - //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 [x][-][x] -> DELETED
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) TOSHIBA MK3263GSX ATA Device +++++
--- User ---
[MBR] e2a42df7b920a2480088166d36acef33
[BSP] 2273afcae0e45151daed3637a2b7886d : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 295636 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 608536576 | Size: 8108 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_11132013_183613.txt >>
RKreport[0]_S_11132013_182511.txt
 
# AdwCleaner v3.012 - Report created 13/11/2013 at 18:42:28
# Updated 11/11/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : Jenny - JENNY-PC
# Running from : C:\Users\Jenny\Desktop\adwcleaner.com
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\Jenny\AppData\Local\Google\Chrome\User Data\Default\Extensions\bicnnkjibmphdeigoodpjlcklcnaobdj
Folder Deleted : C:\Users\Mario\AppData\Local\Google\Chrome\User Data\Default\Extensions\bicnnkjibmphdeigoodpjlcklcnaobdj
Folder Deleted : C:\Users\Jenny\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Folder Deleted : C:\Users\Mario\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Folder Deleted : C:\Users\Jenny\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Folder Deleted : C:\Users\Mario\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Folder Deleted : C:\Users\Jenny\AppData\Local\Google\Chrome\User Data\Default\Extensions\pflphaooapbgpeakohlggbpidpppgdff
Folder Deleted : C:\Users\Mario\AppData\Local\Google\Chrome\User Data\Default\Extensions\pflphaooapbgpeakohlggbpidpppgdff
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16736
 
 
-\\ Mozilla Firefox v
 
[ File : C:\Users\Jenny\AppData\Roaming\Mozilla\Firefox\Profiles\e94nebgi.default\prefs.js ]
 
 
[ File : C:\Users\Jenny\AppData\Roaming\Mozilla\Firefox\Profiles\extensions\prefs.js ]
 
 
[ File : C:\Users\Mario\AppData\Roaming\Mozilla\Firefox\Profiles\k6um9o7e.default\prefs.js ]
 
 
-\\ Google Chrome v31.0.1650.57
 
[ File : C:\Users\Jenny\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Users\Mario\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [54840 octets] - [10/11/2013 17:55:43]
AdwCleaner[R1].txt - [2254 octets] - [13/11/2013 18:39:35]
AdwCleaner[S0].txt - [54720 octets] - [10/11/2013 18:00:48]
AdwCleaner[S1].txt - [2191 octets] - [13/11/2013 18:42:28]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2251 octets] ##########
 

Edited by mactiegre, 21 November 2013 - 10:20 PM.


#6 nasdaq

  • Malware Response Team

Posted 22 November 2013 - 09:42 AM


File Association Fixer for Windows 7 & Vista Released
Download and run this program.
http://www.thewindowsclub.com/file-association-fixer-for-windows-7-vista-released

If that fails to restore your file association, run this tool. You may have to change the extension of the program to .com.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :reg
    HKLM\Software\Classes\exefile\shell\open\command /sub

    HKLM\Software\Classes\exefile\shell\runas\command /sub

    HKCU\Software\Classes\exefile\shell\open\command /sub

    HKCU\Software\Classes\exefile\shell\open\command /sub
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.


#7 mactiegre

  • Topic Starter

Posted 22 November 2013 - 09:56 AM

Hello nasdaq, thank you for your super recommendations. I understand your instructions perfectly. 

 

I have two questions before I complete the new instructions: 

 

1) Should I still run the JRT.exe program? Will it do any harm if I do? 

 

2) Should I copy the .sys and AVG folder files I deleted from Windows\System32\drivers\ back to the HDD before (or after) running the file association fixer? 

 

Also, FYI - I plan to uninstall AVG and install MBAM-setup if the steps above restore normal operation. 

 

Thanks,

Mac



#8 nasdaq

  • Malware Response Team

Posted 22 November 2013 - 11:11 AM

1) Should I still run the JRT.exe program? Will it do any harm if I do?
You can do this scan at any time.

2) Should I copy the .sys and AVG folder files I deleted from Windows\System32\drivers\ back to the HDD before (or after) running the file association fixer?
Do not know what you deleted. Restore them and will take it from there.

Also, FYI - I plan to uninstall AVG and install MBAM-setup if the steps above restore normal operation
You should keep AVG. MBAM is for protection against unwanted malware programs. AVG is for your virus protection.
They work well together.

#9 mactiegre

  • Topic Starter

Posted 22 November 2013 - 12:39 PM

Hello nasdaq,

Let me clarify about the AVG and JRT question.

Your 1st set of instructions for running JRT.EXE included this step:

  • Please close your security software to avoid potential conflicts.

 before running JRT. I considered AVG a security software component and tried to disable it but couldn't. Since AVG wouldn't run its own advanced option to disable it, and I couldn't kill the process on the tasklist, I deleted some .sys files from the drivers folder not realizing that the driver was probably already installed and deleting the files there wouldn't do any good. 

 

Do I still need to disable AVG before running JRT.EXE? 

 

Regards,

Mac



#10 nasdaq

  • Malware Response Team

Posted 22 November 2013 - 02:17 PM

I do not think so, but you never know when a new version of protection software will prevent it from running.

We do have to remind them of such incidents.

#11 mactiegre

  • Topic Starter

Posted 22 November 2013 - 10:11 PM

Hello nasdaq.
 
We still have problems and a new unexpected problem. Systemlook results pasted below. 
 
I downloaded and failed to run the Win7 version of FileAssociationFixer on the infected machine, but it looks like their page has been hijacked because the download link went to this link, which downloaded a suspicious setup.exe file. htxxtp://www.anyprotect.com/lp/adw/home/scanner/ap_lp3.html?utm_source=GWA&utm_medium=dis&utm_term=free_download&utm_content=GreenMinTxtFD_300x250&utm_campaign=APUSADLcontent&gclid=CN2Gg4vt-boCFUVp7AodsmEATA
 
So I decided to try installing it on my PC and guess what, it started to install the known malware MySearchDial and would not let me abort the install, thankfully I was able to kill it before it got installed and ran some scans on my machine. Luckily they ran clean. It wouldn't run on the infected machine even if I renamed it to setup.com because it apparently attempted to run other .exe programs as part of the setup.  
 
I downloaded an older version of FileAssociationFixer in a .ZIP, renamed it .com, but it had no option for fixing .exe so I closed it. 
I tried running FixExec.com again. No help. 
PS. I can run FixNCR.reg but get errors running exe_fix.reg in normal mode and safe mode. But it ran OK using the Recovery mode command window. But the system is still not working and SystemLook gave the same results.
Also JRT.exe will not run renamed as a .com from desktop or from a command.com window because it tries to launch cmd.exe, which fails.
 
Thank you for working on this.
Mac 
 
 
SystemLook 30.07.11 by jpshortstuff
Log created at 18:59 on 14/11/2013 by Jenny
Administrator - Elevation successful
 
========== reg ==========
 
[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@=""%1" %*"
"IsolatedCommand"=""%1" %*"
 
 
[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\runas\command]
@=""%1" %*"
"IsolatedCommand"=""%1" %*"
 
 
[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
(Unable to open key - key not found)
 
[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
(Unable to open key - key not found)
 
-= EOF =-

Edited by nasdaq, 23 November 2013 - 09:05 AM.
Bad link obfuscated.
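The SystemLook dump above can be triaged mechanically. This added script (not from the thread, SystemLook or Rkill) parses the `:reg` output format shown in the post and flags the two things a helper looks for here: a command value that is not the default `"%1" %*`, and a per-user HKCU exefile key that Windows does not create on its own. The hijacked sample is constructed, with a placeholder path rather than a real indicator.

```python
r"""Triage the exefile association keys from a SystemLook ':reg' dump.

Added example for this thread, not part of SystemLook, Rkill or the post.
It reads the format SystemLook prints for ':reg <key> /sub' queries and
reports anything under exefile\shell\open\command or \runas\command that
would run something other than the .exe the user double-clicked.
"""
import re
from dataclasses import dataclass

# Windows default for both command keys: run the clicked file, pass its args.
EXPECTED = '"%1" %*'
MISSING = '(Unable to open key - key not found)'
KEY_RE = re.compile(r'^\[(HKEY_[A-Z_]+)\\(.+)\]$')
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reason: str


def parse_systemlook_reg(text):
    """Map each dumped key to {value_name: data}; None if reported not found."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1) + '\\' + m.group(2)
            keys[current] = {}
            continue
        if current is None:
            continue
        if line == MISSING:
            keys[current] = None
            continue
        m = VALUE_RE.match(line)
        if m and keys[current] is not None:
            name = '(Default)' if m.group(1) == '@' else m.group(1).strip('"')
            data = m.group(2)
            # SystemLook wraps string data in one extra pair of quotes; the
            # quotes around %1 inside are part of the real registry data.
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1]
            keys[current][name] = data
    return keys


def triage_exefile(keys):
    """Return a Finding for every exefile command entry worth a second look."""
    findings = []
    for key, values in keys.items():
        hive, path = key.split('\\', 1)
        if 'exefile\\shell' not in path.lower() or values is None:
            continue
        if hive == 'HKEY_CURRENT_USER':
            # Windows does not create a per-user exefile class by default, and
            # HKCU\Software\Classes wins over HKLM in the merged HKCR view, so
            # its presence alone needs explaining.
            findings.append(Finding(key, '*', '', 'per-user exefile override present'))
        for name, data in values.items():
            if data != EXPECTED:
                findings.append(Finding(key, name, data, 'not the default "%1" %*'))
    return findings


# Sample 1: the clean result posted in the thread.
CLEAN_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@=""%1" %*"
"IsolatedCommand"=""%1" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\runas\command]
@=""%1" %*"
"IsolatedCommand"=""%1" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
(Unable to open key - key not found)
"""

# Sample 2: constructed hijacked dump; the path is a placeholder, not an IoC.
HIJACKED_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@=""C:\ProgramData\EXAMPLE\placeholder.exe" -a "%1" %*"
"IsolatedCommand"=""%1" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@=""%1" %*"
"""

if __name__ == '__main__':
    for label, log in (('clean', CLEAN_LOG), ('hijacked', HIJACKED_LOG)):
        for f in triage_exefile(parse_systemlook_reg(log)):
            print(f'{label}: {f.key} [{f.name}] {f.data!r} -> {f.reason}')
```

On the clean sample it reports nothing; on the constructed one it reports the rewritten default value and the stray HKCU key.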


#12 nasdaq

  • Malware Response Team

Posted 23 November 2013 - 09:08 AM

I downloaded and failed to run the Win7 version of FileAssocationFixer on the infected machine but it looks like their page has been hijacked because the download link went to this link which downloaded a suspicious setup.exe

I tried the link I gave you and did not get redirected. There is still some work to do to eliminate this redirect. Which browser did you use when trying to download the file?

Also JRT.exe will not run renamed as a .com from desktop or from a command.com window because it tries to launch the cmd.exe will fails.


From the Start > RUN box execute cmd.exe

Let me know if you get to a DOS PROMPT or get an error message.

#13 mactiegre

  • Topic Starter

Posted 23 November 2013 - 10:01 AM

It looks now like my Win7-x64 desktop PC has been infected. Luckily I backed up my important files a few days ago.

Is there something I can do to fix the HKCU registry issue on my friend's laptop?

 

There is no RUN on my Start menu. But I can launch CMD.exe and it opens a Command window OK. I always have CMD.exe pinned to my start menu. 

I had used my Chrome browser to download and unzip the FileAssociationFixer.ZIP and the files from the link that was redirected. 

As I was typing this response to your post on my desktop, my computer began logging off on its own.

I logged back in and ran RKILL as administrator from desktop, and here is the log. I sent the log to my Win x64 laptop by opening IE and using email. I am typing this on my laptop.

On my desktop, I checked the IE internet settings > manage Add-ons and found nothing suspicious. I haven't tried chrome yet. I also have the DDS log. Will attach below. And I checked Chrome advanced settings and didn't see any bad add-ons or home pages or search engines. 

 

More new info. I used my laptop to open your FileAssociationFixer link in CHROME on my laptop which has never had any files from the infected PCs, and clicking download latest (on the advertisement by mistake) goes to a different page, but when I select my OS and site, it downloads 7-zip.exe and my download security flagged it as suspicious from this link. http://www.download-21.com/7zip/21/content/rbqi/18/7zip.html#

 

Program started at: 11/23/2013 08:42:36 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * C:\Windows\SysWOW64\WinMsgBalloonServer.exe (PID: 3848) [WD-HEUR]
 * C:\Windows\SysWOW64\WinMsgBalloonClient.exe (PID: 3872) [WD-HEUR]
2 proccesses terminated!
Checking Registry for malware related settings:
 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]
Backup Registry file created at:
 C:\Users\mactiegre\Desktop\rkill\rkill-11-23-2013-08-42-59.reg
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKCU\SOFTWARE\Classes\.com "@" exists and is set to !
  * HKCU\SOFTWARE\Classes\.com has been deleted!
Performing miscellaneous checks:
 * No issues found.
Checking Windows Service Integrity:
 * No issues found.
Searching for Missing Digital Signatures:
 * No issues found.
Checking HOSTS File:
 * No issues found.
Program finished at: 11/23/2013 08:44:58 AM

Execution time: 0 hours(s), 2 minute(s), and 21 seconds(s)


Edited by mactiegre, 23 November 2013 - 01:30 PM.


#14 mactiegre

  • Topic Starter

Posted 23 November 2013 - 10:15 AM

DDS log on my Win7x64 desktop:
[2012-12-10 112080] S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560] S3 lvpopf64;Logitech POP Suppression Filter;C:\Windows\System32\drivers\lvpopf64.sys [2010-5-7 271712] S3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\System32\drivers\LVPr2M64.sys [2010-5-7 30304] S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [2013-9-6 288776] S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136] S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-27 59392] S3 usbcamcl;Driver for video Device;C:\Windows\System32\drivers\usbcamcl.sys [2010-11-26 54216] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-7-15 1255736] . =============== Created Last 30 ================ . 2013-11-23 14:41:30 -------- d-----w- C:\Program Files\HitmanPro 2013-11-23 12:53:56 10285968 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AA608B49-6463-4958-84B1-5BD365A402B6}\mpengine.dll 2013-11-22 12:54:52 10285968 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2013-11-22 05:15:50 -------- d-----w- C:\Users\mactiegre\AppData\Local\{61F37C6A-D72F-4090-B3F5-874C069E94DC} 2013-11-20 05:27:16 -------- d-----w- C:\Program Files\McAfee Security Scan 2013-11-19 13:02:59 -------- d-----w- C:\ProgramData\McAfee Security Scan 2013-11-12 19:09:45 1474048 ----a-w- C:\Windows\System32\crypt32.dll 2013-11-09 23:09:49 736952 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll 2013-11-09 06:00:53 -------- d-----w- C:\Users\mactiegre\AppData\Local\{D80DC49C-E78D-438F-9E7A-EFB2F15E5851} 2013-11-07 02:16:56 -------- d-----w- C:\Users\mactiegre\AppData\Local\HP MediaSmart Video 2013-11-07 01:52:42 -------- d-----w- 
C:\Users\mactiegre\AppData\Local\{C9C54730-DE23-4507-AD2F-4EC049F1ED32} 2013-11-06 17:11:40 965000 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{74BEE724-3133-43B7-B4CD-082FC72EC328}\gapaengine.dll . ==================== Find3M ==================== . 2013-11-19 13:02:50 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 2013-11-19 13:02:50 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe 2013-11-19 10:21:41 267936 ------w- C:\Windows\System32\MpSigStub.exe 2013-10-12 08:45:20 2241536 ----a-w- C:\Windows\System32\wininet.dll 2013-10-12 08:43:37 3959808 ----a-w- C:\Windows\System32\jscript9.dll 2013-10-12 08:43:32 67072 ----a-w- C:\Windows\System32\iesetup.dll 2013-10-12 08:43:32 136704 ----a-w- C:\Windows\System32\iesysprep.dll 2013-10-12 07:03:50 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll 2013-10-12 07:02:33 2877952 ----a-w- C:\Windows\SysWow64\jscript9.dll 2013-10-12 07:02:29 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll 2013-10-12 07:02:29 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll 2013-10-12 06:35:26 2706432 ----a-w- C:\Windows\System32\mshtml.tlb 2013-10-12 06:08:58 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb 2013-10-12 05:44:38 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe 2013-10-12 05:15:39 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe 2013-10-12 02:30:42 830464 ----a-w- C:\Windows\System32\nshwfp.dll 2013-10-12 02:29:21 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL 2013-10-12 02:29:08 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL 2013-10-12 02:03:08 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll 2013-10-12 02:01:25 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL 2013-10-05 19:57:25 1168384 ----a-w- C:\Windows\SysWow64\crypt32.dll 2013-10-04 02:28:31 190464 ----a-w- C:\Windows\System32\SmartcardCredentialProvider.dll 2013-10-04 02:25:17 197120 ----a-w- C:\Windows\System32\credui.dll 2013-10-04 02:24:49 1930752 ----a-w- C:\Windows\System32\authui.dll 2013-10-04 01:58:50 152576 
----a-w- C:\Windows\SysWow64\SmartcardCredentialProvider.dll 2013-10-04 01:56:25 168960 ----a-w- C:\Windows\SysWow64\credui.dll 2013-10-04 01:56:00 1796096 ----a-w- C:\Windows\SysWow64\authui.dll 2013-10-03 02:23:48 404480 ----a-w- C:\Windows\System32\gdi32.dll 2013-10-03 02:00:44 311808 ----a-w- C:\Windows\SysWow64\gdi32.dll 2013-09-28 01:09:10 497152 ----a-w- C:\Windows\System32\drivers\afd.sys 2013-09-27 15:53:06 248240 ----a-w- C:\Windows\System32\drivers\MpFilter.sys 2013-09-27 15:53:06 134944 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys 2013-09-25 02:26:40 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys 2013-09-25 02:26:40 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys 2013-09-25 02:23:33 28672 ----a-w- C:\Windows\System32\sspisrv.dll 2013-09-25 02:23:33 135680 ----a-w- C:\Windows\System32\sspicli.dll 2013-09-25 02:23:01 28160 ----a-w- C:\Windows\System32\secur32.dll 2013-09-25 02:22:59 340992 ----a-w- C:\Windows\System32\schannel.dll 2013-09-25 02:21:50 307200 ----a-w- C:\Windows\System32\ncrypt.dll 2013-09-25 02:21:07 1447936 ----a-w- C:\Windows\System32\lsasrv.dll 2013-09-25 01:58:17 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll 2013-09-25 01:57:26 22016 ----a-w- C:\Windows\SysWow64\secur32.dll 2013-09-25 01:57:24 247808 ----a-w- C:\Windows\SysWow64\schannel.dll 2013-09-25 01:56:42 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll 2013-09-25 01:03:24 30720 ----a-w- C:\Windows\System32\lsass.exe 2013-09-08 02:30:37 1903552 ----a-w- C:\Windows\System32\drivers\tcpip.sys 2013-09-08 02:27:14 327168 ----a-w- C:\Windows\System32\mswsock.dll 2013-09-08 02:03:58 231424 ----a-w- C:\Windows\SysWow64\mswsock.dll 2013-09-04 12:12:11 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys 2013-09-04 12:11:51 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys 2013-09-04 12:11:49 99840 ----a-w- C:\Windows\System32\drivers\usbccgp.sys 2013-09-04 12:11:43 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys 2013-09-04 12:11:43 30720 ----a-w- 
C:\Windows\System32\drivers\usbuhci.sys 2013-09-04 12:11:42 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys 2013-09-04 12:11:40 7808 ----a-w- C:\Windows\System32\drivers\usbd.sys 2013-08-29 02:17:48 5549504 ----a-w- C:\Windows\System32\ntoskrnl.exe 2013-08-29 02:16:35 1732032 ----a-w- C:\Windows\System32\ntdll.dll 2013-08-29 02:16:28 243712 ----a-w- C:\Windows\System32\wow64.dll 2013-08-29 02:16:14 859648 ----a-w- C:\Windows\System32\tdh.dll 2013-08-29 02:13:28 878080 ----a-w- C:\Windows\System32\advapi32.dll 2013-08-29 01:51:45 3969472 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe 2013-08-29 01:51:45 3914176 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe 2013-08-29 01:50:31 5120 ----a-w- C:\Windows\SysWow64\wow32.dll 2013-08-29 01:50:30 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll 2013-08-29 01:50:16 619520 ----a-w- C:\Windows\SysWow64\tdh.dll 2013-08-29 01:48:17 640512 ----a-w- C:\Windows\SysWow64\advapi32.dll 2013-08-29 01:48:15 44032 ----a-w- C:\Windows\apppatch\acwow64.dll 2013-08-29 00:49:53 25600 ----a-w- C:\Windows\SysWow64\setup16.exe 2013-08-29 00:49:52 7680 ----a-w- C:\Windows\SysWow64\instnm.exe 2013-08-29 00:49:52 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll 2013-08-29 00:49:49 2048 ----a-w- C:\Windows\SysWow64\user.exe 2013-08-28 01:21:06 3155968 ----a-w- C:\Windows\System32\win32k.sys 2013-08-28 01:12:33 461312 ----a-w- C:\Windows\System32\scavengeui.dll . ============= FINISH: 9:04:49.72 ===============

#15 mactiegre (Topic Starter)

Posted 23 November 2013 - 11:52 AM

FYI - On the new infection (Desktop) I ran the full scan on the thumb drive and removed all the adware and PUPs, which generated this log. HitmanPro x64 found 137 threats. Log attached below. Nothing was altered because the trial had expired. Ran MBAM full on all drives. 17 threats. Log attached below.

Good news: my laptop ran a clean MBAM quick scan.

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.23.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16736
mactiegre :: MC4GOLF2 [administrator]

Protection: Enabled

11/23/2013 10:43:47 AM
mbam-log-2013-11-23 (10-43-47).txt

Scan type: Full scan (J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198770
Time elapsed: 1 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 8
HKCR\ClickPotatoLiteAx.Info (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\ClickPotatoLiteAx.Info.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\DataMngr_Toolbar (PUP.Optional.DataMngr.A) -> Quarantined and deleted successfully.
HKCU\Software\DataMngr (PUP.Optional.DataMngr.A) -> Quarantined and deleted successfully.
HKCU\Software\BabSolution\Updater (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings (PUP.Optional.BProtector.A) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|bProtector Start Page (PUP.BProtector) -> Data:  -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes|bProtectorDefaultScope (PUP.BProtector) -> Data: {D616DA98-330C-4713-A2A8-D893823F9FE3} -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Mozilla\Firefox\extensions|ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Data: C:\Program Files (x86)\ClickPotatoLite\bin\10.0.646.0\firefox\extensions -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 11
C:\Users\mactiegre\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> No action taken.
C:\Users\mactiegre\AppData\Roaming\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.646.0 (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.646.0\firefox (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.646.0\firefox\extensions (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.646.0\firefox\extensions\plugins (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Roaming\File Scout (PUP.Optional.FileScout.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Temp\ct3288691 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Temp\ct3297861 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Files Detected: 10
C:\Users\mactiegre\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> No action taken.
C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\bprotector web data (PUP.Optional.BProtector.A) -> No action taken.
C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\bprotectorpreferences (PUP.Optional.BProtector.A) -> No action taken.
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.646.0\firefox\extensions\install.rdf (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Roaming\File Scout\filescout.exe (PUP.Optional.FileScout.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Roaming\File Scout\uninst.exe (PUP.Optional.FileScout.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Temp\ct3288691\chromeid.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Temp\ct3288691\setup.ini.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Temp\ct3297861\chromeid.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Temp\ct3297861\setup.ini.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.23.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16736
mactiegre :: MC4GOLF2 [administrator]

Protection: Enabled

11/23/2013 10:56:44 AM
mbam-log-2013-11-23 (10-56-44).txt

Scan type: Full scan (C:\|D:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 608256
Time elapsed: 1 hour(s), 55 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\mactiegre\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.

Files Detected: 20
C:\Users\mactiegre\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1BNSJKUF\checktbexist[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3T5YA54Q\pack[1].7z (PUP.Optional.BProtector) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83QNLOLE\pack[1].7z (PUP.Optional.BProtector) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CM352876\pack[1].7z (PUP.Optional.BProtector) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DGZLASDU\pack[1].7z (PUP.Optional.PerformerSoft.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JDEQ1U9C\pack[1].7z (PUP.Optional.PerformerSoft.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Temp\5C66.tmp (PUP.Optional.FileScout.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Temp\9B11.tmp (PUP.Optional.PerformerSoft.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Temp\B33F.tmp (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Temp\D5B.tmp (PUP.Optional.PerformerSoft.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Temp\setup_fsu_cid.exe (Trojan.Sefnit) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Temp\01329E6E-BAB0-7891-B99B-D5D34456E341\Latest\Setup.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Roaming\SpringPublisher\MyBabylonTB.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\Downloads\SoftonicDownloader_for_electronic-piano.exe (PUP.Optional.Softonic.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\Downloads\SoftonicDownloader_for_is-contact.exe (PUP.Optional.Softonic.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\Downloads\sp_setup.msi (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Windows\Installer\16ddfee2.msi (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\bprotector web data (PUP.Optional.BProtector.A) -> Quarantined and deleted successfully.
C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\bprotectorpreferences (PUP.Optional.BProtector.A) -> Quarantined and deleted successfully.

(end)

HitmanPro 3.7.8.208
www.hitmanpro.com
   Computer name . . . . : MC4GOLF2
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : MC4GOLF2\mactiegre
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (Expired)
   Scan date . . . . . . : 2013-11-23 10:57:13
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 12m 27s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
   Threats . . . . . . . : 3
   Traces  . . . . . . . : 129
   Objects scanned . . . : 2,194,156
   Files scanned . . . . : 132,870
   Remnants scanned  . . : 927,342 files / 1,133,944 keys
Malware _____________________________________________________________________
   C:\Users\mactiegre\AppData\Local\Temp\9B11.tmp
      Size . . . . . . . : 1,650,080 bytes
      Age  . . . . . . . : 69.1 days (2013-09-15 08:40:22)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : 3B571793821AC9B460D4816D14BEDDBA734FBB74C24D1EF10CE19B8DEB8B27AB
      Description
      Version  . . . . . : 2.6.1673.238
      Copyright
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
    > G Data . . . . . . : Gen:Variant.Adware.BHO.Bprotector.1
    > Kaspersky  . . . . : Trojan-Downloader.Win32.MultiDL.r
      Fuzzy  . . . . . . : 108.0
   C:\Users\mactiegre\AppData\Local\Temp\D5B.tmp
      Size . . . . . . . : 1,656,896 bytes
      Age  . . . . . . . : 45.6 days (2013-10-08 21:14:48)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : A7ACA1FF7F76766E424B07E44D55CC7FCEB9AFC97BD3AEC45B8B634D23F27C2E
      Description
      Version  . . . . . : 2.6.1694.246
      Copyright
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
    > G Data . . . . . . : Gen:Variant.Adware.BHO.Bprotector.1
    > Bitdefender  . . . : Gen:Variant.Adware.BHO.Bprotector.1
    > Kaspersky  . . . . : HEUR:Trojan.Win32.Generic
      Fuzzy  . . . . . . : 108.0
   C:\Users\mactiegre\AppData\Local\Temp\setup_fsu_cid.exe
      Size . . . . . . . : 251,299 bytes
      Age  . . . . . . . : 143.8 days (2013-07-02 14:59:05)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : D101DE2F14EEDC021957AB651F336F95E2B401B58C478AF816EA3C6A4D92A572
    > Bitdefender  . . . : Trojan.Downloader.JQAC
    > Kaspersky  . . . . : Trojan-Downloader.Win32.MultiDL.c
      Fuzzy  . . . . . . : 116.0

Potential Unwanted Programs _________________________________________________
   C:\Program Files (x86)\Ask.com\ (AskBar)
   C:\Program Files (x86)\Ask.com\cb_3fce.ico (AskBar)
   C:\Program Files (x86)\Ask.com\cobrand.ico (AskBar)
   C:\Program Files (x86)\Ask.com\config.xml (AskBar)
   C:\Program Files (x86)\Ask.com\favicon.ico (AskBar)
   C:\Program Files (x86)\Ask.com\fv_3ec4.ico (AskBar)
   C:\Program Files (x86)\Ask.com\mupcfg.xml (AskBar)
   C:\ProgramData\Babylon\ (Babylon)
   C:\Users\mactiegre\AppData\Local\AskToolbar\ (AskBar)
   C:\Users\mactiegre\AppData\Local\AskToolbar\Downloaded Program Files\ (AskBar)
   C:\Users\mactiegre\AppData\Local\AskToolbar\Downloaded Program Files\xaddon.inf (AskBar)
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\bprotector web data (Claro)
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\bprotectorpreferences (Claro)
   C:\Users\mactiegre\AppData\LocalLow\AskToolbar\ (AskBar)
   C:\Users\mactiegre\AppData\LocalLow\AskToolbar\cache.dat (AskBar)
   C:\Users\mactiegre\AppData\LocalLow\AskToolbar\config.xml (AskBar)
   C:\Users\mactiegre\AppData\LocalLow\AskToolbar\xaddon.cab (AskBar)
   C:\Users\mactiegre\AppData\Roaming\Babylon\ (Babylon)
   C:\Users\mactiegre\AppData\Roaming\Babylon\log_file.txt (Babylon)
   C:\Users\mactiegre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BitGuard\ (SpeedUpMyPC)
   C:\Users\mactiegre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BitGuard\Uninstall BitGuard.lnk (SpeedUpMyPC)
   C:\Users\mactiegre\Local Settings\Temp\AskSearch\ (AskBar)
   C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ (AskBar)
   C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\1033.MST (AskBar)
   C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe (AskBar)
      Size . . . . . . . : 102,400 bytes
      Age  . . . . . . . : 1227.5 days (2010-07-14 22:26:10)
      Entropy  . . . . . : 6.1
      SHA-256  . . . . . : 092D64E5DB4FA21D6719B3A6A30AD06A2CB0E1F897357CD4935BECA52E921274
      Product  . . . . . : InstallShield
      Publisher  . . . . : Acresso Software Inc.
      Description  . . . : InstallShield
      Version  . . . . . : 16.0.328
      Copyright  . . . . : Copyright (C) 2009 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved.
      Fuzzy  . . . . . . : 0.0
   HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1\ (AskBar)
   HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd\ (AskBar)
   HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9\ (AskBar)
   HKLM\SOFTWARE\Classes\Prod.cap\ (Claro)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF\ (AskBar)
   HKLM\SOFTWARE\Wow6432Node\Babylon\ (Babylon)
   HKLM\SOFTWARE\Wow6432Node\DataMngr\ (SearchQU)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}\ (AskBar)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{D4027C7F-154A-4066-A1AD-4243D8127440} (AskBar)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ (AskBar)
   HKU\.DEFAULT\Software\DataMngr\ (SearchQU)
   HKU\.DEFAULT\Software\DataMngr_Toolbar\ (SearchQU)
   HKU\S-1-5-18\Software\DataMngr\ (SearchQU)
   HKU\S-1-5-18\Software\DataMngr_Toolbar\ (SearchQU)
   HKU\S-1-5-21-2136001761-1572149564-658252675-1000\Software\AppDataLow\AskToolbarInfo\ (AskBar)
   HKU\S-1-5-21-2136001761-1572149564-658252675-1000\Software\Ask.com\ (AskBar)
   HKU\S-1-5-21-2136001761-1572149564-658252675-1000\Software\AskToolbar\ (AskBar)
   HKU\S-1-5-21-2136001761-1572149564-658252675-1000\Software\BabSolution\ (SpeedUpMyPC)
   HKU\S-1-5-21-2136001761-1572149564-658252675-1000\Software\Conduit\ (Conduit)
   HKU\S-1-5-21-2136001761-1572149564-658252675-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{2EECD738-5844-4A99-B4B6-146BF802613B} (Claro)
   HKU\S-1-5-21-2136001761-1572149564-658252675-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975} (Claro)
   HKU\S-1-5-21-2136001761-1572149564-658252675-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{98889811-442D-49DD-99D7-DC866BE87DBC} (Claro)
   HKU\S-1-5-21-2136001761-1572149564-658252675-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}\ (AskBar)
   HKU\S-1-5-21-2136001761-1572149564-658252675-1000\Software\Softonic\ (Softonic)
Cookies _____________________________________________________________________
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:122.2o7.net
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:247realmedia.com
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:2o7.net
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:a1.interclick.com
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.360yield.com
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.e-kolay.net
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.mlnadvertising.com
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.yieldmanager.com
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:adinterax.com
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.batpmturner.com
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.bridgetrack.com
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.cnn.com
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.p161.net
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.plos.org
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pointroll.com
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pubmatic.com
   C:\Users\mactiegre\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pureleads.com

Edited by mactiegre, 23 November 2013 - 02:13 PM.




