Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

AVG keeps finding Win32/Zperm in temp folder


  • This topic is locked This topic is locked
22 replies to this topic

#1 Wheels of Steel

Wheels of Steel

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 22 November 2013 - 09:15 AM

Hello,

 

I have both AVG and Ad-Aware installed (Ad-Aware is in compatibility mode so the real-time protection is off). AVG resident shield keeps reporting that Win32/Zperm has been found in the temp folder and this is due to the Ad-Aware Service. I choose the action to remove it, which it says is successful but then it reports the same thing again a little while later. An actual scan by AVG does not find anything, neither does a scan by Ad-Aware.

 

AVG resident shield report: Virus found Win32/Zperm, c:\Windows\Temp\... (actual folder and file changes every time)

 

The process name: C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareService.exe

 

I have also tried scanning with Malwarebytes Anti-Malware and that too doesn't give any postives. Could you help me remove it please or is it a compatabilty issue between AVG and Ad-Aware?

 

Thanks

 

My DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16520  BrowserJavaVersion: 10.45.2
Run by Paulette at 13:17:06 on 2013-11-22
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2038.701 [GMT 0:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Ad-Aware Antivirus *Disabled/Outdated* {D87B6541-12A1-DAEA-0033-9B8057AAB996}
SP: Ad-Aware Antivirus *Disabled/Outdated* {631A84A5-349B-D564-3A83-A0F22C2DF32B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
FW: Ad-Aware Firewall *Disabled* {E040E464-58CE-DBB2-2B6C-32B5A979FEED}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2014\avgrsx.exe
C:\Program Files\AVG\AVG2014\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareService.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2014\avgidsagent.exe
C:\Program Files\AVG\AVG2014\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BT Broadband Desktop Help\btbb\MA\8.3.1.7.bt.1.3\ma\bin\MAHostService.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\BT Broadband Desktop Help\btbb\MA\8.3.1.7.bt.1.3\ma\bin\node.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\AVG\AVG2014\avgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Common Files\Motive\pcCMService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\AVG\AVG2014\avgnsx.exe
C:\Program Files\AVG\AVG2014\avgemcx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_9_900_152_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.co.uk/
mDefault_Page_URL = hxxp://www.thetechguys.com/welcome
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: {c585d593-e7f4-4852-a200-561686ee02e4} - <orphaned>
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [UpdateP2GShortCut] c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe "c:\program files\cyberlink\power2go" update "software\cyberlink\power2go\5.0"
mRun: [Skytel] Skytel.exe
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [NWEReboot] <no file>
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{FD85F85B-96D0-4D8D-B5F6-FBEDF408F3E2} : DHCPNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-9-2 145720]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-9-2 223032]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-8-20 102200]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-9-8 27448]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-9-26 13560]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2013-8-15 28552]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-9-25 120632]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-9-2 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-9-10 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-9-2 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-8-1 193848]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-9-24 37664]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2013-10-3 3538480]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2013-9-25 301152]
R2 BT Help Wizard;BT Help Wizard;c:\program files\bt broadband desktop help\btbb\ma\8.3.1.7.bt.1.3\ma\bin\MAHostService.exe [2013-10-2 321024]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-1-3 21504]
R2 LavasoftAdAwareService11;Ad-Aware Service 11;c:\program files\lavasoft\ad-aware antivirus\ad-aware antivirus\11.0.4555.0\AdAwareService.exe [2013-10-18 497744]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-11-20 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-11-20 701512]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-3-31 80896]
R2 pcCMService;pcCMService;c:\program files\common files\motive\pcCMService.exe [2012-9-25 376144]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2012-8-9 38608]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-11-20 22856]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2010-2-24 494368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-10 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-1-3 21504]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbser.sys [2013-9-18 298496]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2013-8-14 13464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2013-11-22 10:13:50 7772552 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{da30a9e0-e8fa-4dcf-8537-c97ee988888f}\mpengine.dll
2013-11-20 19:38:21 -------- d-----w- c:\program files\RealNetworks
2013-11-20 19:37:53 -------- d-----w- c:\users\paulette\appdata\roaming\RealNetworks
2013-11-20 19:36:25 -------- d-----w- c:\programdata\RealNetworks
2013-11-20 12:04:13 -------- d-----w- c:\program files\Audacity
2013-11-20 10:49:03 -------- d-----w- c:\users\paulette\appdata\roaming\Malwarebytes
2013-11-20 10:48:41 -------- d-----w- c:\programdata\Malwarebytes
2013-11-20 10:48:39 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-11-20 10:48:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-11-16 14:50:49 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2013-11-16 14:48:24 -------- d-----w- c:\program files\iPod
2013-11-16 14:48:15 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-11-16 14:40:37 -------- d-----w- c:\program files\Bonjour
2013-11-16 14:12:37 -------- d-----w- c:\users\paulette\appdata\roaming\Mp3tag
2013-11-16 14:12:02 -------- d-----w- c:\program files\Mp3tag
2013-11-13 21:07:55 297984 ----a-w- c:\windows\system32\gdi32.dll
2013-11-13 21:07:41 993792 ----a-w- c:\windows\system32\crypt32.dll
2013-11-13 21:07:34 596480 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2013-11-13 21:07:34 444928 ----a-w- c:\windows\system32\IKEEXT.DLL
2013-11-11 15:50:36 -------- d-----w- c:\program files\common files\Lavasoft
2013-10-25 15:56:40 -------- d-----w- C:\ccc3018c2729c609bb05191f41
2013-10-25 14:20:30 -------- d-----w- C:\AdwCleaner
2013-10-25 13:42:36 -------- d-----w- c:\programdata\Oracle
2013-10-25 13:40:56 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
==================== Find3M  ====================
.
2013-11-18 19:01:34 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-18 19:01:34 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-11 05:50:18 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-10-13 09:48:06 1806848 ----a-w- c:\windows\system32\jscript9.dll
2013-10-13 09:35:52 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-10-13 09:35:38 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 09:30:14 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-10-13 09:29:02 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-10-13 09:25:39 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-10-02 16:11:44 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-09-26 14:54:39 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-09-26 14:54:38 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-09-25 19:57:14 120632 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-09-18 20:08:56 94208 ----a-w- c:\windows\system32\dpl100.dll
2013-09-10 21:11:44 22840 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-09-08 21:12:16 27448 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-09-02 09:39:32 176952 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-09-02 09:28:06 145720 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-09-02 09:28:04 209208 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-09-02 09:28:00 223032 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-08-29 07:36:04 2050048 ----a-w- c:\windows\system32\win32k.sys
2013-08-27 02:47:50 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-08-27 02:47:50 189952 ----a-w- c:\windows\system32\d3d10core.dll
2013-08-27 02:47:50 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2013-08-27 02:47:50 1029120 ----a-w- c:\windows\system32\d3d10.dll
2013-08-27 01:52:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2013-08-27 01:50:40 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2013-08-27 01:32:20 683008 ----a-w- c:\windows\system32\d2d1.dll
2013-08-27 01:28:36 1069056 ----a-w- c:\windows\system32\DWrite.dll
2013-08-27 01:28:35 798208 ----a-w- c:\windows\system32\FntCache.dll
2013-08-26 09:13:02 354656 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
.
============= FINISH: 13:18:51.27 ===============
 

