Jump to content

Google Redirect Virus


dipset

Recommended Posts

I have a virus where anytime I click a link from a Google search, I'm redirected to a spam website. I had this issue this past weekend, but Maniac helped me get rid of it (see: http://forums.malwarebytes.org/index.php?showtopic=116257). Unfortunately, the issue came back - I don't know how this happened.

Can someone please help me permaneately remove this annoying, invasive virus? I've included the Malwarebytes Antivirus log, DDS.txt, and Attach.txt below. Thank you for your help and support!

  • Malwarebytes Antivirus Log:

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.26.10

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Bobby :: BOBBY-THINK [administrator]

9/26/2012 2:55:37 PM

mbam-log-2012-09-26 (14-55-37).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 200092

Time elapsed: 2 minute(s), 53 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Users\Bobby\AppData\Local\Temp\0.48053279246894465 (Trojan.Happili) -> Quarantined and deleted successfully.

(end)

  • DDS.txt:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.6.2

Run by Bobby at 20:34:17 on 2012-09-26

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3690.1624 [GMT -4:00]

.

AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

.

============== Running Processes ===============

.

C:\PROGRA~2\AVG\AVG2013\avgrsa.exe

C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\ibmpmsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe

C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe

C:\Windows\system32\CxAudMsg64.exe

C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Intel\iCLS Client\HeciServer.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe

C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe

C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe

C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe

C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe

C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe

C:\Windows\SysWOW64\NLSSRV32.EXE

C:\Windows\SysWOW64\SAsrv.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe

C:\Program Files (x86)\BlueStacks\HD-Service.exe

C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe

C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\BlueStacks\HD-Network.exe

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\BlueStacks\HD-BlockDevice.exe

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\BlueStacks\HD-SharedFolder.exe

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe

C:\Program Files\CONEXANT\ForteConfig\fmapp.exe

C:\Windows\System32\TpShocks.exe

C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\System32\StikyNot.exe

C:\Windows\System32\rundll32.exe

C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe

C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe

C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\AVG\AVG2013\avgui.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files (x86)\BlueStacks\HD-Agent.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE

C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe

C:\Windows\system32\rundll32.exe

C:\PROGRA~1\Lenovo\HOTKEY\MKRMSG.EXE

C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE

C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\SearchIndexer.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files (x86)\Lenovo\System Update\SUService.exe

C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\DllHost.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Users\Bobby\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=CKMB&bmod=CKMB

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=CKMB&bmod=CKMB

uInternet Settings,ProxyOverride = *.local

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL

BHO: Symantec VIP Access Add-On: {c63cd127-a1cb-4d49-a4f7-d6f88a917be6} - C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [Google Update] "C:\Users\Bobby\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe

uRun: [Absolute_Software] rundll32.exe "C:\Users\Bobby\AppData\Local\Apple\Absolute_Software\fqnqx.dll",DllRegisterServerW

mRun: [iMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"

mRun: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"

mRun: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe

mRun: [Dolby Advanced Audio v2] "C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe" -autostart

mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [Fastboot] C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe

mRun: [Lenovo Registration] C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY

mRun: [blueStacks Agent] C:\Program Files (x86)\BlueStacks\HD-Agent.exe

StartupFolder: C:\Users\Bobby\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{30942EEA-CE1B-4449-8002-F3980D50D482} : DhcpNameServer = 0.0.0.0

TCP: Interfaces\{95CD91B6-D923-4899-9AD3-4E2FE87348B9} : DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{95CD91B6-D923-4899-9AD3-4E2FE87348B9}\25564625F6675627 : DhcpNameServer = 132.236.56.250 128.253.180.2 192.35.82.50

TCP: Interfaces\{95CD91B6-D923-4899-9AD3-4E2FE87348B9}\3603F6B4963302D603E653473327 : DhcpNameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Symantec VIP Access Add-On: {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll

