Error 5 access denied, cannot install programs, Vista


This topic is locked
52 replies to this topic

#1 asleep

asleep

  • Members
  • 71 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 21 June 2014 - 07:16 PM

Dell D630/Vista

 

Just started getting Error 5

 

Setup was unable to create the directory

"C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware".

 

Error 5: Access is denied.

 

When I press "OK" 

Quote

Setup was not completed.

 

Please correct the problem and run Setup again.

 

Tried installing Malwarebytes & still got the above.

 

Right-clicked on TEMP file and made sure all 3 permissions were allowed.

 

Won't let me restore... so I'm out of ideas.

 

Funny I can download and run DDS from Chrome but not permissioned to double-click it on desktop.

 

I only got the single attached txt document.

 

Thanks for your help. :)





#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,929 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:55 PM

Posted 21 June 2014 - 07:53 PM

:welcome:

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. mbam-clean.exe
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version as follows:
 
Please download Malwarebytes' Anti-Malware from Here
 
Double Click mbam-setup-2.0..exe to install the application. (The revision number may vary.)
  • Select the language and click OK.
  • Accept the agreement
  • Make sure a checkmark is placed next to Enable the Free Trial and Launch Malwarebytes' Anti-Malware, then click on Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Scan Now".
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click on Quarantine All.
  • When disinfection is completed, a dialog will open and you may be prompted to Restart. (See Extra Note)
  • Upon restart, launch Malwarebytes Antimalware and select History.
  • Double click on the last scan done, then on Copy to Clipboard.
  • Right click on your next reply and select Paste.
  • Submit your reply.
Extra Note:
 
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 asleep

asleep
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 21 June 2014 - 09:09 PM

:welcome:

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. mbam-clean.exe
...

 

 

 

I get this error, program stopped working: 

 

 

Problem signature:
  Problem Event Name: APPCRASH
  Application Name: mbam-clean-2.0.2.0 (1).exe
  Application Version: 2.0.2.0
  Application Timestamp: 53302f5f
  Fault Module Name: mbam-clean-2.0.2.0 (1).exe
  Fault Module Version: 2.0.2.0
  Fault Module Timestamp: 53302f5f
  Exception Code: 40000015
  Exception Offset: 00021ced
  OS Version: 6.0.6000.2.0.0.256.6
  Locale ID: 1033
  Additional Information 1: e8c9
  Additional Information 2: 35040fd84a2747cd915c6ff434c41593
  Additional Information 3: 35b7
  Additional Information 4: 14093dd7e36d42a1fb7c3e0a29e55136
 
Read our privacy statement:

Edited by asleep, 21 June 2014 - 09:13 PM.


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,929 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:55 PM

Posted 22 June 2014 - 11:13 AM

Please download Farbar Recovery Scan Tool and save it to your desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on Addition.txt and Shortcut.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another two logs (Addition.txt and Shortcut.txt). Please attach these to your reply.



#5 asleep

asleep
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 22 June 2014 - 11:25 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:21-06-2014 01
Ran by Todd (administrator) on D630 on 22-06-2014 11:19:39
Running from C:\Users\Todd\Desktop
Platform: Microsoft® Windows Vista™ Business  (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
() C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\BCMWLTRY.EXE
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Broadcom Corporation) C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(CSR, plc) C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Sony Corporation) C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
(SigmaTel, Inc.) C:\Windows\System32\stacsv.exe
(Avanquest Software ) C:\Program Files\Digital Line Detect\DLG.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPoint\SetPoint.exe
(Dell Inc) C:\Program Files\Dell\QuickSet\quickset.exe
(Xorseoue) C:\Windows\System32\Windows Server\wserver.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
(Logitech, Inc.) C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKU\S-1-5-21-2391661356-1727468638-1468527204-1000\...\Winlogon: [Shell] C:\Windows\system32\Windows Server\wserver.exe [333312 2014-06-22] (Xorseoue) <==== ATTENTION 
IFEO\AvastSvc.exe: [Debugger] nqij.exe
IFEO\AvastUI.exe: [Debugger] nqij.exe
IFEO\avcenter.exe: [Debugger] nqij.exe
IFEO\avconfig.exe: [Debugger] nqij.exe
IFEO\avgcsrvx.exe: [Debugger] nqij.exe
IFEO\avgidsagent.exe: [Debugger] nqij.exe
IFEO\avgnt.exe: [Debugger] nqij.exe
IFEO\avgrsx.exe: [Debugger] nqij.exe
IFEO\avguard.exe: [Debugger] nqij.exe
IFEO\avgui.exe: [Debugger] nqij.exe
IFEO\avgwdsvc.exe: [Debugger] nqij.exe
IFEO\avp.exe: [Debugger] nqij.exe
IFEO\avscan.exe: [Debugger] nqij.exe
IFEO\bdagent.exe: [Debugger] nqij.exe
IFEO\blindman.exe: [Debugger] nqij.exe
IFEO\ccuac.exe: [Debugger] nqij.exe
IFEO\ComboFix.exe: [Debugger] nqij.exe
IFEO\egui.exe: [Debugger] nqij.exe
IFEO\hijackthis.exe: [Debugger] nqij.exe
IFEO\instup.exe: [Debugger] nqij.exe
IFEO\keyscrambler.exe: [Debugger] nqij.exe
IFEO\mbam.exe: [Debugger] nqij.exe
IFEO\mbamgui.exe: [Debugger] nqij.exe
IFEO\mbampt.exe: [Debugger] nqij.exe
IFEO\mbamscheduler.exe: [Debugger] nqij.exe
IFEO\mbamservice.exe: [Debugger] nqij.exe
IFEO\MpCmdRun.exe: [Debugger] nqij.exe
IFEO\MSASCui.exe: [Debugger] nqij.exe
IFEO\MsMpEng.exe: [Debugger] nqij.exe
IFEO\msseces.exe: [Debugger] nqij.exe
IFEO\rstrui.exe: [Debugger] nqij.exe
IFEO\SDFiles.exe: [Debugger] nqij.exe
IFEO\SDMain.exe: [Debugger] nqij.exe
IFEO\SDWinSec.exe: [Debugger] nqij.exe
IFEO\spybotsd.exe: [Debugger] nqij.exe
IFEO\wireshark.exe: [Debugger] nqij.exe
IFEO\zlclient.exe: [Debugger] nqij.exe
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
ShortcutTarget: QuickSet.lnk -> C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe (Macrovision Corporation)
Startup: C:\Users\Todd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Check for TWS Updates.lnk
Startup: C:\Users\Todd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashSwitch.lnk
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: MyBHO Class - {46B9D770-1B7D-45D1-81B4-AC07B2F127EF} - C:\Program Files\FlashSwitch\FlashBHO.dll (FlashSwitch Group)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll No File
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - &Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
Winsock: Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @java.com/DTPlugin,version=10.9.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.9.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @pages.tvunetworks.com/WebPlayer - C:\Windows\system32\TVUAx\npTVUAx.dll (TVU networks)
FF Plugin: @pandasecurity.com/activescan - C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll No File
FF Plugin: @veetle.com/vbp;version=0.9.17 - C:\Program Files\Veetle\VLCBroadcast\npvbp.dll No File
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Todd\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Todd\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Todd\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKCU: amazon.com/AmazonMP3DownloaderPlugin - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll (Amazon.com, Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-04-24]
 
Chrome: 
=======
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Todd\AppData\Local\Google\Chrome\Application\36.0.1985.67\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Todd\AppData\Local\Google\Chrome\Application\36.0.1985.67\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\Todd\AppData\Local\Google\Chrome\Application\36.0.1985.67\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.132\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Foxit Reader Plugin for Mozilla) - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
CHR Plugin: (Java™ Platform SE 6 U31) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (Panda ActiveScan 2.0) - C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Unity Player) - C:\Users\Todd\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Plugin: (Google Update) - C:\Users\Todd\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (TVU Web Player for FireFox) - C:\Windows\system32\TVUAx\npTVUAx.dll (TVU networks)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-21]
CHR Extension: (YouTube) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-12]
CHR Extension: (Google Search) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-12]
CHR Extension: (TimelineRemove) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnedfaenfnkikficknkklbdedlecmpgc [2012-08-21]
CHR Extension: (Disable Timeline on Facebook) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\efegkamagjpaioecemiekbhdgehlnaoe [2012-08-21]
CHR Extension: (Facebook Disconnect) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpepffjfmamnambagiibghpglaidiec [2011-07-08]
CHR Extension: (AdBlock) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2010-09-16]
CHR Extension: (Who What Wear: Post your CL Outfit Pics here - Page 19 - PurseForum) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkdapghjkanhnlnabjfjfmgjhaokohid [2012-03-23]
CHR Extension: (Chromium browser automation) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmbmjnojfkcohdpkpjmeeijckfbebbon [2014-04-14]
CHR Extension: (Google Wallet) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-25]
CHR Extension: (Page Monitor) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\pemhgklkefakciniebenbfclihhmmfcd [2012-09-30]
CHR Extension: (Gmail) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-12]
CHR StartMenuInternet: Google Chrome - C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
 
========================== Services (Whitelisted) =================
 
R2 ASFIPmon; C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [79432 2006-12-19] (Broadcom Corporation)
R2 BthFilterHelper; C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe [127488 2006-11-07] (CSR, plc) [File not signed]
R2 nicconfigsvc; C:\Program Files\Dell\QuickSet\NicConfigSvc.exe [386592 2007-04-27] (Dell Inc.)
S3 SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [488448 2007-02-16] (Wave Systems Corp.) [File not signed]
R2 STacSV; C:\Windows\system32\STacSV.exe [90112 2007-05-07] (SigmaTel, Inc.) [File not signed]
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1466368 2007-02-01] () [File not signed]
R2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [4038656 2009-11-30] (Dell Inc.) [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
R2 BASFND; C:\Program Files\Broadcom\ASFIPMon\BASFND.sys [10480 2006-12-19] (Broadcom Corporation) [File not signed]
R3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2009-11-30] (Broadcom Corporation)
R3 BTHFILT; C:\Windows\System32\DRIVERS\BthFilt.sys [13824 2007-05-05] (CSR, plc)
S3 CSRBC; C:\Windows\System32\Drivers\csrbcxp.sys [31744 2007-01-16] (CSR, plc) [File not signed]
S4 DAdderFltr; C:\Windows\System32\drivers\dadder.sys [22784 2007-08-02] (Razer (Asia-Pacific) Pte Ltd)
R3 guardian2; C:\Windows\System32\Drivers\oz776.sys [56576 2007-02-23] (O2Micro)
S3 Netaapl; C:\Windows\System32\DRIVERS\netaapl.sys [18432 2010-04-19] (Apple Inc.) [File not signed]
R0 pavboot; C:\Windows\System32\drivers\pavboot.sys [28552 2009-06-30] (Panda Security, S.L.)
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [19968 2006-08-28] (Dell Inc) [File not signed]
S3 Skyhawke-USBLAN; C:\Windows\System32\DRIVERS\skblan.sys [40560 2010-04-12] (Belcarra Technologies)
S3 SkyhawkeUSBLan; C:\Windows\System32\DRIVERS\btblan.sys [40560 2010-04-15] (Belcarra Technologies)
R3 STHDA; C:\Windows\System32\drivers\stwrt.sys [323584 2007-05-07] (SigmaTel, Inc.)
R2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [121344 2007-02-15] (Wave Systems Corp.) [File not signed]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\Users\Todd\AppData\Local\Temp\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-06-22 11:19 - 2014-06-22 11:20 - 00016984 _____ () C:\Users\Todd\Desktop\FRST.txt
2014-06-22 11:19 - 2014-06-22 11:19 - 00000000 ____D () C:\FRST
2014-06-22 11:18 - 2014-06-22 11:18 - 01070592 _____ (Farbar) C:\Users\Todd\Desktop\FRST.exe
2014-06-21 21:06 - 2014-06-21 21:06 - 00000000 _____ () C:\Users\Todd\Desktop\mbam-clean-2.0.2.0 (1).exe
2014-06-21 19:04 - 2014-06-21 19:04 - 00000068 _____ () C:\Windows\wininit.ini
2014-06-21 19:03 - 2014-06-21 19:03 - 00688992 ____R (Swearware) C:\Users\Todd\Desktop\dds (1).com
2014-06-21 18:58 - 2014-06-21 19:04 - 00006023 _____ () C:\Users\Todd\Desktop\attach.txt
2014-06-21 18:55 - 2014-06-21 18:58 - 00000000 _____ () C:\Users\Todd\Desktop\dds.com
2014-06-21 18:38 - 2014-06-21 18:39 - 00000000 _____ () C:\Users\Todd\Desktop\mbam-clean-2.0.2.0.exe
2014-06-21 18:28 - 2014-06-21 18:28 - 00001143 _____ () C:\Users\Todd\Desktop\JRT.txt
2014-06-21 18:23 - 2014-06-21 18:23 - 00000000 ____D () C:\Windows\ERUNT
2014-06-21 18:22 - 2014-06-21 18:23 - 00000000 _____ () C:\Users\Todd\Desktop\JRT.exe
2014-06-21 18:02 - 2014-06-21 18:03 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Todd\Desktop\mbam-setup-2.0.2.1012.exe
2014-06-21 17:47 - 2014-06-21 17:50 - 00000000 ____D () C:\Windows\system32\MRT
2014-06-21 17:33 - 2014-06-22 11:18 - 00027328 _____ () C:\Users\Todd\AppData\Roaming\msconfig.ini
2014-06-21 17:33 - 2014-06-21 17:34 - 00000000 __SHD () C:\Windows\system32\Windows Server
2014-06-21 17:33 - 2014-06-21 17:33 - 00224670 _____ () C:\Users\Todd\Desktop\setup.rar
 
==================== One Month Modified Files and Folders =======
 
2014-06-22 11:20 - 2014-06-22 11:19 - 00016984 _____ () C:\Users\Todd\Desktop\FRST.txt
2014-06-22 11:19 - 2014-06-22 11:19 - 00000000 ____D () C:\FRST
2014-06-22 11:18 - 2014-06-22 11:18 - 01070592 _____ (Farbar) C:\Users\Todd\Desktop\FRST.exe
2014-06-22 11:18 - 2014-06-21 17:33 - 00027328 _____ () C:\Users\Todd\AppData\Roaming\msconfig.ini
2014-06-22 11:04 - 2006-11-02 07:47 - 00003456 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-22 11:04 - 2006-11-02 07:47 - 00003456 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-21 21:09 - 2006-11-02 05:33 - 00785214 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-06-21 21:08 - 2007-10-21 15:39 - 01120105 _____ () C:\Windows\WindowsUpdate.log
2014-06-21 21:06 - 2014-06-21 21:06 - 00000000 _____ () C:\Users\Todd\Desktop\mbam-clean-2.0.2.0 (1).exe
2014-06-21 21:04 - 2007-10-31 11:38 - 00000680 _____ () C:\Users\Todd\AppData\Local\d3d9caps.dat
2014-06-21 21:04 - 2007-10-21 16:05 - 00000012 _____ () C:\Windows\bthservsdp.dat
2014-06-21 21:00 - 2006-11-02 08:00 - 00094896 _____ () C:\Windows\PFRO.log
2014-06-21 19:04 - 2014-06-21 19:04 - 00000068 _____ () C:\Windows\wininit.ini
2014-06-21 19:04 - 2014-06-21 18:58 - 00006023 _____ () C:\Users\Todd\Desktop\attach.txt
2014-06-21 19:03 - 2014-06-21 19:03 - 00688992 ____R (Swearware) C:\Users\Todd\Desktop\dds (1).com
2014-06-21 18:58 - 2014-06-21 18:55 - 00000000 _____ () C:\Users\Todd\Desktop\dds.com
2014-06-21 18:39 - 2014-06-21 18:38 - 00000000 _____ () C:\Users\Todd\Desktop\mbam-clean-2.0.2.0.exe
2014-06-21 18:28 - 2014-06-21 18:28 - 00001143 _____ () C:\Users\Todd\Desktop\JRT.txt
2014-06-21 18:23 - 2014-06-21 18:23 - 00000000 ____D () C:\Windows\ERUNT
2014-06-21 18:23 - 2014-06-21 18:22 - 00000000 _____ () C:\Users\Todd\Desktop\JRT.exe
2014-06-21 18:03 - 2014-06-21 18:02 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Todd\Desktop\mbam-setup-2.0.2.1012.exe
2014-06-21 17:54 - 2008-04-27 18:48 - 00000000 ____D () C:\ProgramData\TEMP
2014-06-21 17:50 - 2014-06-21 17:47 - 00000000 ____D () C:\Windows\system32\MRT
2014-06-21 17:35 - 2006-11-02 08:01 - 00032646 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-06-21 17:35 - 2006-11-02 08:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-21 17:34 - 2014-06-21 17:33 - 00000000 __SHD () C:\Windows\system32\Windows Server
2014-06-21 17:34 - 2014-03-11 23:00 - 00000000 ____D () C:\Program Files\QuickTime
2014-06-21 17:34 - 2008-08-03 13:34 - 00000000 _____ () C:\Windows\system32\hkcmd.exe
2014-06-21 17:34 - 2007-12-02 10:14 - 00000000 _____ () C:\Users\Todd\Downloads\toggler.exe
2014-06-21 17:34 - 2007-11-13 21:51 - 00000000 ____D () C:\Program Files\DellTPad
2014-06-21 17:33 - 2014-06-21 17:33 - 00224670 _____ () C:\Users\Todd\Desktop\setup.rar
2014-06-21 17:28 - 2009-05-12 14:18 - 00000000 ____D () C:\MDT
2014-06-21 17:28 - 2007-10-30 15:16 - 00000000 _____ () C:\Users\Todd\AppData\Local\WavXMapDrive.bat
2014-06-01 17:18 - 2006-11-02 05:24 - 92708840 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-05-25 21:20 - 2011-12-10 23:51 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391661356-1727468638-1468527204-1000UA.job
 
Files to move or delete:
====================
C:\Users\Todd\AppData\Roaming\msconfig.ini
 
 
Some content of TEMP:
====================
C:\Users\Todd\AppData\Local\temp\clean20.dll
C:\Users\Todd\AppData\Local\temp\instutil.dll
C:\Users\Todd\AppData\Local\temp\TSInstallCAUtils.dll
C:\Users\Todd\AppData\Local\temp\_is27B.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-06-22 09:13
 
==================== End Of Log ============================
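The Registry section of that log is what explains the symptoms in the first post, so here is an added example of how a defender can triage FRST output automatically. This is not FRST's own code and was not posted in the thread. Under Image File Execution Options, a Debugger value makes Windows launch the named program instead of the requested image whenever that image name is started, so with mbam*.exe, rstrui.exe (System Restore) and most anti-virus executables all pointed at nqij.exe, none of those tools can run normally; that matches the failed installs, the crashing cleaner and the unusable System Restore. The Winlogon Shell value normally reads explorer.exe, so a different path there starts something else at logon, and the Lsa Authentication Packages list normally contains only msv1_0, so any extra entry is loaded into LSASS at boot and is worth verifying. The sample lines below are constructed from the entries above plus two benign ones; the short allowlist of legitimate debuggers and the msv1_0-only baseline are my assumptions, not FRST's rules.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the style of FRST's "Registry (Whitelisted)" section:
# the three kinds of entry the thread's log showed, plus two benign lines.
SAMPLE_LOG = r"""
HKU\S-1-5-21-2391661356-1727468638-1468527204-1000\...\Winlogon: [Shell] C:\Windows\system32\Windows Server\wserver.exe [333312 2014-06-22] (Xorseoue) <==== ATTENTION
IFEO\AvastSvc.exe: [Debugger] nqij.exe
IFEO\mbam.exe: [Debugger] nqij.exe
IFEO\rstrui.exe: [Debugger] nqij.exe
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
"""

# Patterns for the three FRST line shapes this triage cares about.
IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+): \[Debugger\] (?P<debugger>.+?)\s*$")
SHELL_RE = re.compile(r"\\Winlogon: \[Shell\] (?P<value>.+?)\s*$")
LSA_RE = re.compile(r"^Lsa: \[Authentication Packages\] (?P<packages>.+?)\s*$")

# Assumed allowlist: debuggers an administrator might register under IFEO on
# purpose. Anything else redirecting a security tool is treated as a hijack.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe"}
# Assumed baseline: the stock Windows authentication package list.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


@dataclass(frozen=True)
class Finding:
    technique: str  # short label for the persistence / defence-evasion technique
    key: str        # registry location or image name the line concerns
    detail: str     # the value that triggered the finding


def analyze_frst_registry(text: str) -> list[Finding]:
    """Return one Finding per suspicious line in an FRST Registry section."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = IFEO_RE.match(line)
        if m:
            # Only the executable name matters; drop any arguments or path.
            dbg = ntpath.basename(m["debugger"].split()[0]).lower()
            if dbg not in KNOWN_DEBUGGERS:
                findings.append(Finding("IFEO debugger hijack", m["image"], m["debugger"]))
            continue

        m = SHELL_RE.search(line)
        if m:
            # Drop FRST's trailing annotation: "[size date] (Vendor) <==== ATTENTION".
            path = m["value"].split(" [", 1)[0].strip()
            if ntpath.basename(path).lower() != "explorer.exe":
                findings.append(Finding("Winlogon Shell replaced", line.split(":", 1)[0], path))
            continue

        m = LSA_RE.match(line)
        if m:
            extra = [p for p in m["packages"].split() if p.lower() not in DEFAULT_AUTH_PACKAGES]
            if extra:
                findings.append(Finding("extra LSA authentication package",
                                        r"Lsa\Authentication Packages", " ".join(extra)))
    return findings


if __name__ == "__main__":
    for f in analyze_frst_registry(SAMPLE_LOG):
        print(f"{f.technique:34} {f.key:48} -> {f.detail}")
```

Run against a full FRST.txt the same function will ignore the process, driver and file sections because none of their lines match the three patterns; the point of keeping the baseline and allowlist as explicit sets is that a triage script should state what "normal" means rather than bury it in the parser.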


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,929 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:55 PM

Posted 22 June 2014 - 11:39 AM

Download the enclosed file. [attachment=151575:fixlist.txt]

 

Save it in the same location FRST is saved.

 

Run FRST, except that this time around click on the Fix button and wait.

 

The tool will make a log in the same location FRST is saved (Fixlog.txt). Please post it to your reply.
 



#7 asleep

asleep
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 22 June 2014 - 11:49 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:21-06-2014 01
Ran by Todd at 2014-06-22 11:46:56 Run:1
Running from C:\Users\Todd\Desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
Start
HKU\S-1-5-21-2391661356-1727468638-1468527204-1000\...\Winlogon: [Shell] C:\Windows\system32\Windows Server\wserver.exe [333312 2014-06-22] (Xorseoue) <==== ATTENTION 
IFEO\AvastSvc.exe: [Debugger] nqij.exe
IFEO\AvastUI.exe: [Debugger] nqij.exe
IFEO\avcenter.exe: [Debugger] nqij.exe
IFEO\avconfig.exe: [Debugger] nqij.exe
IFEO\avgcsrvx.exe: [Debugger] nqij.exe
IFEO\avgidsagent.exe: [Debugger] nqij.exe
IFEO\avgnt.exe: [Debugger] nqij.exe
IFEO\avgrsx.exe: [Debugger] nqij.exe
IFEO\avguard.exe: [Debugger] nqij.exe
IFEO\avgui.exe: [Debugger] nqij.exe
IFEO\avgwdsvc.exe: [Debugger] nqij.exe
IFEO\avp.exe: [Debugger] nqij.exe
IFEO\avscan.exe: [Debugger] nqij.exe
IFEO\bdagent.exe: [Debugger] nqij.exe
IFEO\blindman.exe: [Debugger] nqij.exe
IFEO\ccuac.exe: [Debugger] nqij.exe
IFEO\ComboFix.exe: [Debugger] nqij.exe
IFEO\egui.exe: [Debugger] nqij.exe
IFEO\hijackthis.exe: [Debugger] nqij.exe
IFEO\instup.exe: [Debugger] nqij.exe
IFEO\keyscrambler.exe: [Debugger] nqij.exe
IFEO\mbam.exe: [Debugger] nqij.exe
IFEO\mbamgui.exe: [Debugger] nqij.exe
IFEO\mbampt.exe: [Debugger] nqij.exe
IFEO\mbamscheduler.exe: [Debugger] nqij.exe
IFEO\mbamservice.exe: [Debugger] nqij.exe
IFEO\MpCmdRun.exe: [Debugger] nqij.exe
IFEO\MSASCui.exe: [Debugger] nqij.exe
IFEO\MsMpEng.exe: [Debugger] nqij.exe
IFEO\msseces.exe: [Debugger] nqij.exe
IFEO\rstrui.exe: [Debugger] nqij.exe
IFEO\SDFiles.exe: [Debugger] nqij.exe
IFEO\SDMain.exe: [Debugger] nqij.exe
IFEO\SDWinSec.exe: [Debugger] nqij.exe
IFEO\spybotsd.exe: [Debugger] nqij.exe
IFEO\wireshark.exe: [Debugger] nqij.exe
IFEO\zlclient.exe: [Debugger] nqij.exe
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
FF Plugin: @pandasecurity.com/activescan - C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll No File
FF Plugin: @veetle.com/vbp;version=0.9.17 - C:\Program Files\Veetle\VLCBroadcast\npvbp.dll No File
C:\Users\Todd\AppData\Roaming\msconfig.ini
C:\Users\Todd\AppData\Local\temp\clean20.dll
C:\Users\Todd\AppData\Local\temp\instutil.dll
C:\Users\Todd\AppData\Local\temp\TSInstallCAUtils.dll
C:\Users\Todd\AppData\Local\temp\_is27B.exe
End
*****************
 
HKU\S-1-5-21-2391661356-1727468638-1468527204-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastSvc.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastUI.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avcenter.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avconfig.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgcsrvx.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgidsagent.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgnt.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgrsx.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avguard.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgui.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgwdsvc.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avscan.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\blindman.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\instup.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\keyscrambler.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamgui.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbampt.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamscheduler.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamservice.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MsMpEng.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\rstrui.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SDFiles.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SDMain.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SDWinSec.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe' => Key deleted successfully.
'HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe' => Key deleted successfully.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
'HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
'HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}'=> Key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => value deleted successfully.
'HKCR\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}'=> Key not found.
'HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan' => Key deleted successfully.
C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll not found.
'HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17' => Key deleted successfully.
C:\Program Files\Veetle\VLCBroadcast\npvbp.dll not found.
C:\Users\Todd\AppData\Roaming\msconfig.ini => Moved successfully.
C:\Users\Todd\AppData\Local\temp\clean20.dll => Moved successfully.
C:\Users\Todd\AppData\Local\temp\instutil.dll => Moved successfully.
C:\Users\Todd\AppData\Local\temp\TSInstallCAUtils.dll => Moved successfully.
C:\Users\Todd\AppData\Local\temp\_is27B.exe => Moved successfully.
 
==== End of Fixlog ====


#8 JSntgRvr (Malware Response Team)

Posted 22 June 2014 - 11:52 AM

Please download Malwarebytes' Anti-Malware from Here
 
Double Click mbam-setup-2.0..exe to install the application. (The revision number may vary.)
  • Select the language and click OK.
  • Accept the agreement.
  • Make sure a checkmark is placed next to Enable the Free Trial and Launch Malwarebytes' Anti-Malware, then click on Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Scan Now".
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click on Quarantine All.
  • When disinfection is completed, a dialog will open and you may be prompted to Restart. (See Extra Note)
  • Upon restart, launch Malwarebytes Anti-Malware and select History.
  • Double click on the last scan done, then on Copy to Clipboard.
  • Right click on your next reply and select Paste.
  • Submit your reply.

    Extra Note:
     
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    No request for help throughout private messaging will be attended.

    If I have helped you, consider making a donation to help me continue the fight against Malware!


    #9 asleep (Topic Starter)

    Posted 22 June 2014 - 12:01 PM

    During the install process, a popup said I needed to restart to finish an earlier removal.

     

    I restarted, and now I am back to Error 5 errors again.

     

    Also, I did not see a "free trial" option... but that may come after installation...?


    Edited by asleep, 22 June 2014 - 12:02 PM.


    #10 JSntgRvr (Malware Response Team)

    Posted 22 June 2014 - 12:03 PM

    Re-scan with FRST and post its report.




    #11 asleep (Topic Starter)

    Posted 22 June 2014 - 12:12 PM

     
     
    LastRegBack: 2014-06-22 12:03
     
    ==================== End Of Log ============================
     
    ^^That's all that shows in the FRST.txt?

    Edited by asleep, 22 June 2014 - 12:14 PM.


    #12 JSntgRvr (Malware Response Team)

    Posted 22 June 2014 - 12:16 PM

    Remove the check marks for the additional and Shortcut reports and re-scan with FRST. The first report is incomplete.




    #13 asleep (Topic Starter)

    Posted 22 June 2014 - 12:18 PM

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:21-06-2014 01
    Ran by Todd (administrator) on D630 on 22-06-2014 12:16:43
    Running from C:\Users\Todd\Desktop
    Platform: Microsoft® Windows Vista™ Business  (X86) OS Language: English (United States)
    Internet Explorer Version 8
    Boot Mode: Normal
     
    The only official download link for FRST:
    Download link from any site other than Bleeping Computer is unpermitted or outdated.
     
    ==================== Processes (Whitelisted) =================
     
    (Microsoft Corporation) C:\Windows\System32\SLsvc.exe
    () C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
    (Dell Inc.) C:\Program Files\Dell\DW WLAN Card\BCMWLTRY.EXE
    (Microsoft Corporation) C:\Windows\System32\wlanext.exe
    (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Broadcom Corporation) C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (CSR, plc) C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
    (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    (Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    (Sony Corporation) C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
    (SigmaTel, Inc.) C:\Windows\System32\stacsv.exe
    (Xorseoue) C:\Windows\System32\Windows Server\wserver.exe
    (Avanquest Software ) C:\Program Files\Digital Line Detect\DLG.exe
    (Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
    (Dell Inc.) C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    (Logitech, Inc.) C:\Program Files\Logitech\SetPoint\SetPoint.exe
    (Dell Inc) C:\Program Files\Dell\QuickSet\quickset.exe
    (Logitech, Inc.) C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
    (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    (Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
    (Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
     
     
    ==================== Registry (Whitelisted) ==================
     
    HKU\S-1-5-21-2391661356-1727468638-1468527204-1000\...\Winlogon: [Shell] C:\Windows\system32\Windows Server\wserver.exe [333312 2014-06-22] (Xorseoue) <==== ATTENTION 
    IFEO\AvastSvc.exe: [Debugger] nqij.exe
    IFEO\AvastUI.exe: [Debugger] nqij.exe
    IFEO\avcenter.exe: [Debugger] nqij.exe
    IFEO\avconfig.exe: [Debugger] nqij.exe
    IFEO\avgcsrvx.exe: [Debugger] nqij.exe
    IFEO\avgidsagent.exe: [Debugger] nqij.exe
    IFEO\avgnt.exe: [Debugger] nqij.exe
    IFEO\avgrsx.exe: [Debugger] nqij.exe
    IFEO\avguard.exe: [Debugger] nqij.exe
    IFEO\avgui.exe: [Debugger] nqij.exe
    IFEO\avgwdsvc.exe: [Debugger] nqij.exe
    IFEO\avp.exe: [Debugger] nqij.exe
    IFEO\avscan.exe: [Debugger] nqij.exe
    IFEO\bdagent.exe: [Debugger] nqij.exe
    IFEO\blindman.exe: [Debugger] nqij.exe
    IFEO\ccuac.exe: [Debugger] nqij.exe
    IFEO\ComboFix.exe: [Debugger] nqij.exe
    IFEO\egui.exe: [Debugger] nqij.exe
    IFEO\hijackthis.exe: [Debugger] nqij.exe
    IFEO\instup.exe: [Debugger] nqij.exe
    IFEO\keyscrambler.exe: [Debugger] nqij.exe
    IFEO\mbam.exe: [Debugger] nqij.exe
    IFEO\mbamgui.exe: [Debugger] nqij.exe
    IFEO\mbampt.exe: [Debugger] nqij.exe
    IFEO\mbamscheduler.exe: [Debugger] nqij.exe
    IFEO\mbamservice.exe: [Debugger] nqij.exe
    IFEO\MpCmdRun.exe: [Debugger] nqij.exe
    IFEO\MSASCui.exe: [Debugger] nqij.exe
    IFEO\MsMpEng.exe: [Debugger] nqij.exe
    IFEO\msseces.exe: [Debugger] nqij.exe
    IFEO\rstrui.exe: [Debugger] nqij.exe
    IFEO\SDFiles.exe: [Debugger] nqij.exe
    IFEO\SDMain.exe: [Debugger] nqij.exe
    IFEO\SDWinSec.exe: [Debugger] nqij.exe
    IFEO\spybotsd.exe: [Debugger] nqij.exe
    IFEO\wireshark.exe: [Debugger] nqij.exe
    IFEO\zlclient.exe: [Debugger] nqij.exe
    Lsa: [Authentication Packages] msv1_0 wvauth
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled ()
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
    ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
    ShortcutTarget: QuickSet.lnk -> C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe (Macrovision Corporation)
    Startup: C:\Users\Todd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Check for TWS Updates.lnk
    Startup: C:\Users\Todd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashSwitch.lnk
     
    ==================== Internet (Whitelisted) ====================
     
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
    SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
    BHO: MyBHO Class - {46B9D770-1B7D-45D1-81B4-AC07B2F127EF} - C:\Program Files\FlashSwitch\FlashBHO.dll (FlashSwitch Group)
    BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll No File
    BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
    BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    Toolbar: HKCU - &Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Winsock: Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
     
    FireFox:
    ========
    FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
    FF Plugin: @java.com/DTPlugin,version=10.9.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=10.9.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF Plugin: @pages.tvunetworks.com/WebPlayer - C:\Windows\system32\TVUAx\npTVUAx.dll (TVU networks)
    FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Todd\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Todd\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Todd\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
    FF Plugin HKCU: amazon.com/AmazonMP3DownloaderPlugin - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll (Amazon.com, Inc.)
    FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-04-24]
     
    Chrome: 
    =======
    CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
    CHR Plugin: (Native Client) - C:\Users\Todd\AppData\Local\Google\Chrome\Application\36.0.1985.67\ppGoogleNaClPluginChrome.dll ()
    CHR Plugin: (Chrome PDF Viewer) - C:\Users\Todd\AppData\Local\Google\Chrome\Application\36.0.1985.67\pdf.dll ()
    CHR Plugin: (Shockwave Flash) - C:\Users\Todd\AppData\Local\Google\Chrome\Application\36.0.1985.67\gcswf32.dll No File
    CHR Plugin: (Shockwave Flash) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.132\pepflashplayer.dll No File
    CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
    CHR Plugin: (Foxit Reader Plugin for Mozilla) - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
    CHR Plugin: (Java™ Platform SE 6 U31) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    CHR Plugin: (Panda ActiveScan 2.0) - C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll No File
    CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    CHR Plugin: (Unity Player) - C:\Users\Todd\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
    CHR Plugin: (Google Update) - C:\Users\Todd\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
    CHR Plugin: (TVU Web Player for FireFox) - C:\Windows\system32\TVUAx\npTVUAx.dll (TVU networks)
    CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll No File
    CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-21]
    CHR Extension: (YouTube) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-12]
    CHR Extension: (Google Search) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-12]
    CHR Extension: (TimelineRemove) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnedfaenfnkikficknkklbdedlecmpgc [2012-08-21]
    CHR Extension: (Disable Timeline on Facebook) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\efegkamagjpaioecemiekbhdgehlnaoe [2012-08-21]
    CHR Extension: (Facebook Disconnect) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpepffjfmamnambagiibghpglaidiec [2011-07-08]
    CHR Extension: (AdBlock) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2010-09-16]
    CHR Extension: (Who What Wear: Post your CL Outfit Pics here - Page 19 - PurseForum) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkdapghjkanhnlnabjfjfmgjhaokohid [2012-03-23]
    CHR Extension: (Google Wallet) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-25]
    CHR Extension: (Page Monitor) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\pemhgklkefakciniebenbfclihhmmfcd [2012-09-30]
    CHR Extension: (Gmail) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-12]
    CHR StartMenuInternet: Google Chrome - C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe
     
    ========================== Services (Whitelisted) =================
     
    R2 ASFIPmon; C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [79432 2006-12-19] (Broadcom Corporation)
    R2 BthFilterHelper; C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe [127488 2006-11-07] (CSR, plc) [File not signed]
    R2 nicconfigsvc; C:\Program Files\Dell\QuickSet\NicConfigSvc.exe [386592 2007-04-27] (Dell Inc.)
    S3 SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [488448 2007-02-16] (Wave Systems Corp.) [File not signed]
    R2 STacSV; C:\Windows\system32\STacSV.exe [90112 2007-05-07] (SigmaTel, Inc.) [File not signed]
    S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1466368 2007-02-01] () [File not signed]
    R2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [4038656 2009-11-30] (Dell Inc.) [File not signed]
     
    ==================== Drivers (Whitelisted) ====================
     
    R2 BASFND; C:\Program Files\Broadcom\ASFIPMon\BASFND.sys [10480 2006-12-19] (Broadcom Corporation) [File not signed]
    R3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2009-11-30] (Broadcom Corporation)
    R3 BTHFILT; C:\Windows\System32\DRIVERS\BthFilt.sys [13824 2007-05-05] (CSR, plc)
    S3 CSRBC; C:\Windows\System32\Drivers\csrbcxp.sys [31744 2007-01-16] (CSR, plc) [File not signed]
    S4 DAdderFltr; C:\Windows\System32\drivers\dadder.sys [22784 2007-08-02] (Razer (Asia-Pacific) Pte Ltd)
    R3 guardian2; C:\Windows\System32\Drivers\oz776.sys [56576 2007-02-23] (O2Micro)
    S3 Netaapl; C:\Windows\System32\DRIVERS\netaapl.sys [18432 2010-04-19] (Apple Inc.) [File not signed]
    R0 pavboot; C:\Windows\System32\drivers\pavboot.sys [28552 2009-06-30] (Panda Security, S.L.)
    R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [19968 2006-08-28] (Dell Inc) [File not signed]
    S3 Skyhawke-USBLAN; C:\Windows\System32\DRIVERS\skblan.sys [40560 2010-04-12] (Belcarra Technologies)
    S3 SkyhawkeUSBLan; C:\Windows\System32\DRIVERS\btblan.sys [40560 2010-04-15] (Belcarra Technologies)
    R3 STHDA; C:\Windows\System32\drivers\stwrt.sys [323584 2007-05-07] (SigmaTel, Inc.)
    R2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [121344 2007-02-15] (Wave Systems Corp.) [File not signed]
    S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
    S3 catchme; \??\C:\Users\Todd\AppData\Local\Temp\catchme.sys [X]
    S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
    S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
    S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
     
    ==================== NetSvcs (Whitelisted) ===================
     
     
    ==================== One Month Created Files and Folders ========
     
    2014-06-22 12:16 - 2014-06-22 12:16 - 00016227 _____ () C:\Users\Todd\Desktop\FRST.txt
    2014-06-22 11:57 - 2014-06-22 12:16 - 00004544 _____ () C:\Users\Todd\AppData\Roaming\msconfig.ini
    2014-06-22 11:54 - 2014-06-22 11:55 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Todd\Desktop\mbam-setup-2.0.2.1012.exe
    2014-06-22 11:21 - 2014-06-22 11:21 - 00000000 ____D () C:\Users\Todd\Desktop\DESKT
    2014-06-22 11:19 - 2014-06-22 12:16 - 00000000 ____D () C:\FRST
    2014-06-22 11:18 - 2014-06-22 11:18 - 01070592 _____ (Farbar) C:\Users\Todd\Desktop\FRST.exe
    2014-06-21 21:06 - 2014-06-21 21:06 - 00000000 _____ () C:\Users\Todd\Desktop\mbam-clean-2.0.2.0 (1).exe
    2014-06-21 19:04 - 2014-06-21 19:04 - 00000068 _____ () C:\Windows\wininit.ini
    2014-06-21 19:03 - 2014-06-21 19:03 - 00688992 ____R (Swearware) C:\Users\Todd\Desktop\dds (1).com
    2014-06-21 18:55 - 2014-06-21 18:58 - 00000000 _____ () C:\Users\Todd\Desktop\dds.com
    2014-06-21 18:38 - 2014-06-21 18:39 - 00000000 _____ () C:\Users\Todd\Desktop\mbam-clean-2.0.2.0.exe
    2014-06-21 18:28 - 2014-06-21 18:28 - 00001143 _____ () C:\Users\Todd\Desktop\JRT.txt
    2014-06-21 18:23 - 2014-06-21 18:23 - 00000000 ____D () C:\Windows\ERUNT
    2014-06-21 18:22 - 2014-06-21 18:23 - 00000000 _____ () C:\Users\Todd\Desktop\JRT.exe
    2014-06-21 17:47 - 2014-06-21 17:50 - 00000000 ____D () C:\Windows\system32\MRT
    2014-06-21 17:33 - 2014-06-21 17:34 - 00000000 __SHD () C:\Windows\system32\Windows Server
    2014-06-21 17:33 - 2014-06-21 17:33 - 00224670 _____ () C:\Users\Todd\Desktop\setup.rar
     
    ==================== One Month Modified Files and Folders =======
     
    2014-06-22 12:16 - 2014-06-22 12:16 - 00016227 _____ () C:\Users\Todd\Desktop\FRST.txt
    2014-06-22 12:16 - 2014-06-22 11:57 - 00004544 _____ () C:\Users\Todd\AppData\Roaming\msconfig.ini
    2014-06-22 12:16 - 2014-06-22 11:19 - 00000000 ____D () C:\FRST
    2014-06-22 12:01 - 2006-11-02 05:33 - 00785214 _____ () C:\Windows\system32\PerfStringBackup.INI
    2014-06-22 12:00 - 2007-10-21 15:39 - 01123520 _____ () C:\Windows\WindowsUpdate.log
    2014-06-22 11:57 - 2007-10-31 11:38 - 00000680 _____ () C:\Users\Todd\AppData\Local\d3d9caps.dat
    2014-06-22 11:57 - 2006-11-02 08:00 - 00100218 _____ () C:\Windows\PFRO.log
    2014-06-22 11:57 - 2006-11-02 07:47 - 00003456 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2014-06-22 11:57 - 2006-11-02 07:47 - 00003456 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2014-06-22 11:56 - 2007-10-21 16:05 - 00000012 _____ () C:\Windows\bthservsdp.dat
    2014-06-22 11:55 - 2014-06-22 11:54 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Todd\Desktop\mbam-setup-2.0.2.1012.exe
    2014-06-22 11:21 - 2014-06-22 11:21 - 00000000 ____D () C:\Users\Todd\Desktop\DESKT
    2014-06-22 11:18 - 2014-06-22 11:18 - 01070592 _____ (Farbar) C:\Users\Todd\Desktop\FRST.exe
    2014-06-21 21:06 - 2014-06-21 21:06 - 00000000 _____ () C:\Users\Todd\Desktop\mbam-clean-2.0.2.0 (1).exe
    2014-06-21 19:04 - 2014-06-21 19:04 - 00000068 _____ () C:\Windows\wininit.ini
    2014-06-21 19:03 - 2014-06-21 19:03 - 00688992 ____R (Swearware) C:\Users\Todd\Desktop\dds (1).com
    2014-06-21 18:58 - 2014-06-21 18:55 - 00000000 _____ () C:\Users\Todd\Desktop\dds.com
    2014-06-21 18:39 - 2014-06-21 18:38 - 00000000 _____ () C:\Users\Todd\Desktop\mbam-clean-2.0.2.0.exe
    2014-06-21 18:28 - 2014-06-21 18:28 - 00001143 _____ () C:\Users\Todd\Desktop\JRT.txt
    2014-06-21 18:23 - 2014-06-21 18:23 - 00000000 ____D () C:\Windows\ERUNT
    2014-06-21 18:23 - 2014-06-21 18:22 - 00000000 _____ () C:\Users\Todd\Desktop\JRT.exe
    2014-06-21 17:54 - 2008-04-27 18:48 - 00000000 ____D () C:\ProgramData\TEMP
    2014-06-21 17:50 - 2014-06-21 17:47 - 00000000 ____D () C:\Windows\system32\MRT
    2014-06-21 17:35 - 2006-11-02 08:01 - 00032646 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
    2014-06-21 17:35 - 2006-11-02 08:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2014-06-21 17:34 - 2014-06-21 17:33 - 00000000 __SHD () C:\Windows\system32\Windows Server
    2014-06-21 17:34 - 2014-03-11 23:00 - 00000000 ____D () C:\Program Files\QuickTime
    2014-06-21 17:34 - 2008-08-03 13:34 - 00000000 _____ () C:\Windows\system32\hkcmd.exe
    2014-06-21 17:34 - 2007-12-02 10:14 - 00000000 _____ () C:\Users\Todd\Downloads\toggler.exe
    2014-06-21 17:34 - 2007-11-13 21:51 - 00000000 ____D () C:\Program Files\DellTPad
    2014-06-21 17:33 - 2014-06-21 17:33 - 00224670 _____ () C:\Users\Todd\Desktop\setup.rar
    2014-06-21 17:28 - 2009-05-12 14:18 - 00000000 ____D () C:\MDT
    2014-06-21 17:28 - 2007-10-30 15:16 - 00000000 _____ () C:\Users\Todd\AppData\Local\WavXMapDrive.bat
    2014-06-01 17:18 - 2006-11-02 05:24 - 92708840 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
    2014-05-25 21:20 - 2011-12-10 23:51 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391661356-1727468638-1468527204-1000UA.job
     
    Files to move or delete:
    ====================
    C:\Users\Todd\AppData\Roaming\msconfig.ini
     
     
    ==================== Bamital & volsnap Check =================
     
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
     
     
    LastRegBack: 2014-06-22 12:03
     
    ==================== End Of Log ============================

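As an added defender-side example that is not part of this thread, of FRST or of any tool named in it: a small Python audit that reads registry-section lines in the format FRST prints above and flags the three persistence points visible in this log, namely IFEO Debugger redirections, a replaced Winlogon Shell and an extra Lsa authentication package. The sample lines are constructed in that format (the SID and the windbg.exe entry are made up; the rest mirrors the posted log), and the fan-out threshold and severity labels are the example's own choices.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the FRST "Registry (Whitelisted)" section
# posted above. The SID and the windbg.exe entry are made up; the rest mirrors the log.
SAMPLE_FRST_LINES = r"""
HKU\S-1-5-21-EXAMPLE-1000\...\Winlogon: [Shell] C:\Windows\system32\Windows Server\wserver.exe [333312 2014-06-22] (Xorseoue) <==== ATTENTION
IFEO\mbam.exe: [Debugger] nqij.exe
IFEO\MsMpEng.exe: [Debugger] nqij.exe
IFEO\rstrui.exe: [Debugger] nqij.exe
IFEO\notepad.exe: [Debugger] C:\Tools\windbg.exe
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
""".strip().splitlines()

# "IFEO\<image>: [Debugger] <debugger>" and "Lsa: [Authentication Packages] ..." as FRST prints them.
IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+): \[Debugger\] (?P<debugger>.+)$")
LSA_RE = re.compile(r"^Lsa: \[Authentication Packages\] (?P<pkgs>.+)$")

# The only authentication package a stock Vista/7 install carries in this value.
DEFAULT_LSA_PACKAGES = {"msv1_0"}
DEFAULT_SHELL = "explorer.exe"
# One debugger name applied to this many images or more is the fan-out pattern used
# to disable security tools wholesale, not a developer attaching a real debugger.
FANOUT_THRESHOLD = 3


def audit_frst_registry(lines):
    """Return (severity, item, detail) findings for FRST registry-section lines.

    severity is "high" for entries matching the hijack shapes in the thread and
    "review" for IFEO debugger entries that merely deserve a look.
    """
    findings = []
    ifeo_entries = []
    for raw in lines:
        line = raw.strip()
        m = IFEO_RE.match(line)
        if m:
            ifeo_entries.append((m.group("image"), m.group("debugger").strip()))
            continue
        if "Winlogon: [Shell] " in line:
            # FRST appends "[size date] (company) <==== ATTENTION"; keep only the path.
            shell = line.split("Winlogon: [Shell] ", 1)[1].split(" [", 1)[0].strip()
            if shell.lower() != DEFAULT_SHELL:
                findings.append(("high", "Winlogon Shell", shell))
            continue
        m = LSA_RE.match(line)
        if m:
            extras = [p for p in m.group("pkgs").split()
                      if p.lower() not in DEFAULT_LSA_PACKAGES]
            if extras:
                findings.append(("high", "Lsa Authentication Packages", " ".join(extras)))

    # A Debugger value makes Windows launch <debugger> instead of <image>. Pointing it
    # at a bare name that exists nowhere on the path is how the entries in the log keep
    # mbam.exe, MsMpEng.exe, rstrui.exe and the rest from ever starting.
    fanout = Counter(dbg.lower() for _, dbg in ifeo_entries)
    for image, dbg in ifeo_entries:
        bare_name = "\\" not in dbg and "/" not in dbg
        shared = fanout[dbg.lower()] >= FANOUT_THRESHOLD
        severity = "high" if bare_name or shared else "review"
        findings.append((severity, "IFEO\\" + image, dbg))
    return findings


def blocked_images(findings):
    """Map each suspicious debugger to the images it hijacks, for building a fix list."""
    by_debugger = {}
    for severity, item, detail in findings:
        if severity == "high" and item.startswith("IFEO\\"):
            by_debugger.setdefault(detail, []).append(item[len("IFEO\\"):])
    return by_debugger


if __name__ == "__main__":
    results = audit_frst_registry(SAMPLE_FRST_LINES)
    for sev, item, detail in results:
        print(f"{sev:6} {item}: {detail}")
    print(blocked_images(results))
```

Running it on a full FRST.txt means feeding the "Registry (Whitelisted)" section's lines to audit_frst_registry; the Startup line in the sample shows that unrelated entries pass through silently.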

    #14 JSntgRvr (Malware Response Team)

    Posted 22 June 2014 - 12:43 PM

    If you have Spybot Search and Destroy, please remove that program as it will intervene with the fix.

     

    Download the enclosed file. [attachment=151579:fixlist.txt]

    Save it in the same location FRST is saved.

    Run FRST, except that this time around click on the Fix button and wait.

    The tool will make a log in the same location FRST is saved (Fixlog.txt). Please post it in your reply.

    Restart the computer if FRST does not.
     

    Please download ComboFix from Here to your Desktop.
     
    **Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

    • If you are using Firefox, make sure that your download settings are as follows:
      • Tools->Options->Main tab
      • Set to "Always ask me where to Save the files".
    • During the download, rename Combofix to MyPoppy as follows:
      (screenshots: CF_download_FF.gif, CF_download_rename.gif)
    • It is important you rename Combofix during the download, but not after.
    • Please do not rename Combofix to other names, but only to the one indicated.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

      -----------------------------------------------------------

      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

    • Double click on MyPoppy.exe & follow the prompts.
    • Install the Recovery Console if prompted.
    • When finished, it will produce a report for you.
    • Please post "C:\MyPoppy.txt" (I believe ComboFix will also rename the report).
    • **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
       
       
      Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
      Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
       
      Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

    No requests for help through private messaging will be attended to.

    If I have helped you, consider making a donation to help me continue the fight against Malware!


    #15 asleep (Topic Starter)

    Posted 22 June 2014 - 12:51 PM

    I have SS&D, but the uninstall and Add/Remove attempts just say it's a bad link; do I want to remove the link?

    If I try to go into the folder, it says I don't have permission.

    I don't think it's a running program for me... just a scan that was used some time ago.


    Edited by asleep, 22 June 2014 - 12:55 PM.