Attached Files



BC AdBot (Login to Remove)

 


#2 Wheels of Steel

Wheels of Steel
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 23 November 2013 - 06:02 PM

Actually, I forgot that Malwarebytes did find some PUPs which I deleted but ir didn't seem to have any affect.

 

Here is the log:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.20.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Paulette :: PAULETTE-PC [administrator]

Protection: Enabled

20/11/2013 10:50:45
mbam-log-2013-11-20 (10-50-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201716
Time elapsed: 13 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Users\Paulette\AppData\Local\Temp\ct3288691 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Paulette\AppData\Local\Temp\ct3297861 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Files Detected: 9
C:\ProgramData\YouTube Downloader\ytd_installer.exe (PUP.Optional.Spigot.A) -> Quarantined and deleted successfully.
C:\ProgramData\YTD Video Downloader\ytd_installer.exe (PUP.Optional.Spigot.A) -> Quarantined and deleted successfully.
C:\Users\Paulette\Local Settings\Temporary Internet Files\Content.IE5\6BYH295E\checktbexist[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Paulette\Local Settings\Temporary Internet Files\Content.IE5\DJLXJJ60\mism[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Paulette\AppData\Local\Temp\ct3288691\chromeid.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Paulette\AppData\Local\Temp\ct3288691\ism.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Paulette\AppData\Local\Temp\ct3288691\setup.ini.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Paulette\AppData\Local\Temp\ct3297861\chromeid.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Paulette\AppData\Local\Temp\ct3297861\setup.ini.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)



#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,699 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:06 AM

Posted 27 November 2013 - 09:20 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

step1.gif In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/515024 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

step2.gifIf you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your destop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Wheels of Steel

Wheels of Steel
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 27 November 2013 - 11:48 AM

AVG is still reporting that it is finding Zperm. Recently videos have been freezing also.

