Wave volume keeps turning down by itself every minute or so.


  • This topic is locked
16 replies to this topic

#1 E.rummel

E.rummel

  • Members
  • 9 posts

Posted 02 May 2014 - 05:14 AM

The Wave volume keeps muting itself every minute or so. It's been happening for the past few days. I'm not sure when exactly it started. I tried a system restore but all the restore points were gone besides the one from the day before, so I restored it back to that day anyway and nothing changed. I have tried unplugging the internet connection and running antivirus programs in Safe Mode without networking, as well as disabling System Restore before doing it so the virus can't reintroduce itself to the system through System Restore. I've run Malwarebytes, SUPERAntiSpyware, and AVG 12 after doing this. Also, lately I've been noticing a lot of Windows updates that are prompted for updating, and I will look over the names of the updates they say I need and then update them. After I turn my computer off and back on it tells me I need the same exact updates. So I've stopped the updating the last few times by manually stopping them in Task Manager. I've also used TDSSKiller and HitmanPro while in normal Windows mode. I saw in another topic very similar to this one that they said to d/l OTC and run that (it worked for the other person), so I downloaded it, still to no avail. I've also noticed when I run the antivirus/antimalware programs they are taking very long to run in Safe Mode. SAS took 7 hours, Malwarebytes took 5 hours, and AVG took even longer. I'm not sure what else to do. I use my computer for work and school and need the sound for many things; it's not only a distraction but it's putting a damper and time crunch on my work and school because of this problem. I would be very appreciative if someone would be willing to help fix this problem. I'm not what you would call a computer genius but I do know my way around a computer. I usually am able to fix it myself but this time has proven not to be as easy.

 

I also noticed that if I turn off the computer, remove the internet cable and turn it back on, there is no problem with the Wave volume. It works perfectly. As soon as I plug the internet connection back in it goes back to malfunctioning. I always use the program CCleaner to clean temp files and things like this. I noticed a little while before all this started happening it would say it removed many temp files that are from IE. I never use IE. I always use Firefox or Chrome, so I found that to be a little suspicious as well. I hope I gave enough info or didn't overdo it; I just really need some help lol.

 

The help will be very much appreciated. Thank You.

 

___________________________________

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 6.0.2900.5512
Run by asasa at 6:02:48 on 2014-05-02
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1406.720 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\HitmanPro\hmpsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
BHO: {01D2335C-525E-4B64-8A19-872109B398Ee} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: {0E919AE2-525E-4B64-8A19-872109B398Ee} - <orphaned>
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg2012\avgssie.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{E7D64356-16BA-424D-9E97-6F239A879DAA} : DHCPNameServer = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\34.0.1847.131\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\asasa\application data\mozilla\firefox\profiles\c7qkxeqz.default-1399017028359\
FF - plugin: c:\documents and settings\all users\application data\visan\plugins\npRLSecurePluginLayer.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\google\update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_43.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_44.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 AvgLdx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-3-8 230608]
R1 AvgMfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-3-8 40016]
R1 AvgTdiX;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-3-8 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-11 116608]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-12 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-9-12 90952]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-3-9 21104]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-9 398184]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-7-20 682344]
S2 SkypeUpdate;Skype Updater;"c:\program files\skype\updater\updater.exe" --> c:\program files\skype\updater\Updater.exe [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2014-5-2 26400]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [2014-2-10 34432]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2014-2-10 22656]
S3 SRS_HDAL_Service;HD Audio Lab;c:\windows\system32\drivers\SRS_HDAL_i386.sys [2010-9-26 384752]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2014-05-02 08:58:34    --------    d-----w-    C:\072bafcdfad9c11c333dce679867e18d
2014-05-02 08:58:25    --------    d-----w-    C:\4f2fe8ffbc02a0b1f4c15006cd9fc034
2014-05-02 08:57:16    --------    d-----w-    C:\623c8a5db4094a2876ef0b
2014-05-02 05:45:03    26400    ----a-w-    c:\windows\system32\drivers\hitmanpro36.sys
2014-05-02 04:03:30    --------    d-----w-    C:\20176d5b0de71b8936
2014-05-02 03:52:24    --------    d-----w-    C:\126b920bd8fac62df92e11
2014-05-01 10:51:18    --------    d-----w-    c:\documents and settings\asasa\local settings\application data\ATI
2014-05-01 01:40:57    --------    d-----w-    C:\d313c00acbb1460cabcf14ac
2014-04-30 08:22:31    3072    -c----w-    c:\windows\system32\dllcache\iacenc.dll
2014-04-30 08:22:31    3072    ------w-    c:\windows\system32\iacenc.dll
2014-04-30 07:12:16    --------    d-----w-    C:\RegBackup
2014-04-30 06:13:08    --------    d-----w-    c:\program files\Tweaking.com
2014-04-30 02:10:02    10594416    ----a-w-    c:\program files\mozilla firefox\icudt52.dll
2014-04-30 02:10:01    965232    ----a-w-    c:\program files\mozilla firefox\icuuc52.dll
2014-04-30 02:10:01    1266800    ----a-w-    c:\program files\mozilla firefox\icuin52.dll
2014-04-11 08:10:21    --------    d-----w-    c:\program files\Paltalk Messenger
2014-04-10 02:36:58    --------    d-----w-    c:\windows\system32\wbem\repository\FS
2014-04-10 02:36:58    --------    d-----w-    c:\windows\system32\wbem\Repository
2014-04-07 06:38:02    --------    d-----w-    c:\documents and settings\asasa\application data\Paltalk
.
==================== Find3M  ====================
.
2014-02-11 05:50:31    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-02-11 05:50:30    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH:  6:04:36.90 ===============
 


Edited by E.rummel, 02 May 2014 - 05:29 AM.



#2 gringo_pr

gringo_pr

Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 02 May 2014 - 06:08 AM





Hello E.rummel,

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this program for me.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
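As an added example, not part of this thread, of FRST, or of the Malware Response Team's own process: a small Python triage helper for the "One Month Created Files and Folders" section of the FRST log the post above asks for. It parses lines in the format FRST prints there and lists entries an analyst would want to look at by hand; the regex, the extension list and the heuristics are assumptions of this example, and the sample lines are constructed in FRST's format, modelled on the log posted later in the thread.

```python
"""Triage helper for the "One Month Created Files and Folders" section of a
Farbar Recovery Scan Tool (FRST) log.

Added example, not part of the thread or of FRST itself. It parses lines in
the format FRST prints in that section and flags entries an analyst would
want to look at by hand. The heuristics are assumptions of this example:
a flag means "review", never "malicious".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One created-files line: "created - modified - size attrs (company) path".
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) ([_A-Z]{5}) \((.*?)\) (.+)$"
)

# Extensions normally seen as loose files under C:\WINDOWS (assumed list).
EXPECTED_SYSTEM_EXTS = {
    "dll", "exe", "sys", "ocx", "drv", "cpl", "ax", "log", "txt", "ini",
    "dat", "cat", "inf", "mui", "nls", "tlb", "bak", "scr", "com", "msc",
}


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str    # FRST attribute letters, e.g. "____D", "__HDC", "____S"
    company: str  # publisher FRST read from the file's version info, "" if none
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def ext(self) -> str:
        name = self.path.rsplit("\\", 1)[-1]
        return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a created-files line, or None for any other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, company, path = m.groups()
    return Entry(created, modified, int(size), attrs, company, path)


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def triage(entry: Entry) -> List[str]:
    """Reasons an analyst might want a closer look (heuristics, not verdicts)."""
    reasons: List[str] = []
    if entry.is_dir or not in_windows_dir(entry.path):
        return reasons
    if entry.company == "" and entry.ext not in EXPECTED_SYSTEM_EXTS:
        reasons.append("no publisher and unusual extension under C:\\WINDOWS")
    if entry.company == "" and entry.size == 0:
        reasons.append("zero-byte file under C:\\WINDOWS")
    # "S" is read as the System attribute here (assumption about FRST's letters).
    if "S" in entry.attrs:
        reasons.append("System attribute set on a loose file")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; unflagged lines are dropped."""
    flagged: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and (reasons := triage(entry)):
            flagged[entry.path] = reasons
    return flagged


# Constructed sample in FRST's format (modelled on the log in this thread).
SAMPLE_LOG = """\
2014-05-02 10:17 - 2014-05-02 10:17 - 00000000 ____D () C:\\FRST
2014-04-30 03:13 - 2014-05-01 06:29 - 00181064 _____ (Sysinternals) C:\\WINDOWS\\PSEXESVC.EXE
2014-04-29 21:12 - 2014-05-02 10:13 - 00000069 _____ () C:\\WINDOWS\\system32\\igfgcg.vgq
2014-04-29 21:00 - 2014-04-29 21:00 - 00000000 _____ () C:\\WINDOWS\\system32\\joha.arm
2014-04-28 02:12 - 2014-04-28 02:12 - 00239207 ____S () C:\\WINDOWS\\system32\\eouz.jpy
2014-04-30 04:22 - 2012-01-11 15:06 - 00003072 ____N () C:\\WINDOWS\\system32\\iacenc.dll
"""

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

A flagged path is a starting point for the usual checks (publisher, hash lookup, what loads it), not a removal instruction.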

#3 E.rummel

E.rummel
  • Topic Starter

  • Members
  • 9 posts

Posted 02 May 2014 - 09:31 AM

Thank you for your fast reply. Here's everything you asked for.

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:01-05-2014
Ran by asasa (administrator) on OWNER-B6F3BCAC0 on 02-05-2014 10:17:28
Running from C:\Documents and Settings\asasa\My Documents\Downloads
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 6
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgchsvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgwdsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
() C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgemcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgtray.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgemc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\system32\msiexec.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ATICCC] => C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [90112 2006-05-10] ()
HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2416480 2012-01-24] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM\...\Run: [] => [X]
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
Winlogon\Notify\avgrsstarter: C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\.DEFAULT\...\RunOnce: [_nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\.DEFAULT\...\Policies\Explorer: [CDRAutoRun] 0
HKU\S-1-5-19\...\RunOnce: [_nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\S-1-5-20\...\RunOnce: [_nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?ocid=EIE8HP&PC=UP61
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=EIE8HP&PC=UP61
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
SearchScopes: HKLM - DefaultScope value is missing.
BHO: No Name - {01D2335C-525E-4B64-8A19-872109B398Ee} -  No File
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: No Name - {0E919AE2-525E-4B64-8A19-872109B398Ee} -  No File
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [113024 2011-07-18] (SuperAdBlocker.com)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\asasa\Application Data\Mozilla\Firefox\Profiles\c7qkxeqz.default-1399017028359
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_44.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 - C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 - C:\Documents and Settings\All Users\Application Data\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM\...\Firefox\Extensions: [{3EF431BF-EE1E-492D-ACCE-F8D68F384B1D}] - C:\Documents and Settings\Administrator\Local Settings\Application Data\{3EF431BF-EE1E-492D-ACCE-F8D68F384B1D}
FF Extension: XULRunner - C:\Documents and Settings\Administrator\Local Settings\Application Data\{3EF431BF-EE1E-492D-ACCE-F8D68F384B1D} [2011-07-06]
FF HKLM\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files\AVG\AVG2012\Firefox4\
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG2012\Firefox4\ []

Chrome:
=======
CHR Extension: (AVG Safe Search) - C:\Documents and Settings\asasa\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla [2014-05-02]
CHR Extension: (Google Wallet) - C:\Documents and Settings\asasa\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-05-02]
CHR HKLM\...\Chrome\Extension: [cdjbnddbclciabnckgeahmneohjlahdm] - C:\Documents and Settings\Administrator\Local Settings\Application Data\chromeupdate.crx [2014-05-02]
CHR HKLM\...\Chrome\Extension: [jmfkcklnlgedgbglfkkgedjfmejoahla] - C:\Program Files\AVG\AVG2012\Chrome\safesearch.crx [2011-12-21]

========================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2012-09-12] (SUPERAntiSpyware.com)
R2 avg9emc; C:\Program Files\AVG\AVG9\avgemc.exe [921952 2010-07-21] (AVG Technologies CZ, s.r.o.)
R2 avg9wd; C:\Program Files\AVG\AVG9\avgwdsvc.exe [308136 2011-04-14] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe [4433248 2011-10-12] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [192776 2011-08-02] (AVG Technologies CZ, s.r.o.)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [90952 2012-09-12] (SurfRight B.V.)
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [38912 2005-03-17] ()
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [398184 2012-12-14] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [682344 2012-12-14] (Malwarebytes Corporation)
S2 UStorage Server Service; C:\WINDOWS\system32\UStorSrv.exe [139264 2004-09-20] (OTi)
S2 Akamai; c:\program files\common files\akamai/netsession_win_6c825ce.dll [X]
S2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [X]

==================== Drivers (Whitelisted) ====================

R1 ASPI32; C:\WINDOWS\system32\Drivers\ASPI32.sys [25244 1999-09-10] (Adaptec)
R3 AVGIDSDriver; C:\WINDOWS\System32\DRIVERS\AVGIDSDriver.Sys [134608 2011-07-11] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSEH; C:\WINDOWS\System32\DRIVERS\AVGIDSEH.Sys [23120 2011-07-11] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFilter; C:\WINDOWS\System32\DRIVERS\AVGIDSFilter.Sys [24272 2011-07-11] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\AVGIDSShim.Sys [16720 2011-10-04] (AVG Technologies CZ, s.r.o. )
R1 AvgLdx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [230608 2011-10-07] (AVG Technologies CZ, s.r.o.)
R1 AvgMfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [40016 2011-08-08] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [32592 2011-09-13] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiX; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [295248 2011-07-11] (AVG Technologies CZ, s.r.o.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
S1 Cdr4_xp; C:\WINDOWS\system32\Drivers\Cdr4_xp.sys [9072 2009-04-28] (Sonic Solutions)
S1 Cdralw2k; C:\WINDOWS\system32\Drivers\Cdralw2k.sys [9200 2009-04-28] (Sonic Solutions)
R1 cdudf_xp; C:\WINDOWS\system32\Drivers\cdudf_xp.sys [291456 2005-02-03] (Roxio)
S3 CoachUsb; C:\WINDOWS\System32\DRIVERS\CoachUsb.sys [51392 2009-04-06] (FotoNation Inc.)
R1 DVDVRRdr_xp; C:\WINDOWS\system32\Drivers\DVDVRRdr_xp.sys [141184 2005-02-03] (Windows ® 2000 DDK provider)
S3 dvd_2K; C:\WINDOWS\system32\Drivers\dvd_2K.sys [24064 2005-02-03] (Roxio)
S3 hitmanpro35; C:\WINDOWS\system32\drivers\hitmanpro36.sys [26400 2014-05-02] ()
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2008-10-28] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2008-10-28] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2008-10-28] (HP)
S3 ManyCam; C:\WINDOWS\System32\DRIVERS\mcvidrv.sys [34432 2012-10-10] (ManyCam LLC)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [21104 2012-12-14] (Malwarebytes Corporation)
S3 mcaudrv_simple; C:\WINDOWS\System32\drivers\mcaudrv.sys [22656 2013-01-31] (ManyCam LLC)
S3 mmc_2K; C:\WINDOWS\system32\Drivers\mmc_2K.sys [23808 2005-02-03] (Roxio)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R1 pwd_2k; C:\WINDOWS\system32\Drivers\pwd_2k.sys [117632 2005-02-03] (Roxio)
R3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SRS_HDAL_Service; C:\WINDOWS\System32\drivers\SRS_HDAL_i386.sys [384752 2010-07-02] ()
S4 IntelIde; No ImagePath
S2 StarOpen; No ImagePath
S1 UDFReadr; No ImagePath
U1 WS2IFSL;
U3 mbr; \??\C:\DOCUME~1\asasa\LOCALS~1\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-05-02 10:17 - 2014-05-02 10:17 - 00000000 ____D () C:\FRST
2014-05-02 06:05 - 2014-05-02 06:22 - 00043620 _____ () C:\Documents and Settings\asasa\My Documents\attach.txt
2014-05-02 06:05 - 2014-05-02 06:05 - 00008760 _____ () C:\Documents and Settings\asasa\My Documents\dds.txt
2014-05-02 06:04 - 2014-05-02 06:04 - 00043626 _____ () C:\Documents and Settings\asasa\Desktop\attach.txt
2014-05-02 06:04 - 2014-05-02 06:04 - 00008760 _____ () C:\Documents and Settings\asasa\Desktop\dds.txt
2014-05-02 04:58 - 2014-05-02 04:58 - 00000000 ____D () C:\4f2fe8ffbc02a0b1f4c15006cd9fc034
2014-05-02 04:58 - 2014-05-02 04:58 - 00000000 ____D () C:\072bafcdfad9c11c333dce679867e18d
2014-05-02 04:57 - 2014-05-02 04:58 - 00000000 ____D () C:\623c8a5db4094a2876ef0b
2014-05-02 01:45 - 2014-05-02 03:11 - 00026400 _____ () C:\WINDOWS\system32\Drivers\hitmanpro36.sys
2014-05-02 00:03 - 2014-05-02 00:03 - 00000000 ____D () C:\20176d5b0de71b8936
2014-05-01 23:52 - 2014-05-02 00:03 - 00000000 ____D () C:\126b920bd8fac62df92e11
2014-05-01 23:41 - 2014-05-01 23:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2584146$
2014-05-01 22:34 - 2014-05-01 22:41 - 00000000 ____D () C:\Documents and Settings\NetworkService\Application Data\Azureus
2014-05-01 14:48 - 2014-05-01 20:25 - 00002730 _____ () C:\Documents and Settings\asasa\Desktop\avgrep.txt
2014-05-01 06:51 - 2014-05-01 06:51 - 00000000 ____D () C:\Documents and Settings\asasa\Local Settings\Application Data\ATI
2014-05-01 06:51 - 2014-05-01 06:51 - 00000000 ____D () C:\Documents and Settings\asasa\Application Data\ATI
2014-04-30 21:40 - 2014-04-30 22:08 - 00000000 ____D () C:\d313c00acbb1460cabcf14ac
2014-04-30 21:40 - 2014-04-30 21:40 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2620712$
2014-04-30 21:39 - 2014-04-30 21:39 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2566454$
2014-04-30 21:38 - 2014-04-30 21:38 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2661637$
2014-04-30 21:37 - 2014-04-30 21:37 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2914368$
2014-04-30 04:22 - 2012-01-11 15:06 - 00003072 ____N () C:\WINDOWS\system32\iacenc.dll
2014-04-30 04:22 - 2012-01-11 15:06 - 00003072 ____C () C:\WINDOWS\system32\dllcache\iacenc.dll
2014-04-30 03:43 - 2014-04-30 03:43 - 00000855 _____ () C:\WINDOWS\system32\Drivers\etc\hosts_bak_945
2014-04-30 03:41 - 2014-04-30 03:41 - 00000000 ____D () C:\Documents and Settings\LocalService\Start Menu\Programs\Accessories
2014-04-30 03:13 - 2014-05-01 06:29 - 00181064 _____ (Sysinternals) C:\WINDOWS\PSEXESVC.EXE
2014-04-30 03:12 - 2014-04-30 03:12 - 00000000 ____D () C:\RegBackup
2014-04-30 02:13 - 2014-04-30 02:13 - 00001812 _____ () C:\Documents and Settings\asasa\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2014-04-30 02:13 - 2014-04-30 02:13 - 00000000 ____D () C:\Program Files\Tweaking.com
2014-04-30 02:13 - 2014-04-30 02:13 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Tweaking.com
2014-04-30 00:17 - 2014-05-02 08:11 - 01411641 _____ () C:\WINDOWS\WindowsUpdate.log
2014-04-29 22:09 - 2014-04-29 22:10 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-04-29 21:12 - 2014-05-02 10:13 - 00000069 _____ () C:\WINDOWS\system32\igfgcg.vgq
2014-04-29 21:00 - 2014-04-29 21:00 - 00000064 _____ () C:\WINDOWS\system32\irkyelq.jxy
2014-04-29 21:00 - 2014-04-29 21:00 - 00000000 _____ () C:\WINDOWS\system32\joha.arm
2014-04-28 02:12 - 2014-04-28 02:12 - 00239207 ____S () C:\WINDOWS\system32\eouz.jpy
2014-04-25 15:50 - 2014-04-25 15:50 - 00022432 _____ () C:\Documents and Settings\asasa\My Documents\newest.reg
2014-04-11 04:20 - 2014-04-11 04:37 - 00018672 _____ () C:\console.log
2014-04-11 04:10 - 2014-04-11 04:10 - 00000000 ____D () C:\Program Files\Paltalk Messenger
2014-04-11 04:10 - 2014-04-11 04:10 - 00000000 ____D () C:\Documents and Settings\asasa\Start Menu\Programs\Paltalk Messenger
2014-04-09 19:54 - 2014-04-09 19:54 - 00000082 _____ () C:\WINDOWS\system32\laelavu.djc
2014-04-09 19:39 - 2014-04-09 19:39 - 00000064 _____ () C:\WINDOWS\system32\hxbfp.lrn
2014-04-09 19:39 - 2014-04-09 19:39 - 00000000 _____ () C:\WINDOWS\system32\amhui.oii
2014-04-07 02:41 - 2014-04-07 02:41 - 00305834 ____S () C:\WINDOWS\system32\mmmj.wby
2014-04-07 02:38 - 2014-04-11 04:14 - 00000000 ____D () C:\Documents and Settings\asasa\Application Data\Paltalk
2014-04-05 15:26 - 2014-04-05 15:26 - 00011530 _____ () C:\Documents and Settings\asasa\My Documents\1222222222222.reg

==================== One Month Modified Files and Folders =======

2014-05-02 10:17 - 2014-05-02 10:17 - 00000000 ____D () C:\FRST
2014-05-02 10:13 - 2014-04-29 21:12 - 00000069 _____ () C:\WINDOWS\system32\igfgcg.vgq
2014-05-02 10:12 - 2012-10-16 18:09 - 00000000 ____D () C:\Documents and Settings\asasa\Application Data\Azureus
2014-05-02 10:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At35.job
2014-05-02 10:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At11.job
2014-05-02 09:48 - 2010-06-01 22:28 - 00000900 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-02 09:22 - 2013-12-26 06:44 - 00000490 _____ () C:\WINDOWS\Tasks\HP Photo Creations Communicator.job
2014-05-02 09:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At34.job
2014-05-02 09:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At10.job
2014-05-02 08:11 - 2014-04-30 00:17 - 01411641 _____ () C:\WINDOWS\WindowsUpdate.log
2014-05-02 08:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At33.job
2014-05-02 08:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At9.job
2014-05-02 07:08 - 2010-03-08 15:07 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-05-02 07:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At32.job
2014-05-02 07:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At8.job
2014-05-02 06:36 - 2012-10-16 18:27 - 00000000 ___SD () C:\Documents and Settings\asasa\UserData
2014-05-02 06:36 - 2012-10-12 12:52 - 00000000 ____D () C:\Documents and Settings\asasa
2014-05-02 06:22 - 2014-05-02 06:05 - 00043620 _____ () C:\Documents and Settings\asasa\My Documents\attach.txt
2014-05-02 06:05 - 2014-05-02 06:05 - 00008760 _____ () C:\Documents and Settings\asasa\My Documents\dds.txt
2014-05-02 06:04 - 2014-05-02 06:04 - 00043626 _____ () C:\Documents and Settings\asasa\Desktop\attach.txt
2014-05-02 06:04 - 2014-05-02 06:04 - 00008760 _____ () C:\Documents and Settings\asasa\Desktop\dds.txt
2014-05-02 06:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At31.job
2014-05-02 06:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At7.job
2014-05-02 05:04 - 2004-08-04 05:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2014-05-02 05:02 - 2013-06-01 15:21 - 00000159 ____N () C:\WINDOWS\wiadebug.log
2014-05-02 05:02 - 2011-07-06 01:22 - 00000340 ___SH () C:\WINDOWS\Tasks\DQKMTBLO.job
2014-05-02 05:02 - 2011-07-06 01:22 - 00000332 ___SH () C:\WINDOWS\Tasks\KBJSNDOA.job
2014-05-02 05:02 - 2010-03-08 15:20 - 00000000 ____D () C:\Program Files\NetMeeting
2014-05-02 05:01 - 2013-06-01 15:21 - 00000048 ____N () C:\WINDOWS\wiaservc.log
2014-05-02 05:01 - 2012-02-29 07:49 - 00000294 _____ () C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1482476501-308236825-1606980848-500.job
2014-05-02 05:01 - 2010-06-01 22:28 - 00000896 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-02 05:00 - 2010-03-08 15:29 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-05-02 04:58 - 2014-05-02 04:58 - 00000000 ____D () C:\4f2fe8ffbc02a0b1f4c15006cd9fc034
2014-05-02 04:58 - 2014-05-02 04:58 - 00000000 ____D () C:\072bafcdfad9c11c333dce679867e18d
2014-05-02 04:58 - 2014-05-02 04:57 - 00000000 ____D () C:\623c8a5db4094a2876ef0b
2014-05-02 04:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At29.job
2014-05-02 04:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At5.job
2014-05-02 03:11 - 2014-05-02 01:45 - 00026400 _____ () C:\WINDOWS\system32\Drivers\hitmanpro36.sys
2014-05-02 03:08 - 2013-06-01 15:20 - 00032656 ____N () C:\WINDOWS\SchedLgU.Txt
2014-05-02 03:07 - 2010-03-08 15:32 - 00524288 _____ () C:\WINDOWS\system32\config\ACEEvent.evt
2014-05-02 03:06 - 2012-10-12 12:52 - 00000178 ___SH () C:\Documents and Settings\asasa\ntuser.ini
2014-05-02 03:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At28.job
2014-05-02 03:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At4.job
2014-05-02 02:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At27.job
2014-05-02 02:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At3.job
2014-05-02 01:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At26.job
2014-05-02 01:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At2.job
2014-05-02 00:37 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At1.job
2014-05-02 00:33 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At25.job
2014-05-02 00:03 - 2014-05-02 00:03 - 00000000 ____D () C:\20176d5b0de71b8936
2014-05-02 00:03 - 2014-05-01 23:52 - 00000000 ____D () C:\126b920bd8fac62df92e11
2014-05-01 23:55 - 2010-03-08 10:00 - 00646258 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-05-01 23:41 - 2014-05-01 23:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2584146$
2014-05-01 23:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At48.job
2014-05-01 23:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At24.job
2014-05-01 22:41 - 2014-05-01 22:34 - 00000000 ____D () C:\Documents and Settings\NetworkService\Application Data\Azureus
2014-05-01 22:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At47.job
2014-05-01 22:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At23.job
2014-05-01 20:25 - 2014-05-01 14:48 - 00002730 _____ () C:\Documents and Settings\asasa\Desktop\avgrep.txt
2014-05-01 08:13 - 2012-10-16 04:04 - 00105472 _____ () C:\Documents and Settings\asasa\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-05-01 07:07 - 2012-10-16 07:18 - 00041768 _____ () C:\Documents and Settings\asasa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-05-01 06:58 - 2010-03-08 15:20 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-05-01 06:51 - 2014-05-01 06:51 - 00000000 ____D () C:\Documents and Settings\asasa\Local Settings\Application Data\ATI
2014-05-01 06:51 - 2014-05-01 06:51 - 00000000 ____D () C:\Documents and Settings\asasa\Application Data\ATI
2014-05-01 06:42 - 2010-03-08 09:58 - 03483736 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-05-01 06:29 - 2014-04-30 03:13 - 00181064 _____ (Sysinternals) C:\WINDOWS\PSEXESVC.EXE
2014-05-01 06:26 - 2010-03-08 15:19 - 00000000 ____D () C:\WINDOWS\Registration
2014-05-01 06:22 - 2010-03-08 15:23 - 00023392 _____ () C:\WINDOWS\system32\nscompat.tlb
2014-05-01 06:22 - 2010-03-08 15:23 - 00016832 _____ () C:\WINDOWS\system32\amcompat.tlb
2014-05-01 05:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At30.job
2014-05-01 05:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At6.job
2014-04-30 22:08 - 2014-04-30 21:40 - 00000000 ____D () C:\d313c00acbb1460cabcf14ac
2014-04-30 21:40 - 2014-04-30 21:40 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2620712$
2014-04-30 21:39 - 2014-04-30 21:39 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2566454$
2014-04-30 21:39 - 2010-03-08 16:31 - 00000000 ____D () C:\WINDOWS\$hf_mig$
2014-04-30 21:38 - 2014-04-30 21:38 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2661637$
2014-04-30 21:37 - 2014-04-30 21:37 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2914368$
2014-04-30 21:17 - 2010-07-29 03:46 - 00000000 ____D () C:\WINDOWS\pss
2014-04-30 06:52 - 2012-01-22 13:09 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-04-30 03:43 - 2014-04-30 03:43 - 00000855 _____ () C:\WINDOWS\system32\Drivers\etc\hosts_bak_945
2014-04-30 03:43 - 2012-10-12 12:52 - 00000738 _____ () C:\Documents and Settings\asasa\Start Menu\Programs\Outlook Express.lnk
2014-04-30 03:41 - 2014-04-30 03:41 - 00000000 ____D () C:\Documents and Settings\LocalService\Start Menu\Programs\Accessories
2014-04-30 03:41 - 2010-03-08 15:29 - 00000000 __SHD () C:\Documents and Settings\LocalService
2014-04-30 03:12 - 2014-04-30 03:12 - 00000000 ____D () C:\RegBackup
2014-04-30 03:12 - 2010-03-08 09:50 - 00000000 ____D () C:\WINDOWS\repair
2014-04-30 02:13 - 2014-04-30 02:13 - 00001812 _____ () C:\Documents and Settings\asasa\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2014-04-30 02:13 - 2014-04-30 02:13 - 00000000 ____D () C:\Program Files\Tweaking.com
2014-04-30 02:13 - 2014-04-30 02:13 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Tweaking.com
2014-04-29 23:41 - 2012-07-18 07:22 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-04-29 22:10 - 2014-04-29 22:09 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-04-29 21:15 - 2012-01-14 13:28 - 00000000 ____D () C:\Program Files\Java
2014-04-29 21:01 - 2012-10-12 12:52 - 00000803 _____ () C:\Documents and Settings\asasa\Start Menu\Programs\Internet Explorer.lnk
2014-04-29 21:01 - 2012-10-12 12:52 - 00000000 ___RD () C:\Documents and Settings\asasa\Start Menu\Programs\Accessories
2014-04-29 21:00 - 2014-04-29 21:00 - 00000064 _____ () C:\WINDOWS\system32\irkyelq.jxy
2014-04-29 21:00 - 2014-04-29 21:00 - 00000000 _____ () C:\WINDOWS\system32\joha.arm
2014-04-29 21:00 - 2010-03-08 09:50 - 00000000 ____D () C:\WINDOWS\Help
2014-04-29 20:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At45.job
2014-04-29 20:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At21.job
2014-04-29 19:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At44.job
2014-04-29 19:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At20.job
2014-04-29 18:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At43.job
2014-04-29 18:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At19.job
2014-04-29 17:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At42.job
2014-04-29 17:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At18.job
2014-04-29 16:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At41.job
2014-04-29 16:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At17.job
2014-04-29 15:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At40.job
2014-04-29 15:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At16.job
2014-04-29 14:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At39.job
2014-04-29 14:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At15.job
2014-04-29 13:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At38.job
2014-04-29 13:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At14.job
2014-04-29 12:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At37.job
2014-04-29 12:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At13.job
2014-04-29 11:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At36.job
2014-04-29 11:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At12.job
2014-04-29 00:39 - 2013-01-25 07:46 - 00000000 ____D () C:\Documents and Settings\asasa\My Documents\Mixcraft Projects
2014-04-28 21:00 - 2012-08-09 05:33 - 00000418 _____ () C:\WINDOWS\Tasks\At46.job
2014-04-28 21:00 - 2012-08-09 05:33 - 00000416 _____ () C:\WINDOWS\Tasks\At22.job
2014-04-28 02:12 - 2014-04-28 02:12 - 00239207 ____S () C:\WINDOWS\system32\eouz.jpy
2014-04-25 15:50 - 2014-04-25 15:50 - 00022432 _____ () C:\Documents and Settings\asasa\My Documents\newest.reg
2014-04-24 07:48 - 2013-05-19 06:32 - 00000000 ____D () C:\Documents and Settings\asasa\My Documents\New Folder (2)
2014-04-23 06:50 - 2012-02-29 07:49 - 00000302 _____ () C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1482476501-308236825-1606980848-500.job
2014-04-13 01:03 - 2010-03-08 09:50 - 00000000 ____D () C:\WINDOWS\Media
2014-04-11 04:37 - 2014-04-11 04:20 - 00018672 _____ () C:\console.log
2014-04-11 04:14 - 2014-04-07 02:38 - 00000000 ____D () C:\Documents and Settings\asasa\Application Data\Paltalk
2014-04-11 04:10 - 2014-04-11 04:10 - 00000000 ____D () C:\Program Files\Paltalk Messenger
2014-04-11 04:10 - 2014-04-11 04:10 - 00000000 ____D () C:\Documents and Settings\asasa\Start Menu\Programs\Paltalk Messenger
2014-04-09 22:37 - 2013-01-21 06:05 - 00000000 ____D () C:\Documents and Settings\lololololl
2014-04-09 22:37 - 2013-01-03 06:07 - 00000000 ____D () C:\Documents and Settings\Guest
2014-04-09 22:37 - 2010-03-08 15:29 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-04-09 22:37 - 2010-03-08 15:27 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-04-09 20:23 - 2012-01-09 03:14 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-04-09 19:54 - 2014-04-09 19:54 - 00000082 _____ () C:\WINDOWS\system32\laelavu.djc
2014-04-09 19:39 - 2014-04-09 19:39 - 00000064 _____ () C:\WINDOWS\system32\hxbfp.lrn
2014-04-09 19:39 - 2014-04-09 19:39 - 00000000 _____ () C:\WINDOWS\system32\amhui.oii
2014-04-07 02:41 - 2014-04-07 02:41 - 00305834 ____S () C:\WINDOWS\system32\mmmj.wby
2014-04-05 15:26 - 2014-04-05 15:26 - 00011530 _____ () C:\Documents and Settings\asasa\My Documents\1222222222222.reg
2014-04-05 15:24 - 2010-03-08 16:29 - 00000000 ____D () C:\Program Files\CCleaner
2014-04-04 17:17 - 2013-01-03 05:32 - 00000000 ____D () C:\Documents and Settings\asasa\Desktop\New Folder

ZeroAccess:
C:\Windows\Installer\{d64e4b6c-69f1-2354-8038-9a2d489f76e4}
C:\Windows\Installer\{d64e4b6c-69f1-2354-8038-9a2d489f76e4}\@

ZeroAccess:
C:\RECYCLER\S-1-5-21-1482476501-308236825-1606980848-500\$d64e4b6c69f1235480389a2d489f76e4

ZeroAccess:
C:\Documents and Settings\Administrator\Local Settings\Application Data\{d64e4b6c-69f1-2354-8038-9a2d489f76e4}
C:\Documents and Settings\Administrator\Local Settings\Application Data\{d64e4b6c-69f1-2354-8038-9a2d489f76e4}\@

Files to move or delete:
====================
C:\Documents and Settings\asasa\lametritonus_en.dll
C:\Documents and Settings\asasa\lame_enc_en.dll
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At10.job
C:\Windows\Tasks\At11.job
C:\Windows\Tasks\At12.job
C:\Windows\Tasks\At13.job
C:\Windows\Tasks\At14.job
C:\Windows\Tasks\At15.job
C:\Windows\Tasks\At16.job
C:\Windows\Tasks\At17.job
C:\Windows\Tasks\At18.job
C:\Windows\Tasks\At19.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At20.job
C:\Windows\Tasks\At21.job
C:\Windows\Tasks\At22.job
C:\Windows\Tasks\At23.job
C:\Windows\Tasks\At24.job
C:\Windows\Tasks\At25.job
C:\Windows\Tasks\At26.job
C:\Windows\Tasks\At27.job
C:\Windows\Tasks\At28.job
C:\Windows\Tasks\At29.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At30.job
C:\Windows\Tasks\At31.job
C:\Windows\Tasks\At32.job
C:\Windows\Tasks\At33.job
C:\Windows\Tasks\At34.job
C:\Windows\Tasks\At35.job
C:\Windows\Tasks\At36.job
C:\Windows\Tasks\At37.job
C:\Windows\Tasks\At38.job
C:\Windows\Tasks\At39.job
C:\Windows\Tasks\At4.job
C:\Windows\Tasks\At40.job
C:\Windows\Tasks\At41.job
C:\Windows\Tasks\At42.job
C:\Windows\Tasks\At43.job
C:\Windows\Tasks\At44.job
C:\Windows\Tasks\At45.job
C:\Windows\Tasks\At46.job
C:\Windows\Tasks\At47.job
C:\Windows\Tasks\At48.job
C:\Windows\Tasks\At5.job
C:\Windows\Tasks\At6.job
C:\Windows\Tasks\At7.job
C:\Windows\Tasks\At8.job
C:\Windows\Tasks\At9.job


Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\AskSLib.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\i4jdel0.exe
C:\Documents and Settings\asasa\Local Settings\Temp\i4jdel0.exe
C:\Documents and Settings\asasa\Local Settings\Temp\jre-7u55-windows-i586-iftw.exe


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll
[2008-04-14 05:42] - [2009-02-09 08:10] - 0404992 ____A (Microsoft Corporation) 7e6d9dbdacb8d1d36120bfc9754b0ef2

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 02 May 2014 - 02:08 PM



I would also like to get some extra information on one of the files on the computer.

Run FRST like you did before and type the following in the edit box after "Search:".

rpcss.dll

It then should look like:

Search: rpcss.dll

Click Search button and post the log (Search.txt) it makes to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click the donate button. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 E.rummel

E.rummel
  • Topic Starter

  • Members
  • 9 posts

Posted 02 May 2014 - 07:13 PM

Thanks again. Here it is.

_____________________________________________


Farbar Recovery Scan Tool (x86) Version:01-05-2014
Ran by asasa at 2014-05-02 20:09:33
Running from C:\Documents and Settings\asasa\My Documents\Downloads
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\WINDOWS\system32\rpcss.dll
[2008-04-14 05:42] - [2009-02-09 08:10] - 0404992 ____A (Microsoft Corporation) 7e6d9dbdacb8d1d36120bfc9754b0ef2

C:\WINDOWS\system32\dllcache\rpcss.dll
[2008-04-14 05:42] - [2009-02-09 08:10] - 0404992 ___AC (Microsoft Corporation) 4dced496c1e92c0719ed51aa8a63fcf5

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2010-03-08 16:48] - [2008-04-14 05:42] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2010-03-08 16:36] - [2009-02-09 06:56] - 0401408 ___AC (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2

=== End Of Search ===
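The Bamital & volsnap check above singles out rpcss.dll by hash, and the Search.txt just posted lists four copies of it with four different MD5s. Only two of those copies claim to be the same build: the live system32 file and its dllcache copy both show a modification stamp of 2009-02-09 08:10 and a size of 404992 bytes, yet their hashes differ. As an added example (my own code, not FRST's, Farbar's, or anyone's in this thread), the following Python parses entries in the FRST search format and flags copies that share a version stamp and size but not an MD5. The sample input is constructed from the four entries above; `parse_search`, `find_inconsistent_copies` and `FileEntry` are my names.

```python
"""Cross-check multiple on-disk copies of a DLL from FRST "Search:" output.

Added example: parses the two-line entries FRST prints for each hit and flags
copies whose version stamp and size match but whose MD5 does not.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input in the FRST search format: the four rpcss.dll
# entries from the Search.txt posted in this thread.
SAMPLE_SEARCH = r"""
================== Search: "rpcss.dll" ===================

C:\WINDOWS\system32\rpcss.dll
[2008-04-14 05:42] - [2009-02-09 08:10] - 0404992 ____A (Microsoft Corporation) 7e6d9dbdacb8d1d36120bfc9754b0ef2

C:\WINDOWS\system32\dllcache\rpcss.dll
[2008-04-14 05:42] - [2009-02-09 08:10] - 0404992 ___AC (Microsoft Corporation) 4dced496c1e92c0719ed51aa8a63fcf5

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2010-03-08 16:48] - [2008-04-14 05:42] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2010-03-08 16:36] - [2009-02-09 06:56] - 0401408 ___AC (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2

=== End Of Search ===
"""

# Detail line layout: "[created] - [modified] - size attrs (company) md5"
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class FileEntry:
    path: str
    modified: str   # modification timestamp exactly as FRST prints it
    size: int
    company: str
    md5: str


def parse_search(text: str) -> list[FileEntry]:
    """Parse FRST search output into FileEntry records.

    Each hit is a path line followed by a detail line; banner lines that
    start with '=' and blank lines are skipped.
    """
    entries: list[FileEntry] = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        detail = DETAIL_RE.match(line)
        if detail and pending_path:
            entries.append(FileEntry(
                path=pending_path,
                modified=detail["modified"],
                size=int(detail["size"]),
                company=detail["company"],
                md5=detail["md5"].lower(),
            ))
            pending_path = None
        elif PATH_RE.match(line):
            pending_path = line
    return entries


def find_inconsistent_copies(entries: list[FileEntry]) -> list[list[str]]:
    """Return groups of paths that share (modified, size) but not MD5.

    Copies with the same version stamp and byte size should be identical;
    a differing hash means at least one of them was altered in place.
    Copies with other stamps (older patch backups) are legitimately
    different builds and are not compared against each other.
    """
    by_version: dict[tuple[str, int], list[FileEntry]] = defaultdict(list)
    for entry in entries:
        by_version[(entry.modified, entry.size)].append(entry)
    findings = []
    for copies in by_version.values():
        if len({c.md5 for c in copies}) > 1:
            findings.append([c.path for c in copies])
    return findings


if __name__ == "__main__":
    parsed = parse_search(SAMPLE_SEARCH)
    for group in find_inconsistent_copies(parsed):
        print("Hash mismatch between same-version copies:")
        for path in group:
            print("  ", path)
```

On the sample the script reports exactly one group, the system32 file and its dllcache twin. The check only says that the two copies disagree, not which one was altered; settling that needs a comparison against a known-good reference, which is what the log's "Google the MD5" advice amounts to. That is also why the fix later in this thread restores both copies from the uninstall backup rather than trusting either one.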



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 May 2014 - 03:49 PM

Hello E.rummel



I need you to download this script I have made for you --> Attached File: fixlist.txt (1.88KB, 2 downloads)

It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


Gringo

#7 E.rummel

E.rummel
  • Topic Starter

  • Members
  • 9 posts

Posted 04 May 2014 - 01:46 AM

When you say it needs to be saved NEXT to FRST, do you mean in the same folder it was saved to (the desktop)?


Edited by E.rummel, 04 May 2014 - 01:50 AM.


#8 E.rummel

E.rummel
  • Topic Starter

  • Members
  • 9 posts

Posted 04 May 2014 - 01:57 AM

So here it is. I clicked Fix once and the program made this file, then stopped responding. Did it do what it should have? The problem still persists.

 

result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:01-05-2014
Ran by asasa at 2014-05-04 02:51:04 Run:1
Running from C:\Documents and Settings\asasa\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Replace: C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll C:\WINDOWS\System32\rpcss.dll
Replace: C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll C:\WINDOWS\system32\dllcache\rpcss.dll
CMD: Del /q C:\Windows\Tasks\At*.job
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
FF Extension: XULRunner - C:\Documents and Settings\Administrator\Local Settings\Application Data\{3EF431BF-EE1E-492D-ACCE-F8D68F384B1D} [2011-07-06]
2014-04-29 21:12 - 2014-05-02 10:13 - 00000069 _____ () C:\WINDOWS\system32\igfgcg.vgq
2014-04-29 21:00 - 2014-04-29 21:00 - 00000064 _____ () C:\WINDOWS\system32\irkyelq.jxy
2014-04-29 21:00 - 2014-04-29 21:00 - 00000000 _____ () C:\WINDOWS\system32\joha.arm
2014-04-28 02:12 - 2014-04-28 02:12 - 00239207 ____S () C:\WINDOWS\system32\eouz.jpy
2014-04-09 19:54 - 2014-04-09 19:54 - 00000082 _____ () C:\WINDOWS\system32\laelavu.djc
2014-04-09 19:39 - 2014-04-09 19:39 - 00000064 _____ () C:\WINDOWS\system32\hxbfp.lrn
2014-04-09 19:39 - 2014-04-09 19:39 - 00000000 _____ () C:\WINDOWS\system32\amhui.oii
2014-04-07 02:41 - 2014-04-07 02:41 - 00305834 ____S () C:\WINDOWS\system32\mmmj.wby
2014-05-02 05:02 - 2011-07-06 01:22 - 00000340 ___SH () C:\WINDOWS\Tasks\DQKMTBLO.job
2014-05-02 05:02 - 2011-07-06 01:22 - 00000332 ___SH () C:\WINDOWS\Tasks\KBJSNDOA.job
C:\Windows\Installer\{d64e4b6c-69f1-2354-8038-9a2d489f76e4}
C:\Windows\Installer\{d64e4b6c-69f1-2354-8038-9a2d489f76e4}\@
C:\RECYCLER\S-1-5-21-1482476501-308236825-1606980848-500\$d64e4b6c69f1235480389a2d489f76e4
C:\Documents and Settings\Administrator\Local Settings\Application Data\{d64e4b6c-69f1-2354-8038-9a2d489f76e4}
C:\Documents and Settings\Administrator\Local Settings\Application Data\{d64e4b6c-69f1-2354-8038-9a2d489f76e4}\@


*****************

C:\WINDOWS\System32\rpcss.dll => Moved successfully.
C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll copied successfully to C:\WINDOWS\System32\rpcss.dll
C:\WINDOWS\system32\dllcache\rpcss.dll => Moved successfully.
C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll copied successfully to C:\WINDOWS\system32\dllcache\rpcss.dll

=========  Del /q C:\Windows\Tasks\At*.job =========


========= End of CMD: =========

Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
C:\Documents and Settings\Administrator\Local Settings\Application Data\{3EF431BF-EE1E-492D-ACCE-F8D68F384B1D} => Moved successfully.
C:\WINDOWS\system32\igfgcg.vgq => Moved successfully.
C:\WINDOWS\system32\irkyelq.jxy => Moved successfully.
Could not move "C:\WINDOWS\system32\joha.arm" => Scheduled to move on reboot.
Could not move "C:\WINDOWS\system32\eouz.jpy" => Scheduled to move on reboot.
C:\WINDOWS\system32\laelavu.djc => Moved successfully.
C:\WINDOWS\system32\hxbfp.lrn => Moved successfully.
C:\WINDOWS\system32\amhui.oii => Moved successfully.
C:\WINDOWS\system32\mmmj.wby => Moved successfully.
C:\WINDOWS\Tasks\DQKMTBLO.job => Moved successfully.
C:\WINDOWS\Tasks\KBJSNDOA.job => Moved successfully.
C:\WINDOWS\Installer\{d64e4b6c-69f1-2354-8038-9a2d489f76e4} => Moved successfully.
"C:\Windows\Installer\{d64e4b6c-69f1-2354-8038-9a2d489f76e4}\@" => File/Directory not found.
C:\RECYCLER\S-1-5-21-1482476501-308236825-1606980848-500\$d64e4b6c69f1235480389a2d489f76e4 => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\{d64e4b6c-69f1-2354-8038-9a2d489f76e4} => Moved successfully.
"C:\Documents and Settings\Administrator\Local Settings\Application Data\{d64e4b6c-69f1-2354-8038-9a2d489f76e4}\@" => File/Directory not found.
 


Edited by E.rummel, 04 May 2014 - 01:57 AM.


#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 May 2014 - 05:37 AM

I would like you to rerun FRST for me and send me a new report

If you cannot find it here is the link again.

Please download the Farbar Recovery Scan Tool from here:
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ - Click on the BLUE download buttons only - ( The GREEN ones are ads)

save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it.
When the tool opens click Yes to disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run.

#10 E.rummel

E.rummel
  • Topic Starter

  • Members
  • 9 posts

Posted 04 May 2014 - 06:05 AM

Here are the scan results you asked for.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:01-05-2014
Ran by asasa (administrator) on OWNER-B6F3BCAC0 on 04-05-2014 06:54:52
Running from C:\Documents and Settings\asasa\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 6
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgcsrvx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgchsvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgrsx.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgtray.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgwdsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
() C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgemcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgnsx.exe
(OTi) C:\WINDOWS\system32\UStorSrv.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgemc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\system32\sndvol32.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ATICCC] => C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [90112 2006-05-10] ()
HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2416480 2012-01-24] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM\...\Run: [] => [X]
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
Winlogon\Notify\avgrsstarter: C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\.DEFAULT\...\RunOnce: [_nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\.DEFAULT\...\Policies\Explorer: [CDRAutoRun] 0
HKU\S-1-5-19\...\RunOnce: [_nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\S-1-5-20\...\RunOnce: [_nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?ocid=EIE8HP&PC=UP61
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=EIE8HP&PC=UP61
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
SearchScopes: HKLM - DefaultScope value is missing.
BHO: No Name - {01D2335C-525E-4B64-8A19-872109B398Ee} -  No File
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: No Name - {0E919AE2-525E-4B64-8A19-872109B398Ee} -  No File
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [113024 2011-07-18] (SuperAdBlocker.com)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\asasa\Application Data\Mozilla\Firefox\Profiles\c7qkxeqz.default-1399017028359
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_44.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 - C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 - C:\Documents and Settings\All Users\Application Data\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM\...\Firefox\Extensions: [{3EF431BF-EE1E-492D-ACCE-F8D68F384B1D}] - C:\Documents and Settings\Administrator\Local Settings\Application Data\{3EF431BF-EE1E-492D-ACCE-F8D68F384B1D}
FF HKLM\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files\AVG\AVG2012\Firefox4\
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG2012\Firefox4\ []

Chrome:
=======
CHR Extension: (AVG Safe Search) - C:\Documents and Settings\asasa\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla [2014-05-04]
CHR Extension: (Google Wallet) - C:\Documents and Settings\asasa\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-05-02]
CHR HKLM\...\Chrome\Extension: [cdjbnddbclciabnckgeahmneohjlahdm] - C:\Documents and Settings\Administrator\Local Settings\Application Data\chromeupdate.crx [2014-05-02]
CHR HKLM\...\Chrome\Extension: [jmfkcklnlgedgbglfkkgedjfmejoahla] - C:\Program Files\AVG\AVG2012\Chrome\safesearch.crx [2011-12-21]

========================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2012-09-12] (SUPERAntiSpyware.com)
R2 avg9emc; C:\Program Files\AVG\AVG9\avgemc.exe [921952 2010-07-21] (AVG Technologies CZ, s.r.o.)
R2 avg9wd; C:\Program Files\AVG\AVG9\avgwdsvc.exe [308136 2011-04-14] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe [4433248 2011-10-12] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [192776 2011-08-02] (AVG Technologies CZ, s.r.o.)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [90952 2012-09-12] (SurfRight B.V.)
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [38912 2005-03-17] ()
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [398184 2012-12-14] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [682344 2012-12-14] (Malwarebytes Corporation)
R2 UStorage Server Service; C:\WINDOWS\system32\UStorSrv.exe [139264 2004-09-20] (OTi)
S2 Akamai; c:\program files\common files\akamai/netsession_win_6c825ce.dll [X]
S2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [X]

==================== Drivers (Whitelisted) ====================

R1 ASPI32; C:\WINDOWS\system32\Drivers\ASPI32.sys [25244 1999-09-10] (Adaptec)
R3 AVGIDSDriver; C:\WINDOWS\System32\DRIVERS\AVGIDSDriver.Sys [134608 2011-07-11] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSEH; C:\WINDOWS\System32\DRIVERS\AVGIDSEH.Sys [23120 2011-07-11] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFilter; C:\WINDOWS\System32\DRIVERS\AVGIDSFilter.Sys [24272 2011-07-11] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\AVGIDSShim.Sys [16720 2011-10-04] (AVG Technologies CZ, s.r.o. )
R1 AvgLdx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [230608 2011-10-07] (AVG Technologies CZ, s.r.o.)
R1 AvgMfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [40016 2011-08-08] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [32592 2011-09-13] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiX; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [295248 2011-07-11] (AVG Technologies CZ, s.r.o.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
S1 Cdr4_xp; C:\WINDOWS\system32\Drivers\Cdr4_xp.sys [9072 2009-04-28] (Sonic Solutions)
S1 Cdralw2k; C:\WINDOWS\system32\Drivers\Cdralw2k.sys [9200 2009-04-28] (Sonic Solutions)
R1 cdudf_xp; C:\WINDOWS\system32\Drivers\cdudf_xp.sys [291456 2005-02-03] (Roxio)
S3 CoachUsb; C:\WINDOWS\System32\DRIVERS\CoachUsb.sys [51392 2009-04-06] (FotoNation Inc.)
R1 DVDVRRdr_xp; C:\WINDOWS\system32\Drivers\DVDVRRdr_xp.sys [141184 2005-02-03] (Windows ® 2000 DDK provider)
S3 dvd_2K; C:\WINDOWS\system32\Drivers\dvd_2K.sys [24064 2005-02-03] (Roxio)
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2008-10-28] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2008-10-28] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2008-10-28] (HP)
S3 ManyCam; C:\WINDOWS\System32\DRIVERS\mcvidrv.sys [34432 2012-10-10] (ManyCam LLC)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [21104 2012-12-14] (Malwarebytes Corporation)
S3 mcaudrv_simple; C:\WINDOWS\System32\drivers\mcaudrv.sys [22656 2013-01-31] (ManyCam LLC)
S3 mmc_2K; C:\WINDOWS\system32\Drivers\mmc_2K.sys [23808 2005-02-03] (Roxio)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R1 pwd_2k; C:\WINDOWS\system32\Drivers\pwd_2k.sys [117632 2005-02-03] (Roxio)
R3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SRS_HDAL_Service; C:\WINDOWS\System32\drivers\SRS_HDAL_i386.sys [384752 2010-07-02] ()
S4 IntelIde; No ImagePath
S2 StarOpen; No ImagePath
S1 UDFReadr; No ImagePath
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-05-04 06:54 - 2014-05-04 06:55 - 00012962 _____ () C:\Documents and Settings\asasa\Desktop\FRST.txt
2014-05-04 03:15 - 2014-05-04 06:42 - 00000072 _____ () C:\WINDOWS\system32\igfgcg.vgq
2014-05-02 10:17 - 2014-05-04 06:54 - 00000000 ____D () C:\FRST
2014-05-02 10:16 - 2014-05-02 10:16 - 01050624 _____ (Farbar) C:\Documents and Settings\asasa\Desktop\FRST.exe
2014-05-02 06:05 - 2014-05-02 06:22 - 00043620 _____ () C:\Documents and Settings\asasa\My Documents\attach.txt
2014-05-02 06:05 - 2014-05-02 06:05 - 00008760 _____ () C:\Documents and Settings\asasa\My Documents\dds.txt
2014-05-02 06:04 - 2014-05-02 06:04 - 00043626 _____ () C:\Documents and Settings\asasa\Desktop\attach.txt
2014-05-02 06:04 - 2014-05-02 06:04 - 00008760 _____ () C:\Documents and Settings\asasa\Desktop\dds.txt
2014-05-02 04:58 - 2014-05-02 04:58 - 00000000 ____D () C:\4f2fe8ffbc02a0b1f4c15006cd9fc034
2014-05-02 04:58 - 2014-05-02 04:58 - 00000000 ____D () C:\072bafcdfad9c11c333dce679867e18d
2014-05-02 04:57 - 2014-05-02 04:58 - 00000000 ____D () C:\623c8a5db4094a2876ef0b
2014-05-02 00:03 - 2014-05-02 00:03 - 00000000 ____D () C:\20176d5b0de71b8936
2014-05-01 23:52 - 2014-05-02 00:03 - 00000000 ____D () C:\126b920bd8fac62df92e11
2014-05-01 23:41 - 2014-05-01 23:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2584146$
2014-05-01 14:48 - 2014-05-01 20:25 - 00002730 _____ () C:\Documents and Settings\asasa\Desktop\avgrep.txt
2014-05-01 06:51 - 2014-05-01 06:51 - 00000000 ____D () C:\Documents and Settings\asasa\Local Settings\Application Data\ATI
2014-05-01 06:51 - 2014-05-01 06:51 - 00000000 ____D () C:\Documents and Settings\asasa\Application Data\ATI
2014-04-30 21:40 - 2014-04-30 22:08 - 00000000 ____D () C:\d313c00acbb1460cabcf14ac
2014-04-30 21:40 - 2014-04-30 21:40 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2620712$
2014-04-30 21:39 - 2014-04-30 21:39 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2566454$
2014-04-30 21:38 - 2014-04-30 21:38 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2661637$
2014-04-30 21:37 - 2014-04-30 21:37 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2914368$
2014-04-30 04:22 - 2012-01-11 15:06 - 00003072 ____N () C:\WINDOWS\system32\iacenc.dll
2014-04-30 04:22 - 2012-01-11 15:06 - 00003072 ____C () C:\WINDOWS\system32\dllcache\iacenc.dll
2014-04-30 03:43 - 2014-04-30 03:43 - 00000855 _____ () C:\WINDOWS\system32\Drivers\etc\hosts_bak_945
2014-04-30 03:41 - 2014-04-30 03:41 - 00000000 ____D () C:\Documents and Settings\LocalService\Start Menu\Programs\Accessories
2014-04-30 03:13 - 2014-05-01 06:29 - 00181064 _____ (Sysinternals) C:\WINDOWS\PSEXESVC.EXE
2014-04-30 03:12 - 2014-04-30 03:12 - 00000000 ____D () C:\RegBackup
2014-04-30 02:13 - 2014-04-30 02:13 - 00001812 _____ () C:\Documents and Settings\asasa\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2014-04-30 02:13 - 2014-04-30 02:13 - 00000000 ____D () C:\Program Files\Tweaking.com
2014-04-30 02:13 - 2014-04-30 02:13 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Tweaking.com
2014-04-30 00:17 - 2014-05-03 23:17 - 01477865 ____N () C:\WINDOWS\WindowsUpdate.log
2014-04-29 22:09 - 2014-04-29 22:10 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-04-29 21:00 - 2014-04-29 21:00 - 00000000 _____ () C:\WINDOWS\system32\joha.arm
2014-04-28 02:12 - 2014-04-28 02:12 - 00239207 _____ () C:\WINDOWS\system32\eouz.jpy
2014-04-25 15:50 - 2014-04-25 15:50 - 00022432 _____ () C:\Documents and Settings\asasa\My Documents\newest.reg
2014-04-11 04:20 - 2014-04-11 04:37 - 00018672 _____ () C:\console.log
2014-04-11 04:10 - 2014-04-11 04:10 - 00000000 ____D () C:\Program Files\Paltalk Messenger
2014-04-11 04:10 - 2014-04-11 04:10 - 00000000 ____D () C:\Documents and Settings\asasa\Start Menu\Programs\Paltalk Messenger
2014-04-07 02:38 - 2014-04-11 04:14 - 00000000 ____D () C:\Documents and Settings\asasa\Application Data\Paltalk
2014-04-05 15:26 - 2014-04-05 15:26 - 00011530 _____ () C:\Documents and Settings\asasa\My Documents\1222222222222.reg

==================== One Month Modified Files and Folders =======

2014-05-04 06:55 - 2014-05-04 06:54 - 00012962 _____ () C:\Documents and Settings\asasa\Desktop\FRST.txt
2014-05-04 06:54 - 2014-05-02 10:17 - 00000000 ____D () C:\FRST
2014-05-04 06:48 - 2010-06-01 22:28 - 00000900 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-04 06:42 - 2014-05-04 03:15 - 00000072 _____ () C:\WINDOWS\system32\igfgcg.vgq
2014-05-04 06:22 - 2013-12-26 06:44 - 00000490 _____ () C:\WINDOWS\Tasks\HP Photo Creations Communicator.job
2014-05-04 05:26 - 2012-10-12 12:52 - 00000000 ____D () C:\Documents and Settings\asasa
2014-05-04 05:25 - 2012-10-16 18:27 - 00000000 ___SD () C:\Documents and Settings\asasa\UserData
2014-05-03 23:17 - 2014-04-30 00:17 - 01477865 ____N () C:\WINDOWS\WindowsUpdate.log
2014-05-03 21:48 - 2010-06-01 22:28 - 00000896 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-03 18:34 - 2010-03-08 16:06 - 00000000 ____D () C:\WINDOWS\system32\Drivers\Avg
2014-05-03 13:16 - 2012-10-16 04:04 - 00105984 _____ () C:\Documents and Settings\asasa\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-05-03 12:48 - 2013-06-01 15:20 - 00032496 ____N () C:\WINDOWS\SchedLgU.Txt
2014-05-03 11:33 - 2010-03-08 15:20 - 00000000 ____D () C:\Program Files\NetMeeting
2014-05-03 11:32 - 2013-06-01 15:21 - 00000159 ____N () C:\WINDOWS\wiadebug.log
2014-05-03 11:32 - 2004-08-04 05:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2014-05-03 11:31 - 2013-06-01 15:21 - 00000048 ____N () C:\WINDOWS\wiaservc.log
2014-05-03 11:31 - 2012-02-29 07:49 - 00000294 _____ () C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1482476501-308236825-1606980848-500.job
2014-05-03 11:31 - 2010-03-08 15:29 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-05-02 10:16 - 2014-05-02 10:16 - 01050624 _____ (Farbar) C:\Documents and Settings\asasa\Desktop\FRST.exe
2014-05-02 07:08 - 2010-03-08 15:07 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-05-02 06:22 - 2014-05-02 06:05 - 00043620 _____ () C:\Documents and Settings\asasa\My Documents\attach.txt
2014-05-02 06:05 - 2014-05-02 06:05 - 00008760 _____ () C:\Documents and Settings\asasa\My Documents\dds.txt
2014-05-02 06:04 - 2014-05-02 06:04 - 00043626 _____ () C:\Documents and Settings\asasa\Desktop\attach.txt
2014-05-02 06:04 - 2014-05-02 06:04 - 00008760 _____ () C:\Documents and Settings\asasa\Desktop\dds.txt
2014-05-02 04:58 - 2014-05-02 04:58 - 00000000 ____D () C:\4f2fe8ffbc02a0b1f4c15006cd9fc034
2014-05-02 04:58 - 2014-05-02 04:58 - 00000000 ____D () C:\072bafcdfad9c11c333dce679867e18d
2014-05-02 04:58 - 2014-05-02 04:57 - 00000000 ____D () C:\623c8a5db4094a2876ef0b
2014-05-02 03:07 - 2010-03-08 15:32 - 00524288 _____ () C:\WINDOWS\system32\config\ACEEvent.evt
2014-05-02 03:06 - 2012-10-12 12:52 - 00000178 ___SH () C:\Documents and Settings\asasa\ntuser.ini
2014-05-02 00:03 - 2014-05-02 00:03 - 00000000 ____D () C:\20176d5b0de71b8936
2014-05-02 00:03 - 2014-05-01 23:52 - 00000000 ____D () C:\126b920bd8fac62df92e11
2014-05-01 23:55 - 2010-03-08 10:00 - 00646258 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-05-01 23:41 - 2014-05-01 23:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2584146$
2014-05-01 20:25 - 2014-05-01 14:48 - 00002730 _____ () C:\Documents and Settings\asasa\Desktop\avgrep.txt
2014-05-01 07:07 - 2012-10-16 07:18 - 00041768 _____ () C:\Documents and Settings\asasa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-05-01 06:58 - 2010-03-08 15:20 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-05-01 06:51 - 2014-05-01 06:51 - 00000000 ____D () C:\Documents and Settings\asasa\Local Settings\Application Data\ATI
2014-05-01 06:51 - 2014-05-01 06:51 - 00000000 ____D () C:\Documents and Settings\asasa\Application Data\ATI
2014-05-01 06:42 - 2010-03-08 09:58 - 03483736 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-05-01 06:29 - 2014-04-30 03:13 - 00181064 _____ (Sysinternals) C:\WINDOWS\PSEXESVC.EXE
2014-05-01 06:26 - 2010-03-08 15:19 - 00000000 ____D () C:\WINDOWS\Registration
2014-05-01 06:22 - 2010-03-08 15:23 - 00023392 _____ () C:\WINDOWS\system32\nscompat.tlb
2014-05-01 06:22 - 2010-03-08 15:23 - 00016832 _____ () C:\WINDOWS\system32\amcompat.tlb
2014-04-30 22:08 - 2014-04-30 21:40 - 00000000 ____D () C:\d313c00acbb1460cabcf14ac
2014-04-30 21:40 - 2014-04-30 21:40 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2620712$
2014-04-30 21:39 - 2014-04-30 21:39 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2566454$
2014-04-30 21:39 - 2010-03-08 16:31 - 00000000 ____D () C:\WINDOWS\$hf_mig$
2014-04-30 21:38 - 2014-04-30 21:38 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2661637$
2014-04-30 21:37 - 2014-04-30 21:37 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2914368$
2014-04-30 21:17 - 2010-07-29 03:46 - 00000000 ____D () C:\WINDOWS\pss
2014-04-30 06:52 - 2012-01-22 13:09 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-04-30 03:43 - 2014-04-30 03:43 - 00000855 _____ () C:\WINDOWS\system32\Drivers\etc\hosts_bak_945
2014-04-30 03:43 - 2012-10-12 12:52 - 00000738 _____ () C:\Documents and Settings\asasa\Start Menu\Programs\Outlook Express.lnk
2014-04-30 03:41 - 2014-04-30 03:41 - 00000000 ____D () C:\Documents and Settings\LocalService\Start Menu\Programs\Accessories
2014-04-30 03:41 - 2010-03-08 15:29 - 00000000 __SHD () C:\Documents and Settings\LocalService
2014-04-30 03:12 - 2014-04-30 03:12 - 00000000 ____D () C:\RegBackup
2014-04-30 03:12 - 2010-03-08 09:50 - 00000000 ____D () C:\WINDOWS\repair
2014-04-30 02:13 - 2014-04-30 02:13 - 00001812 _____ () C:\Documents and Settings\asasa\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2014-04-30 02:13 - 2014-04-30 02:13 - 00000000 ____D () C:\Program Files\Tweaking.com
2014-04-30 02:13 - 2014-04-30 02:13 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Tweaking.com
2014-04-29 23:41 - 2012-07-18 07:22 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-04-29 22:10 - 2014-04-29 22:09 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-04-29 21:15 - 2012-01-14 13:28 - 00000000 ____D () C:\Program Files\Java
2014-04-29 21:01 - 2012-10-12 12:52 - 00000803 _____ () C:\Documents and Settings\asasa\Start Menu\Programs\Internet Explorer.lnk
2014-04-29 21:01 - 2012-10-12 12:52 - 00000000 ___RD () C:\Documents and Settings\asasa\Start Menu\Programs\Accessories
2014-04-29 21:00 - 2014-04-29 21:00 - 00000000 _____ () C:\WINDOWS\system32\joha.arm
2014-04-29 21:00 - 2010-03-08 09:50 - 00000000 ____D () C:\WINDOWS\Help
2014-04-29 00:39 - 2013-01-25 07:46 - 00000000 ____D () C:\Documents and Settings\asasa\My Documents\Mixcraft Projects
2014-04-28 02:12 - 2014-04-28 02:12 - 00239207 _____ () C:\WINDOWS\system32\eouz.jpy
2014-04-25 15:50 - 2014-04-25 15:50 - 00022432 _____ () C:\Documents and Settings\asasa\My Documents\newest.reg
2014-04-24 07:48 - 2013-05-19 06:32 - 00000000 ____D () C:\Documents and Settings\asasa\My Documents\New Folder (2)
2014-04-23 06:50 - 2012-02-29 07:49 - 00000302 _____ () C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1482476501-308236825-1606980848-500.job
2014-04-13 01:03 - 2010-03-08 09:50 - 00000000 ____D () C:\WINDOWS\Media
2014-04-11 04:37 - 2014-04-11 04:20 - 00018672 _____ () C:\console.log
2014-04-11 04:14 - 2014-04-07 02:38 - 00000000 ____D () C:\Documents and Settings\asasa\Application Data\Paltalk
2014-04-11 04:10 - 2014-04-11 04:10 - 00000000 ____D () C:\Program Files\Paltalk Messenger
2014-04-11 04:10 - 2014-04-11 04:10 - 00000000 ____D () C:\Documents and Settings\asasa\Start Menu\Programs\Paltalk Messenger
2014-04-09 22:37 - 2013-01-21 06:05 - 00000000 ____D () C:\Documents and Settings\lololololl
2014-04-09 22:37 - 2013-01-03 06:07 - 00000000 ____D () C:\Documents and Settings\Guest
2014-04-09 22:37 - 2010-03-08 15:29 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-04-09 22:37 - 2010-03-08 15:27 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-04-09 20:23 - 2012-01-09 03:14 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-04-05 15:26 - 2014-04-05 15:26 - 00011530 _____ () C:\Documents and Settings\asasa\My Documents\1222222222222.reg
2014-04-05 15:24 - 2010-03-08 16:29 - 00000000 ____D () C:\Program Files\CCleaner
2014-04-04 17:17 - 2013-01-03 05:32 - 00000000 ____D () C:\Documents and Settings\asasa\Desktop\New Folder

Files to move or delete:
====================
C:\Documents and Settings\asasa\lametritonus_en.dll
C:\Documents and Settings\asasa\lame_enc_en.dll


Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\AskSLib.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\i4jdel0.exe
C:\Documents and Settings\asasa\Local Settings\Temp\i4jdel0.exe
C:\Documents and Settings\asasa\Local Settings\Temp\jre-7u55-windows-i586-iftw.exe


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================



#11 gringo_pr (Malware Response Team)

Posted 05 May 2014 - 07:20 AM

Hello E.rummel



I need you to download this script I have made for you: fixlist.txt (attached, 329 bytes).

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 E.rummel (Topic Starter)

Posted 05 May 2014 - 09:31 AM

Here are the scan results:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:04-05-2014
Ran by asasa at 2014-05-05 10:24:23 Run:2
Running from C:\Documents and Settings\asasa\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
2014-05-04 03:15 - 2014-05-04 06:42 - 00000072 _____ () C:\WINDOWS\system32\igfgcg.vgq
2014-04-29 21:00 - 2014-04-29 21:00 - 00000000 _____ () C:\WINDOWS\system32\joha.arm
2014-04-28 02:12 - 2014-04-28 02:12 - 00239207 _____ () C:\WINDOWS\system32\eouz.jpy
C:\Documents and Settings\asasa
C:\Documents and Settings\lololololl
*****************

C:\WINDOWS\system32\igfgcg.vgq => Moved successfully.
Could not move "C:\WINDOWS\system32\joha.arm" => Scheduled to move on reboot.
Could not move "C:\WINDOWS\system32\eouz.jpy" => Scheduled to move on reboot.
"C:\Documents and Settings\asasa" => Warning: FRST is scripted not to move this directory.
C:\Documents and Settings\lololololl => Moved successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-05-05 10:26:37)<=

C:\WINDOWS\system32\joha.arm => Is moved successfully.
C:\WINDOWS\system32\eouz.jpy => Is moved successfully.

==== End of Fixlog ====
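The fixlist above takes three lines verbatim from the FRST scan log: files in system32 with short random-looking names, extensions that no Windows component uses (.vgq, .arm, .jpy) and an empty () publisher field. As an added example, not part of this thread or of FRST itself, the Python script below applies that triage heuristic to FRST "One Month Created Files" lines and emits the matching fixlist entries. The sample lines are constructed to mirror the scan log above; the extension whitelist and the name pattern are assumptions of the example, not an FRST rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One FRST "One Month Created/Modified Files" line has the shape
#   <created> - <modified> - <size> <attrs> (<publisher>) <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"\((?P<publisher>[^)]*)\) (?P<path>.+)$"
)

# Extensions a file under %SystemRoot%\system32 normally carries.
# This set is an assumption of the example, not an FRST whitelist.
NORMAL_EXTS = {
    "exe", "dll", "sys", "ocx", "cpl", "drv", "scr", "ax", "acm", "tlb",
    "ini", "dat", "log", "txt", "nls", "mui", "cat", "inf", "msc", "com",
}

# Constructed sample input, mirroring lines from the scan log above.
SAMPLE_LOG = r"""
2014-05-04 06:54 - 2014-05-04 06:55 - 00012962 _____ () C:\Documents and Settings\asasa\Desktop\FRST.txt
2014-05-04 03:15 - 2014-05-04 06:42 - 00000072 _____ () C:\WINDOWS\system32\igfgcg.vgq
2014-05-02 10:17 - 2014-05-04 06:54 - 00000000 ____D () C:\FRST
2014-05-02 10:16 - 2014-05-02 10:16 - 01050624 _____ (Farbar) C:\Documents and Settings\asasa\Desktop\FRST.exe
2014-04-30 04:22 - 2012-01-11 15:06 - 00003072 ____N () C:\WINDOWS\system32\iacenc.dll
2014-04-30 03:13 - 2014-05-01 06:29 - 00181064 _____ (Sysinternals) C:\WINDOWS\PSEXESVC.EXE
2014-04-29 21:00 - 2014-04-29 21:00 - 00000000 _____ () C:\WINDOWS\system32\joha.arm
2014-04-28 02:12 - 2014-04-28 02:12 - 00239207 _____ () C:\WINDOWS\system32\eouz.jpy
"""


@dataclass
class Entry:
    raw: str
    path: str
    publisher: str
    attrs: str
    reasons: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        # FRST marks directories with a D in the five-character attribute field
        return "D" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST file line; return None for headers, blanks and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(raw=line.strip(), path=m["path"],
                 publisher=m["publisher"], attrs=m["attrs"])


def suspicious_reasons(e: Entry) -> List[str]:
    """Heuristic codes for a file dropped into system32 (empty list outside it)."""
    low = e.path.lower()
    if e.is_dir or "\\windows\\system32\\" not in low:
        return []
    name = low.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:                      # no extension at all
        stem, ext = name, ""
    reasons = []
    if ext not in NORMAL_EXTS:
        reasons.append("odd_ext")        # e.g. .vgq, .arm, .jpy
    if not e.publisher:
        reasons.append("no_publisher")   # empty () = no company name in version info
    if re.fullmatch(r"[a-z]{4,8}", stem):
        reasons.append("random_name")    # short lowercase gibberish stem
    return reasons


def triage(log_text: str) -> List[Entry]:
    """Return entries that are both oddly named and unversioned in system32."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        e.reasons = suspicious_reasons(e)
        if {"odd_ext", "no_publisher"} <= set(e.reasons):
            flagged.append(e)
    return flagged


def build_fixlist(entries: List[Entry]) -> str:
    """FRST accepts scan-log lines verbatim as fixlist entries (as in the fixlog above)."""
    return "".join(e.raw + "\n" for e in entries)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for e in hits:
        print(f"{e.path}  <- {', '.join(e.reasons)}")
    print("--- fixlist.txt ---")
    print(build_fixlist(hits), end="")
```

Requiring both an odd extension and an empty publisher field keeps legitimate but unversioned system files such as iacenc.dll out of the fixlist; a name that looks random only adds weight. Anything this flags still deserves a look at the file itself before it goes into a fixlist, since FRST moves whatever the list names without further checks.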



#13 E.rummel (Topic Starter)

Posted 05 May 2014 - 09:44 AM

The wave volume problem seems to be fixed now! Thank you Gringo for your help, you're a life saver. It's very much appreciated; really. What caused it to malfunction? Also, do you think the "windows updates" that keep popping up could be a virus or malware? I've downloaded them before and after the reboot it says I need to download the same exact updates. Again, thank you for your time, effort, and help.



#14 gringo_pr (Malware Response Team)

Posted 05 May 2014 - 10:02 AM



Hello E.rummel

For the updates try to do them one at a time.

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo

#15 gringo_pr (Malware Response Team)

Posted 13 May 2014 - 07:50 AM


Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or just need some more time.

Also, a reminder that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and then I will ask you to remove our tools.




Gringo