BHO-X64: IEPlugin - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

mRun-x64: [iMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"

mRun-x64: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"

mRun-x64: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe

mRun-x64: [Dolby Advanced Audio v2] "C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe" -autostart

mRun-x64: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [Fastboot] C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe

mRun-x64: [Lenovo Registration] C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY

mRun-x64: [blueStacks Agent] C:\Program Files (x86)\BlueStacks\HD-Agent.exe

IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Bobby\AppData\Roaming\Mozilla\Firefox\Profiles\phgeso05.default-1348354658048\

FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll

FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Nitro PDF\Professional 7\npdf.dll

FF - plugin: C:\Program Files (x86)\Nitro PDF\Professional 7\npnitroie.dll

FF - plugin: C:\Program Files (x86)\Nitro PDF\Professional 7\npnitromozilla.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Bobby\AppData\Local\Citrix\Plugins\60\npappdetector.dll

FF - plugin: C:\Users\Bobby\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: C:\Users\Bobby\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

FF - plugin: C:\Users\Bobby\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_268.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]

R0 Avgloga;AVG Logging Driver;C:\Windows\system32\DRIVERS\avgloga.sys --> C:\Windows\system32\DRIVERS\avgloga.sys [?]

R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]

R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\system32\DRIVERS\iusb3hcs.sys --> C:\Windows\system32\DRIVERS\iusb3hcs.sys [?]

R0 TPDIGIMN;TPDIGIMN;C:\Windows\system32\DRIVERS\ApsHM64.sys --> C:\Windows\system32\DRIVERS\ApsHM64.sys [?]

R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]

R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]

R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]

R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]

R1 PHCORE;PHCORE;C:\Program Files\Lenovo\RapidBoot\PHCORE64.sys [2012-3-26 33344]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 BstHdDrv;BlueStacks Hypervisor;C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [2012-9-18 71032]

R3 5U877;5U877;C:\Windows\system32\DRIVERS\5U877.sys --> C:\Windows\system32\DRIVERS\5U877.sys [?]

R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]

R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\iusb3hub.sys --> C:\Windows\system32\DRIVERS\iusb3hub.sys [?]

R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\system32\DRIVERS\iusb3xhc.sys --> C:\Windows\system32\DRIVERS\iusb3xhc.sys [?]

R3 MEIx64;Intel® Management Engine Interface ;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

R3 RSP2STOR;Realtek PCIE CardReader Driver - P2;C:\Windows\system32\DRIVERS\RtsP2Stor.sys --> C:\Windows\system32\DRIVERS\RtsP2Stor.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\system32\DRIVERS\rtl8192Ce.sys --> C:\Windows\system32\DRIVERS\rtl8192Ce.sys [?]

R3 SmbDrvIntel;SmbDrvIntel;C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys --> C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [?]

R3 TVTI2C;Lenovo SM bus driver;C:\Windows\system32\DRIVERS\Tvti2c.sys --> C:\Windows\system32\DRIVERS\Tvti2c.sys [?]

R3 tvtvcamd;ThinkVantage Virtual Camera;C:\Windows\system32\DRIVERS\tvtvcamd.sys --> C:\Windows\system32\DRIVERS\tvtvcamd.sys [?]

S3 Fastboot;Fastboot;C:\Windows\system32\DRIVERS\Fastboot.sys --> C:\Windows\system32\DRIVERS\Fastboot.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]

.

=============== Created Last 30 ================

.