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16520  BrowserJavaVersion: 10.45.2
Run by Paulette at 16:35:38 on 2013-11-27
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2038.661 [GMT 0:00]
.
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Ad-Aware Antivirus *Disabled/Outdated* {D87B6541-12A1-DAEA-0033-9B8057AAB996}
SP: Ad-Aware Antivirus *Disabled/Outdated* {631A84A5-349B-D564-3A83-A0F22C2DF32B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
FW: Ad-Aware Firewall *Disabled* {E040E464-58CE-DBB2-2B6C-32B5A979FEED}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareService.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2014\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BT Broadband Desktop Help\btbb\MA\8.3.1.7.bt.1.3\ma\bin\MAHostService.exe
C:\Program Files\BT Broadband Desktop Help\btbb\MA\8.3.1.7.bt.1.3\ma\bin\node.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Common Files\Motive\pcCMService.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\AVG\AVG2014\avgui.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_9_900_152_ActiveX.exe
C:\Program Files\BT Broadband Desktop Help\btbb\MA\8.3.1.7.bt.1.3\ma\bin\node.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.co.uk/
mDefault_Page_URL = hxxp://www.thetechguys.com/welcome
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: {c585d593-e7f4-4852-a200-561686ee02e4} - <orphaned>
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [UpdateP2GShortCut] c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe "c:\program files\cyberlink\power2go" update "software\cyberlink\power2go\5.0"
mRun: [Skytel] Skytel.exe
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [NWEReboot] <no file>
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{FD85F85B-96D0-4D8D-B5F6-FBEDF408F3E2} : DHCPNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-10-24 147768]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-10-31 222520]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-10-1 102712]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-9-10 27448]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-9-26 13560]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2013-8-15 28552]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-11-5 120600]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-11-4 209176]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-9-17 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-10-31 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-8-1 193848]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-9-24 37664]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2013-9-24 348008]
R2 BT Help Wizard;BT Help Wizard;c:\program files\bt broadband desktop help\btbb\ma\8.3.1.7.bt.1.3\ma\bin\MAHostService.exe [2013-10-2 321024]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-1-3 21504]
R2 LavasoftAdAwareService11;Ad-Aware Service 11;c:\program files\lavasoft\ad-aware antivirus\ad-aware antivirus\11.0.4555.0\AdAwareService.exe [2013-10-18 497744]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-11-20 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-11-20 701512]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-3-31 80896]
R2 pcCMService;pcCMService;c:\program files\common files\motive\pcCMService.exe [2012-9-25 376144]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2012-8-9 38608]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-11-20 22856]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2010-2-24 494368]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2013-11-11 3478544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-10 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-1-3 21504]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbser.sys [2013-9-18 298496]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2013-8-14 13464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2013-11-23 22:26:42 -------- d-----w- c:\users\paulette\appdata\local\ElevatedDiagnostics
2013-11-22 10:13:50 7772552 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{da30a9e0-e8fa-4dcf-8537-c97ee988888f}\mpengine.dll
2013-11-20 19:38:21 -------- d-----w- c:\program files\RealNetworks
2013-11-20 19:37:53 -------- d-----w- c:\users\paulette\appdata\roaming\RealNetworks
2013-11-20 19:36:25 -------- d-----w- c:\programdata\RealNetworks
2013-11-20 12:04:13 -------- d-----w- c:\program files\Audacity
2013-11-20 10:49:03 -------- d-----w- c:\users\paulette\appdata\roaming\Malwarebytes
2013-11-20 10:48:41 -------- d-----w- c:\programdata\Malwarebytes
2013-11-20 10:48:39 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-11-20 10:48:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-11-16 14:50:49 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2013-11-16 14:48:24 -------- d-----w- c:\program files\iPod
2013-11-16 14:48:15 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-11-16 14:40:37 -------- d-----w- c:\program files\Bonjour
2013-11-16 14:12:37 -------- d-----w- c:\users\paulette\appdata\roaming\Mp3tag
2013-11-16 14:12:02 -------- d-----w- c:\program files\Mp3tag
2013-11-13 21:07:55 297984 ----a-w- c:\windows\system32\gdi32.dll
2013-11-13 21:07:41 993792 ----a-w- c:\windows\system32\crypt32.dll
2013-11-13 21:07:34 596480 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2013-11-13 21:07:34 444928 ----a-w- c:\windows\system32\IKEEXT.DLL
2013-11-11 15:50:36 -------- d-----w- c:\program files\common files\Lavasoft
2013-11-05 21:50:48 120600 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-11-04 21:57:30 209176 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-10-31 23:00:28 176952 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-10-31 22:30:08 222520 ----a-w- c:\windows\system32\drivers\avglogx.sys
.
==================== Find3M  ====================
.
2013-11-18 19:01:34 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-18 19:01:34 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-11 05:50:18 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-10-24 22:28:32 147768 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-10-13 09:48:06 1806848 ----a-w- c:\windows\system32\jscript9.dll
2013-10-13 09:35:52 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-10-13 09:35:38 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 09:30:14 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-10-13 09:29:02 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-10-13 09:25:39 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-10-08 06:50:41 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-02 16:11:44 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-09-26 14:54:39 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-09-26 14:54:38 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-09-18 20:08:56 94208 ----a-w- c:\windows\system32\dpl100.dll
2013-09-17 00:57:26 22840 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-09-10 00:43:20 27448 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
.
============= FINISH: 16:35:57.87 ===============
 



