HEUR/Modified.SystemFile trojan in user32.DLL


This topic is locked
26 replies to this topic

#1 Miyaka

  • Members
  • 17 posts
  • Gender:Female
  • Location:Cahokia, IL

Posted 19 April 2014 - 02:34 PM

For some reason, I couldn't put the DDS to the desktop (it went to my downloads) and couldn't paste the dds.txt here as asked.

Sorry, I couldn't copy and paste it here, but the files are below.

Please advise.

Attached Files

#2 HelpBot (Bleepin' Binary Bot)

  • Bots
  • 12,549 posts
  • Gender:Male

Posted 24 April 2014 - 02:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/531677 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 fireman4it (Bleepin' Fireman)

  • Malware Response Team
  • 13,502 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 26 April 2014 - 03:11 PM

Hello Miyaka,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

 

1.

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer.
  • After the scan has finished...
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

2.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 Miyaka (Topic Starter)

  • Members
  • 17 posts
  • Gender:Female
  • Location:Cahokia, IL

Posted 26 April 2014 - 09:04 PM

# AdwCleaner v3.204 - Report created 26/04/2014 at 20:59:17
# Updated 26/04/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : Image 17 - EAVIN
# Running from : C:\Users\Image 17\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Image 17\AppData\Local\Coupon Companion Plugin
Folder Deleted : C:\Users\IMAGE1~1\AppData\Local\Temp\AskSearch
Folder Deleted : C:\Users\Image 17\AppData\Roaming\DefaultTab

***** [ Shortcuts ] *****


***** [ Registry ] *****

[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D4272AAD-5B94-4988-A302-2A3A27C8AC26}
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\Default Tab
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKLM\Software\InstallIQ

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16521


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Image 17\AppData\Roaming\Mozilla\Firefox\Profiles\n4do0ixe.default-1384808122510\prefs.js ]


*************************

AdwCleaner[R0].txt - [3899 octets] - [26/04/2014 20:55:10]
AdwCleaner[S0].txt - [3675 octets] - [26/04/2014 20:59:17]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3735 octets] ##########



#5 Miyaka (Topic Starter)

  • Members
  • 17 posts
  • Gender:Female
  • Location:Cahokia, IL

Posted 26 April 2014 - 09:21 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-04-2014 03

Ran by Image 17 (administrator) on EAVIN on 26-04-2014 21:10:22

Running from C:\Users\Image 17\Downloads

Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English(US)

Internet Explorer Version 11

Boot Mode: Normal

The only official download link for FRST:

Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/

Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Download link from any site other than Bleeping Computer is unpermitted or outdated.

See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe

(Cisco Systems, Inc.) C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe

(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe

(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.3.132.0\BBSvc.exe

(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

(Intel Corporation) C:\Windows\System32\igfxtray.exe

(Intel Corporation) C:\Windows\System32\hkcmd.exe

(Intel Corporation) C:\Windows\System32\igfxpers.exe

(Intel Corporation) C:\Windows\system32\igfxsrvc.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe

(Veoh Networks) C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

(Yahoo! Inc.) C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe

(Microsoft Corporation) C:\Windows\system32\AUDIODG.EXE

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)

HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [348664 2012-08-01] (Avira Operations GmbH & Co. KG)

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)

HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)

HKU\S-1-5-21-1698006204-2431324947-1330829467-1000\...\Run: [Messenger (Yahoo!)] => C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [6595928 2012-05-25] (Yahoo! Inc.)

HKU\S-1-5-21-1698006204-2431324947-1330829467-1000\...\Run: [VeohPlugin] => C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe [2590456 2009-11-20] (Veoh Networks)

Startup: C:\Users\Image 17\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 1050 J410 series.lnk

ShortcutTarget: Monitor Ink Alerts - HP Deskjet 1050 J410 series.lnk -> C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xD6F838818D43CD01

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US

SearchScopes: HKLM - DefaultScope value is missing.

SearchScopes: HKCU - {34F4A507-22FB-46D6-ABFF-D86071B597CA} URL = http://websearch.ask.com/redirect?client=ie&tb=AVR-3&o=APN10400&src=kw&q={searchTerms}&locale=&apn_ptnrs=^ABY&apn_dtid=^YYYYYY^YY^US&apn_uid=118dba88-2283-4ca8-82c5-010806afcd49&apn_sauid=691581A6-ACF0-4D9D-A269-57BCA75F5147

BHO: Bing Bar Helper - {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)

BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Toolbar: HKLM - Bing Bar - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)

Tcpip\Parameters: [DhcpNameServer] 10.0.0.1

FireFox:

========

FF ProfilePath: C:\Users\Image 17\AppData\Roaming\Mozilla\Firefox\Profiles\n4do0ixe.default-1384808122510

FF Homepage: https://www.yahoo.com/

FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_182.dll ()

FF Plugin: @java.com/DTPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.1 - C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)

FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 - C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)

FF Plugin: @microsoft.com/GENUINE - disabled No File

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF Plugin: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 - C:\ProgramData\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)

FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npBitCometAgent.dll (BitComet)

FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)

FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)

FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)

FF Extension: Veoh Video Compass - C:\Users\Image 17\AppData\Roaming\Mozilla\Firefox\Profiles\n4do0ixe.default-1384808122510\Extensions\searchrecs@veoh.com [2013-11-26]

FF Extension: TimeLineRemove.Com - C:\Users\Image 17\AppData\Roaming\Mozilla\Firefox\Profiles\n4do0ixe.default-1384808122510\Extensions\tl_r@jetpack.xpi [2013-11-21]

========================== Services (Whitelisted) =================

R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [86224 2012-05-02] (Avira Operations GmbH & Co. KG)

R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [110032 2012-05-02] (Avira Operations GmbH & Co. KG)

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)

R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)

S3 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]

==================== Drivers (Whitelisted) ====================

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [83392 2012-04-25] (Avira GmbH)

R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [137928 2012-04-27] (Avira GmbH)

R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [36000 2012-04-16] (Avira GmbH)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)

R1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)

S1 ckzwrmyg; \??\C:\Windows\system32\drivers\ckzwrmyg.sys [X]

S1 dnuhswmo; \??\C:\Windows\system32\drivers\dnuhswmo.sys [X]

S1 ehkvqkci; \??\C:\Windows\system32\drivers\ehkvqkci.sys [X]

S1 exashbrc; \??\C:\Windows\system32\drivers\exashbrc.sys [X]

S1 hdpfguqc; \??\C:\Windows\system32\drivers\hdpfguqc.sys [X]

S1 jzjxdqrp; \??\C:\Windows\system32\drivers\jzjxdqrp.sys [X]

S1 mkiwjcrx; \??\C:\Windows\system32\drivers\mkiwjcrx.sys [X]

S1 MpKsl7842e45c; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C5096786-84AE-48F5-A7CA-C87EA23F229D}\MpKsl7842e45c.sys [X]

S3 VGPU; System32\drivers\rdvgkmd.sys [X]

S1 wojubfzg; \??\C:\Windows\system32\drivers\wojubfzg.sys [X]

==================== NetSvcs (Whitelisted) ===================

 

==================== One Month Created Files and Folders ========

 

2014-04-26 21:10 - 2014-04-26 21:10 - 00009371 _____ () C:\Users\Image 17\Downloads\FRST.txt

2014-04-26 21:07 - 2014-04-26 21:10 - 00000000 ____D () C:\FRST

2014-04-26 21:06 - 2014-04-26 21:07 - 01049088 _____ (Farbar) C:\Users\Image 17\Downloads\FRST.exe

2014-04-26 20:55 - 2014-04-26 20:59 - 00000000 ____D () C:\AdwCleaner

2014-04-26 20:52 - 2014-04-26 20:53 - 01329501 _____ () C:\Users\Image 17\Downloads\AdwCleaner.exe

2014-04-19 14:14 - 2014-04-19 14:18 - 00010691 _____ () C:\Users\Image 17\Desktop\dds.txt

2014-04-19 14:14 - 2014-04-19 14:14 - 00011885 _____ () C:\Users\Image 17\Desktop\attach.txt

2014-04-19 14:03 - 2014-04-19 14:03 - 00688992 ____R (Swearware) C:\Users\Image 17\Downloads\dds.com

2014-04-17 06:39 - 2014-04-17 06:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java

2014-04-17 06:39 - 2014-04-14 20:13 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll

2014-04-17 06:39 - 2014-04-14 20:05 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe

2014-04-17 06:39 - 2014-04-14 20:05 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe

2014-04-17 06:39 - 2014-04-14 20:04 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\java.exe

2014-04-17 06:38 - 2014-04-17 06:39 - 00004186 _____ () C:\Windows\system32\jupdate-1.7.0_55-b14.log

2014-04-11 02:44 - 2014-04-11 02:46 - 25907928 _____ (Microsoft Corporation) C:\Users\Image 17\Downloads\Windows-KB890830-V5.11.exe

2014-04-11 02:22 - 2014-04-11 02:22 - 00145000 _____ () C:\Windows\Minidump\041114-24819-01.dmp

2014-04-09 20:07 - 2014-03-30 19:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2014-04-09 20:07 - 2014-03-30 18:57 - 17073152 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2014-04-09 20:07 - 2014-03-04 04:17 - 00868352 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll

2014-04-09 20:07 - 2014-02-03 21:07 - 00234432 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys

2014-04-09 20:07 - 2014-02-03 21:07 - 00149440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys

2014-04-09 20:07 - 2014-02-03 21:07 - 00027072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Diskdump.sys

2014-04-09 20:07 - 2014-02-03 21:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\iologmsg.dll

2014-04-09 20:07 - 2014-01-23 21:18 - 01212352 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys

2014-03-29 03:52 - 2014-03-29 03:53 - 00000000 ____D () C:\Program Files\Mozilla Firefox

 

==================== One Month Modified Files and Folders =======

 

2014-04-26 21:10 - 2014-04-26 21:10 - 00009371 _____ () C:\Users\Image 17\Downloads\FRST.txt

2014-04-26 21:10 - 2014-04-26 21:07 - 00000000 ____D () C:\FRST

2014-04-26 21:07 - 2014-04-26 21:06 - 01049088 _____ (Farbar) C:\Users\Image 17\Downloads\FRST.exe

2014-04-26 21:07 - 2009-07-13 23:39 - 00993205 _____ () C:\Windows\setupact.log

2014-04-26 21:05 - 2010-11-20 16:01 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI

2014-04-26 21:04 - 2012-06-06 09:31 - 01267455 _____ () C:\Windows\WindowsUpdate.log

2014-04-26 21:00 - 2010-11-20 16:48 - 00257918 _____ () C:\Windows\PFRO.log

2014-04-26 21:00 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-04-26 20:59 - 2014-04-26 20:55 - 00000000 ____D () C:\AdwCleaner

2014-04-26 20:59 - 2009-07-13 23:34 - 00020832 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-04-26 20:59 - 2009-07-13 23:34 - 00020832 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2014-04-26 20:56 - 2012-06-08 18:41 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job

2014-04-26 20:53 - 2014-04-26 20:52 - 01329501 _____ () C:\Users\Image 17\Downloads\AdwCleaner.exe

2014-04-21 21:23 - 2013-02-10 09:04 - 00000344 _____ () C:\Windows\Tasks\HP Photo Creations Communicator.job

2014-04-19 14:18 - 2014-04-19 14:14 - 00010691 _____ () C:\Users\Image 17\Desktop\dds.txt

2014-04-19 14:14 - 2014-04-19 14:14 - 00011885 _____ () C:\Users\Image 17\Desktop\attach.txt

2014-04-19 14:03 - 2014-04-19 14:03 - 00688992 ____R (Swearware) C:\Users\Image 17\Downloads\dds.com

2014-04-18 13:24 - 2012-06-12 10:11 - 00000000 ____D () C:\Users\Image 17\AppData\Roaming\TeamViewer

2014-04-18 08:08 - 2009-07-13 23:53 - 00032634 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

2014-04-17 10:45 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\NDF

2014-04-17 06:39 - 2014-04-17 06:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java

2014-04-17 06:39 - 2014-04-17 06:38 - 00004186 _____ () C:\Windows\system32\jupdate-1.7.0_55-b14.log

2014-04-17 06:39 - 2001-01-01 00:17 - 00000000 ____D () C:\ProgramData\Oracle

2014-04-17 06:39 - 2001-01-01 00:15 - 00000000 ____D () C:\Program Files\Java

2014-04-15 16:42 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache

2014-04-14 20:13 - 2014-04-17 06:39 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll

2014-04-14 20:05 - 2014-04-17 06:39 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe

2014-04-14 20:05 - 2014-04-17 06:39 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe

2014-04-14 20:04 - 2014-04-17 06:39 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\java.exe

2014-04-11 02:46 - 2014-04-11 02:44 - 25907928 _____ (Microsoft Corporation) C:\Users\Image 17\Downloads\Windows-KB890830-V5.11.exe

2014-04-11 02:22 - 2014-04-11 02:22 - 00145000 _____ () C:\Windows\Minidump\041114-24819-01.dmp

2014-04-11 02:22 - 2013-09-19 23:38 - 00000000 ____D () C:\Windows\Minidump

2014-04-11 02:21 - 2013-09-20 00:13 - 235052140 _____ () C:\Windows\MEMORY.DMP

2014-04-09 23:57 - 2012-06-05 21:40 - 00000000 ____D () C:\ProgramData\Microsoft Help

2014-04-09 23:55 - 2013-08-15 01:45 - 00000000 ____D () C:\Windows\system32\MRT

2014-04-08 23:21 - 2012-06-11 23:54 - 00000000 ____D () C:\Users\Image 17\AppData\Local\Adobe

2014-04-08 23:20 - 2012-06-08 18:41 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe

2014-04-08 23:20 - 2012-06-08 18:41 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

2014-04-03 02:29 - 2012-06-06 07:00 - 00001945 _____ () C:\Windows\epplauncher.mif

2014-04-03 02:29 - 2012-06-06 06:59 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk

2014-04-03 02:28 - 2012-06-06 06:59 - 00000000 ____D () C:\Program Files\Microsoft Security Client

2014-03-31 03:51 - 2012-06-05 19:06 - 88028728 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

2014-03-31 03:07 - 2012-06-05 21:35 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service

2014-03-30 19:13 - 2014-04-09 20:07 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2014-03-30 18:57 - 2014-04-09 20:07 - 17073152 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2014-03-29 03:53 - 2014-03-29 03:52 - 00000000 ____D () C:\Program Files\Mozilla Firefox

Some content of TEMP:

====================

C:\Users\Image 17\AppData\Local\Temp\AskSLib.dll

C:\Users\Image 17\AppData\Local\Temp\BitDF29.tmp.exe

C:\Users\Image 17\AppData\Local\Temp\BI_RunOnce.exe

C:\Users\Image 17\AppData\Local\Temp\couponamazing.exe

C:\Users\Image 17\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit.exe

C:\Users\Image 17\AppData\Local\Temp\incredibar_installer.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u7-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\Quarantine.exe

C:\Users\Image 17\AppData\Local\Temp\Relay.dll

C:\Users\Image 17\AppData\Local\Temp\RelayL.dll

 

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\system32\winlogon.exe => MD5 is legit

C:\Windows\system32\wininit.exe => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\services.exe => MD5 is legit

C:\Windows\system32\User32.dll => MD5 is legit

C:\Windows\system32\userinit.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit

 

LastRegBack: 2014-04-21 18:19

 

==================== End Of Log ============================
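As an added triage example (not part of this thread, FRST, or AdwCleaner), here is a Python parser for the FRST.txt line format shown in the log above: it pulls the Services/Drivers entries, flags those whose file FRST reports as missing (`[X]`) and whose names look randomly generated, and collects the "Bamital & volsnap Check" verdicts such as the `User32.dll => MD5 is legit` line that bears on this thread's title. The sample log is a constructed subset of the lines posted above; the eight-lowercase-letter "random name" heuristic is an assumption of mine, not an FRST rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the FRST.txt lines posted in this thread.
SAMPLE_LOG = r"""
==================== Services (Whitelisted) =================
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [110032 2012-05-02] (Avira Operations GmbH & Co. KG)
S3 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
==================== Drivers (Whitelisted) ====================
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [83392 2012-04-25] (Avira GmbH)
S1 ckzwrmyg; \??\C:\Windows\system32\drivers\ckzwrmyg.sys [X]
S1 MpKsl7842e45c; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C5096786-84AE-48F5-A7CA-C87EA23F229D}\MpKsl7842e45c.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
==================== Bamital & volsnap Check =================
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit
==================== End Of Log ============================
"""

# Line shapes as they appear in the FRST log above.
SECTION_RE = re.compile(r"^=+\s*(?P<title>[^=\s].*?)\s*=+$")
ENTRY_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<info>[^\]]*)\](?:\s+\((?P<vendor>[^)]*)\))?$"
)
HASHCHECK_RE = re.compile(r"^(?P<path>.+?)\s+=>\s+MD5 is (?P<verdict>.+)$")
# Assumed heuristic: eight random lowercase letters, as in the S1 drivers above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class Entry:
    section: str          # "Services" or "Drivers"
    state: str            # R = running, S = stopped, digit = start type
    name: str
    path: str
    vendor: Optional[str]
    file_missing: bool    # FRST prints [X] when the referenced file is absent
    random_name: bool

    @property
    def flag(self) -> str:
        # A missing file alone is an orphaned registration; a missing file
        # with a random-looking name deserves a closer look.
        if self.file_missing and self.random_name:
            return "orphan-random-name"
        if self.file_missing:
            return "orphan"
        return "ok"


def parse_frst(text: str) -> Tuple[List[Entry], Dict[str, str]]:
    """Return (service/driver entries, {lowercased path: MD5 verdict})."""
    entries: List[Entry] = []
    hash_checks: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title")
            continue
        m = ENTRY_RE.match(line)
        if m and section.startswith(("Services", "Drivers")):
            name = m.group("name")
            entries.append(Entry(
                section=section.split()[0], state=m.group("state"), name=name,
                path=m.group("path"), vendor=m.group("vendor"),
                file_missing=m.group("info").strip() == "X",
                random_name=bool(RANDOM_NAME_RE.match(name)),
            ))
            continue
        m = HASHCHECK_RE.match(line)
        if m and section.startswith("Bamital"):
            hash_checks[m.group("path").lower()] = m.group("verdict")
    return entries, hash_checks


def flagged_entries(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flag != "ok"]


def summarize(text: str) -> Dict[str, object]:
    entries, checks = parse_frst(text)
    return {
        "entries": len(entries),
        "flagged": [(e.name, e.flag) for e in flagged_entries(entries)],
        "integrity_failures": [p for p, v in checks.items() if v != "legit"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note that a legitimately named driver such as avgntflt also matches the eight-letter pattern, so the name heuristic only raises the flag when FRST also reports the file missing.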



#6 Miyaka (Topic Starter)

  • Members
  • 17 posts
  • Gender:Female
  • Location:Cahokia, IL

Posted 26 April 2014 - 09:41 PM

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-04-2014 03

Ran by Image 17 at 2014-04-26 21:11:29

Running from C:\Users\Image 17\Downloads

Boot Mode: Normal

==========================================================

 

==================== Security Center ========================

AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}

AV: Avira Desktop (Enabled - Up to date) {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

AS: Avira Desktop (Enabled - Up to date) {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.77 - Adobe Systems Incorporated)

Adobe Flash Player 13 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 13.0.0.182 - Adobe Systems Incorporated)

Adobe Reader X (10.1.9) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.9 - Adobe Systems Incorporated)

Avira Free Antivirus (HKLM\...\Avira AntiVir Desktop) (Version: 12.1.9.2500 - Avira)

Bing Bar (HKLM\...\{3365E735-48A6-4194-9988-CE59AC5AE503}) (Version: 7.3.132.0 - Microsoft Corporation)

Bing Rewards Client Installer (Version: 16.0.345.0 - Microsoft Corporation) Hidden

Cisco AnyConnect VPN Client (HKLM\...\{B571687A-1AE6-4C32-9B5B-678BECB556BE}) (Version: 2.5.3046 - Cisco Systems, Inc.)

Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 4.42.0.50 - Conexant)

Coupon Printer for Windows (HKLM\...\Coupon Printer for Windows5.0.0.0) (Version: 5.0.0.0 - Coupons.com Incorporated)

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{5971CA1F-6BDE-498F-952C-9F2BF94070A4}) (Version:  - Microsoft)

HDAUDIO Soft Data Fax Modem with SmartCP (HKLM\...\CNXT_MODEM_HDA_HSF) (Version: 7.80.4.50 - Conexant Systems)

Hewlett-Packard ACLM.NET v1.1.0.0 (Version: 1.00.0000 - Hewlett-Packard) Hidden

HP Connection Manager (HKLM\...\{22706ADC-74A1-43A0-ABAE-47F84966B909}) (Version: 4.2.50.1 - Hewlett-Packard Company)

HP Deskjet 1050 J410 series Basic Device Software (HKLM\...\{C111B73A-93EA-4A12-80E2-0460F11D431F}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)

HP Deskjet 1050 J410 series Help (HKLM\...\{5C90D8CF-F12A-41C6-9007-3B651A1F0D78}) (Version: 140.0.66.66 - Hewlett Packard)

HP Deskjet 1050 J410 series Product Improvement Study (HKLM\...\{5E83AB6E-2284-4468-BF97-A451904F186C}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)

HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.12412 - HP)

HP Product Detection (HKLM\...\{879F7C80-BCA3-4A11-BDB1-658252ECD7E0}) (Version: 11.15.0005 - HP)

HP Product Detection (HKLM\...\{A436F67F-687E-4736-BD2B-537121A804CF}) (Version: 11.14.0001 - HP)

HP Quick Launch Buttons (HKLM\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.14.1 - Hewlett-Packard Company)

HP Software Framework (HKLM\...\{962CB079-85E6-405F-8704-1C62365AE46F}) (Version: 4.5.10.1 - Hewlett-Packard Company)

HP Update (HKLM\...\{6F1C00D2-25C2-4CBA-8126-AE9A6E2E9CD5}) (Version: 5.003.003.001 - Hewlett-Packard)

Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)

Intel® TV Wizard (HKLM\...\TVWiz) (Version:  - Intel Corporation)

Java 7 Update 55 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217040FF}) (Version: 7.0.550 - Oracle)

Java Auto Updater (Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden

JavaFX 2.1.1 (HKLM\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)

LIAM² (HKLM\...\ST6UNST #1) (Version:  - )

Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)

Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden

Microsoft Office Access MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Excel MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Groove MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)

Microsoft Office Professional Plus 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Proof (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Proof (French) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Proof (Spanish) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Proofing (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Shared MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Word MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden

Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)

Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)

Mozilla Firefox 28.0 (x86 en-US) (HKLM\...\Mozilla Firefox 28.0 (x86 en-US)) (Version: 28.0 - Mozilla)

Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 28.0 - Mozilla)

QLBCASL (Version: 6.40.17.2 - Hewlett-Packard) Hidden

Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)

Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (Version:  - Microsoft) Hidden

System Requirements Lab for Intel (HKLM\...\{C5DA59CF-2BB8-48D5-8E5B-17F2E0F0FEE4}) (Version: 4.5.5.0 - Husdawg, LLC)

Touch Pad Driver (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version:  - )

Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version:  - Microsoft)

Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{D3C85176-ACCC-4AF0-817D-1BC803303B74}) (Version:  - Microsoft)

Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version:  - Microsoft)

Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{39767ECA-1731-45DB-AB5B-6BF40E151D66}) (Version:  - Microsoft)

Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version:  - Microsoft)

Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version:  - Microsoft)

Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version:  - Microsoft)

Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version:  - Microsoft)

Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version:  - Microsoft)

Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version:  - Microsoft)

Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version:  - Microsoft)

Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{BA610006-2C39-4419-9834-CF61AB24810A}) (Version:  - Microsoft)

Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{82F87E28-B18E-46D6-A399-E2F19CF5949B}) (Version:  - Microsoft)

Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{5E8EB600-8B94-429E-873E-98369C6DC1BC}) (Version:  - Microsoft)

Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition (HKLM\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{83B1B530-7D9E-4C6A-907F-E979CEE9C295}) (Version:  - Microsoft)

Update for Microsoft Office 2010 (KB2878225) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{EFF5EBA3-40AD-4859-85E7-3C1CF4F297EB}) (Version:  - Microsoft)

Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version:  - Microsoft)

Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version:  - Microsoft)

Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version:  - Microsoft)

Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{2BA40F82-F3A4-441C-BF1A-ED4C42FF4872}) (Version:  - Microsoft)

Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUS_{334AA0A1-2BB1-4D74-B66A-2B2C4D9C2C87}) (Version:  - Microsoft)

Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version:  - Microsoft)

Update for Microsoft Visio 2010 (KB2553444) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{799005D3-9B70-4219-AFE0-BC479614CC4D}) (Version:  - Microsoft)

Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{8C55AA83-54C2-4236-A622-78440A411DC5}) (Version:  - Microsoft)

Veoh Web Player (HKLM\...\Veoh Web Player Beta) (Version: 1.1.7.1176 - Veoh Networks, Inc.)

Yahoo! Messenger (HKLM\...\Yahoo! Messenger) (Version:  - Yahoo! Inc.)

Yahoo! Software Update (HKLM\...\Yahoo! Software Update) (Version:  - )

Yahoo! Toolbar (HKLM\...\Yahoo! Companion) (Version:  - Yahoo! Inc.)

 

==================== Restore Points  =========================

 

06-04-2014 15:36:33 Windows Update

10-04-2014 01:08:35 Windows Update

10-04-2014 04:52:34 Windows Update

14-04-2014 04:49:59 Windows Update

17-04-2014 11:38:13 Installed Java 7 Update 55

17-04-2014 11:54:48 Windows Update

21-04-2014 03:16:40 Windows Update

27-04-2014 01:50:32 Windows Update

==================== Hosts content: ==========================

2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {33EB6AF5-1621-47B1-B450-1513D121194A} - System32\Tasks\HP Photo Creations Communicator => C:\ProgramData\HP Photo Creations\Communicator.exe [2014-02-10] ()

Task: {549EF712-1259-4625-A2C8-B1C841325AE1} - System32\Tasks\HPCustParticipation HP Deskjet 1050 J410 series => C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe [2012-10-02] (Hewlett-Packard Co.)

Task: {A8085652-7DE5-4A8B-BE27-61AEE02F697E} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-04-08] (Adobe Systems Incorporated)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

Task: C:\Windows\Tasks\HP Photo Creations Communicator.job => C:\ProgramData\HP Photo Creations\Communicator.exe

==================== Loaded Modules (whitelisted) =============

2012-06-09 02:23 - 2012-04-16 23:11 - 00398288 _____ () C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll

2013-09-05 01:14 - 2013-09-05 01:14 - 04300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF

2010-10-20 15:45 - 2010-10-20 15:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

2009-11-20 13:47 - 2009-11-20 13:47 - 08472576 _____ () C:\Program Files\Veoh Networks\VeohWebPlayer\QtWebKit4.dll

2009-11-20 13:47 - 2009-11-20 13:47 - 00241664 _____ () C:\Program Files\Veoh Networks\VeohWebPlayer\phonon4.dll

2009-11-20 13:47 - 2009-11-20 13:47 - 07235584 _____ () C:\Program Files\Veoh Networks\VeohWebPlayer\QtGui4.dll

2009-11-20 13:47 - 2009-11-20 13:47 - 01967616 _____ () C:\Program Files\Veoh Networks\VeohWebPlayer\QtCore4.dll

2009-11-20 13:47 - 2009-11-20 13:47 - 00873472 _____ () C:\Program Files\Veoh Networks\VeohWebPlayer\QtNetwork4.dll

2009-11-20 13:47 - 2009-11-20 13:47 - 00022016 _____ () C:\Program Files\Veoh Networks\VeohWebPlayer\imageformats\qgif4.dll

2009-11-20 13:47 - 2009-11-20 13:47 - 00120320 _____ () C:\Program Files\Veoh Networks\VeohWebPlayer\imageformats\qjpeg4.dll

2014-04-08 23:20 - 2014-04-08 23:20 - 16351920 _____ () C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_182.dll

2012-06-12 04:00 - 2012-05-25 04:25 - 00921600 _____ () C:\Program Files\Yahoo!\Messenger\yui.dll

2014-03-29 03:52 - 2014-03-29 03:52 - 03642480 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

 

==================== Safe Mode (whitelisted) ===================

 

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Disabled items from MSCONFIG ==============

MSCONFIG\startupreg: Apoint => C:\Program Files\Apoint2K\Apoint.exe

MSCONFIG\startupreg: BCSSync => "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

MSCONFIG\startupreg: BitComet => "C:\Program Files\BitComet\BitComet.exe" /tray

MSCONFIG\startupreg: HP Software Update => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

MSCONFIG\startupreg: HPConnectionManager => C:\Program Files\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe

MSCONFIG\startupreg: QlbCtrl.exe => C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

 

==================== Faulty Device Manager Devices =============

 

Name: MpKsl7842e45c

Description: MpKsl7842e45c

Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Manufacturer:

Service: MpKsl7842e45c

Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)

Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.

Devices stay in this state if they have been prepared for removal.

After you remove the device, this error disappears. Remove the device, and this error should be resolved.

 

Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows

Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows

Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}

Manufacturer: Cisco Systems

Service: vpnva

Problem: : This device is disabled. (Code 22)

Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

 

==================== Event log errors: =========================

Application errors:

==================

Error: (04/26/2014 09:02:11 PM) (Source: WinMgmt) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (04/26/2014 09:00:46 PM) (Source: Winlogon) (User: )

Description: Windows license activation failed. Error 0x80070005.

Error: (04/26/2014 08:39:52 PM) (Source: WinMgmt) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (04/26/2014 08:38:22 PM) (Source: Winlogon) (User: )

Description: Windows license activation failed. Error 0x80070005.

Error: (04/21/2014 06:24:23 PM) (Source: SideBySide) (User: )

Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".

Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.

Please use sxstrace.exe for detailed diagnosis.

 

Error: (04/21/2014 05:11:12 PM) (Source: WinMgmt) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/21/2014 05:09:44 PM) (Source: Winlogon) (User: )

Description: Windows license activation failed. Error 0x80070005.

 

Error: (04/21/2014 00:01:00 AM) (Source: WinMgmt) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/20/2014 11:59:30 PM) (Source: Winlogon) (User: )

Description: Windows license activation failed. Error 0x80070005.

 

Error: (04/20/2014 11:02:18 PM) (Source: Application Error) (User: )

Description: Faulting application name: firefox.exe, version: 28.0.0.5186, time stamp: 0x53240e37

Faulting module name: xul.dll, version: 28.0.0.5186, time stamp: 0x53240e04

Exception code: 0xc0000005

Fault offset: 0x00184729

Faulting process id: 0x1b0

Faulting application start time: 0xfirefox.exe0

Faulting application path: firefox.exe1

Faulting module path: firefox.exe2

Report Id: firefox.exe3

 

System errors:

=============

Error: (04/26/2014 08:42:49 PM) (Source: DCOM) (User: )

Description: C:\Windows\System32\slui.exe -Embedding5{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

Error: (04/26/2014 08:41:33 PM) (Source: Service Control Manager) (User: )

Description: A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.

 

Error: (04/26/2014 08:40:38 PM) (Source: Service Control Manager) (User: )

Description: The Peer Name Resolution Protocol service depends on the Peer Networking Identity Manager service which failed to start because of the following error:

%%1053

 

Error: (04/26/2014 08:40:38 PM) (Source: Service Control Manager) (User: )

Description: The Peer Networking Grouping service depends on the Peer Networking Identity Manager service which failed to start because of the following error:

%%1053

 

Error: (04/26/2014 08:40:38 PM) (Source: Service Control Manager) (User: )

Description: The Peer Networking Identity Manager service failed to start due to the following error:

%%1053

 

Error: (04/26/2014 08:40:38 PM) (Source: Service Control Manager) (User: )

Description: A timeout was reached (30000 milliseconds) while waiting for the Peer Networking Identity Manager service to connect.

Error: (04/21/2014 06:08:44 PM) (Source: DCOM) (User: )

Description: C:\Windows\System32\slui.exe -Embedding5{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

 

Error: (04/21/2014 05:13:02 PM) (Source: WMPNetworkSvc) (User: )

Description: WMPNetworkSvc0x80004005

Error: (04/21/2014 05:12:57 PM) (Source: Service Control Manager) (User: )

Description: A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.

 

Error: (04/21/2014 05:12:01 PM) (Source: Service Control Manager) (User: )

Description: The Windows Media Player Network Sharing Service service failed to start due to the following error:

%%1053

 

Microsoft Office Sessions:

=========================

Error: (04/26/2014 09:02:11 PM) (Source: WinMgmt)(User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (04/26/2014 09:00:46 PM) (Source: Winlogon)(User: )

Description: 0x800700050x00000000

Error: (04/26/2014 08:39:52 PM) (Source: WinMgmt)(User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (04/26/2014 08:38:22 PM) (Source: Winlogon)(User: )

Description: 0x800700050x00000000

Error: (04/21/2014 06:24:23 PM) (Source: SideBySide)(User: )

Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Program Files\HP\HP Deskjet 1050 J410 series\DriverStore\Pipeline\amd64\hpinkins8911.exe

 

Error: (04/21/2014 05:11:12 PM) (Source: WinMgmt)(User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/21/2014 05:09:44 PM) (Source: Winlogon)(User: )

Description: 0x800700050x00000000

 

Error: (04/21/2014 00:01:00 AM) (Source: WinMgmt)(User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/20/2014 11:59:30 PM) (Source: Winlogon)(User: )

Description: 0x800700050x00000000

 

Error: (04/20/2014 11:02:18 PM) (Source: Application Error)(User: )

Description: firefox.exe28.0.0.518653240e37xul.dll28.0.0.518653240e04c0000005001847291b001cf5d0dd2dc00e3C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dllba982afd-c909-11e3-9e9d-001eec6b996c

 

==================== Memory info ===========================

 

Percentage of memory in use: 35%

Total physical RAM: 3062.02 MB

Available physical RAM: 1974.32 MB

Total Pagefile: 6122.32 MB

Available Pagefile: 4872.33 MB

Total Virtual: 2047.88 MB

Available Virtual: 1905.24 MB

 

==================== Drives ================================

 

Drive c: () (Fixed) (Total:297.99 GB) (Free:259.8 GB) NTFS

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 88C77EF8)

Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

 

P.S. I shut this laptop down for a few days before, simply because it was doing things it shouldn't (minimizing game windows when I commanded it not to, being really slow, and bringing out this message: "Server busy (This action cannot be completed because the other program is busy)" when I just opened the laptop, or "Failure to display security and shut down options (The logon process was unable to display security and logon options when CTRL+ALT+DELETE was pressed. If the operating system does not respond, press ESC or restart the computer by pressing the power switch)" last week).

Thank you in advance, and waiting for further instructions.


Edited by Miyaka, 26 April 2014 - 09:53 PM.
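Reading an Addition.txt like the one above is mostly pattern matching, and a short parser makes the usual triage cues explicit. The script below is an added example for this page, not something FRST or anyone in the thread provided. It parses the line formats that appear in the FRST.txt and Addition.txt logs posted here (Security Center entries, scheduled tasks, and Run keys) and raises three findings: more than one real-time antivirus engine enabled at once, an autostart whose target FRST printed with empty parentheses (FRST prints the file's version-resource company name there, so empty parentheses mean the file carried none: a cue to look closer, not proof of anything), and an autostart target living under a user-writable path. The sample log is constructed from lines on this page; the list of user-writable paths is an assumption of the example.

```python
import re

# Constructed sample, assembled from line formats in the FRST logs posted in this thread.
SAMPLE_LOG = r"""
==================== Security Center ========================
AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AV: Avira Desktop (Enabled - Up to date) {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Scheduled Tasks (whitelisted) =============
Task: {33EB6AF5-1621-47B1-B450-1513D121194A} - System32\Tasks\HP Photo Creations Communicator => C:\ProgramData\HP Photo Creations\Communicator.exe [2014-02-10] ()
Task: {A8085652-7DE5-4A8B-BE27-61AEE02F697E} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-04-08] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKU\S-1-5-21-1698006204-2431324947-1330829467-1000\...\Run: [VeohPlugin] => C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe [2590456 2009-11-20] (Veoh Networks)
==================== End Of Log ============================
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
SECCENTER_RE = re.compile(
    r"^(?P<kind>AV|AS|FW):\s+(?P<name>.+?)\s+\((?P<state>Enabled|Disabled)\s+-\s+(?P<status>[^)]*)\)")
AUTOSTART_RE = re.compile(r"^(?P<kind>Task|HK\S*\\Run):\s+(?P<name>.+?)\s+=>\s+(?P<rest>.+)$")
# "target [size date] (Company)": both trailing fields are optional; the company name is
# what FRST prints in the parentheses, so "()" means the version resource had none.
TARGET_RE = re.compile(r"^(?P<target>.+?)(?:\s+\[(?P<meta>[^\]]*)\])?(?:\s+\((?P<pub>[^)]*)\))?$")

# Assumption of this example: autostart targets under these paths deserve a second look.
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\temp\\")


def parse(log_text):
    """Walk the log once; return Security Center entries and autostart entries."""
    section, security, autostarts = None, [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1) or section   # an all-'=' rule does not change section
            continue
        m = SECCENTER_RE.match(line)
        if m:
            security.append(m.groupdict())
            continue
        m = AUTOSTART_RE.match(line)
        if m:
            t = TARGET_RE.match(m.group("rest"))
            autostarts.append({
                "section": section,
                "name": m.group("name").strip("[]"),
                "target": t.group("target"),
                "meta": t.group("meta"),    # "[date]" or "[size date]" contents
                "pub": t.group("pub"),      # None if absent, "" if FRST printed "()"
            })
    return security, autostarts


def triage(log_text):
    """Return (security, autostarts, findings); findings are (kind, detail) tuples."""
    security, autostarts = parse(log_text)
    findings = []
    enabled_av = [s["name"] for s in security if s["kind"] == "AV" and s["state"] == "Enabled"]
    if len(enabled_av) > 1:
        findings.append(("multiple_av", ", ".join(enabled_av)))
    for a in autostarts:
        if a["pub"] == "":
            findings.append(("no_publisher", a["target"]))
        if any(p in a["target"].lower() for p in USER_WRITABLE):
            findings.append(("user_writable", a["target"]))
    return security, autostarts, findings


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    for kind, detail in triage(text)[2]:
        print(f"{kind:14} {detail}")
```

Run it with a saved Addition.txt or FRST.txt as the argument; with no argument it triages the constructed sample, which yields the two-engines finding (Microsoft Security Essentials and Avira both enabled) and the HP Communicator task, whose target sits under C:\ProgramData and carries no company name.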


#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,502 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 27 April 2014 - 10:58 AM

Download attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location, or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

 

Attached File: fixlist.txt (2.42KB)

 

 

Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way, you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop

Link 1
Link 2

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • RcAuto1.gif
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.
 


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



#8 Miyaka

Miyaka
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Female
  • Location:Cahokia, IL

Posted 28 April 2014 - 05:01 AM

(First scan)

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-04-2014

Ran by Image 17 (administrator) on EAVIN on 28-04-2014 04:51:56

Running from C:\Users\Image 17\Downloads

Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English(US)

Internet Explorer Version 11

Boot Mode: Normal

The only official download link for FRST:

Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/

Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Download link from any site other than Bleeping Computer is unpermitted or outdated.

See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe

(Microsoft Corporation) C:\Windows\system32\AUDIODG.EXE

(Cisco Systems, Inc.) C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe

(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe

(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.3.132.0\BBSvc.exe

(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

(Intel Corporation) C:\Windows\System32\igfxtray.exe

(Intel Corporation) C:\Windows\System32\hkcmd.exe

(Intel Corporation) C:\Windows\System32\igfxpers.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe

(Intel Corporation) C:\Windows\system32\igfxsrvc.exe

(Veoh Networks) C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

(Yahoo! Inc.) C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe

(Adobe Systems, Inc.) C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_182.exe

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe

(Adobe Systems, Inc.) C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_182.exe

 

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)

HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [348664 2012-08-01] (Avira Operations GmbH & Co. KG)

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)

HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)

HKU\S-1-5-21-1698006204-2431324947-1330829467-1000\...\Run: [Messenger (Yahoo!)] => C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [6595928 2012-05-25] (Yahoo! Inc.)

HKU\S-1-5-21-1698006204-2431324947-1330829467-1000\...\Run: [VeohPlugin] => C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe [2590456 2009-11-20] (Veoh Networks)

Startup: C:\Users\Image 17\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 1050 J410 series.lnk

ShortcutTarget: Monitor Ink Alerts - HP Deskjet 1050 J410 series.lnk -> C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xD6F838818D43CD01

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US

SearchScopes: HKLM - DefaultScope value is missing.

SearchScopes: HKCU - {34F4A507-22FB-46D6-ABFF-D86071B597CA} URL = http://websearch.ask.com/redirect?client=ie&tb=AVR-3&o=APN10400&src=kw&q={searchTerms}&locale=&apn_ptnrs=^ABY&apn_dtid=^YYYYYY^YY^US&apn_uid=118dba88-2283-4ca8-82c5-010806afcd49&apn_sauid=691581A6-ACF0-4D9D-A269-57BCA75F5147

BHO: Bing Bar Helper - {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)

BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Toolbar: HKLM - Bing Bar - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)

Tcpip\Parameters: [DhcpNameServer] 10.0.0.1

FireFox:

========

FF ProfilePath: C:\Users\Image 17\AppData\Roaming\Mozilla\Firefox\Profiles\n4do0ixe.default-1384808122510

FF Homepage: https://www.yahoo.com/

FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_182.dll ()

FF Plugin: @java.com/DTPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.1 - C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)

FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 - C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)

FF Plugin: @microsoft.com/GENUINE - disabled No File

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF Plugin: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 - C:\ProgramData\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)

FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npBitCometAgent.dll (BitComet)

FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)

FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)

FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)

FF Extension: Veoh Video Compass - C:\Users\Image 17\AppData\Roaming\Mozilla\Firefox\Profiles\n4do0ixe.default-1384808122510\Extensions\searchrecs@veoh.com [2013-11-26]

FF Extension: TimeLineRemove.Com - C:\Users\Image 17\AppData\Roaming\Mozilla\Firefox\Profiles\n4do0ixe.default-1384808122510\Extensions\tl_r@jetpack.xpi [2013-11-21]

========================== Services (Whitelisted) =================

R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [86224 2012-05-02] (Avira Operations GmbH & Co. KG)

R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [110032 2012-05-02] (Avira Operations GmbH & Co. KG)

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)

R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)

S3 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]

==================== Drivers (Whitelisted) ====================

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [83392 2012-04-25] (Avira GmbH)

R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [137928 2012-04-27] (Avira GmbH)

R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [36000 2012-04-16] (Avira GmbH)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)

R1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)

S1 ckzwrmyg; \??\C:\Windows\system32\drivers\ckzwrmyg.sys [X]

S1 dnuhswmo; \??\C:\Windows\system32\drivers\dnuhswmo.sys [X]

S1 ehkvqkci; \??\C:\Windows\system32\drivers\ehkvqkci.sys [X]

S1 exashbrc; \??\C:\Windows\system32\drivers\exashbrc.sys [X]

S1 hdpfguqc; \??\C:\Windows\system32\drivers\hdpfguqc.sys [X]

S1 jzjxdqrp; \??\C:\Windows\system32\drivers\jzjxdqrp.sys [X]

S1 mkiwjcrx; \??\C:\Windows\system32\drivers\mkiwjcrx.sys [X]

S1 MpKsl7842e45c; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C5096786-84AE-48F5-A7CA-C87EA23F229D}\MpKsl7842e45c.sys [X]

S3 VGPU; System32\drivers\rdvgkmd.sys [X]

S1 wojubfzg; \??\C:\Windows\system32\drivers\wojubfzg.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-28 04:51 - 2014-04-28 04:51 - 00000000 ____D () C:\Users\Image 17\Downloads\FRST-OlderVersion

2014-04-28 04:46 - 2014-04-28 04:46 - 00002480 _____ () C:\Users\Image 17\Downloads\fixlist.txt

2014-04-26 21:11 - 2014-04-26 21:12 - 00024513 _____ () C:\Users\Image 17\Downloads\Addition.txt

2014-04-26 21:10 - 2014-04-28 04:51 - 00009627 _____ () C:\Users\Image 17\Downloads\FRST.txt

2014-04-26 21:07 - 2014-04-28 04:51 - 00000000 ____D () C:\FRST

2014-04-26 21:06 - 2014-04-28 04:51 - 01049600 _____ (Farbar) C:\Users\Image 17\Downloads\FRST.exe

2014-04-26 20:55 - 2014-04-26 20:59 - 00000000 ____D () C:\AdwCleaner

2014-04-26 20:52 - 2014-04-26 20:53 - 01329501 _____ () C:\Users\Image 17\Downloads\AdwCleaner.exe

2014-04-19 14:14 - 2014-04-19 14:18 - 00010691 _____ () C:\Users\Image 17\Desktop\dds.txt

2014-04-19 14:14 - 2014-04-19 14:14 - 00011885 _____ () C:\Users\Image 17\Desktop\attach.txt

2014-04-19 14:03 - 2014-04-19 14:03 - 00688992 ____R (Swearware) C:\Users\Image 17\Downloads\dds.com

2014-04-17 06:39 - 2014-04-17 06:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java

2014-04-17 06:39 - 2014-04-14 20:13 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll

2014-04-17 06:39 - 2014-04-14 20:05 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe

2014-04-17 06:39 - 2014-04-14 20:05 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe

2014-04-17 06:39 - 2014-04-14 20:04 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\java.exe

2014-04-17 06:38 - 2014-04-17 06:39 - 00004186 _____ () C:\Windows\system32\jupdate-1.7.0_55-b14.log

2014-04-11 02:44 - 2014-04-11 02:46 - 25907928 _____ (Microsoft Corporation) C:\Users\Image 17\Downloads\Windows-KB890830-V5.11.exe

2014-04-11 02:22 - 2014-04-11 02:22 - 00145000 _____ () C:\Windows\Minidump\041114-24819-01.dmp

2014-04-09 20:07 - 2014-03-30 19:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2014-04-09 20:07 - 2014-03-30 18:57 - 17073152 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2014-04-09 20:07 - 2014-03-04 04:17 - 00868352 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll

2014-04-09 20:07 - 2014-02-03 21:07 - 00234432 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys

2014-04-09 20:07 - 2014-02-03 21:07 - 00149440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys

2014-04-09 20:07 - 2014-02-03 21:07 - 00027072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Diskdump.sys

2014-04-09 20:07 - 2014-02-03 21:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\iologmsg.dll

2014-04-09 20:07 - 2014-01-23 21:18 - 01212352 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys

2014-03-29 03:52 - 2014-03-29 03:53 - 00000000 ____D () C:\Program Files\Mozilla Firefox

==================== One Month Modified Files and Folders =======

2014-04-28 04:52 - 2014-04-26 21:10 - 00009627 _____ () C:\Users\Image 17\Downloads\FRST.txt

2014-04-28 04:51 - 2014-04-28 04:51 - 00000000 ____D () C:\Users\Image 17\Downloads\FRST-OlderVersion

2014-04-28 04:51 - 2014-04-26 21:07 - 00000000 ____D () C:\FRST

2014-04-28 04:51 - 2014-04-26 21:06 - 01049600 _____ (Farbar) C:\Users\Image 17\Downloads\FRST.exe

2014-04-28 04:48 - 2010-11-20 16:01 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI

2014-04-28 04:46 - 2014-04-28 04:46 - 00002480 _____ () C:\Users\Image 17\Downloads\fixlist.txt

2014-04-28 04:42 - 2009-07-13 23:39 - 00994381 _____ () C:\Windows\setupact.log

2014-04-28 04:41 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-04-28 01:25 - 2013-02-10 09:04 - 00000344 _____ () C:\Windows\Tasks\HP Photo Creations Communicator.job

2014-04-28 01:25 - 2012-06-06 09:31 - 01327206 _____ () C:\Windows\WindowsUpdate.log

2014-04-28 00:56 - 2012-06-08 18:41 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job

2014-04-26 21:12 - 2014-04-26 21:11 - 00024513 _____ () C:\Users\Image 17\Downloads\Addition.txt

2014-04-26 21:00 - 2010-11-20 16:48 - 00257918 _____ () C:\Windows\PFRO.log

2014-04-26 20:59 - 2014-04-26 20:55 - 00000000 ____D () C:\AdwCleaner

2014-04-26 20:59 - 2009-07-13 23:34 - 00020832 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-04-26 20:59 - 2009-07-13 23:34 - 00020832 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2014-04-26 20:53 - 2014-04-26 20:52 - 01329501 _____ () C:\Users\Image 17\Downloads\AdwCleaner.exe

2014-04-19 14:18 - 2014-04-19 14:14 - 00010691 _____ () C:\Users\Image 17\Desktop\dds.txt

2014-04-19 14:14 - 2014-04-19 14:14 - 00011885 _____ () C:\Users\Image 17\Desktop\attach.txt

2014-04-19 14:03 - 2014-04-19 14:03 - 00688992 ____R (Swearware) C:\Users\Image 17\Downloads\dds.com

2014-04-18 13:24 - 2012-06-12 10:11 - 00000000 ____D () C:\Users\Image 17\AppData\Roaming\TeamViewer

2014-04-18 08:08 - 2009-07-13 23:53 - 00032634 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

2014-04-17 10:45 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\NDF

2014-04-17 06:39 - 2014-04-17 06:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java

2014-04-17 06:39 - 2014-04-17 06:38 - 00004186 _____ () C:\Windows\system32\jupdate-1.7.0_55-b14.log

2014-04-17 06:39 - 2001-01-01 00:17 - 00000000 ____D () C:\ProgramData\Oracle

2014-04-17 06:39 - 2001-01-01 00:15 - 00000000 ____D () C:\Program Files\Java

2014-04-15 16:42 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache

2014-04-14 20:13 - 2014-04-17 06:39 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll

2014-04-14 20:05 - 2014-04-17 06:39 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe

2014-04-14 20:05 - 2014-04-17 06:39 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe

2014-04-14 20:04 - 2014-04-17 06:39 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\java.exe

2014-04-11 02:46 - 2014-04-11 02:44 - 25907928 _____ (Microsoft Corporation) C:\Users\Image 17\Downloads\Windows-KB890830-V5.11.exe

2014-04-11 02:22 - 2014-04-11 02:22 - 00145000 _____ () C:\Windows\Minidump\041114-24819-01.dmp

2014-04-11 02:22 - 2013-09-19 23:38 - 00000000 ____D () C:\Windows\Minidump

2014-04-11 02:21 - 2013-09-20 00:13 - 235052140 _____ () C:\Windows\MEMORY.DMP

2014-04-09 23:57 - 2012-06-05 21:40 - 00000000 ____D () C:\ProgramData\Microsoft Help

2014-04-09 23:55 - 2013-08-15 01:45 - 00000000 ____D () C:\Windows\system32\MRT

2014-04-08 23:21 - 2012-06-11 23:54 - 00000000 ____D () C:\Users\Image 17\AppData\Local\Adobe

2014-04-08 23:20 - 2012-06-08 18:41 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe

2014-04-08 23:20 - 2012-06-08 18:41 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

2014-04-03 02:29 - 2012-06-06 07:00 - 00001945 _____ () C:\Windows\epplauncher.mif

2014-04-03 02:29 - 2012-06-06 06:59 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk

2014-04-03 02:28 - 2012-06-06 06:59 - 00000000 ____D () C:\Program Files\Microsoft Security Client

2014-03-31 03:51 - 2012-06-05 19:06 - 88028728 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

2014-03-31 03:07 - 2012-06-05 21:35 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service

2014-03-30 19:13 - 2014-04-09 20:07 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2014-03-30 18:57 - 2014-04-09 20:07 - 17073152 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2014-03-29 03:53 - 2014-03-29 03:52 - 00000000 ____D () C:\Program Files\Mozilla Firefox

Some content of TEMP:

====================

C:\Users\Image 17\AppData\Local\Temp\AskSLib.dll

C:\Users\Image 17\AppData\Local\Temp\BitDF29.tmp.exe

C:\Users\Image 17\AppData\Local\Temp\BI_RunOnce.exe

C:\Users\Image 17\AppData\Local\Temp\couponamazing.exe

C:\Users\Image 17\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit.exe

C:\Users\Image 17\AppData\Local\Temp\incredibar_installer.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u7-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe

C:\Users\Image 17\AppData\Local\Temp\Quarantine.exe

C:\Users\Image 17\AppData\Local\Temp\Relay.dll

C:\Users\Image 17\AppData\Local\Temp\RelayL.dll

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\system32\winlogon.exe => MD5 is legit

C:\Windows\system32\wininit.exe => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\services.exe => MD5 is legit

C:\Windows\system32\User32.dll => MD5 is legit

C:\Windows\system32\userinit.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-04-21 18:19

==================== End Of Log ============================

(Finally figured out how to get this here... sorry for the wait.)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 27-04-2014
Ran by Image 17 at 2014-04-28 05:00:03 Run:1
Running from C:\Users\Image 17\Downloads
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {34F4A507-22FB-46D6-ABFF-D86071B597CA} URL = http://websearch.ask.com/redirect?client=ie&tb=AVR-3&o=APN10400&src=kw&q={searchTerms}&locale=&apn_ptnrs=^ABY&apn_dtid=^YYYYYY^YY^US&apn_uid=118dba88-2283-4ca8-82c5-010806afcd49&apn_sauid=691581A6-ACF0-4D9D-A269-57BCA75F5147
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npBitCometAgent.dll (BitComet)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
S1 ckzwrmyg; \??\C:\Windows\system32\drivers\ckzwrmyg.sys [X]
S1 dnuhswmo; \??\C:\Windows\system32\drivers\dnuhswmo.sys [X]
S1 ehkvqkci; \??\C:\Windows\system32\drivers\ehkvqkci.sys [X]
S1 exashbrc; \??\C:\Windows\system32\drivers\exashbrc.sys [X]
S1 hdpfguqc; \??\C:\Windows\system32\drivers\hdpfguqc.sys [X]
S1 jzjxdqrp; \??\C:\Windows\system32\drivers\jzjxdqrp.sys [X]
S1 mkiwjcrx; \??\C:\Windows\system32\drivers\mkiwjcrx.sys [X]
S1 MpKsl7842e45c; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C5096786-84AE-48F5-A7CA-C87EA23F229D}\MpKsl7842e45c.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S1 wojubfzg; \??\C:\Windows\system32\drivers\wojubfzg.sys [X]
C:\Users\Image 17\AppData\Local\Temp\AskSLib.dll
C:\Users\Image 17\AppData\Local\Temp\BitDF29.tmp.exe
C:\Users\Image 17\AppData\Local\Temp\BI_RunOnce.exe
C:\Users\Image 17\AppData\Local\Temp\couponamazing.exe
C:\Users\Image 17\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit.exe
C:\Users\Image 17\AppData\Local\Temp\incredibar_installer.exe
C:\Users\Image 17\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe
C:\Users\Image 17\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe
C:\Users\Image 17\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Image 17\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Image 17\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe
C:\Users\Image 17\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Image 17\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Image 17\AppData\Local\Temp\jre-7u7-windows-i586-iftw.exe
C:\Users\Image 17\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe
C:\Users\Image 17\AppData\Local\Temp\Quarantine.exe
C:\Users\Image 17\AppData\Local\Temp\Relay.dll
C:\Users\Image 17\AppData\Local\Temp\RelayL.dll
*****************

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{34F4A507-22FB-46D6-ABFF-D86071B597CA} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{34F4A507-22FB-46D6-ABFF-D86071B597CA} => Key not found.
ckzwrmyg => Service deleted successfully.
dnuhswmo => Service deleted successfully.
ehkvqkci => Service deleted successfully.
exashbrc => Service deleted successfully.
hdpfguqc => Service deleted successfully.
jzjxdqrp => Service deleted successfully.
mkiwjcrx => Service deleted successfully.
MpKsl7842e45c => Service deleted successfully.
VGPU => Service deleted successfully.
wojubfzg => Service deleted successfully.
C:\Users\Image 17\AppData\Local\Temp\AskSLib.dll => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\BitDF29.tmp.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\BI_RunOnce.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\couponamazing.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\incredibar_installer.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\jre-7u7-windows-i586-iftw.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\Relay.dll => Moved successfully.
C:\Users\Image 17\AppData\Local\Temp\RelayL.dll => Moved successfully.

==== End of Fixlog ====

#9 Miyaka (Topic Starter)

Posted 28 April 2014 - 06:49 AM

Btw, I don't know if this is relevant, but I did download ComboFix earlier, and it just totally hung.

I haven't been to the part yet about running it, because I've never turned Avira off... It only gives me the option of "Deactivating" it, and yes, I did go through the help files of Avira and the "how to deactivate your antivirus" thing beforehand... It only showed an older version of Avira antivirus, so please, please guide me through this as well.



#10 fireman4it (Malware Response Team)

Posted 28 April 2014 - 10:13 AM

Run ComboFix from Safe Mode.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.
Please see here for additional details.


"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 Miyaka (Topic Starter)

Posted 29 April 2014 - 01:50 AM

ComboFix 14-04-26.01 - Image 17 04/29/2014   1:21.1.2 - x86 MINIMAL
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3062.2625 [GMT -5:00]
Running from: c:\users\Image 17\Downloads\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\ST6UNST.000
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_vpnagent
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-28 to 2014-04-29  )))))))))))))))))))))))))))))))
.
.
2014-04-28 06:02 . 2014-04-16 09:25    8050496    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A3AE8D3B-34CB-4E1A-A0BA-3E6EAA583E29}\mpengine.dll
2014-04-27 02:07 . 2014-04-28 10:00    --------    d-----w-    C:\FRST
2014-04-27 01:55 . 2014-04-27 01:59    --------    d-----w-    C:\AdwCleaner
2014-04-27 01:50 . 2014-04-16 09:25    8050496    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-04-21 03:22 . 2014-02-20 04:45    765968    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{45BBB7D7-2CFA-4C55-A808-63C640BC0426}\gapaengine.dll
2014-04-17 11:39 . 2014-04-15 01:13    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-04-10 01:07 . 2014-02-04 02:07    149440    ----a-w-    c:\windows\system32\drivers\storport.sys
2014-04-10 01:07 . 2014-02-04 02:07    234432    ----a-w-    c:\windows\system32\drivers\msiscsi.sys
2014-04-10 01:07 . 2014-02-04 02:07    27072    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2014-04-10 01:07 . 2014-02-04 02:00    2048    ----a-w-    c:\windows\system32\iologmsg.dll
2014-04-10 01:07 . 2014-01-24 02:18    1212352    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2014-04-10 01:07 . 2014-03-31 00:13    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-04-08 21:17 . 2014-04-08 21:17    2876528    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2014-04-08 21:16 . 2014-04-08 21:16    539984    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2014-04-01 09:31 . 2014-04-01 09:31    736952    ----a-w-    c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2014-03-31 09:49 . 2014-03-31 09:49    42168    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-29 05:57 . 2012-06-08 23:41    70832    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-29 05:57 . 2012-06-08 23:41    692400    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-04-08 21:17 . 2014-03-24 16:40    736952    ----a-w-    c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2014-04-08 21:16 . 2014-03-24 16:33    42168    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2014-03-24 16:37 . 2014-03-24 16:37    2876528    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2014-03-24 16:33 . 2014-03-24 16:33    539984    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2014-03-11 14:52 . 2012-03-21 01:44    104264    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-01 04:10 . 2014-03-13 03:06    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-03-01 03:52 . 2014-03-13 03:06    61952    ----a-w-    c:\windows\system32\iesetup.dll
2014-03-01 03:51 . 2014-03-13 03:06    51200    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-03-01 03:38 . 2014-03-13 03:06    112128    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-01 03:38 . 2014-03-13 03:06    108032    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-03-01 03:37 . 2014-03-13 03:06    553472    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-03-01 03:31 . 2014-03-13 03:06    646144    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-01 03:14 . 2014-03-13 03:06    4244480    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-01 03:00 . 2014-03-13 03:06    1964032    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-01 02:32 . 2014-03-13 03:06    1820160    ----a-w-    c:\windows\system32\wininet.dll
2014-02-20 04:45 . 2012-06-13 08:41    765968    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-02-07 01:07 . 2014-03-13 02:59    2349056    ----a-w-    c:\windows\system32\win32k.sys
2014-02-04 02:04 . 2014-03-13 02:59    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-02-04 02:04 . 2014-03-13 03:04    509440    ----a-w-    c:\windows\system32\qedit.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-06-06 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-05-25 6595928]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-11-20 2590456]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-01 348664]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
c:\users\Image 17\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Deskjet 1050 J410 series.lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Deskjet 1050 J410 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN1961B3QB05QT;CONNECTION=USB;MONITOR=1; [2009-7-13 44544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 09:44    212992    ----a-w-    c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2012-11-05 20:27    89184    ----a-w-    c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-10-28 17:18    49208    ----a-w-    c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPConnectionManager]
2012-03-15 20:17    184704    ----a-w-    c:\program files\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2009-11-24 16:07    323640    ----a-w-    c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
.
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.3.132.0\SeaPort.exe [2014-03-12 247968]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 227896]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 hpCMSrv;HP Connection Manager 4 Service;c:\program files\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2012-03-15 1420160]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-03-01 108032]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-06 1343400]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2012-04-17 36000]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2012-05-02 86224]
S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.3.132.0\BBSvc.exe [2014-03-12 193696]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2014-03-11 279776]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService    REG_MULTI_SZ       HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-08 05:57]
.
2014-04-28 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\programdata\HP Photo Creations\Communicator.exe [2014-02-10 12:55]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Image 17\AppData\Roaming\Mozilla\Firefox\Profiles\n4do0ixe.default-1384808122510\
FF - prefs.js: browser.startup.homepage - hxxps://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-BitComet - c:\program files\BitComet\BitComet.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\taskhost.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2014-04-29  01:39:21 - machine was rebooted
ComboFix-quarantined-files.txt  2014-04-29 06:39
.
Pre-Run: 278,898,413,568 bytes free
Post-Run: 279,437,565,952 bytes free
.
- - End Of File - - 7A750AFA868FC59D14656D37F8671622
A36C5E4F47E84449FF07ED3517B43A31

 

(I followed your instructions, even if it took me a while... sorry for the delay... and yes, I understand almost nothing of this.)

Waiting for your next instructions.

Thank you.



#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,502 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:28 PM

Posted 29 April 2014 - 10:34 PM

1.

Download Malwarebytes Anti-Rootkit to your desktop.

  • Extract the ZIP archive and double-click "mbar.exe" to start the tool.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"
  • "system-log.txt"



2.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

 

  • Please go >>HERE<< then click on the ESET Online Scanner button.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on the esetsmartinstaller_enu.exe icon to install.

    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use, then click on Start.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
  • Now click on Start.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on Finish.
    (Selecting Uninstall application on close if you so wish)

Edited by fireman4it, 29 April 2014 - 10:35 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 Miyaka

Miyaka
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Female
  • Location:Cahokia, IL
  • Local time:11:28 PM

Posted 02 May 2014 - 12:01 AM

~Results of mbar log and system log~

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2013.10.02.12

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.17041
Image 17 :: EAVIN [administrator]

5/1/2014 11:22:49 PM
mbar-log-2014-05-01 (23-22-49).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 199696
Time elapsed: 27 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)


Malwarebytes Anti-Rootkit BETA 1.07.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 11.0.9600.17041

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.729000 GHz
Memory total: 3210756096, free: 2092232704

Downloaded database version: v2014.05.02.01
Downloaded database version: v2014.03.27.01
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 11.0.9600.17041

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.729000 GHz
Memory total: 3210756096, free: 2048888832

=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 11.0.9600.17041

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.729000 GHz
Memory total: 3210756096, free: 2075426816

=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 11.0.9600.17041

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.729000 GHz
Memory total: 3210756096, free: 2252439552

=======================================
Initializing...
------------ Kernel report ------------
     05/01/2014 23:22:37
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\ssmdrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\avkmgr.sys
\SystemRoot\system32\DRIVERS\avipbb.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\cpqbttn.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\athr.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\Rtnicxp.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\Apfiltr.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\CHDRT32.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\HSXHWAZL.sys
\SystemRoot\system32\DRIVERS\HSX_DPV.sys
\SystemRoot\system32\DRIVERS\HSX_CNXT.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\drivers\hidusb.sys
\SystemRoot\system32\drivers\USBD.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\avgntflt.sys
\SystemRoot\system32\DRIVERS\RMCAST.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\mdmxsdk.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\XAudio32.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\nsi.dll
\Windows\System32\imm32.dll
\Windows\System32\shell32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\shlwapi.dll
\Windows\System32\usp10.dll
\Windows\System32\Wldap32.dll
\Windows\System32\gdi32.dll
\Windows\System32\iertutil.dll
\Windows\System32\oleaut32.dll
\Windows\System32\psapi.dll
\Windows\System32\kernel32.dll
\Windows\System32\user32.dll
\Windows\System32\sechost.dll
\Windows\System32\normaliz.dll
\Windows\System32\lpk.dll
\Windows\System32\wininet.dll
\Windows\System32\ole32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\difxapi.dll
\Windows\System32\setupapi.dll
\Windows\System32\advapi32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\clbcatq.dll
\Windows\System32\urlmon.dll
\Windows\System32\msctf.dll
\Windows\System32\ws2_32.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\crypt32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\devobj.dll
\Windows\System32\wintrust.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\comctl32.dll
\Windows\System32\msasn1.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8609dac8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000076\
Lower Device Object: 0xffffffff867c6720
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff85d71030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-4\
Lower Device Object: 0xffffffff85c7b908
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85d71030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85d71d10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85d71030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff85c64828, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff85c7b908, DeviceName: \Device\Ide\IdeDeviceP2T0L0-4\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 88C77EF8

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 624932864

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff8609dac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff84f9cd10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8609dac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff867c6720, DeviceName: \Device\00000076\, DriverName: \Driver\USBSTOR\
------------ End ----------
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished



#14 Miyaka

Miyaka
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Female
  • Location:Cahokia, IL
  • Local time:11:28 PM

Posted 02 May 2014 - 02:51 AM

I made sure to close my antivirus system programs, just as you instructed me to...

(not understanding why Avira! appears to be infected... maybe because I turned it off and turned it back on after the scan?

I do have a clean copy of Avira! saved on a separate drive)

 

ESETSmartInstaller@High as downloader log:

all ok

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=e06e111f68844b4f978431b86eb580e6

# engine=18105

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2014-05-02 07:09:52

# local_time=2014-05-02 02:09:52 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=1799 16775165 100 99 0 168739097 0 0

# compatibility_mode=5893 16776574 100 94 24403544 150559383 0 0

# scanned=95324

# found=2

# cleaned=2

# scan_time=2478

sh=40E49124AD0B55A25F947333CA88E9D0BC30A7E3 ft=1 fh=e26ad988592b2af9 vn="a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application (deleted (after the next restart) - quarantined)" ac=C fn="C:\Program Files\Avira\AntiVir Desktop\apnic.dll"

sh=261145D1AE47EE86F60E2A4B65A5FB3A56CD4057 ft=1 fh=ccde4a0ecc812467 vn="a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application (deleted (after the next restart) - quarantined)" ac=C fn="C:\Program Files\Avira\AntiVir Desktop\apntoolbarinstaller.exe"



#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,502 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:28 PM

Posted 02 May 2014 - 04:28 PM

Avira installs the Ask toolbar if you're not careful, and many antivirus and malware programs pick it up as malware. How is the machine running otherwise?