2012-09-25 01:31:11 -------- d-----w- C:\Program Files (x86)\Citrix

2012-09-25 01:30:50 -------- d-----w- C:\Users\Bobby\AppData\Local\Citrix

2012-09-24 19:55:01 -------- d-----w- C:\ProgramData\BlueStacksSetup

2012-09-24 19:54:45 -------- d-----w- C:\ProgramData\BlueStacks

2012-09-24 19:54:45 -------- d-----w- C:\Program Files (x86)\BlueStacks

2012-09-24 18:57:24 -------- d-----w- C:\Users\Bobby\.android

2012-09-24 18:56:23 -------- d-----w- C:\Program Files (x86)\Android

2012-09-22 20:41:32 -------- d-----w- C:\Users\Bobby\AppData\Roaming\Malwarebytes

2012-09-22 20:41:22 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-09-22 20:41:22 -------- d-----w- C:\ProgramData\Malwarebytes

2012-09-22 20:41:21 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-09-22 15:01:08 -------- d-----w- C:\Users\Bobby\AppData\Local\Diagnostics

2012-09-22 06:00:26 388096 ----a-r- C:\Users\Bobby\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-09-22 06:00:26 -------- d-----w- C:\Program Files (x86)\Trend Micro

2012-09-22 05:09:39 -------- d-----w- C:\Users\Bobby\AppData\Roaming\AVG2013

2012-09-22 05:08:43 -------- d-----w- C:\Users\Bobby\AppData\Roaming\TuneUp Software

2012-09-22 05:08:10 -------- d--h--w- C:\$AVG

2012-09-22 05:08:10 -------- d-----w- C:\ProgramData\AVG2013

2012-09-22 05:03:19 -------- d-----w- C:\Users\Bobby\AppData\Local\MFAData

2012-09-22 05:03:19 -------- d-----w- C:\Users\Bobby\AppData\Local\Avg2013

2012-09-17 22:58:54 56672 ----a-w- C:\Windows\System32\drivers\avgidsha.sys

2012-09-14 09:34:34 105312 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys

2012-09-12 15:47:20 199520 ----a-w- C:\Windows\System32\drivers\avgtdia.sys

2012-09-12 15:47:02 175968 ----a-w- C:\Windows\System32\drivers\avgldx64.sys

2012-09-09 17:28:52 73696 ----a-w- C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll

2012-09-03 02:06:34 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E09D6D33-4E5E-4663-94B3-5F4E721DF429}\offreg.dll

2012-08-31 12:37:27 9310152 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E09D6D33-4E5E-4663-94B3-5F4E721DF429}\mpengine.dll

2012-08-30 01:05:54 -------- d-----w- C:\Users\Bobby\AppData\Roaming\texstudio

2012-08-30 01:04:45 -------- d-----w- C:\Users\Bobby\AppData\Roaming\MiKTeX

2012-08-30 01:04:16 -------- d-----w- C:\Users\Bobby\AppData\Local\MiKTeX

2012-08-30 00:48:48 -------- d-----w- C:\ProgramData\MiKTeX

2012-08-30 00:46:21 -------- d-----w- C:\Program Files\MiKTeX 2.9

2012-08-30 00:44:23 -------- d-----w- C:\Program Files (x86)\TeXstudio

2012-08-30 00:29:11 2188288 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\gsv\gsv491w64.exe

2012-08-30 00:29:11 1502208 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\gsv\gsv49w32.exe

2012-08-30 00:29:10 2042368 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\gsv\gsv491w32.exe

2012-08-30 00:29:08 12592939 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\gsv\gs902w64.exe

2012-08-30 00:29:00 12317403 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\gsv\gs902w32.exe

2012-08-30 00:25:06 7360000 ------w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\MiKTeX\setup\setup-2.9.4503.exe

2012-08-30 00:25:05 9728000 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\MiKTeX\setup\setup-2.9.4503-x64.exe

2012-08-30 00:25:04 16457073 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\TeXstudio\texstudio23_win32.exe

2012-08-30 00:25:03 655872 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\Microsoft.VC90.CRT\msvcr90.dll

2012-08-30 00:25:03 568832 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\Microsoft.VC90.CRT\msvcp90.dll

2012-08-30 00:25:03 224768 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\Microsoft.VC90.CRT\msvcm90.dll

2012-08-30 00:24:58 2303488 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\python27.dll

2012-08-30 00:24:57 133120 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ProTeXt\Setup.exe