#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:06 AM

Posted 28 November 2013 - 01:10 AM


Hello Wheels of Steel

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 Wheels of Steel

Wheels of Steel
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 28 November 2013 - 05:06 AM

Hi Gringo,

 

thanks for helping me. I should say that I have used Awcleaner before. Sorry if this confuses things, it was before I joined this forum. I checked my logs and I first used it the day before I got my first notification from AVG about Win32/Zperm so that may have something to do with the alert. I downloaded it from download.cnet.com but it came with its own malware. It then removed some of it at least as well as a lot more. I have since deleted it but I still have the logs saved. Would you need to see an older log as well or shall I run it and just post a new log?



#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:06 AM

Posted 28 November 2013 - 10:28 AM

Hello

If you Downloaded it from somewhere else like C-net then most likely you clicked on an ad

Go ahead and use my links and run it again for me


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 Wheels of Steel

Wheels of Steel
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 28 November 2013 - 01:12 PM

I ran both programs, so far I have had no alerts from AVG Resident Shield. All program icons on the system tray disappeared after running JRT but they returned after a restart.

 

# AdwCleaner v3.013 - Report created 28/11/2013 at 17:23:48
# Updated 24/11/2013 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Paulette - PAULETTE-PC
# Running from : C:\Users\Paulette\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Paulette\AppData\LocalLow\boost_interprocess
File Deleted : C:\END

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7854F00C-DC77-477E-A10E-603F48442D3B}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\Software\DivX\Install\Setup\WizardLayout\ConduitToolbar
Key Deleted : HKLM\Software\Uniblue
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\43C098337DB065A49B665D4EA7F16D1C
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A71991503412AEB42838B02C5ED9F9CD
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F7652513C62FF63448CFF05163719DB7

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16520

*************************

AdwCleaner[R0].txt - [11764 octets] - [25/10/2013 14:20:34]
AdwCleaner[R1].txt - [798 octets] - [25/10/2013 14:31:00]
AdwCleaner[R2].txt - [811 octets] - [25/10/2013 14:51:32]
AdwCleaner[R3].txt - [893 octets] - [25/10/2013 15:15:17]
AdwCleaner[R4].txt - [1061 octets] - [29/10/2013 16:29:57]
AdwCleaner[R5].txt - [1774 octets] - [17/11/2013 13:35:01]
AdwCleaner[R6].txt - [1954 octets] - [28/11/2013 17:22:27]
AdwCleaner[S0].txt - [12136 octets] - [25/10/2013 14:22:05]
AdwCleaner[S1].txt - [1125 octets] - [29/10/2013 16:31:31]
AdwCleaner[S2].txt - [1897 octets] - [28/11/2013 17:23:48]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1957 octets] ##########

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows Vista ™ Home Premium x86
Ran by Paulette on 28/11/2013 at 17:35:26.88
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\theseaapp
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\adawarebp
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E3AF9100-C09E-4E3F-92E5-9CCD514158A0}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\ytd video downloader"
Successfully deleted: [Folder] "C:\Users\Paulette\appdata\local\adawarebp"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader"

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 28/11/2013 at 17:40:02.44
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:06 AM

Posted 29 November 2013 - 10:30 AM


Hello Wheels of Steel

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 Wheels of Steel

Wheels of Steel
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 30 November 2013 - 05:01 PM

I received another report from AVG saying that the virus has been found again. I think this happens while Ad-Aware is scanning.

