shooting game across screen when I open new internet page, random ad links


This topic is locked
11 replies to this topic

#1 Auscat

  • Members
  • 14 posts
  • Gender:Female
  • Location:Australia

Posted 14 January 2014 - 07:07 PM

I have transferred this post from the "Am I infected?" forum on the advice of Mako. Also including logs.

 

(Posted yesterday) I seem to have a collection of malfunctions; when I open the internet, or sometimes go to a new website, a "shooting game" goes across the screen. On internet pages, including this site, random words are in green, as links. When I put the cursor over them I get a pop-up ad re "saveupto70%.com."

In my preview of this post, "shooting game" has a link to an ad for bingo, "Windows" has a link to an ad for Windows 7 support, "Norton" has a link to an ad for Norton technical support. All the ads are in the same small box format, with "click here" in red.

When I click on the 'back to previous page' arrow, on a webpage, nothing happens. I have to click again before it works.

At times I get the audio for an ad which I can't see. Today Windows crashed. Yesterday Firefox crashed several times, but hasn't since I took the actions below.

 

My PC is using Windows 7.

 

When I came back from a holiday I found my sweetie had downloaded Optimizer Pro, which kept popping up to tell me the PC was infected. I ran Norton but it did not find anything. I looked for that Optimizer Pro on this site - couldn't find any reference to it, so I just uninstalled it. I also ran Spambayes, which I had on my PC from a previous episode. That got rid of the ALOT toolbar, Torch and something else.

I also downloaded and ran AdwCleaner and got rid of a lot of PUP somethings. Sorry, I should take better notes next time - ah, but I have saved the results of the scans so could send those.

 

Feeling a little foolish as these are self-inflicted injuries - but "what you can do?"

Thanks in advance for the help.

Auscat

 

Pasted in below is the AdwCleaner log. The Malwarebytes log is below that.

 

# AdwCleaner v3.017 - Report created 13/01/2014 at 15:27:10
# Updated 12/01/2014 by Xplode
# Operating System : Windows 7 Enterprise Service Pack 1 (32 bits)
# Username : Peter Shanley - PETERSHANLEY-PC
# Running from : C:\Users\Peter Shanley\Downloads\AdwCleaner(1).exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : AlotService
Service Deleted : DatamngrCoordinator
Service Deleted : torchcrashhandler

***** [ Files / Folders ] *****

[#] Folder Deleted : C:\ProgramData\BitGuard
[#] Folder Deleted : C:\ProgramData\Browser Manager
[#] Folder Deleted : C:\ProgramData\BrowserProtect
Folder Deleted : C:\ProgramData\PC Optimizer Pro
Folder Deleted : C:\ProgramData\RHelpers
Folder Deleted : C:\ProgramData\torchcrashhandler
Folder Deleted : C:\ProgramData\wincert
Folder Deleted : C:\Program Files\alotappbar
Folder Deleted : C:\Program Files\Movies Toolbar
Folder Deleted : C:\Program Files\Searchprotect
Folder Deleted : C:\Program Files\WinZip Registry Optimizer
Folder Deleted : C:\Users\Peter Shanley\AppData\Local\iLivid
Folder Deleted : C:\Users\Peter Shanley\AppData\Local\Searchprotect
Folder Deleted : C:\Users\Peter Shanley\AppData\Local\torch
Folder Deleted : C:\Users\Peter Shanley\AppData\LocalLow\alotappbar
Folder Deleted : C:\Users\Peter Shanley\AppData\LocalLow\alotservice
Folder Deleted : C:\Users\Peter Shanley\AppData\LocalLow\ilividmoviestoolbarha
Folder Deleted : C:\Users\Peter Shanley\AppData\LocalLow\searchresultstb
Folder Deleted : C:\Users\Peter Shanley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\torch
Folder Deleted : C:\Users\Peter Shanley\Documents\optimizer pro
Folder Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\alot-appbar
Folder Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\FilmFanatic
Folder Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\ilividmoviestoolbarha
Folder Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\UtilityChest_49
Folder Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\{3d86a75b-cb6b-4764-885d-ca6336f04ba2}
Folder Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\appbar@alot.com
Folder Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\paffxtbr@FilmFanatic.com
Folder Deleted : C:\Users\Peter Shanley\AppData\Local\Google\Chrome\User Data\Default\Extensions\halffneccaebicfdfajnbfgpglahfgoe
Folder Deleted : C:\Users\Peter Shanley\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjjkeeamkpihpncmmbgdkhdnjpcfmfb
File Deleted : C:\alotserviceruntime.log
File Deleted : C:\Windows\system32\roboot.exe
File Deleted : C:\Users\Peter Shanley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\iLivid.lnk
File Deleted : C:\Users\Peter Shanley\Desktop\iLivid.lnk
File Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\invalidprefs.js
File Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\searchplugins\Ask.xml
File Deleted : C:\Program Files\Mozilla Firefox\browser\searchplugins\Ask.xml
File Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\searchplugins\ask-web-search.xml
File Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\searchplugins\bingp.xml
File Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\searchplugins\my-web-search.xml
File Deleted : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\searchplugins\safesearch.xml
File Deleted : C:\Users\Peter Shanley\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_eooncjejnppfjjklapaamhcdmjbilmde_0.localstorage
File Deleted : C:\Users\Peter Shanley\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_storage.conduit.com_0.localstorage
File Deleted : C:\Users\Peter Shanley\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_storage.conduit.com_0.localstorage-journal
File Deleted : C:\Users\Peter Shanley\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.delta-search.com_0.localstorage
File Deleted : C:\Users\Peter Shanley\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.delta-search.com_0.localstorage-journal
File Deleted : C:\Windows\Tasks\PC Optimizer Pro Updates.job
File Deleted : C:\Windows\System32\Tasks\PC Optimizer Pro Updates

***** [ Shortcuts ] *****


***** [ Registry ] *****

[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BBFDE59F-614E-4655-A437-23675610202D}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BBFDE59F-614E-4655-A437-23675610202D}
Key Deleted : HKCU\Software\Classes\iLivid.torrent
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [iLivid]
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Updater]
Key Deleted : HKLM\SOFTWARE\Classes\d
Key Deleted : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard
Key Deleted : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\alotservice_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\alotservice_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsemngr.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsermngr.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bundlesweetimsetup.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cltmngsvc.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\delta babylon.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\delta tb.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\delta2.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deltainstaller.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deltasetup.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deltatb.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deltatb_2501-c733154b.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iminentsetup.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweetimsetup.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbdelta.exetoolbar783881609.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\torch.exe
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Updater]
Value Deleted : HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls [x64]
Value Deleted : HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls [x86]
Value Deleted : HKLM\SYSTEM\ControlSet002\Control\Session Manager\AppCertDlls [x64]
Value Deleted : HKLM\SYSTEM\ControlSet002\Control\Session Manager\AppCertDlls [x86]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3D86A75B-CB6B-4764-885D-CA6336F04BA2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{85F5CF95-EC8F-49FC-BB3F-38C79455CBA2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4CA8-A185-8FF989AF1115}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A531D99C-5A22-449B-83DA-872725C6D0ED}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220222182210}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1231839B-064E-4788-B865-465A1B5266FD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DAC2231-CC35-482B-97C5-CED1D4185080}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F1CD84C-04A3-4EA0-9EA1-7D134FD66C82}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F83A9CA-B5F0-44EC-9357-35BB3E84B07F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{47E520EA-CAD2-4F51-8F30-613B3A1C33EB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{57C91446-8D81-4156-A70E-624551442DE9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{70AFB7B2-9FB5-4A70-905B-0E9576142E1D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7AD65FD1-79E0-406D-B03C-DD7C14726D69}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{97DD820D-2E20-40AD-B01E-6730B2FCE630}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B177446D-54A4-4869-BABC-8566110B4BE0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D9D1DFC5-502D-43E4-B1BB-4D0B7841489A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E0B07188-A528-4F9E-B2F7-C7FDE8680AE4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550255185510}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660266186610}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440244184410}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3D86A75B-CB6B-4764-885D-CA6336F04BA2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85F5CF95-EC8F-49FC-BB3F-38C79455CBA2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3D86A75B-CB6B-4764-885D-CA6336F04BA2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D79F641-C168-40DF-A32F-BACEA7509E75}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{85F5CF95-EC8F-49FC-BB3F-38C79455CBA2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A531D99C-5A22-449B-83DA-872725C6D0ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C98D5B61-B0EA-4D48-9839-1079D352D880}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CB41FC95-F1B3-4797-8BB6-1012FF62ABBA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3D86A75B-CB6B-4764-885D-CA6336F04BA2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5D79F641-C168-40DF-A32F-BACEA7509E75}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{85F5CF95-EC8F-49FC-BB3F-38C79455CBA2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A40DC6C5-79D0-4CA8-A185-8FF989AF1115}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A531D99C-5A22-449B-83DA-872725C6D0ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C98D5B61-B0EA-4D48-9839-1079D352D880}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CB41FC95-F1B3-4797-8BB6-1012FF62ABBA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{343263AB-D732-4066-A274-4A487A07F108}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D86A75B-CB6B-4764-885D-CA6336F04BA2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C42103E4-7D10-4CC9-B2B4-C546BCCF8706}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{A531D99C-5A22-449B-83DA-872725C6D0ED}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{3D86A75B-CB6B-4764-885D-CA6336F04BA2}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{A531D99C-5A22-449B-83DA-872725C6D0ED}]
Key Deleted : HKCU\Software\alotservice
Key Deleted : HKCU\Software\APN DTX
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\pc optimizer pro
Key Deleted : HKCU\Software\torch
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\alotAppbar
Key Deleted : HKCU\Software\AppDataLow\Software\DynConIE
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\pc optimizer pro
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\torch
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\ilivid
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\torch
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\alotAppbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\wincert\win32c~1.dll
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~1\movies~1\datamngr\mgrldr.dll

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\prefs.js ]

Line Deleted : user_pref("browser.search.order.1", "Ask.com");
Line Deleted : user_pref("browser.startup.homepage", "hxxp://www.search.ask.com/?o=APN10645A&gct=hp&d=406-641&v=n10781-218&t=4");
Line Deleted : user_pref("extensions.dynconff.cache.www.search.ask.com.content", "<package expire=\"3600\" es=\"914\" pcdids=\"_1500_1520_1718_1477_1169_1539_1348_1482_1521_1619_1717\">\r\n  <content id=\"us810_comm[...]
Line Deleted : user_pref("extensions.dynconff.cache.www.search.ask.com.expires", "1389590433161");
Line Deleted : user_pref("extensions.mywebsearch.prevDefaultEngine", "Google");
Line Deleted : user_pref("extensions.mywebsearch.prevSelectedEngine", "Google");
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.BUTTON_STRUCTURE", "[{\"b\":220746345,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":220746346,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.firstKnownVersion", "5.75.2.64278");
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.homepage", "hxxp://home.tb.ask.com/index.jhtml?n=780b5d55&p2=^ZO^xpi000^S07867^");
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installation.installDate", "2014010709");
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installation.partnerId", "^ZO^xpi000^S07867^");
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installation.partnerSubId", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installation.success", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.isCompliantUninstallImplementation", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.lastKnownVersion", "5.75.2.64278");
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.options.defaultSearch", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.options.homePageEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.options.keywordEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.options.tabEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.partnerPixelFired", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.toolbarCollapsed", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.weather.location", "10001");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.homepage", "hxxp://home.mywebsearch.com/index.jhtml?ptb=94CB667B-CA05-4AA4-B16E-EE88669DA93E&n=77fcdcdf&p2=^XP^xdm114^LENAU^au&si=CIKusN_Px7cCFUpZpQ[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.hp.enabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.hp.lastGuardTime", -1992186115);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.hp.numGuards", 1);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.installation.installDate", "2013060319");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.installation.partnerId", "^XP^xdm114^LENAU^au");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.installation.partnerSubId", "CIKusN_Px7cCFUpZpQodqnkAjw");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.installation.success", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.installation.toolbarId", "94CB667B-CA05-4AA4-B16E-EE88669DA93E");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.lastActivePing", "1389576503032");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.options.defaultSearch", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.options.homePageEnabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.options.keywordEnabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.options.tabEnabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.searchHistory", "kiwi brands inc. Aust plug in air freshener||Wht time is dawn tomorrow?||Moorabbin Bike shops||Atlantic Jewel||Luvyamadly||Mick Pri[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.weather.location", "10001");
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.BUTTON_STRUCTURE", "[{\"b\":212153155,\"p\":\"L.0\"},{\"b\":212153156,\"p\":\"L.0.0\"},{\"b\":212153158,\"p\":\"L.0.1\"},{\"b\":212153159,\"p\":\"L.[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.firstKnownVersion", "5.75.3.11410");
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.homepage", "hxxp://home.tb.ask.com/index.jhtml?n=780b5e84&p2=^Z1^xpi000^LAENAU^");
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.installDate", "2014011012");
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.partnerId", "^Z1^xpi000^LAENAU^");
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.partnerSubId", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.success", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.isCompliantUninstallImplementation", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.lastKnownVersion", "5.79.3.17029");
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.options.defaultSearch", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.options.homePageEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.options.keywordEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.options.tabEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.partnerPixelFired", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.toolbarCollapsed", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.weather.location", "10001");
Line Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "");
Line Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "filmfanatic2@mindspark.com");

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\Peter Shanley\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [23430 octets] - [13/01/2014 15:18:22]
AdwCleaner[R1].txt - [23553 octets] - [13/01/2014 15:25:27]
AdwCleaner[S0].txt - [321 octets] - [13/01/2014 15:19:53]
AdwCleaner[S1].txt - [23787 octets] - [13/01/2014 15:27:10]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [23848 octets] ##########


Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org


Database version: v2014.01.13.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16476
Peter Shanley :: PETERSHANLEY-PC [administrator]

Protection: Enabled

13/01/2014 4:28:20 PM
mbam-log-2014-01-13 (16-28-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208821
Time elapsed: 10 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 7
HKCR\AppID\{384997EE-E3BE-49C4-9ECA-C62B7C08128A} (PUP.Optional.DynConIE.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6} (PUP.Optional.DynConIE.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Websteroids (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
HKCR\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54} (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
HKCR\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85} (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
HKCU\Software\ilividmoviestoolbarha (PUP.Optional.MoviesToolBar.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Classes\AppID\DynConIE.DLL (PUP.Optional.DynConIE.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 11
C:\ProgramData\Websteroids (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome\unzip (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Firefox (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Firefox\chrome (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Firefox\chrome\content (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\IE (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Datamngr (PUP.Optional.Datamngr.A) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\CT3319613 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjjkeeamkpihpncmmbgdkhdnjpcfmfb (PUP.Optional.MultiIE) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\AppData\Local\Updater21810 (PUP.Optional.Dealspy) -> Quarantined and deleted successfully.

Files Detected: 36
C:\Users\Peter Shanley\AppData\Local\Temp\nst3874.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\nst8EFE.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\nst9788.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\nsy93B0.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\nsd33D1.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\nso3BFE.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\Downloads\rcpsetup_marim_mapp(1).exe (PUP.Optional.RegCleanerPro) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\Downloads\rcpsetup_marim_mapp(2).exe (PUP.Optional.RegCleanerPro) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\Downloads\rcpsetup_marim_mapp.exe (PUP.Optional.RegCleanerPro) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\Downloads\oi_ie6setupoeexe.exe (PUP.BundleInstaller.OI) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\Downloads\openfreely_1296.exe (PUP.Optional.InstallIQ.A) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\Downloads\iLividSetup-r641-n-bf.exe (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\Windows 7 Loader + Activator v2.0.6 Reloaded - DAZ [Team Rjaa]\Windows.7.Loader.v2.0.6 Reloaded -DAZ [Team Rjaa].rar (Hacktool.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\app.dat (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Uninstall.exe (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Websteroids.ico (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome\common.crx (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome\unzip\announce.js (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome\unzip\background.html (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome\unzip\common.js (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome\unzip\contentscript.js (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome\unzip\icon.png (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome\unzip\icon128.png (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome\unzip\icon16.png (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome\unzip\icon48.png (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome\unzip\iframecontentscript.js (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Chrome\unzip\manifest.json (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Firefox\chrome.manifest (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Firefox\install.rdf (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Firefox\chrome\content\main.js (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\Firefox\chrome\content\overlay.xul (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Websteroids\IE\common.dll (PUP.Optional.Websteroids.A) -> Quarantined and deleted successfully.
C:\ProgramData\Datamngr\coordinator.cfg (PUP.Optional.Datamngr.A) -> Quarantined and deleted successfully.
C:\ProgramData\Datamngr\general.cfg (PUP.Optional.Datamngr.A) -> Quarantined and deleted successfully.
C:\ProgramData\Datamngr\S-1-5-21-2413845113-2591735491-3737137277-1000.cfg (PUP.Optional.Datamngr.A) -> Quarantined and deleted successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\CT3319613\ddt.csf (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:53 PM

Posted 19 January 2014 - 09:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

    Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.

    1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
    2: DDS.pif
    3: DDS.COM

    Double click on the DDS icon, allow it to run.
    A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    Notepad will open with the results.
    Follow the instructions that pop up for posting the results.

    Please note: You may have to disable any script protection running if the scan fails to run.

    dds_scr.gif

    Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

    Please let me know if the problem persists.


#3 Auscat

Auscat
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Australia
  • Local time:02:53 PM

Posted 22 January 2014 - 02:56 AM

Hi Nasdaq, thanks for your help. I ran RogueKiller and then DDS yesterday, 21 January. The problems persisted. I hoped when I restarted today they might have gone. No.

Re-reading your detailed instructions, I realised I had not run RogueKiller as administrator (for Windows 7), so I did that today. I also checked all tabs and deleted what I found. Then I ran DDS again.

I'll paste in the logs from today, 22 Jan, and then from yesterday below.

Logs from today:

RogueKiller V8.8.2 [Jan 17 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Peter Shanley [Admin rights]
Mode : Remove -- Date : 01/22/2014 18:30:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x82D26DA3 -> HOOKED (Unknown @ 0x8632F5F8)
[Address] SSDT[14] : NtAlertThread @ 0x82C79CC7 -> HOOKED (Unknown @ 0x8632F690)
[Address] SSDT[19] : NtAllocateVirtualMemory @ 0x82C72CBC -> HOOKED (Unknown @ 0x8632FCF0)
[Address] SSDT[22] : NtAlpcConnectPort @ 0x82CBE59E -> HOOKED (Unknown @ 0x8625A708)
[Address] SSDT[43] : NtAssignProcessToJobObject @ 0x82C480CC -> HOOKED (Unknown @ 0x8632EE20)
[Address] SSDT[74] : NtCreateMutant @ 0x82C5935A -> HOOKED (Unknown @ 0x8632F420)
[Address] SSDT[86] : NtCreateSymbolicLinkObject @ 0x82C4A9D4 -> HOOKED (Unknown @ 0x8632EC18)
[Address] SSDT[87] : NtCreateThread @ 0x82D24FDA -> HOOKED (Unknown @ 0x863320B0)
[Address] SSDT[88] : NtCreateThreadEx @ 0x82CB94AB -> HOOKED (Unknown @ 0x8632ECC0)
[Address] SSDT[96] : NtDebugActiveProcess @ 0x82CF6EDA -> HOOKED (Unknown @ 0x8632EEB8)
[Address] SSDT[111] : NtDuplicateObject @ 0x82C7A761 -> HOOKED (Unknown @ 0x8632FE30)
[Address] SSDT[131] : NtFreeVirtualMemory @ 0x82B0182C -> HOOKED (Unknown @ 0x8632FB80)
[Address] SSDT[145] : NtImpersonateAnonymousToken @ 0x82C3E970 -> HOOKED (Unknown @ 0x8632F4C8)
[Address] SSDT[147] : NtImpersonateThread @ 0x82CC2992 -> HOOKED (Unknown @ 0x8632F560)
[Address] SSDT[155] : NtLoadDriver @ 0x82C0EC40 -> HOOKED (Unknown @ 0x86250D70)
[Address] SSDT[168] : NtMapViewOfSection @ 0x82C8F5F1 -> HOOKED (Unknown @ 0x8632FAC8)
[Address] SSDT[177] : NtOpenEvent @ 0x82C58D56 -> HOOKED (Unknown @ 0x8632F388)
[Address] SSDT[191] : NtOpenProcessToken @ 0x82CAD37F -> HOOKED (Unknown @ 0x8632FD98)
[Address] SSDT[194] : NtOpenSection @ 0x82CB29FB -> HOOKED (Unknown @ 0x8632E008)
[Address] SSDT[198] : NtOpenThread @ 0x82CA7102 -> HOOKED (Unknown @ 0x8632FED8)
[Address] SSDT[215] : NtProtectVirtualMemory @ 0x82C8B651 -> HOOKED (Unknown @ 0x8632ED78)
[Address] SSDT[304] : NtResumeThread @ 0x82CB96D2 -> HOOKED (Unknown @ 0x8632F728)
[Address] SSDT[316] : NtSetContextThread @ 0x82D2684F -> HOOKED (Unknown @ 0x8632F8F0)
[Address] SSDT[333] : NtSetInformationProcess @ 0x82C81875 -> HOOKED (Unknown @ 0x8632F988)
[Address] SSDT[350] : NtSetSystemInformation @ 0x82C9737A -> HOOKED (Unknown @ 0x8632EF50)
[Address] SSDT[366] : NtSuspendProcess @ 0x82D26CDF -> HOOKED (Unknown @ 0x8632F2F0)
[Address] SSDT[367] : NtSuspendThread @ 0x82CDE1CB -> HOOKED (Unknown @ 0x8632F7C0)
[Address] SSDT[385] : NtUnmapViewOfSection @ 0x82CAD9BA -> HOOKED (Unknown @ 0x8632FA30)
[Address] Shadow SSDT[318] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x86AA1310)
[Address] Shadow SSDT[448] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x869D6328)
[Address] Shadow SSDT[490] : NtUserMessageCall -> HOOKED (Unknown @ 0x86951110)
[Address] Shadow SSDT[508] : NtUserPostMessage -> HOOKED (Unknown @ 0x86951220)
[Address] Shadow SSDT[509] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x86951198)
[Address] Shadow SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x86949140)
[Inline] EAT @explorer.exe (?MILLIS_PER_SECOND@GCDate@@2JB) : GrooveUtil.DLL -> HOOKED (Unknown @ 0xCEF6333C)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST3160812AS ATA Device +++++
--- User ---
[MBR] bf80c61e58b0624a02692a016b800cda
[BSP] 4d4960292c1f2038a3f199f1f7ed56e5 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152578 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_01222014_183023.txt >>
RKreport[0]_D_01212014_172943.txt;RKreport[0]_S_01212014_172840.txt;RKreport[0]_S_01222014_182914.txt




DDS logs

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 10.51.2
Run by Peter Shanley at 18:39:47 on 2014-01-22
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.61.1033.18.3062.1640 [GMT 11:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton Identity Safe\Engine\2013.1.0.32\ccSvcHst.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe
C:\Program Files\Google\Update\1.3.22.3\GoogleCrashHandler.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\loggingserver.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe
C:\Program Files\Sony\Sony PC Companion\PCCompanionInfo.exe
C:\Users\Peter Shanley\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\AVG\AVG2012\avgidsagent.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Sony\Sony PC Companion\PCCService.exe
C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\AUDIODG.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.tpg.com.au/
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\21.1.0.18\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\21.1.0.18\ips\ipsbho.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: {95B7759C-8C7F-4BF1-B163-73684A933233} - <orphaned>
BHO: Norton Identity Protection: {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - c:\program files\norton identity safe\engine\2013.1.0.32\CoIEPlg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Identity Safe Toolbar: {A13C2648-91D4-4bf3-BC6D-0079707C4389} - c:\program files\norton identity safe\engine\2013.1.0.32\CoIEPlg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\21.1.0.18\coieplg.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [Sony PC Companion] "c:\program files\sony\sony pc companion\PCCompanion.exe" /Background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ROC_ROC_JULY_P1] "c:\program files\avg secure search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\peters~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\peter shanley\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{9E374F32-5526-4A8F-85FA-0CAD5D83DA90} : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\17.3.0\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\peter shanley\appdata\roaming\mozilla\firefox\profiles\82pzcok2.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\17.3.0\npsitesafety.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\program files\sony\media go\npmediago.dll
FF - plugin: c:\program files\sony\playstation network downloader\nppsndl.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_43.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
FF - ExtSQL: 2013-12-18 09:07; clickclean@hotcleaner.com; c:\users\peter shanley\appdata\roaming\mozilla\firefox\profiles\82pzcok2.default\extensions\clickclean@hotcleaner.com
FF - ExtSQL: !HIDDEN! 2013-06-03 19:58; 64ffxtbr@TelevisionFanatic.com; c:\program files\televisionfanatic\bar\1.bin
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1501000.012\SymDS.sys [2013-11-21 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1501000.012\SymEFA.sys [2013-11-21 935512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-11-8 250080]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-4-11 302368]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2014-1-14 37664]
R1 BHDrvx86;BHDrvx86;c:\program files\norton internet security\nortondata\21.1.0.18\definitions\bashdefs\20140110.001\BHDrvx86.sys [2014-1-14 1098968]
R1 ccSet_NIS;NIS Settings Manager;c:\windows\system32\drivers\nis\1501000.012\ccSetx86.sys [2013-11-21 127064]
R1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\nst\7dd01000.020\ccSetx86.sys [2012-11-30 134304]
R1 IDSVix86;IDSVix86;c:\program files\norton internet security\nortondata\21.1.0.18\definitions\ipsdefs\20140121.001\IDSvix86.sys [2014-1-22 394456]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1501000.012\Ironx86.sys [2013-11-21 206936]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\nis\1501000.012\symnets.sys [2013-11-21 446552]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2013-10-16 5175856]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2014-1-13 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2014-1-13 701512]
R2 NCO;Norton Identity Safe;c:\program files\norton identity safe\engine\2013.1.0.32\ccSvcHst.exe [2012-11-30 143928]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\21.1.0.18\NIS.exe [2013-11-21 275696]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-10-9 3275136]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2012-1-18 450848]
R2 vToolbarUpdater17.3.0;vToolbarUpdater17.3.0;c:\program files\common files\avg secure search\vtoolbarupdater\17.3.0\ToolbarUpdater.exe [2014-1-15 1771544]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-12-10 142176]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-11-21 108120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-1-13 22856]
R3 Sony PC Companion;Sony PC Companion;c:\program files\sony\sony pc companion\PCCService.exe [2013-3-6 155824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-9-5 171680]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 62464]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2013-12-12 108032]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 15872]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2008-10-21 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2008-10-21 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2008-10-21 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2008-10-21 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2008-10-21 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2008-10-21 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2008-10-21 109736]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-21 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 27264]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 112640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-6-17 1343400]
.
=============== Created Last 30 ================
.
2014-01-15 04:33:17    2349056    ----a-w-    c:\windows\system32\win32k.sys
2014-01-15 04:33:15    240576    ----a-w-    c:\windows\system32\drivers\netio.sys
2014-01-15 04:33:12    76288    ----a-w-    c:\windows\system32\drivers\usbccgp.sys
2014-01-15 04:33:12    6016    ----a-w-    c:\windows\system32\drivers\usbd.sys
2014-01-15 04:33:12    43520    ----a-w-    c:\windows\system32\drivers\usbehci.sys
2014-01-15 04:33:12    284672    ----a-w-    c:\windows\system32\drivers\usbport.sys
2014-01-15 04:33:12    258560    ----a-w-    c:\windows\system32\drivers\usbhub.sys
2014-01-15 04:33:12    24064    ----a-w-    c:\windows\system32\drivers\usbuhci.sys
2014-01-15 04:33:12    20480    ----a-w-    c:\windows\system32\drivers\usbohci.sys
2014-01-15 00:27:48    --------    d-----w-    c:\programdata\Oracle
2014-01-15 00:26:59    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-01-14 13:01:21    --------    d-----w-    c:\program files\Microsoft Mouse and Keyboard Center
2014-01-14 12:55:04    514560    ----a-w-    c:\windows\system32\qdvd.dll
2014-01-14 11:48:47    --------    d-----w-    c:\windows\Migration
2014-01-14 07:25:28    --------    d-----w-    c:\users\peter shanley\appdata\roaming\AVG2012
2014-01-14 07:25:10    --------    d-----w-    c:\users\peter shanley\appdata\local\AVG Secure Search
2014-01-14 07:24:05    37664    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
2014-01-14 07:23:52    --------    d-----w-    c:\program files\common files\AVG Secure Search
2014-01-14 07:23:51    --------    d-----w-    c:\programdata\AVG Secure Search
2014-01-14 07:23:50    --------    d-----w-    c:\program files\AVG Secure Search
2014-01-14 07:22:07    --------    d--h--w-    C:\$AVG
2014-01-14 07:22:07    --------    d-----w-    c:\windows\system32\drivers\AVG
2014-01-14 07:22:07    --------    d-----w-    c:\programdata\AVG2012
2014-01-13 05:25:59    --------    d-----w-    c:\users\peter shanley\appdata\roaming\Malwarebytes
2014-01-13 05:25:49    --------    d-----w-    c:\programdata\Malwarebytes
2014-01-13 05:25:47    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-01-13 05:25:47    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-01-13 04:18:05    --------    d-----w-    C:\AdwCleaner
2014-01-10 23:09:15    --------    d-----w-    c:\users\peter shanley\appdata\local\Programs
2014-01-10 23:09:04    --------    d-----w-    c:\programdata\Updater
2014-01-10 23:08:46    --------    d-----w-    c:\program files\InstallConverter
2014-01-10 01:41:12    --------    d-----w-    c:\users\peter shanley\appdata\local\CrashDumps
.
==================== Find3M  ====================
.
2014-01-15 00:58:49    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-15 00:58:49    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-11-26 09:23:02    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2013-11-26 09:22:11    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2013-11-26 08:53:56    61952    ----a-w-    c:\windows\system32\iesetup.dll
2013-11-26 08:52:26    51200    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2013-11-26 08:29:55    112128    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-11-26 08:29:52    108032    ----a-w-    c:\windows\system32\ieetwcollector.exe
2013-11-26 08:28:16    553472    ----a-w-    c:\windows\system32\jscript9diag.dll
2013-11-26 08:16:12    4243968    ----a-w-    c:\windows\system32\jscript9.dll
2013-11-26 07:32:06    1928192    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-11-26 06:33:33    1820160    ----a-w-    c:\windows\system32\wininet.dll
2013-11-23 18:26:20    417792    ----a-w-    c:\windows\system32\WMPhoto.dll
2013-11-21 03:36:58    142936    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2013-11-12 02:07:29    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-10-30 02:19:52    301568    ----a-w-    c:\windows\system32\msieftp.dll
.
============= FINISH: 18:40:27.51 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 13/06/2012 12:05:47 PM
System Uptime: 22/01/2014 12:44:30 PM (6 hours ago)
.
Motherboard: Dell Inc.           |  | 0GX297
Processor: Intel® Pentium® D CPU 3.40GHz | Microprocessor | 3389/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 99.414 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP103: 12/12/2013 8:41:43 PM - Windows Update
RP104: 20/12/2013 2:31:09 PM - Scheduled Checkpoint
RP105: 2/01/2014 6:39:50 PM - Scheduled Checkpoint
RP106: 14/01/2014 2:54:53 PM - Scheduled Checkpoint
RP107: 14/01/2014 6:20:55 PM - Installed AVG 2012
RP108: 14/01/2014 6:21:35 PM - Installed AVG 2012
RP109: 14/01/2014 10:46:49 PM - Windows Update
RP110: 14/01/2014 11:55:08 PM - Windows Update
RP112: 15/01/2014 12:00:39 AM - DCInstallRestorePoint
RP113: 15/01/2014 10:44:14 AM - Sony PC Companion
RP114: 15/01/2014 11:26:13 AM - Installed Java 7 Update 51
RP115: 15/01/2014 8:16:42 PM - Windows Update
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Digital Editions
Adobe Flash Player 12 ActiveX
Adobe Flash Player 12 Plugin
Adobe Reader X (10.1.9)
AVG 2012
BitTorrent
Dropbox
Google Chrome
Google Earth
Google Earth Packages
Google Update Helper
InstallConverter
Intel® Graphics Media Accelerator Driver
Java 7 Update 51
Java Auto Updater
K-Lite Codec Pack 7.0.0 (Standard)
Malwarebytes Anti-Malware version 1.75.0.1300
Media Go
Media Go Video Playback Engine 1.96.121.08270
Microsoft .NET Framework 4.5.1
Microsoft Mouse and Keyboard Center
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Movies Toolbar for Firefox (Dist. by Bandoo Media, Inc.)
Movies Toolbar for Internet Explorer (Dist. by Bandoo Media, Inc.)
Mozilla Firefox 26.0 (x86 en-US)
Mozilla Maintenance Service
Norton Identity Safe
Norton Internet Security
Open Freely
PlayStation®Network Downloader
PlayStation®Store
RACV Fuel Monitor
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597973) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760411) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760415) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2817641) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2827326) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2837615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2850022) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2827324) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office Outlook 2007 (KB2825644) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2837617) 32-Bit Edition
Skype Click to Call
Skype™ 6.11
Sony Ericsson Update Engine
Sony PC Companion 2.10.188
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2850085) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Updater
VLC media player 2.0.8
.
==== Event Viewer Messages From Past Week ========
.
22/01/2014 6:15:35 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
22/01/2014 10:11:48 AM, Error: Microsoft-Windows-DistributedCOM [10001]  - Unable to start a DCOM Server: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} as /. The error: "5" Happened while starting this command: C:\Windows\System32\slui.exe -Embedding
21/01/2014 5:43:54 PM, Error: Service Control Manager [7043]  - The AVGIDSAgent service did not shut down properly after receiving a preshutdown control.
17/01/2014 7:31:07 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the AVGIDSAgent service to connect.
17/01/2014 7:31:07 PM, Error: Service Control Manager [7000]  - The AVGIDSAgent service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
16/01/2014 7:42:38 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
.
==== End Of File ===========================

Reports from yesterday, 21/1/14

RogueKiller V8.8.2 [Jan 17 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Peter Shanley [Admin rights]
Mode : Remove -- Date : 01/21/2014 17:29:44
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 11 ¤¤¤
[IFEO] HKLM\[...]\bpsvc.exe : Debugger (tasklist.exe [x]) -> DELETED
[IFEO] HKLM\[...]\browsersafeguard.exe : Debugger (tasklist.exe [x]) -> DELETED
[IFEO] HKLM\[...]\protectedsearch.exe : Debugger (tasklist.exe [x]) -> DELETED
[IFEO] HKLM\[...]\rjatydimofu.exe : Debugger (tasklist.exe [x]) -> DELETED
[IFEO] HKLM\[...]\searchprotection.exe : Debugger (tasklist.exe [x]) -> DELETED
[IFEO] HKLM\[...]\snapdo.exe : Debugger (tasklist.exe [x]) -> DELETED
[IFEO] HKLM\[...]\stinst32.exe : Debugger (tasklist.exe [x]) -> DELETED
[IFEO] HKLM\[...]\stinst64.exe : Debugger (tasklist.exe [x]) -> DELETED
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] Updater21810.exe : C:\Users\Peter - Shanley\AppData\Local\Updater21810\Updater21810.exe /extensionid=21810 /extensionname="Giant Savings Extension" /chromeid=halffneccaebicfdfajnbfgpglahfgoe [x][x][x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x82CF5DA3 -> HOOKED (Unknown @ 0x869222B0)
[Address] SSDT[14] : NtAlertThread @ 0x82C48CC7 -> HOOKED (Unknown @ 0x86922348)
[Address] SSDT[19] : NtAllocateVirtualMemory @ 0x82C41CBC -> HOOKED (Unknown @ 0x869229A8)
[Address] SSDT[22] : NtAlpcConnectPort @ 0x82C8D59E -> HOOKED (Unknown @ 0x8620B6E0)
[Address] SSDT[43] : NtAssignProcessToJobObject @ 0x82C170CC -> HOOKED (Unknown @ 0x86927C98)
[Address] SSDT[74] : NtCreateMutant @ 0x82C2835A -> HOOKED (Unknown @ 0x86927008)
[Address] SSDT[86] : NtCreateSymbolicLinkObject @ 0x82C199D4 -> HOOKED (Unknown @ 0x86927A90)
[Address] SSDT[87] : NtCreateThread @ 0x82CF3FDA -> HOOKED (Unknown @ 0x86922C40)
[Address] SSDT[88] : NtCreateThreadEx @ 0x82C884AB -> HOOKED (Unknown @ 0x86927B38)
[Address] SSDT[96] : NtDebugActiveProcess @ 0x82CC5EDA -> HOOKED (Unknown @ 0x86927D30)
[Address] SSDT[111] : NtDuplicateObject @ 0x82C49761 -> HOOKED (Unknown @ 0x86922AA8)
[Address] SSDT[131] : NtFreeVirtualMemory @ 0x82AD082C -> HOOKED (Unknown @ 0x86922838)
[Address] SSDT[145] : NtImpersonateAnonymousToken @ 0x82C0D970 -> HOOKED (Unknown @ 0x86922180)
[Address] SSDT[147] : NtImpersonateThread @ 0x82C91992 -> HOOKED (Unknown @ 0x86922218)
[Address] SSDT[155] : NtLoadDriver @ 0x82BDDC40 -> HOOKED (Unknown @ 0x862192F8)
[Address] SSDT[168] : NtMapViewOfSection @ 0x82C5E5F1 -> HOOKED (Unknown @ 0x86922780)
[Address] SSDT[177] : NtOpenEvent @ 0x82C27D56 -> HOOKED (Unknown @ 0x86927F90)
[Address] SSDT[191] : NtOpenProcessToken @ 0x82C7C37F -> HOOKED (Unknown @ 0x86922A30)
[Address] SSDT[194] : NtOpenSection @ 0x82C819FB -> HOOKED (Unknown @ 0x86927E80)
[Address] SSDT[198] : NtOpenThread @ 0x82C76102 -> HOOKED (Unknown @ 0x86922B30)
[Address] SSDT[215] : NtProtectVirtualMemory @ 0x82C5A651 -> HOOKED (Unknown @ 0x86927BF0)
[Address] SSDT[304] : NtResumeThread @ 0x82C886D2 -> HOOKED (Unknown @ 0x869223E0)
[Address] SSDT[316] : NtSetContextThread @ 0x82CF584F -> HOOKED (Unknown @ 0x869225A8)
[Address] SSDT[333] : NtSetInformationProcess @ 0x82C50875 -> HOOKED (Unknown @ 0x86922640)
[Address] SSDT[350] : NtSetSystemInformation @ 0x82C6637A -> HOOKED (Unknown @ 0x86927DC8)
[Address] SSDT[366] : NtSuspendProcess @ 0x82CF5CDF -> HOOKED (Unknown @ 0x86927F18)
[Address] SSDT[367] : NtSuspendThread @ 0x82CAD1CB -> HOOKED (Unknown @ 0x86922478)
[Address] SSDT[385] : NtUnmapViewOfSection @ 0x82C7C9BA -> HOOKED (Unknown @ 0x869226E8)
[Address] Shadow SSDT[318] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x86C8B620)
[Address] Shadow SSDT[448] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x873F27D0)
[Address] Shadow SSDT[490] : NtUserMessageCall -> HOOKED (Unknown @ 0x873F26F8)
[Address] Shadow SSDT[508] : NtUserPostMessage -> HOOKED (Unknown @ 0x873F2788)
[Address] Shadow SSDT[509] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x873F2740)
[Address] Shadow SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x873F2818)
[Inline] EAT @explorer.exe (?MILLIS_PER_SECOND@GCDate@@2JB) : GrooveUtil.DLL -> HOOKED (Unknown @ 0xCF58333C)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST3160812AS ATA Device +++++
--- User ---
[MBR] bf80c61e58b0624a02692a016b800cda
[BSP] 4d4960292c1f2038a3f199f1f7ed56e5 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152578 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_01212014_172943.txt >>
RKreport[0]_S_01212014_172840.txt



DDS logs

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 13/06/2012 12:05:47 PM
System Uptime: 21/01/2014 1:59:55 PM (4 hours ago)
.
Motherboard: Dell Inc.           |  | 0GX297
Processor: Intel® Pentium® D CPU 3.40GHz | Microprocessor | 3389/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 99.659 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP103: 12/12/2013 8:41:43 PM - Windows Update
RP104: 20/12/2013 2:31:09 PM - Scheduled Checkpoint
RP105: 2/01/2014 6:39:50 PM - Scheduled Checkpoint
RP106: 14/01/2014 2:54:53 PM - Scheduled Checkpoint
RP107: 14/01/2014 6:20:55 PM - Installed AVG 2012
RP108: 14/01/2014 6:21:35 PM - Installed AVG 2012
RP109: 14/01/2014 10:46:49 PM - Windows Update
RP110: 14/01/2014 11:55:08 PM - Windows Update
RP112: 15/01/2014 12:00:39 AM - DCInstallRestorePoint
RP113: 15/01/2014 10:44:14 AM - Sony PC Companion
RP114: 15/01/2014 11:26:13 AM - Installed Java 7 Update 51
RP115: 15/01/2014 8:16:42 PM - Windows Update
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Digital Editions
Adobe Flash Player 12 ActiveX
Adobe Flash Player 12 Plugin
Adobe Reader X (10.1.9)
AVG 2012
BitTorrent
Dropbox
Google Chrome
Google Earth
Google Earth Packages
Google Update Helper
InstallConverter
Intel® Graphics Media Accelerator Driver
Java 7 Update 51
Java Auto Updater
K-Lite Codec Pack 7.0.0 (Standard)
Malwarebytes Anti-Malware version 1.75.0.1300
Media Go
Media Go Video Playback Engine 1.96.121.08270
Microsoft .NET Framework 4.5.1
Microsoft Mouse and Keyboard Center
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Movies Toolbar for Firefox (Dist. by Bandoo Media, Inc.)
Movies Toolbar for Internet Explorer (Dist. by Bandoo Media, Inc.)
Mozilla Firefox 26.0 (x86 en-US)
Mozilla Maintenance Service
Norton Identity Safe
Norton Internet Security
Open Freely
PlayStation®Network Downloader
PlayStation®Store
RACV Fuel Monitor
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597973) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760411) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760415) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2817641) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2827326) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2837615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2850022) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2827324) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office Outlook 2007 (KB2825644) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2837617) 32-Bit Edition
Skype Click to Call
Skype™ 6.11
Sony Ericsson Update Engine
Sony PC Companion 2.10.188
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2850085) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Updater
VLC media player 2.0.8
.
==== Event Viewer Messages From Past Week ========
.
21/01/2014 7:58:09 AM, Error: Microsoft-Windows-DistributedCOM [10001]  - Unable to start a DCOM Server: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} as /. The error: "5" Happened while starting this command: C:\Windows\System32\slui.exe -Embedding
21/01/2014 4:21:46 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
17/01/2014 7:31:07 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the AVGIDSAgent service to connect.
17/01/2014 7:31:07 PM, Error: Service Control Manager [7000]  - The AVGIDSAgent service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
16/01/2014 7:42:38 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
.
==== End Of File ===========================

RogueKiller V8.8.2 [Jan 17 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Peter Shanley [Admin rights]
Mode : Scan -- Date : 01/21/2014 17:28:40
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 11 ¤¤¤
[IFEO] HKLM\[...]\bpsvc.exe : Debugger (tasklist.exe [x]) -> FOUND
[IFEO] HKLM\[...]\browsersafeguard.exe : Debugger (tasklist.exe [x]) -> FOUND
[IFEO] HKLM\[...]\protectedsearch.exe : Debugger (tasklist.exe [x]) -> FOUND
[IFEO] HKLM\[...]\rjatydimofu.exe : Debugger (tasklist.exe [x]) -> FOUND
[IFEO] HKLM\[...]\searchprotection.exe : Debugger (tasklist.exe [x]) -> FOUND
[IFEO] HKLM\[...]\snapdo.exe : Debugger (tasklist.exe [x]) -> FOUND
[IFEO] HKLM\[...]\stinst32.exe : Debugger (tasklist.exe [x]) -> FOUND
[IFEO] HKLM\[...]\stinst64.exe : Debugger (tasklist.exe [x]) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] Updater21810.exe : C:\Users\Peter - Shanley\AppData\Local\Updater21810\Updater21810.exe /extensionid=21810 /extensionname="Giant Savings Extension" /chromeid=halffneccaebicfdfajnbfgpglahfgoe [x][x][x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x82CF5DA3 -> HOOKED (Unknown @ 0x869222B0)
[Address] SSDT[14] : NtAlertThread @ 0x82C48CC7 -> HOOKED (Unknown @ 0x86922348)
[Address] SSDT[19] : NtAllocateVirtualMemory @ 0x82C41CBC -> HOOKED (Unknown @ 0x869229A8)
[Address] SSDT[22] : NtAlpcConnectPort @ 0x82C8D59E -> HOOKED (Unknown @ 0x8620B6E0)
[Address] SSDT[43] : NtAssignProcessToJobObject @ 0x82C170CC -> HOOKED (Unknown @ 0x86927C98)
[Address] SSDT[74] : NtCreateMutant @ 0x82C2835A -> HOOKED (Unknown @ 0x86927008)
[Address] SSDT[86] : NtCreateSymbolicLinkObject @ 0x82C199D4 -> HOOKED (Unknown @ 0x86927A90)
[Address] SSDT[87] : NtCreateThread @ 0x82CF3FDA -> HOOKED (Unknown @ 0x86922C40)
[Address] SSDT[88] : NtCreateThreadEx @ 0x82C884AB -> HOOKED (Unknown @ 0x86927B38)
[Address] SSDT[96] : NtDebugActiveProcess @ 0x82CC5EDA -> HOOKED (Unknown @ 0x86927D30)
[Address] SSDT[111] : NtDuplicateObject @ 0x82C49761 -> HOOKED (Unknown @ 0x86922AA8)
[Address] SSDT[131] : NtFreeVirtualMemory @ 0x82AD082C -> HOOKED (Unknown @ 0x86922838)
[Address] SSDT[145] : NtImpersonateAnonymousToken @ 0x82C0D970 -> HOOKED (Unknown @ 0x86922180)
[Address] SSDT[147] : NtImpersonateThread @ 0x82C91992 -> HOOKED (Unknown @ 0x86922218)
[Address] SSDT[155] : NtLoadDriver @ 0x82BDDC40 -> HOOKED (Unknown @ 0x862192F8)
[Address] SSDT[168] : NtMapViewOfSection @ 0x82C5E5F1 -> HOOKED (Unknown @ 0x86922780)
[Address] SSDT[177] : NtOpenEvent @ 0x82C27D56 -> HOOKED (Unknown @ 0x86927F90)
[Address] SSDT[191] : NtOpenProcessToken @ 0x82C7C37F -> HOOKED (Unknown @ 0x86922A30)
[Address] SSDT[194] : NtOpenSection @ 0x82C819FB -> HOOKED (Unknown @ 0x86927E80)
[Address] SSDT[198] : NtOpenThread @ 0x82C76102 -> HOOKED (Unknown @ 0x86922B30)
[Address] SSDT[215] : NtProtectVirtualMemory @ 0x82C5A651 -> HOOKED (Unknown @ 0x86927BF0)
[Address] SSDT[304] : NtResumeThread @ 0x82C886D2 -> HOOKED (Unknown @ 0x869223E0)
[Address] SSDT[316] : NtSetContextThread @ 0x82CF584F -> HOOKED (Unknown @ 0x869225A8)
[Address] SSDT[333] : NtSetInformationProcess @ 0x82C50875 -> HOOKED (Unknown @ 0x86922640)
[Address] SSDT[350] : NtSetSystemInformation @ 0x82C6637A -> HOOKED (Unknown @ 0x86927DC8)
[Address] SSDT[366] : NtSuspendProcess @ 0x82CF5CDF -> HOOKED (Unknown @ 0x86927F18)
[Address] SSDT[367] : NtSuspendThread @ 0x82CAD1CB -> HOOKED (Unknown @ 0x86922478)
[Address] SSDT[385] : NtUnmapViewOfSection @ 0x82C7C9BA -> HOOKED (Unknown @ 0x869226E8)
[Address] Shadow SSDT[318] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x86C8B620)
[Address] Shadow SSDT[448] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x873F27D0)
[Address] Shadow SSDT[490] : NtUserMessageCall -> HOOKED (Unknown @ 0x873F26F8)
[Address] Shadow SSDT[508] : NtUserPostMessage -> HOOKED (Unknown @ 0x873F2788)
[Address] Shadow SSDT[509] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x873F2740)
[Address] Shadow SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x873F2818)
[Inline] EAT @explorer.exe (?MILLIS_PER_SECOND@GCDate@@2JB) : GrooveUtil.DLL -> HOOKED (Unknown @ 0xCF58333C)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST3160812AS ATA Device +++++
--- User ---
[MBR] bf80c61e58b0624a02692a016b800cda
[BSP] 4d4960292c1f2038a3f199f1f7ed56e5 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152578 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_01212014_172840.txt >>
#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:53 PM

Posted 22 January 2014 - 09:01 AM

Still some work to do.

Download the correct tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

#5 Auscat

Auscat
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Female
  • Location:Australia
  • Local time:02:53 PM

Posted 23 January 2014 - 02:02 AM

Thanks nasdaq.

FRST log pasted in ... but I can't see an option to attach a file for the Addition.txt.

Yesterday I had a new development: a new tab (prevented by Firefox, but I had a look) with a "survey" relating to the website I was looking at, i.e. when I was on the ABC radio website, the "survey" was from ABC (with my suburb names). When I was on Bleeping Computer, the "survey" was from Bleeping Computer (with my suburb). I just closed the tab quickly!

cheers

Catherine


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-01-2014
Ran by Peter Shanley (administrator) on PETERSHANLEY-PC on 23-01-2014 17:44:05
Running from C:\Users\Peter Shanley\Desktop
Microsoft Windows 7 Enterprise  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) ===================

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgcsrvx.exe
(Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files\Norton Identity Safe\Engine\2013.1.0.32\ccSvcHst.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(AVG Secure Search) C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgtray.exe
() C:\Program Files\AVG Secure Search\vprot.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgidsagent.exe
() C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\loggingserver.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.22.3\GoogleCrashHandler.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Sony) C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgnsx.exe
(Dropbox, Inc.) C:\Users\Peter Shanley\AppData\Roaming\Dropbox\bin\Dropbox.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgemcx.exe
() C:\Program Files\Sony\Sony PC Companion\PCCompanionInfo.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [GrooveMonitor] - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-22] (Adobe Systems Incorporated)
HKLM\...\Run: [ROC_ROC_JULY_P1] - "C:\Program Files\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
HKLM\...\Run: [AVG_TRAY] - C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [vProt] - C:\Program Files\AVG Secure Search\vprot.exe [2486296 2014-01-15] ()
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKCU\...\Run: [Skype] - C:\Program Files\Skype\Phone\Skype.exe [20584608 2013-11-14] (Skype Technologies S.A.)
HKCU\...\Run: [Sony PC Companion] - C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe [449760 2013-10-31] (Sony)
Startup: C:\Users\Peter Shanley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Peter Shanley\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tpg.com.au/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ninemsn.com.au/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x2E3557426E4CCD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-AU
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {5EB702C6-1A2B-4BCF-92BE-F26F80DB26CF} URL = http://websearch.ask.com/redirect?client=ie&tb=W3I4&o=99999993&src=kw&q={searchTerms}&locale=&apn_ptnrs=^A9N&apn_dtid=^YYYYYY^YY^AU&apn_uid=A4039904-E6AA-4FAB-AA02-1D491C5A9A66&apn_sauid=E08D8AC6-0CD6-4A09-858A-ACBF18FAFABF
BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
BHO: Norton Identity Protection - {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - C:\Program Files\Norton Identity Safe\Engine\2013.1.0.32\coIEPlg.dll (Symantec Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files\Norton Identity Safe\Engine\2013.1.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\17.3.0\ViProtocol.dll (AVG Secure Search)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default
FF DefaultSearchEngine: AVG Secure Search
FF SearchEngineOrder.3: Bing
FF SelectedSearchEngine: AVG Secure Search
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_43.dll ()
FF Plugin: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\17.3.0\\npsitesafety.dll (AVG Technologies)
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @playstation.com/PsndlCheck,version=1.00 - C:\Program Files\Sony\PLAYSTATION Network Downloader\nppsndl.dll (Sony Computer Entertainment Inc.)
FF Plugin: @SonyCreativeSoftware.com/Media Go,version=1.0 - C:\Program Files\Sony\Media Go\npmediago.dll (Sony Network Entertainment International LLC)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.8 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\avg-secure-search.xml
FF Extension: Click&Clean - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\clickclean@hotcleaner.com [2013-12-18]
FF Extension: Giant Savings Extension - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\extension21810@extension21810.com [2013-11-07]
FF Extension: Websteroids - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\support@websteroidsapp.com [2014-01-11]
FF Extension: New tab - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\{49B1506F-964B-5E2F-B103-39E9F58AA52E} [2014-01-05]
FF Extension: Lightbeam - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi [2013-11-20]
FF Extension: Webutation - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\{15fe27f3-e5ab-2d59-4c5c-dadc7945bdbd}.xpi [2014-01-07]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2013-12-21]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2013-12-21]
FF HKLM\...\Firefox\Extensions: [{F04D2D30-776C-4d02-8627-8E4385ECA58D}] - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2013.1.0.32\coFFPlgn\
FF Extension: Norton Identity Safe Toolbar - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2013.1.0.32\coFFPlgn\ []
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\coFFPlgn\
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\coFFPlgn\ []
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\IPSFF [2013-11-21]
FF HKLM\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\17.3.0.49
FF Extension: AVG Security Toolbar - C:\ProgramData\AVG Secure Search\FireFoxExt\17.3.0.49 [2014-01-15]

Chrome:
=======
CHR HomePage: hxxp://ninemsn.com.au/?pc=UP97&ocid=UP97DHP
CHR RestoreOnStartup: "hxxp://ninemsn.com.au/?pc=UP97&ocid=UP97DHP",
            "hxxp://www.delta-search.com/?affID=119370&babsrc=HP_ss&mntrId=00776b32000000000000001aa0486f2e"
CHR Extension: (Skype Click to Call) - C:\Users\Peter Shanley\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2013-08-18]
CHR Extension: (Norton Identity Protection) - C:\Users\Peter Shanley\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk [2013-08-18]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-10-09]
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\Exts\Chrome.crx [2014-01-22]
CHR HKLM\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\Program Files\AVG\AVG2012\Chrome\donottrack.crx [2012-04-20]
CHR HKLM\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files\Norton Identity Safe\Engine\2013.1.0.32\Exts\Chrome.crx [2012-04-20]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

========================== Services (Whitelisted) =================

R2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\avgidsagent.exe [5175856 2013-10-16] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 NCO; C:\Program Files\Norton Identity Safe\Engine\2013.1.0.32\ccSvcHst.exe [143928 2012-08-19] (Symantec Corporation)
R2 NIS; C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe [275696 2013-10-08] (Symantec Corporation)
R2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)
S3 Sony PC Companion; C:\Program Files\Sony\Sony PC Companion\PCCService.exe [155824 2013-02-04] (Avanquest Software)
R2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)
R2 vToolbarUpdater17.3.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe [1771544 2014-01-15] (AVG Secure Search)

==================== Drivers (Whitelisted) ====================

R3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [142176 2012-12-10] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [24896 2012-04-19] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [250080 2012-11-08] (AVG Technologies CZ, s.r.o.)
R1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [31952 2012-01-31] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [302368 2013-04-11] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [37664 2014-01-14] (AVG Technologies)
R1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\21.1.0.18\Definitions\BASHDefs\20140121.001\BHDrvx86.sys [1098968 2013-12-18] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1501000.012\ccSetx86.sys [127064 2013-09-26] (Symantec Corporation)
R1 ccSet_NST; C:\Windows\system32\drivers\NST\7DD01000.020\ccSetx86.sys [134304 2012-08-07] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376920 2013-11-20] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [108120 2013-11-21] (Symantec Corporation)
R1 IDSVix86; C:\Program Files\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\20140122.001\IDSvix86.sys [394456 2014-01-21] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20140122.009\NAVENG.SYS [93272 2013-12-24] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20140122.009\NAVEX15.SYS [1612376 2013-12-24] (Symantec Corporation)
S3 s0017bus; C:\Windows\System32\DRIVERS\s0017bus.sys [86824 2008-10-21] (MCCI Corporation)
S3 s0017mdfl; C:\Windows\System32\DRIVERS\s0017mdfl.sys [15016 2008-10-21] (MCCI Corporation)
S3 s0017mdm; C:\Windows\System32\DRIVERS\s0017mdm.sys [114600 2008-10-21] (MCCI Corporation)
S3 s0017mgmt; C:\Windows\System32\DRIVERS\s0017mgmt.sys [108328 2008-10-21] (MCCI Corporation)
S3 s0017nd5; C:\Windows\System32\DRIVERS\s0017nd5.sys [26024 2008-10-21] (MCCI Corporation)
S3 s0017obex; C:\Windows\System32\DRIVERS\s0017obex.sys [104616 2008-10-21] (MCCI Corporation)
S3 s0017unic; C:\Windows\System32\DRIVERS\s0017unic.sys [109736 2008-10-21] (MCCI Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\NIS\1501000.012\SRTSP.SYS [651352 2013-09-27] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NIS\1501000.012\SRTSPX.SYS [32344 2013-09-10] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NIS\1501000.012\SYMDS.SYS [367704 2013-09-10] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NIS\1501000.012\SYMEFA.SYS [935512 2013-09-27] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2013-11-21] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NIS\1501000.012\Ironx86.SYS [206936 2013-09-27] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NIS\1501000.012\SYMNETS.SYS [446552 2013-09-26] (Symantec Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-01-23 17:44 - 2014-01-23 17:44 - 00018751 _____ C:\Users\Peter Shanley\Desktop\FRST.txt
2014-01-23 17:43 - 2014-01-23 17:43 - 00000000 ____D C:\FRST
2014-01-23 17:42 - 2014-01-23 17:43 - 01222144 _____ (Farbar) C:\Users\Peter Shanley\Desktop\FRST.exe
2014-01-22 18:39 - 2014-01-22 18:39 - 00688992 ____R (Swearware) C:\Users\Peter Shanley\Desktop\dds.scr
2014-01-22 18:30 - 2014-01-22 18:30 - 00004446 _____ C:\Users\Peter Shanley\Desktop\RKreport[0]_D_01222014_183023.txt
2014-01-22 18:29 - 2014-01-22 18:29 - 00004408 _____ C:\Users\Peter Shanley\Desktop\RKreport[0]_S_01222014_182914.txt
2014-01-21 17:36 - 2014-01-22 18:40 - 00018852 _____ C:\Users\Peter Shanley\Desktop\dds.txt
2014-01-21 17:36 - 2014-01-22 18:40 - 00007628 _____ C:\Users\Peter Shanley\Desktop\attach.txt
2014-01-21 17:29 - 2014-01-21 17:29 - 00005492 _____ C:\Users\Peter Shanley\Desktop\RKreport[0]_D_01212014_172943.txt
2014-01-21 17:28 - 2014-01-21 17:28 - 00005418 _____ C:\Users\Peter Shanley\Desktop\RKreport[0]_S_01212014_172840.txt
2014-01-21 17:24 - 2014-01-21 17:34 - 00000000 ____D C:\Users\Peter Shanley\Desktop\RK_Quarantine
2014-01-21 17:23 - 2014-01-21 17:23 - 03809280 _____ C:\Users\Peter Shanley\Desktop\RogueKiller.exe
2014-01-15 15:33 - 2013-11-27 12:14 - 00258560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-01-15 15:33 - 2013-11-27 12:13 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2014-01-15 15:33 - 2013-11-27 12:13 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2014-01-15 15:33 - 2013-11-27 12:13 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2014-01-15 15:33 - 2013-11-27 12:13 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2014-01-15 15:33 - 2013-11-27 12:13 - 00020480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2014-01-15 15:33 - 2013-11-27 12:13 - 00006016 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2014-01-15 15:33 - 2013-11-26 22:11 - 00240576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2014-01-15 15:33 - 2013-11-26 21:10 - 02349056 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-01-15 11:30 - 2014-01-15 11:30 - 00000000 ____D C:\Users\Peter Shanley\AppData\Roaming\Oracle
2014-01-15 11:27 - 2014-01-15 11:27 - 00000000 ____D C:\ProgramData\Sun
2014-01-15 11:27 - 2014-01-15 11:27 - 00000000 ____D C:\ProgramData\Oracle
2014-01-15 11:27 - 2014-01-15 11:27 - 00000000 ____D C:\Program Files\Common Files\Java
2014-01-15 11:27 - 2014-01-15 11:26 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-01-15 11:26 - 2014-01-15 11:26 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-01-15 11:26 - 2014-01-15 11:26 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-01-15 11:26 - 2014-01-15 11:26 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-01-15 11:26 - 2014-01-15 11:26 - 00000000 ____D C:\Program Files\Java
2014-01-15 00:02 - 2014-01-15 00:02 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_point32_01011.Wdf
2014-01-15 00:01 - 2014-01-17 21:15 - 00000000 ____D C:\Program Files\Microsoft Mouse and Keyboard Center
2014-01-14 23:55 - 2012-05-04 20:59 - 00514560 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-01-14 19:35 - 2013-04-02 17:23 - 00448512 _____ (OldTimer Tools) C:\Users\Peter Shanley\Documents\TFC.exe
2014-01-14 19:34 - 2014-01-14 19:34 - 00001146 _____ C:\Users\Peter Shanley\Desktop\TFC - Shortcut.lnk
2014-01-14 18:25 - 2014-01-14 18:27 - 00000000 ____D C:\Users\Peter Shanley\AppData\Local\AVG Secure Search
2014-01-14 18:25 - 2014-01-14 18:25 - 00000000 ____D C:\Users\Peter Shanley\AppData\Roaming\AVG2012
2014-01-14 18:24 - 2014-01-14 18:24 - 00000935 _____ C:\Users\Public\Desktop\AVG 2012.lnk
2014-01-14 18:24 - 2014-01-14 18:23 - 00037664 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx86.sys
2014-01-14 18:23 - 2014-01-15 19:28 - 00003735 _____ C:\Program Files\Mozilla Firefoxavg-secure-search.xml
2014-01-14 18:23 - 2014-01-15 19:27 - 00000000 ____D C:\Program Files\AVG Secure Search
2014-01-14 18:23 - 2014-01-14 18:24 - 00000000 ____D C:\ProgramData\AVG Secure Search
2014-01-14 18:23 - 2014-01-14 18:24 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2014-01-14 18:22 - 2014-01-23 09:45 - 00000000 ____D C:\Windows\system32\Drivers\AVG
2014-01-14 18:22 - 2014-01-14 18:38 - 00000000 ____D C:\ProgramData\AVG2012
2014-01-14 18:22 - 2014-01-14 18:22 - 00000000 ___HD C:\$AVG
2014-01-13 16:25 - 2014-01-13 16:25 - 00001071 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-13 16:25 - 2014-01-13 16:25 - 00000000 ____D C:\Users\Peter Shanley\AppData\Roaming\Malwarebytes
2014-01-13 16:25 - 2014-01-13 16:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-13 16:25 - 2014-01-13 16:25 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2014-01-13 16:25 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-01-13 16:15 - 2014-01-13 16:22 - 10284816 _____ (Malwarebytes Corporation                                    ) C:\Users\Peter Shanley\Desktop\Malwarebytes setup mbam-setup.exe
2014-01-13 15:18 - 2014-01-13 15:27 - 00000000 ____D C:\AdwCleaner
2014-01-13 15:16 - 2014-01-13 15:16 - 01236282 _____ C:\Users\Peter Shanley\Downloads\adwcleaner.exe
2014-01-13 14:28 - 2014-01-13 14:28 - 00019968 _____ C:\Users\Peter Shanley\Downloads\Result.txt
2014-01-11 10:09 - 2014-01-11 10:09 - 00000000 ____D C:\ProgramData\Updater
2014-01-11 10:08 - 2014-01-11 10:08 - 00001914 _____ C:\Users\Public\Desktop\InstallConverter.lnk
2014-01-11 10:08 - 2014-01-11 10:08 - 00000000 ____D C:\Program Files\InstallConverter
2014-01-10 12:41 - 2014-01-13 15:20 - 00000000 ____D C:\Users\Peter Shanley\AppData\Local\CrashDumps

==================== One Month Modified Files and Folders =======

2014-01-23 17:44 - 2014-01-23 17:44 - 00018751 _____ C:\Users\Peter Shanley\Desktop\FRST.txt
2014-01-23 17:43 - 2014-01-23 17:43 - 00000000 ____D C:\FRST
2014-01-23 17:43 - 2014-01-23 17:42 - 01222144 _____ (Farbar) C:\Users\Peter Shanley\Desktop\FRST.exe
2014-01-23 17:25 - 2012-06-13 19:01 - 00000000 ____D C:\Users\Peter Shanley\AppData\Roaming\Skype
2014-01-23 17:24 - 2013-02-19 08:54 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-23 16:53 - 2012-06-13 13:52 - 01922795 _____ C:\Windows\WindowsUpdate.log
2014-01-23 16:51 - 2013-06-14 20:31 - 00000000 ____D C:\Users\Peter Shanley\AppData\Roaming\Dropbox
2014-01-23 16:50 - 2013-06-14 20:34 - 00000000 ___RD C:\Users\Peter Shanley\Dropbox
2014-01-23 16:50 - 2013-02-19 08:54 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-23 16:50 - 2012-06-20 22:02 - 00000426 _____ C:\Windows\Tasks\PC Optimizer Pro startups.job
2014-01-23 16:50 - 2009-07-14 15:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-23 16:50 - 2009-07-14 15:39 - 00292676 _____ C:\Windows\setupact.log
2014-01-23 10:22 - 2009-07-14 15:34 - 00016848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-23 10:22 - 2009-07-14 15:34 - 00016848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-23 10:19 - 2013-03-25 21:31 - 00271360 _____ C:\Users\Peter Shanley\Documents\Outlook.pst
2014-01-23 09:45 - 2014-01-14 18:22 - 00000000 ____D C:\Windows\system32\Drivers\AVG
2014-01-23 09:28 - 2010-11-21 08:48 - 00165596 _____ C:\Windows\PFRO.log
2014-01-22 18:40 - 2014-01-21 17:36 - 00018852 _____ C:\Users\Peter Shanley\Desktop\dds.txt
2014-01-22 18:40 - 2014-01-21 17:36 - 00007628 _____ C:\Users\Peter Shanley\Desktop\attach.txt
2014-01-22 18:39 - 2014-01-22 18:39 - 00688992 ____R (Swearware) C:\Users\Peter Shanley\Desktop\dds.scr
2014-01-22 18:30 - 2014-01-22 18:30 - 00004446 _____ C:\Users\Peter Shanley\Desktop\RKreport[0]_D_01222014_183023.txt
2014-01-22 18:29 - 2014-01-22 18:29 - 00004408 _____ C:\Users\Peter Shanley\Desktop\RKreport[0]_S_01222014_182914.txt
2014-01-21 17:35 - 2012-09-19 23:31 - 00000000 ____D C:\Users\Peter Shanley\Documents\Peter
2014-01-21 17:34 - 2014-01-21 17:24 - 00000000 ____D C:\Users\Peter Shanley\Desktop\RK_Quarantine
2014-01-21 17:29 - 2014-01-21 17:29 - 00005492 _____ C:\Users\Peter Shanley\Desktop\RKreport[0]_D_01212014_172943.txt
2014-01-21 17:28 - 2014-01-21 17:28 - 00005418 _____ C:\Users\Peter Shanley\Desktop\RKreport[0]_S_01212014_172840.txt
2014-01-21 17:23 - 2014-01-21 17:23 - 03809280 _____ C:\Users\Peter Shanley\Desktop\RogueKiller.exe
2014-01-20 10:58 - 2009-07-14 15:53 - 00032652 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-17 21:15 - 2014-01-15 00:01 - 00000000 ____D C:\Program Files\Microsoft Mouse and Keyboard Center
2014-01-16 14:08 - 2013-06-14 20:34 - 00001048 _____ C:\Users\Peter Shanley\Desktop\Dropbox.lnk
2014-01-16 14:08 - 2013-06-14 20:32 - 00000000 ____D C:\Users\Peter Shanley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-01-16 13:48 - 2012-06-13 18:26 - 00000000 ____D C:\Program Files\Common Files\Adobe
2014-01-16 12:03 - 2009-07-14 15:33 - 00412720 _____ C:\Windows\system32\FNTCACHE.DAT
2014-01-15 20:30 - 2012-06-13 16:25 - 00000000 ____D C:\ProgramData\Microsoft Help
2014-01-15 20:26 - 2013-08-15 20:10 - 00000000 ____D C:\Windows\system32\MRT
2014-01-15 20:19 - 2012-08-24 12:23 - 83425928 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-01-15 19:28 - 2014-01-14 18:23 - 00003735 _____ C:\Program Files\Mozilla Firefoxavg-secure-search.xml
2014-01-15 19:27 - 2014-01-14 18:23 - 00000000 ____D C:\Program Files\AVG Secure Search
2014-01-15 15:41 - 2012-06-28 09:29 - 00000000 ____D C:\Users\Peter Shanley\Documents\Peter's Outlook
2014-01-15 14:29 - 2012-06-21 21:37 - 00000000 ____D C:\Users\Peter Shanley\Documents\My Digital Editions
2014-01-15 13:45 - 2013-12-21 12:25 - 00000000 ____D C:\Program Files\Mozilla Firefox
2014-01-15 12:34 - 2012-06-13 14:24 - 00109672 _____ C:\Users\Peter Shanley\AppData\Local\GDIPFONTCACHEV1.DAT
2014-01-15 11:58 - 2012-06-14 10:28 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-01-15 11:58 - 2012-06-14 10:28 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-01-15 11:30 - 2014-01-15 11:30 - 00000000 ____D C:\Users\Peter Shanley\AppData\Roaming\Oracle
2014-01-15 11:27 - 2014-01-15 11:27 - 00000000 ____D C:\ProgramData\Sun
2014-01-15 11:27 - 2014-01-15 11:27 - 00000000 ____D C:\ProgramData\Oracle
2014-01-15 11:27 - 2014-01-15 11:27 - 00000000 ____D C:\Program Files\Common Files\Java
2014-01-15 11:26 - 2014-01-15 11:27 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-01-15 11:26 - 2014-01-15 11:26 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-01-15 11:26 - 2014-01-15 11:26 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-01-15 11:26 - 2014-01-15 11:26 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-01-15 11:26 - 2014-01-15 11:26 - 00000000 ____D C:\Program Files\Java
2014-01-15 10:45 - 2013-03-06 18:42 - 00253686 _____ C:\Windows\DPINST.LOG
2014-01-15 10:42 - 2013-03-06 18:41 - 00001972 _____ C:\Users\Public\Desktop\Sony PC Companion 2.1.lnk
2014-01-15 10:41 - 2013-03-06 18:41 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2014-01-15 00:02 - 2014-01-15 00:02 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_point32_01011.Wdf
2014-01-14 23:12 - 2009-07-14 13:37 - 00000000 ____D C:\Windows\Microsoft.NET
2014-01-14 22:51 - 2010-11-21 08:01 - 00790348 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-14 19:34 - 2014-01-14 19:34 - 00001146 _____ C:\Users\Peter Shanley\Desktop\TFC - Shortcut.lnk
2014-01-14 18:38 - 2014-01-14 18:22 - 00000000 ____D C:\ProgramData\AVG2012
2014-01-14 18:27 - 2014-01-14 18:25 - 00000000 ____D C:\Users\Peter Shanley\AppData\Local\AVG Secure Search
2014-01-14 18:25 - 2014-01-14 18:25 - 00000000 ____D C:\Users\Peter Shanley\AppData\Roaming\AVG2012
2014-01-14 18:25 - 2012-06-13 18:43 - 00000000 ____D C:\ProgramData\MFAData
2014-01-14 18:24 - 2014-01-14 18:24 - 00000935 _____ C:\Users\Public\Desktop\AVG 2012.lnk
2014-01-14 18:24 - 2014-01-14 18:23 - 00000000 ____D C:\ProgramData\AVG Secure Search
2014-01-14 18:24 - 2014-01-14 18:23 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2014-01-14 18:23 - 2014-01-14 18:24 - 00037664 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx86.sys
2014-01-14 18:22 - 2014-01-14 18:22 - 00000000 ___HD C:\$AVG
2014-01-14 18:21 - 2012-06-13 18:46 - 00000000 ____D C:\Program Files\AVG
2014-01-13 16:45 - 2009-07-14 13:37 - 00000000 ____D C:\Windows\Globalization
2014-01-13 16:43 - 2012-07-12 19:24 - 00000000 ____D C:\Users\Peter Shanley\Windows 7 Loader + Activator v2.0.6 Reloaded - DAZ [Team Rjaa]
2014-01-13 16:25 - 2014-01-13 16:25 - 00001071 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-13 16:25 - 2014-01-13 16:25 - 00000000 ____D C:\Users\Peter Shanley\AppData\Roaming\Malwarebytes
2014-01-13 16:25 - 2014-01-13 16:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-13 16:25 - 2014-01-13 16:25 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2014-01-13 16:22 - 2014-01-13 16:15 - 10284816 _____ (Malwarebytes Corporation                                    ) C:\Users\Peter Shanley\Desktop\Malwarebytes setup mbam-setup.exe
2014-01-13 15:27 - 2014-01-13 15:18 - 00000000 ____D C:\AdwCleaner
2014-01-13 15:20 - 2014-01-10 12:41 - 00000000 ____D C:\Users\Peter Shanley\AppData\Local\CrashDumps
2014-01-13 15:16 - 2014-01-13 15:16 - 01236282 _____ C:\Users\Peter Shanley\Downloads\adwcleaner.exe
2014-01-13 15:03 - 2012-06-28 09:28 - 00000000 ____D C:\Users\Peter Shanley\Documents\Catherine 2011 amd beyond
2014-01-13 14:28 - 2014-01-13 14:28 - 00019968 _____ C:\Users\Peter Shanley\Downloads\Result.txt
2014-01-11 10:09 - 2014-01-11 10:09 - 00000000 ____D C:\ProgramData\Updater
2014-01-11 10:08 - 2014-01-11 10:08 - 00001914 _____ C:\Users\Public\Desktop\InstallConverter.lnk
2014-01-11 10:08 - 2014-01-11 10:08 - 00000000 ____D C:\Program Files\InstallConverter
2014-01-10 01:03 - 2013-06-30 19:46 - 00031232 _____ C:\Users\Peter Shanley\Downloads\130630

Some content of TEMP:
====================
C:\Users\Peter Shanley\AppData\Local\Temp\avguidx.dll
C:\Users\Peter Shanley\AppData\Local\Temp\BundleSweetIMSetup.exe
C:\Users\Peter Shanley\AppData\Local\Temp\Delta.exe
C:\Users\Peter Shanley\AppData\Local\Temp\DeltaTB.exe
C:\Users\Peter Shanley\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Peter Shanley\AppData\Local\Temp\MouseKeyboardCenterx86_1033.exe
C:\Users\Peter Shanley\AppData\Local\Temp\MybabylonTB.exe
C:\Users\Peter Shanley\AppData\Local\Temp\ntdll_dump.dll
C:\Users\Peter Shanley\AppData\Local\Temp\oi_{439AE9DE-7850-4A84-9181-FF28AAAB2539}.exe
C:\Users\Peter Shanley\AppData\Local\Temp\Quarantine.exe
C:\Users\Peter Shanley\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Peter Shanley\AppData\Local\Temp\vlc-2.0.7-win32.exe
C:\Users\Peter Shanley\AppData\Local\Temp\vlc-2.0.8-win32.exe
C:\Users\Peter Shanley\AppData\Local\Temp\WSSetup.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-01-20 19:04

==================== End Of Log ============================
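The "One Month Created Files and Folders" section of the log above is what dates this infection: the Websteroids extension in the Firefox section carries [2014-01-11], and the created-files list shows C:\ProgramData\Updater, the InstallConverter shortcut and C:\Program Files\InstallConverter landing within a minute of each other that same morning. The Python script below is an added example, not FRST's own code and not part of the thread: it parses entries in the layout FRST prints, rejoins a path that Word Wrap split across lines (the Malwarebytes setup line in the log above), and lists everything created on the same day as a chosen marker. The sample lines are excerpted from the log on this page; the regular expression and the join rule are my reading of that layout, not FRST's documented format.

```python
"""Per-day creation timeline from the 'One Month Created Files and Folders'
section of an FRST log.  Added example, not FRST's own code."""
import re
from collections import defaultdict

# One FRST entry: "<created> - <modified> - <size> <attrs> [(<company>)] <path>".
# Assumed from the layout seen in the log on this page, not from FRST docs.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)

# Excerpt of the log above (constructed sample).  The third entry keeps the
# Word Wrap split exactly as Notepad produced it, blank line included.
SAMPLE = r"""
2014-01-23 17:44 - 2014-01-23 17:44 - 00018751 _____ C:\Users\Peter Shanley\Desktop\FRST.txt
2014-01-23 17:42 - 2014-01-23 17:43 - 01222144 _____ (Farbar) C:\Users\Peter Shanley\Desktop\FRST.exe
2014-01-13 16:15 - 2014-01-13 16:22 - 10284816 _____ (Malwarebytes Corporation                                    ) C:

\Users\Peter Shanley\Desktop\Malwarebytes setup mbam-setup.exe
2014-01-13 15:18 - 2014-01-13 15:27 - 00000000 ____D C:\AdwCleaner
2014-01-11 10:09 - 2014-01-11 10:09 - 00000000 ____D C:\ProgramData\Updater
2014-01-11 10:08 - 2014-01-11 10:08 - 00001914 _____ C:\Users\Public\Desktop\InstallConverter.lnk
2014-01-11 10:08 - 2014-01-11 10:08 - 00000000 ____D C:\Program Files\InstallConverter
2014-01-10 12:41 - 2014-01-13 15:20 - 00000000 ____D C:\Users\Peter Shanley\AppData\Local\CrashDumps
"""


def parse_created(section_text):
    """Parse the section into dicts.  A non-empty line that does not start a
    new entry is the wrapped tail of the previous path and is appended with
    no separator; if the wrap fell on a space that space is lost, so check
    rejoined paths by hand before acting on them."""
    joined = []
    for raw in section_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            joined.append(line)
        elif joined:
            joined[-1] += line
    entries = []
    for line in joined:
        d = ENTRY_RE.match(line).groupdict()
        d["company"] = (d["company"] or "").strip()
        d["size"] = int(d["size"])
        entries.append(d)
    return entries


def timeline(entries):
    """Map creation day -> list of paths, in log order."""
    by_day = defaultdict(list)
    for e in entries:
        by_day[e["created"][:10]].append(e["path"])
    return dict(by_day)


def same_day_as(entries, marker):
    """Everything created on the day of the first entry whose path contains
    `marker`; returns (day, paths).  Raises ValueError if nothing matches."""
    for e in entries:
        if marker in e["path"]:
            day = e["created"][:10]
            return day, [x["path"] for x in entries if x["created"].startswith(day)]
    raise ValueError(f"no entry contains {marker!r}")


if __name__ == "__main__":
    entries = parse_created(SAMPLE)
    for day, paths in sorted(timeline(entries).items()):
        print(day)
        for p in paths:
            print("   ", p)
    day, paths = same_day_as(entries, "InstallConverter")
    print(f"\ncreated on {day}: {len(paths)} item(s)")
```

Paste the whole section in place of SAMPLE to run it on a real log. Grouping by day is what makes a dropper's companions visible when only one of them is recognised by name: here the marker is InstallConverter, and the same-day list surfaces C:\ProgramData\Updater, which nothing on the page identifies by itself.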



#6 nasdaq (Malware Response Team, Montreal, QC, Canada)
Posted 23 January 2014 - 11:26 AM


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start

BHO: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKLM - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
FF Extension: Giant Savings Extension - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\extension21810@extension21810.com [2013-11-07]
FF Extension: Websteroids - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\support@websteroidsapp.com [2014-01-11]
FF Extension: New tab - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\{49B1506F-964B-5E2F-B103-39E9F58AA52E} [2014-01-05]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

C:\Users\Peter Shanley\AppData\Local\Temp\avguidx.dll
C:\Users\Peter Shanley\AppData\Local\Temp\BundleSweetIMSetup.exe
C:\Users\Peter Shanley\AppData\Local\Temp\Delta.exe
C:\Users\Peter Shanley\AppData\Local\Temp\DeltaTB.exe
C:\Users\Peter Shanley\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Peter Shanley\AppData\Local\Temp\MouseKeyboardCenterx86_1033.exe
C:\Users\Peter Shanley\AppData\Local\Temp\MybabylonTB.exe
C:\Users\Peter Shanley\AppData\Local\Temp\ntdll_dump.dll
C:\Users\Peter Shanley\AppData\Local\Temp\oi_{439AE9DE-7850-4A84-9181-FF28AAAB2539}.exe
C:\Users\Peter Shanley\AppData\Local\Temp\Quarantine.exe
C:\Users\Peter Shanley\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Peter Shanley\AppData\Local\Temp\vlc-2.0.7-win32.exe
C:\Users\Peter Shanley\AppData\Local\Temp\vlc-2.0.8-win32.exe
C:\Users\Peter Shanley\AppData\Local\Temp\WSSetup.exe

end

Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once and wait.
The tool will create a log (Fixlog.txt); please post it in your reply.

p.s.
Before you run this fix, turn off the Word Wrap function in Notepad.
You will find this under the Format menu.
This will eliminate all the blank lines in your log and make it possible for me to better analyse your log.

=================

Please let me know what problem persists.
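FRST takes a fixlist one line per item, so a line that Notepad's Word Wrap (or the copy out of the forum post) has split becomes two items, and neither matches anything. The Fixlog in the next post shows exactly that: the "FF" / "Extension: Giant Savings ..." pair produced no result line at all, and "C:\Users\Peter" / "Shanley\...\MybabylonTB.exe" produced `"C:\Users\Peter" => File/Directory not found`, so the Giant Savings extension and MybabylonTB.exe were left on the disk. The Python script below is an added example, not FRST's own code and not part of the thread: it rejoins such fragments before the file is run and reports every fragment it had to glue back, so the result can be checked by hand. The directive tokens it recognises are the subset seen in this thread's log (an assumption on my part, not FRST's full grammar), and the sample fixlist is constructed to reproduce the two splits recorded in the Fixlog.

```python
"""Check an FRST fixlist.txt before clicking Fix.  Added example, not FRST's
own code and not part of the thread."""
import re

FRAMING = ("start", "end")

# First token of a line that can begin a fixlist item.  This is the subset of
# FRST directives that appear in this thread's log (assumption), not FRST's
# full grammar; extend it for the sections your own log contains.
KNOWN_TOKENS = {
    "BHO", "Toolbar", "Handler", "FF", "CHR", "HKLM", "HKCU", "HKU", "Task",
    "SearchScopes", "Tcpip\\Parameters", "R0", "R1", "R2", "R3", "S3", "S4",
}
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample reproducing the breakage visible in the Fixlog below:
# "FF" / "Extension: ..." on two lines, and "C:\Users\Peter" / "Shanley\...".
SAMPLE = r"""start

BHO: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
FF
Extension: Giant Savings Extension - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\extension21810@extension21810.com [2013-11-07]
FF Extension: Websteroids - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\support@websteroidsapp.com [2014-01-11]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION[/B]

C:\Users\Peter
Shanley\AppData\Local\Temp\MybabylonTB.exe
C:\Users\Peter Shanley\AppData\Local\Temp\WSSetup.exe

end
"""


def looks_like_item(line):
    """True if `line` can stand on its own as a fixlist item."""
    if DRIVE_PATH_RE.match(line):
        return True
    return line.split(None, 1)[0].rstrip(":") in KNOWN_TOKENS


def unwrap(text):
    """Non-empty lines of `text`, with every line that cannot begin an item
    glued onto the line before it.  A space goes in at the join unless one
    side already has a backslash there ("C:" + "\\Users")."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in FRAMING or looks_like_item(line) or not items:
            items.append(line)
        else:
            prev = items[-1]
            sep = "" if prev.endswith("\\") or line.startswith("\\") else " "
            items[-1] = prev + sep + line
    return items


def find_splits(text):
    """The fragments unwrap() had to glue back: exactly the lines a reader that
    takes one item per line would have tried, and failed, to act on.  The head
    of a split path ("C:\\Users\\Peter") still looks like a valid item, which is
    why FRST reported it as not found rather than as malformed."""
    lines = [l.strip() for l in text.splitlines()]
    return [l for l in lines if l and l not in FRAMING and not looks_like_item(l)]


def lint(text):
    """Return (items, problems).  `items` is the unwrapped list; `problems`
    is empty when the file is framed by start/end, has no wrapped fragments
    and carries no forum markup."""
    items = unwrap(text)
    problems = []
    if not items or items[0] != "start":
        problems.append("first line must be 'start'")
    if not items or items[-1] != "end":
        problems.append("last line must be 'end'")
    for frag in find_splits(text):
        problems.append(f"wrapped fragment rejoined, check the result: {frag!r}")
    for item in items:
        if "[B]" in item or "[/B]" in item:
            # BBCode carried over from the forum post.  The Fixlog on this page
            # shows FRST still deleted the key, so this is a warning only.
            problems.append(f"forum markup left in line: {item!r}")
    return items, problems


if __name__ == "__main__":
    items, problems = lint(SAMPLE)
    for p in problems:
        print("WARN:", p)
    print("\n".join(items))
```

Run it on the saved fixlist.txt and fix the file in Notepad (with Word Wrap off) rather than trusting the rejoined text blindly: the join rule cannot tell whether a space was lost at the wrap point, and it cannot detect a truncated path whose head still parses as a path, which is the "C:\Users\Peter" case in the Fixlog.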

#7 Auscat (Topic Starter, Australia)
Posted 23 January 2014 - 11:48 PM

Hi nasdaq, thanks for your persistence. I think you've found the solution. I ran FRST again. Fixlog.txt pasted in below.

No more shooting game, no more random links to popup ads, no more "surveys."

Great! Many thanks.

:clapping:

As a novice, looking at the fixlog, I'm wondering about the BundleSweet setup - was that a source of the problems?

Do you have any suggestions for what to avoid doing in the future?

cheers

auscat

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-01-2014
Ran by Peter Shanley at 2014-01-24 15:02:09 Run:1
Running from C:\Users\Peter Shanley\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

BHO: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKLM - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
FF
Extension: Giant Savings Extension - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\extension21810@extension21810.com [2013-11-07]
FF Extension: Websteroids - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\support@websteroidsapp.com [2014-01-11]
FF Extension: New tab - C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\{49B1506F-964B-5E2F-B103-39E9F58AA52E} [2014-01-05]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION[/B]

C:\Users\Peter Shanley\AppData\Local\Temp\avguidx.dll
C:\Users\Peter Shanley\AppData\Local\Temp\BundleSweetIMSetup.exe
C:\Users\Peter Shanley\AppData\Local\Temp\Delta.exe
C:\Users\Peter Shanley\AppData\Local\Temp\DeltaTB.exe
C:\Users\Peter Shanley\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Peter Shanley\AppData\Local\Temp\MouseKeyboardCenterx86_1033.exe
C:\Users\Peter
Shanley\AppData\Local\Temp\MybabylonTB.exe
C:\Users\Peter Shanley\AppData\Local\Temp\ntdll_dump.dll
C:\Users\Peter Shanley\AppData\Local\Temp\oi_{439AE9DE-7850-4A84-9181-FF28AAAB2539}.exe
C:\Users\Peter Shanley\AppData\Local\Temp\Quarantine.exe
C:\Users\Peter Shanley\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Peter Shanley\AppData\Local\Temp\vlc-2.0.7-win32.exe
C:\Users\Peter Shanley\AppData\Local\Temp\vlc-2.0.8-win32.exe
C:\Users\Peter Shanley\AppData\Local\Temp\WSSetup.exe

end
*****************

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key deleted successfully.
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{95B7759C-8C7F-4BF1-B163-73684A933233} => Value deleted successfully.
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\support@websteroidsapp.com => Moved successfully.
C:\Users\Peter Shanley\AppData\Roaming\Mozilla\Firefox\Profiles\82pzcok2.default\Extensions\{49B1506F-964B-5E2F-B103-39E9F58AA52E} => Moved successfully.
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\avguidx.dll => Moved successfully.
Could not move "C:\Users\Peter Shanley\AppData\Local\Temp\BundleSweetIMSetup.exe" => Scheduled to move on reboot.
C:\Users\Peter Shanley\AppData\Local\Temp\Delta.exe => Moved successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\DeltaTB.exe => Moved successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\MachineIdCreator.exe => Moved successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\MouseKeyboardCenterx86_1033.exe => Moved successfully.
"C:\Users\Peter" => File/Directory not found.
C:\Users\Peter Shanley\AppData\Local\Temp\ntdll_dump.dll => Moved successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\oi_{439AE9DE-7850-4A84-9181-FF28AAAB2539}.exe => Moved successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\vlc-2.0.7-win32.exe => Moved successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\vlc-2.0.8-win32.exe => Moved successfully.
C:\Users\Peter Shanley\AppData\Local\Temp\WSSetup.exe => Moved successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-24 15:05:02)<=

C:\Users\Peter Shanley\AppData\Local\Temp\BundleSweetIMSetup.exe => Is moved successfully.

==== End of Fixlog ====
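The Fixlog above removed a Browser Helper Object key and an Internet Explorer toolbar value keyed by the same CLSID, and found no matching HKCR\CLSID entry for it. The PowerShell below is an added example, not part of the thread or of FRST: it inventories those two registry locations and resolves each CLSID to its name and DLL so an unfamiliar entry can be reviewed before anything is removed. It assumes a 32-bit Windows 7 install like the one in this thread (on x64 the Wow6432Node keys would also need to be checked).

```powershell
# Added example (not from the thread): list IE Browser Helper Objects and toolbar
# registrations and resolve each CLSID to its DLL. Entries whose CLSID has no
# HKCR\CLSID key are reported as orphaned, like the one in the Fixlog above.
$bhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$toolbarKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'

function Resolve-Clsid {
    param([string]$Clsid, [string]$Source)
    $path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path $path)) {
        # Registration points at a COM class that no longer exists.
        return [pscustomobject]@{ Source = $Source; Clsid = $Clsid; Name = $null; Dll = $null; Orphaned = $true }
    }
    $name = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -Path "$path\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Source = $Source; Clsid = $Clsid; Name = $name; Dll = $dll; Orphaned = $false }
}

$entries = @()

# BHOs are registered as subkeys named by CLSID.
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $entries += Resolve-Clsid -Clsid $sub.PSChildName -Source 'BHO'
    }
}

# Toolbars are registered as values named by CLSID under a single key.
if (Test-Path $toolbarKey) {
    $names = (Get-Item -Path $toolbarKey).GetValueNames() | Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }
    foreach ($n in $names) {
        $entries += Resolve-Clsid -Clsid $n -Source 'Toolbar'
    }
}

# Review the list: a DLL under a user's Temp or AppData folder, or an orphaned
# CLSID, is worth a closer look before deciding what to remove.
$entries | Sort-Object Source, Clsid | Format-Table Source, Clsid, Name, Dll, Orphaned -AutoSize
```

Run it from an elevated PowerShell prompt; it only reads the registry and changes nothing.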



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:53 PM

Posted 24 January 2014 - 10:10 AM


It's certainly part of the problem.

http://www.greatis.com/appdata/d/PROGRAM_FILES/s/sweetim_messenger_bundlesweetimsetup.exe.htm

Most of the malware found is installed without your consent.
Normally installed by free programs you download.
There are fewer and fewer freebies on the Internet.
===

One last scan.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#9 Auscat

Auscat
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Female
  • Location:Australia
  • Local time:02:53 PM

Posted 24 January 2014 - 09:41 PM

Thanks nasdaq.

Can I ask a couple more questions? I have on the desktop a folder called RK_Quarantine. What should I do with this?

And my free Malwarebytes will expire in a few days. Should I subscribe to this or is there another program (free or subscription) that you would recommend?

auscat

Checkup.txt follows

 Results of screen317's Security Check version 0.99.79  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Norton Internet Security           
AVG Anti-Virus Free Edition 2012   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 51  
 Adobe Flash Player     12.0.0.43  
 Adobe Reader 10.1.9 Adobe Reader out of Date!  
 Mozilla Firefox (26.0)
 Google Chrome 31.0.1650.63  
 Google Chrome 32.0.1700.76  
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes Anti-Malware mbam.exe  
 AVG avgwdsvc.exe
 AVG avgtray.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:53 PM

Posted 25 January 2014 - 10:23 AM

I have on the desktop a folder called RK_Quarantine. What should I do with this?

That folder was created by the RogueKiller tool.
When all is well you can delete the program and the folder.
===
And my free Malwarebytes will expire in a few days. Should I subscribe to this or is there another program (free or subscription) that you would recommend?

There are no similar programs that I know of that will do the same. It's nice to have; it's your call.
See my closing speech.

===

Adobe Reader/Acrobat v11.0.05 was released Oct 8, 2013

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.

In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful add-ons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • Script Blocker can help blocking many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox addon,
  • ScriptNo a popular Google Chrome addon.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===

#11 Auscat

Auscat
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Female
  • Location:Australia
  • Local time:02:53 PM

Posted 27 January 2014 - 03:23 AM

Hi nasdaq,

RE your housekeeping instructions - I struck a problem with ComboFix /Uninstall because we had not run ComboFix on this PC.

Thanks for the useful suggestions re protection programs.

After I asked the question I realised there would be info in forums on Bleeping Computer so I checked there too.

I hadn't realised before that I should only have one resident program of each type, and just run another as needed.

I've got Norton Anti-virus and had also installed AVG Antivirus free.

I have now disabled AVG as "resident" and will run scans occasionally.

I'll install a firewall and pay for Malwarebytes and run another, e.g. ESET, as a backup.

Thanks

auscat



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:53 PM

Posted 27 January 2014 - 10:34 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