2012-08-29 14:28:59 92672 ----a-w- C:\Windows\System32\redmonnt.dll

2012-08-29 14:28:59 49664 ----a-w- C:\Windows\System32\unredmon.exe

2012-08-29 14:28:58 -------- d-----w- C:\Program Files\Cornell University

2012-08-29 14:28:37 40960 ----a-r- C:\Users\Bobby\AppData\Roaming\Microsoft\Installer\{5A6403D3-E177-42FD-AA16-2FBD441EA26E}\KerberosViewer.exe_2AF0AD33EBDF4A58B3D9A41DD1C1011D.exe

2012-08-28 14:47:50 -------- d-----w- C:\Users\Bobby\AppData\Local\Western Digital

.

==================== Find3M ====================

.

2012-08-22 02:31:38 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2012-08-22 02:31:38 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-08-22 02:31:38 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-08-17 04:41:48 126944 ----a-w- C:\Windows\System32\drivers\scdemu.sys

2012-08-16 02:23:20 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-16 02:23:20 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-08-13 20:40:52 150880 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys

2012-08-10 08:52:16 40288 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys

2012-08-09 17:56:42 230240 ----a-w- C:\Windows\System32\drivers\avgloga.sys

2012-07-19 22:25:28 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys

2012-07-19 22:25:22 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-07-19 22:23:42 509952 ----a-w- C:\Windows\System32\ntshrui.dll

2012-07-19 22:23:42 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll

2012-07-19 22:23:26 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-07-19 22:23:26 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-07-19 22:23:12 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll

2012-07-19 22:23:12 366592 ----a-w- C:\Windows\System32\qdvd.dll

2012-07-19 22:23:12 1572864 ----a-w- C:\Windows\System32\quartz.dll

2012-07-19 22:23:12 1328128 ----a-w- C:\Windows\SysWow64\quartz.dll

2012-07-19 22:23:05 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll

2012-07-19 22:23:05 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys

2012-07-19 22:23:05 1031680 ----a-w- C:\Windows\System32\rdpcore.dll

2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll

2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll

2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll

2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

.

============= FINISH: 20:35:30.52 ===============

  • Attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 8/15/2012 9:14:14 AM

System Uptime: 9/26/2012 5:49:21 PM (3 hours ago)

.

Motherboard: LENOVO | | 3254CTO

Processor: Intel® Core i5-3210M CPU @ 2.50GHz | CPU Socket - U3E1 | 2501/100mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 279 GiB total, 188.679 GiB free.

D: is CDROM ()

Q: is FIXED (NTFS) - 18 GiB total, 6.576 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP41: 9/22/2012 12:54:08 AM - Removed AVG 2012

RP42: 9/22/2012 12:55:12 AM - Removed AVG 2012

RP43: 9/22/2012 1:07:28 AM - Installed AVG 2013

RP44: 9/22/2012 1:07:48 AM - Installed AVG 2013

RP45: 9/22/2012 2:00:13 AM - Installed HiJackThis

RP46: 9/24/2012 3:54:08 PM - Installed BlueStacks

.

==== Installed Programs ======================

.

Absolute Reminder

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.4) MUI

Android SDK Tools

Apple Application Support

Apple Software Update

BlueStacks

Burn.Now 4.5

Cisco EAP-FAST Module

Cisco LEAP Module

Cisco PEAP Module

Corel Burn.Now Lenovo Edition

Corel WinDVD

Create Recovery Media

D3DX10

Dropbox

Evernote v. 4.5.8

Google Chrome

Google Talk Plugin

Google Update Helper

GoToMeeting 5.3.0.1010

HiJackThis

Integrated Camera Driver Installer Package Ver.1.2.1.18

Intel® Control Center

Intel® Manageability Engine Firmware Recovery Agent

Intel® Management Engine Components

Intel® OpenCL CPU Runtime

Intel® Processor Graphics

Intel® USB 3.0 eXtensible Host Controller Driver

Java 7 Update 6

Java Auto Updater

Java SE Development Kit 7 Update 6

Junk Mail filter update

Kerberos Ticket Viewer

Lenovo Patch Utility

Lenovo Registration

Lenovo User Guide

Lenovo Warranty Information

Malwarebytes Anti-Malware version 1.65.0.1400

Mesh Runtime

Microsoft Office

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Mozilla Firefox 15.0.1 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NetBeans IDE 7.2