I ran Combofix but I didn't see if a log was produced by it. Do you know the name of the file I'm looking for or should I try running it again? The Combofix icon has a blue, red, green and yellow shield on it, does this mean I should run it as administrator?



#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:06 AM

Posted 30 November 2013 - 08:20 PM


Hello Wheels of Steel

Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
after combofix has finished its scan please post the report back here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 Wheels of Steel

Wheels of Steel
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 01 December 2013 - 10:34 AM

Hi,

 

I tried running Combofix in safe mode but it did not produce a report this time either. I get error messages while it is attemping to backup the registry that say:

 

 

Error saving file

 

C:\windows\ernt\Hiv-backup\...<filename>

 

continue with next file?

 

[RegCreateKeyEx:5 - Access is denied]

 

 

I tried restarting and running the program again but I get the same errors. If I select yes to continue to the next file I get another error relating to another file (11 in total) then the program closes at this stage without producing a report. If I run the program and I select no instead it just closes the program and again there is no report.



#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:06 AM

Posted 01 December 2013 - 12:14 PM



Hello Wheels of Steel

Lets get a deeper look into the system and lets see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 Wheels of Steel

Wheels of Steel
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 01 December 2013 - 01:59 PM

Here's OTL.txt

 

OTL logfile created on: 01/12/2013 18:29:55 - Run 1

OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Paulette\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
1.99 Gb Total Physical Memory | 0.67 Gb Available Physical Memory | 33.72% Memory free
4.22 Gb Paging File | 2.59 Gb Available in Paging File | 61.51% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 142.21 Gb Total Space | 62.15 Gb Free Space | 43.71% Space Free | Partition Type: NTFS
Drive S: | 1.46 Gb Total Space | 1.41 Gb Free Space | 96.05% Space Free | Partition Type: NTFS
 
Computer Name: PAULETTE-PC | User Name: Paulette | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Paulette\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVG\AVG2014\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Windows\System32\Macromed\Flash\FlashUtil32_11_9_900_152_ActiveX.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\AVG\AVG2014\avgidsagent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2014\avgui.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2014\avgemcx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2014\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2014\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareTray.exe ()
PRC - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareService.exe ()
PRC - C:\Program Files\BT Broadband Desktop Help\btbb\MA\8.3.1.7.bt.1.3\ma\bin\node.exe (Joyent, Inc)
PRC - C:\Program Files\BT Broadband Desktop Help\btbb\MA\8.3.1.7.bt.1.3\ma\bin\MAHostService.exe (Alcatel-Lucent)
PRC - C:\Program Files\AVG\AVG2014\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
PRC - C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe (Alcatel-Lucent)
PRC - C:\Program Files\Common Files\Motive\pcCMService.exe (Alcatel-Lucent)
PRC - C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe (RealNetworks, Inc.)
PRC - C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe ()
PRC - C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe ()
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\pugixml.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\boost_thread-vc100-mt-1_53.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\boost_system-vc100-mt-1_53.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\boost_locale-vc100-mt-1_53.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\boost_filesystem-vc100-mt-1_53.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\boost_date_time-vc100-mt-1_53.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\SQLite.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\RCF.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\Logger.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\Localization.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\HtmlFramework.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\DllStorage.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareTrayDefaultSkin.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareTray.exe ()
MOD - C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll ()
MOD - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
 
