AndyH24

  1. Thank you very much for all of your help! I followed your instructions in the last post. I am going to read through the links you provided. Also, I am going to start using Firefox, and I downloaded the add-ons you suggested. I truly appreciate all the help you gave me, thanks again!
  2. Hi, I uninstalled BitLord and updated Java and Adobe Acrobat Reader. Here is the log from ComboFix.
  3. I'm back. Sorry it took so long. ESET took 3 hours to scan. Here are my logs.

     1. Malwarebytes log
     Malwarebytes Anti-Malware 1.70.0.1100
     www.malwarebytes.org
     Database version: v2013.03.28.10
     Windows Vista Service Pack 2 x86 NTFS
     Internet Explorer 9.0.8112.16421
     Andy :: MAIN-PC [administrator]
     3/28/2013 12:54:04 PM
     mbam-log-2013-03-28 (12-54-04).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 278217
     Time elapsed: 6 minute(s), 27 second(s)
     Memory Processes Detected: 0 (No malicious items detected)
     Memory Modules Detected: 0 (No malicious items detected)
     Registry Keys Detected: 0 (No malicious items detected)
     Registry Values Detected: 0 (No malicious items detected)
     Registry Data Items Detected: 0 (No malicious items detected)
     Folders Detected: 0 (No malicious items detected)
     Files Detected: 0 (No malicious items detected)
     (end)

     2. Eset log
     C:\Program Files\AWS\WeatherBug\Local\askToolbarInstaller-1.9.1.0.exe a variant of Win32/Bundled.Toolbar.Ask application
     C:\Qoobox\Quarantine\C\Users\Andy\AppData\Roaming\skype.dat.vir a variant of Win32/Kryptik.AXPR trojan
     C:\Users\Ali\AppData\Local\32f8aa03-247c-4192-b075-ee9eef1e23e0.crx JS/Redirector.NCG trojan
     C:\Users\Ali\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\581c70da-1b586c4f multiple threats
     C:\Users\Ali\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\581c70da-31326f70 multiple threats
     C:\Users\Ali\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\581c70da-6982c5c5 multiple threats
     C:\Users\Andy\AppData\Local\32f8aa03-247c-4192-b075-ee9eef1e23e0.crx JS/Redirector.NCG trojan
     C:\Users\Andy\AppData\Local\{54464204-0291-11E2-8271-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan
     C:\Users\Andy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\36e023ca-321cc33f probably a variant of Java/Exploit.CVE-2012-1723.EB trojan
     C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\3ucdh5rj.default\extensions\{32f8aa03-247c-4192-b075-ee9eef1e23e0}.xpi JS/Redirector.NCL trojan
     E:\Downloads\gimp_31.exe probably a variant of Win32/InstallIQ application
     E:\Downloads\GraboidVideoSetup-1.73m-complete.exe Win32/Graboid application
     E:\Downloads\serial_key_of_card_recovery_v6.10_build_1210_evaluation_version.rar_downloader_224.exe a variant of Win32/YourFileDownloader.A application
     E:\Downloads\SetupImgBurn_2.5.6.0.exe a variant of Win32/Bundled.Toolbar.Ask application
     E:\Downloads\The_Dark_Knight_Rises_2012_DVDRip_XviD-NeDiVx.exe Win32/Adware.1ClickDownload.J application
     E:\Downloads\WeatherBugSetup.msi a variant of Win32/Bundled.Toolbar.Ask.A application

     3. Qoobox log
  4. Thank you so much! I am now logged into the previously infected account! Here is the fixlog.

     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2013
     Ran by SYSTEM at 2013-03-28 08:03:49 Run:1
     Running from G:\
     ==============================================
     HKEY_USERS\Andy\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.
     ==== End of Fixlog ====

     Ok, I ran ComboFix from the desktop after disabling antivirus and security software. Here is the log.
  5. Sorry, I think I got it this time. Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2013 (ATTENTION: FRST version is 14 days old) Ran by SYSTEM at 27-03-2013 16:55:32 Running from G:\ Windows Vista Ultimate (X86) OS Language: English(US)
  6. Thank you so much for your help! Here is the log from FRST. Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2013 (ATTENTION: FRST version is 14 days old) Ran by Andy at 27-03-2013 15:51:01 Running from D:\ Service Pack 2 (X86) OS Language: English(US) Attention: Could not load system hive. ERROR: The process cannot access the file because it is being used by another process. ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.
  7. btw, I'm running Windows Vista Ultimate 32-bit Service Pack 2 with all the updates.
  8. The administrator account (my account) on my PC is infected with the FBI MoneyPak virus. It will not let me into Safe Mode. I am currently logged on to another account, but it does not have administrative rights. I have tried accessing files on my admin account so I can delete the infected files, but it won't let me access them. I was running AVG when I was infected and still got the virus. I have run Malwarebytes from this standard account, but it does not find anything. Any help would be greatly appreciated! Thanks, Andy