
need help removing Green Dot moneypak virus


This topic is locked
24 replies to this topic

#1 umptyscratch

  • Members
  • 13 posts

Posted 07 December 2013 - 04:22 PM

It's popping up on my screen, but so is the firewall, and it MIGHT be blocking it from completing everything it wants to. Not sure! But the page is posting nonetheless, and I need to get it off of my laptop. I did manage to get into another account and run my antivirus, Malwarebytes Anti-Malware and CCleaner. It obviously didn't do much because it's the other profile. I couldn't go into that profile in safe mode; it reboots the computer.

 

 




 


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 09 December 2013 - 03:00 AM


Hello umptyscratch

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe or e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First Press the Scan button.
  • It will make a log (FRST.txt)
I want you to post the FRST.txt report into your reply to me.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 umptyscratch

  • Topic Starter
  • Members
  • 13 posts

Posted 09 December 2013 - 11:26 AM

I was able to follow a guide on here and get past the ransomware. I ran HitmanPro and it got past it, but when I ran Malwarebytes Anti-Malware the wireless wouldn't come on even when I tried to push the button, and the screen just froze after I rebooted. I ended up doing a restore to an earlier point, but I am still having an issue with the wireless not coming on. It flickers on when Windows is starting, and if I hold it then before Windows comes all the way up it will stay on; otherwise it will not come on at all. I also have an issue with my AVG where the resident shield won't come on, so there may be something still wrong with the laptop.

Here is the FRST file:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-12-2013 01
Ran by Benny (administrator) on FRAN-PC on 09-12-2013 10:02:36
Running from F:\virus removal info\programs to use\farbar recovery scan tool\32 bit
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) ===================
 
(Commtouch, Inc.) C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
(Commtouch, Inc.) C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe
(Commtouch, Inc.) C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1049896 2008-04-17] (Synaptics, Inc.)
HKLM\...\Run: [QPService] - C:\Program Files\HP\QuickPlay\QPService.exe [468264 2008-09-23] (CyberLink Corp.)
HKLM\...\Run: [QlbCtrl.exe] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe [202032 2008-08-01] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [HP Health Check Scheduler] - C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-09] (Hewlett-Packard)
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [MSN Toolbar] - C:\Program Files\MSN Toolbar\Platform\4.0.0334.0\mswinext.exe [240976 2009-10-16] (Microsoft Corp.)
HKLM\...\Run: [Microsoft Default Manager] - C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288080 2009-07-17] (Microsoft Corporation)
HKLM\...\Run: [ArcSoft Connection Service] - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM\...\Run: [Conime] - C:\Windows\System32\conime.exe [69120 2009-04-11] (Microsoft Corporation)
HKLM\...\Run: [EKIJ5000StatusMonitor] - C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe [1638400 2010-05-07] (Eastman Kodak Company)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\hpwuschd2.exe [49208 2011-02-18] (Hewlett-Packard)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2014\avgui.exe [4956176 2013-11-07] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [tvncontrol] - C:\Program Files\TightVNC\tvnserver.exe [1612784 2013-06-06] (GlavSoft LLC.)
HKLM\...\Run: [vProt] - C:\Program Files\AVG SafeGuard toolbar\vprot.exe [2471448 2013-12-08] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKCU\...\Run: [Spotify Web Helper] - C:\Users\Benny\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1140736 2013-11-24] (Spotify Ltd)
HKCU\...\Run: [Pogoplug Backup] - C:\Program Files\PogoplugBackup\ppbrowser.exe [23312896 2013-05-07] (Cloud Engines, Inc.)
MountPoints2: {2795c9fa-a51b-11e2-a51f-001f16dc2fd7} - "G:\WD SmartWare.exe" autoplay=true
MountPoints2: {dc5f2db1-9682-11e2-a093-001f16dc2fd7} - F:\PC_ImageViewer4.exe
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2008-09-30] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2008-09-30] (Hewlett-Packard)
HKU\Fran\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [ 2008-06-09] (Hewlett-Packard Company)
HKU\Fran\...\Run: [HPAdvisor] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2008-09-30] (Hewlett-Packard)
HKU\Fran\...\Run: [ehTray.exe] - C:\Windows\ehome\ehtray.exe [ 2008-01-20] (Microsoft Corporation)
HKU\Guest\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [ 2008-09-30] (Hewlett-Packard)
HKU\Guest\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [ 2008-06-09] (Hewlett-Packard Company)
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
SearchScopes: HKLM - DefaultScope {7C09C7A3-0667-4071-A1A4-CBA68F153C0E} URL = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPNTDF
SearchScopes: HKLM - {2CF60031-E094-4373-BE4A-04A5626EE78B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM - {7C09C7A3-0667-4071-A1A4-CBA68F153C0E} URL = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPNTDF
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://mysearch.avg.com/search?cid={DD81E337-A72A-4053-A016-F599B87B007D}&mid=a626d22cde4147d68d26d1565038c624-f62973b994387bef06fbc2f938f62d6bf1229cd0&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-09-09 20:27:07&v=17.0.1.4&pid=safeguard&sg=0&sap=dsp&q={searchTerms}&cmpid=0913a
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0334.0\npwinext.dll (Microsoft Corporation)
BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0334.0\npwinext.dll (Microsoft Corporation)
Toolbar: HKLM - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKLM - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKCU - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\17.2.0\ViProtocol.dll (AVG Secure Search)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Winsock: Catalog5 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 C:\Windows\system32\iavlsp.dll [118784] (iolo technologies, LLC)
Winsock: Catalog9 02 C:\Windows\system32\iavlsp.dll [118784] (iolo technologies, LLC)
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog9 11 mswsock.dll File Not found ()
Winsock: Catalog9 12 mswsock.dll File Not found ()
Winsock: Catalog9 13 C:\Windows\system32\iavlsp.dll [118784] (iolo technologies, LLC)
Winsock: Catalog9 14 mswsock.dll File Not found ()
Winsock: Catalog9 15 mswsock.dll File Not found ()
Winsock: Catalog9 16 mswsock.dll File Not found ()
Winsock: Catalog9 17 mswsock.dll File Not found ()
Winsock: Catalog9 18 mswsock.dll File Not found ()
Winsock: Catalog9 19 mswsock.dll File Not found ()
Winsock: Catalog9 20 mswsock.dll File Not found ()
Winsock: Catalog9 21 mswsock.dll File Not found ()
Winsock: Catalog9 22 mswsock.dll File Not found ()
Winsock: Catalog9 23 mswsock.dll File Not found ()
Winsock: Catalog9 24 mswsock.dll File Not found ()
Winsock: Catalog9 25 mswsock.dll File Not found ()
Winsock: Catalog9 26 mswsock.dll File Not found ()
Winsock: Catalog9 27 mswsock.dll File Not found ()
Winsock: Catalog9 28 mswsock.dll File Not found ()
Winsock: Catalog9 29 mswsock.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
 
Chrome: 
=======
CHR RestoreOnStartup: "translate_blocked_languages": [ "en"
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\31.0.1650.63\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\31.0.1650.63\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\31.0.1650.63\pdf.dll ()
CHR Plugin: (Java Deployment Toolkit 6.0.240.7) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.1\\npsitesafety.dll (AVG Technologies)
CHR Plugin: (Picasa) - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 6 U24) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (MSN\u00AE Toolbar) - C:\Program Files\MSN Toolbar\Platform\4.0.0334.0\npwinext.dll (Microsoft Corporation)
CHR Plugin: (Windows Presentation Foundation) - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw_1200112.dll (Adobe Systems, Inc.)
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
CHR Extension: (Gamers Unite! Snag Bar) - C:\Users\Benny\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncmdmcjifbkefpaijakdbgfjbpaonjhg\1.2.3_0
CHR Extension: (AVG SafeGuard) - C:\Users\Benny\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof\17.2.0.38_0
CHR Extension: (Google Wallet) - C:\Users\Benny\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0
CHR HKLM\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG SafeGuard toolbar\ChromeExt\17.2.0.38\avg.crx
 
========================== Services (Whitelisted) =================
 
S4 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3478544 2013-11-11] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-24] (AVG Technologies CZ, s.r.o.)
S2 dlbc_device; C:\Windows\system32\dlbccoms.exe [538096 2007-03-01] ( )
S2 DokanCEMounter; C:\Program Files\PogoplugBackup\dokanmnt.exe [108320 2013-05-07] (Cloud Engines)
S2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-10-09] (Hewlett-Packard)
S2 ioloSystemService; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [1053184 2012-12-06] (iolo technologies, LLC)
S2 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe [308592 2010-05-17] (Eastman Kodak Company)
S2 LexBceS; C:\Windows\System32\LEXBCES.EXE [311296 2004-03-04] (Lexmark International, Inc.)
S2 Recovery Service for Windows; C:\Program Files\SMINST\BLService.exe [365952 2008-10-06] ()
S2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [241734 2008-09-15] ()
S2 tvnserver; C:\Program Files\TightVNC\tvnserver.exe [1612784 2013-06-06] (GlavSoft LLC.)
R2 vseamps; C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe [97120 2012-08-24] (Commtouch, Inc.)
R2 vsedsps; C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe [97120 2012-08-24] (Commtouch, Inc.)
R2 vseqrts; C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe [142176 2012-08-24] (Commtouch, Inc.)
S2 vToolbarUpdater17.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\ToolbarUpdater.exe [1771544 2013-12-08] (AVG Secure Search)
 
==================== Drivers (Whitelisted) ====================
 
S2 AMP; C:\Windows\system32\Drivers\amp.sys [137568 2012-08-24] (Commtouch, Inc.)
S2 AMPSE; C:\Windows\system32\Drivers\ampse.sys [1210208 2012-08-24] (Commtouch, Inc.)
S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [120600 2013-11-05] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [209176 2013-11-04] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [147768 2013-10-24] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22840 2013-09-17] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [176952 2013-10-31] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [222520 2013-10-31] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [102712 2013-10-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27448 2013-09-10] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [193848 2013-08-01] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [37664 2013-11-15] (AVG Technologies)
S2 DokanCEDriver; C:\Program Files\PogoplugBackup\dokance.sys [58808 2013-05-07] (Cloud Engines)
S1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [26248 2012-12-06] (EldoS Corporation)
S1 FileDisk; C:\Windows\System32\Drivers\FileDisk.sys [9341 2010-06-29] (iolo technologies, LLC (based on original work by Bo Brantén))
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
S2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [68464 2012-12-06] (Raxco Software, Inc.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S0 ywhuvdqg; System32\drivers\yojqfgq.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-12-09 09:56 - 2013-12-09 09:56 - 00000131 _____ C:\Users\Benny\Desktop\need help removing Green Dot moneypak virus - Virus, Trojan, Spyware, and Malware Removal Logs.url
2013-12-09 09:54 - 2013-12-09 09:55 - 00001428 _____ C:\Windows\setupact.log
2013-12-09 09:54 - 2013-12-09 09:54 - 00000000 _____ C:\Windows\setuperr.log
2013-12-09 09:37 - 2013-12-09 09:37 - 00011064 _____ C:\Users\Benny\Documents\cc_20131209_093723.reg
2013-12-09 08:38 - 2013-12-09 08:38 - 04618136 _____ (Piriform Ltd) C:\Users\Benny\Downloads\ccsetup408.exe
2013-12-08 20:18 - 2013-12-08 20:30 - 01125660 _____ C:\Users\Benny\Downloads\PogoplugBackupSetup5.2.7.exe
2013-12-08 15:04 - 2013-12-08 15:57 - 00000000 ____D C:\ProgramData\HitmanPro
2013-12-08 14:44 - 2013-12-08 19:57 - 00006805 _____ C:\Users\Benny\Desktop\attach.txt
2013-12-08 14:44 - 2013-12-08 19:56 - 00012899 _____ C:\Users\Benny\Desktop\dds.txt
2013-12-07 16:20 - 2013-12-07 16:20 - 00000000 ____D C:\FRST
2013-12-07 11:07 - 2013-12-07 19:45 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2013-12-07 05:34 - 2013-12-07 05:34 - 00000000 ____D C:\Users\Fran\AppData\Local\AVG SafeGuard toolbar
2013-12-07 05:22 - 2013-12-07 05:23 - 00000000 ____D C:\Users\Fran\AppData\Local\Avg2014
2013-12-07 05:15 - 2013-12-08 15:05 - 95025368 ____T C:\ProgramData\37tllwllf.fee
2013-12-07 05:15 - 2013-12-08 15:05 - 00000000 _____ C:\ProgramData\37tllwllf.odd
2013-12-02 23:16 - 2013-12-03 20:32 - 00000000 ____D C:\Users\Benny\Documents\Youcam
2013-12-02 23:01 - 2013-12-08 19:08 - 00000000 ____D C:\Users\Benny\AppData\Roaming\Skype
2013-12-02 23:00 - 2013-12-02 23:15 - 00000000 ____D C:\ProgramData\Skype
2013-12-02 23:00 - 2013-12-02 23:14 - 00000000 ____D C:\Program Files\Skype
2013-11-30 11:02 - 2013-11-30 11:49 - 00001004 _____ C:\Users\Benny\Downloads\notes.txt
2013-11-28 17:37 - 2013-11-30 17:18 - 00000122 _____ C:\Users\Benny\Downloads\buckwow.txt
2013-11-27 11:50 - 2013-11-27 11:50 - 00000121 _____ C:\Users\Benny\Desktop\Green Business People and Planet Award by Green America- Inn Serendipity.url
2013-11-24 12:00 - 2013-12-08 20:05 - 00000000 ____D C:\Program Files\Mozilla Thunderbird
2013-11-22 13:29 - 2013-11-22 13:29 - 01142864 _____ (BitTorrent Inc.) C:\Users\Benny\Downloads\utorrent (1).exe
2013-11-22 13:28 - 2013-11-22 13:28 - 01142864 _____ (BitTorrent Inc.) C:\Users\Benny\Downloads\utorrent.exe
2013-11-22 13:12 - 2013-11-22 13:12 - 04401299 _____ C:\Users\Benny\Downloads\map_isledread_hex.zip
2013-11-22 13:12 - 2013-11-22 13:12 - 03278020 _____ C:\Users\Benny\Downloads\map_isledread_nohex.zip
2013-11-21 09:05 - 2013-11-23 23:14 - 00002475 _____ C:\Users\Benny\Downloads\ioverpower cooking progress needs.txt
2013-11-18 19:21 - 2013-11-18 19:23 - 00000000 ____D C:\Users\Benny\Downloads\cellphone nov
 
==================== One Month Modified Files and Folders =======
 
2013-12-09 09:56 - 2013-12-09 09:56 - 00000131 _____ C:\Users\Benny\Desktop\need help removing Green Dot moneypak virus - Virus, Trojan, Spyware, and Malware Removal Logs.url
2013-12-09 09:56 - 2006-11-02 04:33 - 00690786 _____ C:\Windows\system32\PerfStringBackup.INI
2013-12-09 09:55 - 2013-12-09 09:54 - 00001428 _____ C:\Windows\setupact.log
2013-12-09 09:54 - 2013-12-09 09:54 - 00000000 _____ C:\Windows\setuperr.log
2013-12-09 09:37 - 2013-12-09 09:37 - 00011064 _____ C:\Users\Benny\Documents\cc_20131209_093723.reg
2013-12-09 09:34 - 2006-11-02 06:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-09 09:34 - 2006-11-02 06:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-09 09:29 - 2012-08-12 21:23 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-12-09 09:28 - 2013-05-03 09:29 - 00000000 ____D C:\Windows\Minidump
2013-12-09 09:14 - 2013-02-15 19:30 - 00000884 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-12-09 08:41 - 2012-06-17 19:49 - 00000804 _____ C:\Users\Public\Desktop\CCleaner.lnk
2013-12-09 08:41 - 2012-06-17 19:49 - 00000000 ____D C:\Program Files\CCleaner
2013-12-09 08:38 - 2013-12-09 08:38 - 04618136 _____ (Piriform Ltd) C:\Users\Benny\Downloads\ccsetup408.exe
2013-12-09 08:25 - 2013-02-18 07:35 - 00018352 ____H C:\Users\Benny\Downloads\.picasa.ini
2013-12-09 08:21 - 2013-02-15 19:42 - 00001971 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-12-09 08:14 - 2013-02-15 19:30 - 00000880 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-12-09 08:13 - 2010-11-04 12:28 - 00000000 ____D C:\ProgramData\MFAData
2013-12-09 07:37 - 2009-07-07 09:24 - 00000246 _____ C:\ProgramData\hpqp.ini
2013-12-09 07:34 - 2009-12-05 20:57 - 00000000 ____D C:\ProgramData\Kodak
2013-12-09 07:34 - 2009-11-12 15:28 - 00064319 _____ C:\ProgramData\nvModes.001
2013-12-09 07:34 - 2009-11-12 15:27 - 00064319 _____ C:\ProgramData\nvModes.dat
2013-12-09 07:34 - 2006-11-02 07:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-12-08 22:01 - 2012-09-09 16:41 - 00000000 ____D C:\Users\Benny
2013-12-08 22:01 - 2006-11-02 07:01 - 00032562 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-12-08 22:00 - 2013-10-19 03:52 - 00000000 ____D C:\Users\Benny\AppData\Local\Battle.net
2013-12-08 20:30 - 2013-12-08 20:18 - 01125660 _____ C:\Users\Benny\Downloads\PogoplugBackupSetup5.2.7.exe
2013-12-08 20:28 - 2013-10-19 03:52 - 00000000 ____D C:\Program Files\Battle.net
2013-12-08 20:15 - 2013-09-09 19:26 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2013-12-08 20:14 - 2013-09-20 09:01 - 00000000 ____D C:\Program Files\AVG SafeGuard toolbar
2013-12-08 20:14 - 2013-09-09 19:26 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
2013-12-08 20:07 - 2010-07-13 15:28 - 00000000 ____D C:\Users\Guest
2013-12-08 20:07 - 2009-08-23 15:22 - 00000000 ____D C:\Users\Fran
2013-12-08 20:07 - 2006-11-02 04:22 - 44826624 _____ C:\Windows\system32\config\software_previous
2013-12-08 20:07 - 2006-11-02 04:22 - 35913728 _____ C:\Windows\system32\config\components_previous
2013-12-08 20:07 - 2006-11-02 04:22 - 20185088 _____ C:\Windows\system32\config\system_previous
2013-12-08 20:07 - 2006-11-02 04:22 - 00524288 _____ C:\Windows\system32\config\default_previous
2013-12-08 20:07 - 2006-11-02 04:22 - 00262144 _____ C:\Windows\system32\config\sam_previous
2013-12-08 20:07 - 2006-11-02 04:22 - 00024576 _____ C:\Windows\system32\config\security_previous
2013-12-08 20:06 - 2013-10-19 03:52 - 00000000 ____D C:\Users\Benny\AppData\Roaming\Battle.net
2013-12-08 20:06 - 2013-10-11 16:13 - 00000000 ____D C:\Users\Benny\Downloads\FFXIV-ARR-Bench-Character
2013-12-08 20:06 - 2013-08-30 05:45 - 00000000 ____D C:\Users\Benny\web graphics msic
2013-12-08 20:06 - 2013-07-17 14:28 - 00000000 ____D C:\Program Files\TightVNC
2013-12-08 20:06 - 2013-04-01 21:11 - 00000000 ____D C:\Users\Benny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
2013-12-08 20:06 - 2013-04-01 21:11 - 00000000 ____D C:\Program Files\FileZilla FTP Client
2013-12-08 20:06 - 2013-02-24 11:05 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-12-08 20:06 - 2013-02-21 07:19 - 00000000 ____D C:\Users\Benny\AppData\Roaming\Spotify
2013-12-08 20:06 - 2013-02-19 21:28 - 00000000 ____D C:\Users\Benny\AppData\Roaming\Thunderbird
2013-12-08 20:06 - 2013-02-16 08:03 - 00000000 ____D C:\Users\Benny\AppData\Roaming\Gamers Unite! Snag Bar
2013-12-08 20:06 - 2012-09-09 16:41 - 00000000 ___RD C:\Users\Benny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-12-08 20:06 - 2012-09-09 16:41 - 00000000 ___RD C:\Users\Benny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-12-08 20:06 - 2012-09-09 16:41 - 00000000 ____D C:\Users\Benny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink YouCam
2013-12-08 20:06 - 2012-09-09 16:41 - 00000000 ____D C:\Users\Benny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink DVD Suite
2013-12-08 20:06 - 2011-06-26 18:29 - 00000000 ____D C:\Users\Fran\AppData\Roaming\iolo
2013-12-08 20:06 - 2010-05-17 13:07 - 00000000 ____D C:\Users\Fran\AppData\Roaming\W Photo Studio Viewer
2013-12-08 20:06 - 2010-05-04 21:55 - 00000000 ____D C:\Users\Fran\AppData\Local\QuickPlay
2013-12-08 20:06 - 2009-08-23 15:22 - 00000000 ___RD C:\Users\Fran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-12-08 20:06 - 2009-08-23 15:22 - 00000000 ___RD C:\Users\Fran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-12-08 20:06 - 2009-08-23 15:22 - 00000000 ____D C:\Users\Fran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink YouCam
2013-12-08 20:06 - 2009-08-23 15:22 - 00000000 ____D C:\Users\Fran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink DVD Suite
2013-12-08 20:06 - 2006-11-02 05:18 - 00000000 ____D C:\Windows\system32\spool
2013-12-08 20:06 - 2006-11-02 05:18 - 00000000 ____D C:\Windows\system32\Msdtc
2013-12-08 20:05 - 2013-11-24 12:00 - 00000000 ____D C:\Program Files\Mozilla Thunderbird
2013-12-08 20:05 - 2013-09-20 08:55 - 00000000 ____D C:\ProgramData\AVG2014
2013-12-08 20:05 - 2006-11-02 05:18 - 00000000 ____D C:\Windows\registration
2013-12-08 19:57 - 2013-12-08 14:44 - 00006805 _____ C:\Users\Benny\Desktop\attach.txt
2013-12-08 19:56 - 2013-12-08 14:44 - 00012899 _____ C:\Users\Benny\Desktop\dds.txt
2013-12-08 19:08 - 2013-12-02 23:01 - 00000000 ____D C:\Users\Benny\AppData\Roaming\Skype
2013-12-08 15:57 - 2013-12-08 15:04 - 00000000 ____D C:\ProgramData\HitmanPro
2013-12-08 15:05 - 2013-12-07 05:15 - 95025368 ____T C:\ProgramData\37tllwllf.fee
2013-12-08 15:05 - 2013-12-07 05:15 - 00000000 _____ C:\ProgramData\37tllwllf.odd
2013-12-08 15:05 - 2013-05-20 08:32 - 00000680 _____ C:\Users\Benny\AppData\Local\d3d9caps.dat
2013-12-07 19:45 - 2013-12-07 11:07 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2013-12-07 16:20 - 2013-12-07 16:20 - 00000000 ____D C:\FRST
2013-12-07 05:34 - 2013-12-07 05:34 - 00000000 ____D C:\Users\Fran\AppData\Local\AVG SafeGuard toolbar
2013-12-07 05:24 - 2010-04-05 16:27 - 00001356 _____ C:\Users\Fran\AppData\Local\d3d9caps.dat
2013-12-07 05:23 - 2013-12-07 05:22 - 00000000 ____D C:\Users\Fran\AppData\Local\Avg2014
2013-12-05 20:54 - 2013-07-11 23:01 - 00000000 ____D C:\Users\Benny\AppData\Local\Pogoplug
2013-12-05 04:58 - 2009-12-05 21:12 - 00406528 ____R C:\Users\Public\Documents\ESBK.mbb
2013-12-05 04:58 - 2009-12-05 21:12 - 00248832 ____R C:\Users\Public\Documents\ESBK.mb
2013-12-04 05:58 - 2013-02-15 20:01 - 00000000 ____D C:\Program Files\World of Warcraft
2013-12-03 20:32 - 2013-12-02 23:16 - 00000000 ____D C:\Users\Benny\Documents\Youcam
2013-12-02 23:16 - 2009-04-20 12:09 - 00000000 ____D C:\ProgramData\CyberLink
2013-12-02 23:15 - 2013-12-02 23:00 - 00000000 ____D C:\ProgramData\Skype
2013-12-02 23:14 - 2013-12-02 23:00 - 00000000 ____D C:\Program Files\Skype
2013-11-30 17:18 - 2013-11-28 17:37 - 00000122 _____ C:\Users\Benny\Downloads\buckwow.txt
2013-11-30 11:49 - 2013-11-30 11:02 - 00001004 _____ C:\Users\Benny\Downloads\notes.txt
2013-11-27 11:50 - 2013-11-27 11:50 - 00000121 _____ C:\Users\Benny\Desktop\Green Business People and Planet Award by Green America- Inn Serendipity.url
2013-11-27 07:03 - 2013-02-16 13:17 - 00000000 ____D C:\Users\Benny\AppData\Local\Adobe
2013-11-27 06:58 - 2012-08-12 21:23 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-11-27 06:58 - 2012-08-12 21:23 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-11-26 18:39 - 2013-09-20 09:02 - 00000842 _____ C:\Users\Public\Desktop\AVG 2014.lnk
2013-11-26 05:14 - 2013-02-19 21:28 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-11-24 16:20 - 2013-02-21 07:19 - 00000000 ____D C:\Users\Benny\AppData\Local\Spotify
2013-11-23 23:14 - 2013-11-21 09:05 - 00002475 _____ C:\Users\Benny\Downloads\ioverpower cooking progress needs.txt
2013-11-22 19:42 - 2006-11-02 06:42 - 00000000 ____D C:\Windows\WindowsMobile
2013-11-22 13:29 - 2013-11-22 13:29 - 01142864 _____ (BitTorrent Inc.) C:\Users\Benny\Downloads\utorrent (1).exe
2013-11-22 13:28 - 2013-11-22 13:28 - 01142864 _____ (BitTorrent Inc.) C:\Users\Benny\Downloads\utorrent.exe
2013-11-22 13:12 - 2013-11-22 13:12 - 04401299 _____ C:\Users\Benny\Downloads\map_isledread_hex.zip
2013-11-22 13:12 - 2013-11-22 13:12 - 03278020 _____ C:\Users\Benny\Downloads\map_isledread_nohex.zip
2013-11-18 19:23 - 2013-11-18 19:21 - 00000000 ____D C:\Users\Benny\Downloads\cellphone nov
2013-11-15 06:31 - 2013-09-09 19:26 - 00037664 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx86.sys
 
Files to move or delete:
====================
C:\Users\Fran\AppData\Roaming\desktop.ini
C:\Users\Benny\libgcc_s_dw2-1.dll
C:\Users\Benny\libstdc++-6.dll
C:\Users\Benny\mingwm10.dll
C:\Users\Benny\QtCore4.dll
C:\Users\Benny\QtGui4.dll
C:\Users\Benny\Win32DiskImager.exe
C:\Users\Fran\jagex_cl_runescape_LIVE.dat
C:\Users\Fran\jagex_cl_runescape_LIVE1.dat
C:\Users\Fran\random.dat
C:\Users\Guest\jagex_cl_runescape_LIVE.dat
C:\Users\Guest\jagex_cl_runescape_LIVE1.dat
C:\Users\Guest\jagex_cl_runescape_LIVE2.dat
C:\Users\Guest\random.dat
 
 
Some content of TEMP:
====================
C:\Users\Fran\AppData\Local\Temp\setup.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-12-09 07:41
 
==================== End Of Log ============================
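The "Bamital & volsnap Check" block above reports "MD5 is legit" for each core binary because FRST compares the file's hash with a built-in whitelist. The following is an added example, not code from this thread or from FRST, that does the same job against a baseline you supply, using SHA-256 rather than MD5 (MD5 is collision-prone) and reporting missing and altered files separately. The file names and contents are constructed stand-ins created in a temporary directory so it runs offline; the baseline dictionary, the `build_demo()` helper and the chunk size are assumptions for the demo, not anything FRST or ComboFix exposes.

```python
"""Check core Windows binaries against a known-good hash baseline.

Added example, not code from the thread or from FRST. For a real check the
baseline holds full paths under the Windows System32 directory and hashes
taken from a clean install of the same Windows build and service pack.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not read whole


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(baseline: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each baseline path to (status, actual_sha256).

    status is "legit" (hash matches), "modified" (file present, hash differs)
    or "missing" (file gone); a missing boot-critical file is its own finding.
    """
    results: Dict[str, Tuple[str, str]] = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            results[path] = ("missing", "")
            continue
        actual = sha256_of(path)
        status = "legit" if actual == expected.lower() else "modified"
        results[path] = (status, actual)
    return results


def summarize(results: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """File name -> status, convenient for reporting and for tests."""
    return {os.path.basename(p): status for p, (status, _) in results.items()}


def build_demo() -> Dict[str, str]:
    """Constructed stand-ins (assumption: names only, not real Windows files).

    Records a clean baseline, then patches one file and deletes another, which
    is what a patched services.exe or a removed driver looks like to verify().
    """
    root = tempfile.mkdtemp(prefix="baseline_demo_")
    baseline: Dict[str, str] = {}
    for name in ("services.exe", "winlogon.exe", "volsnap.sys"):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"clean " + name.encode())
        baseline[path] = sha256_of(path)
    with open(os.path.join(root, "services.exe"), "ab") as fh:
        fh.write(b"\x90" * 16)  # appended bytes: hash no longer matches
    os.remove(os.path.join(root, "volsnap.sys"))
    return baseline


if __name__ == "__main__":
    for name, status in summarize(verify(build_demo())).items():
        print(f"{name}: {status}")
```

The comparison is only as good as the baseline: hashes gathered on a host that is already infected will bless the infected file, so take them from a known-clean machine of the same build, and treat "modified" on services.exe or winlogon.exe as a reason to restore the file from installation media or a clean shadow copy rather than to trust a later "legit".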


#4 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 09 December 2013 - 12:48 PM

Hello umptyscratch



I need you to download this script I have made for you: Attached File fixlist.txt (937 bytes)

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow it).

Run FRST again, but this time press the Fix button just once and wait.

When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file into your reply.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 umptyscratch (Topic Starter)

Posted 09 December 2013 - 01:13 PM

The wireless is now working normally. The AVG still won't enable Resident Shield.

Here is the fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 07-12-2013 01
Ran by Benny at 2013-12-09 12:02:29 Run:1
Running from F:\virus removal info\programs to use\farbar recovery scan tool\32 bit
Boot Mode: Safe Mode (minimal)
 
==============================================
 
Content of fixlist:
*****************
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
S0 ywhuvdqg; System32\drivers\yojqfgq.sys [x]
C:\Users\Fran\AppData\Roaming\desktop.ini
C:\Users\Benny\libgcc_s_dw2-1.dll
C:\Users\Benny\libstdc++-6.dll
C:\Users\Benny\mingwm10.dll
C:\Users\Benny\QtCore4.dll
C:\Users\Benny\QtGui4.dll
C:\Users\Benny\Win32DiskImager.exe
C:\Users\Fran\jagex_cl_runescape_LIVE.dat
C:\Users\Fran\jagex_cl_runescape_LIVE1.dat
C:\Users\Fran\random.dat
C:\Users\Guest\jagex_cl_runescape_LIVE.dat
C:\Users\Guest\jagex_cl_runescape_LIVE1.dat
C:\Users\Guest\jagex_cl_runescape_LIVE2.dat
C:\Users\Guest\random.dat
C:\Users\Fran\AppData\Local\Temp\setup.exe
 
 
 
 
*****************
 
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000006\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
ywhuvdqg => Service deleted successfully.
C:\Users\Fran\AppData\Roaming\desktop.ini => Moved successfully.
C:\Users\Benny\libgcc_s_dw2-1.dll => Moved successfully.
C:\Users\Benny\libstdc++-6.dll => Moved successfully.
C:\Users\Benny\mingwm10.dll => Moved successfully.
C:\Users\Benny\QtCore4.dll => Moved successfully.
C:\Users\Benny\QtGui4.dll => Moved successfully.
C:\Users\Benny\Win32DiskImager.exe => Moved successfully.
C:\Users\Fran\jagex_cl_runescape_LIVE.dat => Moved successfully.
C:\Users\Fran\jagex_cl_runescape_LIVE1.dat => Moved successfully.
C:\Users\Fran\random.dat => Moved successfully.
C:\Users\Guest\jagex_cl_runescape_LIVE.dat => Moved successfully.
C:\Users\Guest\jagex_cl_runescape_LIVE1.dat => Moved successfully.
C:\Users\Guest\jagex_cl_runescape_LIVE2.dat => Moved successfully.
C:\Users\Guest\random.dat => Moved successfully.
C:\Users\Fran\AppData\Local\Temp\setup.exe => Moved successfully.
 
==== End of Fixlog ====
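The fixlist above names three kinds of indicator that FRST flagged on this machine: a Winsock Catalog5 entry whose LibraryPath no longer resolves, an InprocServer32 default that has been emptied or redirected (the ZeroAccess "fastprox" hijack), and a boot-start service whose driver file is missing ("[x]"). The following is an added example, not code from this thread, from Farbar or from FRST; it re-implements those three checks over FRST-formatted lines so the logic behind the ATTENTION flags is visible. The expected-LibraryPath table covers only the two indices FRST itself named above, and the two benign sample lines are constructed; both are assumptions for the demo.

```python
"""Offline triage of Farbar Recovery Scan Tool (FRST) log lines.

Added example; not code from the thread, from Farbar or from FRST. Each check
takes one log line and returns a list of human-readable findings.
"""
import re
from typing import Dict, List

# Expected LibraryPath per Winsock Catalog5 index. Assumption: only the two
# indices FRST named in the fixlist are listed; a full table covers every entry.
EXPECTED_CATALOG5: Dict[str, str] = {
    "01": r"%SystemRoot%\system32\NLAapi.dll",
    "06": r"%SystemRoot%\System32\mswsock.dll",
}

WINSOCK_RE = re.compile(
    r"^Winsock: Catalog(?P<cat>\d) (?P<idx>\d{2}) (?P<lib>\S+)(?P<missing> File Not found)?"
)
INPROC_RE = re.compile(
    r"^(?P<key>HK(?:LM|CU)\\.*?\\InprocServer32): \[Default-(?P<expect>[\w.]+)\]\s*(?P<value>.*)$"
)
SERVICE_RE = re.compile(
    r"^(?P<kind>[SRU])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?) \[(?P<info>[^\]]*)\]"
)


def check_winsock(line: str) -> List[str]:
    """Flag a Catalog5 entry whose file is missing or whose library is not the expected one."""
    m = WINSOCK_RE.match(line)
    if not m or m.group("cat") != "5":
        return []
    findings: List[str] = []
    idx, lib = m.group("idx"), m.group("lib")
    if m.group("missing"):
        findings.append(f"winsock catalog5 {idx}: LibraryPath file missing ({lib})")
    expected = EXPECTED_CATALOG5.get(idx)
    # Compare file names only: FRST prints the bare name when the path did not resolve.
    if expected and lib.split("\\")[-1].lower() != expected.split("\\")[-1].lower():
        findings.append(f"winsock catalog5 {idx}: expected {expected}, found {lib}")
    return findings


def check_inproc(line: str) -> List[str]:
    """Flag an InprocServer32 default that is empty or does not name the expected DLL."""
    m = INPROC_RE.match(line)
    if not m:
        return []
    # Drop FRST's own annotation so only the registry value is compared.
    value = re.sub(r"\s*ATTENTION!.*$", "", m.group("value")).strip()
    expect = m.group("expect").lower()
    if not value:
        return [f"{m.group('key')}: default value empty, expected {expect}.dll"]
    if not value.lower().endswith(expect + ".dll"):
        return [f"{m.group('key')}: default points at {value}, expected {expect}.dll"]
    return []


def check_service(line: str) -> List[str]:
    """Flag a service whose image is not on disk; boot-start (S0) makes it a second finding."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    findings: List[str] = []
    if m.group("info").strip() == "x":
        findings.append(f"service {m.group('name')}: image {m.group('path')} not on disk")
        if m.group("start") == "0":
            findings.append(f"service {m.group('name')}: boot-start driver with missing image")
    return findings


def triage(lines) -> List[str]:
    findings: List[str] = []
    for raw in lines:
        line = raw.strip()
        for check in (check_winsock, check_inproc, check_service):
            findings.extend(check(line))
    return findings


# Sample input: the flagged lines from the fixlist in the post above, followed by
# two constructed benign lines in FRST's format (not taken from any log).
SAMPLE_LINES = [
    r"HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?",
    r"Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "
    r'"%SystemRoot%\system32\NLAapi.dll"',
    r"Winsock: Catalog5 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "
    r'"%SystemRoot%\System32\mswsock.dll"',
    r"S0 ywhuvdqg; System32\drivers\yojqfgq.sys [x]",
    r"Winsock: Catalog5 06 %SystemRoot%\System32\mswsock.dll [constructed benign]",
    r"S3 avgtp; C:\Windows\system32\Drivers\avgtpx86.sys [37664 2013-11-15] (AVG Technologies)",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

The checks deliberately do not key on FRST's "ATTENTION" text: they recompute the verdict from the registry value, the expected library and the file-present marker, which is what you need when reviewing a log from a tool version that annotates differently or when building your own audit from raw registry exports.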


#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 09 December 2013 - 04:09 PM



Hello umptyscratch

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete, let me have the two reports and let me know how things are running.

Gringo

#7 umptyscratch (Topic Starter)

Posted 09 December 2013 - 10:03 PM

Everything seems good except for the AVG; hopefully it will just take a reinstall.

AdwCleaner log (there are three logs but I think this is the correct one!)

 

 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\AVG SafeGuard toolbar
Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\Program Files\Ask.com
Folder Deleted : C:\Program Files\AVG SafeGuard toolbar
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}
Folder Deleted : C:\Users\Fran\AppData\Local\AVG SafeGuard toolbar
Folder Deleted : C:\Users\Fran\AppData\Local\PackageAware
Folder Deleted : C:\Users\Fran\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Fran\AppData\LocalLow\AVG SafeGuard toolbar
[!] Folder Deleted : C:\Users\Benny\AppData\Local\AVG SafeGuard toolbar
Folder Deleted : C:\Users\Benny\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Benny\AppData\LocalLow\AVG SafeGuard toolbar
Folder Deleted : C:\Users\Fran\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Folder Deleted : C:\Users\Benny\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Windows\System32\Tasks\Scheduled Update for Ask Toolbar
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1663ECD7-25EC-4600-A9BD-A5AD6FDBFF8D}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1663ECD7-25EC-4600-A9BD-A5AD6FDBFF8D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG SafeGuard toolbar.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG SafeGuard toolbar.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG SafeGuard toolbar.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG SafeGuard toolbar.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Key Deleted : HKCU\Software\AVG SafeGuard toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\Software\AVG SafeGuard toolbar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG SafeGuard toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16470
 
 
*************************
 
AdwCleaner[R0].txt - [9753 octets] - [09/12/2013 20:27:57]
AdwCleaner[R1].txt - [9787 octets] - [09/12/2013 20:34:06]
AdwCleaner[S0].txt - [9621 octets] - [09/12/2013 20:35:56]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9681 octets] ##########
 
JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows Vista ™ Home Premium x86
Ran by Benny on Mon 12/09/2013 at 20:47:39.25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{7C09C7A3-0667-4071-A1A4-CBA68F153C0E}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 12/09/2013 at 20:53:21.69
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 09 December 2013 - 10:15 PM


Hello umptyscratch

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#9 umptyscratch (Topic Starter)

Posted 10 December 2013 - 10:00 PM

I tried to run ComboFix and I am pretty sure it ran, as it got hung on "Preparing Log Report" and after at least 3 hours it never went away nor wrote a log. Everything pretty much appears to be the same, except for the fact that now System Mechanic popped up on my screen (which it never did before; I didn't even know I had it until ComboFix told me, so I dropped its processes, but it came back up when it rebooted). I am thinking perhaps it is fighting my AVG and that's why the Resident Shield won't come on. I figured out why my wireless wouldn't come back on and fixed that; there is apparently something you have to start back up when it is shut down by someone else (which was the ransom virus).

Should I try to disable my antivirus again and try to run ComboFix again, or something else?



#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 10 December 2013 - 10:22 PM


Hello umptyscratch

OK, let's try this: I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
After ComboFix has finished its scan, please post the report back here.

Gringo

#11 umptyscratch (Topic Starter)

Posted 11 December 2013 - 05:49 PM

ComboFix went all the way through this time. I did notice when I logged into my computer that the volume icon had a red X and wouldn't let me enable it; it says "The Audio Service is not running." When I tried to run ComboFix it still said that the Mechanic was on, so I disabled everything in it and stopped the process. I noticed when it was running that it had some administration issues and skipped a couple of things, but I wasn't sure if I was supposed to right-click and run as admin; if so, I might need to redo it again. Here is the log:

 

.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe
c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe
c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe
c:\program files\iolo\Common\Lib\ioloServiceManager.exe
c:\program files\iolo\Common\Lib\wscRmd.exe
c:\program files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe
c:\program files\iolo\Common\Lib\wscRmd.exe
c:\program files\iolo\Common\Lib\wscRmd.exe
c:\program files\iolo\Common\Lib\wscRmd.exe
c:\program files\Windows Media Player\wmpnscfg.exe
.
**************************************************************************
.
Completion time: 2013-12-11  16:35:54 - machine was rebooted
ComboFix-quarantined-files.txt  2013-12-11 22:35
.
Pre-Run: 169,651,478,528 bytes free
Post-Run: 169,621,544,960 bytes free
.
- - End Of File - - E5D19F79B6D7ED975B753E2920076C56
588AE8F0C685C02BA11F30D9CD7E61A0


#12 umptyscratch (Topic Starter)

Posted 11 December 2013 - 05:56 PM

Oops, I think I missed some of the log. Here it is again; this time it should be complete:

 

ComboFix 13-12-10.01 - Benny 12/11/2013  16:13:07.2.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2814.2310 [GMT -6:00]
Running from: c:\users\Benny\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: System Shield *Enabled/Updated* {3030810C-E2AC-B12D-8BB1-B1B8C0193798}
SP: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: System Shield *Enabled/Updated* {8B5160E8-C496-BEA3-B101-8ACABB9E7D25}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Install.exe
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected 
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!services.exe 
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-11 to 2013-12-11  )))))))))))))))))))))))))))))))
.
.
2013-12-11 22:24 . 2013-12-11 22:30 -------- d-----w- c:\users\Benny\AppData\Local\temp
2013-12-11 22:24 . 2013-12-11 22:24 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-12-11 22:24 . 2013-12-11 22:24 -------- d-----w- c:\users\Fran\AppData\Local\temp
2013-12-11 22:24 . 2013-12-11 22:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-12-11 14:11 . 2013-10-13 09:29 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-12-11 14:11 . 2013-10-13 09:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-12-11 14:11 . 2013-10-13 10:49 149744 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2013-12-11 14:11 . 2013-10-13 09:33 768512 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2013-12-11 14:11 . 2013-10-13 09:32 194560 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2013-12-11 14:11 . 2013-10-13 09:30 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-12-11 13:18 . 2013-12-11 13:30 -------- d-----w- c:\windows\system32\MRT
2013-12-10 17:50 . 2013-08-27 01:52 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2013-12-10 17:50 . 2013-08-27 01:32 683008 ----a-w- c:\windows\system32\d2d1.dll
2013-12-10 17:50 . 2013-08-27 02:47 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-12-10 17:50 . 2013-08-27 02:47 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2013-12-10 17:50 . 2013-08-27 01:50 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2013-12-10 17:50 . 2013-08-27 01:28 1069056 ----a-w- c:\windows\system32\DWrite.dll
2013-12-10 17:50 . 2013-08-27 01:28 798208 ----a-w- c:\windows\system32\FntCache.dll
2013-12-10 17:50 . 2013-08-27 02:47 189952 ----a-w- c:\windows\system32\d3d10core.dll
2013-12-10 17:50 . 2013-08-27 02:47 1029120 ----a-w- c:\windows\system32\d3d10.dll
2013-12-10 17:49 . 2013-08-01 03:16 638400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-12-10 17:49 . 2013-08-01 02:49 37376 ----a-w- c:\windows\system32\cdd.dll
2013-12-10 17:49 . 2013-06-15 13:22 15872 ----a-w- c:\windows\system32\icaapi.dll
2013-12-10 17:49 . 2013-06-15 11:23 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-12-10 17:48 . 2013-07-20 10:44 102608 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-12-10 17:48 . 2013-08-29 07:36 2050048 ----a-w- c:\windows\system32\win32k.sys
2013-12-10 17:48 . 2013-07-05 04:53 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-12-10 17:47 . 2013-07-17 19:41 2048 ----a-w- c:\windows\system32\tzres.dll
2013-12-10 17:45 . 2013-10-03 12:45 993792 ----a-w- c:\windows\system32\crypt32.dll
2013-12-10 17:43 . 2013-03-08 03:53 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-12-10 17:43 . 2013-07-03 02:33 35328 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-12-10 17:43 . 2013-07-03 02:10 25472 ----a-w- c:\windows\system32\drivers\hidparse.sys
2013-12-10 17:43 . 2013-04-09 03:51 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-12-10 17:43 . 2013-04-09 03:52 1218048 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2013-12-10 17:43 . 2013-04-09 03:51 983552 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2013-12-10 17:43 . 2013-04-09 03:51 964608 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-12-10 17:43 . 2013-07-08 04:20 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-12-10 17:43 . 2013-07-08 04:16 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-12-10 17:43 . 2013-07-08 04:16 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-12-10 17:41 . 2013-11-18 07:28 7772552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5A2D3F7B-58EA-4E5E-9F32-BC2AA3F5EBF8}\mpengine.dll
2013-12-10 02:47 . 2013-12-10 02:47 -------- d-----w- c:\windows\ERUNT
2013-12-10 02:26 . 2013-12-10 02:40 -------- d-----w- C:\AdwCleaner
2013-12-09 16:13 . 2013-12-09 16:14 -------- d-----w- c:\program files\PogoplugBackup
2013-12-08 21:04 . 2013-12-08 21:57 -------- d-----w- c:\programdata\HitmanPro
2013-12-07 22:20 . 2013-12-07 22:20 -------- d-----w- C:\FRST
2013-12-07 17:07 . 2013-12-08 01:45 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-12-07 11:22 . 2013-12-07 11:23 -------- d-----w- c:\users\Fran\AppData\Local\Avg2014
2013-12-03 05:01 . 2013-12-09 01:08 -------- d-----w- c:\users\Benny\AppData\Roaming\Skype
2013-12-03 05:00 . 2013-12-03 05:14 -------- d-----w- c:\program files\Skype
2013-12-03 05:00 . 2013-12-03 05:15 -------- d-----w- c:\programdata\Skype
2013-11-24 18:00 . 2013-12-10 23:40 -------- d-----w- c:\program files\Mozilla Thunderbird
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 05:29 . 2012-08-13 03:23 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 05:29 . 2012-08-13 03:23 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-19 09:33 . 2009-11-02 18:13 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-11-15 12:31 . 2013-09-10 01:26 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-11-06 03:50 . 2013-11-06 03:50 120600 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-11-05 03:57 . 2013-11-05 03:57 209176 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-11-01 05:00 . 2013-11-01 05:00 176952 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-11-01 04:30 . 2013-11-01 04:30 222520 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-10-25 04:28 . 2013-10-25 04:28 147768 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-10-01 06:49 . 2013-10-01 06:49 102712 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2013-09-20 15:13 . 2013-09-20 15:13 74703 ----a-w- c:\windows\system32\mfc45.dat
2013-09-17 06:57 . 2013-09-17 06:57 22840 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\users\Benny\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-11-24 1140736]
"Pogoplug Backup"="c:\program files\PogoplugBackup\ppbrowser.exe" [2013-12-02 24422400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0334.0\mswinext.exe" [2009-10-16 240976]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-05-07 1638400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-11-08 4956176]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2013-06-06 1612784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -hx [2009-7-10 323584]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventSystem]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseamps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vsedsps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseqrts]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-09 14:15 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-13 05:29]
.
2013-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-16 01:30]
.
2013-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-16 01:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-AMP
SafeBoot-AMPSE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-11 16:32
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe
c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe
c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe
c:\program files\iolo\Common\Lib\ioloServiceManager.exe
c:\program files\iolo\Common\Lib\wscRmd.exe
c:\program files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe
c:\program files\iolo\Common\Lib\wscRmd.exe
c:\program files\iolo\Common\Lib\wscRmd.exe
c:\program files\iolo\Common\Lib\wscRmd.exe
c:\program files\Windows Media Player\wmpnscfg.exe
.
**************************************************************************
.
Completion time: 2013-12-11  16:35:54 - machine was rebooted
ComboFix-quarantined-files.txt  2013-12-11 22:35
.
Pre-Run: 169,651,478,528 bytes free
Post-Run: 169,621,544,960 bytes free
.
- - End Of File - - E5D19F79B6D7ED975B753E2920076C56
588AE8F0C685C02BA11F30D9CD7E61A0


#13 umptyscratch
  • Topic Starter, Members, 13 posts
Posted 11 December 2013 - 06:10 PM

Back in regular mode and the speakers work. They didn't before in regular mode, before I ran ComboFix. I realize they probably wouldn't in safe mode, but they didn't in regular mode before I went to safe mode to run ComboFix. Oh well, something fixed it!



#14 gringo_pr
  • Malware Response Team, 136,772 posts
Posted 12 December 2013 - 12:18 PM


Hello umptyscratch

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#15 umptyscratch
  • Topic Starter, Members, 13 posts
Posted 12 December 2013 - 03:50 PM

The computer seems to be fine. The AVG resident shield still won't come on, but I think that isn't caused by this, and I will work on getting it to work or remove it and try something else. I plan to get System Mechanic off of there altogether, so if you have any tips for that it would be appreciated; I am sure I can find something online that will work.

 

ComboFix log:

 

ComboFix 13-12-12.03 - Benny 12/12/2013  14:29:26.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2814.1893 [GMT -6:00]
Running from: c:\users\Benny\Desktop\ComboFix.exe
Command switches used :: c:\users\Benny\Desktop\CFScript.txt
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-12 to 2013-12-12  )))))))))))))))))))))))))))))))
.
.
2013-12-12 20:42 . 2013-12-12 20:42 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-12-12 20:42 . 2013-12-12 20:42 -------- d-----w- c:\users\Fran\AppData\Local\temp
2013-12-12 20:42 . 2013-12-12 20:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-12-12 12:43 . 2013-11-14 22:38 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-12-11 22:36 . 2013-12-12 20:42 -------- d-----w- c:\users\Benny\AppData\Local\temp
2013-12-11 13:34 . 2013-10-30 00:35 2050560 ----a-w- c:\windows\system32\win32k.sys
2013-12-11 13:34 . 2013-10-30 02:12 335360 ----a-w- c:\windows\system32\SysFxUI.dll
2013-12-11 13:34 . 2013-10-30 01:43 130048 ----a-w- c:\windows\system32\drivers\drmk.sys
2013-12-11 13:34 . 2013-10-30 00:43 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2013-12-11 13:34 . 2013-10-11 02:08 131072 ----a-w- c:\windows\system32\wshom.ocx
2013-12-11 13:34 . 2013-10-11 00:35 155648 ----a-w- c:\windows\system32\wscript.exe
2013-12-11 13:34 . 2013-10-11 02:08 36864 ----a-w- c:\windows\system32\wshcon.dll
2013-12-11 13:34 . 2013-10-11 02:08 172032 ----a-w- c:\windows\system32\scrrun.dll
2013-12-11 13:34 . 2013-10-11 00:35 135168 ----a-w- c:\windows\system32\cscript.exe
2013-12-11 13:34 . 2013-10-22 07:19 158208 ----a-w- c:\windows\system32\imagehlp.dll
2013-12-11 13:18 . 2013-12-12 12:50 -------- d-----w- c:\windows\system32\MRT
2013-12-10 17:50 . 2013-08-27 01:52 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2013-12-10 17:50 . 2013-08-27 01:32 683008 ----a-w- c:\windows\system32\d2d1.dll
2013-12-10 17:50 . 2013-08-27 02:47 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-12-10 17:50 . 2013-08-27 02:47 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2013-12-10 17:50 . 2013-08-27 01:50 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2013-12-10 17:50 . 2013-08-27 01:28 1069056 ----a-w- c:\windows\system32\DWrite.dll
2013-12-10 17:50 . 2013-08-27 01:28 798208 ----a-w- c:\windows\system32\FntCache.dll
2013-12-10 17:50 . 2013-08-27 02:47 189952 ----a-w- c:\windows\system32\d3d10core.dll
2013-12-10 17:50 . 2013-08-27 02:47 1029120 ----a-w- c:\windows\system32\d3d10.dll
2013-12-10 17:49 . 2013-08-01 03:16 638400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-12-10 17:49 . 2013-08-01 02:49 37376 ----a-w- c:\windows\system32\cdd.dll
2013-12-10 17:49 . 2013-06-15 13:22 15872 ----a-w- c:\windows\system32\icaapi.dll
2013-12-10 17:49 . 2013-06-15 11:23 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-12-10 17:48 . 2013-07-20 10:44 102608 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-12-10 17:48 . 2013-07-05 04:53 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-12-10 17:47 . 2013-07-17 19:41 2048 ----a-w- c:\windows\system32\tzres.dll
2013-12-10 17:45 . 2013-10-03 12:45 993792 ----a-w- c:\windows\system32\crypt32.dll
2013-12-10 17:43 . 2013-03-08 03:53 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-12-10 17:43 . 2013-07-03 02:33 35328 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-12-10 17:43 . 2013-07-03 02:10 25472 ----a-w- c:\windows\system32\drivers\hidparse.sys
2013-12-10 17:43 . 2013-04-09 03:51 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-12-10 17:43 . 2013-04-09 03:52 1218048 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2013-12-10 17:43 . 2013-04-09 03:51 983552 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2013-12-10 17:43 . 2013-04-09 03:51 964608 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-12-10 17:43 . 2013-07-08 04:20 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-12-10 17:43 . 2013-07-08 04:16 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-12-10 17:43 . 2013-07-08 04:16 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-12-10 17:41 . 2013-11-18 07:28 7772552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5A2D3F7B-58EA-4E5E-9F32-BC2AA3F5EBF8}\mpengine.dll
2013-12-10 02:47 . 2013-12-10 02:47 -------- d-----w- c:\windows\ERUNT
2013-12-10 02:26 . 2013-12-10 02:40 -------- d-----w- C:\AdwCleaner
2013-12-09 16:13 . 2013-12-09 16:14 -------- d-----w- c:\program files\PogoplugBackup
2013-12-08 21:04 . 2013-12-08 21:57 -------- d-----w- c:\programdata\HitmanPro
2013-12-07 22:20 . 2013-12-07 22:20 -------- d-----w- C:\FRST
2013-12-07 17:07 . 2013-12-08 01:45 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-12-07 11:22 . 2013-12-07 11:23 -------- d-----w- c:\users\Fran\AppData\Local\Avg2014
2013-12-03 05:01 . 2013-12-09 01:08 -------- d-----w- c:\users\Benny\AppData\Roaming\Skype
2013-12-03 05:00 . 2013-12-03 05:14 -------- d-----w- c:\program files\Skype
2013-12-03 05:00 . 2013-12-03 05:15 -------- d-----w- c:\programdata\Skype
2013-11-24 18:00 . 2013-12-10 23:40 -------- d-----w- c:\program files\Mozilla Thunderbird
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 05:29 . 2012-08-13 03:23 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 05:29 . 2012-08-13 03:23 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-19 09:33 . 2009-11-02 18:13 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-11-15 12:31 . 2013-09-10 01:26 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-11-06 03:50 . 2013-11-06 03:50 120600 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-11-05 03:57 . 2013-11-05 03:57 209176 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-11-01 05:00 . 2013-11-01 05:00 176952 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-11-01 04:30 . 2013-11-01 04:30 222520 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-10-30 02:13 . 2008-01-21 02:23 1304064 ----a-w- c:\windows\system32\WMALFXGFXDSP.dll
2013-10-25 04:28 . 2013-10-25 04:28 147768 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-10-01 06:49 . 2013-10-01 06:49 102712 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2013-09-20 15:13 . 2013-09-20 15:13 74703 ----a-w- c:\windows\system32\mfc45.dat
2013-09-17 06:57 . 2013-09-17 06:57 22840 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventSystem]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseamps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vsedsps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseqrts]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 12:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-10-28 01:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_UI]
2013-11-08 04:03 4956176 ----a-w- c:\program files\AVG\AVG2014\avgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2010-05-07 15:42 1638400 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-10-09 14:58 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-02-18 19:49 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2009-10-16 21:08 240976 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0334.0\mswinext.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pogoplug Backup]
2013-12-02 18:15 24422400 ----a-w- c:\program files\PogoplugBackup\ppbrowser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-08-01 23:14 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2008-09-24 00:21 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2013-11-24 22:19 1140736 ----a-w- c:\users\Benny\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvncontrol]
2013-06-06 21:07 1612784 ----a-w- c:\program files\TightVNC\tvnserver.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-09 14:15 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-13 05:29]
.
2013-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-16 01:30]
.
2013-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-16 01:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AVG-Secure-Search-Update_1113a - c:\users\Benny\AppData\Roaming\AVG 1113a Campaign\AVG-Secure-Search-Update-1113a.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-12 14:43
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-12-12  14:45:06
ComboFix-quarantined-files.txt  2013-12-12 20:44
ComboFix2.txt  2013-12-11 22:35
.
Pre-Run: 167,377,264,640 bytes free
Post-Run: 167,430,946,816 bytes free
.
- - End Of File - - A75F2928450F94ED11D951DEF825E48C
588AE8F0C685C02BA11F30D9CD7E61A0
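The two ComboFix logs in this thread (post #12 before the CFScript run, post #15 after it) differ mainly in their "Reg Loading Points" section: the HKCU Run entries and several HKLM Run entries, including the TightVNC server autostart, are gone from the second log, and most of them reappear under msconfig\startupreg as disabled items. Reviewing that section by eye across two long logs is error-prone, so below is an added example (not ComboFix's code and not posted by anyone in this thread) that parses the Run/RunOnce entries out of ComboFix-style log text, flags the entries a reviewer would look at first, and diffs two runs. The two log excerpts are constructed from the format of the logs above and trimmed to a few entries; the list of remote-access binaries used for flagging is an assumption for illustration, not a vendor detection list.

```python
"""Parse the 'Reg Loading Points' section of ComboFix-style logs and diff two runs.

Added example, not ComboFix's own code. LOG_BEFORE / LOG_AFTER are constructed
excerpts in the format of the logs posted in the thread; REMOTE_ACCESS_BINARIES
is an assumed triage list, not a vendor signature set.
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")   # ((((  Section Name  ))))
KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...\CurrentVersion\Run]
# "Name"="path" [YYYY-MM-DD size]; entries such as "GrpConv"="grpconv -o" [X] are skipped
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$')

# Assumed triage list: remote-control servers that should not silently autostart at logon.
REMOTE_ACCESS_BINARIES = {"tvnserver.exe", "winvnc.exe", "teamviewer.exe"}


@dataclass(frozen=True)
class Autostart:
    key: str
    name: str
    path: str
    size: int


def parse_autostarts(log_text: str) -> dict:
    """Return {value name: Autostart} for every entry under a ...\\Run or ...\\RunOnce key."""
    entries = {}
    in_section = False
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:                                      # any banner starts a new section
            in_section = sec.group(1) == "Reg Loading Points"
            current_key = None
            continue
        if not in_section:
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        val = VALUE_RE.match(line)
        if val and current_key and current_key.lower().endswith(("\\run", "\\runonce")):
            name, path, _date, size = val.groups()
            entries[name] = Autostart(current_key, name, path, int(size))
    return entries


def flag_autostarts(entries: dict) -> dict:
    """Entries a reviewer should look at first: user-writable paths or remote-access tools."""
    flagged = {}
    for name, e in entries.items():
        p = e.path.lower()
        exe = p.rsplit("\\", 1)[-1]
        if "\\appdata\\" in p:
            flagged[name] = "runs from a user-writable profile directory"
        elif exe in REMOTE_ACCESS_BINARIES:
            flagged[name] = "remote-access server autostarts at logon"
    return flagged


def diff_autostarts(before: dict, after: dict) -> tuple:
    """(removed names, added names, names whose path changed) between two runs."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = sorted(n for n in set(before) & set(after) if before[n].path != after[n].path)
    return removed, added, changed


# Constructed excerpt in the format of the first log (post #12).
LOG_BEFORE = r"""
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\users\Benny\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-11-24 1140736]
"Pogoplug Backup"="c:\program files\PogoplugBackup\ppbrowser.exe" [2013-12-02 24422400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-11-08 4956176]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2013-06-06 1612784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-16 01:30]
"""

# Constructed excerpt in the format of the second log (post #15).
LOG_AFTER = r"""
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvncontrol]
2013-06-06 21:07 1612784 ----a-w- c:\program files\TightVNC\tvnserver.exe
"""


def review(before_text: str = LOG_BEFORE, after_text: str = LOG_AFTER) -> dict:
    """Summarise what to look at in the first run and what changed by the second."""
    before, after = parse_autostarts(before_text), parse_autostarts(after_text)
    removed, added, changed = diff_autostarts(before, after)
    return {"flagged_before": flag_autostarts(before),
            "removed": removed, "added": added, "changed": changed}


if __name__ == "__main__":
    for heading, value in review().items():
        print(f"{heading}: {value}")
```

Only lines of the form `"Name"="path" [date size]` under a key ending in `\Run` or `\RunOnce` are treated as live autostarts; the `msconfig\startupreg` keys that hold disabled items use a different line format and are deliberately left out, which is exactly why entries such as tvncontrol show up as "removed" between the two runs. Entries such as `"GrpConv"="grpconv -o" [X]`, where ComboFix could not resolve the file, fail the size/date pattern and are skipped; a fuller parser would want to report those separately rather than drop them.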