 
========== Services (SafeList) ==========
 
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2014\avgidsagent.exe (AVG Technologies CZ, s.r.o.)
SRV - (LavasoftAdAwareService11) -- C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareService.exe ()
SRV - (BT Help Wizard) -- C:\Program Files\BT Broadband Desktop Help\btbb\MA\8.3.1.7.bt.1.3\ma\bin\MAHostService.exe (Alcatel-Lucent)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2014\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (pcCMService) -- C:\Program Files\Common Files\Motive\pcCMService.exe (Alcatel-Lucent)
SRV - (RealNetworks Downloader Resolver Service) -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe ()
SRV - (GoToAssist) -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (PassThru Service) -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe ()
SRV - (nosGetPlusHelper) -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll (NOS Microsystems Ltd.)
SRV - (getPlusHelper) -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (Tosrfusb) -- system32\DRIVERS\tosrfusb.sys File not found
DRV - (TosRfSnd) -- system32\drivers\tosrfsnd.sys File not found
DRV - (tosrfnds) -- system32\DRIVERS\tosrfnds.sys File not found
DRV - (Tosrfhid) -- system32\DRIVERS\Tosrfhid.sys File not found
DRV - (Tosrfcom) -- System32\Drivers\tosrfcom.sys File not found
DRV - (tosrfbnp) -- System32\Drivers\tosrfbnp.sys File not found
DRV - (tosrfbd) -- system32\DRIVERS\tosrfbd.sys File not found
DRV - (tosporte) -- system32\DRIVERS\tosporte.sys File not found
DRV - (smserial) -- system32\DRIVERS\smserial.sys File not found
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (MRENDIS5) -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS File not found
DRV - (MREMPR5) -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS File not found
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found
DRV - (Avgdiskx) -- C:\Windows\System32\drivers\avgdiskx.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSDriver) -- C:\Windows\System32\drivers\avgidsdriverx.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgldx86) -- C:\Windows\System32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avglogx) -- C:\Windows\System32\drivers\avglogx.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSHX) -- C:\Windows\System32\drivers\avgidshx.sys (AVG Technologies CZ, s.r.o.)
DRV - (avgtp) -- C:\Windows\System32\drivers\avgtpx86.sys (AVG Technologies)
DRV - (Avgmfx86) -- C:\Windows\System32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (gfibto) -- C:\Windows\System32\drivers\gfibto.sys (GFI Software)
DRV - (AVGIDSShim) -- C:\Windows\System32\drivers\avgidsshimx.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgrkx86) -- C:\Windows\System32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (SWDUMon) -- C:\Windows\System32\drivers\SWDUMon.sys ()
DRV - (Avgtdix) -- C:\Windows\System32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (Trufos) -- C:\Windows\System32\drivers\Trufos.sys (BitDefender S.R.L.)
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (htcnprot) -- C:\Windows\System32\drivers\htcnprot.sys (Windows ® Win 7 DDK provider)
DRV - (netr73) -- C:\Windows\System32\drivers\netr73.sys (Ralink Technology, Corp.)
DRV - (qcusbser) -- C:\Windows\System32\drivers\qcusbser.sys (QUALCOMM Incorporated)
DRV - (pavboot) -- C:\Windows\System32\drivers\pavboot.sys (Panda Security, S.L.)
DRV - (HTCAND32) -- C:\Windows\System32\drivers\ANDROIDUSB.sys (HTC, Corporation)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (NETw3v32) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel® Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thetechguys.com/welcome
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-21-1579097283-781329844-1780871519-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
IE - HKU\S-1-5-21-1579097283-781329844-1780871519-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1579097283-781329844-1780871519-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1579097283-781329844-1780871519-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1579097283-781329844-1780871519-1000\..\SearchScopes\{FCDA7C66-C8C7-4F80-972B-8FBE5239B4D6}: "URL" = http://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
IE - HKU\S-1-5-21-1579097283-781329844-1780871519-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1579097283-781329844-1780871519-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Web Player Plug-In,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\@Motive.com/npMotiveRequest,version=1.0: C:\Program Files\Common Files\Motive\npMotiveRequest.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.2.0: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.2.0: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B1FC07E1-E05B-4567-8891-E63FBE545BA8}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ [2013/11/20 19:38:33 | 000,000,000 | ---D | M]
 
[2013/09/11 12:07:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paulette\AppData\Roaming\Mozilla\Extensions
 
