
some kind of malware on my Windows 7 system


  • This topic is locked
42 replies to this topic

#1 BadgerByBirth

BadgerByBirth

  • Members
  • 43 posts
  • Local time:04:00 AM

Posted 19 November 2013 - 04:42 AM

Hello,

 

This is a different computer than my recent thread on a Windows 8 machine. I have some kind of malware mucking up this Windows 7 system. I believe it might have been the FBI virus, but it got infected a long time ago. I stopped using it and am now trying to clean it. I have since stopped using utorrent and other risky programs. Anyway, what happens now is that when I start the computer, it goes to a blank white screen after the login screen. I can hit ctrl+alt+del and get to that screen just fine. If I select 'restart computer' it will go to the regular desktop temporarily. I have found that if I start a program, e.g. windows explorer, and then hit the 'cancel' button when it comes up telling me I have programs running and do I want to end the processes and restart or not, *sometimes* if I hit 'cancel' it will go to the regular desktop and let me use windows as usual, though windows explorer is very prone to crashing. I tried to run dds.com but it tells me 'The service cannot accept control messages at this time.'

 

Please help! I don't know how to fix this problem.


Edited by BadgerByBirth, 19 November 2013 - 04:43 AM.




#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:10:00 AM

Posted 19 November 2013 - 09:16 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

 

 

 

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt. Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 BadgerByBirth

BadgerByBirth
  • Topic Starter

  • Members
  • 43 posts
  • Local time:04:00 AM

Posted 19 November 2013 - 02:43 PM

Thank you for the help! I am having trouble running either of those programs. A dialogue box pops up that says "The service cannot accept control messages at this time." I think the computer is pretty unstable :( I tried loading it in safemode and it just immediately restarts the machine after login before it goes to the desktop.



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:10:00 AM

Posted 20 November 2013 - 03:04 AM

uh oh...

 

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows 7:

Plug the flash drive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.


  • In the command window, type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
  • Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



#5 BadgerByBirth

BadgerByBirth
  • Topic Starter

  • Members
  • 43 posts
  • Local time:04:00 AM

Posted 21 November 2013 - 07:40 PM

Ok...

 

C:\Users\Tim\windowsupdate.exe
C:\Users\Tim\winlogon.exe
C:\Windows\Tasks\{4A7D85F6-2145-42B1-A5F0-00E5771507B2}.job

Some content of TEMP:
====================
C:\Users\Tim\AppData\Local\Temp\errgdg0nnrtg.exe
C:\Users\Tim\AppData\Local\Temp\lowproc.exe
C:\Users\Tim\AppData\Local\Temp\notepad.exe
C:\Users\Tim\AppData\Local\Temp\stubhelper.dll
C:\Users\Tim\AppData\Local\Temp\vlc-2.0.4-win32.exe
C:\Users\Tim\AppData\Local\Temp\vlc-2.0.5-win32.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

13
Restore point made on: 2013-03-08 23:02:19
Restore point made on: 2013-06-11 12:51:25
Restore point made on: 2013-06-13 20:20:29
Restore point made on: 2013-06-16 13:53:52
Restore point made on: 2013-06-17 07:32:01
Restore point made on: 2013-06-21 08:18:09
Restore point made on: 2013-06-22 21:14:17
Restore point made on: 2013-06-23 06:07:36
Restore point made on: 2013-06-26 19:05:11
Restore point made on: 2013-06-28 07:55:10
Restore point made on: 2013-06-29 09:23:19
Restore point made on: 2013-10-28 13:14:42
Restore point made on: 2013-10-30 09:08:07

==================== Memory info ===========================

Percentage of memory in use: 39%
Total physical RAM: 1021.97 MB
Available physical RAM: 615.57 MB
Total Pagefile: 1021.97 MB
Available Pagefile: 621.65 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.75 MB

==================== Drives ================================

Drive c: (Hank) (Fixed) (Total:109.7 GB) (Free:12.85 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive f: () (Removable) (Total:3.96 GB) (Free:1.08 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 112 GB) (Disk ID: 58000000)
Partition 1: (Not Active) - (Size=86 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=2 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=110 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 0D0C0B0A)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)

LastRegBack: 2013-03-07 10:49

==================== End Of Log ============================



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:10:00 AM

Posted 22 November 2013 - 03:21 AM

The log is incomplete.

Please post up the whole content of FRST.txt.



#7 BadgerByBirth

BadgerByBirth
  • Topic Starter

  • Members
  • 43 posts
  • Local time:04:00 AM

Posted 22 November 2013 - 10:48 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-11-2013
Ran by SYSTEM on MININT-8E866LO on 21-11-2013 19:33:01
Running from F:\
Windows 7 Ultimate (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NvSvc] - RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [NVHotkey] - rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [159744 2007-07-02] (Alps Electric Co., Ltd.)
HKLM\...\Run: [TkBellExe] - C:\Program Files\Real\RealPlayer\Update\realsched.exe [295512 2013-05-09] (RealNetworks, Inc.)
HKU\Tim\...\Run: [SansaDispatch] - C:\Users\Tim\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [ 2012-08-30] (SanDisk Corporation)
HKU\Tim\...\Run: [Apps] - rundll32 "C:\Users\Tim\AppData\Local\Jaksta_Technologies_Pty_L\Apps\jkgjxz.dll",DllRegisterServer <===== ATTENTION
HKU\Tim\...\Run: [GetFLV] - Rundll32.exe C:\Users\Tim\AppData\Local\GetFLV\nogqfxxx.dll,CompressEnd <===== ATTENTION
HKU\Tim\...\Run: [wabEventSupport16] - rundll32.exe "C:\Users\Tim\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll",AwPath KernelUtilLibs <===== ATTENTION
HKU\Tim\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe [ 2013-06-07] () <===== ATTENTION
HKU\Tim\...\Run: [] - C:\Users\Tim\flashplayer.exe [ 2013-06-07] (IEInspector Software)
HKU\Tim\...\Run: [netObjUsb64] - rundll32.exe "C:\Users\Tim\AppData\Roaming\netObjUsb64\netObjUsb64.dll",Uspsvc90 AvpServices90 <===== ATTENTION
HKU\Tim\...\RunOnce: [Adobe CSS5.1 Manager] - C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe [ 2013-06-07] ()
HKU\Tim\...\Winlogon: [Shell] explorer.exe,C:\Users\Tim\AppData\Roaming\skype.dat [ 2011-11-16] (OOB Software Lab.) <==== ATTENTION
BootExecute: autocheck autochk /p \??\C:autocheck autochk *

========================== Services (Whitelisted) =================

S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093880 2009-07-13] (Symantec Corporation)
S2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-03-05] ()

==================== Drivers (Whitelisted) ====================

S3 guardian2; C:\Windows\System32\Drivers\oz776.sys [69664 2009-09-09] (O2Micro)
S3 TrueSight; c:\windows\system32\drivers\TrueSight.sys [13824 2012-03-23] ()
S3 .csc; \? [x]
S3 catchme; \??\C:\Users\Tim\AppData\Local\Temp\catchme.sys [x]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-21 19:24 - 2013-11-21 19:24 - 00000000 ____D C:\FRST
2013-11-19 00:41 - 2013-11-19 00:41 - 00000000 ____D C:\Users\Tim\Desktop\malware
2013-11-16 20:49 - 2013-11-16 23:45 - 00000000 ____D C:\Users\Tim\Downloads\Bella's ties
2013-11-15 21:06 - 2013-11-19 00:18 - 00017408 _____ C:\Windows\System32\rpcnetp.dll
2013-11-15 21:05 - 2013-11-19 00:18 - 00017408 _____ C:\Windows\System32\rpcnetp.exe
2013-11-06 22:20 - 2013-11-06 22:20 - 00145208 _____ C:\Windows\Minidump\110713-24772-01.dmp
2013-10-30 09:25 - 2013-10-30 09:25 - 14335488 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 13761024 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 02876928 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-10-30 09:25 - 2013-10-30 09:25 - 02048512 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 01441280 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-10-30 09:25 - 2013-10-30 09:25 - 01400416 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2013-10-30 09:25 - 2013-10-30 09:25 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00745472 _____ (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00719360 _____ (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00629248 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00523264 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00361984 _____ (Microsoft Corporation) C:\Windows\System32\html.iec
2013-10-30 09:25 - 2013-10-30 09:25 - 00357888 _____ (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00242200 _____ (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00232960 _____ (Microsoft Corporation) C:\Windows\System32\url.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00226816 _____ (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00204800 _____ (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00185344 _____ (Microsoft Corporation) C:\Windows\System32\elshyph.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00163840 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00158720 _____ (Microsoft Corporation) C:\Windows\System32\msls31.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00150528 _____ (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00138752 _____ (Microsoft Corporation) C:\Windows\System32\wextract.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00137216 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00125440 _____ (Microsoft Corporation) C:\Windows\System32\occache.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00117248 _____ (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00110592 _____ (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00082432 _____ (Microsoft Corporation) C:\Windows\System32\inseng.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00079872 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00073728 _____ (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00069120 _____ (Microsoft Corporation) C:\Windows\System32\icardie.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00061952 _____ (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2013-10-30 09:25 - 2013-10-30 09:25 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00057344 _____ (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00048640 _____ (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00041984 _____ (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00039424 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00038400 _____ (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00023040 _____ (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00012800 _____ (Microsoft Corporation) C:\Windows\System32\mshta.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00011776 _____ (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2013-10-30 09:23 - 2013-10-30 09:23 - 03419136 _____ (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 02284544 _____ (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 01988096 _____ (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 01247744 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 01230336 _____ (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 01158144 _____ (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 01080832 _____ (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00906240 _____ (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00604160 _____ (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00417792 _____ (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00364544 _____ (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00293376 _____ (Microsoft Corporation) C:\Windows\System32\dxgi.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00249856 _____ (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00220160 _____ (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00207872 _____ (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00187392 _____ (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00161792 _____ (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00010752 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00009728 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00005632 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00005632 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00002560 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-10-30 09:12 - 2013-10-30 09:12 - 01505280 _____ (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-10-30 09:10 - 2013-10-30 09:27 - 00009176 _____ C:\Windows\IE10_main.log
2013-10-25 09:56 - 2013-03-18 21:04 - 03968856 _____ (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-10-25 09:56 - 2013-03-18 21:04 - 03913560 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-10-25 09:56 - 2013-03-18 20:48 - 00038912 _____ (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-10-25 09:56 - 2013-03-18 18:49 - 00069632 _____ (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-10-25 09:56 - 2013-01-23 20:47 - 00196328 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys
2013-10-25 09:55 - 2013-04-12 05:45 - 01211752 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-10-25 09:55 - 2013-02-14 20:37 - 03217408 _____ (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-10-25 09:55 - 2013-02-14 20:34 - 00131584 _____ (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-10-25 09:55 - 2013-02-14 19:25 - 00036864 _____ (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-10-25 09:55 - 2013-02-11 19:32 - 00015872 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-10-25 09:54 - 2013-02-28 19:09 - 02347008 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys

==================== One Month Modified Files and Folders =======

2013-11-21 19:24 - 2013-11-21 19:24 - 00000000 ____D C:\FRST
2013-11-20 12:01 - 2012-05-18 20:06 - 00000000 ____D C:\Users\Tim\AppData\Roaming\vlc
2013-11-19 11:39 - 2009-11-06 20:03 - 00010048 _____ C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-19 11:39 - 2009-11-06 20:03 - 00010048 _____ C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-19 11:35 - 2012-11-27 15:44 - 00000000 ____D C:\Users\Tim\Desktop\antimalware
2013-11-19 00:41 - 2013-11-19 00:41 - 00000000 ____D C:\Users\Tim\Desktop\malware
2013-11-19 00:41 - 2009-08-25 16:05 - 00068179 _____ C:\Users\Tim\AppData\Roaming\nvModes.001
2013-11-19 00:19 - 2013-06-28 09:57 - 00000004 _____ C:\Users\Tim\AppData\Roaming\skype.ini
2013-11-19 00:18 - 2013-11-15 21:06 - 00017408 _____ C:\Windows\System32\rpcnetp.dll
2013-11-19 00:18 - 2013-11-15 21:05 - 00017408 _____ C:\Windows\System32\rpcnetp.exe
2013-11-19 00:18 - 2009-07-13 20:39 - 00319611 _____ C:\Windows\setupact.log
2013-11-18 23:14 - 2009-11-06 20:56 - 01867070 _____ C:\Windows\WindowsUpdate.log
2013-11-17 00:16 - 2009-11-06 21:05 - 00726316 _____ C:\Windows\System32\PerfStringBackup.INI
2013-11-16 23:46 - 2013-06-22 21:52 - 00000000 ____D C:\Users\Tim\Downloads\POF ties
2013-11-16 23:45 - 2013-11-16 20:49 - 00000000 ____D C:\Users\Tim\Downloads\Bella's ties
2013-11-16 20:49 - 2013-02-13 23:14 - 00000000 ____D C:\Users\Tim\Downloads\na 3
2013-11-16 20:49 - 2013-02-13 23:14 - 00000000 ____D C:\Users\Tim\Downloads\na
2013-11-16 20:49 - 2013-02-13 23:08 - 00000000 ____D C:\Users\Tim\Downloads\tricia na
2013-11-10 22:49 - 2011-12-16 12:46 - 00044544 _____ (Absolute Software Corp.) C:\Windows\System32\agremove.exe
2013-11-06 22:20 - 2013-11-06 22:20 - 00145208 _____ C:\Windows\Minidump\110713-24772-01.dmp
2013-11-06 22:20 - 2012-11-16 18:14 - 172000199 _____ C:\Windows\MEMORY.DMP
2013-11-06 22:20 - 2010-05-17 14:59 - 00000000 ____D C:\Windows\Minidump
2013-11-06 12:01 - 2012-07-11 08:44 - 00000000 ____D C:\Users\Tim\Downloads\shexview
2013-10-30 21:31 - 2009-07-13 20:33 - 00319008 _____ C:\Windows\System32\FNTCACHE.DAT
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-TW
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-HK
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-CN
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\tr-TR
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\sv-SE
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ru-RU
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pt-PT
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pt-BR
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pl-PL
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\nl-NL
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\nb-NO
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ko-KR
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ja-JP
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\it-IT
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\hu-HU
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\fr-FR
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\fi-FI
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\el-GR
2013-10-30 09:31 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\de-DE
2013-10-30 09:27 - 2013-10-30 09:10 - 00009176 _____ C:\Windows\IE10_main.log
2013-10-30 09:25 - 2013-10-30 09:25 - 14335488 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 13761024 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 02876928 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-10-30 09:25 - 2013-10-30 09:25 - 02048512 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 01441280 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-10-30 09:25 - 2013-10-30 09:25 - 01400416 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2013-10-30 09:25 - 2013-10-30 09:25 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00745472 _____ (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00719360 _____ (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00629248 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00523264 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00361984 _____ (Microsoft Corporation) C:\Windows\System32\html.iec
2013-10-30 09:25 - 2013-10-30 09:25 - 00357888 _____ (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00242200 _____ (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00232960 _____ (Microsoft Corporation) C:\Windows\System32\url.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00226816 _____ (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00204800 _____ (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00185344 _____ (Microsoft Corporation) C:\Windows\System32\elshyph.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00163840 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00158720 _____ (Microsoft Corporation) C:\Windows\System32\msls31.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00150528 _____ (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00138752 _____ (Microsoft Corporation) C:\Windows\System32\wextract.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00137216 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00125440 _____ (Microsoft Corporation) C:\Windows\System32\occache.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00117248 _____ (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00110592 _____ (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00082432 _____ (Microsoft Corporation) C:\Windows\System32\inseng.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00079872 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00073728 _____ (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00069120 _____ (Microsoft Corporation) C:\Windows\System32\icardie.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00061952 _____ (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2013-10-30 09:25 - 2013-10-30 09:25 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00057344 _____ (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00048640 _____ (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00041984 _____ (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00039424 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00038400 _____ (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00023040 _____ (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2013-10-30 09:25 - 2013-10-30 09:25 - 00012800 _____ (Microsoft Corporation) C:\Windows\System32\mshta.exe
2013-10-30 09:25 - 2013-10-30 09:25 - 00011776 _____ (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2013-10-30 09:23 - 2013-10-30 09:23 - 03419136 _____ (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 02284544 _____ (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 01988096 _____ (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 01247744 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 01230336 _____ (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 01158144 _____ (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 01080832 _____ (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00906240 _____ (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00604160 _____ (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00417792 _____ (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00364544 _____ (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00293376 _____ (Microsoft Corporation) C:\Windows\System32\dxgi.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00249856 _____ (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00220160 _____ (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00207872 _____ (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00187392 _____ (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00161792 _____ (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00010752 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00009728 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00005632 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00005632 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-10-30 09:23 - 2013-10-30 09:23 - 00002560 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-10-30 09:12 - 2013-10-30 09:12 - 01505280 _____ (Microsoft Corporation) C:\Windows\System32\d3d11.dll

Files to move or delete:
====================
C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe
C:\Users\Tim\AppData\Roaming\skype.dat
C:\Users\Tim\AppData\Roaming\skype.ini
C:\ProgramData\E32J2bSj.dat
C:\Users\Tim\alg.exe
C:\Users\Tim\chrome.exe
C:\Users\Tim\csrss.exe
C:\Users\Tim\ctfmon.exe
C:\Users\Tim\firefox.exe
C:\Users\Tim\flashplayer.exe
C:\Users\Tim\googleupdate.exe
C:\Users\Tim\icq.exe
C:\Users\Tim\iexplore.exe
C:\Users\Tim\jucheck.exe
C:\Users\Tim\msconfig.exe
C:\Users\Tim\mstsc.exe
C:\Users\Tim\opera.exe
C:\Users\Tim\rundll32.exe
C:\Users\Tim\skype.exe
C:\Users\Tim\spoolsv.exe
C:\Users\Tim\teamviewer.exe
C:\Users\Tim\vlcplayer.exe
C:\Users\Tim\windowsupdate.exe
C:\Users\Tim\winlogon.exe
C:\Windows\Tasks\{4A7D85F6-2145-42B1-A5F0-00E5771507B2}.job

Some content of TEMP:
====================
C:\Users\Tim\AppData\Local\Temp\errgdg0nnrtg.exe
C:\Users\Tim\AppData\Local\Temp\lowproc.exe
C:\Users\Tim\AppData\Local\Temp\notepad.exe
C:\Users\Tim\AppData\Local\Temp\stubhelper.dll
C:\Users\Tim\AppData\Local\Temp\vlc-2.0.4-win32.exe
C:\Users\Tim\AppData\Local\Temp\vlc-2.0.5-win32.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

13
Restore point made on: 2013-03-08 23:02:19
Restore point made on: 2013-06-11 12:51:25
Restore point made on: 2013-06-13 20:20:29
Restore point made on: 2013-06-16 13:53:52
Restore point made on: 2013-06-17 07:32:01
Restore point made on: 2013-06-21 08:18:09
Restore point made on: 2013-06-22 21:14:17
Restore point made on: 2013-06-23 06:07:36
Restore point made on: 2013-06-26 19:05:11
Restore point made on: 2013-06-28 07:55:10
Restore point made on: 2013-06-29 09:23:19
Restore point made on: 2013-10-28 13:14:42
Restore point made on: 2013-10-30 09:08:07

==================== Memory info ===========================

Percentage of memory in use: 39%
Total physical RAM: 1021.97 MB
Available physical RAM: 615.57 MB
Total Pagefile: 1021.97 MB
Available Pagefile: 621.65 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.75 MB

==================== Drives ================================

Drive c: (Hank) (Fixed) (Total:109.7 GB) (Free:12.85 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive f: () (Removable) (Total:3.96 GB) (Free:1.08 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 112 GB) (Disk ID: 58000000)
Partition 1: (Not Active) - (Size=86 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=2 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=110 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 0D0C0B0A)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)

LastRegBack: 2013-03-07 10:49

==================== End Of Log ============================



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:00 AM

Posted 24 November 2013 - 06:15 AM

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKU\Tim\...\Run: [Apps] - rundll32 "C:\Users\Tim\AppData\Local\Jaksta_Technologies_Pty_L\Apps\jkgjxz.dll",DllRegisterServer <===== ATTENTION
    HKU\Tim\...\Run: [GetFLV] - Rundll32.exe C:\Users\Tim\AppData\Local\GetFLV\nogqfxxx.dll,CompressEnd <===== ATTENTION
    HKU\Tim\...\Run: [wabEventSupport16] - rundll32.exe "C:\Users\Tim\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll",AwPath KernelUtilLibs <===== ATTENTION
    HKU\Tim\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe [ 2013-06-07] () <===== ATTENTION
    HKU\Tim\...\Run: [] - C:\Users\Tim\flashplayer.exe [ 2013-06-07] (IEInspector Software)
    HKU\Tim\...\Run: [netObjUsb64] - rundll32.exe "C:\Users\Tim\AppData\Roaming\netObjUsb64\netObjUsb64.dll",Uspsvc90 AvpServices90 <===== ATTENTION
    HKU\Tim\...\RunOnce: [Adobe CSS5.1 Manager] - C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe [ 2013-06-07] ()
    HKU\Tim\...\Winlogon: [Shell] explorer.exe,C:\Users\Tim\AppData\Roaming\skype.dat [ 2011-11-16] (OOB Software Lab.) <==== ATTENTION
    
    S3 .csc; \? [x]
    
    C:\Users\Tim\AppData\Local\Jaksta_Technologies_Pty_L\Apps\jkgjxz.dll
    C:\Users\Tim\AppData\Local\GetFLV\nogqfxxx.dll
    C:\Users\Tim\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll
    C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe
    C:\Users\Tim\flashplayer.exe
    C:\Users\Tim\AppData\Roaming\netObjUsb64\netObjUsb64.dll
    C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe
    C:\Users\Tim\AppData\Roaming\skype.dat
    C:\Users\Tim\AppData\Roaming\skype.ini
    C:\ProgramData\E32J2bSj.dat
    C:\Users\Tim\alg.exe
    C:\Users\Tim\chrome.exe
    C:\Users\Tim\csrss.exe
    C:\Users\Tim\ctfmon.exe
    C:\Users\Tim\firefox.exe
    C:\Users\Tim\flashplayer.exe
    C:\Users\Tim\googleupdate.exe
    C:\Users\Tim\icq.exe
    C:\Users\Tim\iexplore.exe
    C:\Users\Tim\jucheck.exe
    C:\Users\Tim\msconfig.exe
    C:\Users\Tim\mstsc.exe
    C:\Users\Tim\opera.exe
    C:\Users\Tim\rundll32.exe
    C:\Users\Tim\skype.exe
    C:\Users\Tim\spoolsv.exe
    C:\Users\Tim\teamviewer.exe
    C:\Users\Tim\vlcplayer.exe
    C:\Users\Tim\windowsupdate.exe
    C:\Users\Tim\winlogon.exe
    C:\Windows\Tasks\{4A7D85F6-2145-42B1-A5F0-00E5771507B2}.job
    C:\Users\Tim\AppData\Local\Temp\errgdg0nnrtg.exe
    C:\Users\Tim\AppData\Local\Temp\lowproc.exe
    C:\Users\Tim\AppData\Local\Temp\notepad.exe
    C:\Users\Tim\AppData\Local\Temp\stubhelper.dll
    C:\Users\Tim\AppData\Local\Temp\vlc-2.0.4-win32.exe
    C:\Users\Tim\AppData\Local\Temp\vlc-2.0.5-win32.exe

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

System File Check (offline mode)

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt
  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your system drive letter and system path (for example, D:\windows\) and close the notepad.
  • enter the following command:


sfc /scannow /offbootdir=d:\ /offwindir=d:\windows


Replace the red and pink parts with the information you obtained from the last step of this tutorial.

Note: Depending on how your computer is set up, the Command Prompt, when used from outside of Windows, doesn't always assign drive letters in the same way that you see them from inside Windows. In other words, Windows might be at C:\Windows when you're using it, but D:\Windows from the Command Prompt in System Recovery Options.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)
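The entries marked ATTENTION in the fixlist above are three textbook persistence patterns: Run values that start rundll32 with a DLL stored under the user's AppData, a Winlogon Shell value that chains a second file (skype.dat) after explorer.exe, and executables named like Windows system binaries or popular applications dropped into the root of C:\Users\Tim. The following is an added Python example, not FRST's code and not anything posted in this thread, that turns those eyeball checks into explicit rules run over FRST-format lines. The sample input is constructed from the line shapes in the fixlist plus two benign lines to show what is not flagged; the name sets are assumptions seeded from the fixlist and would be extended for a real environment.

```python
"""Triage FRST-style autorun and file lines for the persistence patterns the
fixlist removes. Added example, not part of FRST: three rules a responder
otherwise applies by eye, run over text in FRST's own line format.
"""
import re

# Assumption for the example: names that belong in System32 or Program Files,
# never in the root of C:\Users\<name>. Seeded from the fixlist entries.
SYSTEM_NAMES = {"alg.exe", "csrss.exe", "ctfmon.exe", "rundll32.exe",
                "spoolsv.exe", "winlogon.exe", "msconfig.exe", "mstsc.exe"}
APP_NAMES = {"chrome.exe", "firefox.exe", "iexplore.exe", "opera.exe",
             "skype.exe", "flashplayer.exe", "googleupdate.exe", "jucheck.exe",
             "teamviewer.exe", "vlcplayer.exe", "windowsupdate.exe", "icq.exe"}

# FRST line shapes: "HKU\Tim\...\Run: [Name] - command [ date] (Publisher) <===== ATTENTION"
RUN_LINE = re.compile(
    r"^HK(?:U\\[^\\]+|LM)\\\.\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] - (?P<cmd>.*)$")
SHELL_LINE = re.compile(r"^HK(?:U\\[^\\]+|LM)\\\.\.\.\\Winlogon: \[Shell\] (?P<value>.*)$")
# Trailing "[ 2013-06-07] (Publisher) <===== ATTENTION" decoration FRST appends to a value.
ANNOTATION = re.compile(r"\s*(?:\[ ?\d{4}-\d{2}-\d{2}\]\s*\([^)]*\))?\s*(?:<=+ ATTENTION)?\s*$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
EXE_PATH = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)
IN_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
PROFILE_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(?P<base>[^\\]+\.exe)$", re.IGNORECASE)


def strip_annotation(value: str) -> str:
    """Drop FRST's trailing date/publisher/ATTENTION decoration from a value."""
    return value[:ANNOTATION.search(value).start()]


def check_run_entry(key: str, name: str, cmd: str):
    """Rule 1: rundll32 with a DLL under a profile, or an .exe in a profile root."""
    m = RUNDLL.match(cmd)
    if m and IN_PROFILE.match(m.group("dll")):
        yield ("rundll32 loads DLL from user profile", f"{key}:[{name}] {m.group('dll')}")
        return
    e = EXE_PATH.match(cmd)
    if e and PROFILE_ROOT_EXE.match(e.group("exe")):
        yield ("autorun executable in profile root", f"{key}:[{name}] {e.group('exe')}")


def check_shell(value: str):
    """Rule 2: Winlogon Shell is exactly explorer.exe by default; extra entries hijack logon."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    extras = [p for p in parts if p.lower() != "explorer.exe"]
    if extras:
        yield ("Winlogon Shell hijack", ", ".join(extras))


def check_path(path: str):
    """Rule 3: system-binary or application names sitting directly in a profile root."""
    m = PROFILE_ROOT_EXE.match(path)
    if not m:
        return
    base = m.group("base").lower()
    if base in SYSTEM_NAMES:
        yield ("system binary name in profile root", path)
    elif base in APP_NAMES:
        yield ("application look-alike in profile root", path)


def triage(log_text: str) -> list:
    """Return [(rule, detail), ...] for every suspicious line in FRST-style text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_LINE.match(line):
            findings += check_run_entry(m["key"], m["name"], strip_annotation(m["cmd"]))
        elif m := SHELL_LINE.match(line):
            findings += check_shell(strip_annotation(m["value"]))
        elif IN_PROFILE.match(line):
            findings += check_path(line)
    return findings


# Constructed sample in FRST's line format: four shapes taken from the fixlist,
# plus a benign vendor Run entry, a data file and a document that must not fire.
SAMPLE = r"""
HKU\Tim\...\Run: [Apps] - rundll32 "C:\Users\Tim\AppData\Local\Jaksta_Technologies_Pty_L\Apps\jkgjxz.dll",DllRegisterServer <===== ATTENTION
HKU\Tim\...\Run: [GetFLV] - Rundll32.exe C:\Users\Tim\AppData\Local\GetFLV\nogqfxxx.dll,CompressEnd <===== ATTENTION
HKU\Tim\...\Run: [] - C:\Users\Tim\flashplayer.exe [ 2013-06-07] (IEInspector Software)
HKU\Tim\...\Winlogon: [Shell] explorer.exe,C:\Users\Tim\AppData\Roaming\skype.dat [ 2011-11-16] (OOB Software Lab.) <==== ATTENTION
HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [ 2007-07-02] ()
C:\Users\Tim\csrss.exe
C:\Users\Tim\chrome.exe
C:\Users\Tim\AppData\Roaming\skype.dat
C:\Users\Tim\Documents\notes.txt
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE):
        print(f"{rule:45} {detail}")
```

Run on the sample it reports six findings, one per ATTENTION-style line, and stays silent on the Dell Run entry, the .dat file and the document. The Winlogon rule is the one worth remembering: the Shell value is loaded for every interactive logon, so a second component after explorer.exe runs even when the Run keys have been cleaned, which is why the fixlist resets it alongside deleting the files.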

#9 BadgerByBirth

BadgerByBirth
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 24 November 2013 - 10:07 AM

I ran FRST. The log is below. The other scan (sfc /scannow /offbootdir=d:\ /offwindir=d:\windows) is running on the machine right now. Was there a log I am supposed to post from this other scan?

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-11-2013
Ran by SYSTEM at 2013-11-24 10:00:07 Run:1
Running from F:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
HKU\Tim\...\Run: [Apps] - rundll32 "C:\Users\Tim\AppData\Local\Jaksta_Technologies_Pty_L\Apps\jkgjxz.dll",DllRegisterServer <===== ATTENTION
HKU\Tim\...\Run: [GetFLV] - Rundll32.exe C:\Users\Tim\AppData\Local\GetFLV\nogqfxxx.dll,CompressEnd <===== ATTENTION
HKU\Tim\...\Run: [wabEventSupport16] - rundll32.exe "C:\Users\Tim\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll",AwPath KernelUtilLibs <===== ATTENTION
HKU\Tim\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe [ 2013-06-07] () <===== ATTENTION
HKU\Tim\...\Run: [] - C:\Users\Tim\flashplayer.exe [ 2013-06-07] (IEInspector Software)
HKU\Tim\...\Run: [netObjUsb64] - rundll32.exe "C:\Users\Tim\AppData\Roaming\netObjUsb64\netObjUsb64.dll",Uspsvc90 AvpServices90 <===== ATTENTION
HKU\Tim\...\RunOnce: [Adobe CSS5.1 Manager] - C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe [ 2013-06-07] ()
HKU\Tim\...\Winlogon: [Shell] explorer.exe,C:\Users\Tim\AppData\Roaming\skype.dat [ 2011-11-16] (OOB Software Lab.) <==== ATTENTION

S3 .csc; \? [x]

C:\Users\Tim\AppData\Local\Jaksta_Technologies_Pty_L\Apps\jkgjxz.dll
C:\Users\Tim\AppData\Local\GetFLV\nogqfxxx.dll
C:\Users\Tim\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll
C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe
C:\Users\Tim\flashplayer.exe
C:\Users\Tim\AppData\Roaming\netObjUsb64\netObjUsb64.dll
C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe
C:\Users\Tim\AppData\Roaming\skype.dat
C:\Users\Tim\AppData\Roaming\skype.ini
C:\ProgramData\E32J2bSj.dat
C:\Users\Tim\alg.exe
C:\Users\Tim\chrome.exe
C:\Users\Tim\csrss.exe
C:\Users\Tim\ctfmon.exe
C:\Users\Tim\firefox.exe
C:\Users\Tim\flashplayer.exe
C:\Users\Tim\googleupdate.exe
C:\Users\Tim\icq.exe
C:\Users\Tim\iexplore.exe
C:\Users\Tim\jucheck.exe
C:\Users\Tim\msconfig.exe
C:\Users\Tim\mstsc.exe
C:\Users\Tim\opera.exe
C:\Users\Tim\rundll32.exe
C:\Users\Tim\skype.exe
C:\Users\Tim\spoolsv.exe
C:\Users\Tim\teamviewer.exe
C:\Users\Tim\vlcplayer.exe
C:\Users\Tim\windowsupdate.exe
C:\Users\Tim\winlogon.exe
C:\Windows\Tasks\{4A7D85F6-2145-42B1-A5F0-00E5771507B2}.job
C:\Users\Tim\AppData\Local\Temp\errgdg0nnrtg.exe
C:\Users\Tim\AppData\Local\Temp\lowproc.exe
C:\Users\Tim\AppData\Local\Temp\notepad.exe
C:\Users\Tim\AppData\Local\Temp\stubhelper.dll
C:\Users\Tim\AppData\Local\Temp\vlc-2.0.4-win32.exe
C:\Users\Tim\AppData\Local\Temp\vlc-2.0.5-win32.exe
*****************

HKU\Tim\Software\Microsoft\Windows\CurrentVersion\Run\\Apps => Value deleted successfully.
HKU\Tim\Software\Microsoft\Windows\CurrentVersion\Run\\GetFLV => Value deleted successfully.
HKU\Tim\Software\Microsoft\Windows\CurrentVersion\Run\\wabEventSupport16 => Value deleted successfully.
HKU\Tim\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\Tim\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKU\Tim\Software\Microsoft\Windows\CurrentVersion\Run\\netObjUsb64 => Value deleted successfully.
HKU\Tim\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Adobe CSS5.1 Manager => Value not found.
HKU\Tim\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
.csc => Service not found.
C:\Users\Tim\AppData\Local\Jaksta_Technologies_Pty_L\Apps\jkgjxz.dll => Moved successfully.
C:\Users\Tim\AppData\Local\GetFLV\nogqfxxx.dll => Moved successfully.
C:\Users\Tim\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll => Moved successfully.
C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe => Moved successfully.
C:\Users\Tim\flashplayer.exe => Moved successfully.
C:\Users\Tim\AppData\Roaming\netObjUsb64\netObjUsb64.dll => Moved successfully.
"C:\Users\Tim\AppData\Local\8d903fbe-8fa6-4343-80a8-55437ae11abead\dfbefaaaeabead.exe" => File/Directory not found.
C:\Users\Tim\AppData\Roaming\skype.dat => Moved successfully.
C:\Users\Tim\AppData\Roaming\skype.ini => Moved successfully.
C:\ProgramData\E32J2bSj.dat => Moved successfully.
C:\Users\Tim\alg.exe => Moved successfully.
C:\Users\Tim\chrome.exe => Moved successfully.
C:\Users\Tim\csrss.exe => Moved successfully.
C:\Users\Tim\ctfmon.exe => Moved successfully.
C:\Users\Tim\firefox.exe => Moved successfully.
"C:\Users\Tim\flashplayer.exe" => File/Directory not found.
C:\Users\Tim\googleupdate.exe => Moved successfully.
C:\Users\Tim\icq.exe => Moved successfully.
C:\Users\Tim\iexplore.exe => Moved successfully.
C:\Users\Tim\jucheck.exe => Moved successfully.
C:\Users\Tim\msconfig.exe => Moved successfully.
C:\Users\Tim\mstsc.exe => Moved successfully.
C:\Users\Tim\opera.exe => Moved successfully.
C:\Users\Tim\rundll32.exe => Moved successfully.
C:\Users\Tim\skype.exe => Moved successfully.
C:\Users\Tim\spoolsv.exe => Moved successfully.
C:\Users\Tim\teamviewer.exe => Moved successfully.
C:\Users\Tim\vlcplayer.exe => Moved successfully.
C:\Users\Tim\windowsupdate.exe => Moved successfully.
C:\Users\Tim\winlogon.exe => Moved successfully.
C:\Windows\Tasks\{4A7D85F6-2145-42B1-A5F0-00E5771507B2}.job => Moved successfully.
C:\Users\Tim\AppData\Local\Temp\errgdg0nnrtg.exe => Moved successfully.
C:\Users\Tim\AppData\Local\Temp\lowproc.exe => Moved successfully.
C:\Users\Tim\AppData\Local\Temp\notepad.exe => Moved successfully.
C:\Users\Tim\AppData\Local\Temp\stubhelper.dll => Moved successfully.
C:\Users\Tim\AppData\Local\Temp\vlc-2.0.4-win32.exe => Moved successfully.
C:\Users\Tim\AppData\Local\Temp\vlc-2.0.5-win32.exe => Moved successfully.

==== End of Fixlog ====



#10 BadgerByBirth

BadgerByBirth
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 24 November 2013 - 10:27 AM

Ok, the other scan finished. It said it saved a log file somewhere in c:\windows I believe but I can't recall the name of it. The system appears usable now! At least I can boot it up and run programs without having to mess around with it.



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:00 AM

Posted 25 November 2013 - 03:20 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.



#12 BadgerByBirth

BadgerByBirth
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 25 November 2013 - 10:16 AM

Whew, that took a while.

 

ComboFix 13-11-23.02 - Tim 11/25/2013   9:28.5.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.1022.416 [GMT -5:00]
Running from: c:\users\Tim\Desktop\malware\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\H85KwOa0.exe_.b
c:\users\Tim\AppData\Roaming\6A29.tmp
c:\users\Tim\AppData\Roaming\C12E.tmp
c:\users\Tim\AppData\Roaming\C295.tmp
.
c:\windows\System32\autochk.exe . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-25 to 2013-11-25  )))))))))))))))))))))))))))))))
.
.
2013-11-25 15:07 . 2013-11-25 15:07 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2013-11-25 15:07 . 2013-11-25 15:07 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2013-11-25 15:01 . 2013-11-25 15:08 -------- d-----w- c:\users\Tim\AppData\Local\temp
2013-11-25 15:01 . 2013-11-25 15:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-11-25 15:01 . 2013-11-25 15:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-24 18:10 . 2013-11-24 18:10 388096 ----a-w- c:\windows\system32\drivers\csc.sys
2013-11-22 03:24 . 2013-11-22 03:24 -------- d-----w- C:\FRST
2013-10-30 17:23 . 2013-10-30 17:23 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-10-30 17:12 . 2013-10-30 17:12 1505280 ----a-w- c:\windows\system32\d3d11.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-25 14:21 . 2011-12-16 20:46 44544 ----a-w- c:\windows\system32\agremove.exe
2013-09-12 16:21 . 2012-10-19 20:39 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\users\Tim\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2012-08-30 79872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-05 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-05 81920]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-10-05 86016]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2013-05-10 295512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk /p \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AprvRemoveLegacyExcelKeys]
c:\program files\ApproveIt\Support\Tools\AprvClean.exe -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AprvRemoveLegacyWordKeys]
c:\program files\ApproveIt\Support\Tools\AprvClean.exe -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 02:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 06:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-02 18:05 946352 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-12-19 14:39 41208 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApproveItForOfficeSetup]
2009-04-30 03:12 155648 ----a-w- c:\program files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\masqform.exe]
2005-07-04 13:50 643072 ----a-w- c:\program files\PureEdge\Viewer 6.5\masqform.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2007-10-05 01:24 86016 ----a-w- c:\windows\System32\nvhotkey.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-10-05 01:24 81920 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2007-10-05 01:24 86016 ----a-w- c:\windows\System32\nvsvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 18:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-05-10 02:57 295512 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S0 rpcnetp;rpcnetp; [x]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-03-06 39056]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ    HPSLPSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-24 15:25 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ced14e2ec2b801.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-03 02:41]
.
2013-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-03 02:41]
.
2013-11-11 c:\windows\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-3178925919-3063591098-2084195045-1000.job
- c:\program files\RealNetworks\RealDownloader\recordingmanager.exe [2013-03-06 06:23]
.
2013-11-11 c:\windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-3178925919-3063591098-2084195045-1000.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-03-06 06:21]
.
2013-11-24 c:\windows\Tasks\ReclaimerResumeInstall_Tim.job
- c:\users\Tim\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.70\agent\rnupgagent.exe [2013-11-24 15:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -
FF - ProfilePath - c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\m58jnm5n.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
FF - ExtSQL: !HIDDEN! 1970-05-29 04:51; {FB300CBB-FFFA-ED03-8E52-BA4EC159DC64}; -
FF - ExtSQL: !HIDDEN! 2009-11-06 23:10; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil11c_Plugin.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\.csc]
"ImagePath"="\?"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\rpcnetp.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2013-11-25  10:13:27 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-25 15:13
ComboFix2.txt  2012-11-30 02:52
ComboFix3.txt  2012-03-26 04:22
ComboFix4.txt  2012-03-25 05:00
.
Pre-Run: 20,533,133,312 bytes free
Post-Run: 21,193,916,416 bytes free
.
- - End Of File - - CB2FD18B691C5BCF734A923C070227B4
A36C5E4F47E84449FF07ED3517B43A31
 



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:00 AM

Posted 25 November 2013 - 10:55 AM

Search for files with FRST (Recovery Environment)


Run FRST.

Type the following in the edit box after "Search:"

autochk.exe

Click the Search button and post the log (Search.txt) it makes in your reply.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#14 BadgerByBirth

BadgerByBirth
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 25 November 2013 - 11:12 AM

Farbar Recovery Scan Tool (x86) Version: 24-11-2013
Ran by Tim at 2013-11-25 11:06:59
Running from C:\Users\Tim\Desktop\malware
Boot Mode: Normal

================== Search: "autochk.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\autochk.exe
[2011-03-06 15:11] - [2010-11-20 07:16] - 0668160 ____A () BE690C8FC89A64EBE67629851B866BCD

C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860\autochk.exe
[2009-07-13 18:15] - [2009-07-13 20:14] - 0668160 ____A () 8470F472B8EEA8DC1645240A81D56DD5

C:\Windows\System32\autochk.exe
[2011-03-06 15:11] - [2010-11-20 07:16] - 0668160 ____A () BE690C8FC89A64EBE67629851B866BCD

C:\$WINDOWS.~BT\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860\autochk.exe
[2009-07-13 18:15] - [2009-07-13 20:14] - 0668160 ____A (Microsoft Corporation) 41E4C8EBA464E7D6A5BA5E8827732AEB

C:\$WINDOWS.~BT\Windows\System32\autochk.exe
[2009-07-13 18:15] - [2009-07-13 20:14] - 0668160 ____A (Microsoft Corporation) 41E4C8EBA464E7D6A5BA5E8827732AEB

=== End Of Search ===
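An added example, not part of the thread and not FRST's own code: a small Python script that parses the FRST search output just posted and does mechanically what a responder does by eye with such a listing. For each live System32 copy it reports whether the MD5 matches one of the component-store (winsxs) copies on the same Windows install, and whether the version-resource company field is empty; it also groups all copies by hash, which surfaces files of identical size with differing content. The sample input is the log from post #14 embedded inline; the meaning of the detail-line fields and the path classification rules are assumptions drawn from the log layout, not from FRST documentation. Note that in this log the winsxs copies carry an empty company field as well, so that field alone is not a verdict; the script surfaces the comparisons, it does not decide whether anything is infected.

```python
import re
from collections import defaultdict

# Sample input: the FRST search output posted above (post #14), embedded
# here so the script runs offline.
FRST_SEARCH_LOG = r"""
================== Search: "autochk.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\autochk.exe
[2011-03-06 15:11] - [2010-11-20 07:16] - 0668160 ____A () BE690C8FC89A64EBE67629851B866BCD

C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860\autochk.exe
[2009-07-13 18:15] - [2009-07-13 20:14] - 0668160 ____A () 8470F472B8EEA8DC1645240A81D56DD5

C:\Windows\System32\autochk.exe
[2011-03-06 15:11] - [2010-11-20 07:16] - 0668160 ____A () BE690C8FC89A64EBE67629851B866BCD

C:\$WINDOWS.~BT\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860\autochk.exe
[2009-07-13 18:15] - [2009-07-13 20:14] - 0668160 ____A (Microsoft Corporation) 41E4C8EBA464E7D6A5BA5E8827732AEB

C:\$WINDOWS.~BT\Windows\System32\autochk.exe
[2009-07-13 18:15] - [2009-07-13 20:14] - 0668160 ____A (Microsoft Corporation) 41E4C8EBA464E7D6A5BA5E8827732AEB

=== End Of Search ===
"""

# A path line: drive letter, colon, backslash, rest of the path.
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
# The detail line under each path: two bracketed timestamps, size, attribute
# flags, company name from the version resource in parentheses (empty when
# none was read) and the MD5. Field meaning is an assumption from the layout.
DETAIL_RE = re.compile(
    r"^\[(?P<ts1>[^\]]+)\] - \[(?P<ts2>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_frst_search(text):
    """Return one dict per file found, pairing each path line with its detail line."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for path, detail in zip(lines, lines[1:]):
        if not PATH_RE.match(path):
            continue
        m = DETAIL_RE.match(detail)
        if not m:
            continue
        entries.append({
            "path": path,
            "timestamps": (m["ts1"], m["ts2"]),
            "size": int(m["size"]),
            "attrs": m["attrs"],
            "company": m["company"],
            "md5": m["md5"].upper(),
        })
    return entries


def location(path):
    """Classify a path as the live System32 copy, a component-store copy, or other."""
    p = path.lower()
    if "\\winsxs\\" in p:
        return "winsxs"
    if "\\system32\\" in p:
        return "system32"
    return "other"


def install_root(path):
    # Everything before the Windows directory, so the upgrade image under
    # $WINDOWS.~BT is compared against its own component store, not C:'s.
    idx = path.lower().find("\\windows\\")
    return path[:idx] if idx >= 0 else path.split("\\")[0]


def group_by_hash(entries):
    """Map each MD5 to the paths carrying it (same size, different hash stands out)."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def assess(entries):
    """For every live System32 copy: does its hash match a winsxs copy on the same
    install, and is the version-resource company field empty?"""
    by_root = defaultdict(list)
    for e in entries:
        by_root[install_root(e["path"])].append(e)
    report = {}
    for items in by_root.values():
        store_hashes = {e["md5"] for e in items if location(e["path"]) == "winsxs"}
        for e in items:
            if location(e["path"]) != "system32":
                continue
            report[e["path"]] = {
                "matches_component_store": e["md5"] in store_hashes,
                "company_missing": e["company"] == "",
            }
    return report


if __name__ == "__main__":
    found = parse_frst_search(FRST_SEARCH_LOG)
    for md5, paths in group_by_hash(found).items():
        print(md5, "->", len(paths), "copy/copies")
    for path, verdict in assess(found).items():
        print(path, verdict)
```

Run against the log above, the script reports three distinct hashes for five copies of the same 668,160-byte file, and that each live System32 copy matches a component-store copy on its own install. The empty company field on the C:\Windows copies is reported as a fact to weigh together with the hash comparison and the helper's other logs, not as a finding by itself.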



#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:00 AM

Posted 26 November 2013 - 09:12 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Attached Files