Notepad++

Power Manager

PowerISO

QuickTime

RapidBoot HDD Accelerator

Realtek Ethernet Controller Driver

Realtek PCIE Card Reader

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Skype™ 5.10

Spotify

SugarSync Manager

System Update

TeXstudio 2.3

ThinkPad Wireless LAN Adapter Software

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

VIP Access

Visual Studio 2008 x64 Redistributables

VLC media player 2.0.3

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

.

==== Event Viewer Messages From Past Week ========

.

9/26/2012 8:34:50 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AVGIDSAgent service.

9/26/2012 3:03:07 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.

9/26/2012 3:02:55 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\Rtlihvs.dll Error Code: 126

9/24/2012 12:23:38 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the BFE service.

9/24/2012 12:23:05 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IKEEXT service.

9/24/2012 12:22:35 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the iphlpsvc service.

9/22/2012 4:51:11 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

.

==== End Of File ===========================

Link to post
Share on other sites

Welcome to the forum.

What browsers are affected?

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Link to post
Share on other sites

Thanks for the quick response, MrCharlie. I use Mozilla Firefox and Google Chrome and both of them are infected.

I tried downloading and running RougeKiller.exe as an administrator, but I got an error that said "...\Desktop\RogueKiller.exe is not a valid Win32 Application."

Any ideas on how I can get around this? Or maybe there is another program I can run to scan my machine?

Again, thanks for helping me figure this out.

Link to post
Share on other sites

Hi MrC- I just tried in safe mode and I got the same error: "...\Desktop\RogueKiller.exe is not a valid Win32 Application." I think this has to do with me running a 64-bit version of Windows, not a 32-bit version.

Any other applications I can use to scan my machine for you?

Thanks so much for your help!

Link to post
Share on other sites

RogueKiller should run on the system. Please do this:

See if you can find and delete this file:

C:\Users\Bobby\AppData\Local\Apple\Absolute_Software\fqnqx.dll

Then............

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    2012081514h0118.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    2012081517h0349.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

Link to post
Share on other sites

Hi MrC,

First, I deleted C:\Users\Bobby\AppData\Local\Apple\Absolute_Software\fqnqx.dll,

but upon restarting I got the following pop-up:

post-118414-0-43153300-1348776939.png

Second, I ran TDSSKiller and everything came back clean. Here is the result from TDSSKiller:

post-118414-0-89965600-1348776939.png

Any idea on what to do next? Thanks again for the help, MrC!

Link to post
Share on other sites

Attached is a zipped up copy of RogueKiller.

Please download and unzip it to your desktop.

Don't update it!!

Now run it......

Please remove any usb or external drives from the computer before you run this scan!

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Link to post
Share on other sites

Hi MrC-

I followed your instructions exactly - here is the report that appeared on my Desktop:

RogueKiller V8.0.3 [09/13/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Bobby [Admin rights]

Mode : Scan -- Date : 09/27/2012 16:53:56

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤

[RUN][bLACKLIST DLL] HKCU\[...]\Run : Absolute_Software (rundll32.exe "C:\Users\Bobby\AppData\Local\Apple\Absolute_Software\fqnqx.dll",DllRegisterServerW) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-21-2450884636-1247048604-675393396-1000[...]\Run : Absolute_Software (rundll32.exe "C:\Users\Bobby\AppData\Local\Apple\Absolute_Software\fqnqx.dll",DllRegisterServerW) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST320LT007-9ZV142 +++++

--- User ---

[MBR] 1a32068ead43316df46083136dcc5a14

[bSP] 1c4800de452768b6d964d568f52efec0 : Lenovo tatooed MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 285743 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 588275712 | Size: 18000 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] d234c43d41647f376d614833f0ee9aae

[bSP] 2ef9cc4afb18b71bca3360572191f969 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 285743 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 588275712 | Size: 18000 Mo

Finished : << RKreport[1].txt >>

RKreport[1].txt

Link to post
Share on other sites

Great......