O1 HOSTS File: ([2006/09/18 21:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (RealNetworks Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKU\S-1-5-21-1579097283-781329844-1780871519-1000\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1579097283-781329844-1780871519-1000\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [AdAwareTray] C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.0.4555.0\AdAwareTray.exe ()
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_UI] C:\Program Files\AVG\AVG2014\avgui.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [DivXMediaServer] C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe (DivX, LLC)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [NWEReboot]  File not found
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [UpdateP2GShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 10.45.2)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 10.45.2)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FD85F85B-96D0-4D8D-B5F6-FBEDF408F3E2}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner - No CLSID value found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/12/01 18:27:49 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Paulette\Desktop\OTL.exe
[2013/12/01 15:55:16 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/12/01 15:17:26 | 000,000,000 | ---D | C] -- C:\ComboFix
[2013/12/01 12:41:59 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2013/11/30 21:46:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/11/30 21:45:06 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/11/30 21:42:36 | 005,150,163 | R--- | C] (Swearware) -- C:\Users\Paulette\Desktop\ComboFix.exe
[2013/11/28 17:54:44 | 000,000,000 | ---D | C] -- C:\Users\Paulette\AppData\Local\adawarebp
[2013/11/28 17:35:20 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2013/11/28 09:58:28 | 001,034,531 | ---- | C] (Thisisu) -- C:\Users\Paulette\Desktop\JRT.exe
[2013/11/27 10:13:48 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2013/11/27 10:12:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
[2013/11/23 22:26:42 | 000,000,000 | ---D | C] -- C:\Users\Paulette\AppData\Local\ElevatedDiagnostics
[2013/11/20 19:38:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealNetworks
[2013/11/20 19:38:21 | 000,000,000 | ---D | C] -- C:\Program Files\RealNetworks
[2013/11/20 19:37:53 | 000,000,000 | ---D | C] -- C:\Users\Paulette\AppData\Roaming\RealNetworks
[2013/11/20 19:36:25 | 000,000,000 | ---D | C] -- C:\ProgramData\RealNetworks
[2013/11/20 12:05:46 | 000,000,000 | ---D | C] -- C:\Users\Paulette\AppData\Roaming\Audacity
[2013/11/20 12:04:13 | 000,000,000 | ---D | C] -- C:\Program Files\Audacity
[2013/11/20 10:49:03 | 000,000,000 | ---D | C] -- C:\Users\Paulette\AppData\Roaming\Malwarebytes
[2013/11/20 10:48:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/11/20 10:48:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/11/20 10:48:39 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013/11/20 10:48:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/11/16 14:51:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2013/11/16 14:48:24 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2013/11/16 14:48:15 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2013/11/16 14:40:37 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2013/11/16 14:12:37 | 000,000,000 | ---D | C] -- C:\Users\Paulette\AppData\Roaming\Mp3tag
[2013/11/16 14:12:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mp3tag
[2013/11/16 14:12:02 | 000,000,000 | ---D | C] -- C:\Program Files\Mp3tag
[2013/11/14 03:08:25 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/11/14 03:08:24 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/11/14 03:08:24 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/11/14 03:08:24 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/11/14 03:08:23 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/11/14 03:08:22 | 001,806,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/11/14 03:08:22 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/11/14 03:08:20 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/11/13 21:07:34 | 000,596,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\FWPUCLNT.DLL
[2013/11/12 12:00:51 | 000,000,000 | ---D | C] -- C:\Users\Paulette\AppData\Roaming\Lavasoft
[2013/11/11 15:53:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ad-Aware Antivirus
[2013/11/11 15:50:36 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Lavasoft
[2013/11/05 21:50:48 | 000,120,600 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgdiskx.sys
[2013/11/04 21:57:30 | 000,209,176 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgidsdriverx.sys
 
========== Files - Modified Within 30 Days ==========
 
[2013/12/01 18:28:14 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Paulette\Desktop\OTL.exe
[2013/12/01 18:15:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/12/01 18:00:00 | 000,000,448 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration.job
[2013/12/01 17:59:36 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/12/01 17:59:36 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/12/01 17:59:35 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/12/01 15:55:00 | 2135,388,160 | -HS- | M] () -- C:\hiberfil.sys
[2013/12/01 15:12:27 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2013/11/30 21:42:37 | 005,150,163 | R--- | M] (Swearware) -- C:\Users\Paulette\Desktop\ComboFix.exe
[2013/11/28 09:58:28 | 001,034,531 | ---- | M] (Thisisu) -- C:\Users\Paulette\Desktop\JRT.exe
[2013/11/28 09:57:33 | 001,091,882 | ---- | M] () -- C:\Users\Paulette\Desktop\AdwCleaner.exe
[2013/11/27 10:12:00 | 000,000,847 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2014.lnk
[2013/11/26 18:57:09 | 000,609,642 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/11/26 18:57:09 | 000,109,118 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/11/24 15:02:38 | 018,584,975 | ---- | M] () -- C:\Users\Paulette\Documents\Meditation for Beginners.mp4
[2013/11/24 14:58:15 | 000,000,848 | ---- | M] () -- C:\Users\Public\Desktop\YTD Video Downloader.lnk
[2013/11/22 13:41:05 | 000,034,304 | ---- | M] () -- C:\Users\Paulette\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/11/22 13:40:30 | 000,013,456 | ---- | M] () -- C:\Users\Paulette\Documents\zperm2.csv
[2013/11/22 11:27:54 | 000,000,809 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2013/11/20 23:28:16 | 040,745,134 | ---- | M] () -- C:\Users\Paulette\Documents\Creativity Activation & Chakra Healing - Guided Meditation.mp4
[2013/11/20 19:18:48 | 708,369,255 | ---- | M] () -- C:\Users\Paulette\Documents\Princess Diana_ The Hidden Evidence 1080p HD.mp4
[2013/11/20 10:48:45 | 000,000,911 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/11/18 19:01:34 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/11/18 19:01:34 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/11/16 14:12:07 | 000,000,781 | ---- | M] () -- C:\Users\Public\Desktop\Mp3tag.lnk
[2013/11/14 13:07:15 | 000,008,882 | ---- | M] () -- C:\Users\Paulette\Documents\Zperm.csv
[2013/11/11 15:53:06 | 000,001,231 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
[2013/11/11 05:50:18 | 000,230,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2013/11/05 21:50:48 | 000,120,600 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgdiskx.sys
[2013/11/04 23:40:41 | 000,000,546 | ---- | M] () -- C:\Users\Paulette\Desktop\Canon PowerShot S95 - Shortcut.lnk
[2013/11/04 21:57:30 | 000,209,176 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgidsdriverx.sys
 
