Audio Commercial Rootkit Issues


  • This topic is locked
17 replies to this topic

#1 Centrifuze

Centrifuze

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 09 January 2014 - 06:59 PM

I'm working on my parents' computer right now, and I BELIEVE that they have a rootkit. There are commercials playing incessantly over their speakers, and it appears to be attached to the DCOM launcher / Plug n Play Controller. Every time I stop that process in task manager, the commercials stop, but it causes an error with one of those two processes, and forces Windows to restart.

 

I've tried running TDSSKiller, Malwarebytes Anti-Rootkit and McAfee's Rootkit Remover, all in normal mode and safe mode. In normal mode, errors get found, but the system's always forced to restart before the scans can finish doing their work, and in Safe Mode, no errors can be found. When running in Safe Mode, the commercials don't play at all, but they DO play in Safe Mode with Networking.

 

 

Here is the link to my original topic: http://www.bleepingcomputer.com/forums/t/520166/i-think-i-have-a-rootkit/

 

As requested, here is a copy of my DDS report, and attached is the attach.txt file.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.19088  BrowserJavaVersion: 1.6.0_24
Run by Kirk at 15:45:23 on 2014-01-09
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.1918.99 [GMT -8:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\hasplms.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Xfire\xfire.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\mozilla firefox\firefox.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.wow-heroes.com
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - <orphaned>
BHO: HP Print Clips: {053F9267-DC04-4294-A72C-58F732D338C0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - <orphaned>
BHO: <No Name>: {78DB238B-7DE6-4DF6-8BB7-7AD68A3F0DD7} -
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WhatPulse] c:\progra~1\whatpu~1\WHATPU~1.EXE
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SnapfishMediaDetector] c:\program files\snapfish media detector\SnapfishMediaDetector.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\users\kirk\appdata\roaming\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\users\kirk\appdata\roaming\micros~1\windows\startm~1\programs\startup\ventrilo.lnk - c:\program files\ventrilo\Ventrilo.exe
StartupFolder: c:\users\kirk\appdata\roaming\micros~1\windows\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\xfire.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.8.130\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish media detector\SnapfishMediaDetector.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{EDD5163D-B521-4107-B9DF-6652167CEFCC} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - c:\program files\run-time\dffav\df2proto.dll
Handler: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - c:\program files\run-time\dffav\df2proto.dll
Handler: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - c:\program files\run-time\dffav\df2proto.dll
Handler: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - c:\program files\run-time\dffav\df2proto.dll
Handler: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - c:\program files\run-time\dffav\df2proto.dll
Handler: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - c:\program files\run-time\dffav\df2proto.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - c:\program files\run-time\dffav\df2proto.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages =  msv1_0 c:\windows\system32\awtrPGww
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kirk\appdata\roaming\mozilla\firefox\profiles\2oxu5gah.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\dyyno\dyyno player\npvlc.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\ksolo\npAVX.dll
FF - plugin: c:\program files\mcafee security scan\3.8.130\npMcAfeeMSS.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-9-24 226016]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-9-24 29712]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-9-24 243152]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-9-24 308136]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe  -run --> c:\windows\system32\hasplms.exe  -run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2009-1-29 6016]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2014-1-1 74456]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-1-1 40776]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2012-6-11 20864]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2012-1-25 8448]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2012-6-8 23808]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2011-11-8 11008]
.
=============== Created Last 30 ================
.
2014-01-09 02:47:47    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-01-09 02:47:47    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-01-08 01:40:18    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-01-08 01:23:37    --------    d-----w-    C:\TDSSKiller_Quarantine
2014-01-07 02:00:11    --------    d-----w-    c:\windows\system32\MpEngineStore
2014-01-01 22:41:10    --------    d-----w-    c:\programdata\Malwarebytes
2014-01-01 22:40:42    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2014-01-01 22:38:24    74456    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-12-28 20:06:43    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-12-27 19:39:30    --------    d-----w-    c:\program files\iPod
.
==================== Find3M  ====================
.
2013-12-11 12:23:09    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 12:23:09    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 15:51:20.51 ===============
 

Attached Files
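The DDS report above contains the kinds of entries a helper triages first in a thread like this: an extra LSA authentication package (`awtrPGww`) listed next to `msv1_0`, a BHO CLSID with no file behind it, a `Hosts` override for a security site, and UAC switched off (`EnableLUA = dword:0`). The script below is an added example, not part of the original post and not code from the DDS or FRST tools: it runs a small set of defender-side heuristics over constructed sample lines modelled on entries quoted in this thread, so a reader can see which lines a responder would flag and why. The `triage` and `check_line` functions, the `Finding` class, the rule names and the severity scale are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines modelled on DDS/FRST entries quoted in this thread
# (a mix of suspicious and benign entries, not a full log).
SAMPLE_LOG = r"""LSA: Authentication Packages =  msv1_0 c:\windows\system32\awtrPGww
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
BHO: <No Name>: {78DB238B-7DE6-4DF6-8BB7-7AD68A3F0DD7} -
BHO: No Name - {78DB238B-7DE6-4DF6-8BB7-7AD68A3F0DD7} - C:\Windows\system32\awtrPGww.dll No File
BHO: HP Print Clips: {053F9267-DC04-4294-A72C-58F732D338C0} - c:\program files\hp\smart web printing\hpswp_framework.dll
HKU\Family\...\Run: [Apple] - rundll32.exe "C:\Users\Family\AppData\Local\Apple Computer\Apple\alslqq.dll",CreateInstance <===== ATTENTION
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
Hosts: 127.0.0.1    www.spywareinfo.com
mPolicies-System: EnableLUA = dword:0
"""


@dataclass
class Finding:
    severity: str   # "high" | "medium" (assumed scale for this example)
    rule: str       # short rule identifier (assumed names)
    detail: str     # the offending token or the full log line


# The only authentication package a stock Windows Vista/7 install lists in this value.
# Anything else here is a DLL that lsass.exe loads as SYSTEM at boot.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}

# Both the DDS form ("LSA: Authentication Packages = ...") and the FRST form
# ("Lsa: [Authentication Packages] ...") are accepted.
LSA_AUTH_RE = re.compile(r"^(?:LSA|Lsa): \[?Authentication Packages\]?\s*=?\s*(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"\\users\\|\\appdata\\|%appdata%", re.IGNORECASE)
UAC_OFF_RE = re.compile(r"EnableLUA\s*=\s*dword:0\b")


def check_line(line: str) -> List[Finding]:
    """Apply each heuristic to one DDS/FRST log line and return what it flags."""
    s = line.strip()
    out: List[Finding] = []

    # 1. Extra LSA authentication packages: code that runs inside lsass from boot.
    m = LSA_AUTH_RE.match(s)
    if m:
        for pkg in m.group(1).split():
            if pkg.lower() not in EXPECTED_AUTH_PACKAGES:
                out.append(Finding("high", "lsa-auth-package", pkg))

    # 2. Browser Helper Objects whose CLSID points at no file (deleted or never present).
    if s.startswith("BHO:") and (s.endswith("-") or "No File" in s or "<orphaned>" in s):
        out.append(Finding("medium", "bho-orphaned", s))

    # 3. The scan tool's own marker for entries it does not whitelist.
    if "<==" in s and "ATTENTION" in s:
        out.append(Finding("high", "tool-attention", s))

    # 4. rundll32 autostart of a DLL under a user profile instead of system32 / Program Files.
    if RUNDLL_RE.search(s) and USER_PROFILE_RE.search(s):
        out.append(Finding("high", "rundll32-user-profile-dll", s))

    # 5. Hosts-file entries that redirect real hostnames (commonly used to block security sites).
    hm = HOSTS_RE.match(s)
    if hm and hm.group(2).lower() != "localhost":
        out.append(Finding("medium", "hosts-override", s))

    # 6. UAC switched off by policy.
    if UAC_OFF_RE.search(s):
        out.append(Finding("medium", "uac-disabled", s))

    return out


def triage(log_text: str) -> List[Finding]:
    """Run the heuristics over a whole log and return findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:26} {f.detail}")
```

The heuristics are triage aids, not verdicts: a benign entry such as `NvCplDaemon` (rundll32 loading a DLL from system32) is deliberately left unflagged, while the same launcher pointed at a DLL under a user's AppData is not. The LSA rule is ranked highest because an authentication package is loaded by lsass.exe with SYSTEM privileges at every boot, before any user-mode scanner starts, which is why an unexpected name in that value is the first thing a responder checks when scans keep getting interrupted.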




#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:22 PM

Posted 11 January 2014 - 05:50 PM

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 Centrifuze

Centrifuze
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 11 January 2014 - 06:05 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-01-2014 03
Ran by Karla (administrator) on KIRK-PC on 11-01-2014 14:58:42
Running from C:\Users\Karla\Desktop
Microsoft® Windows Vista™ Home Premium  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Symantec Corporation) C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Aladdin Knowledge Systems Ltd.) C:\Windows\System32\hasplms.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
(Motorola Mobility LLC) C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
() C:\Windows\System32\PnkBstrA.exe
(Motorola) C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgnsx.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgchsvx.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Motorola Mobility LLC) C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version6\TeamViewer.exe
(Hewlett-Packard Company) C:\hp\support\hpsysdrv.exe
(OsdMaestro) C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgtray.exe
(Apple Inc.) C:\Program Files\QuickTime\QTTask.exe
(Safer Networking Limited) C:\Spybot - Search & Destroy\TeaTimer.exe
() C:\Users\Karla\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jucheck.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-18] (Microsoft Corporation)
HKLM\...\Run: [hpsysdrv] - c:\hp\support\hpsysdrv.exe [65536 2006-09-28] (Hewlett-Packard Company)
HKLM\...\Run: [OsdMaestro] - C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe [118784 2007-02-15] (OsdMaestro)
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4874240 2008-01-15] (Realtek Semiconductor)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [SnapfishMediaDetector] - C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe [1441792 2007-03-02] ()
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-03-11] (Hewlett-Packard Co.)
HKLM\...\Run: [Symantec PIF AlertEng] - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [583048 2007-11-28] (Symantec Corporation)
HKLM\...\Run: [GrooveMonitor] - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [TkBellExe] - C:\Program Files\Common Files\Real\Update_OB\realsched.exe [185896 2007-09-07] (RealNetworks, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [39792 2008-01-11] (Adobe Systems Incorporated)
HKLM\...\Run: [AppleSyncNotifier] - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [47904 2010-12-14] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM\...\Run: [AVG9_TRAY] - C:\Program Files\AVG\AVG9\avgtray.exe [2077536 2012-01-26] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [NvCplDaemon] - C:\Windows\system32\NvCpl.dll [13539872 2008-05-22] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] - C:\Windows\system32\NvMcTray.dll [92704 2008-05-22] (NVIDIA Corporation)
HKCU\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
HKCU\...\Run: [SpybotSD TeaTimer] - C:\Spybot - Search & Destroy\TeaTimer.exe [2144088 2009-01-26] (Safer Networking Limited)
HKCU\...\Run: [Spotify Web Helper] - C:\Users\Karla\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1193176 2012-08-24] ()
HKCU\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKCU\...\Policies\system: [LogonHoursAction] 2
HKCU\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKCU\...\Policies\Explorer: [HideSCAHealth] 1
MountPoints2: {4fc43527-582b-11e2-98a8-001bfcb5a3d1} - G:\VZW_Software_upgrade_assistant.exe
MountPoints2: {84b97939-859a-11e0-ac2a-001bfcb5a3d1} - G:\SetUp.exe
MountPoints2: {e04e4104-2070-11e1-916d-001bfcb5a3d1} - G:\TL_Bootstrap.exe
MountPoints2: {f20335e2-3a8d-11e2-97a0-001bfcb5a3d1} - G:\MotorolaDeviceManagerSetup.exe -a
HKU\Default\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2008-01-18] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
HKU\Default User\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2008-01-18] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
HKU\Family\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Family\...\Run: [FreeRAM XP] - C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe [ 2006-03-22] (YourWare Solutions ™)
HKU\Family\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [ 2010-11-29] (Apple Inc.)
HKU\Family\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
HKU\Family\...\Run: [swg] - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\Family\...\Run: [DW6] - "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
HKU\Family\...\Run: [MusicParadiseLayoutsUpdt.exe] - C:\Program Files\Music Paradise Layouts\MusicParadiseLayoutsUpdt.exe
HKU\Family\...\Run: [MusicParadiseSearchUpdt.exe] - C:\Program Files\Music Paradise Search\MusicParadiseSearchUpdt.exe
HKU\Family\...\Run: [Skype] - C:\Program Files\Skype\Phone\Skype.exe [ 2011-10-13] (Skype Technologies S.A.)
HKU\Family\...\Run: [Facebook Update] - C:\Users\Family\AppData\Local\Facebook\Update\FacebookUpdate.exe [ 2012-08-04] (Facebook Inc.)
HKU\Family\...\Run: [Spotify] - C:\Users\Family\AppData\Roaming\Spotify\Spotify.exe [ 2012-08-24] (Spotify Ltd)
HKU\Family\...\Run: [Spotify Web Helper] - C:\Users\Family\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [ 2012-08-24] ()
HKU\Family\...\Run: [Apple] - rundll32.exe "C:\Users\Family\AppData\Local\Apple Computer\Apple\alslqq.dll",CreateInstance <===== ATTENTION
HKU\Family\...\Policies\system: [LogonHoursAction] 2
HKU\Family\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Guest\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [ 2010-11-29] (Apple Inc.)
HKU\Guest\...\Run: [Yahoo! Pager] - "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
HKU\Guest\...\RunOnce: [avg_spchecker] - C:\Program Files\AVG\AVG9\Notification\SPChecker1.exe [ 2011-05-09] ()
HKU\Kirk\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Kirk\...\Run: [swg] - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\Kirk\...\Run: [WhatPulse] - C:\Program Files\WhatPulse\WhatPulse.exe [ 2004-12-05] ()
HKU\Kirk\...\Run: [FreeRAM XP] - C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe [ 2006-03-22] (YourWare Solutions ™)
HKU\Kirk\...\Run: [SpybotSD TeaTimer] - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [ 2009-01-26] (Safer Networking Limited)
HKU\Kirk\...\Run: [Pando Media Booster] - C:\Program Files\Pando Networks\Media Booster\PMB.exe [ 2010-02-18] ()
HKU\Kirk\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Kirk\...\Policies\system: [LogonHoursAction] 2
HKU\Kirk\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Mcx1\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2008-01-18] (Microsoft Corporation)
HKU\Mcx1\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Mcx1\...\RunOnce: [avg_spchecker] - C:\Program Files\AVG\AVG9\Notification\SPChecker1.exe [ 2011-05-09] ()
HKU\Mcx1\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [ 2008-01-18] (Microsoft Corporation) <==== ATTENTION
Lsa: [Authentication Packages] msv1_0 C:\Windows\system32\awtrPGww
Startup: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launch Utility Application.lnk
ShortcutTarget: Launch Utility Application.lnk -> C:\Users\Karla\AppData\Roaming\Verizon\UA_ar\UtilityApplication.exe (No File)
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
ShortcutTarget: iWin Desktop Alerts.lnk -> C:\ProgramData\iWin Games\DesktopAlerts\DesktopAlerts.exe (No File)
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Karla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Kirk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
ShortcutTarget: HotSync Manager.lnk -> C:\Program Files\Palm\Hotsync.exe (No File)
Startup: C:\Users\Kirk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ventrilo.lnk
ShortcutTarget: Ventrilo.lnk -> C:\Program Files\Ventrilo\Ventrilo.exe ()
Startup: C:\Users\Kirk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xfire.lnk
ShortcutTarget: Xfire.lnk -> C:\Program Files\Xfire\xfire.exe (Xfire Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
StartMenuInternet: IEXPLORE.EXE -  C:\Program Files\Internet Explorer\iexplore.exe
SearchScopes: HKLM - Backup.Old.DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
SearchScopes: HKLM - {CF739809-1C6C-47C0-85B9-569DBB141420} URL = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q={searchTerms}&crm=1
SearchScopes: HKCU - {CF739809-1C6C-47C0-85B9-569DBB141420} URL = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q={searchTerms}&crm=1
BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} -  No File
BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: No Name - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} -  No File
BHO: No Name - {78DB238B-7DE6-4DF6-8BB7-7AD68A3F0DD7} - C:\Windows\system32\awtrPGww.dll No File
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - C:\Program Files\Run-Time\dffav\df2proto.dll (DeadBolt)
Handler: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - C:\Program Files\Run-Time\dffav\df2proto.dll (DeadBolt)
Handler: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - C:\Program Files\Run-Time\dffav\df2proto.dll (DeadBolt)
Handler: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - C:\Program Files\Run-Time\dffav\df2proto.dll (DeadBolt)
Handler: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - C:\Program Files\Run-Time\dffav\df2proto.dll (DeadBolt)
Handler: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - C:\Program Files\Run-Time\dffav\df2proto.dll (DeadBolt)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - C:\Program Files\Run-Time\dffav\df2proto.dll (DeadBolt)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 02 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 03 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 04 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 05 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 06 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 07 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 08 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 19 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF ProfilePath: C:\Users\Karla\AppData\Roaming\Mozilla\Firefox\Profiles\ot3vn0d1.default
FF Homepage: www.google.com
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF Plugin: @divx.com/DivX Content Upload Plugin,version=1.0.0 - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF Plugin: @dyyno.com/vlc;version=0.8.6f - C:\Program Files\Dyyno\Dyyno Player\npvlc.dll (Dyyno)
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @idsoftware.com/QuakeLive - C:\ProgramData\id Software\QuakeLive\npquakezero.dll (id Software Inc.)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @ksolo.com/AVX - C:\Program Files\kSolo\npAVX.dll (kSolo, Inc.)
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8081.0709 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.11.2571 - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=1.0.2.2629 - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.1739 - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/RhapsodyPlayerEngine,version=1.0 - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @unity3d.com/UnityPlayer - C:\Program Files\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npdivx32.dll (DivX,Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npPandoWebInst.dll (Pando Networks)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\wyeke125.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\wyeke127.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\wyeke131.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\wyeke135.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\wyeke139.xml
FF Extension: System.Reflection.ObfuscationAttribute - C:\Users\Karla\AppData\Roaming\Mozilla\Firefox\Profiles\ot3vn0d1.default\Extensions\{93C68A98-ECC7-DE49-CC4C-16890A1D8E44} [2013-12-30]
FF Extension: Adblock Plus - C:\Users\Karla\AppData\Roaming\Mozilla\Firefox\Profiles\ot3vn0d1.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-05-13]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2013-12-25]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2013-12-25]
FF HKLM\...\Firefox\Extensions: [{3f963a5b-e555-4543-90e2-c3908898db71}] - C:\Program Files\AVG\AVG9\Firefox
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG9\Firefox [2010-09-24]

Chrome:
=======
CHR HomePage: hxxp://www.google.com/
CHR DefaultSearchURL: {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\10.0.648.204\pdf.dll No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files\Google\Chrome\Application\10.0.648.204\gears.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\10.0.648.204\gcswf32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java™ Platform SE 6 U14) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft\u00AE Windows Media Player Firefox Plugin) - C:\Program Files\mozilla firefox\plugins\np-mswmp.dll (Microsoft Corporation)
CHR Plugin: (Hotbar Firefox Plugin) - C:\Program Files\mozilla firefox\plugins\npclntax_HotbarSA.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.140.8) - C:\Program Files\mozilla firefox\plugins\npdeploytk.dll No File
CHR Plugin: (DivX Web Player) - C:\Program Files\mozilla firefox\plugins\npdivx32.dll (DivX,Inc.)
CHR Plugin: (2007 Microsoft Office system) - C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
CHR Plugin: (Pando Web Installer) - C:\Program Files\mozilla firefox\plugins\npPandoWebInst.dll (Pando Networks)
CHR Plugin: (PalmSource Package Installer) - C:\PROGRA~1\Palm\PACKAG~1\NPInstal.dll No File
CHR Plugin: (DivX\u00AE Content Upload Plugin) - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
CHR Plugin: (Dyyno Player Plugin) - C:\Program Files\Dyyno\Dyyno Player\npvlc.dll (Dyyno)
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\4.0.51204.0\npctrl.dll No File
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
CHR Plugin: (RealNetworks Rhapsody Player Engine) - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
CHR Plugin: (Unity Player) - C:\Program Files\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Plugin: (Windows Live\u00AE Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (kSolo Recorder) - C:\Program Files\kSolo\npAVX.dll (kSolo, Inc.)
CHR Plugin: (Quake Live) - C:\ProgramData\id Software\QuakeLive\npquakezero.dll (id Software Inc.)
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Extension: (Entanglement) - C:\Users\Karla\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.1.1_0 [2011-02-21]
CHR Extension: (Poppit) - C:\Users\Karla\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0 [2011-02-21]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-10-09]

========================== Services (Whitelisted) =================

R2 Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [554352 2007-09-12] (Symantec Corporation)
R2 avg9wd; C:\Program Files\AVG\AVG9\avgwdsvc.exe [308136 2010-09-24] (AVG Technologies CZ, s.r.o.)
R2 hasplms; C:\Windows\system32\hasplms.exe [2549248 2008-07-17] (Aladdin Knowledge Systems Ltd.)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE [2999664 2007-09-12] (Symantec Corporation)
R2 LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [583048 2007-11-28] (Symantec Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
R2 Motorola Device Manager; C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [121144 2013-03-25] (Motorola Mobility LLC)
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75064 2009-04-03] ()
R2 PST Service; C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola)
R2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)
S3 VundoFixSvc; C:\Windows\system32\VundoFixSVC.exe [24576 2009-07-24] (Atribune.org)
S3 GameConsoleService; "C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe" [x]
S2 LiveUpdate Notice Ex; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

==================== Drivers (Whitelisted) ====================

R2 aksfridge; C:\Windows\system32\drivers\aksfridge.sys [350720 2008-03-27] (Aladdin Knowledge Systems Ltd.)
R1 AvgLdx86; C:\Windows\System32\Drivers\avgldx86.sys [226016 2013-01-15] (AVG Technologies CZ, s.r.o.)
R1 AvgMfx86; C:\Windows\System32\Drivers\avgmfx86.sys [29712 2011-09-12] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiX; C:\Windows\System32\Drivers\avgtdix.sys [243152 2011-05-05] (AVG Technologies CZ, s.r.o.)
R2 Hardlock; C:\Windows\system32\drivers\hardlock.sys [586240 2008-02-11] (Aladdin Knowledge Systems Ltd.)
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [74456 2014-01-01] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2014-01-08] (Malwarebytes Corporation)
R0 sfvfs02; C:\Windows\System32\drivers\sfvfs02.sys [83320 2007-02-08] (Protection Technology (StarForce))
S3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [21344 2005-05-26] (LG Electronics Inc.)
S3 UsbDiag; C:\Windows\System32\DRIVERS\lgusbdiag.sys [38144 2005-05-26] (LG Electronics Inc.)
S3 USBModem; C:\Windows\System32\DRIVERS\lgusbmodem.sys [39036 2005-06-24] (LG Electronics Inc.)
S3 xnacc; C:\Windows\System32\DRIVERS\xnacc.sys [521216 2008-01-18] (Microsoft Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S1 cyqetyew; \??\C:\Windows\system32\drivers\cyqetyew.sys [x]
S3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S2 MCSTRM; No ImagePath
S3 MFE_RR; \??\C:\Users\Karla\AppData\Local\Temp\mfe_rr.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 PalmUSBD; system32\drivers\PalmUSBD.sys [x]
S1 rahqszyq; \??\C:\Windows\system32\drivers\rahqszyq.sys [x]
S1 VClone; system32\DRIVERS\VClone.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-01-11 14:58 - 2014-01-11 14:59 - 00032043 _____ C:\Users\Karla\Desktop\FRST.txt
2014-01-11 14:58 - 2014-01-11 14:58 - 00000000 ____D C:\FRST
2014-01-11 14:57 - 2014-01-11 14:55 - 01220096 _____ (Farbar) C:\Users\Karla\Desktop\FRST.exe
2014-01-09 15:51 - 2014-01-09 15:51 - 00018597 _____ C:\Users\Kirk\Desktop\attach.txt
2014-01-09 15:51 - 2014-01-09 15:51 - 00015801 _____ C:\Users\Kirk\Desktop\dds.txt
2014-01-09 15:40 - 2014-01-09 15:40 - 00688992 ____R (Swearware) C:\Users\Kirk\Desktop\dds.com
2014-01-08 18:53 - 2014-01-08 19:30 - 00008004 _____ C:\Users\Karla\Desktop\Rkill.txt
2014-01-08 18:49 - 2014-01-08 18:49 - 00000000 ____D C:\Users\Karla\AppData\Roaming\Malwarebytes
2014-01-08 18:48 - 2014-01-08 18:48 - 00000868 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-08 18:47 - 2014-01-08 18:48 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2014-01-08 18:47 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-01-07 17:40 - 2014-01-07 18:23 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-01-07 17:39 - 2014-01-07 17:39 - 00000404 _____ C:\Users\Karla\Desktop\RootkitRemover_20140107_173928.log
2014-01-07 17:39 - 2014-01-07 17:39 - 00000404 _____ C:\Users\Karla\Desktop\RootkitRemover_20140107_173916.log
2014-01-07 17:32 - 2014-01-07 17:32 - 00483927 _____ C:\Users\Karla\Desktop\rootkitremover.rar
2014-01-07 17:32 - 2014-01-07 17:09 - 00782640 _____ (McAfee, Inc.) C:\Users\Karla\Desktop\rootkitremover.exe
2014-01-07 17:23 - 2014-01-07 17:23 - 00000000 ____D C:\TDSSKiller_Quarantine
2014-01-07 17:16 - 2014-01-07 17:16 - 00782640 _____ (McAfee, Inc.) C:\Users\Karla\Downloads\rootkitremover.exe
2014-01-07 17:16 - 2014-01-07 17:16 - 00000310 _____ C:\Users\Karla\Downloads\RootkitRemover_20140107_171645.log
2014-01-06 18:00 - 2014-01-06 18:00 - 00000000 ____D C:\Windows\system32\MpEngineStore
2014-01-06 17:58 - 2014-01-06 17:58 - 24805592 _____ (Microsoft Corporation) C:\Users\Karla\Downloads\Windows-KB890830-V5.7.exe
2014-01-06 17:57 - 2014-01-06 17:57 - 00915368 _____ (Oracle Corporation) C:\Users\Karla\Downloads\jxpiinstall.exe
2014-01-01 14:41 - 2014-01-01 14:41 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-01 14:40 - 2014-01-08 18:52 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2014-01-01 14:38 - 2014-01-01 14:38 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-01-01 14:36 - 2014-01-07 18:23 - 00000000 ____D C:\Users\Karla\Desktop\mbar
2014-01-01 14:35 - 2014-01-01 14:35 - 12582688 _____ (Malwarebytes Corp.) C:\Users\Karla\Downloads\mbar-1.07.0.1008.exe
2014-01-01 13:49 - 2013-11-18 09:28 - 04121952 _____ (Kaspersky Lab ZAO) C:\Users\Karla\Desktop\TDSSKiller.exe
2014-01-01 13:48 - 2014-01-01 13:48 - 04101441 _____ C:\Users\Karla\Downloads\tdsskiller.zip
2013-12-30 21:54 - 2013-12-30 21:54 - 00028672 _____ C:\Windows\system32\wekp.ajz
2013-12-30 21:43 - 2014-01-10 18:31 - 00000090 _____ C:\Windows\system32\emlujof.fzw
2013-12-30 21:41 - 2013-12-30 21:54 - 00000094 _____ C:\Windows\system32\sslsso.eaw
2013-12-30 21:41 - 2013-12-30 21:41 - 00000064 _____ C:\Windows\system32\fckhi.goe
2013-12-30 21:25 - 2013-12-30 21:25 - 00101213 ____S C:\Windows\system32\gggmvk.izb
2013-12-30 18:21 - 2013-12-30 18:21 - 00000000 ____D C:\Users\Karla\AppData\Local\Asmlworks
2013-12-28 14:00 - 2013-12-28 14:00 - 00546816 _____ C:\Users\Karla\Documents\Member Appreciation.pub
2013-12-28 13:47 - 2013-12-29 16:44 - 13795328 _____ C:\Users\Karla\Documents\January 14 Bulletin.pub
2013-12-28 12:06 - 2013-12-28 12:06 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-12-27 11:41 - 2013-12-28 12:07 - 00001626 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-12-27 11:39 - 2013-12-27 11:39 - 00000000 ____D C:\Program Files\iPod
2013-12-25 09:16 - 2013-12-25 09:17 - 00000000 ____D C:\Program Files\mozilla firefox
2013-12-16 17:37 - 2013-12-16 17:37 - 00002035 _____ C:\Users\Public\Desktop\Google Earth.lnk

==================== One Month Modified Files and Folders =======

2014-01-11 15:00 - 2012-07-11 13:55 - 00000932 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3535378450-533572598-751281867-1001UA.job
2014-01-11 15:00 - 2012-01-17 20:20 - 00000910 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3535378450-533572598-751281867-1001Core.job
2014-01-11 14:59 - 2014-01-11 14:58 - 00032043 _____ C:\Users\Karla\Desktop\FRST.txt
2014-01-11 14:58 - 2014-01-11 14:58 - 00000000 ____D C:\FRST
2014-01-11 14:58 - 2007-09-15 14:40 - 00000416 ____H C:\Windows\Tasks\User_Feed_Synchronization-{C69EB655-B0DF-4697-B184-7A9C84EC7C9E}.job
2014-01-11 14:55 - 2014-01-11 14:57 - 01220096 _____ (Farbar) C:\Users\Karla\Desktop\FRST.exe
2014-01-11 14:35 - 2009-12-13 14:51 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-11 14:30 - 2006-11-02 04:47 - 00004080 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-11 14:30 - 2006-11-02 04:47 - 00004080 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-11 14:23 - 2012-09-15 22:22 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-11 12:41 - 2009-12-13 14:51 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-11 12:30 - 2006-11-02 05:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-10 19:08 - 2006-11-02 05:01 - 00032576 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-10 18:38 - 2012-06-14 09:04 - 00000000 ____D C:\Users\Family\AppData\Roaming\Spotify
2014-01-10 18:34 - 2013-04-04 18:42 - 00000000 ____D C:\Users\Public\Documents\Verizon_Android
2014-01-10 18:31 - 2013-12-30 21:43 - 00000090 _____ C:\Windows\system32\emlujof.fzw
2014-01-10 16:43 - 2010-09-24 16:47 - 00000000 ____D C:\Windows\system32\Drivers\Avg
2014-01-09 17:37 - 2010-02-18 20:07 - 00000000 ____D C:\Users\Kirk\AppData\Local\PMB Files
2014-01-09 17:09 - 2007-09-15 15:08 - 00000000 ____D C:\ProgramData\Xfire
2014-01-09 16:36 - 2007-09-15 15:08 - 00000000 ____D C:\Users\Kirk\AppData\Roaming\Xfire
2014-01-09 15:51 - 2014-01-09 15:51 - 00018597 _____ C:\Users\Kirk\Desktop\attach.txt
2014-01-09 15:51 - 2014-01-09 15:51 - 00015801 _____ C:\Users\Kirk\Desktop\dds.txt
2014-01-09 15:40 - 2014-01-09 15:40 - 00688992 ____R (Swearware) C:\Users\Kirk\Desktop\dds.com
2014-01-08 19:30 - 2014-01-08 18:53 - 00008004 _____ C:\Users\Karla\Desktop\Rkill.txt
2014-01-08 18:52 - 2014-01-01 14:40 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2014-01-08 18:49 - 2014-01-08 18:49 - 00000000 ____D C:\Users\Karla\AppData\Roaming\Malwarebytes
2014-01-08 18:48 - 2014-01-08 18:48 - 00000868 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-08 18:48 - 2014-01-08 18:47 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2014-01-07 18:23 - 2014-01-07 17:40 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-01-07 18:23 - 2014-01-01 14:36 - 00000000 ____D C:\Users\Karla\Desktop\mbar
2014-01-07 17:39 - 2014-01-07 17:39 - 00000404 _____ C:\Users\Karla\Desktop\RootkitRemover_20140107_173928.log
2014-01-07 17:39 - 2014-01-07 17:39 - 00000404 _____ C:\Users\Karla\Desktop\RootkitRemover_20140107_173916.log
2014-01-07 17:32 - 2014-01-07 17:32 - 00483927 _____ C:\Users\Karla\Desktop\rootkitremover.rar
2014-01-07 17:23 - 2014-01-07 17:23 - 00000000 ____D C:\TDSSKiller_Quarantine
2014-01-07 17:16 - 2014-01-07 17:16 - 00782640 _____ (McAfee, Inc.) C:\Users\Karla\Downloads\rootkitremover.exe
2014-01-07 17:16 - 2014-01-07 17:16 - 00000310 _____ C:\Users\Karla\Downloads\RootkitRemover_20140107_171645.log
2014-01-07 17:09 - 2014-01-07 17:32 - 00782640 _____ (McAfee, Inc.) C:\Users\Karla\Desktop\rootkitremover.exe
2014-01-06 18:00 - 2014-01-06 18:00 - 00000000 ____D C:\Windows\system32\MpEngineStore
2014-01-06 17:58 - 2014-01-06 17:58 - 24805592 _____ (Microsoft Corporation) C:\Users\Karla\Downloads\Windows-KB890830-V5.7.exe
2014-01-06 17:57 - 2014-01-06 17:57 - 00915368 _____ (Oracle Corporation) C:\Users\Karla\Downloads\jxpiinstall.exe
2014-01-05 19:48 - 2007-09-15 13:48 - 00153088 _____ C:\Users\Kirk\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-01-04 12:22 - 2007-12-13 16:43 - 00000000 ____D C:\Windows\Minidump
2014-01-02 18:23 - 2007-09-07 16:56 - 00473436 _____ C:\Windows\PFRO.log
2014-01-02 18:23 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\nap
2014-01-01 14:41 - 2014-01-01 14:41 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-01 14:38 - 2014-01-01 14:38 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-01-01 14:35 - 2014-01-01 14:35 - 12582688 _____ (Malwarebytes Corp.) C:\Users\Karla\Downloads\mbar-1.07.0.1008.exe
2014-01-01 13:48 - 2014-01-01 13:48 - 04101441 _____ C:\Users\Karla\Downloads\tdsskiller.zip
2014-01-01 12:37 - 2012-06-13 14:34 - 00000000 ____D C:\Users\Karla\AppData\Local\Spotify
2014-01-01 12:37 - 2012-06-13 14:33 - 00000000 ____D C:\Users\Karla\AppData\Roaming\Spotify
2013-12-31 14:16 - 2011-12-25 17:45 - 00000000 ____D C:\Users\Karla\AppData\Roaming\Skype
2013-12-30 21:54 - 2013-12-30 21:54 - 00028672 _____ C:\Windows\system32\wekp.ajz
2013-12-30 21:54 - 2013-12-30 21:41 - 00000094 _____ C:\Windows\system32\sslsso.eaw
2013-12-30 21:41 - 2013-12-30 21:41 - 00000064 _____ C:\Windows\system32\fckhi.goe
2013-12-30 21:25 - 2013-12-30 21:25 - 00101213 ____S C:\Windows\system32\gggmvk.izb
2013-12-30 18:21 - 2013-12-30 18:21 - 00000000 ____D C:\Users\Karla\AppData\Local\Asmlworks
2013-12-29 16:46 - 2006-11-02 02:33 - 00720866 _____ C:\Windows\system32\PerfStringBackup.INI
2013-12-29 16:44 - 2013-12-28 13:47 - 13795328 _____ C:\Users\Karla\Documents\January 14 Bulletin.pub
2013-12-28 14:00 - 2013-12-28 14:00 - 00546816 _____ C:\Users\Karla\Documents\Member Appreciation.pub
2013-12-28 12:57 - 2011-12-25 17:46 - 00000000 ____D C:\Users\Family\AppData\Roaming\Skype
2013-12-28 12:07 - 2013-12-27 11:41 - 00001626 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-12-28 12:06 - 2013-12-28 12:06 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-12-27 11:50 - 2012-05-13 16:42 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-12-27 11:49 - 2006-11-02 04:52 - 01846963 _____ C:\Windows\WindowsUpdate.log
2013-12-27 11:40 - 2007-09-15 12:10 - 00000000 ____D C:\Program Files\itunes
2013-12-27 11:39 - 2013-12-27 11:39 - 00000000 ____D C:\Program Files\iPod
2013-12-27 11:39 - 2007-09-18 12:37 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-12-27 11:31 - 2010-09-24 16:57 - 00000000 ____D C:\Users\Karla
2013-12-25 09:17 - 2013-12-25 09:16 - 00000000 ____D C:\Program Files\mozilla firefox
2013-12-16 17:37 - 2013-12-16 17:37 - 00002035 _____ C:\Users\Public\Desktop\Google Earth.lnk
2013-12-16 17:37 - 2007-09-15 15:28 - 00000000 ____D C:\Program Files\Google

Files to move or delete:
====================
C:\Users\Family\IntranetLogin.exe
C:\Users\Family\jagex_runescape_preferences.dat
C:\Users\Family\jagex_runescape_preferences2.dat
C:\Users\Family\jagex__preferences3.dat
C:\Users\Family\SilkroadOnline_GlobalOfficial_v1_150.exe
C:\Users\Kirk\jagex_runescape_preferences.dat


Some content of TEMP:
====================
C:\Users\Family\AppData\Local\Temp\BearShare_setup.exe
C:\Users\Family\AppData\Local\Temp\dogpile_sub_installer.exe
C:\Users\Family\AppData\Local\Temp\DWPUpgradeInstaller.exe
C:\Users\Family\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Family\AppData\Local\Temp\gamevanceif_StubInstaller.exe
C:\Users\Family\AppData\Local\Temp\i4jdel0.exe
C:\Users\Family\AppData\Local\Temp\iMesh_setup.exe
C:\Users\Family\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Family\AppData\Local\Temp\MP3 Rocket FileBulldog.exe
C:\Users\Family\AppData\Local\Temp\mp3rocket.exe
C:\Users\Family\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Family\AppData\Local\Temp\softonic-us-silent.exe
C:\Users\Family\AppData\Local\Temp\The_Weather_Channel_Application.exe
C:\Users\Family\AppData\Local\Temp\_unps.exe
C:\Users\Family\AppData\Local\Temp\_WUTL95.DLL
C:\Users\Kirk\AppData\Local\Temp\i4jdel0.exe
C:\Users\Kirk\AppData\Local\Temp\jre-6u14-windows-i586-iftw.exe
C:\Users\Kirk\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Kirk\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Users\Kirk\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Kirk\AppData\Local\Temp\uninstall.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-05-19 22:08] - [2009-03-02 20:39] - 0551424 ____A (Microsoft Corporation) EE5F84DA814D8585E0CA0E49C4B912CE

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-01-11 12:45

==================== End Of Log ============================



#4 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:12:22 PM

Posted 11 January 2014 - 06:31 PM

Please do this next:

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt
 

S1 cyqetyew; \??\C:\Windows\system32\drivers\cyqetyew.sys [x]
S1 rahqszyq; \??\C:\Windows\system32\drivers\rahqszyq.sys [x]
C:\Windows\system32\drivers\cyqetyew.sys
C:\Windows\system32\drivers\rahqszyq.sys
2013-12-30 21:54 - 2013-12-30 21:54 - 00028672 _____ C:\Windows\system32\wekp.ajz
2013-12-30 21:43 - 2014-01-10 18:31 - 00000090 _____ C:\Windows\system32\emlujof.fzw
2013-12-30 21:41 - 2013-12-30 21:54 - 00000094 _____ C:\Windows\system32\sslsso.eaw
2013-12-30 21:41 - 2013-12-30 21:41 - 00000064 _____ C:\Windows\system32\fckhi.goe
2013-12-30 21:25 - 2013-12-30 21:25 - 00101213 ____S C:\Windows\system32\gggmvk.izb
AlternateDataStreams: C:\ProgramData\TEMP:07B3CD1E
AlternateDataStreams: C:\ProgramData\TEMP:27EEEB5C
AlternateDataStreams: C:\ProgramData\TEMP:2B99FE60
AlternateDataStreams: C:\ProgramData\TEMP:4B970D7A
AlternateDataStreams: C:\ProgramData\TEMP:52067872
AlternateDataStreams: C:\ProgramData\TEMP:522EA216
AlternateDataStreams: C:\ProgramData\TEMP:6B803FAA
AlternateDataStreams: C:\ProgramData\TEMP:6C350063
AlternateDataStreams: C:\ProgramData\TEMP:6FDD5C6E
AlternateDataStreams: C:\ProgramData\TEMP:7C017FB1
AlternateDataStreams: C:\ProgramData\TEMP:904251FD
AlternateDataStreams: C:\ProgramData\TEMP:98F0614F
AlternateDataStreams: C:\ProgramData\TEMP:B4DEF139
AlternateDataStreams: C:\ProgramData\TEMP:BBE01348
AlternateDataStreams: C:\ProgramData\TEMP:BF0B4A17
AlternateDataStreams: C:\ProgramData\TEMP:C4870D32
AlternateDataStreams: C:\ProgramData\TEMP:D0570058
AlternateDataStreams: C:\ProgramData\TEMP:E027C556
AlternateDataStreams: C:\ProgramData\TEMP:F69BB936
AlternateDataStreams: C:\ProgramData\TEMP:FA8B212D
Replace: C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll C:\Windows\System32\rpcss.dll

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.


  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.

 


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 Centrifuze
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:22 AM

Posted 11 January 2014 - 06:39 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-01-2014 03
Ran by Karla at 2014-01-11 15:34:52 Run:1
Running from C:\Users\Karla\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
S1 cyqetyew; \??\C:\Windows\system32\drivers\cyqetyew.sys [x]
S1 rahqszyq; \??\C:\Windows\system32\drivers\rahqszyq.sys [x]
C:\Windows\system32\drivers\cyqetyew.sys
C:\Windows\system32\drivers\rahqszyq.sys
2013-12-30 21:54 - 2013-12-30 21:54 - 00028672 _____ C:\Windows\system32\wekp.ajz
2013-12-30 21:43 - 2014-01-10 18:31 - 00000090 _____ C:\Windows\system32\emlujof.fzw
2013-12-30 21:41 - 2013-12-30 21:54 - 00000094 _____ C:\Windows\system32\sslsso.eaw
2013-12-30 21:41 - 2013-12-30 21:41 - 00000064 _____ C:\Windows\system32\fckhi.goe
2013-12-30 21:25 - 2013-12-30 21:25 - 00101213 ____S C:\Windows\system32\gggmvk.izb
AlternateDataStreams: C:\ProgramData\TEMP:07B3CD1E
AlternateDataStreams: C:\ProgramData\TEMP:27EEEB5C
AlternateDataStreams: C:\ProgramData\TEMP:2B99FE60
AlternateDataStreams: C:\ProgramData\TEMP:4B970D7A
AlternateDataStreams: C:\ProgramData\TEMP:52067872
AlternateDataStreams: C:\ProgramData\TEMP:522EA216
AlternateDataStreams: C:\ProgramData\TEMP:6B803FAA
AlternateDataStreams: C:\ProgramData\TEMP:6C350063
AlternateDataStreams: C:\ProgramData\TEMP:6FDD5C6E
AlternateDataStreams: C:\ProgramData\TEMP:7C017FB1
AlternateDataStreams: C:\ProgramData\TEMP:904251FD
AlternateDataStreams: C:\ProgramData\TEMP:98F0614F
AlternateDataStreams: C:\ProgramData\TEMP:B4DEF139
AlternateDataStreams: C:\ProgramData\TEMP:BBE01348
AlternateDataStreams: C:\ProgramData\TEMP:BF0B4A17
AlternateDataStreams: C:\ProgramData\TEMP:C4870D32
AlternateDataStreams: C:\ProgramData\TEMP:D0570058
AlternateDataStreams: C:\ProgramData\TEMP:E027C556
AlternateDataStreams: C:\ProgramData\TEMP:F69BB936
AlternateDataStreams: C:\ProgramData\TEMP:FA8B212D
Replace: C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll C:\Windows\System32\rpcss.dll
*****************

cyqetyew => Service deleted successfully.
rahqszyq => Service deleted successfully.
"C:\Windows\system32\drivers\cyqetyew.sys" => File/Directory not found.
"C:\Windows\system32\drivers\rahqszyq.sys" => File/Directory not found.
C:\Windows\system32\wekp.ajz => Moved successfully.
C:\Windows\system32\emlujof.fzw => Moved successfully.
Could not move "C:\Windows\system32\sslsso.eaw" => Scheduled to move on reboot.
C:\Windows\system32\fckhi.goe => Moved successfully.
Could not move "C:\Windows\system32\gggmvk.izb" => Scheduled to move on reboot.
C:\ProgramData\TEMP => ":07B3CD1E" ADS removed successfully.
C:\ProgramData\TEMP => ":27EEEB5C" ADS removed successfully.
C:\ProgramData\TEMP => ":2B99FE60" ADS removed successfully.
C:\ProgramData\TEMP => ":4B970D7A" ADS removed successfully.
C:\ProgramData\TEMP => ":52067872" ADS removed successfully.
C:\ProgramData\TEMP => ":522EA216" ADS removed successfully.
C:\ProgramData\TEMP => ":6B803FAA" ADS removed successfully.
C:\ProgramData\TEMP => ":6C350063" ADS removed successfully.
C:\ProgramData\TEMP => ":6FDD5C6E" ADS removed successfully.
C:\ProgramData\TEMP => ":7C017FB1" ADS removed successfully.
C:\ProgramData\TEMP => ":904251FD" ADS removed successfully.
C:\ProgramData\TEMP => ":98F0614F" ADS removed successfully.
C:\ProgramData\TEMP => ":B4DEF139" ADS removed successfully.
C:\ProgramData\TEMP => ":BBE01348" ADS removed successfully.
C:\ProgramData\TEMP => ":BF0B4A17" ADS removed successfully.
C:\ProgramData\TEMP => ":C4870D32" ADS removed successfully.
C:\ProgramData\TEMP => ":D0570058" ADS removed successfully.
C:\ProgramData\TEMP => ":E027C556" ADS removed successfully.
C:\ProgramData\TEMP => ":F69BB936" ADS removed successfully.
C:\ProgramData\TEMP => ":FA8B212D" ADS removed successfully.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-11 15:38:05)<=

C:\Windows\system32\sslsso.eaw => Moved successfully.
C:\Windows\system32\gggmvk.izb => Moved successfully.

==== End of Fixlog ====


Edited by Centrifuze, 11 January 2014 - 06:40 PM.

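A check of the fix result above, as an added example that is not part of the thread and not code from FRST: a PowerShell script that confirms every item in the fixlist is really gone (the two S1 services and their driver files, the five dropped system32 files, the twenty alternate data streams on C:\ProgramData\TEMP) and that the restored rpcss.dll carries a valid Authenticode signature and is byte-for-byte identical to the Windows Update cache copy the fix used. Service names, file paths and the reference copy's location are taken from the fixlist; everything else is assumed: an elevated prompt, PowerShell 3.0 or later for `Get-Item -Stream` (the Vista machine in the thread ships PowerShell 2.0, where `dir /r` would have to stand in for that step), and that the SoftwareDistribution reference copy still exists.

```powershell
# Added verification script (not from the thread or from FRST). Re-checks,
# after the FRST fix, that each fixlist item is gone and that the restored
# rpcss.dll is signed and identical to the reference copy.
# Assumptions: elevated prompt; PowerShell 3.0+ for Get-Item -Stream; the
# SoftwareDistribution reference copy used by the fix still exists.

$Services  = 'cyqetyew', 'rahqszyq'
$Drivers   = "$env:SystemRoot\system32\drivers\cyqetyew.sys",
             "$env:SystemRoot\system32\drivers\rahqszyq.sys"
$Dropped   = 'wekp.ajz', 'emlujof.fzw', 'sslsso.eaw', 'fckhi.goe', 'gggmvk.izb' |
             ForEach-Object { Join-Path "$env:SystemRoot\system32" $_ }
$AdsHost   = "$env:ProgramData\TEMP"
$Target    = "$env:SystemRoot\System32\rpcss.dll"
$Reference = "$env:SystemRoot\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll"

# SHA-256 via .NET so the script does not depend on Get-FileHash (PowerShell 4.0+).
function Get-Sha256Hex ([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Test-FixlistApplied {
    $findings = @()

    # 1. The two boot-start (S1) services must be gone from the SCM and the registry.
    foreach ($name in $Services) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            $findings += "service still registered: $name"
        }
        if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name") {
            $findings += "service key still present: $name"
        }
    }

    # 2. Driver binaries and the dropped system32 files must no longer exist.
    foreach ($path in ($Drivers + $Dropped)) {
        if (Test-Path -LiteralPath $path) { $findings += "file still present: $path" }
    }

    # 3. C:\ProgramData\TEMP must carry no alternate data streams; anything but
    #    the default :$DATA stream is a leftover of what the fixlist removed.
    $streams = Get-Item -LiteralPath $AdsHost -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) { $findings += "ADS still present: ${AdsHost}:$($s.Stream)" }

    # 4. rpcss.dll must have a valid Authenticode signature and match the reference
    #    copy. The Bamital check flagged it by MD5; compare by SHA-256 here, since
    #    MD5 is not collision-resistant and should not decide pass/fail.
    $sig = Get-AuthenticodeSignature -FilePath $Target
    if ($sig.Status -ne 'Valid') {
        $findings += "rpcss.dll signature status: $($sig.Status)"
    }
    if (Test-Path -LiteralPath $Reference) {
        $a = Get-Sha256Hex $Target
        $b = Get-Sha256Hex $Reference
        if ($a -ne $b) { $findings += "rpcss.dll differs from reference copy: $a vs $b" }
    } else {
        $findings += "reference copy missing, hash comparison skipped: $Reference"
    }
    return $findings
}

$result = @(Test-FixlistApplied)
if ($result.Count -eq 0) { 'OK: every fixlist item is gone; rpcss.dll is signed and matches the reference' }
else { $result | ForEach-Object { "FAIL: $_" } }
```

Two of the fixlog lines deserve a second look even when the script reports OK: the driver files were "not found" when FRST tried to delete them, which is what you expect from a rootkit that has already been partially cleaned by TDSSKiller, but the service entries that pointed at them were still live (S1, boot-start), so a reboot with those keys present would have attempted to load the missing drivers. The two files that could only be moved on reboot (sslsso.eaw and gggmvk.izb, the latter with the system attribute set) were in use by a running process at the time, which is consistent with the patched rpcss.dll loading them from inside svchost.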

#6 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:12:22 PM

Posted 11 January 2014 - 07:11 PM

Please do this next:

Download ComboFix from HERE, and save it to your desktop.

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back.  Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • ComboFix log




#7 Centrifuze
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:22 AM

Posted 11 January 2014 - 07:20 PM

I think I may have caused ComboFix to close somehow. The window closed, no report was generated, and Windows produced a beeping sound like I'd hit a button on the keyboard (I think I may have hit Ctrl...)

 

EDIT: NM, there was just a delay before the DOS window opened. All is running fine.


Edited by Centrifuze, 11 January 2014 - 07:21 PM.


#8 Centrifuze
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:22 AM

Posted 11 January 2014 - 11:20 PM

ComboFix 14-01-08.03 - Karla 01/11/2014  16:27:09.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.1918.800 [GMT -8:00]
Running from: c:\users\Karla\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Blinkx
c:\program files\Blinkx\blinkx.ico
c:\program files\Blinkx\blinkxss.exe
c:\program files\Blinkx\blinkxstop.exe
c:\program files\Blinkx\lang.dll
c:\program files\Blinkx\templates\index.html
c:\program files\Blinkx\templates\logo.bmp
c:\program files\Blinkx\templates\noflash.html
c:\program files\Blinkx\templates\offline.html
c:\program files\Blinkx\templates\offline.swf
c:\program files\Blinkx\templates\saver.ico
c:\program files\Blinkx\templates\uninstall.exe
c:\program files\Mozilla Firefox\searchplugins\wyeke127.xml
c:\programdata\Microsoft\Windows\DRM\7618.tmp
c:\users\Family\AppData\Local\TempDIR
c:\users\Family\AppData\Local\TempDIR\BetterInstaller.exe
c:\users\Family\AppData\Roaming\BD5BB7
c:\users\Family\IntranetLogin.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\EKSAyJlm.ini
c:\windows\system32\IOWGijlm.ini
c:\windows\system32\iRYyxyay.ini
c:\windows\system32\jRqBdJjl.ini
c:\windows\system32\kSutAcdd.ini
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-12 to 2014-01-12  )))))))))))))))))))))))))))))))
.
.
2014-01-12 01:06 . 2014-01-12 01:06    --------    d-----w-    c:\users\Mcx1\AppData\Local\temp
2014-01-12 01:06 . 2014-01-12 01:06    --------    d-----w-    c:\users\Kirk\AppData\Local\temp
2014-01-12 01:06 . 2014-01-12 01:06    --------    d-----w-    c:\users\Guest\AppData\Local\temp
2014-01-12 01:06 . 2014-01-12 01:06    --------    d-----w-    c:\users\Family\AppData\Local\temp
2014-01-12 01:05 . 2014-01-12 03:26    --------    d-----w-    c:\users\Karla\AppData\Local\temp
2014-01-12 01:05 . 2014-01-12 01:05    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-01-11 22:58 . 2014-01-11 23:38    --------    d-----w-    C:\FRST
2014-01-09 02:49 . 2014-01-09 02:49    --------    d-----w-    c:\users\Karla\AppData\Roaming\Malwarebytes
2014-01-09 02:47 . 2014-01-09 02:48    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-01-09 02:47 . 2013-04-04 22:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-01-08 01:40 . 2014-01-08 02:23    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-01-08 01:23 . 2014-01-08 01:23    --------    d-----w-    C:\TDSSKiller_Quarantine
2014-01-07 02:00 . 2014-01-07 02:00    --------    d-----w-    c:\windows\system32\MpEngineStore
2014-01-01 22:41 . 2014-01-01 22:41    --------    d-----w-    c:\programdata\Malwarebytes
2014-01-01 22:40 . 2014-01-09 02:52    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2014-01-01 22:38 . 2014-01-01 22:38    74456    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-12-31 02:21 . 2013-12-31 02:21    --------    d-----w-    c:\users\Karla\AppData\Local\Asmlworks
2013-12-28 20:06 . 2013-12-28 20:06    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-12-27 19:39 . 2013-12-27 19:39    --------    d-----w-    c:\program files\iPod
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 12:23 . 2012-09-16 06:22    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-12-11 12:23 . 2011-12-27 06:09    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-06 03:45 . 2013-11-06 03:45    650936    ----a-w-    c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\spybot - search & destroy\TeaTimer.exe" [2009-01-26 2144088]
"Spotify Web Helper"="c:\users\Karla\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-24 1193176]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"SnapfishMediaDetector"="c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 1441792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-08 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-01-26 2077536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-14 59720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
.
c:\users\Karla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 273296]
Snapfish Media Detector.lnk - c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe [2007-3-2 1441792]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-11-02 08:29    152392    ----a-w-    c:\program files\itunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3535378450-533572598-751281867-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3535378450-533572598-751281867-1001]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-16 12:23]
.
2014-01-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3535378450-533572598-751281867-1001Core.job
- c:\users\Family\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-04 15:44]
.
2014-01-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3535378450-533572598-751281867-1001UA.job
- c:\users\Family\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-04 15:44]
.
2014-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 22:51]
.
2014-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 22:51]
.
2014-01-12 c:\windows\Tasks\User_Feed_Synchronization-{C69EB655-B0DF-4697-B184-7A9C84EC7C9E}.job
- c:\windows\system32\msfeedssync.exe [2011-06-20 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\Karla\AppData\Roaming\Mozilla\Firefox\Profiles\ot3vn0d1.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - (no file)
BHO-{78DB238B-7DE6-4DF6-8BB7-7AD68A3F0DD7} - c:\windows\system32\awtrPGww.dll
HKCU-Run-HPADVISOR - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
SafeBoot-48124174.sys
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-VirtualCloneDrive - c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
AddRemove-blinkx beat - c:\program files\Blinkx\templates\uninstall.exe
AddRemove-Move Networks Player - IE - c:\users\Family\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-11 19:26
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\AVG\AVG9\avgwdsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\hasplms.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Motorola\MotForwardDaemon\ForwardDaemon.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\program files\TeamViewer\Version6\TeamViewer_Service.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\windows\RtHDVCpl.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Microsoft Office\Office12\ONENOTEM.EXE
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2014-01-11  19:32:17 - machine was rebooted
ComboFix-quarantined-files.txt  2014-01-12 03:32
.
Pre-Run: 3,711,201,280 bytes free
Post-Run: 14,024,208,384 bytes free
.
- - End Of File - - F601F57DD8914BC796591905D645FBCC
8913823FF508CCF109DB74B636C301DA
 


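The "Reg Loading Points" section of the ComboFix log above shows several settings that are not Windows defaults and that adware and rootkits commonly set to keep the user from noticing them: EnableLUA=0 (UAC off), Security Center monitoring disabled globally and per product, and AntiVirusOverride=1, which silences the "no antivirus" warning. The following PowerShell script, added here as an example and not code from the thread or from ComboFix, audits exactly those values, restores the defaults when run with -Fix, and then lists Browser Helper Objects whose DLL is missing or unsigned, the class of entry ComboFix removed under ORPHANS REMOVED (the BHO at c:\windows\system32\awtrPGww.dll). Key paths and current values come from the log; the "Good" values are the Windows defaults, and the -Fix switch, function names and output strings are this example's own. Save it as a .ps1 and run it elevated; EnableLUA only takes effect after a reboot, and if a third-party suite legitimately registered itself with Security Center you should confirm that before re-enabling monitoring.

```powershell
# Added audit script (not from the thread or from ComboFix). Reports the
# loading-point values the ComboFix log shows as changed from their defaults,
# restores them with -Fix, then lists BHOs whose DLL is missing or unsigned.
# Assumptions: saved as a .ps1, run elevated, 32-bit Windows as in the thread
# (on 64-bit Windows also check the Wow6432Node BHO key).
param([switch]$Fix)

# Each check: registry key, value name, the value ComboFix showed (Bad),
# the Windows default (Good), and why the setting matters.
$Checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA'; Bad = 0; Good = 1
       Why = 'UAC off: every process of an administrator account runs fully elevated' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
       Name = 'DisableMonitoring'; Bad = 1; Good = 0
       Why = 'Security Center no longer warns when AV or firewall are off' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus'
       Name = 'DisableMonitoring'; Bad = 1; Good = 0
       Why = 'per-product monitoring override' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall'
       Name = 'DisableMonitoring'; Bad = 1; Good = 0
       Why = 'per-product monitoring override' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'
       Name = 'AntiVirusOverride'; Bad = 1; Good = 0
       Why = 'suppresses the "no antivirus detected" notification' }
)

function Test-LoadingPoint ([hashtable]$Check) {
    $prop = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return "absent (default): $($Check.Key)\$($Check.Name)" }
    $value = $prop.($Check.Name)
    if ($value -ne $Check.Bad) { return "ok: $($Check.Key)\$($Check.Name) = $value" }
    if ($Fix) {
        Set-ItemProperty -Path $Check.Key -Name $Check.Name -Value $Check.Good -Type DWord
        return "fixed: $($Check.Key)\$($Check.Name) $value -> $($Check.Good)"
    }
    return "weak: $($Check.Key)\$($Check.Name) = $value ($($Check.Why))"
}

# A BHO is loaded into every Internet Explorer process; one whose DLL is gone
# is a leftover, one whose DLL is unsigned deserves a look (ad injectors
# rarely carry a valid Authenticode signature).
function Get-SuspectBho {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($bho in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $clsid = $bho.PSChildName
        $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = $null
        if ($srv -and $srv.'(default)') {
            $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)').Trim('"')
        }
        if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
            "orphan BHO: $clsid -> $dll (file missing)"
        } elseif ((Get-AuthenticodeSignature -FilePath $dll).Status -ne 'Valid') {
            "unsigned BHO: $clsid -> $dll"
        }
    }
}

foreach ($c in $Checks) { Test-LoadingPoint $c }
Get-SuspectBho
```

Run without -Fix first and read the "weak" lines: the Security Center overrides are the kind of change a legitimate security suite can make during installation, but DisableMonitoring=1 together with AntiVirusOverride=1 on a machine whose only registered product is AVG is what you would expect from malware that wants to stay quiet, and EnableLUA=0 removes the one prompt that would have flagged the rootkit's installer.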

#9 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:12:22 PM

Posted 12 January 2014 - 12:00 AM

Please do this next:

Please download AdwCleaner by Xplode and save it to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information, C:\FRST\Quarantine or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • adwCleaner log
  • MBAM log




#10 Centrifuze
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:22 AM

Posted 12 January 2014 - 06:24 PM

# AdwCleaner v3.016 - Report created 11/01/2014 at 21:05:56
# Updated 23/12/2013 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 1 (32 bits)
# Username : Karla - KIRK-PC
# Running from : C:\Users\Karla\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Program Files\Mozilla Firefox\Components\AskSearch.js
File Found : C:\Users\Family\AppData\Local\funmoods.crx
File Found : C:\Users\Family\AppData\Local\funmoods-speeddial.crx
File Found : C:\Users\Family\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage
File Found : C:\Users\Family\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cjpglkicenollcignonpgiafdgfeehoj_0.localstorage
File Found : C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\8vem5zca.default\searchplugins\Ask.xml
File Found : C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\8vem5zca.default\searchplugins\fast-browser-search.xml
File Found : C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\8vem5zca.default\searchplugins\mywebsearch.xml
File Found : C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\8vem5zca.default\searchplugins\search.xml
File Found : C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\8vem5zca.default\user.js
File Found : C:\Windows\System32\Tasks\NCH Software
Folder Found : C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\8vem5zca.default\Extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}
Folder Found : C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\8vem5zca.default\Extensions\ffxtlbr@funmoods.com
Folder Found C:\Program Files\Azureus
Folder Found C:\ProgramData\Azureus
Folder Found C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Freeze.com
Folder Found C:\ProgramData\NCH Software
Folder Found C:\ProgramData\Trymedia
Folder Found C:\Users\Family\AppData\Local\apn
Folder Found C:\Users\Family\AppData\Local\PackageAware
Folder Found C:\Users\Family\AppData\LocalLow\AskToolbar
Folder Found C:\Users\Family\AppData\LocalLow\ShoppingReport
Folder Found C:\Users\Family\AppData\Roaming\Azureus
Folder Found C:\Users\Family\AppData\Roaming\iWin
Folder Found C:\Users\Family\AppData\Roaming\NCH Software
Folder Found C:\Users\Family\Funmoods
Folder Found C:\Users\Karla\AppData\LocalLow\ShoppingReport
Folder Found C:\Users\Kirk\AppData\LocalLow\ShoppingReport
Folder Found C:\Users\Kirk\AppData\Roaming\Azureus

***** [ Shortcuts ] *****

Shortcut Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NovaLogic\Delta Force 2\Uninstall.lnk ( -f"C:\Program Files\NovaLogic\Delta Force 2\Uninst.isu" )

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\ShoppingReport
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\FLV Player
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ShoppingReport
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\Software\Azureus
Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{0702A2B6-13AA-4090-9E01-BCDC85DD933F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{08993A7C-E764-4172-9627-BFB5EA6897B2}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{128A6C66-AC6A-4617-8268-AB7F47B7215E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{571715D7-3395-4DF0-B43C-784836209E60}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{622FD888-4E91-4D68-84D4-7262FD0811BF}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Found : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FLV Player
Key Found : HKLM\Software\NCH Software
Key Found : HKLM\Software\Trymedia Systems

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.19088


-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Users\Kirk\AppData\Roaming\Mozilla\Firefox\Profiles\2oxu5gah.default\prefs.js ]


[ File : C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\8vem5zca.default\prefs.js ]

Line Found : user_pref("backup.old.browser.search.defaultenginename", "Fast Browser Search");
Line Found : user_pref("browser.search.defaultthis.engineName", "Fast Browser Search");
Line Found : user_pref("browser.search.defaulturl", "hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=");
Line Found : user_pref("browser.search.order.1", "Fast Browser Search");
Line Found : user_pref("browser.startup.homepage", "hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtC0B0F0C0ByD0AtA0DtCtC0AtBtAtN0D0Tzu0CtBtCtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=253699509");
Line Found : user_pref("extensions.enabledAddons", "extension%40MusicParadiseLayouts.com:1.4,extension%40MusicParadiseSearch.com:1.3,ffxtlbr%40funmoods.com:1.5.1,tlshzwcivh%40tlshzwcivh.org:1.0,%7B75656794-AB59-47[...]
Line Found : user_pref("extensions.funmoods.aflt", "adknlg");
Line Found : user_pref("extensions.funmoods.autoRvrt", false);
Line Found : user_pref("extensions.funmoods.cntry", "US");
Line Found : user_pref("extensions.funmoods.cv", "cv5");
Line Found : user_pref("extensions.funmoods.dfltLng", "");
Line Found : user_pref("extensions.funmoods.dfltSrch", true);
Line Found : user_pref("extensions.funmoods.dnsErr", true);
Line Found : user_pref("extensions.funmoods.envrmnt", "production");
Line Found : user_pref("extensions.funmoods.excTlbr", false);
Line Found : user_pref("extensions.funmoods.hdrMd5", "348EC694F2A3670A07CDBBF603301B74");
Line Found : user_pref("extensions.funmoods.hmpg", true);
Line Found : user_pref("extensions.funmoods.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtC0B0F0C0ByD0AtA0DtCtC0AtBtAtN0D0Tzu0CtBtCtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=253699509[...]
Line Found : user_pref("extensions.funmoods.id", "001BFCB5A3D11A23");
Line Found : user_pref("extensions.funmoods.instlDay", "15552");
Line Found : user_pref("extensions.funmoods.instlRef", "adknlg");
Line Found : user_pref("extensions.funmoods.isdcmntcmplt", true);
Line Found : user_pref("extensions.funmoods.lastVrsnTs", "1.5.23.2220:8:23");
Line Found : user_pref("extensions.funmoods.mntrvrsn", "1.3.0");
Line Found : user_pref("extensions.funmoods.newTab", true);
Line Found : user_pref("extensions.funmoods.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtC0B0F0C0ByD0AtA0DtCtC0AtBtAtN0D0Tzu0CtBtCtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2536995[...]
Line Found : user_pref("extensions.funmoods.pnu_base", "{\"newVrsn\":\"254\",\"lastVrsn\":\"254\",\"vrsnLoad\":\"\",\"showMsg\":\"false\",\"showSilent\":\"false\",\"msgTs\":0,\"lstMsgTs\":\"0\"}");
Line Found : user_pref("extensions.funmoods.prdct", "funmoods");
Line Found : user_pref("extensions.funmoods.prtnrId", "funmoods");
Line Found : user_pref("extensions.funmoods.sg", "none");
Line Found : user_pref("extensions.funmoods.smplGrp", "none");
Line Found : user_pref("extensions.funmoods.srchPrvdr", "Search");
Line Found : user_pref("extensions.funmoods.tlbrId", "base");
Line Found : user_pref("extensions.funmoods.tlbrSrchUrl", "hxxp://start.funmoods.com/?f=3&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtC0B0F0C0ByD0AtA0DtCtC0AtBtAtN0D0Tzu0CtBtCtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=25369[...]
Line Found : user_pref("extensions.funmoods.vrsn", "1.5.23.22");
Line Found : user_pref("extensions.funmoods.vrsnTs", "1.5.23.2220:8:23");
Line Found : user_pref("extensions.funmoods.vrsni", "1.5.23.22");
Line Found : user_pref("extensions.funmoods_i.newTab", true);
Line Found : user_pref("extensions.funmoods_i.smplGrp", "none");
Line Found : user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.2220:8:23");
Line Found : user_pref("extensions.mywebsearch.openSearchURL", "hxxp://search.mywebsearch.com/mywebsearch/opensearch.jhtml?id=ZJfox000&ptb=vsGE5qlEYUbbBhKqfuBCjw");
Line Found : user_pref("extensions.mywebsearch.prevKwdEnabled", true);
Line Found : user_pref("extensions.mywebsearch.prevKwdURL", "hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=");
Line Found : user_pref("extensions.snipit.askTbInstalled", true);
Line Found : user_pref("extensions.snipit.chromeURL", "hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q={searchTerms}&crm=1");
Line Found : user_pref("keyword.URL", "hxxp://www.bigseekpro.com/search/toolbar/mp3rocket/{9DEF92EB-9DEA-144A-2E37-0A26FE9B0126}?q=");
Line Found : user_pref("somoto.dnscatch", "hxxp://www.bigseekpro.com/search/toolbar/mp3rocket/{9DEF92EB-9DEA-144A-2E37-0A26FE9B0126}?q=");
Line Found : user_pref("somoto.homepage", "hxxp://www.bigseekpro.com/mp3rocket/{9DEF92EB-9DEA-144A-2E37-0A26FE9B0126}");
Line Found : user_pref("startup.homepage_override_url", "hxxp://www.ask.com/?o=20011&l=dis");

[ File : C:\Users\Karla\AppData\Roaming\Mozilla\Firefox\Profiles\ot3vn0d1.default\prefs.js ]


-\\ Google Chrome v

[ File : C:\Users\Family\AppData\Local\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Users\Karla\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [13438 octets] - [11/01/2014 21:05:56]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [13499 octets] ##########

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.12.03

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Karla :: KIRK-PC [administrator]

1/11/2014 11:14:47 PM
mbam-log-2014-01-11 (23-14-47).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 686267
Time elapsed: 4 hour(s), 32 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Optional.Funmoods.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 22
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\7618.tmp.vir (Trojan.Agent.MRGGen) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Family\AppData\Local\TempDIR\BetterInstaller.exe.vir (PUP.Optional.Somoto.A) -> No action taken.
C:\Users\Family\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cjpglkicenollcignonpgiafdgfeehoj_0.localstorage (PUP.Optional.FunMoods.A) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Users\Family\Documents\Downloads\MP3 Rocket\OpenCandy\OCSetupHlp.dll (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Family\Downloads\MightyMagoo.exe (PUP.MightyMagoo) -> Quarantined and deleted successfully.
C:\Users\Family\Downloads\Mixxx_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
C:\Users\Family\Funmoods\1.5.23.22\bh\escort.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Users\Family\Funmoods\1.5.23.22\escorTlbr.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\Users\Family\Funmoods\1.5.23.22\escortApp.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\Users\Family\Funmoods\1.5.23.22\escortEng.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\Users\Family\Funmoods\1.5.23.22\funmoodssrv.exe (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\Users\Family\Funmoods\1.5.23.22\uninstall.exe (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\Users\Family\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Users\Family\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cjpglkicenollcignonpgiafdgfeehoj_0.localstorage (PUP.Optional.FunMoods.A) -> Quarantined and deleted successfully.
C:\Users\Family\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Users\Family\Music\Pictures\SetupPlaySushi.exe (PUP.PlaySushi) -> Quarantined and deleted successfully.
C:\Users\Family\Shared\Cant Live Without You Justin B 2010.rar (Trojan.P2P.Agent) -> Quarantined and deleted successfully.
C:\Users\Family\Shared\Full cant live without you justin b.rar (Trojan.P2P.Agent) -> Quarantined and deleted successfully.
C:\Users\Family\Shared\Sos Rico Love [release from torrentresource.com].rar (Trojan.P2P.Agent) -> Quarantined and deleted successfully.
C:\Users\Family\Shared\Sos Rico Love[thepiratebay.org].rar (Trojan.P2P.Agent) -> Quarantined and deleted successfully.

(end)



#11 RPMcMurphy
Malware Response Team, 3,970 posts

Posted 12 January 2014 - 07:21 PM

How is the computer running now?  Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please go to www.java.com and press the "Free Java Download" button near the center of the page. Follow the prompts to install the latest version. Once it completes a web page should open that will verify that you have the latest version. Below that is a box with a link to remove older, insecure versions. Click that and follow the prompts.

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • How is the computer running now?
  • ESET log


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may [Donate]


#12 Centrifuze (Topic Starter)
Members, 16 posts

Posted 14 January 2014 - 07:39 PM

Computer has been seemingly back to normal since running FRST with the fixlist. Processing speeds have increased, and the commercials have stopped. No more noticeable issues (as far as I can tell anyhow).

Here's the results from ESET:

C:\FRST\Quarantine\rpcss.dll    Win32/Patched.IB trojan
C:\Program Files\Windows Live\Messenger\msimg32.dll    Win32/Toolbar.MyWebSearch application
C:\Program Files\Windows Live\Messenger\riched20.dll    Win32/Toolbar.MyWebSearch application
C:\ProgramData\Spybot - Search & Destroy\Recovery\GameVance6.zip    Win32/Bagle.gen.zip worm
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\7618.tmp.vir    a variant of Win32/Kryptik.ANII trojan
C:\Qoobox\Quarantine\C\Users\Family\AppData\Local\TempDIR\BetterInstaller.exe.vir    a variant of Win32/Somoto.A application
C:\Qoobox\Quarantine\C\Windows\System32\EKSAyJlm.ini.vir    Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\Windows\System32\IOWGijlm.ini.vir    Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\Windows\System32\iRYyxyay.ini.vir    Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\Windows\System32\jRqBdJjl.ini.vir    Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\Windows\System32\kSutAcdd.ini.vir    Win32/Adware.Virtumonde.NEO application
C:\Users\All Users\Spybot - Search & Destroy\Recovery\GameVance6.zip    Win32/Bagle.gen.zip worm
C:\Users\Family\AppData\Local\Google\Chrome\User Data\Default\Default\aagedcgfgbdedgdedcdidagddegcdbgb\background.html    Win32/BHO.OEI trojan
C:\Users\Family\AppData\Local\Google\Chrome\User Data\Default\Default\aagedcgfgbdedgdedcdidagddegcdbgb\ContentScript.js    Win32/TrojanDownloader.Tracur.AD trojan
C:\Users\Family\AppData\Local\{309C802B-A076-4563-B164-B62C0C145153}\BRAND_FILES\5459C276\10021D18\SetupDataMngr_BearShare.exe    multiple threats
C:\Users\Family\AppData\Local\{71C01C2D-E157-4490-AEA7-088A4E791A2E}\BRAND_FILES\65038823\216567D5\SetupDataMngr_iMesh.exe    multiple threats
C:\Users\Family\AppData\Local\{A9673E80-81F2-43CB-AC03-29F47370B98A}\BRAND_FILES\F9A8E141\CD47D6EC\SetupDataMngr_iMesh.exe    multiple threats
C:\Users\Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\175835cc-3bc9f99d    multiple threats
C:\Users\Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\38bc7a55-3a26dfad    multiple threats
C:\Users\Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\b047964-29e59e25    a variant of Java/Exploit.CVE-2010-0840.NAN trojan
C:\Users\Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\62d70a6c-76f4d2f7    multiple threats
C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\8vem5zca.default\extensions\tlshzwcivh@tlshzwcivh.org.xpi    JS/Redirector.NCA trojan
C:\Users\Family\Desktop\mp3rocket.exe    multiple threats
C:\Users\Family\Documents\Azureus Downloads\Lady Gaga - Paparazzi ([TorrentGod]).zip    probably a variant of Win32/Injector.APK trojan
C:\Users\Family\Documents\LimeWire\Incomplete\T-4380953-independent.snd    a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Users\Family\Downloads\FlvtoYoutubeDownloaderSetup.exe    Win32/InstallMonetizer.AN application
C:\Users\Family\Downloads\iLivid_Setup.exe    Win32/Toolbar.Zugo application
C:\Users\Family\Downloads\mp3rocket (1).exe    multiple threats
C:\Users\Family\Downloads\mp3rocket.exe    multiple threats
C:\Users\Family\Downloads\SetupGamevance.exe    a variant of Win32/Adware.Gamevance.BB application
C:\Users\Family\Funmoods\1.5.23.22\escortShld.dll    Win32/Toolbar.Funmoods application
C:\Users\Family\Music\Pictures\ZwinkySetup2.3.67.1.ZJman000.exe    Win32/Toolbar.MyWebSearch application
C:\Users\Family\Shared\thunderhorse.mp3    WMA/TrojanDownloader.GetCodec.C trojan
C:\Users\Karla\AppData\Local\Asmlworks\hcwCcServ.dll    a variant of Win32/Sefnit.CV trojan
C:\Users\Karla\AppData\Local\Google\Chrome\User Data\Default\jiikmgjdmhomejnommembgijakbnioee\6.0.0\background.js    Win32/Boaxxe.BE trojan
C:\Users\Karla\AppData\Roaming\Mozilla\Firefox\Profiles\ot3vn0d1.default\extensions\{93C68A98-ECC7-DE49-CC4C-16890A1D8E44}\components\SystemReflectionObfuscationAttribute.js    Win32/Boaxxe.BE trojan
C:\Users\Kirk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\17adf0b1-1bcfd096    a variant of Java/JShrink.A application
C:\Users\Kirk\Incomplete\T-5745425-heartless remix.mp3    a variant of WMA/TrojanDownloader.GetCodec.gen trojan
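
The line `C:\FRST\Quarantine\rpcss.dll    Win32/Patched.IB trojan` is the finding that explains the original symptom. ESET's Patched family means a genuine Microsoft binary with code injected into it, and rpcss.dll is the ServiceDll behind both the RpcSs and DcomLaunch (DCOM Server Process Launcher) services, which on Vista run in the same svchost.exe as Plug and Play. A patched copy loaded into that process would play the ads, stop when the process is killed, and take the DCOM launcher down with it, forcing the restart described in the first post. FRST has already moved the bad copy to quarantine; the check a practitioner wants afterwards is that the copy now in System32, and every other service DLL, still carries a valid Microsoft signature. The PowerShell below is an added example, not part of the thread or of any tool used in it; the function name and output layout are this example's own, and it assumes an elevated prompt.

```powershell
# Added example: report the Authenticode status of every svchost-hosted service DLL.
# Assumes an elevated PowerShell prompt. Function name and output layout are this
# example's own, not from FRST, ESET or ComboFix.
function Get-ServiceDllSignature {
    param(
        # Optional list of service names to check (e.g. 'DcomLaunch','RpcSs','PlugPlay');
        # default is every service that declares a ServiceDll.
        [string[]] $Name = @()
    )
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in $services) {
        if ($Name.Count -gt 0 -and $Name -notcontains $svc.PSChildName) { continue }

        $paramKey = Join-Path $svc.PSPath 'Parameters'
        if (-not (Test-Path $paramKey)) { continue }
        $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }

        # ServiceDll is REG_EXPAND_SZ, usually %SystemRoot%\system32\<name>.dll
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path $path)) {
            $status = 'MissingFile'
            $signer = ''
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            # Status is Valid, NotSigned, HashMismatch, NotTrusted, ... A Microsoft system
            # DLL that reports anything but Valid with a Microsoft signer needs a closer look:
            # a patched file no longer matches its embedded or catalog hash.
            $status = $sig.Status.ToString()
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
        New-Object PSObject -Property @{
            Service = $svc.PSChildName
            Dll     = $path
            Status  = $status
            Signer  = $signer
        }
    }
}

# The services named in the original post first, then everything that is not Valid.
Get-ServiceDllSignature -Name DcomLaunch, RpcSs, PlugPlay | Format-Table Service, Status, Signer, Dll -AutoSize
Get-ServiceDllSignature | Where-Object { $_.Status -ne 'Valid' } | Format-Table Service, Status, Signer, Dll -AutoSize
```

One caveat matters on a machine of this vintage: Windows system DLLs are catalog-signed rather than embedded-signed, and Get-AuthenticodeSignature only consults the catalog store on PowerShell 5.1 and later. On the PowerShell 2.0 that ships with Vista, clean system files will also report NotSigned, so there the cross-check is `sfc /verifyfile=C:\Windows\System32\rpcss.dll` (or Sysinternals sigcheck), which compares the file against the component store and reports an integrity violation for a patched copy.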



#13 RPMcMurphy
Malware Response Team, 3,970 posts

Posted 14 January 2014 - 09:00 PM

Please do this next:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
C:\Users\Family\AppData\Local\Google\Chrome\User Data\Default\Default\aagedcgfgbdedgdedcdidagddegcdbgb\background.html
C:\Users\Family\AppData\Local\Google\Chrome\User Data\Default\Default\aagedcgfgbdedgdedcdidagddegcdbgb\ContentScript.js
C:\Users\Family\AppData\Local\{309C802B-A076-4563-B164-B62C0C145153}\BRAND_FILES\5459C276\10021D18\SetupDataMngr_BearShare.exe
C:\Users\Family\AppData\Local\{71C01C2D-E157-4490-AEA7-088A4E791A2E}\BRAND_FILES\65038823\216567D5\SetupDataMngr_iMesh.exe
C:\Users\Family\AppData\Local\{A9673E80-81F2-43CB-AC03-29F47370B98A}\BRAND_FILES\F9A8E141\CD47D6EC\SetupDataMngr_iMesh.exe
C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\8vem5zca.default\extensions\tlshzwcivh@tlshzwcivh.org.xpi
C:\Users\Family\Desktop\mp3rocket.exe
C:\Users\Family\Documents\Azureus Downloads\Lady Gaga - Paparazzi ([TorrentGod]).zip
C:\Users\Family\Documents\LimeWire\Incomplete\T-4380953-independent.snd
C:\Users\Family\Downloads\mp3rocket (1).exe
C:\Users\Family\Downloads\mp3rocket.exe
C:\Users\Family\Shared\thunderhorse.mp3
C:\Users\Karla\AppData\Local\Asmlworks\hcwCcServ.dll
C:\Users\Karla\AppData\Local\Google\Chrome\User Data\Default\jiikmgjdmhomejnommembgijakbnioee\6.0.0\background.js
C:\Users\Karla\AppData\Roaming\Mozilla\Firefox\Profiles\ot3vn0d1.default\extensions\{93C68A98-ECC7-DE49-CC4C-16890A1D8E44}\components\SystemReflectionObfuscationAttribute.js
C:\Users\Kirk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\17adf0b1-1bcfd096
C:\Users\Kirk\Incomplete\T-5745425-heartless remix.mp3
ClearJavaCache::
Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Please include the following in your next post:
  • ComboFix log



#14 Centrifuze (Topic Starter)
Members, 16 posts

Posted 14 January 2014 - 10:41 PM

ComboFix 14-01-14.02 - Karla 01/14/2014  18:13:01.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.1918.1008 [GMT -8:00]
Running from: c:\users\Karla\Desktop\ComboFix.exe
Command switches used :: c:\users\Karla\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Family\AppData\Local\{309C802B-A076-4563-B164-B62C0C145153}\BRAND_FILES\5459C276\10021D18\SetupDataMngr_BearShare.exe"
"c:\users\Family\AppData\Local\{71C01C2D-E157-4490-AEA7-088A4E791A2E}\BRAND_FILES\65038823\216567D5\SetupDataMngr_iMesh.exe"
"c:\users\Family\AppData\Local\{A9673E80-81F2-43CB-AC03-29F47370B98A}\BRAND_FILES\F9A8E141\CD47D6EC\SetupDataMngr_iMesh.exe"
"c:\users\Family\AppData\Local\Google\Chrome\User Data\Default\Default\aagedcgfgbdedgdedcdidagddegcdbgb\background.html"
"c:\users\Family\AppData\Local\Google\Chrome\User Data\Default\Default\aagedcgfgbdedgdedcdidagddegcdbgb\ContentScript.js"
"c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\8vem5zca.default\extensions\tlshzwcivh@tlshzwcivh.org.xpi"
"c:\users\Family\Desktop\mp3rocket.exe"
"c:\users\Family\Documents\Azureus Downloads\Lady Gaga - Paparazzi ([TorrentGod]).zip    c:\users\Family\Documents\LimeWire\Incomplete\T-4380953-independent.snd"
"c:\users\Family\Downloads\mp3rocket (1).exe"
"c:\users\Family\Downloads\mp3rocket.exe"
"c:\users\Family\Shared\thunderhorse.mp3"
"c:\users\Karla\AppData\Local\Asmlworks\hcwCcServ.dll"
"c:\users\Karla\AppData\Local\Google\Chrome\User Data\Default\jiikmgjdmhomejnommembgijakbnioee\6.0.0\background.js"
"c:\users\Karla\AppData\Roaming\Mozilla\Firefox\Profiles\ot3vn0d1.default\extensions\{93C68A98-ECC7-DE49-CC4C-16890A1D8E44}\components\SystemReflectionObfuscationAttribute.js"
"c:\users\Kirk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\17adf0b1-1bcfd096    c:\users\Kirk\Incomplete\T-5745425-heartless remix.mp3"
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-15 to 2014-01-15  )))))))))))))))))))))))))))))))
.
.
2014-01-15 02:36 . 2014-01-15 02:36    --------    d-----w-    c:\users\Karla\AppData\Local\temp
2014-01-15 02:36 . 2014-01-15 02:36    --------    d-----w-    c:\users\Mcx1\AppData\Local\temp
2014-01-15 02:36 . 2014-01-15 02:36    --------    d-----w-    c:\users\Kirk\AppData\Local\temp
2014-01-15 02:36 . 2014-01-15 02:36    --------    d-----w-    c:\users\Guest\AppData\Local\temp
2014-01-15 02:36 . 2014-01-15 02:36    --------    d-----w-    c:\users\Family\AppData\Local\temp
2014-01-15 02:36 . 2014-01-15 02:36    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-01-14 04:03 . 2014-01-14 04:03    --------    d-----w-    c:\program files\ESET
2014-01-14 03:58 . 2014-01-14 03:58    --------    d-----w-    c:\users\Karla\AppData\Roaming\Oracle
2014-01-14 03:56 . 2014-01-14 03:56    --------    d-----w-    c:\programdata\Oracle
2014-01-14 03:54 . 2014-01-14 03:54    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-01-12 05:05 . 2014-01-12 05:07    --------    d-----w-    C:\AdwCleaner
2014-01-11 22:58 . 2014-01-11 23:38    --------    d-----w-    C:\FRST
2014-01-09 02:49 . 2014-01-09 02:49    --------    d-----w-    c:\users\Karla\AppData\Roaming\Malwarebytes
2014-01-09 02:47 . 2014-01-09 02:48    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-01-09 02:47 . 2013-04-04 22:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-01-08 01:40 . 2014-01-08 02:23    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-01-08 01:23 . 2014-01-08 01:23    --------    d-----w-    C:\TDSSKiller_Quarantine
2014-01-07 02:00 . 2014-01-07 02:00    --------    d-----w-    c:\windows\system32\MpEngineStore
2014-01-01 22:41 . 2014-01-01 22:41    --------    d-----w-    c:\programdata\Malwarebytes
2014-01-01 22:40 . 2014-01-12 07:12    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2014-01-01 22:38 . 2014-01-01 22:38    74456    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-12-31 02:21 . 2013-12-31 02:21    --------    d-----w-    c:\users\Karla\AppData\Local\Asmlworks
2013-12-28 20:06 . 2013-12-28 20:06    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-12-27 19:39 . 2013-12-27 19:39    --------    d-----w-    c:\program files\iPod
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 12:23 . 2012-09-16 06:22    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-12-11 12:23 . 2011-12-27 06:09    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-06 03:45 . 2013-11-06 03:45    650936    ----a-w-    c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\spybot - search & destroy\TeaTimer.exe" [2009-01-26 2144088]
"Spotify Web Helper"="c:\users\Karla\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-24 1193176]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"SnapfishMediaDetector"="c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 1441792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-08 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-01-26 2077536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-14 59720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
.
c:\users\Karla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 273296]
Snapfish Media Detector.lnk - c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe [2007-3-2 1441792]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-11-02 08:29    152392    ----a-w-    c:\program files\itunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3535378450-533572598-751281867-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3535378450-533572598-751281867-1001]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-16 12:23]
.
2014-01-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3535378450-533572598-751281867-1001Core.job
- c:\users\Family\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-04 15:44]
.
2014-01-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3535378450-533572598-751281867-1001UA.job
- c:\users\Family\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-04 15:44]
.
2014-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 22:51]
.
2014-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 22:51]
.
2014-01-15 c:\windows\Tasks\User_Feed_Synchronization-{C69EB655-B0DF-4697-B184-7A9C84EC7C9E}.job
- c:\windows\system32\msfeedssync.exe [2011-06-20 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\Karla\AppData\Roaming\Mozilla\Firefox\Profiles\ot3vn0d1.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{78DB238B-7DE6-4DF6-8BB7-7AD68A3F0DD7} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-14 18:36
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-01-14  18:39:22
ComboFix-quarantined-files.txt  2014-01-15 02:39
ComboFix2.txt  2014-01-12 03:32
.
Pre-Run: 6,826,500,096 bytes free
Post-Run: 7,107,317,760 bytes free
.
- - End Of File - - 853D1AA5C2F2BDF6B422A87653111022
8913823FF508CCF109DB74B636C301DA
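The scheduled-task records in the log above (the two-line `c:\windows\Tasks\*.job` entries) are one of the first places to look when an unknown process is playing audio or re-launching itself. The following is an added example for this thread, not code from the original post and not part of ComboFix: it parses those records and flags any task whose target lives in a user-writable directory, or whose file name mimics a core Windows binary but sits outside System32. The sample log is constructed from three entries in the log above plus one hypothetical `Updater.job` entry that is not from this machine, included only to show what a hit looks like.

```python
"""Triage the scheduled-task records in a ComboFix log.

Added example for this thread; not part of the original post and not
part of ComboFix. It parses the two-line task records ComboFix prints
for the Windows Tasks folder ("<date> <job path>" followed by
"- <target exe> [<file date>]") and flags targets worth a closer look.
"""
import re

# Constructed sample: three records copied from the log above plus one
# hypothetical "Updater.job" record (NOT from this machine) showing what
# a suspicious entry would look like.
SAMPLE_LOG = r"""
2014-01-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3535378450-533572598-751281867-1001Core.job
- c:\users\Family\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-04 15:44]
.
2014-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 22:51]
.
2014-01-15 c:\windows\Tasks\User_Feed_Synchronization-{C69EB655-B0DF-4697-B184-7A9C84EC7C9E}.job
- c:\windows\system32\msfeedssync.exe [2011-06-20 04:32]
.
2014-01-15 c:\windows\Tasks\Updater.job
- c:\users\Family\AppData\Local\Temp\svchost.exe [2014-01-10 02:11]
"""

# "<scan date> <job file>" on one line, "- <target> [<file date>]" on the next.
JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (c:\\windows\\tasks\\.+?\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.+?) \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$")

# Directory markers a standard user can write to (lower-cased, with the
# surrounding backslashes so "\users\" does not match "\usersdata\").
USER_WRITABLE = ("\\users\\", "\\documents and settings\\",
                 "\\programdata\\", "\\windows\\temp\\")

# Names of core Windows binaries that only belong in System32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe",
                 "services.exe", "winlogon.exe", "smss.exe"}


def parse_tasks(log_text):
    """Return (job_path, target_path, target_file_date) for each task record."""
    lines = [line.rstrip() for line in log_text.splitlines()]
    records = []
    for i, line in enumerate(lines[:-1]):
        job = JOB_RE.match(line)
        target = TARGET_RE.match(lines[i + 1])
        if job and target:
            records.append((job.group(2), target.group(1), target.group(2)))
    return records


def in_user_writable_dir(path):
    """True if the target sits under a profile or other user-writable tree."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def masquerades_as_system_binary(path):
    """True if the file is named like a core Windows binary but is not in System32."""
    lowered = path.lower()
    name = lowered.rsplit("\\", 1)[-1]
    return name in SYSTEM32_ONLY and not lowered.startswith("c:\\windows\\system32\\")


def triage(log_text):
    """Return (job_path, target_path, [reasons]) for each record that needs a look."""
    findings = []
    for job, target, _file_date in parse_tasks(log_text):
        reasons = []
        if in_user_writable_dir(target):
            reasons.append("target in user-writable directory")
        if masquerades_as_system_binary(target):
            reasons.append("core system binary name outside System32")
        if reasons:
            findings.append((job, target, reasons))
    return findings


if __name__ == "__main__":
    for job, target, reasons in triage(SAMPLE_LOG):
        print(f"{job}\n    -> {target}\n    {'; '.join(reasons)}")
```

A hit from this script means "verify", not "malicious": per-user updaters such as FacebookUpdate.exe legitimately live under AppData, so the next step for a flagged entry is to check the file's digital signature and its creation date against when the symptoms started, which is what the `[file date]` column is for. Two other sections of the same log read the same way: catchme reported 0 hidden files, and the "LOCKED REGISTRY KEYS" entries are the modem device class ({4D36E96D-E325-11CE-BFC1-08002BE10318}) AllUserSettings keys, which Windows restricts by default and which ComboFix lists on clean machines as well.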

#15 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 15 January 2014 - 11:33 AM

That looks good!  All I have left for you is another update and some very important cleanup:

Your Adobe Reader needs to be updated.  Please visit Adobe's site and grab the newest version.  Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run.  Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Download OTC to your desktop and run it
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
  • Manually delete any remaining logs or tools from our fixes

Double click on AdwCleaner.exe to run the tool again.
  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • AdwCleaner.exe, its folder and all logs will be removed.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated.  Scan with them at least weekly.
  • Please read this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