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][bLACKLIST DLL] HKCU\[...]\Run : Absolute_Software (rundll32.exe "C:\Users\Bobby\AppData\Local\Apple\Absolute_Software\fqnqx.dll",DllRegisterServerW) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-21-2450884636-1247048604-675393396-1000[...]\Run : Absolute_Software (rundll32.exe "C:\Users\Bobby\AppData\Local\Apple\Absolute_Software\fqnqx.dll",DllRegisterServerW) -> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~

Then..................

Download aswMBR to your desktop.

http://public.avast....erek/aswMBR.exe

Double click the aswMBR.exe to run it.

If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".

Click the "Scan" button to start scan.

On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

MrC

Link to post
Share on other sites

Okay, awesome!! I've attached the following:

  1. RougeKiller file created on my desktop *AFTER* deleting the files you told me to.
  2. aswMBR log

1. RougeKiller file created on my desktop *AFTER* deleting the files you told me to

RogueKiller V8.0.3 [09/13/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Bobby [Admin rights]

Mode : Remove -- Date : 09/27/2012 17:14:49

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[RUN][bLACKLIST DLL] HKCU\[...]\Run : Absolute_Software (rundll32.exe "C:\Users\Bobby\AppData\Local\Apple\Absolute_Software\fqnqx.dll",DllRegisterServerW) -> DELETED

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST320LT007-9ZV142 +++++

--- User ---

[MBR] 1a32068ead43316df46083136dcc5a14

[bSP] 1c4800de452768b6d964d568f52efec0 : Lenovo tatooed MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 285743 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 588275712 | Size: 18000 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] d234c43d41647f376d614833f0ee9aae

[bSP] 2ef9cc4afb18b71bca3360572191f969 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 285743 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 588275712 | Size: 18000 Mo

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

2. aswMBR log

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-09-27 17:15:20

-----------------------------

17:15:20.014 OS Version: Windows x64 6.1.7601 Service Pack 1

17:15:20.014 Number of processors: 4 586 0x3A09

17:15:20.014 ComputerName: BOBBY-THINK UserName: Bobby

17:15:20.763 Initialize success

17:16:05.732 AVAST engine defs: 12092700

17:16:10.880 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

17:16:10.895 Disk 0 Vendor: ST320LT0 0004 Size: 305245MB BusType: 3

17:16:10.911 Disk 0 MBR read successfully

17:16:10.911 Disk 0 MBR scan

17:16:10.926 Disk 0 unknown MBR code

17:16:10.926 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1500 MB offset 2048

17:16:10.942 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 285743 MB offset 3074048

17:16:10.989 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 18000 MB offset 588275712

17:16:11.036 Disk 0 scanning C:\Windows\system32\drivers

17:16:22.236 Service scanning

17:16:40.067 Modules scanning

17:16:40.067 Disk 0 trace - called modules:

17:16:40.145 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll

17:16:40.145 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80069b5060]

17:16:40.161 3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> [0xfffffa80036ac7e0]

17:16:40.161 5 ACPI.sys[fffff88000f697a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005763050]

17:16:41.034 AVAST engine scan C:\Windows

17:16:43.920 AVAST engine scan C:\Windows\system32

17:19:21.340 AVAST engine scan C:\Windows\system32\drivers

17:19:30.778 AVAST engine scan C:\Users\Bobby

17:20:18.421 Disk 0 MBR has been saved successfully to "C:\Users\Bobby\Desktop\MBR.dat"