========== Files Created - No Company Name ==========
 
[2013/12/01 15:55:00 | 2135,388,160 | -HS- | C] () -- C:\hiberfil.sys
[2013/11/28 09:57:33 | 001,091,882 | ---- | C] () -- C:\Users\Paulette\Desktop\AdwCleaner.exe
[2013/11/24 15:02:37 | 018,584,975 | ---- | C] () -- C:\Users\Paulette\Documents\Meditation for Beginners.mp4
[2013/11/22 13:40:29 | 000,013,456 | ---- | C] () -- C:\Users\Paulette\Documents\zperm2.csv
[2013/11/20 23:27:56 | 040,745,134 | ---- | C] () -- C:\Users\Paulette\Documents\Creativity Activation & Chakra Healing - Guided Meditation.mp4
[2013/11/20 19:12:27 | 708,369,255 | ---- | C] () -- C:\Users\Paulette\Documents\Princess Diana_ The Hidden Evidence 1080p HD.mp4
[2013/11/20 12:04:35 | 000,000,821 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
[2013/11/20 10:48:45 | 000,000,911 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/11/16 14:12:07 | 000,000,781 | ---- | C] () -- C:\Users\Public\Desktop\Mp3tag.lnk
[2013/11/14 12:46:55 | 000,008,882 | ---- | C] () -- C:\Users\Paulette\Documents\Zperm.csv
[2013/11/13 21:07:34 | 000,218,228 | ---- | C] () -- C:\Windows\System32\WFP.TMF
[2013/11/11 15:53:06 | 000,001,231 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
[2013/11/04 23:40:41 | 000,000,546 | ---- | C] () -- C:\Users\Paulette\Desktop\Canon PowerShot S95 - Shortcut.lnk
[2013/09/24 20:16:37 | 000,234,282 | ---- | C] () -- C:\Users\Paulette\AppData\Local\census.cache
[2013/09/24 20:16:15 | 000,170,603 | ---- | C] () -- C:\Users\Paulette\AppData\Local\ars.cache
[2013/09/24 19:48:30 | 000,000,036 | ---- | C] () -- C:\Users\Paulette\AppData\Local\housecall.guid.cache
[2013/09/11 12:08:05 | 000,165,376 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2013/08/14 11:37:38 | 000,013,464 | ---- | C] () -- C:\Windows\System32\drivers\SWDUMon.sys
[2011/02/27 17:49:17 | 000,024,206 | ---- | C] () -- C:\Users\Paulette\AppData\Roaming\UserTile.png
[2010/01/28 20:30:13 | 000,000,680 | ---- | C] () -- C:\Users\Paulette\AppData\Local\d3d9caps.dat
[2008/12/29 13:52:43 | 000,034,304 | ---- | C] () -- C:\Users\Paulette\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
========== ZeroAccess Check ==========
 
[2006/11/02 12:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 17:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 06:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 06:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 137 bytes -> C:\ProgramData\Temp:07F6D9E4
@Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:5C321E34

< End of report >



#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:06 AM

Posted 01 December 2013 - 03:42 PM


Hello Wheels of Steel

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script
  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the customFix.png text box.
    :OTL
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
    O3 - HKU\S-1-5-21-1579097283-781329844-1780871519-1000\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKU\S-1-5-21-1579097283-781329844-1780871519-1000\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
    O4 - HKLM..\Run: [NWEReboot]  File not found
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O18 - Protocol\Handler\linkscanner - No CLSID value found
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click btnOK.png.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

    Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.


Let me know How things are doing

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users