
Very very sick computer I can't get clean


This topic is locked.
21 replies to this topic

#1 aNEWvision

Posted 09 March 2014 - 09:28 PM

I have no idea what my sister did to infect her computer the way she did... buuuut she did it, so like a good brother I am out to fix it!

 

MBAM and Hijack logs incoming. As always, thank you in advance to whoever decides to help me. Cheers.

Spoiler (collapsed logs)

EDIT: Spoiler...ed logs of old posts for easier navigation...


Edited by aNEWvision, 10 March 2014 - 10:22 AM.



#2 aharonov

Posted 10 March 2014 - 05:10 AM

Hi there,

yes, the GMER log brings unpleasant news.


Step 1

Please download TDSSKiller and save it to your Desktop.

  • Start tdsskiller.exe with administrator privileges.
  • Accept the EULA and the KSN Statement.
  • Click on Change parameters.
  • Make sure that all available options (except "Loaded modules") are checked and click OK.
  • Click on Start scan.
  • If any threats are found don't delete them but choose the Skip option for all of them.
  • Click on Report to open the log file. (It is also saved at C:\TDSSKiller.<version_date_time>_log.txt).
    Copy and paste its contents in your next reply.

Step 2

Please download Farbar Recovery Scan Tool and save it to your Desktop.

  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.
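When the FRST.txt comes back, the responder's first pass over its "One Month Created Files and Folders" section is mechanical enough to script. The Python below is an added example written for this page; it is not part of FRST and was not posted by anyone in the thread. The three heuristics (executable with no publisher string, file with hidden/system attributes, executable created under a user-writable path such as AppData or ProgramData) are my own choice, and the sample lines are copied from the FRST log posted later in this thread except the last one, which is constructed to show an entry that should rank first.

```python
"""Triage the 'One Month Created Files and Folders' section of an FRST log.

Added example for this thread; it is not part of FRST or of anything posted
here. Each entry is scored against three responder heuristics: an executable
with no publisher string, a file carrying hidden/system attributes, and an
executable created in a location an ordinary user can write to. The result is
an ordering of what to look at first, not a verdict.
"""
import re
from typing import Dict, List

# FRST file entry: 'created - modified - size attrs (Company) path'
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"\((?P<company>[^)]*)\) (?P<path>.+)$"
)

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")

# Path fragments an unprivileged user (or a dropper running as that user) can write to.
USER_WRITABLE = (
    "\\appdata\\local\\", "\\appdata\\roaming\\",
    "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\users\\public\\",
)

# Sample input: the first five lines are copied from the FRST log posted in this
# thread; the last line is constructed to show an entry that should rank first.
SAMPLE_LOG = r"""
2014-03-10 19:16 - 2014-03-10 19:16 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-03-10 19:16 - 2014-03-10 19:15 - 02347384 _____ (ESET) C:\Users\Heather\Desktop\esetsmartinstaller_enu.exe
2014-03-10 11:58 - 2014-03-10 11:58 - 00000008 __RSH () C:\ProgramData\ntuser.pol
2014-03-10 08:25 - 2014-03-10 08:25 - 04130656 _____ (Kaspersky Lab ZAO) C:\Users\Heather\Desktop\tdsskiller.exe
2014-02-22 23:06 - 2014-02-22 23:06 - 00000076 _____ () C:\Users\Heather\AppData\Local\DVDPATH.TXT
2014-03-01 03:12 - 2014-03-01 03:12 - 00122880 _____ () C:\Users\Heather\AppData\Roaming\svchost.exe
"""


def parse_entries(log_text: str) -> List[dict]:
    """Return one dict per line that matches the FRST file-entry layout; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def reasons_for(entry: dict) -> List[str]:
    """Heuristic flags for one entry; an empty list means nothing notable."""
    attrs, path = entry["attrs"], entry["path"].lower()
    if "D" in attrs:
        return []  # directories carry no publisher; judge their contents instead
    reasons = []
    is_exec = path.endswith(EXECUTABLE_EXT)
    if is_exec and entry["company"] == "":
        reasons.append("no publisher")  # FRST prints () when the PE has no company/version info
    if "H" in attrs or "S" in attrs:
        reasons.append("hidden/system attributes")
    if is_exec and any(fragment in path for fragment in USER_WRITABLE):
        reasons.append("executable in user-writable location")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path (original case) to its reasons, in log order."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_entries(log_text):
        reasons = reasons_for(entry)
        if reasons:
            flagged[entry["path"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(reasons)}")
```

On the sample, the signed tools on the Desktop and the plain text file under AppData drop out, the hidden/system ntuser.pol is surfaced for a look (in this thread it turned out to be harmless policy residue), and the constructed unsigned svchost.exe under AppData\Roaming ranks first. The flags are a reading order, not a verdict: the helper still decides what goes into a fixlist.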


#3 aNEWvision (Topic Starter)

Posted 10 March 2014 - 07:41 AM

I am in safe mode using selective startup, by the way. I don't know if that matters, but I thought it wouldn't hurt to mention.

Spoiler (collapsed logs)

EDIT: Spoiler...ed logs of old posts for easier navigation...


Edited by aNEWvision, 10 March 2014 - 10:22 AM.


#4 aharonov

Posted 10 March 2014 - 08:07 AM

But are you able to boot in normal mode or not?


Start TDSSKiller.exe again with administrator privileges.
  • Set the parameters like in the first scan and click on Start scan.
  • This time select for the threat Rootkit.Boot.Wistler.a (and only for that) the option Cure (or Delete).
  • Click on Continue and allow the reboot.
  • Copy and paste the log file (C:\TDSSKiller.<version_date_time>_log.txt) of this run in your next reply.


#5 aNEWvision (Topic Starter)

Posted 10 March 2014 - 08:57 AM

Quote: "But are you able to boot in normal mode or not?"

Absolutely, it's just a little easier to work without a bunch of crap popping up everywhere :lmao:

Spoiler (collapsed logs)

EDIT: Spoiler...ed logs of old posts for easier navigation...


Edited by aNEWvision, 10 March 2014 - 10:22 AM.


#6 aharonov

Posted 10 March 2014 - 09:14 AM

All right. Let's continue then:


Step 1

Please uninstall some programs:

  • Click on the Start Menu button, open Control Panel and click Uninstall a program.
  • Search and select the following programs one by one and click on Uninstall:

    QuickShare
    UpdaterEX

  • Reboot your computer.

Step 2

Please download AdwCleaner (by Xplode) and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select "Run As Administrator"
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • After rebooting, a log file (that is saved in C:\AdwCleaner[S#].txt) will open automatically.
    Copy and paste the contents of that logfile in your next reply.

Step 3

Boot the computer in normal mode now to run a fresh FRST scan there.
Start FRST with administrator privileges.

  • Make sure the option Addition.txt (under Optional Scan) is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.


#7 aNEWvision (Topic Starter)

Posted 10 March 2014 - 09:59 AM

QuickShare uninstall FAILED - The Windows Installer Service could not be accessed.

UpdaterEx uninstall SUCCESSFUL

-----

Spoiler (collapsed logs)

EDIT: Spoiler...ed logs of old posts for easier navigation...


Edited by aNEWvision, 10 March 2014 - 11:00 AM.


#8 aharonov

Posted 10 March 2014 - 10:44 AM

Ok.


Step 1

Please download the attached fixlist.txt (3.94 KB) and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2

Please download Combofix (by sUBs) and save it to your Desktop.

  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start Combofix.exe and follow its instructions.
  • Do not use the computer while the scan is running. This may cause the program to stall.
  • When finished, a log file will be displayed (that can also be found at C:\Combofix.txt).
    Please copy and paste the contents of this file into your next post.

Note: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." after the scan, just restart the computer.
(You can find more detailed instructions in this guide on using Combofix.)



#9 aNEWvision (Topic Starter)

Posted 10 March 2014 - 11:04 AM

Fixlog

Spoiler (collapsed log)

-----

ComboFix run FAILED! - Not Admin

Ran as admin, checked run as admin in compatibility, no dice

EDIT: nomnomnom! long logs


Edited by aNEWvision, 10 March 2014 - 03:32 PM.


#10 aharonov

Posted 10 March 2014 - 11:15 AM

Hm, then try this instead:


Download Malwarebytes Anti-Rootkit to your desktop.
  • Double-click "mbar.exe" to start the tool.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"


#11 aNEWvision (Topic Starter)

Posted 10 March 2014 - 03:30 PM

Sorry for the delay... work and such

No Detections

Spoiler (collapsed logs)

EDIT: Hiding all the logs all the log long day


Edited by aNEWvision, 10 March 2014 - 11:57 PM.


#12 aharonov

Posted 10 March 2014 - 05:05 PM

All right.
How is the computer running now? What problems and symptoms are still present?


Step 1

Please download the ESET Online Scanner and save it to your Desktop.

  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.

Note: Do not forget to re-enable your antivirus application after running the above scan!



Step 2

Start FRST with administrator privileges.

  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.
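The ESET scan in Step 1 walks the whole disk, including the quarantine folders that AdwCleaner, FRST, ComboFix and TDSSKiller created earlier in this thread, so most of its "found" lines refer to files that are already neutralised and only the hits on live paths still need a fix. The Python below is an added example written for this page, not ESET's or BleepingComputer's code: it splits a pasted ESET log into already-quarantined and still-live findings and groups them by threat family. The quarantine path prefixes are assumptions taken from the folder names visible in this thread, and the sample lines are copied from the ESET output posted in the next reply.

```python
"""Split ESET Online Scanner findings into already-quarantined and still-live files.

Added example for this thread; it is not ESET's or BleepingComputer's code.
Assumptions: the log uses the 'path<spaces>detection' layout pasted in the
thread, and quarantine folders are recognised by the path prefixes of the
tools run earlier (AdwCleaner, FRST, ComboFix, TDSSKiller).
"""
import re
from typing import Dict, List, Tuple

# Quarantine roots created by the cleanup tools used in this thread (assumed prefixes).
QUARANTINE_PREFIXES = (
    "c:\\adwcleaner\\quarantine\\",
    "c:\\frst\\quarantine\\",
    "c:\\qoobox\\quarantine\\",
    "c:\\tdsskiller_quarantine\\",
)

# One finding: a Windows path, two or more spaces, then the detection text.
FINDING_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s{2,}(?P<detection>\S.*)$")

# Constructed sample input: lines copied from the ESET output posted in this thread.
SAMPLE_ESET_LOG = r"""
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbarUpdater.exe.vir    Win32/Toolbar.Zugo potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Heather\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll.vir    Win32/NextLive.A potentially unwanted application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\dgetvo6e@avsflktdwk.co.uk\content\bg.js    Win32/Adware.MultiPlug.H application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\{044597fc-e660-4c7f-9097-83b51dd08e70}\components\SmartbarFireFoxRemotePlugin_22.dll    a variant of Win32/Toolbar.Linkury.D potentially unwanted application
C:\Program Files\Uninstaller\Uninstall.exe    a variant of MSIL/DomaIQ.A potentially unwanted application
"""


def parse_eset_log(text: str) -> List[Tuple[str, str]]:
    """Return (path, detection) pairs for every line that looks like a finding."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append((m.group("path"), m.group("detection")))
    return findings


def family(detection: str) -> str:
    """Reduce 'a variant of Win32/Toolbar.Linkury.D potentially unwanted application'
    to 'Win32/Toolbar.Linkury' so findings can be grouped by threat family."""
    name = detection
    if name.startswith("a variant of "):
        name = name[len("a variant of "):]
    name = name.split(" ", 1)[0]                 # drop the category tail
    return re.sub(r"\.[A-Z]{1,2}$", "", name)    # drop the variant letter(s)


def classify(findings: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Bucket findings by whether the file already sits in a tool's quarantine folder."""
    buckets: Dict[str, List[Tuple[str, str]]] = {"quarantined": [], "live": []}
    for path, detection in findings:
        key = "quarantined" if path.lower().startswith(QUARANTINE_PREFIXES) else "live"
        buckets[key].append((path, detection))
    return buckets


def summarize(text: str) -> Dict[str, object]:
    """One-shot triage: what still needs action, and what was only a re-detection."""
    buckets = classify(parse_eset_log(text))
    return {
        "live": [p for p, _ in buckets["live"]],
        "quarantined_count": len(buckets["quarantined"]),
        "families": sorted({family(d) for _, d in buckets["quarantined"] + buckets["live"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ESET_LOG).items():
        print(f"{key}: {value}")
```

On the sample, four of the five findings are re-detections inside AdwCleaner's and FRST's quarantine folders (AdwCleaner marks its copies with a .vir suffix); the one live path is the only entry a fix still has to deal with. Unchecking "Remove found threats", as the instructions above say, is what keeps ESET from emptying the other tools' quarantines before the helper has reviewed them.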


#13 aNEWvision (Topic Starter)

Posted 10 March 2014 - 11:55 PM

Well, no programs and random popups are opening anymore, but it still hangs a bit after logging in and it's a bit slow... but it's progress.

ESET

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbarUpdater.exe.vir    Win32/Toolbar.Zugo potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Heather\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll.vir    Win32/Toolbar.Conduit.Y potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Heather\AppData\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.2.dll.vir    Win32/Toolbar.Conduit.Y potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Heather\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie2.2.1.zip.vir    a variant of Win32/Mobogenie.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Heather\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe.vir    a variant of Win32/Mobogenie.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Heather\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\Mobogenie.exe.vir    a variant of Win32/Mobogenie.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Heather\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll.vir    Win32/NextLive.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Heather\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\New_UpdateMoboGenie.exe.vir    a variant of Win32/Mobogenie.A potentially unwanted application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\0c822a17-a68f-4066-9257-d229458d21ca@9c178d17-dc61-4aaf-b2da-1425ac7300ac.com\extensionData\plugins\91_monetizationLoader.js.js    JS/Toolbar.Crossrider.B potentially unwanted application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\58ad0086-1cfb-48bb-8ad2-33a8905572bc@5715d2be-69b9-4930-8f7e-64bdeb961cfd.com\extensionData\plugins\91_monetizationLoader.js.js    JS/Toolbar.Crossrider.B potentially unwanted application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\dgetvo6e@avsflktdwk.co.uk\content\bg.js    Win32/Adware.MultiPlug.H application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\u.uiy@hdrcljfc-.edu\content\bg.js    Win32/Adware.MultiPlug.H application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\{044597fc-e660-4c7f-9097-83b51dd08e70}\components\SmartbarFireFoxRemotePlugin_20.dll    Win32/Toolbar.Linkury.D potentially unwanted application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\{044597fc-e660-4c7f-9097-83b51dd08e70}\components\SmartbarFireFoxRemotePlugin_21.dll    Win32/Toolbar.Linkury.D potentially unwanted application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\{044597fc-e660-4c7f-9097-83b51dd08e70}\components\SmartbarFireFoxRemotePlugin_22.dll    a variant of Win32/Toolbar.Linkury.D potentially unwanted application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\{044597fc-e660-4c7f-9097-83b51dd08e70}\components\SmartbarFireFoxRemotePlugin_23.dll    a variant of Win32/Toolbar.Linkury.D potentially unwanted application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\{044597fc-e660-4c7f-9097-83b51dd08e70}\components\SmartbarFireFoxRemotePlugin_24.dll    a variant of Win32/Toolbar.Linkury.D potentially unwanted application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\{044597fc-e660-4c7f-9097-83b51dd08e70}\components\SmartbarFireFoxRemotePlugin_25.dll    a variant of Win32/Toolbar.Linkury.D potentially unwanted application
C:\FRST\Quarantine\C\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default\Extensions\{044597fc-e660-4c7f-9097-83b51dd08e70}\components\SmartbarFireFoxRemotePlugin_26.dll    a variant of Win32/Toolbar.Linkury.D potentially unwanted application
C:\Program Files\Uninstaller\Uninstall.exe    a variant of MSIL/DomaIQ.A potentially unwanted application

-----

FRST

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-03-2014 02
Ran by Heather (administrator) on HEATHER-VAIO on 11-03-2014 00:50:36
Running from C:\Users\Heather\Desktop
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe
(PasswordBox, Inc.) C:\Program Files (x86)\PasswordBox\pbbtnService.exe
(ArcSoft, Inc.) C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
(Sony Corporation) C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
(Sony Corporation) C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Sony Corporation) C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
() C:\Program Files (x86)\Sony\SmartWi Connection Utility\CCP.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Sony Corporation) C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
() C:\Program Files (x86)\Sony\SmartWi Connection Utility\ThirdPartyAppMgr.exe
() C:\Program Files (x86)\Sony\SmartWi Connection Utility\PowerManager.exe
(Sony Electronics, Inc.) C:\Program Files\Sony\VAIO Care\VCsystray.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Power Management\SPMService.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
(Microsoft Corporation) C:\Windows\SysWOW64\DllHost.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Skytel] - C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-07-24] (Realtek Semiconductor Corp.)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7938080 2009-07-24] (Realtek Semiconductor)
HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [Apoint] - C:\Program Files\Apoint\Apoint.exe [208384 2009-08-03] (Alps Electric Co., Ltd.)
HKLM-x32\...\Run: [SmartWiHelper] - C:\Program Files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe [79872 2009-08-26] (Sony Electronics Corporation)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-09-17] (Apple Inc.)
HKLM-x32\...\Run: [ISBMgr.exe] - C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe [317288 2009-05-26] (Sony Corporation)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\VESWinlogon-x32: VESWinlogon.dll [X]
HKU\.DEFAULT\...\RunOnce: [SPReview] - C:\Windows\System32\SPReview\SPReview.exe [301568 2014-01-16] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
URLSearchHook: HKLM-x32 - (No Name) - {b3420a9c-a397-4409-b90d-bcf22da1a08a} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\gs7gjdg2.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_70.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_70.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8051.1204 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @facebook.com/FBPlugin,version=1.0.3 - C:\Users\Heather\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF HKLM-x32\...\Firefox\Extensions: [firefox@passwordbox.com] - C:\Program Files (x86)\PasswordBox\Firefox
FF Extension: PasswordBox - C:\Program Files (x86)\PasswordBox\Firefox [2013-11-20]

Chrome:
=======
CHR Extension: (No Name) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\aipfmkinhleccnodemkoofnnofpbbpac [2013-10-30]
CHR Extension: (Docs) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-10-30]
CHR Extension: (Google Drive) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-10-30]
CHR Extension: (deal4me) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncckggbcdlilkkfbhlkggjmlnefofomc [2014-02-26]
CHR Extension: (Chrome In-App Payments service) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-30]
CHR Extension: (Gmail) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-10-30]

==================== Services (Whitelisted) =================

S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
R2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe [132504 2013-03-24] (Symantec Corporation)
R2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2013-11-01] (PasswordBox, Inc.)
S3 Roxio UPnP Renderer 10; C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [313840 2009-06-26] (Sonic Solutions)
S2 Roxio Upnp Server 10; C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe [362992 2009-06-26] (Sonic Solutions)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [189984 2009-07-24] (Realtek Semiconductor)
S3 SampleCollector; C:\Program Files\Sony\VAIO Care\collsvc.exe [167424 2008-09-29] (Intel Corporation)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
S3 SOHDBSvr; C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe [70952 2009-07-27] (Sony Corporation)
S3 SOHPlMgr; C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe [91432 2009-07-27] (Sony Corporation)
R2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.)
S3 VAIO Entertainment TV Device Arbitration Service; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe [69632 2009-07-23] (Sony Corporation)
R2 VCFw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [642920 2009-07-22] (Sony Corporation)
R3 Vcsw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe [313264 2009-07-23] (Sony Corporation)
R2 VzCdbSvc; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe [206336 2009-07-23] (Sony Corporation)

==================== Drivers (Whitelisted) ====================

R3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [19968 2009-05-26] (ArcSoft, Inc.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [46368 2013-11-20] (AVG Technologies)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)
R2 risdptsk; C:\Windows\system32\DRIVERS\risdsn64.sys [76288 2009-07-31] (REDC)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-10 19:16 - 2014-03-10 19:16 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-03-10 19:16 - 2014-03-10 19:15 - 02347384 _____ (ESET) C:\Users\Heather\Desktop\esetsmartinstaller_enu.exe
2014-03-10 16:04 - 2014-03-10 16:28 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-03-10 16:04 - 2014-03-10 16:04 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-03-10 16:03 - 2014-03-10 16:28 - 00000000 ____D () C:\Users\Heather\Desktop\mbar
2014-03-10 16:03 - 2014-03-10 16:03 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-03-10 16:03 - 2014-03-10 14:04 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Heather\Desktop\mbar-1.07.0.1009.exe
2014-03-10 11:58 - 2014-03-10 11:58 - 00000008 __RSH () C:\ProgramData\ntuser.pol
2014-03-10 10:42 - 2014-03-10 10:45 - 00000000 ____D () C:\AdwCleaner
2014-03-10 10:39 - 2014-03-10 10:37 - 01244192 _____ () C:\Users\Heather\Desktop\AdwCleaner.exe
2014-03-10 09:53 - 2014-03-10 09:53 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-03-10 08:36 - 2014-03-11 00:50 - 00012897 _____ () C:\Users\Heather\Desktop\FRST.txt
2014-03-10 08:36 - 2014-03-10 10:54 - 00029752 _____ () C:\Users\Heather\Desktop\Addition.txt
2014-03-10 08:35 - 2014-03-11 00:50 - 00000000 ____D () C:\FRST
2014-03-10 08:25 - 2014-03-10 08:26 - 02157056 _____ (Farbar) C:\Users\Heather\Desktop\FRST64.exe
2014-03-10 08:25 - 2014-03-10 08:25 - 04130656 _____ (Kaspersky Lab ZAO) C:\Users\Heather\Desktop\tdsskiller.exe
2014-03-09 22:27 - 2014-03-09 22:27 - 00388608 _____ (Trend Micro Inc.) C:\Users\Heather\Desktop\HijackThis.exe
2014-03-09 22:27 - 2014-03-09 22:27 - 00005837 _____ () C:\Users\Heather\Desktop\hijackthis.log
2014-03-09 21:48 - 2014-03-09 21:48 - 00050688 _____ (Atribune.org) C:\Users\Heather\Desktop\ATF-Cleaner.exe
2014-03-09 21:40 - 2014-03-10 10:48 - 00000000 ____D () C:\Windows\pss
2014-03-09 21:38 - 2014-03-09 21:38 - 00000000 ____D () C:\Qoobox
2014-03-09 21:37 - 2014-03-09 21:37 - 05187267 ____R (Swearware) C:\Users\Heather\Desktop\ComboFix.exe
2014-03-09 21:37 - 2014-03-09 21:37 - 00000000 ____D () C:\Windows\erdnt
2014-03-09 19:45 - 2014-03-09 19:45 - 00000213 _____ () C:\Windows\wininit.ini
2014-03-09 19:21 - 2014-02-13 13:48 - 00000426 _____ () C:\AVScanner.ini
2014-03-09 19:00 - 2014-03-09 19:00 - 00000000 ____D () C:\Users\Heather\AppData\Roaming\Malwarebytes
2014-03-09 19:00 - 2014-03-09 19:00 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-09 19:00 - 2014-03-09 19:00 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-09 19:00 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-02-22 23:06 - 2014-02-22 23:06 - 00000076 _____ () C:\Users\Heather\AppData\Local\DVDPATH.TXT
2014-02-13 22:18 - 2014-03-09 21:53 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified Files and Folders =======

2014-03-11 00:50 - 2014-03-10 08:36 - 00012897 _____ () C:\Users\Heather\Desktop\FRST.txt
2014-03-11 00:50 - 2014-03-10 08:35 - 00000000 ____D () C:\FRST
2014-03-11 00:46 - 2009-12-26 02:11 - 00003950 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{A825E16A-8D69-4866-A9EC-346E792953F5}
2014-03-11 00:05 - 2013-05-19 17:34 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-10 23:52 - 2013-05-19 17:34 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-10 19:16 - 2014-03-10 19:16 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-03-10 19:15 - 2014-03-10 19:16 - 02347384 _____ (ESET) C:\Users\Heather\Desktop\esetsmartinstaller_enu.exe
2014-03-10 16:28 - 2014-03-10 16:04 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-03-10 16:28 - 2014-03-10 16:03 - 00000000 ____D () C:\Users\Heather\Desktop\mbar
2014-03-10 16:13 - 2009-09-25 18:01 - 01930208 _____ () C:\Windows\WindowsUpdate.log
2014-03-10 16:07 - 2009-07-14 01:13 - 00779266 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-10 16:04 - 2014-03-10 16:04 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-03-10 16:03 - 2014-03-10 16:03 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-03-10 14:04 - 2014-03-10 16:03 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Heather\Desktop\mbar-1.07.0.1009.exe
2014-03-10 12:05 - 2013-05-19 17:34 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-10 12:05 - 2009-07-14 00:45 - 00020032 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-10 12:05 - 2009-07-14 00:45 - 00020032 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-10 12:00 - 2013-05-19 17:34 - 00003896 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-10 12:00 - 2013-05-19 17:34 - 00003644 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-10 11:58 - 2014-03-10 11:58 - 00000008 __RSH () C:\ProgramData\ntuser.pol
2014-03-10 11:58 - 2013-10-30 23:24 - 00000008 __RSH () C:\Users\Heather\ntuser.pol
2014-03-10 11:58 - 2009-12-26 02:05 - 00000000 ____D () C:\Users\Heather
2014-03-10 11:57 - 2013-07-05 17:55 - 00000498 _____ () C:\Windows\Tasks\ParetoLogic Update Version3 Startup Task.job
2014-03-10 11:57 - 2011-06-28 19:34 - 00032600 _____ () C:\Windows\setupact.log
2014-03-10 11:57 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-10 11:56 - 2011-06-28 19:34 - 00806538 _____ () C:\Windows\PFRO.log
2014-03-10 11:56 - 2009-07-13 23:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-03-10 10:54 - 2014-03-10 08:36 - 00029752 _____ () C:\Users\Heather\Desktop\Addition.txt
2014-03-10 10:48 - 2014-03-09 21:40 - 00000000 ____D () C:\Windows\pss
2014-03-10 10:45 - 2014-03-10 10:42 - 00000000 ____D () C:\AdwCleaner
2014-03-10 10:37 - 2014-03-10 10:39 - 01244192 _____ () C:\Users\Heather\Desktop\AdwCleaner.exe
2014-03-10 09:53 - 2014-03-10 09:53 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-03-10 08:26 - 2014-03-10 08:25 - 02157056 _____ (Farbar) C:\Users\Heather\Desktop\FRST64.exe
2014-03-10 08:25 - 2014-03-10 08:25 - 04130656 _____ (Kaspersky Lab ZAO) C:\Users\Heather\Desktop\tdsskiller.exe
2014-03-09 22:27 - 2014-03-09 22:27 - 00388608 _____ (Trend Micro Inc.) C:\Users\Heather\Desktop\HijackThis.exe
2014-03-09 22:27 - 2014-03-09 22:27 - 00005837 _____ () C:\Users\Heather\Desktop\hijackthis.log
2014-03-09 21:53 - 2014-02-13 22:18 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-09 21:48 - 2014-03-09 21:48 - 00050688 _____ (Atribune.org) C:\Users\Heather\Desktop\ATF-Cleaner.exe
2014-03-09 21:38 - 2014-03-09 21:38 - 00000000 ____D () C:\Qoobox
2014-03-09 21:37 - 2014-03-09 21:37 - 05187267 ____R (Swearware) C:\Users\Heather\Desktop\ComboFix.exe
2014-03-09 21:37 - 2014-03-09 21:37 - 00000000 ____D () C:\Windows\erdnt
2014-03-09 19:45 - 2014-03-09 19:45 - 00000213 _____ () C:\Windows\wininit.ini
2014-03-09 19:23 - 2013-07-01 22:25 - 00000000 ____D () C:\Program Files\InterActual
2014-03-09 19:22 - 2009-12-26 02:07 - 00000000 ___RD () C:\Users\Heather\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-09 19:00 - 2014-03-09 19:00 - 00000000 ____D () C:\Users\Heather\AppData\Roaming\Malwarebytes
2014-03-09 19:00 - 2014-03-09 19:00 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-09 19:00 - 2014-03-09 19:00 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-08 13:23 - 2013-12-18 22:33 - 00000151 _____ () C:\Users\Heather\AppData\Roaming\WB.CFG
2014-03-01 21:25 - 2013-11-20 12:07 - 00000000 ____D () C:\Program Files (x86)\PasswordBox
2014-02-22 23:06 - 2014-02-22 23:06 - 00000076 _____ () C:\Users\Heather\AppData\Local\DVDPATH.TXT
2014-02-22 22:32 - 2012-05-03 14:25 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-02-22 22:32 - 2009-07-14 01:08 - 00032620 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-02-22 22:20 - 2013-05-19 17:34 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-02-22 22:19 - 2012-05-30 12:04 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-02-22 22:19 - 2012-05-30 12:04 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-02-13 13:48 - 2014-03-09 19:21 - 00000426 _____ () C:\AVScanner.ini

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-03-10 11:12

==================== End Of Log ============================


#14 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:11:33 AM

Posted 11 March 2014 - 02:46 AM

I don't see a running anti-virus program on your computer. I highly recommend that you download and install an anti-virus program (e.g. avast or MSE).
Then run a full scan with this newly installed anti-virus program and post the log.
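An added example, not part of the thread and not code from either poster or from FRST: a PowerShell snippet a helper could ask the user to run to confirm that an anti-virus product is actually registered and enabled, which is the gap the post above points out. It reads the `root\SecurityCenter2` WMI namespace (present on Vista and later, so it applies to the Windows 7 machine in this log) and uses `Get-WmiObject` so it also works on the PowerShell 2.0 that ships with Windows 7. The decoding of `productState` is the commonly used bit-field interpretation, not a documented API, and the `Microsoft Antimalware` event source used for the scan-history export is an assumption about how MSE logs to the System event log.

```powershell
# Added example (not from the thread): check which anti-virus products Windows
# Security Center knows about, whether they are enabled and current, and pull
# the most recent anti-malware events as a log the user can post.
# Assumes Windows Vista or later and PowerShell 2.0 or later.

function Get-RegisteredAntivirus {
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
                              -ErrorAction SilentlyContinue
    if (-not $products) {
        Write-Warning 'No anti-virus product is registered with Security Center.'
        return
    }
    foreach ($p in $products) {
        # productState is a 24-bit field. Commonly used decoding (assumption, not a
        # documented contract): middle byte 0x10/0x11 = real-time protection on,
        # low byte 0x00 = signatures up to date, 0x10 = out of date.
        $hex      = '{0:X6}' -f [int]$p.productState
        $onByte   = $hex.Substring(2, 2)
        $sigByte  = $hex.Substring(4, 2)
        New-Object PSObject -Property @{
            Name     = $p.displayName
            Enabled  = ($onByte -eq '10' -or $onByte -eq '11')
            UpToDate = ($sigByte -eq '00')
            State    = "0x$hex"
            Path     = $p.pathToSignedProductExe
        }
    }
}

function Export-AntimalwareEvents {
    param(
        [string]$OutFile = (Join-Path $env:USERPROFILE 'Desktop\antimalware-events.txt'),
        [int]$Newest = 50
    )
    # MSE writes scan start/finish and detection events to the System log under the
    # 'Microsoft Antimalware' source (assumed source name). Adjust if your product differs.
    Get-EventLog -LogName System -Source 'Microsoft Antimalware' -Newest $Newest `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EventID, EntryType, Message |
        Format-List |
        Out-File -FilePath $OutFile -Encoding UTF8
    return $OutFile
}

# Usage: summarise registered products, then write the recent events to the Desktop.
Get-RegisteredAntivirus | Format-Table Name, Enabled, UpToDate, State, Path -AutoSize
$log = Export-AntimalwareEvents
Write-Host "Event export written to $log"
```

If the first command prints nothing but a warning, no anti-virus product has registered with Security Center, which matches what the helper observed in the FRST output. The exported text file is plain UTF-8 and can be pasted into a reply, which also answers the "how do I export a log" question that follows.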

#15 aNEWvision

aNEWvision
  • Topic Starter

  • Members
  • 41 posts
  • Gender:Female
  • Local time:05:33 AM

Posted 11 March 2014 - 11:46 AM

I did a full scan with MSE and no threats were detected... how do I export a log?
