
Load32 causing issues with installing antivirus/antimalware.


  • This topic is locked
23 replies to this topic

#1 SquirrelWizard

  • Members
  • 11 posts

Posted 02 March 2014 - 03:00 AM

Just recently my McAfee subscription ran out, and I downloaded Avast to replace it. When I tried to install Avast, it errors out before getting to setup.

 

I checked my processes in Task Manager and googled the names of a few that I didn't recognize, and ended up on one of the processes, which was Load32.exe.

 

I've tried downloading and running Malwarebytes, but it gets blocked. I downloaded the Microsoft Malicious Software Removal Tool to scan with, but that turned up empty.

 

I've tried this both with "Run as admin" and in Safe Mode, but haven't gotten anywhere. I cannot even access system restore information.

 

DDS Report

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.16518  BrowserJavaVersion: 10.51.2
Run by William R at 2:29:44 on 2014-03-02
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8175.6103 [GMT -5:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
C:\Program Files\SmartTechnology\Software\ProfilerU.exe
C:\Program Files\SmartTechnology\Software\SaiMfd.exe
C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\ProgramData\load32.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\SysWOW64\WScript.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uWinlogon: Shell = explorer.exe,"C:\ProgramData\load32.exe"
uWindows: Load = C:\Users\William R\Downloads\(18禁ゲーム) [080114] [バニラ堂MAX] 触手ペット~風紀委員長は触手の虜~\RJ036706\savedata\data.exe
mWinlogon: Userinit = userinit.exe
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun: [NT Kernel Service] C:\ProgramData\load32.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
StartupFolder: C:\Users\William R\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{66AC90B4-5C75-46EB-B76B-DD5FEDFE9DB9} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{A303106A-0FC3-443E-91F5-3FDB2A08E021} : DHCPNameServer = 192.168.1.254
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
IFEO: AvastSvc.exe - C:\Users\William R\Documents\315load32.exe
IFEO: AvastUI.exe - C:\Users\William R\Documents\315load32.exe
IFEO: avcenter.exe - C:\Users\William R\Documents\315load32.exe
IFEO: avconfig.exe - C:\Users\William R\Documents\315load32.exe
IFEO: avgcsrvx.exe - C:\Users\William R\Documents\315load32.exe
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [Stage Remote] C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe -Quiet
x64-Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
x64-Run: [ProfilerU] C:\Program Files\SmartTechnology\Software\ProfilerU.exe
x64-Run: [SaiMfd] C:\Program Files\SmartTechnology\Software\SaiMfd.exe
x64-DPF: {CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
x64-Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-IFEO: AvastSvc.exe - C:\Users\William R\Documents\315load32.exe
x64-IFEO: AvastUI.exe - C:\Users\William R\Documents\315load32.exe
x64-IFEO: avcenter.exe - C:\Users\William R\Documents\315load32.exe
x64-IFEO: avconfig.exe - C:\Users\William R\Documents\315load32.exe
x64-IFEO: avgcsrvx.exe - C:\Users\William R\Documents\315load32.exe
.
Note: multiple IFEO entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-2-15 55856]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-12-19 240640]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-2-15 1692480]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-11-6 96256]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-2-15 539240]
R3 SaiK1708;SaiK1708;C:\Windows\System32\drivers\SaiK1708.sys [2012-9-20 180544]
R3 SaiU1708;SaiU1708;C:\Windows\System32\drivers\SaiU1708.sys [2012-9-20 47168]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
S2 DellDigitalDelivery;Dell Digital Delivery Service;C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [2011-10-26 162816]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]
S3 Desura Install Service;Desura Install Service;C:\Program Files (x86)\Common Files\Desura\desura_service.exe [2012-6-21 131912]
S3 efavdrv;efavdrv;C:\Windows\System32\drivers\efavdrv.sys [2014-3-2 139704]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-2-13 111616]
S3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-2-15 317440]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-2-25 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\notepad++.exe="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2014-03-02 06:19:22 -------- d-----w- C:\Program Files (x86)\ESET
2014-03-02 06:13:26 139704 ----a-w- C:\Windows\System32\drivers\efavdrv.sys
2014-03-02 05:35:55 -------- d-----w- C:\FRST
2014-03-02 05:23:26 -------- d-----w- C:\Windows\pss
2014-03-02 05:07:26 -------- d-----w- C:\ProgramData\Malwarebytes
2014-03-02 05:07:25 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-02 04:46:24 -------- d-----w- C:\AVGTemp
2014-03-02 04:26:25 -------- d-s---w- C:\Windows\SysWow64\Microsoft
2014-03-02 04:18:39 -------- d-----w- C:\Program Files\CCleaner
2014-03-02 03:52:46 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-03-02 03:16:16 -------- d--h--w- C:\NTKernel
2014-03-02 03:15:40 -------- d-----w- C:\ProgramData\AVAST Software
2014-02-26 08:03:00 -------- d-----w- C:\Windows\Migration
2014-02-23 05:54:07 251904 --sha-r- C:\ProgramData\load32.exe
2014-02-23 05:54:07 251904 --sha-r- C:\315load32.exe
2014-02-23 05:53:32 -------- d--h--w- C:\ProgramData\NTKernel
2014-02-21 19:40:35 -------- d-----w- C:\Users\William R\AppData\Local\Blizzard
2014-02-21 09:37:39 -------- d-----w- C:\Program Files (x86)\Hearthstone
2014-02-21 09:36:14 -------- d-----w- C:\Users\William R\AppData\Local\Blizzard Entertainment
2014-02-21 09:36:06 -------- d-----w- C:\Users\William R\AppData\Roaming\Battle.net
2014-02-21 09:36:06 -------- d-----w- C:\Users\William R\AppData\Local\Battle.net
2014-02-21 09:35:58 -------- d-----w- C:\Program Files (x86)\Battle.net
2014-02-20 01:41:30 -------- d-----w- C:\Users\William R\AppData\Local\Sonic_Solutions
2014-02-13 07:14:04 548864 ----a-w- C:\Windows\System32\vbscript.dll
2014-02-13 07:14:04 454656 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-02-13 01:09:47 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2014-02-13 01:07:53 3928064 ----a-w- C:\Windows\System32\d2d1.dll
2014-02-13 01:07:53 3419136 ----a-w- C:\Windows\SysWow64\d2d1.dll
2014-02-13 01:07:53 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
2014-02-13 01:07:53 1987584 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
.
==================== Find3M  ====================
.
2014-02-23 03:23:31 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-02-23 03:23:30 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-06 11:30:46 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-02-06 11:30:12 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-02-06 11:07:39 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-02-06 11:06:47 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-02-06 10:49:03 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-02-06 10:48:45 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-02-06 10:48:11 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-02-06 10:20:26 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-02-06 10:11:37 5768704 ----a-w- C:\Windows\System32\jscript9.dll
2014-02-06 10:01:36 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-02-06 10:00:46 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-02-06 09:50:32 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-02-06 09:47:22 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-02-06 09:46:27 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-02-06 09:25:36 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-02-06 09:24:52 2334208 ----a-w- C:\Windows\System32\wininet.dll
2014-02-06 09:09:30 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-02-06 08:41:35 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-12-12 21:54:57 108968 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2013-12-06 02:30:08 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2013-12-06 02:30:08 1882112 ----a-w- C:\Windows\System32\msxml3.dll
2013-12-06 02:02:08 1237504 ----a-w- C:\Windows\SysWow64\msxml3.dll
2013-12-04 02:27:33 485888 ----a-w- C:\Windows\System32\secproc_isv.dll
2013-12-04 02:27:33 123392 ----a-w- C:\Windows\System32\secproc_ssp_isv.dll
2013-12-04 02:27:33 123392 ----a-w- C:\Windows\System32\secproc_ssp.dll
2013-12-04 02:27:16 488448 ----a-w- C:\Windows\System32\secproc.dll
2013-12-04 02:26:32 528384 ----a-w- C:\Windows\System32\msdrm.dll
2013-12-04 02:16:51 658432 ----a-w- C:\Windows\System32\RMActivate_isv.exe
2013-12-04 02:16:51 626176 ----a-w- C:\Windows\System32\RMActivate.exe
2013-12-04 02:16:50 552960 ----a-w- C:\Windows\System32\RMActivate_ssp_isv.exe
2013-12-04 02:16:48 553984 ----a-w- C:\Windows\System32\RMActivate_ssp.exe
2013-12-04 02:03:20 87040 ----a-w- C:\Windows\SysWow64\secproc_ssp_isv.dll
2013-12-04 02:03:20 87040 ----a-w- C:\Windows\SysWow64\secproc_ssp.dll
2013-12-04 02:03:20 423936 ----a-w- C:\Windows\SysWow64\secproc_isv.dll
2013-12-04 02:03:08 428032 ----a-w- C:\Windows\SysWow64\secproc.dll
2013-12-04 02:02:06 390144 ----a-w- C:\Windows\SysWow64\msdrm.dll
2013-12-04 01:54:14 510976 ----a-w- C:\Windows\SysWow64\RMActivate_ssp.exe
2013-12-04 01:54:10 594944 ----a-w- C:\Windows\SysWow64\RMActivate_isv.exe
2013-12-04 01:54:09 572416 ----a-w- C:\Windows\SysWow64\RMActivate.exe
2013-12-04 01:54:06 508928 ----a-w- C:\Windows\SysWow64\RMActivate_ssp_isv.exe
.
============= FINISH:  2:30:04.59 ===============
 

Attached Files
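What the two logs in this thread actually show, as an added example that is not part of either post and not code from the DDS or FRST tools: the IFEO (Image File Execution Options) entries are the reason every scanner "gets blocked". When a process is created whose image name matches an IFEO subkey, Windows launches the program named in that subkey's Debugger value instead and hands it the original command line, so starting AvastSvc.exe, mbam.exe or rstrui.exe (System Restore) runs C:\Users\William R\Documents\315load32.exe in their place. The Winlogon Shell value and the Windows\Load value are the logon persistence, and the "NT Kernel Service" Run entry is the same file launched from ProgramData under a system-sounding name. The script below pulls those indicators out of DDS/FRST-style lines. The sample lines are copied from the DDS log above and from the FRST log posted later in the thread; the classification rules (what counts as a user-writable location, what a Shell value should contain) are this example's own heuristics, not FRST's.

```python
"""Triage DDS/FRST-style log lines for AV-blocking and logon persistence.

Added example for this thread; not code from the original posts or from the
DDS/FRST tools. The detection rules are this script's own heuristics and the
sample lines are copied from the logs posted in the thread.
"""
import re

# Constructed sample: one line per indicator type from the DDS log (post #1) and
# the FRST log (post #3), plus a benign Run entry and driver for contrast.
SAMPLE_LOG = r"""
mRun: [NT Kernel Service] C:\ProgramData\load32.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
HKLM-x32\...\Run: [NT Kernel Service] - C:\ProgramData\load32.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
HKLM\...\Run: [SaiMfd] - C:\Program Files\SmartTechnology\Software\SaiMfd.exe [158208 2013-04-16] (Saitek)
HKU\.DEFAULT\...\CurrentVersion\Windows: [Load] C:\Users\William R\Documents\315load32.exe <===== ATTENTION
HKU\S-1-5-21-1935682118-3113963620-1279261437-1000\...\Winlogon: [Shell] explorer.exe,"C:\ProgramData\load32.exe" [251904 2007-12-18] () <==== ATTENTION
uWinlogon: Shell = explorer.exe,"C:\ProgramData\load32.exe"
IFEO\AvastSvc.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\mbam.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\rstrui.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO: AvastSvc.exe - C:\Users\William R\Documents\315load32.exe
x64-IFEO: avcenter.exe - C:\Users\William R\Documents\315load32.exe
S3 qiaelbxb; No ImagePath
R3 SaiK1708; C:\Windows\System32\DRIVERS\SaiK1708.sys [180544 2012-09-20] (Saitek)
"""

# IFEO: when an image matching the subkey name is started, Windows runs the
# Debugger value instead and passes it the original command line. FRST prints
# "IFEO\target: [Debugger] path", DDS prints "IFEO: target - path".
IFEO_RE = re.compile(
    r"^(?:x64-)?IFEO(?:\\(?P<t1>[^:]+): \[Debugger\] |: (?P<t2>\S+) - )(?P<dbg>.+?)\s*$"
)
SHELL_RE = re.compile(r"Winlogon: (?:\[Shell\]|Shell =) (?P<val>.+)$")
LOAD_RE = re.compile(r"Windows: (?:\[Load\]|Load =) (?P<val>.+)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]+)\] (?:- )?(?P<cmd>.+)$")
ORPHAN_SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+); No ImagePath\s*$")

# Heuristic (this example's own): directories a standard user can write to.
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\temp\\")


def _strip_frst_tail(value: str) -> str:
    """Drop FRST's trailing '[size date] (vendor)' and '<==== ATTENTION' markers."""
    value = re.sub(r"\s+\[\d+ \d{4}-\d{2}-\d{2}\].*$", "", value)
    return re.sub(r"\s*<=+ ATTENTION\s*$", "", value).strip()


def in_user_writable(path: str) -> bool:
    """True for user-writable folders and for files dropped in a drive root."""
    p = path.lower()
    return any(m in p for m in USER_WRITABLE) or re.fullmatch(r"[a-z]:\\[^\\]+", p) is not None


def image_path(command: str) -> str:
    """Best-effort executable path from a Run command line (quoted or not)."""
    m = re.match(r'^"?(?P<img>.+?\.exe)"?', command, re.IGNORECASE)
    if m:
        return m.group("img")
    parts = command.split()
    return parts[0] if parts else ""


def triage(log_text: str) -> dict:
    """Return the AV-blocking and persistence indicators found in the log text."""
    ifeo, shell_extra, load = {}, set(), set()
    run_suspicious, orphan_services = set(), set()

    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := IFEO_RE.match(line)):
            ifeo.setdefault(m.group("t1") or m.group("t2"), m.group("dbg"))
        elif (m := SHELL_RE.search(line)):
            # Shell should be exactly explorer.exe; anything after the comma
            # is launched alongside it at every logon.
            for item in _strip_frst_tail(m.group("val")).split(","):
                item = item.strip().strip('"')
                if item and item.lower().rsplit("\\", 1)[-1] != "explorer.exe":
                    shell_extra.add(item)
        elif (m := LOAD_RE.search(line)):
            # ...\CurrentVersion\Windows\Load is almost never set legitimately.
            load.add(_strip_frst_tail(m.group("val")))
        elif (m := RUN_RE.search(line)):
            img = image_path(_strip_frst_tail(m.group("cmd")))
            if in_user_writable(img):
                run_suspicious.add((m.group("name"), img))
        elif (m := ORPHAN_SVC_RE.match(line)):
            # A registered driver with no image path and a random name is a
            # typical leftover of a loader that was removed or never installed.
            orphan_services.add(m.group("name"))

    return {
        "ifeo": ifeo,
        "debuggers": sorted(set(ifeo.values())),
        "shell_extra": sorted(shell_extra),
        "load": sorted(load),
        "run_suspicious": sorted(run_suspicious),
        "orphan_services": sorted(orphan_services),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the findings for the sample, or pass it a real FRST.txt with `triage(open(path, encoding="utf-8").read())`. It only reads text; every IFEO target it lists is a program that cannot be started on the machine until the Debugger value is removed, which is a separate step.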




#2 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 March 2014 - 03:19 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

Regards,

Georgi




#3 SquirrelWizard
  • Topic Starter
  • Members
  • 11 posts

Posted 02 March 2014 - 03:26 AM

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-03-2014 01
Ran by William R (administrator) on WILLIAMR-PC on 02-03-2014 03:23:54
Running from C:\Users\William R\Desktop\Malware Work
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Dell, Inc.) C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
() C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
() C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
(Saitek) C:\Program Files\SmartTechnology\Software\ProfilerU.exe
(Saitek) C:\Program Files\SmartTechnology\Software\SaiMfd.exe
() C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\ProgramData\load32.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\WScript.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Don HO don.h@free.fr) C:\Program Files (x86)\Notepad++\notepad++.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\William R\Desktop\Malware Work\FRST64 (1).exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Stage Remote] - C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [DellStage] - C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe [2055016 2011-04-29] ()
HKLM\...\Run: [ProfilerU] - C:\Program Files\SmartTechnology\Software\ProfilerU.exe [454144 2013-04-16] (Saitek)
HKLM\...\Run: [SaiMfd] - C:\Program Files\SmartTechnology\Software\SaiMfd.exe [158208 2013-04-16] (Saitek)
HKLM-x32\...\Run: [NT Kernel Service] - C:\ProgramData\load32.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\.DEFAULT\...\CurrentVersion\Windows: [Load] C:\Users\William R\Documents\315load32.exe <===== ATTENTION
HKU\S-1-5-21-1935682118-3113963620-1279261437-1000\...\CurrentVersion\Windows: [Load] C:\Users\William R\Downloads\(18禁ゲーム) [080114] [バニラ堂MAX] 触手ペット~風紀委員長は触手の虜~\RJ036706\savedata\data.exe <===== ATTENTION
HKU\S-1-5-21-1935682118-3113963620-1279261437-1000\...\MountPoints2: {eb66a5fc-5831-11e1-9f85-806e6f6e6963} - D:\Setup.exe
HKU\S-1-5-21-1935682118-3113963620-1279261437-1000\...\Winlogon: [Shell] explorer.exe,"C:\ProgramData\load32.exe" [251904 2007-12-18] () <==== ATTENTION 
IFEO\AvastSvc.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\AvastUI.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\avcenter.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\avconfig.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\avgcsrvx.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\avgidsagent.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\avgnt.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\avgrsx.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\avguard.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\avgui.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\avgwdsvc.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\avp.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\avscan.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\bdagent.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\ccuac.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\ComboFix.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\egui.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\hijackthis.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\instup.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\keyscrambler.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\mbam.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\mbamgui.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\mbampt.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\mbamscheduler.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\mbamservice.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\MpCmdRun.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\MSASCui.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\MsMpEng.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\msseces.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\rstrui.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\spybotsd.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\wireshark.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
IFEO\zlclient.exe: [Debugger] C:\Users\William R\Documents\315load32.exe
InternetURL: C:\Users\William R\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url -> 0
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = 
SearchScopes: HKCU - {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = 
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} -  No File
Handler-x32: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll (Cozi Group, Inc.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
Chrome: 
=======
CHR Extension: (Google Docs) - C:\Users\William R\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-12-12]
CHR Extension: (Google Drive) - C:\Users\William R\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-12-12]
CHR Extension: (YouTube) - C:\Users\William R\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-02-23]
CHR Extension: (Google Search) - C:\Users\William R\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-02-23]
CHR Extension: (Google Wallet) - C:\Users\William R\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Gmail) - C:\Users\William R\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-02-23]
 
==================== Services (Whitelisted) =================
 
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2012-07-04] ()
 
==================== Drivers (Whitelisted) ====================
 
S3 efavdrv; C:\Windows\system32\drivers\efavdrv.sys [139704 2014-03-02] (ESET)
S3 qiaelbxb; No ImagePath
R3 SaiK1708; C:\Windows\System32\DRIVERS\SaiK1708.sys [180544 2012-09-20] (Saitek)
R3 SaiMini; C:\Windows\System32\DRIVERS\SaiMini.sys [25120 2013-04-30] (Saitek)
R3 SaiNtBus; C:\Windows\System32\drivers\SaiBus.sys [52640 2013-04-30] (Saitek)
R3 SaiU1708; C:\Windows\System32\DRIVERS\SaiU1708.sys [47168 2012-09-20] (Saitek)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-03-02 02:34 - 2014-03-02 03:23 - 00000000 ____D () C:\Users\William R\Desktop\Malware Work
2014-03-02 02:30 - 2014-03-02 02:30 - 00018069 _____ () C:\Users\William R\Desktop\attach.txt
2014-03-02 02:30 - 2014-03-02 02:30 - 00017628 _____ () C:\Users\William R\Desktop\dds.txt
2014-03-02 02:05 - 2014-03-02 02:06 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\William R\Downloads\rkill.exe
2014-03-02 02:01 - 2014-03-02 02:01 - 00688992 ____R (Swearware) C:\Users\William R\Desktop\dds.com
2014-03-02 01:54 - 2014-03-02 02:05 - 224608616 _____ (Emsisoft GmbH ) C:\Users\William R\Downloads\EmsisoftAntiMalwareSetup.exe
2014-03-02 01:23 - 2014-03-02 01:23 - 00000000 _____ () C:\Users\William R\Downloads\eset_nod32_antivirus_live_installer.exe.c1ktzvz.partial
2014-03-02 01:19 - 2014-03-02 01:19 - 02347384 _____ (ESET) C:\Users\William R\Downloads\esetsmartinstaller_enu.exe
2014-03-02 01:19 - 2014-03-02 01:19 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-03-02 01:13 - 2014-03-02 01:13 - 00139704 _____ (ESET) C:\Windows\system32\Drivers\efavdrv.sys
2014-03-02 01:13 - 2014-03-02 01:13 - 00000000 ____D () C:\ProgramData\ESET
2014-03-02 01:11 - 2014-03-02 01:13 - 02991832 _____ (ESET) C:\Users\William R\Downloads\ERARemover_x64.exe
2014-03-02 01:10 - 2014-03-02 01:10 - 00005602 _____ () C:\Users\William R\Downloads\exe-fix.bat
2014-03-02 01:06 - 2014-02-04 19:09 - 88567024 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-02 01:05 - 2014-03-02 01:06 - 25640672 _____ (Microsoft Corporation) C:\Users\William R\Downloads\Windows-KB890830-x64-V5.9.exe
2014-03-02 00:50 - 2014-03-02 00:50 - 00085504 _____ () C:\Users\William R\Desktop\Inherit.exe
2014-03-02 00:48 - 2014-03-02 00:48 - 00080456 _____ (Malwarebytes Corporation) C:\Users\William R\Downloads\mbam-clean-1.60.2.0003.exe
2014-03-02 00:45 - 2014-03-02 00:45 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\William R\Downloads\mbam-setup-1.75.0.1300 (1).exe
2014-03-02 00:40 - 2014-03-02 00:40 - 00000000 _____ () C:\Windows\SysWOW64\config.nt
2014-03-02 00:37 - 2014-03-02 00:37 - 00030917 _____ () C:\Users\William R\Downloads\Addition.txt
2014-03-02 00:36 - 2014-03-02 00:37 - 00042062 _____ () C:\Users\William R\Downloads\FRST.txt
2014-03-02 00:35 - 2014-03-02 03:23 - 00000000 ____D () C:\FRST
2014-03-02 00:35 - 2014-03-02 00:35 - 02156544 _____ (Farbar) C:\Users\William R\Downloads\FRST64.exe
2014-03-02 00:23 - 2014-03-02 00:23 - 00000000 ____D () C:\Windows\pss
2014-03-02 00:11 - 2014-03-02 02:13 - 00000616 _____ () C:\Windows\setupact.log
2014-03-02 00:11 - 2014-03-02 00:55 - 00023898 _____ () C:\Windows\PFRO.log
2014-03-02 00:11 - 2014-03-02 00:11 - 00000000 _____ () C:\Windows\setuperr.log
2014-03-02 00:07 - 2014-03-02 00:07 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-02 00:07 - 2014-03-02 00:07 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-02 00:05 - 2014-03-02 00:06 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\William R\Downloads\mbam-setup-1.75.0.1300.exe
2014-03-02 00:02 - 2014-03-02 00:03 - 04697744 _____ (AVAST Software) C:\Users\William R\Downloads\avast_free_antivirus_setup_online.exe
2014-03-02 00:01 - 2014-03-02 00:01 - 00278012 _____ () C:\Users\William R\Documents\cc_20140302_000107.reg
2014-03-01 23:50 - 2014-03-01 23:52 - 88504776 _____ (AVAST Software) C:\Users\William R\Downloads\avast_free_antivirus_setup (3).exe
2014-03-01 23:46 - 2014-03-01 23:46 - 00000000 _____ () C:\Users\William R\Downloads\reset_access_avg9_en.exe
2014-03-01 23:42 - 2014-03-01 23:42 - 04462384 _____ (AVG Technologies) C:\Users\William R\Downloads\avg_free_stb_all_2014_4335_cnet.exe
2014-03-01 23:34 - 2014-03-01 23:37 - 90578216 _____ (AVAST Software) C:\Users\William R\Downloads\avast_free_antivirus_setup (2).exe
2014-03-01 23:21 - 2014-03-01 23:23 - 03218352 _____ (McAfee, Inc.) C:\Users\William R\Downloads\MCPR.exe
2014-03-01 23:18 - 2014-03-01 23:18 - 00000784 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-03-01 23:18 - 2014-03-01 23:18 - 00000000 ____D () C:\Program Files\CCleaner
2014-03-01 23:17 - 2014-03-01 23:18 - 04765152 _____ (Piriform Ltd) C:\Users\William R\Downloads\ccsetup411.exe
2014-03-01 22:55 - 2014-03-01 23:03 - 90578216 _____ (AVAST Software) C:\Users\William R\Downloads\avast_free_antivirus_setup (1).exe
2014-03-01 22:52 - 2013-12-18 21:09 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-03-01 22:52 - 2013-12-18 21:04 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-03-01 22:52 - 2013-12-18 21:04 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-03-01 22:52 - 2013-12-18 21:03 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-03-01 22:51 - 2014-03-01 22:52 - 00005146 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_51-b13.log
2014-03-01 22:23 - 2014-03-01 22:23 - 00000068 _____ () C:\Update.Microsoft.com.url
2014-03-01 22:16 - 2014-03-02 01:00 - 00000000 ___HD () C:\NTKernel
2014-03-01 22:15 - 2014-03-01 22:15 - 00000000 ____D () C:\ProgramData\AVAST Software
2014-03-01 22:13 - 2014-03-01 22:15 - 90578216 _____ (AVAST Software) C:\Users\William R\Downloads\avast_free_antivirus_setup.exe
2014-02-25 20:06 - 2014-02-28 23:02 - 00000222 _____ () C:\Users\William R\Desktop\Spacebase DF-9.url
2014-02-25 19:33 - 2014-02-25 19:33 - 00000000 ____D () C:\Users\William R\Documents\SpacebaseDF9
2014-02-23 16:21 - 2014-02-23 16:21 - 00000000 ____D () C:\Users\William R\Downloads\SoTP
2014-02-23 16:20 - 2014-02-23 16:20 - 00000000 ____D () C:\Users\William R\Downloads\CassidyOriginRev1
2014-02-23 16:19 - 2014-02-23 16:20 - 30914975 _____ () C:\Users\William R\Downloads\SoTP.zip
2014-02-23 16:18 - 2014-02-23 16:19 - 61986111 _____ () C:\Users\William R\Downloads\CassidyOriginRev1.zip
2014-02-23 16:16 - 2014-02-23 16:16 - 00000000 ____D () C:\Users\William R\Downloads\Sylvia_Tentatwo
2014-02-23 16:15 - 2014-02-23 16:15 - 09704345 _____ () C:\Users\William R\Downloads\Sylvia_Tentatwo.zip
2014-02-23 16:09 - 2014-02-23 16:09 - 00000000 ____D () C:\Users\William R\Downloads\TroubleInTheLab 2
2014-02-23 16:07 - 2014-02-23 16:09 - 10063267 _____ () C:\Users\William R\Downloads\TroubleInTheLab 2.zip
2014-02-23 00:54 - 2014-03-02 00:26 - 00000000 _____ () C:\Users\William R\Documents\315load32.exe
2014-02-23 00:54 - 2007-12-18 13:41 - 00251904 __RSH () C:\ProgramData\load32.exe
2014-02-23 00:54 - 2007-12-18 13:41 - 00251904 __RSH () C:\315load32.exe
2014-02-23 00:53 - 2014-03-02 02:14 - 00000000 ___HD () C:\ProgramData\NTKernel
2014-02-23 00:53 - 2014-02-23 00:53 - 00000000 ____D () C:\Users\William R\AppData\Roaming\Winamp
2014-02-21 14:40 - 2014-02-21 14:40 - 00000000 ____D () C:\Users\William R\AppData\Local\Blizzard
2014-02-21 04:37 - 2014-02-21 14:40 - 00000000 ____D () C:\Program Files (x86)\Hearthstone
2014-02-21 04:37 - 2014-02-21 04:37 - 00001189 _____ () C:\Users\Public\Desktop\Hearthstone.lnk
2014-02-21 04:36 - 2014-02-28 04:27 - 00000000 ____D () C:\Users\William R\AppData\Local\Battle.net
2014-02-21 04:36 - 2014-02-21 04:38 - 00000000 ____D () C:\Users\William R\AppData\Roaming\Battle.net
2014-02-21 04:36 - 2014-02-21 04:36 - 00001152 _____ () C:\Users\Public\Desktop\Battle.net.lnk
2014-02-21 04:36 - 2014-02-21 04:36 - 00000000 ____D () C:\Users\William R\AppData\Local\Blizzard Entertainment
2014-02-21 04:35 - 2014-02-21 04:36 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2014-02-21 04:32 - 2014-02-21 04:32 - 05971136 _____ (Blizzard Entertainment) C:\Users\William R\Downloads\Hearthstone-Beta-Setup-enUS.exe
2014-02-19 22:30 - 2014-02-19 22:30 - 01337627 _____ () C:\Users\William R\Downloads\TITS_0.02.6.swf
2014-02-19 20:41 - 2014-02-19 20:41 - 00000000 ____D () C:\Users\William R\AppData\Local\Sonic_Solutions
2014-02-19 20:35 - 2014-02-19 20:35 - 00000000 ____D () C:\Users\William R\Desktop\ppsspp_win
2014-02-19 20:33 - 2014-02-19 20:34 - 12237791 _____ () C:\Users\William R\Desktop\ppsspp_win.zip
2014-02-19 00:41 - 2014-02-19 00:41 - 00000000 ____D () C:\Users\William R\Desktop\jpcsp-1772-windows-x86
2014-02-19 00:38 - 2014-02-19 00:38 - 10857603 _____ () C:\Users\William R\Desktop\jpcsp-1772-windows-x86.7z
2014-02-19 00:04 - 2014-02-20 00:49 - 00000000 ____D () C:\Users\William R\Downloads\Zooskool
2014-02-17 21:31 - 2014-02-17 21:31 - 00000000 ____D () C:\Users\William R\Downloads\Pretty Warrior May Cry - Enhanced Edition
2014-02-17 21:29 - 2014-02-17 21:29 - 1071620926 _____ () C:\Users\William R\Downloads\Pretty Warrior May Cry - Enhanced Edition.rar
2014-02-17 20:55 - 2014-02-17 20:55 - 00004999 _____ () C:\Users\William R\Downloads\codenamepwmc (1).txt
2014-02-17 20:51 - 2014-02-17 20:51 - 00004999 _____ () C:\Users\William R\Downloads\codenamepwmc.txt
2014-02-13 02:14 - 2013-12-21 04:53 - 00548864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-02-13 02:14 - 2013-12-21 03:56 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-02-13 02:13 - 2014-02-06 07:16 - 23170048 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-13 02:13 - 2014-02-06 06:30 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-13 02:13 - 2014-02-06 06:30 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-02-13 02:13 - 2014-02-06 06:12 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-13 02:13 - 2014-02-06 06:07 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-13 02:13 - 2014-02-06 06:06 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-02-13 02:13 - 2014-02-06 05:57 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-13 02:13 - 2014-02-06 05:56 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-13 02:13 - 2014-02-06 05:52 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-13 02:13 - 2014-02-06 05:49 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-13 02:13 - 2014-02-06 05:48 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-02-13 02:13 - 2014-02-06 05:48 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-02-13 02:13 - 2014-02-06 05:38 - 17103872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-13 02:13 - 2014-02-06 05:32 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-13 02:13 - 2014-02-06 05:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-13 02:13 - 2014-02-06 05:17 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-13 02:13 - 2014-02-06 05:11 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-13 02:13 - 2014-02-06 05:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-13 02:13 - 2014-02-06 05:00 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-13 02:13 - 2014-02-06 04:57 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-13 02:13 - 2014-02-06 04:57 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-13 02:13 - 2014-02-06 04:52 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-13 02:13 - 2014-02-06 04:52 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-13 02:13 - 2014-02-06 04:50 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-13 02:13 - 2014-02-06 04:49 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-13 02:13 - 2014-02-06 04:47 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-13 02:13 - 2014-02-06 04:46 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-13 02:13 - 2014-02-06 04:25 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-13 02:13 - 2014-02-06 04:25 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-13 02:13 - 2014-02-06 04:24 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-13 02:13 - 2014-02-06 04:22 - 13051392 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-13 02:13 - 2014-02-06 04:13 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-13 02:13 - 2014-02-06 04:09 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-13 02:13 - 2014-02-06 04:03 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-13 02:13 - 2014-02-06 03:55 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-13 02:13 - 2014-02-06 03:41 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-13 02:13 - 2014-02-06 03:40 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-13 02:13 - 2014-02-06 03:36 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-13 02:13 - 2014-02-06 03:34 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-02-12 20:57 - 2014-02-12 20:57 - 07005741 _____ () C:\Users\William R\Downloads\CoC_0.8.4.6.swf
2014-02-12 20:09 - 2013-12-31 18:05 - 00420008 _____ () C:\Windows\SysWOW64\locale.nls
2014-02-12 20:09 - 2013-12-31 18:04 - 00420008 _____ () C:\Windows\system32\locale.nls
2014-02-12 20:09 - 2013-12-05 21:30 - 01882112 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-02-12 20:09 - 2013-12-05 21:30 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-02-12 20:09 - 2013-12-05 21:02 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-02-12 20:09 - 2013-12-05 21:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-02-12 20:09 - 2013-12-03 21:27 - 00488448 _____ (Microsoft Corporation) C:\Windows\system32\secproc.dll
2014-02-12 20:09 - 2013-12-03 21:27 - 00485888 _____ (Microsoft Corporation) C:\Windows\system32\secproc_isv.dll
2014-02-12 20:09 - 2013-12-03 21:27 - 00123392 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp_isv.dll
2014-02-12 20:09 - 2013-12-03 21:27 - 00123392 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp.dll
2014-02-12 20:09 - 2013-12-03 21:26 - 00528384 _____ (Microsoft Corporation) C:\Windows\system32\msdrm.dll
2014-02-12 20:09 - 2013-12-03 21:16 - 00658432 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_isv.exe
2014-02-12 20:09 - 2013-12-03 21:16 - 00626176 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate.exe
2014-02-12 20:09 - 2013-12-03 21:16 - 00553984 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp.exe
2014-02-12 20:09 - 2013-12-03 21:16 - 00552960 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp_isv.exe
2014-02-12 20:09 - 2013-12-03 21:03 - 00428032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc.dll
2014-02-12 20:09 - 2013-12-03 21:03 - 00423936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_isv.dll
2014-02-12 20:09 - 2013-12-03 21:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_ssp_isv.dll
2014-02-12 20:09 - 2013-12-03 21:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_ssp.dll
2014-02-12 20:09 - 2013-12-03 21:02 - 00390144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdrm.dll
2014-02-12 20:09 - 2013-12-03 20:54 - 00594944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_isv.exe
2014-02-12 20:09 - 2013-12-03 20:54 - 00572416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate.exe
2014-02-12 20:09 - 2013-12-03 20:54 - 00510976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_ssp.exe
2014-02-12 20:09 - 2013-12-03 20:54 - 00508928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
2014-02-12 20:07 - 2013-12-24 18:09 - 01987584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2014-02-12 20:07 - 2013-12-24 17:48 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-02-12 20:07 - 2013-11-26 03:16 - 03419136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2014-02-12 20:07 - 2013-11-22 17:48 - 03928064 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2014-02-11 23:52 - 2014-02-11 23:52 - 00000000 ____D () C:\Users\William R\Downloads\Jay Naylor - The Rise of the Wolf Queen part 2
2014-02-11 23:51 - 2014-02-11 23:52 - 06152466 _____ () C:\Users\William R\Downloads\Jay Naylor - The Rise of the Wolf Queen part 2.rar
2014-02-08 05:12 - 2014-02-08 05:54 - 00000481 _____ () C:\Users\William R\Desktop\EVILE.txt
2014-02-07 22:28 - 2014-02-08 03:40 - 00000000 ____D () C:\Users\William R\Downloads\Yosino 3D loli animations, Hentai
2014-02-07 00:38 - 2014-02-07 00:38 - 00126868 _____ () C:\Users\William R\Downloads\SS_Enh.zip
 
==================== One Month Modified Files and Folders =======
 
2014-03-02 03:23 - 2014-03-02 02:34 - 00000000 ____D () C:\Users\William R\Desktop\Malware Work
2014-03-02 03:23 - 2014-03-02 00:35 - 00000000 ____D () C:\FRST
2014-03-02 03:14 - 2012-03-18 03:27 - 00000000 ____D () C:\Users\William R\AppData\Roaming\BitTorrent
2014-03-02 03:00 - 2012-02-15 19:08 - 01171353 _____ () C:\Windows\WindowsUpdate.log
2014-03-02 02:30 - 2014-03-02 02:30 - 00018069 _____ () C:\Users\William R\Desktop\attach.txt
2014-03-02 02:30 - 2014-03-02 02:30 - 00017628 _____ () C:\Users\William R\Desktop\dds.txt
2014-03-02 02:20 - 2012-05-29 22:15 - 00001171 _____ () C:\Users\William R\Desktop\supportbank.txt
2014-03-02 02:20 - 2009-07-13 23:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-02 02:20 - 2009-07-13 23:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-02 02:17 - 2009-07-14 00:13 - 00783424 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-02 02:14 - 2014-02-23 00:53 - 00000000 ___HD () C:\ProgramData\NTKernel
2014-03-02 02:13 - 2014-03-02 00:11 - 00000616 _____ () C:\Windows\setupact.log
2014-03-02 02:13 - 2012-02-15 18:01 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2014-03-02 02:13 - 2012-02-15 18:01 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2014-03-02 02:13 - 2012-02-15 17:31 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-03-02 02:06 - 2014-03-02 02:05 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\William R\Downloads\rkill.exe
2014-03-02 02:05 - 2014-03-02 01:54 - 224608616 _____ (Emsisoft GmbH ) C:\Users\William R\Downloads\EmsisoftAntiMalwareSetup.exe
2014-03-02 02:01 - 2014-03-02 02:01 - 00688992 ____R (Swearware) C:\Users\William R\Desktop\dds.com
2014-03-02 01:23 - 2014-03-02 01:23 - 00000000 _____ () C:\Users\William R\Downloads\eset_nod32_antivirus_live_installer.exe.c1ktzvz.partial
2014-03-02 01:19 - 2014-03-02 01:19 - 02347384 _____ (ESET) C:\Users\William R\Downloads\esetsmartinstaller_enu.exe
2014-03-02 01:19 - 2014-03-02 01:19 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-03-02 01:13 - 2014-03-02 01:13 - 00139704 _____ (ESET) C:\Windows\system32\Drivers\efavdrv.sys
2014-03-02 01:13 - 2014-03-02 01:13 - 00000000 ____D () C:\ProgramData\ESET
2014-03-02 01:13 - 2014-03-02 01:11 - 02991832 _____ (ESET) C:\Users\William R\Downloads\ERARemover_x64.exe
2014-03-02 01:10 - 2014-03-02 01:10 - 00005602 _____ () C:\Users\William R\Downloads\exe-fix.bat
2014-03-02 01:06 - 2014-03-02 01:05 - 25640672 _____ (Microsoft Corporation) C:\Users\William R\Downloads\Windows-KB890830-x64-V5.9.exe
2014-03-02 01:00 - 2014-03-01 22:16 - 00000000 ___HD () C:\NTKernel
2014-03-02 00:55 - 2014-03-02 00:11 - 00023898 _____ () C:\Windows\PFRO.log
2014-03-02 00:50 - 2014-03-02 00:50 - 00085504 _____ () C:\Users\William R\Desktop\Inherit.exe
2014-03-02 00:48 - 2014-03-02 00:48 - 00080456 _____ (Malwarebytes Corporation) C:\Users\William R\Downloads\mbam-clean-1.60.2.0003.exe
2014-03-02 00:45 - 2014-03-02 00:45 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\William R\Downloads\mbam-setup-1.75.0.1300 (1).exe
2014-03-02 00:40 - 2014-03-02 00:40 - 00000000 _____ () C:\Windows\SysWOW64\config.nt
2014-03-02 00:37 - 2014-03-02 00:37 - 00030917 _____ () C:\Users\William R\Downloads\Addition.txt
2014-03-02 00:37 - 2014-03-02 00:36 - 00042062 _____ () C:\Users\William R\Downloads\FRST.txt
2014-03-02 00:35 - 2014-03-02 00:35 - 02156544 _____ (Farbar) C:\Users\William R\Downloads\FRST64.exe
2014-03-02 00:26 - 2014-02-23 00:54 - 00000000 _____ () C:\Users\William R\Documents\315load32.exe
2014-03-02 00:23 - 2014-03-02 00:23 - 00000000 ____D () C:\Windows\pss
2014-03-02 00:11 - 2014-03-02 00:11 - 00000000 _____ () C:\Windows\setuperr.log
2014-03-02 00:11 - 2012-02-23 23:04 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-03-02 00:07 - 2014-03-02 00:07 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-02 00:07 - 2014-03-02 00:07 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-02 00:06 - 2014-03-02 00:05 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\William R\Downloads\mbam-setup-1.75.0.1300.exe
2014-03-02 00:03 - 2014-03-02 00:02 - 04697744 _____ (AVAST Software) C:\Users\William R\Downloads\avast_free_antivirus_setup_online.exe
2014-03-02 00:01 - 2014-03-02 00:01 - 00278012 _____ () C:\Users\William R\Documents\cc_20140302_000107.reg
2014-03-01 23:52 - 2014-03-01 23:50 - 88504776 _____ (AVAST Software) C:\Users\William R\Downloads\avast_free_antivirus_setup (3).exe
2014-03-01 23:46 - 2014-03-01 23:46 - 00000000 _____ () C:\Users\William R\Downloads\reset_access_avg9_en.exe
2014-03-01 23:42 - 2014-03-01 23:42 - 04462384 _____ (AVG Technologies) C:\Users\William R\Downloads\avg_free_stb_all_2014_4335_cnet.exe
2014-03-01 23:37 - 2014-03-01 23:34 - 90578216 _____ (AVAST Software) C:\Users\William R\Downloads\avast_free_antivirus_setup (2).exe
2014-03-01 23:36 - 2012-02-15 17:55 - 00000000 ____D () C:\ProgramData\McAfee
2014-03-01 23:23 - 2014-03-01 23:21 - 03218352 _____ (McAfee, Inc.) C:\Users\William R\Downloads\MCPR.exe
2014-03-01 23:22 - 2012-10-03 19:58 - 00000000 ____D () C:\Users\William R\AppData\Roaming\TS3Client
2014-03-01 23:22 - 2012-09-14 19:30 - 00000000 ____D () C:\Users\William R\AppData\Roaming\Ventrilo
2014-03-01 23:22 - 2012-02-28 20:27 - 00000000 ____D () C:\Users\William R\Tracing
2014-03-01 23:22 - 2011-02-10 09:02 - 00000000 ____D () C:\Windows\panther
2014-03-01 23:18 - 2014-03-01 23:18 - 00000784 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-03-01 23:18 - 2014-03-01 23:18 - 00000000 ____D () C:\Program Files\CCleaner
2014-03-01 23:18 - 2014-03-01 23:17 - 04765152 _____ (Piriform Ltd) C:\Users\William R\Downloads\ccsetup411.exe
2014-03-01 23:03 - 2014-03-01 22:55 - 90578216 _____ (AVAST Software) C:\Users\William R\Downloads\avast_free_antivirus_setup (1).exe
2014-03-01 23:03 - 2012-02-23 23:03 - 00000000 ____D () C:\Users\William R\AppData\Local\Nero
2014-03-01 22:53 - 2013-09-27 23:32 - 00000000 ____D () C:\ProgramData\Oracle
2014-03-01 22:52 - 2014-03-01 22:51 - 00005146 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_51-b13.log
2014-03-01 22:52 - 2013-12-12 16:57 - 00000000 ____D () C:\Program Files (x86)\Java
2014-03-01 22:48 - 2012-02-23 16:38 - 00074856 _____ () C:\Users\William R\AppData\Local\GDIPFONTCACHEV1.DAT
2014-03-01 22:47 - 2009-07-13 23:45 - 00322280 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-01 22:23 - 2014-03-01 22:23 - 00000068 _____ () C:\Update.Microsoft.com.url
2014-03-01 22:15 - 2014-03-01 22:15 - 00000000 ____D () C:\ProgramData\AVAST Software
2014-03-01 22:15 - 2014-03-01 22:13 - 90578216 _____ (AVAST Software) C:\Users\William R\Downloads\avast_free_antivirus_setup.exe
2014-02-28 23:02 - 2014-02-25 20:06 - 00000222 _____ () C:\Users\William R\Desktop\Spacebase DF-9.url
2014-02-28 04:27 - 2014-02-21 04:36 - 00000000 ____D () C:\Users\William R\AppData\Local\Battle.net
2014-02-28 03:02 - 2011-02-10 11:10 - 00775546 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-02-26 22:21 - 2014-01-27 01:34 - 00000000 _____ () C:\Users\William R\Downloads\BreedingSeason4.2.exe
2014-02-26 08:20 - 2012-02-28 20:40 - 00000000 ____D () C:\Users\William R\AppData\Roaming\SoftGrid Client
2014-02-25 19:33 - 2014-02-25 19:33 - 00000000 ____D () C:\Users\William R\Documents\SpacebaseDF9
2014-02-24 19:19 - 2012-11-24 16:15 - 00000000 ____D () C:\Users\William R\AppData\Roaming\ftblauncher
2014-02-24 19:18 - 2012-09-16 16:53 - 00000000 ____D () C:\Users\William R\Desktop\Minecraft
2014-02-23 16:21 - 2014-02-23 16:21 - 00000000 ____D () C:\Users\William R\Downloads\SoTP
2014-02-23 16:20 - 2014-02-23 16:20 - 00000000 ____D () C:\Users\William R\Downloads\CassidyOriginRev1
2014-02-23 16:20 - 2014-02-23 16:19 - 30914975 _____ () C:\Users\William R\Downloads\SoTP.zip
2014-02-23 16:19 - 2014-02-23 16:18 - 61986111 _____ () C:\Users\William R\Downloads\CassidyOriginRev1.zip
2014-02-23 16:16 - 2014-02-23 16:16 - 00000000 ____D () C:\Users\William R\Downloads\Sylvia_Tentatwo
2014-02-23 16:15 - 2014-02-23 16:15 - 09704345 _____ () C:\Users\William R\Downloads\Sylvia_Tentatwo.zip
2014-02-23 16:09 - 2014-02-23 16:09 - 00000000 ____D () C:\Users\William R\Downloads\TroubleInTheLab 2
2014-02-23 16:09 - 2014-02-23 16:07 - 10063267 _____ () C:\Users\William R\Downloads\TroubleInTheLab 2.zip
2014-02-23 00:54 - 2012-02-23 16:39 - 00000000 ___RD () C:\Users\William R\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-02-23 00:53 - 2014-02-23 00:53 - 00000000 ____D () C:\Users\William R\AppData\Roaming\Winamp
2014-02-23 00:48 - 2013-05-21 18:06 - 00003440 _____ () C:\Windows\System32\Tasks\PCDEventLauncherTask
2014-02-23 00:43 - 2012-07-22 15:31 - 00000000 ____D () C:\Users\William R\AppData\Roaming\Skype
2014-02-23 00:23 - 2012-04-03 14:03 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-23 00:04 - 2013-12-12 16:47 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-22 22:23 - 2012-04-03 14:03 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-02-22 22:23 - 2012-04-03 14:02 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-02-22 22:23 - 2012-02-15 17:13 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-02-22 21:39 - 2013-12-12 16:47 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-22 21:38 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-21 14:40 - 2014-02-21 14:40 - 00000000 ____D () C:\Users\William R\AppData\Local\Blizzard
2014-02-21 14:40 - 2014-02-21 04:37 - 00000000 ____D () C:\Program Files (x86)\Hearthstone
2014-02-21 12:09 - 2013-05-21 18:05 - 00000000 ____D () C:\Program Files\My Dell
2014-02-21 12:09 - 2012-02-25 13:00 - 00000000 ____D () C:\ProgramData\PCDr
2014-02-21 04:38 - 2014-02-21 04:36 - 00000000 ____D () C:\Users\William R\AppData\Roaming\Battle.net
2014-02-21 04:37 - 2014-02-21 04:37 - 00001189 _____ () C:\Users\Public\Desktop\Hearthstone.lnk
2014-02-21 04:36 - 2014-02-21 04:36 - 00001152 _____ () C:\Users\Public\Desktop\Battle.net.lnk
2014-02-21 04:36 - 2014-02-21 04:36 - 00000000 ____D () C:\Users\William R\AppData\Local\Blizzard Entertainment
2014-02-21 04:36 - 2014-02-21 04:35 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2014-02-21 04:32 - 2014-02-21 04:32 - 05971136 _____ (Blizzard Entertainment) C:\Users\William R\Downloads\Hearthstone-Beta-Setup-enUS.exe
2014-02-20 22:57 - 2013-09-17 20:59 - 00000000 ____D () C:\ProgramData\Package Cache
2014-02-20 22:49 - 2013-04-12 11:22 - 00000000 ____D () C:\Users\William R\AppData\Local\Warframe
2014-02-20 21:48 - 2012-03-04 14:56 - 00000000 ____D () C:\Program Files (x86)\Origin
2014-02-20 21:47 - 2012-02-15 17:49 - 00000000 ____D () C:\ProgramData\Sonic
2014-02-20 14:12 - 2013-12-12 16:48 - 00002185 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-02-20 00:49 - 2014-02-19 00:04 - 00000000 ____D () C:\Users\William R\Downloads\Zooskool
2014-02-19 22:30 - 2014-02-19 22:30 - 01337627 _____ () C:\Users\William R\Downloads\TITS_0.02.6.swf
2014-02-19 20:41 - 2014-02-19 20:41 - 00000000 ____D () C:\Users\William R\AppData\Local\Sonic_Solutions
2014-02-19 20:41 - 2012-02-23 16:39 - 00000000 ____D () C:\Users\William R\AppData\Roaming\Roxio
2014-02-19 20:35 - 2014-02-19 20:35 - 00000000 ____D () C:\Users\William R\Desktop\ppsspp_win
2014-02-19 20:34 - 2014-02-19 20:33 - 12237791 _____ () C:\Users\William R\Desktop\ppsspp_win.zip
2014-02-19 00:41 - 2014-02-19 00:41 - 00000000 ____D () C:\Users\William R\Desktop\jpcsp-1772-windows-x86
2014-02-19 00:38 - 2014-02-19 00:38 - 10857603 _____ () C:\Users\William R\Desktop\jpcsp-1772-windows-x86.7z
2014-02-17 21:31 - 2014-02-17 21:31 - 00000000 ____D () C:\Users\William R\Downloads\Pretty Warrior May Cry - Enhanced Edition
2014-02-17 21:29 - 2014-02-17 21:29 - 1071620926 _____ () C:\Users\William R\Downloads\Pretty Warrior May Cry - Enhanced Edition.rar
2014-02-17 20:55 - 2014-02-17 20:55 - 00004999 _____ () C:\Users\William R\Downloads\codenamepwmc (1).txt
2014-02-17 20:51 - 2014-02-17 20:51 - 00004999 _____ () C:\Users\William R\Downloads\codenamepwmc.txt
2014-02-15 13:59 - 2013-12-12 16:47 - 00003900 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-02-15 13:59 - 2013-12-12 16:47 - 00003648 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-02-14 17:58 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-02-14 14:46 - 2012-02-23 16:38 - 00000000 ____D () C:\Users\William R\AppData\Local\VirtualStore
2014-02-13 00:06 - 2012-08-29 16:46 - 00000000 ____D () C:\Users\William R\Downloads\DND Books
2014-02-12 20:57 - 2014-02-12 20:57 - 07005741 _____ () C:\Users\William R\Downloads\CoC_0.8.4.6.swf
2014-02-11 23:52 - 2014-02-11 23:52 - 00000000 ____D () C:\Users\William R\Downloads\Jay Naylor - The Rise of the Wolf Queen part 2
2014-02-11 23:52 - 2014-02-11 23:51 - 06152466 _____ () C:\Users\William R\Downloads\Jay Naylor - The Rise of the Wolf Queen part 2.rar
2014-02-11 16:19 - 2009-07-14 00:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2014-02-11 16:15 - 2009-07-14 00:08 - 00032548 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-02-08 05:54 - 2014-02-08 05:12 - 00000481 _____ () C:\Users\William R\Desktop\EVILE.txt
2014-02-08 03:40 - 2014-02-07 22:28 - 00000000 ____D () C:\Users\William R\Downloads\Yosino 3D loli animations, Hentai
2014-02-07 00:38 - 2014-02-07 00:38 - 00126868 _____ () C:\Users\William R\Downloads\SS_Enh.zip
2014-02-06 07:16 - 2014-02-13 02:13 - 23170048 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-06 06:30 - 2014-02-13 02:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-06 06:30 - 2014-02-13 02:13 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-02-06 06:12 - 2014-02-13 02:13 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-06 06:07 - 2014-02-13 02:13 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-06 06:06 - 2014-02-13 02:13 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-02-06 05:57 - 2014-02-13 02:13 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-06 05:56 - 2014-02-13 02:13 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-06 05:52 - 2014-02-13 02:13 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-06 05:49 - 2014-02-13 02:13 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-06 05:48 - 2014-02-13 02:13 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-02-06 05:48 - 2014-02-13 02:13 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-02-06 05:38 - 2014-02-13 02:13 - 17103872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-06 05:32 - 2014-02-13 02:13 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-06 05:20 - 2014-02-13 02:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-06 05:17 - 2014-02-13 02:13 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-06 05:11 - 2014-02-13 02:13 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-06 05:01 - 2014-02-13 02:13 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-06 05:00 - 2014-02-13 02:13 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-06 04:57 - 2014-02-13 02:13 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-06 04:57 - 2014-02-13 02:13 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-06 04:52 - 2014-02-13 02:13 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-06 04:52 - 2014-02-13 02:13 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-06 04:50 - 2014-02-13 02:13 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-06 04:49 - 2014-02-13 02:13 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-06 04:47 - 2014-02-13 02:13 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-06 04:46 - 2014-02-13 02:13 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-06 04:25 - 2014-02-13 02:13 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-06 04:25 - 2014-02-13 02:13 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-06 04:24 - 2014-02-13 02:13 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-06 04:22 - 2014-02-13 02:13 - 13051392 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-06 04:13 - 2014-02-13 02:13 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-06 04:09 - 2014-02-13 02:13 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-06 04:03 - 2014-02-13 02:13 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-06 03:55 - 2014-02-13 02:13 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-06 03:41 - 2014-02-13 02:13 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-06 03:40 - 2014-02-13 02:13 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-06 03:36 - 2014-02-13 02:13 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-06 03:34 - 2014-02-13 02:13 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-02-04 19:09 - 2014-03-02 01:06 - 88567024 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-02-01 18:48 - 2012-03-04 14:57 - 00000000 ____D () C:\ProgramData\Origin
 
Files to move or delete:
====================
C:\ProgramData\load32.exe
C:\ProgramData\NTKernel
C:\Users\William R\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url
C:\NTKernel
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-02-21 05:24
 
==================== End Of Log ============================

 

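The "Bamital & volsnap Check" section of the FRST log above hashes a fixed list of core Windows binaries and reports "MD5 is legit" when each digest matches a known-good value. The script below is an added illustration of that baseline comparison, written for this page; it is not FRST's code and does not come from the thread. It builds a small fake System32 tree in a temporary directory, records a baseline while the files are clean, patches one file, and then reports legit, MODIFIED or MISSING per entry. All paths, file contents and digests are constructed. MD5 is used only because that is what the log reports; a baseline you record yourself should use SHA-256 (pass algorithm="sha256"), since MD5 collisions are practical and a matching MD5 is weaker evidence than a matching SHA-256.

```python
"""Baseline hash check of critical binaries (added example, not FRST's code).

Mirrors what the "Bamital & volsnap Check" section of an FRST log reports:
each listed file is hashed and compared with a known-good digest. Everything
below (directory tree, file contents, baseline digests) is constructed in a
temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=1 << 16):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_baseline(root, baseline, algorithm="md5"):
    """Return {relative_windows_path: "legit" | "MODIFIED" | "MISSING"}.

    `baseline` maps a backslash-separated path (relative to `root`) to the
    digest recorded when the file was known to be clean.
    """
    results = {}
    for rel, expected in baseline.items():
        path = os.path.join(root, *rel.split("\\"))
        if not os.path.isfile(path):
            results[rel] = "MISSING"
            continue
        actual = file_digest(path, algorithm)
        results[rel] = "legit" if actual.lower() == expected.lower() else "MODIFIED"
    return results


def build_demo_tree():
    """Constructed sample: a fake System32 with three clean files, then tamper with one."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    contents = {
        "System32\\winlogon.exe": b"constructed clean winlogon image",
        "System32\\wininit.exe": b"constructed clean wininit image",
        "System32\\Drivers\\volsnap.sys": b"constructed clean volsnap driver",
    }
    for rel, data in contents.items():
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    # Record the baseline while the tree is known good.
    baseline = {rel: file_digest(os.path.join(root, *rel.split("\\"))) for rel in contents}
    # A baseline entry whose file is absent on this machine (digest is a placeholder).
    baseline["System32\\services.exe"] = "0" * 32
    # Simulate a patched system binary: append bytes to wininit.exe after baselining.
    with open(os.path.join(root, "System32", "wininit.exe"), "ab") as fh:
        fh.write(b"constructed appended stub")
    return root, baseline


def run_demo():
    """Build the sample tree and verify it; returns the per-file verdicts."""
    root, baseline = build_demo_tree()
    return verify_baseline(root, baseline)


if __name__ == "__main__":
    for rel, status in sorted(run_demo().items()):
        print(f"{rel} => {status}")
```

On a real machine the baseline would come from a clean reference install or a vendor file catalog rather than from the machine under investigation; a digest recorded after infection only proves that nothing changed since then.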



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:38 AM

Posted 02 March 2014 - 03:39 PM

Hi,
 
 
Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.
 
 
Regards,
Georgi




#5 SquirrelWizard

Posted 02 March 2014 - 05:27 PM

Sorry, I couldn't get this uploaded any other way. Forum attachments were too small, and putting it in the post causes my browser to time out.
 


#6 B-boy/StyLe/

Posted 03 March 2014 - 05:08 AM

Hi,

 

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

 

 

Regards,

Georgi




#7 SquirrelWizard

Posted 03 March 2014 - 07:49 PM

Fixlog attached.




#8 B-boy/StyLe/

Posted 03 March 2014 - 08:17 PM

Hello,

 

 

Ahhh, I forgot to add cmd: before the dir command in the script above... Anyway, I'll use OTL to see if I missed something else.

How are things now? Is there any improvement in the system behaviour?

 

 

  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox at the top.
    - Under File Scans, change File age to 90.
    - Change Standard Registry to All.
    - Check the boxes beside LOP Check and Purity Check.
  • Copy and paste the following code into the Custom Scans/Fixes textbox.
  • Don't copy the word "quoted".

    Quote

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %SYSTEMDRIVE%\*.
    %USERPROFILE%\*.*
    %USERPROFILE%\*.
    %USERPROFILE%\*.exe /s
    %USERPROFILE%\Documents\*.*
    %USERPROFILE%\Downloads\*.*
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Local\*.
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\*.*
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\*.
    %USERPROFILE%\AppData\Local\temp\*.exe
    %USERPROFILE%\AppData\Roaming\*.*
    %USERPROFILE%\AppData\Roaming\*.
    %ProgramData%\*.*
    %ProgramData%\*.
    %programdata%\Microsoft\Windows\DRM\*.tmp
    %programdata%\Microsoft\DRM\*.tmp
    C:\Users\All Users\*.exe /s
    C:\Users\Default\*.exe /s
    C:\Users\Public\*.exe /s
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\*.
    %CommonProgramFiles%\ComObjects\*.*
    %ProgramFiles%\*.*
    %ProgramFiles%\*.
    %Public%\Documents\*.*
    %Public%\Documents\*.
    %systemroot%\System32\config\systemprofile\*.exe /s
    %systemroot%\System32\config\systemprofile\*.*
    %systemroot%\System32\config\systemprofile\*.
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %systemroot%\system32\config\systemprofile\AppData\Local\*.
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.
    %systemroot%\SysWow64\config\systemprofile\*.exe /s
    %systemroot%\SysWow64\config\systemprofile\*.*
    %systemroot%\SysWow64\config\systemprofile\*.
    %systemroot%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %systemroot%\SysWOW64\config\systemprofile\AppData\Local\*.
    %systemroot%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    %systemroot%\SysWOW64\config\systemprofile\AppData\Roaming\*.
    %systemroot%\ServiceProfiles\*.exe /s
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\*.*
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\*.
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
    %systemroot%\ServiceProfiles\LocalService\AppData\Roaming\*.*
    %systemroot%\ServiceProfiles\LocalService\AppData\Roaming\*.
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\*.*
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\*.
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
    %systemroot%\ServiceProfiles\NetworkService\AppData\Roaming\*.*
    %systemroot%\ServiceProfiles\NetworkService\AppData\Roaming\*.
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\AppPatch\*.exe /s
    %windir%\ShellNew\*.*
    %windir%\installer\*.
    %windir%\system32\*.
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /90
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %SYSTEMDRIVE%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor /s
    HKCU\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32 /s
    HKLM\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32 /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scsimap /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{212B3DCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{A12BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188B} /s
    HKEY_CLASSES_ROOT\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A} /s
    HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers /s
    HKEY_CLASSES_ROOT\Directory\Shellex\CopyHookHandlers\MSCopy /s
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    type C:\WINDOWS\system.ini >> test.txt /c
    bcdedit /enum all /v >C:\boot.txt /c
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    smss.exe
    fastfat.sys
    atapi.sys
    serial.sys
    volsnap.sys
    disk.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    kbdclass.sys
    kbdhid.sys
    mouclass.sys
    mouhid.sys
    spldr.sys
    dfsc.sys
    hlp.dat
    str.sys
    cerxvx.ocx
    crexv.ocx
    msseedir.dll
    msdr.dll
    lmbd.dll
    wsse.dll
    intel.exe
    WService.dll

    iTunesHelper.dll
    /md5stop

  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Regards,

Georgi


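The custom-scan list in the post above tells OTL which locations to enumerate: %VAR% environment variables, *.* or *.ext for files, *. for folders, and a trailing /s for a recursive walk. The script below is an added example written for this page (it is not OTL's code and is not from the thread) that interprets exactly that subset of the syntax against a constructed directory tree laid out like the FRST findings earlier in the thread, with a load32.exe under ProgramData and a .url file in the user's Startup folder, so the reader can see what such a sweep surfaces. Treating *. as folders plus extensionless files is an assumption about OTL's meaning, flags other than /s are ignored, and the variable values, folder layout and file names are all constructed.

```python
"""Location sweep with OTL-style patterns (added example, not OTL's code).

Supports the subset of the custom-scan syntax used above: %VAR% expansion,
"*.*" / "*.ext" globs for files, "*." for folders (and extensionless files,
an assumption about OTL's meaning), and a trailing /s for a recursive walk.
Other flags (/90, /md5, /lockedfiles, ...) are ignored. The variable values,
folder layout and file names are constructed in a temporary directory.
"""
import fnmatch
import os
import re
import tempfile

VAR_RE = re.compile(r"%([^%]+)%")


def parse_pattern(line):
    """Split '<dir>\\<glob> /flag ...' into (dir, glob, recursive)."""
    head, *flags = re.split(r"\s+(?=/)", line.strip())
    recursive = any(flag.lower() == "/s" for flag in flags)
    directory, _, glob = head.rpartition("\\")
    return directory, glob, recursive


def expand_vars(text, env):
    """Replace %NAME% with env[NAME], case-insensitively, like cmd.exe does."""
    lookup = {k.lower(): v for k, v in env.items()}
    return VAR_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), text)


def sweep(line, env):
    """Return the sorted relative hits for one pattern line."""
    directory, glob, recursive = parse_pattern(line)
    base = os.path.join(*expand_vars(directory, env).split("\\"))
    hits = []
    for dirpath, dirnames, filenames in os.walk(base):
        if glob == "*.":
            names = list(dirnames) + [f for f in filenames if "." not in f]
        else:
            names = [f for f in filenames if fnmatch.fnmatchcase(f.lower(), glob.lower())]
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), base)
            hits.append(rel.replace(os.sep, "\\"))
        if not recursive:
            break  # top level only unless /s was given
    return sorted(hits)


SWEEP = [
    r"%ProgramData%\*.*",
    r"%ProgramData%\*.",
    r"%USERPROFILE%\*.exe /s",
    r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*",
]


def build_demo_tree():
    """Constructed layout echoing the FRST findings: load32.exe under ProgramData, a .url in Startup."""
    root = tempfile.mkdtemp(prefix="sweep-demo-")
    env = {
        "ProgramData": os.path.join(root, "ProgramData"),
        "USERPROFILE": os.path.join(root, "Users", "William R"),
    }
    startup = os.path.join(env["USERPROFILE"], "AppData", "Roaming", "Microsoft",
                           "Windows", "Start Menu", "Programs", "Startup")
    files = {
        os.path.join(env["ProgramData"], "load32.exe"): b"MZ constructed sample",
        os.path.join(env["ProgramData"], "NTKernel", "cfg.dat"): b"constructed",
        os.path.join(env["ProgramData"], "Microsoft", "readme.txt"): b"benign",
        os.path.join(startup, "Update.Microsoft.com.url"): b"[InternetShortcut]\r\n",
        os.path.join(env["USERPROFILE"], "Downloads", "tool.exe"): b"MZ constructed",
        os.path.join(env["USERPROFILE"], "Desktop", "notes.txt"): b"text",
    }
    for path, data in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return env


def run_demo():
    """Run every pattern in SWEEP against the constructed tree; returns {pattern: hits}."""
    env = build_demo_tree()
    return {line: sweep(line, env) for line in SWEEP}


if __name__ == "__main__":
    for line, hits in run_demo().items():
        print(line)
        for hit in hits:
            print("   ", hit)
```

The point of listing ProgramData, AppData and the Startup folder separately from Program Files is that the former are writable by a standard user, so an executable or shortcut appearing there without a matching installer is worth a second look, while the same file under Program Files would more likely have arrived through an elevated install.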


#9 SquirrelWizard

Posted 04 March 2014 - 09:33 PM

So far I've avoided trying to install anything on the computer to avoid screwing up things with the troubleshooting.

 

I tried running OTL like your post said, but it ends up freezing up mid-scan after telling me it cannot create a CMD.BAT file on my desktop.



#10 B-boy/StyLe/

Posted 05 March 2014 - 01:19 AM

Hi,

 

Restart the computer and try again. The error should disappear after restart.

 

 

Regards,

Georgi




#11 SquirrelWizard

Posted 05 March 2014 - 10:01 PM

I restarted the computer and got the same "cannot make cmd.bat" error when running the utility.

 

On another note, I've managed to install Avast! on my computer, but Malwarebytes still thinks it is already installed on the computer and refuses to install.



#12 B-boy/StyLe/

Posted 05 March 2014 - 10:49 PM

Hi,

 

Please do not run any programs on your own...

 

  • Create a Restore Point
  • Please download a fresh copy of Combofix from here.
  • Save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  • Double click it & follow the prompts.
  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.

 

 

Regards,
Georgi




#13 SquirrelWizard

Posted 06 March 2014 - 12:26 AM

Here is the log.




#14 B-boy/StyLe/

Posted 09 March 2014 - 03:08 AM

Hello,

 

I am sorry about the delay. I was out of town for a few days.

ComboFix log is clean... about the MBAM issue, can you please try the following.

Next download and install the latest version from here and let me know about the results.

 

 

Regards,

Georgi




#15 SquirrelWizard

Posted 09 March 2014 - 04:04 PM

I followed the instructions on the page, ran the malwarebytes uninstaller and restarted my computer.

 

After trying to install Malwarebytes again, I get the same error: CreateFile failed; code 80. The file exists.





