Malware, rootkit removal help.


  • This topic is locked
16 replies to this topic

#1 TommyCockles

TommyCockles

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 14 December 2013 - 10:30 AM

Hi guys, I was recently a little stupid and downloaded a file without thinking, something that I now believe may have infected my computer. Could anyone please talk me through the steps to check for malware and rootkits, etc.? Any help would be greatly appreciated. Thank you.




#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:31 AM

Posted 15 December 2013 - 06:40 PM

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
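Once the FRST.txt requested above is in hand, a responder reads it for a handful of markers before anything else. The Python script below is an added example, not FRST's own code and not part of this thread: it triages a constructed FRST-style excerpt (SAMPLE_LOG, the regexes and the LAN ranges are this example's assumptions) for lines FRST itself marks ATTENTION, services or drivers loading from a Temp folder, system or Firefox proxy settings pointing outside the LAN, and autorun entries whose target file is missing ([x]).

```python
"""Triage an FRST.txt report for the entries a malware responder reads first.
Added example, not FRST's own code: heuristics modelled on the FRST report format
(section banners, "R2 Name; path" service rows, "HKLM\\...\\Run: [Name] - path"
autoruns, "ProxyServer: host:port" and Firefox's FF NetworkProxy lines).
SAMPLE_LOG is constructed for this example.
"""
import re
from ipaddress import ip_address, ip_network

# "==================== Services (Whitelisted) ====" style section banners
SECTION_RE = re.compile(r"^=+\s+(.+?)\s+=+$")
# Service/driver rows: "<start type> <Name>; <path and details>"
SERVICE_RE = re.compile(r"^([RSU]\d)\s+([^;]+);\s*(.*)$")
# Autorun rows; FRST prints a bare "[x]" where the target file no longer exists
AUTORUN_RE = re.compile(
    r"^HK(?:LM|CU|U\\[^\\]+)\\\.\.\.\\(?:Run|RunOnce|Winlogon):\s*\[([^\]]+)\]\s*-?\s*(.*)$"
)
WINPROXY_RE = re.compile(r"^ProxyServer:\s*([^:\s]+)(?::(\d+))?")
FFPROXY_RE = re.compile(
    r'^FF NetworkProxy:\s*"(?:backup\.)?(?:ftp|http|ssl|socks|gopher)",\s*"([^"]+)"'
)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# Ranges a legitimate home/office proxy would normally live in (assumption)
LAN_NETS = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(host: str) -> bool:
    """True for an IP literal outside LAN_NETS; hostnames return False (not resolved)."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in LAN_NETS)


def triage_frst(text: str) -> dict[str, list[str]]:
    """Group the lines a responder would look at first by the reason they stand out."""
    findings: dict[str, list[str]] = {
        "attention": [],         # lines FRST itself flagged
        "temp_services": [],     # services/drivers running out of a Temp folder
        "external_proxies": [],  # system or Firefox proxy pointing off the LAN
        "missing_autoruns": [],  # autorun entries whose target file is gone
    }
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if "ATTENTION" in line:
            findings["attention"].append(line)
        m = SERVICE_RE.match(line)
        if m and section.startswith(("Services", "Drivers")) and TEMP_RE.search(m.group(3)):
            findings["temp_services"].append(f"{section}: {m.group(1)} {m.group(2).strip()}")
        m = WINPROXY_RE.match(line)
        if m and is_external(m.group(1)):
            findings["external_proxies"].append(f"Windows: {m.group(1)}:{m.group(2) or '?'}")
        m = FFPROXY_RE.match(line)
        if m and is_external(m.group(1)):
            entry = f"Firefox: {m.group(1)}"
            if entry not in findings["external_proxies"]:  # one entry per host, not per protocol
                findings["external_proxies"].append(entry)
        m = AUTORUN_RE.match(line)
        if m and m.group(2).strip().startswith("[x]"):
            findings["missing_autoruns"].append(m.group(1))
    return findings


# Constructed FRST-style excerpt (not the log posted in this thread)
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-01-2014
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [ExampleAV] - C:\Program Files\ExampleAV\ui.exe [1234 2013-11-01] (Example Vendor)
HKCU\...\Run: [OldUpdater] - [x]
HKCU\...0c0000000000\InprocServer32: [Default-shell32]  ATTENTION! ====> ZeroAccess?
HKU\Guest\...\Winlogon: [Shell] EXPLORER.EXE [ 2009-04-11] (Microsoft Corporation) <==== ATTENTION
==================== Internet (Whitelisted) ====================
ProxyServer: 203.0.113.10:3128
FireFox:
========
FF NetworkProxy: "backup.ssl", "203.0.113.10"
FF NetworkProxy: "ssl", "203.0.113.10"
FF NetworkProxy: "ssl_port", 3128
========================== Services (Whitelisted) =================
R2 ExampleAV; C:\Program Files\ExampleAV\svc.exe [50344 2013-11-26] (Example Vendor)
S3 QZXWVU; C:\Users\Alice\AppData\Local\Temp\QZXWVU.exe [x]
==================== Drivers (Whitelisted) ====================
S3 MFE_EX; \??\C:\Users\Alice\AppData\Local\Temp\mfe_ex.sys [x]
"""

if __name__ == "__main__":
    for reason, hits in triage_frst(SAMPLE_LOG).items():
        print(f"[{reason}] {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

A hit is a reason to look closer, not a verdict: legitimate software occasionally runs from Temp, and a corporate proxy may well be off the LAN.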


#3 TommyCockles

TommyCockles
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 19 December 2013 - 03:59 PM

Ok done.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-12-2013
Ran by James (administrator) on JAMES-PC on 19-12-2013 20:33:12
Running from C:\Users\James\Desktop
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Logitech Inc.) C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Seagate Technology LLC) C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
() C:\Program Files\CyberLink\Shared Files\RichVideo.exe
(Sonic Solutions) C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
(Sonic Solutions) C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Packard Bell BV) C:\Program Files\Packard Bell\FIJI\ABoard.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Packard Bell BV) C:\Program Files\Packard Bell\FIJI\AOSD.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(AppWork GmbH) C:\Users\James\AppData\Local\JDownloader v2.0\JDownloader2.exe
(TrueCrypt Foundation) C:\Program Files\TrueCrypt\TrueCrypt.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4468736 2007-05-10] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] - C:\Windows\SkyTel.exe [1826816 2007-05-07] (Realtek Semiconductor Corp.)
HKLM\...\Run: [ACTIVBOARD] - C:\Program Files\Packard Bell\FIJI\ABoard.exe [79416 2007-01-18] (Packard Bell BV)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [AvastUI.exe] - C:\Program Files\AVAST Software\Avast\AvastUI.exe [3568312 2013-11-26] (AVAST Software)
HKLM\...\Run: [20131121] - C:\Program Files\AVAST Software\Avast\Setup\emupdate\a5828da2-54b7-43d1-9446-0d8b2f9967ef.exe [180184 2013-11-23] (AVAST Software)
HKLM\...\runonceex: [Flags] - 128
HKLM\...\runonceex: [Title] - UnHackMe Rootkit Check
HKLM\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKCU\...\Run: [ehTray.exe] - C:\Windows\ehome\ehtray.exe [125952 2008-01-19] (Microsoft Corporation)
HKCU\...\Run: [AdobeBridge] - [x]
HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\wmpnscfg.exe [202240 2008-01-19] (Microsoft Corporation)
HKCU\...0c966feabec1\InprocServer32: [Default-shell32]  ATTENTION! ====> ZeroAccess?
HKCU\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Jayne & John\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\wmpnscfg.exe [ 2008-01-19] (Microsoft Corporation)
HKU\Mcx1\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Mcx1\...\Run: [ehTray.exe] - C:\Windows\ehome\ehtray.exe [ 2008-01-19] (Microsoft Corporation)
HKU\Mcx1\...\Winlogon: [Shell] EXPLORER.EXE [ 2009-04-11] (Microsoft Corporation) <==== ATTENTION

==================== Internet (Whitelisted) ====================

ProxyServer: 116.50.153.43:3128
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x7A831F5ED392CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.search.yahoo.com?type=714647&fr=spigot-yhp-ie
URLSearchHook: HKCU - (No Name) - {f999a48b-1950-4d81-9971-79018f807b4b} -  No File
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {0B4A10D1-FBD6-451d-BFDA-F03252B05984} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50-ie-aim-chromesbox-en-us&tb_uuid=20120108023640249&tb_oid=08-01-2012&tb_mrud=08-01-2012
SearchScopes: HKCU - {0B4A10D1-FBD6-451d-BFDA-F03252B05984} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50-ie-aim-chromesbox-en-us&tb_uuid=20120108023640249&tb_oid=08-01-2012&tb_mrud=08-01-2012
SearchScopes: HKCU - {3C28D81D-2C9B-464F-AFC7-FB8BA89F6E8B} URL = http://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=714647&p={searchTerms}
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
ShellExecuteHooks:  - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} -  No File [ ]
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default
FF Homepage: hxxp://www.sky.com/
FF Keyword.URL: user_pref("keyword.URL", "");
FF NetworkProxy: "backup.ftp", "89.200.252.149"
FF NetworkProxy: "backup.ftp_port", 3128
FF NetworkProxy: "backup.gopher", "85.113.155.3"
FF NetworkProxy: "backup.gopher_port", 80
FF NetworkProxy: "backup.socks", "89.200.252.149"
FF NetworkProxy: "backup.socks_port", 3128
FF NetworkProxy: "backup.ssl", "89.200.252.149"
FF NetworkProxy: "backup.ssl_port", 3128
FF NetworkProxy: "ftp", "89.200.252.149"
FF NetworkProxy: "ftp_port", 3128
FF NetworkProxy: "gopher", "80.82.150.82"
FF NetworkProxy: "gopher_port", 8080
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "89.200.252.149"
FF NetworkProxy: "socks_port", 3128
FF NetworkProxy: "ssl", "89.200.252.149"
FF NetworkProxy: "ssl_port", 3128
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.13.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.13.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\searchplugins\ixquick-https---uk.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\amazon-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\chambers-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\eBay-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-en-GB.xml
FF Extension: HTTPS-Everywhere - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\https-everywhere@eff.org
FF Extension: FireShot - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
FF Extension: Microsoft .NET Framework Assistant - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: NoScript - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}(150)
FF Extension: DownloadHelper - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF Extension: Adblock Plus Pop-up Addon - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\adblockpopups@jessehakanen.net.xpi
FF Extension: Exif Viewer - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\exif_viewer@mozilla.doslash.org.xpi
FF Extension: Ghostery - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\firefox@ghostery.com.xpi
FF Extension: Beef Taco (Targeted Advertising Cookie Opt-Out) - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\john@velvetcache.org.xpi
FF Extension: Priv3 - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\priv3@icsi.berkeley.edu.xpi
FF Extension: RequestPolicy - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\requestpolicy@requestpolicy.com.xpi
FF Extension: Scriptish - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\scriptish@erikvold.com.xpi
FF Extension: NoScript - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF Extension: Adblock Plus - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF Extension: BetterPrivacy - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
FF Extension: Google Toolbar for Firefox - C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF

Chrome:
=======
CHR HomePage: hxxp://www.google.com/
CHR RestoreOnStartup: "hxxp://www.google.com/"
CHR DefaultSearchKeyword: google.co.uk
CHR DefaultSearchProvider: Google
CHR DefaultSearchURL: {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR DefaultNewTabURL: {google:baseURL}_/chrome/newtab?{google:RLZ}{google:instantExtendedEnabledParameter}{google:ntpIsThemedParameter}ie={inputEncoding}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\31.0.1650.63\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\31.0.1650.63\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\31.0.1650.63\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.310.5) - C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U31) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll No File
CHR Plugin: (Microsoft\u00AE Windows Media Player Firefox Plugin) - C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll No File
CHR Plugin: (Windows Genuine Advantage) - C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll (Microsoft Corporation)
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll No File
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Google Update) - C:\Users\James\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Adblock Plus) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.6.1_0
CHR Extension: (Grab Any Media) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkcaohgalmoefengeadahaaagpkbggok\3.2.1.5_0
CHR Extension: (Ghostery) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij\5.0.0_0
CHR Extension: (Google Wallet) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0
CHR HKLM\...\Chrome\Extension: [pmcmflmkceipgecmhoddphflfndnfbbe] - C:\Users\James\AppData\Local\CRE\pmcmflmkceipgecmhoddphflfndnfbbe.crx

========================== Services (Whitelisted) =================

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2013-11-26] (AVAST Software)
R2 FreeAgentGoNext Service; C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe [181544 2009-05-01] (Seagate Technology LLC)
R2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [247152 2009-04-17] ()
R2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)
S2 eID CRL Service;
S2 eID Privacy Service;
S3 IICV; C:\Users\James\AppData\Local\Temp\IICV.exe [x]
S3 NHTXAINBKY; C:\Users\James\AppData\Local\Temp\NHTXAINBKY.exe [x]

==================== Drivers (Whitelisted) ====================

R1 ASPI32; C:\Windows\System32\Drivers\ASPI32.sys [25244 1999-09-10] (Adaptec)
R2 aswFsBlk; C:\Windows\system32\drivers\aswFsBlk.sys [35656 2013-11-26] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [70384 2013-11-26] (AVAST Software)
R1 AswRdr; C:\Windows\system32\drivers\aswRdr.sys [54832 2013-11-26] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49944 2013-11-09] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [774392 2013-11-26] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [403440 2013-11-09] (AVAST Software)
R1 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [57672 2013-11-26] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [178304 2013-11-09] ()
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [721904 2009-07-26] ()
R1 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [5632 2009-07-04] ()
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S0 Lbd; system32\DRIVERS\Lbd.sys [x]
S3 MFE_RR; \??\C:\Users\James\AppData\Local\Temp\mfe_rr.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
U0 Partizan; system32\drivers\Partizan.sys [x]
S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [x]
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] ()

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-12-19 20:33 - 2013-12-19 20:33 - 00018273 _____ C:\Users\James\Desktop\FRST.txt
2013-12-19 20:32 - 2013-12-19 20:32 - 00000000 ____D C:\FRST
2013-12-19 20:31 - 2013-12-19 20:31 - 01325422 _____ (Farbar) C:\Users\James\Desktop\FRST.exe
2013-12-14 15:25 - 2013-12-14 15:25 - 00688992 _____ (Swearware) C:\Users\James\Desktop\dds.com
2013-12-14 14:47 - 2013-12-14 14:47 - 00000000 ____D C:\Program Files\CCleaner
2013-12-14 00:08 - 2013-12-14 00:08 - 00000000 ____D C:\Users\James\AppData\Roaming\SUPERAntiSpyware.com
2013-12-14 00:01 - 2013-12-14 14:30 - 00000000 ____D C:\ProgramData\AVG Security Toolbar
2013-12-13 20:13 - 2013-12-13 20:13 - 00000000 ____D C:\ProgramData\Sophos
2013-12-12 21:00 - 2013-12-12 22:30 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-12-12 21:00 - 2013-12-12 21:00 - 00104664 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2013-12-12 17:58 - 2013-12-12 18:27 - 00000073 _____ C:\Windows\system32\Partizan.RRI
2013-12-12 17:38 - 2013-12-12 20:55 - 00000000 ____D C:\ProgramData\RegRun
2013-12-12 17:38 - 2013-12-12 17:38 - 00000002 RSHOT C:\Windows\winstart.bat
2013-12-12 17:37 - 2013-12-12 20:56 - 00000000 ____D C:\Program Files\UnHackMe
2013-12-12 17:12 - 2013-12-12 17:12 - 00000000 ____D C:\Users\James\AppData\Roaming\TuneUp Software
2013-12-12 17:06 - 2013-12-14 14:36 - 00000000 ____D C:\ProgramData\MFAData
2013-12-12 17:06 - 2013-12-12 17:06 - 00000000 ____D C:\Users\James\AppData\Local\MFAData
2013-12-12 16:48 - 2013-12-19 16:30 - 00136477 ____N C:\Windows\WindowsUpdate.log
2013-12-12 16:30 - 2013-11-14 23:13 - 12344320 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-12-12 16:30 - 2013-11-14 22:50 - 09739264 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-12-12 16:30 - 2013-11-14 22:50 - 01806848 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-12-12 16:30 - 2013-11-14 22:43 - 01105408 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-12-12 16:30 - 2013-11-14 22:42 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-12-12 16:30 - 2013-11-14 22:42 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-12-12 16:30 - 2013-11-14 22:41 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-12-12 16:30 - 2013-11-14 22:40 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-12-12 16:30 - 2013-11-14 22:38 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-12-12 16:30 - 2013-11-14 22:38 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-12-12 16:30 - 2013-11-14 22:38 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-12-12 16:30 - 2013-11-14 22:37 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-12-12 16:30 - 2013-11-14 22:36 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-12-12 16:30 - 2013-11-14 22:36 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-12-12 16:30 - 2013-11-14 22:35 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-12-12 16:30 - 2013-11-14 22:32 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-12-12 16:29 - 2013-10-30 02:12 - 00335360 _____ (Microsoft Corporation) C:\Windows\system32\SysFxUI.dll
2013-12-12 16:29 - 2013-10-30 01:43 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\drmk.sys
2013-12-12 16:29 - 2013-10-30 00:43 - 00167936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\portcls.sys
2013-12-12 16:29 - 2013-10-30 00:35 - 02050560 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-12-12 16:28 - 2013-10-22 07:19 - 00158208 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2013-12-12 16:28 - 2013-10-11 02:08 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\scrrun.dll
2013-12-12 16:28 - 2013-10-11 02:08 - 00131072 _____ (Microsoft Corporation) C:\Windows\system32\wshom.ocx
2013-12-12 16:28 - 2013-10-11 02:08 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wshcon.dll
2013-12-12 16:28 - 2013-10-11 00:35 - 00155648 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2013-12-12 16:28 - 2013-10-11 00:35 - 00135168 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2013-12-10 22:01 - 2013-12-10 22:01 - 00000933 _____ C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\GOM Player.lnk
2013-12-10 22:01 - 2013-12-10 22:01 - 00000000 ____D C:\Users\James\AppData\Roaming\GRETECH
2013-12-10 22:01 - 2013-12-10 22:01 - 00000000 ____D C:\Program Files\GRETECH
2013-12-04 19:55 - 2013-12-05 06:12 - 00000000 ____D C:\Windows\Jaksta
2013-12-04 19:55 - 2013-12-04 19:57 - 00000000 ____D C:\Users\James\AppData\Local\Jaksta_Technologies_Pty_L
2013-12-04 19:55 - 2013-12-04 19:55 - 00000000 ____D C:\Users\James\Documents\Applian
2013-12-04 19:01 - 2013-12-04 19:23 - 00000000 ____D C:\Program Files\GetFLV
2013-11-25 21:45 - 2013-12-12 19:25 - 00000000 ____D C:\AdwCleaner
2013-11-24 20:08 - 2013-11-24 20:08 - 00000944 _____ C:\Users\James\Desktop\ID3Remover.lnk
2013-11-24 02:23 - 2013-11-24 02:23 - 00000000 ____D C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FullScreen Photo Viewer
2013-11-24 02:23 - 2013-11-24 02:23 - 00000000 ____D C:\Program Files\FullScreen Photo Viewer
2013-11-23 13:33 - 2013-12-14 00:01 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-11-21 23:39 - 2013-11-21 23:39 - 00000000 ____D C:\Users\James\AppData\Roaming\DVDVideoSoft
2013-11-21 23:39 - 2013-11-21 23:39 - 00000000 ____D C:\Program Files\DVDVideoSoft
2013-11-21 23:39 - 2013-11-21 23:39 - 00000000 ____D C:\Program Files\Common Files\DVDVideoSoft

==================== One Month Modified Files and Folders =======

2013-12-19 20:33 - 2013-12-19 20:33 - 00018273 _____ C:\Users\James\Desktop\FRST.txt
2013-12-19 20:32 - 2013-12-19 20:32 - 00000000 ____D C:\FRST
2013-12-19 20:31 - 2013-12-19 20:31 - 01325422 _____ (Farbar) C:\Users\James\Desktop\FRST.exe
2013-12-19 20:30 - 2008-12-22 16:17 - 00000340 _____ C:\Windows\Tasks\Recovery DVD Creator.job
2013-12-19 20:26 - 2012-11-03 12:42 - 00000884 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-12-19 20:24 - 2012-10-30 22:08 - 00002032 _____ C:\Users\James\AppData\Local\d3d9caps.dat
2013-12-19 20:24 - 2012-04-09 16:37 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-12-19 20:23 - 2006-11-02 12:47 - 00003296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-19 20:23 - 2006-11-02 12:47 - 00003296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-19 18:32 - 2013-11-11 17:13 - 00000000 ____D C:\Users\James\AppData\Local\JDownloader v2.0
2013-12-19 16:36 - 2012-11-03 12:42 - 00000880 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-12-19 16:30 - 2013-12-12 16:48 - 00136477 ____N C:\Windows\WindowsUpdate.log
2013-12-19 16:28 - 2006-11-02 10:33 - 00772070 _____ C:\Windows\system32\PerfStringBackup.INI
2013-12-19 16:23 - 2006-11-02 13:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-12-18 23:54 - 2006-11-02 13:01 - 00032646 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-12-18 23:46 - 2013-08-31 16:37 - 00000000 ____D C:\Users\James\AppData\Roaming\Media Player Classic
2013-12-18 23:46 - 2009-01-31 17:25 - 00000000 ____D C:\Users\James\AppData\Roaming\uTorrent
2013-12-15 17:59 - 2009-04-15 19:10 - 00000000 ____D C:\Users\James\Downloads\Software
2013-12-15 17:51 - 2012-09-20 21:55 - 00106096 _____ C:\Users\James\AppData\Local\GDIPFONTCACHEV1.DAT
2013-12-14 15:25 - 2013-12-14 15:25 - 00688992 _____ (Swearware) C:\Users\James\Desktop\dds.com
2013-12-14 14:53 - 2010-04-23 21:44 - 00000000 ____D C:\Users\James\AppData\Local\CrashDumps
2013-12-14 14:47 - 2013-12-14 14:47 - 00000000 ____D C:\Program Files\CCleaner
2013-12-14 14:36 - 2013-12-12 17:06 - 00000000 ____D C:\ProgramData\MFAData
2013-12-14 14:30 - 2013-12-14 00:01 - 00000000 ____D C:\ProgramData\AVG Security Toolbar
2013-12-14 00:08 - 2013-12-14 00:08 - 00000000 ____D C:\Users\James\AppData\Roaming\SUPERAntiSpyware.com
2013-12-14 00:01 - 2013-11-23 13:33 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-12-13 20:13 - 2013-12-13 20:13 - 00000000 ____D C:\ProgramData\Sophos
2013-12-12 22:30 - 2013-12-12 21:00 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-12-12 21:00 - 2013-12-12 21:00 - 00104664 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2013-12-12 20:56 - 2013-12-12 17:37 - 00000000 ____D C:\Program Files\UnHackMe
2013-12-12 20:55 - 2013-12-12 17:38 - 00000000 ____D C:\ProgramData\RegRun
2013-12-12 20:27 - 2008-12-22 16:06 - 00000000 ____D C:\Users\James
2013-12-12 19:25 - 2013-11-25 21:45 - 00000000 ____D C:\AdwCleaner
2013-12-12 18:27 - 2013-12-12 17:58 - 00000073 _____ C:\Windows\system32\Partizan.RRI
2013-12-12 17:38 - 2013-12-12 17:38 - 00000002 RSHOT C:\Windows\winstart.bat
2013-12-12 17:38 - 2006-11-02 10:23 - 00002577 _____ C:\Windows\system32\config.nt
2013-12-12 17:38 - 2006-11-02 10:23 - 00001688 _____ C:\Windows\system32\autoexec.nt
2013-12-12 17:12 - 2013-12-12 17:12 - 00000000 ____D C:\Users\James\AppData\Roaming\TuneUp Software
2013-12-12 17:06 - 2013-12-12 17:06 - 00000000 ____D C:\Users\James\AppData\Local\MFAData
2013-12-12 16:44 - 2006-11-02 12:47 - 02309136 _____ C:\Windows\system32\FNTCACHE.DAT
2013-12-12 16:37 - 2012-09-21 21:52 - 00006595 _____ C:\Windows\system32\lvcoinst.log
2013-12-12 16:37 - 2008-12-22 14:50 - 00000000 ____D C:\Windows\system32\RTCOM
2013-12-12 16:35 - 2013-08-15 15:28 - 00000000 ____D C:\Windows\system32\MRT
2013-12-12 16:32 - 2006-11-02 10:24 - 88123800 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2013-12-12 00:05 - 2011-06-09 21:46 - 00000000 ____D C:\Users\James\Documents\Camtasia Studio
2013-12-11 16:29 - 2012-04-09 16:37 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-12-11 16:29 - 2011-05-25 11:47 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-12-10 23:14 - 2013-07-07 22:36 - 00000000 ____D C:\Users\James\Soc
2013-12-10 22:20 - 2009-11-17 01:25 - 00000000 ____D C:\Program Files\VideoLAN
2013-12-10 22:01 - 2013-12-10 22:01 - 00000933 _____ C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\GOM Player.lnk
2013-12-10 22:01 - 2013-12-10 22:01 - 00000000 ____D C:\Users\James\AppData\Roaming\GRETECH
2013-12-10 22:01 - 2013-12-10 22:01 - 00000000 ____D C:\Program Files\GRETECH
2013-12-10 21:51 - 2009-01-12 14:28 - 00000000 ____D C:\ProgramData\Apple Computer
2013-12-05 06:12 - 2013-12-04 19:55 - 00000000 ____D C:\Windows\Jaksta
2013-12-04 19:57 - 2013-12-04 19:55 - 00000000 ____D C:\Users\James\AppData\Local\Jaksta_Technologies_Pty_L
2013-12-04 19:55 - 2013-12-04 19:55 - 00000000 ____D C:\Users\James\Documents\Applian
2013-12-04 19:55 - 2011-10-03 19:50 - 00000000 ____D C:\Program Files\Applian Technologies
2013-12-04 19:23 - 2013-12-04 19:01 - 00000000 ____D C:\Program Files\GetFLV
2013-11-27 21:06 - 2006-11-02 11:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-11-26 19:24 - 2013-11-09 15:15 - 00001836 _____ C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-11-26 19:23 - 2013-04-14 17:55 - 00774392 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2013-11-26 19:23 - 2013-04-14 17:55 - 00269216 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2013-11-26 19:23 - 2013-04-14 17:55 - 00070384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2013-11-26 19:23 - 2013-04-14 17:55 - 00057672 _____ (AVAST Software) C:\Windows\system32\Drivers\aswTdi.sys
2013-11-26 19:23 - 2013-04-14 17:55 - 00054832 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr.sys
2013-11-26 19:23 - 2013-04-14 17:55 - 00035656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswFsBlk.sys
2013-11-26 19:23 - 2013-04-14 17:54 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2013-11-26 19:09 - 2009-07-26 16:59 - 00006054 _____ C:\Users\James\AppData\Roaming\wklnhst.dat
2013-11-25 19:55 - 2006-11-02 11:18 - 00000000 ____D C:\Windows\Web
2013-11-25 17:36 - 2010-06-11 20:32 - 00000000 ____D C:\ProgramData\Yahoo!
2013-11-24 20:08 - 2013-11-24 20:08 - 00000944 _____ C:\Users\James\Desktop\ID3Remover.lnk
2013-11-24 13:55 - 2013-04-30 15:32 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-11-24 02:23 - 2013-11-24 02:23 - 00000000 ____D C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FullScreen Photo Viewer
2013-11-24 02:23 - 2013-11-24 02:23 - 00000000 ____D C:\Program Files\FullScreen Photo Viewer
2013-11-21 23:39 - 2013-11-21 23:39 - 00000000 ____D C:\Users\James\AppData\Roaming\DVDVideoSoft
2013-11-21 23:39 - 2013-11-21 23:39 - 00000000 ____D C:\Program Files\DVDVideoSoft
2013-11-21 23:39 - 2013-11-21 23:39 - 00000000 ____D C:\Program Files\Common Files\DVDVideoSoft

Files to move or delete:
====================
C:\Users\James\AppData\Roaming\desktop.ini


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-12-19 16:38

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 19-12-2013
Ran by James at 2013-12-19 20:34:23
Running from C:\Users\James\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

µTorrent (HKCU Version: 3.3.2.30180)
32 Bit HP CIO Components Installer (Version: 2.1.5)
7-Zip 9.20
Adobe Anchor Service CS4 (Version: 2.0)
Adobe Bridge CS4 (Version: 3)
Adobe CMaps CS4 (Version: 2.0)
Adobe Color - Photoshop Specific CS4 (Version: 2.0)
Adobe Color EU Recommended Settings CS4 (Version: 2.0)
Adobe Color JA Extra Settings CS4 (Version: 2.0)
Adobe Color NA Extra Settings CS4 (Version: 2.0)
Adobe Color Video Profiles CS CS4 (Version: 2.0)
Adobe CSI CS4 (Version: 1)
Adobe Default Language CS4 (Version: 2.0)
Adobe Device Central CS4 (Version: 2)
Adobe Drive CS4 (Version: 1)
Adobe ExtendScript Toolkit CS4 (Version: 3.0.0)
Adobe Extension Manager CS4 (Version: 2.0)
Adobe Flash Player 11 ActiveX (Version: 11.9.900.170)
Adobe Flash Player 11 Plugin (Version: 11.9.900.170)
Adobe Fonts All (Version: 2.0)
Adobe Linguistics CS4 (Version: 4.0.0)
Adobe Output Module (Version: 2.0)
Adobe PDF Library Files CS4 (Version: 9.0)
Adobe Photoshop CS4 (Version: 11.0)
Adobe Photoshop CS4 Support (Version: 11.0)
Adobe Reader X (10.1.8) (Version: 10.1.8)
Adobe Search for Help (Version: 1.0)
Adobe Service Manager Extension (Version: 1.0)
Adobe Setup (Version: 2.0)
Adobe Shockwave Player (Version: 10.2.0.023)
Adobe Type Support CS4 (Version: 9.0)
Adobe Update Manager CS4 (Version: 6.0.0)
Adobe WinSoft Linguistics Plugin (Version: 1.1)
Adobe XMP Panels CS4 (Version: 2.0)
AdobeColorCommonSetCMYK (Version: 2.0)
AdobeColorCommonSetRGB (Version: 2.0)
AIO_CDA_ProductContext (Version: 82.0.233.000)
AIO_CDA_Software (Version: 82.0.233.000)
AIO_Scan (Version: 82.0.173.000)
Alt.Binz 0.39.4 (Version: 0.39.4)
AOL Messaging Toolbar
Apple Application Support (Version: 2.3.6)
Apple Mobile Device Support (Version: 7.0.0.117)
Apple Software Update (Version: 2.1.3.127)
avast! Free Antivirus (Version: 9.0.2008)
Avidemux 2.6 (32-bit) (Version: 2.6.5.8897)
AVS Update Manager 1.0
AVS Video Converter 8
Boilsoft Video Joiner 6.56
Boilsoft Video Splitter 6.33
Bonjour (Version: 3.0.0.10)
BufferChm (Version: 82.0.173.000)
C4100 (Version: 82.0.233.000)
c4100_Help (Version: 82.0.233.000)
CameraHelperMsi (Version: 13.31.1038.0)
Camtasia Studio 8 (Version: 8.0.4.1060)
CCleaner (Version: 4.08)
Combined Community Codec Pack 2013-08-01 (Version: 2013.08.01.0)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Connect (Version: 1.0.0.1)
Copy (Version: 120.0.214.000)
CPUID CPU-Z 1.67
Creator 9
CustomerResearchQFolder (Version: 1.00.0000)
Defraggler (Version: 2.15)
Destination Component (Version: 090.000.091.086)
DeviceDiscovery (Version: 110.0.180.000)
DeviceManagementQFolder (Version: 1.00.0000)
DocProc (Version: 8.1.0.0)
DocProcQFolder (Version: 1.00.0000)
Dropbox (HKCU Version: 2.0.22)
erLT (Version: 1.20.138.34)
eSupportQFolder (Version: 1.00.0000)
Fax (Version: 120.0.194.000)
Flash Player 9 Internet Explorer
Free M4a to MP3 Converter 8.0
Free Video Flip and Rotate version 2.1.9.827 (Version: 2.1.9.827)
FullScreen Photo Viewer 2.2 (Version: 2.2)
GearDrvs (Version: 1)
GearDrvs (Version: 1.00.0000)
Gigaflat
Gmask 1.70 English
GOM Player (Version: 2.2.56.5181)
Google Chrome (Version: 31.0.1650.63)
Google Update Helper (Version: 1.3.22.3)
HDReg (Version: 2.0.0)
HP Customer Participation Program 8.0 (Version: 8.0)
HP Imaging Device Functions 8.0 (Version: 8.0)
HP OCR Software 8.0 (Version: 8.0)
HP Photosmart Essential (Version: 1.12.0.46)
HP Photosmart.All-In-One Driver Software 8.0 .A (Version: 8.0)
HP Product Assistant (Version: 100.000.001.000)
HP Solution Center 8.0 (Version: 8.0)
HP Update (Version: 5.002.000.010)
HPProductAssistant (Version: 82.0.173.000)
HPSSupply (Version: 2.1.3.0000)
Infocentre Rev. 2.0
Internet From BT
iTunes (Version: 11.1.0.126)
Java 7 Update 13 (Version: 7.0.130)
Java Auto Updater (Version: 2.1.9.0)
Keyboard FIJI
kuler (Version: 2.0)
LightScribe  1.4.124.1 (Version: 1.4.124.1)
Logitech Vid HD (Version: 7.2 (7259))
Logitech Webcam Software (Version: 2.30)
Logitech Webcam Software Driver Package (Version: 12.10.1110)
LWS Facebook (Version: 13.31.1038.0)
LWS Gallery (Version: 13.31.1038.0)
LWS Help_main (Version: 13.31.1044.0)
LWS Launcher (Version: 13.31.1038.0)
LWS Motion Detection (Version: 13.30.1395.0)
LWS Pictures And Video (Version: 13.31.1038.0)
LWS Twitter (Version: 13.30.1346.0)
LWS Video Mask Maker (Version: 13.30.1379.0)
LWS VideoEffects (Version: 13.30.1379.0)
LWS Webcam Software (Version: 13.31.1038.0)
LWS WLM Plugin (Version: 1.30.1201.0)
LWS YouTube Plugin (Version: 13.31.1038.0)
MarketResearch (Version: 82.0.174.000)
Media Preview (Version: 1.3.1.343)
MediaInfo 0.7.64 (Version: 0.7.64)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft VC9 runtime libraries (Version: 2.0.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Works (Version: 9.7.0621)
Microsoft Works 9
MKVToolNix 6.3.0 (Version: 6.3.0)
Mozilla Firefox 25.0.1 (x86 en-GB) (Version: 25.0.1)
Mozilla Maintenance Service (Version: 25.0.1)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML4 Parser (Version: 1.0.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
OpenAL
Packard Bell ImageWriter
Packard Bell LCD Test
Packard Bell Updator
PDF Settings CS4 (Version: 9.0)
Photoshop Camera Raw (Version: 5.0)
PVSonyDll (Version: 1.00.0001)
QuickTime (Version: 7.74.80.86)
Realtek HD Audio V6.0.1.5413
Realtek High Definition Audio Driver (Version: 6.0.1.5413)
Roxio Creator 9 LE (Version: 9.0.180)
Scan (Version: 8.1.0.0)
Seagate Manager Installer (Version: 2.02.0109)
SeaTools for Windows (Version: 1.1.3.2)
SetUp My PC
Shockwave
Skype™ 6.6 (Version: 6.6.106)
SolutionCenter (Version: 82.0.188.000)
SolveigMM AVI Trimmer (Version: 2.1.1307.29)
Status (Version: 110.0.180.000)
Suite Shared Configuration CS4 (Version: 1.0)
Toolbox (Version: 82.0.173.000)
TrayApp (Version: 110.0.180.000)
TrueCrypt (Version: 6.3a)
TumblRipper (Version: 0.87)
Ulead GIF Animator 5
Ultra Video Joiner 6.2.0411
Ultra Video Splitter 6.2.0411
UnloadSupport (Version: 1.00.0000)
Unlocker 1.9.1 (Version: 1.9.1)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Video Thumbnails Maker by Scorp (remove only)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (Version: 9.0.30729.01)
Visual Studio 2012 x86 Redistributables (Version: 14.0.0.1)
WebReg (Version: 82.0.173.000)
Windows Installer Clean Up (Version: 3.00.00.0000)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series (Version: 9.00.3374)
WinRAR 5.00 (32-bit) (Version: 5.00.0)

==================== Restore Points  =========================


==================== Hosts content: ==========================

2006-11-02 10:23 - 2013-03-13 20:35 - 00001692 ___RA C:\Windows\system32\Drivers\etc\hosts
127.0.0.1                activate.adobe.com
127.0.0.1                practivate.adobe.com
127.0.0.1                ereg.adobe.com
127.0.0.1                activate.wip3.adobe.com
127.0.0.1                wip3.adobe.com
127.0.0.1                3dns-3.adobe.com
127.0.0.1                3dns-2.adobe.com
127.0.0.1                adobe-dns.adobe.com
127.0.0.1                adobe-dns-2.adobe.com
127.0.0.1                adobe-dns-3.adobe.com
127.0.0.1                ereg.wip3.adobe.com
127.0.0.1                activate-sea.adobe.com
127.0.0.1                wwis-dubc1-vip60.adobe.com
127.0.0.1                activate-sjc0.adobe.com
127.0.0.1                               adobe.activate.com
127.0.0.1                               applian.securesites.com
127.0.0.1                               applianorders.securesites.net
127.0.0.1                               google-analytics.com
127.0.0.1                               65.52.240.48
127.0.0.1                               activation.cloud.techsmith.com
82.192.86.132     oron.com     www.oron.com


==================== Scheduled Tasks (whitelisted) =============

Task: {1CC81347-6204-4B83-900C-01E02F50F067} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {2711378F-C22C-424E-A442-673B14919331} - System32\Tasks\PBRegbk => C:\Program Files\HDReg\HDRegApp.exe [2005-06-21] (Altwood Systems Ltd)
Task: {3BCDF251-CA5C-4045-A1FC-8FCEF9FBDC93} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {44980BEE-7809-44A9-AC24-D6E578A3B7DF} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\System32\RacAgent.exe [2008-01-19] (Microsoft Corporation)
Task: {4AA58AA9-6FCC-4FCE-86F7-1415337B9102} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {4F665E5F-83DF-413A-8E8D-806B9C43B636} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2012-11-03] (Google Inc.)
Task: {573194AE-7696-4747-BF43-0FD068A88B62} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {742FFE7B-3E2F-471A-9CAD-0C384B3A7113} - System32\Tasks\Recovery DVD Creator => C:\Program Files\Packard Bell\SetUpMyPC\MCDCheck.exe [2006-11-21] (Packard Bell BV)
Task: {76D5C149-BBF1-44FB-89A5-5F928AC7FCC0} - System32\Tasks\PBReg => C:\Program Files\HDReg\HDRegApp.exe [2005-06-21] (Altwood Systems Ltd)
Task: {B7EEC1E9-54B0-445C-84A5-F256EE19A89F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2012-11-03] (Google Inc.)
Task: {C0C3E115-5723-4587-80C8-3FC379D9E540} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2013-11-26] (AVAST Software)
Task: {E5150B95-F9B4-4D5D-95A2-7EC1ACBA95F8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\System32\gatherWirelessInfo.vbs [2008-01-05] ()
Task: {E8237BD2-E8DE-4FFC-874F-C4F82D627C43} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {ED2F1968-D131-4879-8C75-E6309BB8898D} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-11-22] (Piriform Ltd)
Task: {FE187470-719A-4286-A7A6-A975C9200324} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-11] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\PBReg.job => C:\Program Files\HDReg\HDRegApp.exe
Task: C:\Windows\Tasks\PBRegbk.job => C:\Program Files\HDReg\HDRegApp.exe
Task: C:\Windows\Tasks\Recovery DVD Creator.job => C:\Program Files\Packard Bell\SetupMyPc\MCDCheck.exe

==================== Loaded Modules (whitelisted) =============

2013-08-31 16:36 - 2013-07-29 10:17 - 07333376 _____ () C:\Program Files\Combined Community Codec Pack\Filters\LAVFilters\avcodec-lav-55.dll
2013-08-31 16:36 - 2013-07-29 10:17 - 00247296 _____ () C:\Program Files\Combined Community Codec Pack\Filters\LAVFilters\avutil-lav-52.dll
2013-08-31 16:36 - 2013-07-29 10:17 - 00382976 _____ () C:\Program Files\Combined Community Codec Pack\Filters\LAVFilters\swscale-lav-2.dll
2013-08-31 16:36 - 2013-07-29 10:17 - 00207872 _____ () C:\Program Files\Combined Community Codec Pack\Filters\LAVFilters\avfilter-lav-3.dll
2013-11-09 15:15 - 2013-11-09 15:15 - 19336120 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2013-11-23 13:33 - 2013-11-23 13:33 - 03363952 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\TEMP:4BF2F6B5
AlternateDataStreams: C:\ProgramData\TEMP:661DFA1C
AlternateDataStreams: C:\Users\James\Celebrity:Roxio EMC Stream
AlternateDataStreams: C:\Users\James\Documents\Adobe:Roxio EMC Stream
AlternateDataStreams: C:\Users\James\Documents\Camtasia Studio:Roxio EMC Stream
AlternateDataStreams: C:\Users\James\Documents\DVDVideoSoft:Roxio EMC Stream
AlternateDataStreams: C:\Users\James\Documents\My Games:Roxio EMC Stream
AlternateDataStreams: C:\Users\James\Documents\My Scans:Roxio EMC Stream
AlternateDataStreams: C:\Users\James\Documents\Updater5:Roxio EMC Stream
AlternateDataStreams: C:\Users\James\Documents\Watched Threads:Roxio EMC Stream
AlternateDataStreams: C:\Users\Jayne & John\Documents\My Scans:Roxio EMC Stream
AlternateDataStreams: C:\Users\Jayne & John\Documents\Updater5:Roxio EMC Stream

==================== Safe Mode (whitelisted) ===================


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/19/2013 04:26:05 PM) (Source: Windows Search Service) (User: )
Description: The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

Context:  Application, SystemIndex Catalog

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-PHISH-SHAVAR.CACHE> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR.SBSTORE> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR.SBSTORE> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR.PSET> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR.PSET> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR.CACHE> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR.CACHE> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR-1.SBSTORE> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-PHISH-SHAVAR.SBSTORE> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)


System errors:
=============
Error: (12/19/2013 05:03:59 PM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume L: encountered a non-retryable error and could not start.  The data contains the error code.

Error: (12/19/2013 04:26:01 PM) (Source: Service Control Manager) (User: )
Description: Terminal Services ConfigurationWorkstation%%1058

Error: (12/19/2013 04:25:49 PM) (Source: Service Control Manager) (User: )
Description: Lbd
SBRE

Error: (12/19/2013 04:25:49 PM) (Source: Service Control Manager) (User: )
Description: HP CUE DeviceDiscovery Service

Error: (12/19/2013 04:24:33 PM) (Source: Service Control Manager) (User: )
Description: eID CRL Service%%3

Error: (12/19/2013 04:24:33 PM) (Source: Service Control Manager) (User: )
Description: Computer BrowserWorkstation%%1058

Error: (12/19/2013 04:23:30 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.0.5 for the Network Card with network address 001D7D5B0B7B has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Error: (12/18/2013 09:34:57 PM) (Source: volsnap) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage failed to grow.

Error: (12/18/2013 03:51:44 PM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume L: encountered a non-retryable error and could not start.  The data contains the error code.

Error: (12/18/2013 11:36:25 AM) (Source: Service Control Manager) (User: )
Description: Terminal Services ConfigurationWorkstation%%1058


Microsoft Office Sessions:
=========================
Error: (12/19/2013 04:26:05 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-PHISH-SHAVAR.CACHE

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR.SBSTORE

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR.SBSTORE

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR.PSET

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR.PSET

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR.CACHE

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR.CACHE

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-MALWARE-SHAVAR-1.SBSTORE

Error: (12/18/2013 05:25:21 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\JAMES\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\2764P4KS.DEFAULT\SAFEBROWSING\GOOG-PHISH-SHAVAR.SBSTORE


CodeIntegrity Errors:
===================================
  Date: 2013-12-14 14:32:32.252
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2014\Drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-14 14:32:31.847
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2014\Drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-14 14:32:31.441
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2014\Drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-14 14:32:31.051
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2014\Drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-14 14:32:28.680
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2014\Drivers\avgidsdriverx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-14 14:32:28.305
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2014\Drivers\avgidsdriverx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-14 14:32:27.884
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2014\Drivers\avgidsdriverx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-14 14:32:27.479
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2014\Drivers\avgidsdriverx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-14 00:13:27.289
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-14 00:13:26.837
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 59%
Total physical RAM: 2046.83 MB
Available physical RAM: 834.26 MB
Total Pagefile: 4350.92 MB
Available Pagefile: 2891.38 MB
Total Virtual: 2047.88 MB
Available Virtual: 1909.91 MB

==================== Drives ================================

Drive c: (HDD) (Fixed) (Total:364.61 GB) (Free:6.09 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive j: (Expansion Drive) (Fixed) (Total:931.51 GB) (Free:1.46 GB) NTFS
Drive k: (Expansion Drive) (Fixed) (Total:1863.01 GB) (Free:0.54 GB) NTFS
Drive l: () (Fixed) (Total:1860 GB) (Free:11.25 GB) NTFS
Drive m: () (Fixed) (Total:499.94 GB) (Free:0.02 GB) FAT32
Drive n: () (Fixed) (Total:399.95 GB) (Free:1.19 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 373 GB) (Disk ID: C126547D)
Partition 1: (Not Active) - (Size=8 GB) - (Type=27)
Partition 2: (Active) - (Size=365 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 1863 GB) (Disk ID: 3EA8EEF8)
Partition 1: (Not Active) - (Size=-198626966528) - (Type=07 NTFS)

========================================================
Disk: 6 (Size: 932 GB) (Disk ID: 0405FEB6)
Partition 1: (Active) - (Size=932 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:31 AM

Posted 19 December 2013 - 05:20 PM

Please do this next:

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

HKCU\...0c966feabec1\InprocServer32: [Default-shell32]  ATTENTION! ====> ZeroAccess?
HKU\Mcx1\...\Winlogon: [Shell] EXPLORER.EXE [ 2009-04-11] (Microsoft Corporation) <==== ATTENTION
S3 IICV; C:\Users\James\AppData\Local\Temp\IICV.exe [x]
S3 NHTXAINBKY; C:\Users\James\AppData\Local\Temp\NHTXAINBKY.exe [x]
C:\Users\James\AppData\Roaming\desktop.ini
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt); please post it in your reply.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 TommyCockles

TommyCockles
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 21 December 2013 - 02:40 PM

Ok, thank you, I've done that.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 20-12-2013 02
Ran by James at 2013-12-21 19:38:37 Run:1
Running from C:\Users\James\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKCU\...0c966feabec1\InprocServer32: [Default-shell32]  ATTENTION! ====> ZeroAccess?
HKU\Mcx1\...\Winlogon: [Shell] EXPLORER.EXE [ 2009-04-11] (Microsoft Corporation) <==== ATTENTION
S3 IICV; C:\Users\James\AppData\Local\Temp\IICV.exe [x]
S3 NHTXAINBKY; C:\Users\James\AppData\Local\Temp\NHTXAINBKY.exe [x]
C:\Users\James\AppData\Roaming\desktop.ini
*****************

HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} => Key deleted successfully.
HKU\Mcx1\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
IICV => Service deleted successfully.
NHTXAINBKY => Service deleted successfully.
C:\Users\James\AppData\Roaming\desktop.ini => Moved successfully.

==== End of Fixlog ====



#6 RPMcMurphy (Bleeping *^#@%~, Malware Response Team, 3,970 posts)

Posted 21 December 2013 - 03:02 PM

Please do this next:

Download ComboFix from HERE, and save it to your desktop.

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back.  Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • ComboFix log




#7 TommyCockles (Topic Starter, Members, 8 posts)

Posted 24 December 2013 - 12:21 PM

ComboFix done, thanks. I didn't realise Windows Defender was still enabled; I thought I disabled it months ago. Is that ok? I can run it again if needs be.

 

ComboFix 13-12-24.01 - James 24/12/2013  16:46:36.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2047.1209 [GMT 0:00]
Running from: c:\users\James\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\UA000104.DLL
c:\windows\UA000106.DLL
K:\autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-24 to 2013-12-24  )))))))))))))))))))))))))))))))
.
.
2013-12-24 01:53 . 2013-12-24 01:53    62576    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{4263BD0A-1332-47C6-8BDD-55AF9043B8C5}\offreg.dll
2013-12-21 18:59 . 2013-12-04 02:57    7760024    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{4263BD0A-1332-47C6-8BDD-55AF9043B8C5}\mpengine.dll
2013-12-21 01:19 . 2013-12-21 01:21    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-12-21 01:19 . 2013-12-21 01:19    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2013-12-21 01:18 . 2013-04-04 14:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-12-21 01:18 . 2013-12-21 01:18    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-12-19 20:32 . 2013-12-21 19:38    --------    d-----w-    C:\FRST
2013-12-14 14:47 . 2013-12-14 14:47    --------    d-----w-    c:\program files\CCleaner
2013-12-14 00:08 . 2013-12-14 00:08    --------    d-----w-    c:\users\James\AppData\Roaming\SUPERAntiSpyware.com
2013-12-14 00:01 . 2013-12-14 14:30    --------    d-----w-    c:\programdata\AVG Security Toolbar
2013-12-13 20:13 . 2013-12-13 20:13    --------    d-----w-    c:\programdata\Sophos
2013-12-12 21:00 . 2013-12-12 22:30    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-12-12 17:38 . 2013-12-12 20:55    --------    d-----w-    c:\programdata\RegRun
2013-12-12 17:38 . 2013-12-12 17:38    2    --shatr-    c:\windows\winstart.bat
2013-12-12 17:37 . 2013-12-12 20:56    --------    d-----w-    c:\program files\UnHackMe
2013-12-12 17:12 . 2013-12-12 17:12    --------    d-----w-    c:\users\James\AppData\Roaming\TuneUp Software
2013-12-12 17:06 . 2013-12-14 14:36    --------    d-----w-    c:\programdata\MFAData
2013-12-12 17:06 . 2013-12-12 17:06    --------    d-----w-    c:\users\James\AppData\Local\MFAData
2013-12-12 16:29 . 2013-10-30 02:12    335360    ----a-w-    c:\windows\system32\SysFxUI.dll
2013-12-12 16:29 . 2013-10-30 01:43    130048    ----a-w-    c:\windows\system32\drivers\drmk.sys
2013-12-12 16:29 . 2013-10-30 00:43    167936    ----a-w-    c:\windows\system32\drivers\portcls.sys
2013-12-12 16:29 . 2013-10-30 00:35    2050560    ----a-w-    c:\windows\system32\win32k.sys
2013-12-12 16:28 . 2013-10-11 02:08    36864    ----a-w-    c:\windows\system32\wshcon.dll
2013-12-12 16:28 . 2013-10-11 02:08    131072    ----a-w-    c:\windows\system32\wshom.ocx
2013-12-12 16:28 . 2013-10-11 02:08    172032    ----a-w-    c:\windows\system32\scrrun.dll
2013-12-12 16:28 . 2013-10-11 00:35    135168    ----a-w-    c:\windows\system32\cscript.exe
2013-12-12 16:28 . 2013-10-11 00:35    155648    ----a-w-    c:\windows\system32\wscript.exe
2013-12-12 16:28 . 2013-10-22 07:19    158208    ----a-w-    c:\windows\system32\imagehlp.dll
2013-12-10 22:01 . 2013-12-10 22:01    --------    d-----w-    c:\users\James\AppData\Roaming\GRETECH
2013-12-10 22:01 . 2013-12-10 22:01    --------    d-----w-    c:\program files\GRETECH
2013-12-04 19:55 . 2013-12-04 19:57    --------    d-----w-    c:\users\James\AppData\Local\Jaksta_Technologies_Pty_L
2013-12-04 19:55 . 2013-12-05 06:12    --------    d-----w-    c:\windows\Jaksta
2013-12-04 19:01 . 2013-12-04 19:23    --------    d-----w-    c:\program files\GetFLV
2013-11-27 19:09 . 2013-11-27 19:09    --------    d-----w-    c:\windows\Migration
2013-11-25 21:45 . 2013-12-12 19:25    --------    d-----w-    C:\AdwCleaner
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 16:29 . 2012-04-09 16:37    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-12-11 16:29 . 2011-05-25 11:47    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-26 19:23 . 2013-04-14 17:55    57672    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-11-26 19:23 . 2013-04-14 17:55    774392    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-11-26 19:23 . 2013-04-14 17:55    70384    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-11-26 19:23 . 2013-04-14 17:55    35656    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2013-11-26 19:23 . 2013-04-14 17:55    54832    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2013-11-26 19:23 . 2013-04-14 17:55    269216    ----a-w-    c:\windows\system32\aswBoot.exe
2013-11-26 19:23 . 2013-04-14 17:54    43152    ----a-w-    c:\windows\avastSS.scr
2013-11-26 12:25 . 2009-10-02 17:16    230048    ------w-    c:\windows\system32\MpSigStub.exe
2013-11-09 15:45 . 2013-04-14 17:55    403440    ----a-w-    c:\windows\system32\drivers\aswsp.sys
2013-11-09 15:15 . 2013-03-28 14:05    178304    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-11-09 15:15 . 2013-03-28 14:05    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-10-30 02:13 . 2006-11-02 10:25    1304064    ----a-w-    c:\windows\system32\WMALFXGFXDSP.dll
2013-10-11 02:08 . 2013-11-17 12:54    444928    ----a-w-    c:\windows\system32\IKEEXT.DLL
2013-10-11 02:07 . 2013-11-17 12:54    596480    ----a-w-    c:\windows\system32\FWPUCLNT.DLL
2013-10-03 12:45 . 2013-11-17 12:55    297984    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-03 12:45 . 2013-11-17 12:55    993792    ----a-w-    c:\windows\system32\crypt32.dll
2013-10-02 21:41 . 2013-10-02 21:41    119438    ----a-w-    c:\windows\system32\Registry Backup cc_20131002_224050.reg
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-11-26 19:23    321752    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 4468736]
"Skytel"="Skytel.exe" [2007-05-07 1826816]
"ACTIVBOARD"="c:\program files\Packard Bell\FIJI\aboard.exe" [2007-01-18 79416]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-11-26 3568312]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ExifLauncher2.lnk]
backup=c:\windows\pss\ExifLauncher2.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06    958576    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2009-06-08 05:52    611712    ----a-w-    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 20:52    49152    ----a-w-    c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-09-17 22:45    152392    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-05-01 14:35    185640    ----a-w-    c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 02:59    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-01-11 11:40    232184    ----a-w-    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmpcSys]
2007-07-19 13:32    1120568    ----a-w-    c:\program files\Packard Bell\SetUpMyPC\SmpSys.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2013-12-21 01:21    5625624    ----a-w-    c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\toolbar_eula_launcher]
2007-02-20 16:20    28672    ----a-w-    c:\program files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38    1008184    ----a-w-    c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-10-10 120088]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-05 21:26    1210320    ----a-w-    c:\program files\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 16:29]
.
2013-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-03 12:41]
.
2013-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-03 12:41]
.
2008-12-29 c:\windows\Tasks\PBReg.job
- c:\program files\HDReg\HDRegApp.exe [2005-06-21 13:05]
.
2009-02-06 c:\windows\Tasks\PBRegbk.job
- c:\program files\HDReg\HDRegApp.exe [2005-06-21 13:05]
.
2013-12-24 c:\windows\Tasks\Recovery DVD Creator.job
- c:\program files\Packard Bell\SetupMyPc\MCDCheck.exe [2008-12-22 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.search.yahoo.com?type=714647&fr=spigot-yhp-ie
uInternet Settings,ProxyServer = 116.50.153.43:3128
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.sky.com/
FF - prefs.js: keyword.URL -
FF - prefs.js: network.proxy.ftp - 217.66.20.245
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 80.82.150.82
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.socks - 217.66.20.245
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 217.66.20.245
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-11-10 15:36; {0b457cAA-602d-484a-8fe7-c1d894a011ba}; c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
FF - ExtSQL: 2013-11-26 15:20; https-everywhere@eff.org; c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\extensions\https-everywhere@eff.org
FF - ExtSQL: 2013-12-04 19:58; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: !HIDDEN! 2009-07-21 13:07; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{f999a48b-1950-4d81-9971-79018f807b4b} - (no file)
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
HKCU-Run-AdobeBridge - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-Nvtmru - c:\program files\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe
MSConfigStartUp-PWRISOVM - c:\program files\PowerISO\PWRISOVM.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-24 16:55
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet011\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-12-24  16:59:45
ComboFix-quarantined-files.txt  2013-12-24 16:59
.
Pre-Run: 3,098,189,824 bytes free
Post-Run: 2,919,419,904 bytes free
.
- - End Of File - - 9601AB1A2F219D6F7E8E0CC0F539FC6E
5C616939100B85E558DA92B899A0FC36
 



#8 RPMcMurphy (Bleeping *^#@%~, Malware Response Team, 3,970 posts)

Posted 24 December 2013 - 01:23 PM

You have several proxy settings in place in both IE and Firefox.  Did you set those intentionally?  Please do this next:

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.

Please include the following in your next post:
  • Did you purposely set those proxies?
  • adwCleaner log
  • MBAM log


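Added example (not part of this thread, and not FRST or ComboFix code): a small Python triage pass over constructed log lines that mirror the entries flagged in this thread, from the FRST fixlist in #4/#5 (the InprocServer32 redirect, the per-user Winlogon Shell value, the two services in a user's Temp folder) to the IE and Firefox proxy entries raised in #7/#8. It uses Firefox's network.proxy.type to say whether the configured proxy hosts are actually in use; the Finding class, the regexes and the reason strings are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines, modelled on the FRST and ComboFix entries quoted in
# this thread (the names and addresses are the ones the logs above show).
SAMPLE_LOG = [
    r"HKCU\...0c966feabec1\InprocServer32: [Default-shell32]  ATTENTION! ====> ZeroAccess?",
    r"HKU\Mcx1\...\Winlogon: [Shell] EXPLORER.EXE [ 2009-04-11] (Microsoft Corporation) <==== ATTENTION",
    r"S3 IICV; C:\Users\James\AppData\Local\Temp\IICV.exe [x]",
    r"S3 NHTXAINBKY; C:\Users\James\AppData\Local\Temp\NHTXAINBKY.exe [x]",
    r"S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-10-10 120088]",
    r"uInternet Settings,ProxyServer = 116.50.153.43:3128",
    r"FF - prefs.js: network.proxy.socks - 217.66.20.245",
    r"FF - prefs.js: network.proxy.socks_port - 3128",
    r"FF - prefs.js: network.proxy.ssl - 217.66.20.245",
    r"FF - prefs.js: network.proxy.ssl_port - 3128",
    r"FF - prefs.js: network.proxy.type - 0",
]

@dataclass
class Finding:
    category: str  # "frst-flag", "service" or "proxy"
    detail: str
    line: str

SERVICE_RE = re.compile(r"^[SR][0-4]\s+([^;]+);(.*)$")  # "S3 name; path [x]" style lines
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
IE_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.(\w+)\s*-\s*(.*)$")
# Firefox network.proxy.type: 0 direct, 1 manual, 2 PAC URL, 4 auto-detect, 5 system.
FF_TYPE = {"0": "direct (hosts configured but NOT in use)", "1": "manual (in use)",
           "2": "PAC", "4": "auto-detect", "5": "system"}

def frst_flag(line: str) -> Optional[Finding]:
    """Entries FRST itself marked ATTENTION, with the reason a reviewer would add."""
    if "ATTENTION" not in line:
        return None
    entry = re.split(r"\s*(?:<====\s*)?ATTENTION", line)[0]
    why = "flagged by FRST"
    if "Winlogon: [Shell]" in line and line.startswith(("HKU\\", "HKCU\\")):
        why = "per-user Winlogon Shell value (only HKLM normally carries one)"
    elif "InprocServer32" in line:
        why = "CLSID InprocServer32 redirected (ZeroAccess-style COM hijack)"
    return Finding("frst-flag", f"{entry} -> {why}", line)

def service_flag(line: str) -> Optional[Finding]:
    """Services whose image sits in a user Temp folder or is missing (FRST's [x])."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    name, rest = m.group(1).strip(), m.group(2).strip()
    reasons = []
    if TEMP_DIR_RE.search(rest):
        reasons.append("image path under a user Temp folder")
    if rest.endswith("[x]"):
        reasons.append("file not found at scan time ([x])")
    return Finding("service", f"{name}: " + "; ".join(reasons), line) if reasons else None

def proxy_findings(lines: List[str]) -> List[Finding]:
    """IE ProxyServer and Firefox network.proxy.* entries, and whether they are live."""
    found: List[Finding] = []
    ff_hosts: Dict[str, str] = {}
    ff_ports: Dict[str, str] = {}
    ff_type: Optional[str] = None
    for line in lines:
        m = IE_PROXY_RE.match(line)
        if m:  # IE only honours ProxyServer when ProxyEnable=1, which this log does not show
            found.append(Finding("proxy", f"IE ProxyServer {m.group(1)} "
                                 "(live only if ProxyEnable=1, not shown in log)", line))
            continue
        m = FF_PROXY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "type":
            ff_type = value
        elif key.endswith("_port"):
            ff_ports[key[:-5]] = value
        elif value:
            ff_hosts[key] = value
    mode = FF_TYPE.get(ff_type or "", f"unknown type {ff_type}")
    for proto, host in sorted(ff_hosts.items()):
        found.append(Finding("proxy", f"Firefox {proto} proxy {host}:{ff_ports.get(proto, '?')}"
                             f" -> mode {mode}", f"network.proxy.{proto}"))
    return found

def triage(lines: List[str]) -> List[Finding]:
    found: List[Finding] = []
    for line in lines:
        for check in (frst_flag, service_flag):
            f = check(line)
            if f:
                found.append(f)
    return found + proxy_findings(lines)

def category_counts(lines: List[str]) -> Dict[str, int]:
    return dict(Counter(f.category for f in triage(lines)))
```

Run `triage()` over the lines of a real FRST or ComboFix log to get the same three kinds of finding; the SASCORE service line in the sample is there to show that a service in Program Files with a present file is not flagged.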


#9 TommyCockles (Topic Starter, Members, 8 posts)

Posted 25 December 2013 - 10:06 AM

Errrr, I have used proxies to bypass certain 'filtered' content from ISPs. I'm not sure if that's the remains of me doing that. Or are those proxies still active? In which case they shouldn't be. Here are the logs you requested.

 

# AdwCleaner v3.016 - Report created 25/12/2013 at 00:37:37
# Updated 23/12/2013 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : James - JAMES-PC
# Running from : C:\Users\James\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found C:\ProgramData\AVG Security Toolbar

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526


-\\ Mozilla Firefox v25.0.1 (en-GB)

[ File : C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\prefs.js ]


[ File : C:\Users\Jayne & John\AppData\Roaming\Mozilla\Firefox\Profiles\zu6p0d4j.default\prefs.js ]


-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Users\Jayne & John\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R4].txt - [1348 octets] - [25/12/2013 00:37:37]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1408 octets] ##########
 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.24.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
James :: JAMES-PC [administrator]

25/12/2013 00:52:57
mbam-log-2013-12-25 (00-52-57).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|J:\|K:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 548423
Time elapsed: 3 hour(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 



#10 RPMcMurphy (Bleeping *^#@%~, Malware Response Team, 3,970 posts)

Posted 25 December 2013 - 01:33 PM

Please do this next:

Open Notepad (Go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above DDS::

DDS::
uInternet Settings,ProxyServer = 116.50.153.43:3128
Firefox::
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\
FF - prefs.js: network.proxy.ftp - 217.66.20.245
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 80.82.150.82
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.socks - 217.66.20.245
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 217.66.20.245
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
ClearJavaCache::
Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.  Please go to www.java.com and press the "Free Java Download" button near the center of the page.  Follow the prompts to install the latest version. Once it completes a web page should open that will verify that you have the latest version.  Below that is a box with a link to remove older, insecure versions.  Click that and follow the prompts.

Please include the following in your next post:
  • ComboFix log



#11 TommyCockles (Topic Starter, Members, 8 posts)

Posted 25 December 2013 - 05:36 PM

Okay, done as instructed. Here's the log.

 

ComboFix 13-12-24.02 - James 25/12/2013  22:19:59.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2047.1249 [GMT 0:00]
Running from: c:\users\James\Desktop\ComboFix.exe
Command switches used :: c:\users\James\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
K:\autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-25 to 2013-12-25  )))))))))))))))))))))))))))))))
.
.
2013-12-25 22:30 . 2013-12-25 22:30    --------    d-----w-    c:\users\James\AppData\Local\temp
2013-12-25 22:30 . 2013-12-25 22:30    --------    d-----w-    c:\users\Mcx1\AppData\Local\temp
2013-12-25 22:30 . 2013-12-25 22:30    --------    d-----w-    c:\users\Jayne & John\AppData\Local\temp
2013-12-25 22:30 . 2013-12-25 22:30    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-12-25 00:49 . 2013-12-25 00:49    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-12-25 00:49 . 2013-04-04 14:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-12-24 21:32 . 2013-12-24 21:32    --------    d-----w-    c:\program files\Common Files\Java
2013-12-24 21:31 . 2013-12-24 21:31    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-12-24 17:20 . 2013-12-04 02:57    7760024    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{F2ECC97B-1168-4D41-BCE1-54FE445F0467}\mpengine.dll
2013-12-21 01:19 . 2013-12-21 01:21    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-12-21 01:19 . 2013-12-21 01:19    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2013-12-19 20:32 . 2013-12-21 19:38    --------    d-----w-    C:\FRST
2013-12-14 14:47 . 2013-12-14 14:47    --------    d-----w-    c:\program files\CCleaner
2013-12-14 00:08 . 2013-12-14 00:08    --------    d-----w-    c:\users\James\AppData\Roaming\SUPERAntiSpyware.com
2013-12-13 20:13 . 2013-12-13 20:13    --------    d-----w-    c:\programdata\Sophos
2013-12-12 21:00 . 2013-12-12 22:30    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-12-12 17:38 . 2013-12-12 20:55    --------    d-----w-    c:\programdata\RegRun
2013-12-12 17:38 . 2013-12-12 17:38    2    --shatr-    c:\windows\winstart.bat
2013-12-12 17:37 . 2013-12-12 20:56    --------    d-----w-    c:\program files\UnHackMe
2013-12-12 17:12 . 2013-12-12 17:12    --------    d-----w-    c:\users\James\AppData\Roaming\TuneUp Software
2013-12-12 17:06 . 2013-12-14 14:36    --------    d-----w-    c:\programdata\MFAData
2013-12-12 17:06 . 2013-12-12 17:06    --------    d-----w-    c:\users\James\AppData\Local\MFAData
2013-12-12 16:29 . 2013-10-30 02:12    335360    ----a-w-    c:\windows\system32\SysFxUI.dll
2013-12-12 16:29 . 2013-10-30 01:43    130048    ----a-w-    c:\windows\system32\drivers\drmk.sys
2013-12-12 16:29 . 2013-10-30 00:43    167936    ----a-w-    c:\windows\system32\drivers\portcls.sys
2013-12-12 16:29 . 2013-10-30 00:35    2050560    ----a-w-    c:\windows\system32\win32k.sys
2013-12-12 16:28 . 2013-10-11 02:08    36864    ----a-w-    c:\windows\system32\wshcon.dll
2013-12-12 16:28 . 2013-10-11 02:08    131072    ----a-w-    c:\windows\system32\wshom.ocx
2013-12-12 16:28 . 2013-10-11 02:08    172032    ----a-w-    c:\windows\system32\scrrun.dll
2013-12-12 16:28 . 2013-10-11 00:35    135168    ----a-w-    c:\windows\system32\cscript.exe
2013-12-12 16:28 . 2013-10-11 00:35    155648    ----a-w-    c:\windows\system32\wscript.exe
2013-12-12 16:28 . 2013-10-22 07:19    158208    ----a-w-    c:\windows\system32\imagehlp.dll
2013-12-10 22:01 . 2013-12-10 22:01    --------    d-----w-    c:\users\James\AppData\Roaming\GRETECH
2013-12-10 22:01 . 2013-12-10 22:01    --------    d-----w-    c:\program files\GRETECH
2013-12-04 19:55 . 2013-12-04 19:57    --------    d-----w-    c:\users\James\AppData\Local\Jaksta_Technologies_Pty_L
2013-12-04 19:55 . 2013-12-05 06:12    --------    d-----w-    c:\windows\Jaksta
2013-12-04 19:01 . 2013-12-04 19:23    --------    d-----w-    c:\program files\GetFLV
2013-11-27 19:09 . 2013-11-27 19:09    --------    d-----w-    c:\windows\Migration
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 16:29 . 2012-04-09 16:37    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-12-11 16:29 . 2011-05-25 11:47    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-26 19:23 . 2013-04-14 17:55    57672    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-11-26 19:23 . 2013-04-14 17:55    774392    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-11-26 19:23 . 2013-04-14 17:55    70384    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-11-26 19:23 . 2013-04-14 17:55    35656    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2013-11-26 19:23 . 2013-04-14 17:55    54832    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2013-11-26 19:23 . 2013-04-14 17:55    269216    ----a-w-    c:\windows\system32\aswBoot.exe
2013-11-26 19:23 . 2013-04-14 17:54    43152    ----a-w-    c:\windows\avastSS.scr
2013-11-26 12:25 . 2009-10-02 17:16    230048    ------w-    c:\windows\system32\MpSigStub.exe
2013-11-09 15:45 . 2013-04-14 17:55    403440    ----a-w-    c:\windows\system32\drivers\aswsp.sys
2013-11-09 15:15 . 2013-03-28 14:05    178304    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-11-09 15:15 . 2013-03-28 14:05    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-10-30 02:13 . 2006-11-02 10:25    1304064    ----a-w-    c:\windows\system32\WMALFXGFXDSP.dll
2013-10-11 02:08 . 2013-11-17 12:54    444928    ----a-w-    c:\windows\system32\IKEEXT.DLL
2013-10-11 02:07 . 2013-11-17 12:54    596480    ----a-w-    c:\windows\system32\FWPUCLNT.DLL
2013-10-03 12:45 . 2013-11-17 12:55    297984    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-03 12:45 . 2013-11-17 12:55    993792    ----a-w-    c:\windows\system32\crypt32.dll
2013-10-02 21:41 . 2013-10-02 21:41    119438    ----a-w-    c:\windows\system32\Registry Backup cc_20131002_224050.reg
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-11-26 19:23    321752    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 4468736]
"Skytel"="Skytel.exe" [2007-05-07 1826816]
"ACTIVBOARD"="c:\program files\Packard Bell\FIJI\aboard.exe" [2007-01-18 79416]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-11-26 3568312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ExifLauncher2.lnk]
backup=c:\windows\pss\ExifLauncher2.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06    958576    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2009-06-08 05:52    611712    ----a-w-    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 20:52    49152    ----a-w-    c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-09-17 22:45    152392    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-05-01 14:35    185640    ----a-w-    c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 02:59    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-01-11 11:40    232184    ----a-w-    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmpcSys]
2007-07-19 13:32    1120568    ----a-w-    c:\program files\Packard Bell\SetUpMyPC\SmpSys.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2013-12-21 01:21    5625624    ----a-w-    c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\toolbar_eula_launcher]
2007-02-20 16:20    28672    ----a-w-    c:\program files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38    1008184    ----a-w-    c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-10-10 120088]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-05 21:26    1210320    ----a-w-    c:\program files\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 16:29]
.
2013-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-03 12:41]
.
2013-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-03 12:41]
.
2008-12-29 c:\windows\Tasks\PBReg.job
- c:\program files\HDReg\HDRegApp.exe [2005-06-21 13:05]
.
2009-02-06 c:\windows\Tasks\PBRegbk.job
- c:\program files\HDReg\HDRegApp.exe [2005-06-21 13:05]
.
2013-12-25 c:\windows\Tasks\Recovery DVD Creator.job
- c:\program files\Packard Bell\SetupMyPc\MCDCheck.exe [2008-12-22 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.search.yahoo.com?type=714647&fr=spigot-yhp-ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.sky.com/
FF - prefs.js: keyword.URL -
FF - ExtSQL: 2013-11-10 15:36; {0b457cAA-602d-484a-8fe7-c1d894a011ba}; c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
FF - ExtSQL: 2013-11-26 15:20; https-everywhere@eff.org; c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\extensions\https-everywhere@eff.org
FF - ExtSQL: 2013-12-04 19:58; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\2764p4ks.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: !HIDDEN! 2009-07-21 13:07; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-25 22:30
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet011\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-12-25  22:32:53
ComboFix-quarantined-files.txt  2013-12-25 22:32
.
Pre-Run: 1,907,900,416 bytes free
Post-Run: 1,921,921,024 bytes free
.
- - End Of File - - 03EFEE94860CBDF225906768599A0F1D
5C616939100B85E558DA92B899A0FC36
 



#12 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:02:31 AM

Posted 25 December 2013 - 06:40 PM

How is your computer running now?  Please do this next:

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • How is the computer running now?
  • ESET log


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#13 TommyCockles

  • Topic Starter
  • Members
  • 8 posts
  • Local time:06:31 AM

Posted 28 December 2013 - 12:59 PM

Yeah, the computer seems to be running fine. I've not noticed anything out of the ordinary. Here's the log:

C:\Users\James\Downloads\Software\Tools, Utilities\Piriform CCleaner\ccsetup408.exe    Win32/Bundled.Toolbar.Google.D application
C:\Users\James\Downloads\Software\Tools, Utilities\Piriform Defraggler\dfsetup215.exe    Win32/Bundled.Toolbar.Google.D application
 



#14 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:02:31 AM

Posted 28 December 2013 - 02:31 PM

Your logs look good. Those ESET detections are nothing to worry about; they just flag CCleaner and Defraggler because of the optional toolbar they come packaged with. All I have left for you is another update and some very important cleanup:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Download OTC to your desktop and run it


  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
  • Manually delete any remaining logs or tools from our fixes

Double click on AdwCleaner.exe to run the tool again.


  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • Both AdwCleaner.exe, its folder and all logs will be removed.

Download TFC to your desktop


  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.

 

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:


  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated.  Scan with them at least weekly.
  • Please read this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#15 TommyCockles

  • Topic Starter
  • Members
  • 8 posts
  • Local time:06:31 AM

Posted 31 December 2013 - 07:42 PM

Okay done that. Thank you for the advice and all the help you've provided. It's very kind of you, and happy new year. Cheers.