17:20:18.436 The log file has been saved successfully to "C:\Users\Bobby\Desktop\aswMBR.txt"

Link to post
Share on other sites

You shouldn't get that error message anymore when you boot up.

~~~~~~~~~~~~~~~~~

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

MrC

Link to post
Share on other sites

Hi MrC! Sorry for the delay...

1. You're right - I no longer get the error after I re-boot.

2. Here is the content of the AdwCleaner log:

# AdwCleaner v2.003 - Logfile created 09/27/2012 at 22:41:42

# Updated 23/09/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Bobby - BOBBY-THINK

# Boot Mode : Normal

# Running from : C:\Users\Bobby\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\ProgramData\Partner

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default-1348354658048 [Profil par défaut]

File : C:\Users\Bobby\AppData\Roaming\Mozilla\Firefox\Profiles\phgeso05.default-1348354658048\prefs.js

[OK] File is clean.

-\\ Google Chrome v [unable to get version]

File : C:\Users\Bobby\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [936 octets] - [27/09/2012 22:41:42]

########## EOF - C:\AdwCleaner[R1].txt - [995 octets] ##########

Link to post
Share on other sites

¤¤¤ Infection : Root.MBR ¤¤¤

This is in the RogueKiller log and may indicate that there's an infection in the master boot record, lets take a look:

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:



    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

    [*]Select Command Prompt

    [*]In the command window type in notepad and press Enter.

    [*]The notepad opens. Under File menu select Open.

    [*]Select "Computer" and find your flash drive letter and close the notepad.

    [*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

    [*]The tool will start to run.

    [*]When the tool opens click Yes to disclaimer.

    [*]Press Scan button.

    [*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

    services.exe

    [*]Now press the Search button

    [*]When the search is complete, search.txt will also be written to your USB

    [*]Type exit and reboot the computer normally

    [*]Please copy and paste both logs in your reply.(FRST.txt and Search.txt)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Open up network connections and see if you have a "network bridge" listed as in the link:

How to open up network connections:

http://www.howtogeek...-windows-vista/

Network Bridge:

http://img.photobuck...work_Bridge.png

MrC

Link to post
Share on other sites

Hi MrC. Again, thanks so much for your help.

I ran FRST64.exe and pasted the results "FRST.txt" and "Search.txt" below.

I do *NOT* have a network bridge listed in my network connections.

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-09-2012

Ran by SYSTEM at 28-09-2012 11:06:14

Running from G:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [564352 2012-03-01] (Conexant Systems, Inc.)

HKLM\...\Run: [ForteConfig] C:\Program Files\Conexant\ForteConfig\fmapp.exe [49056 2010-10-25] ()

HKLM\...\Run: [smartAudio] C:\Program Files\CONEXANT\SAII\SACpl.exe /t [1654400 2012-02-21] (Conexant Systems, Inc.)

HKLM\...\Run: [TpShocks] TpShocks.exe [x]

HKLM\...\Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe [290160 2012-06-01] (Lenovo Group Limited)

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2881336 2012-06-19] (Synaptics Incorporated)

HKLM\...\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)

HKLM-x32\...\Run: [iMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [133400 2012-03-06] (Intel Corporation)

HKLM-x32\...\Run: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [291608 2012-04-13] (Intel Corporation)

HKLM-x32\...\Run: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe [55808 2008-10-30] (Ricoh co.,Ltd.)

HKLM-x32\...\Run: [Dolby Advanced Audio v2] "C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe" -autostart [507744 2011-12-20] (Dolby Laboratories Inc.)

HKLM-x32\...\Run: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor [5941344 2012-05-15] (Lenovo Group Limited)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Fastboot] C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe [1091376 2012-01-16] (Lenovo)

HKLM-x32\...\Run: [Lenovo Registration] C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot [4351712 2011-07-13] (Lenovo, Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3039352 2012-09-14] (AVG Technologies CZ, s.r.o.)

HKU\Bobby\...\Run: [Google Update] "C:\Users\Bobby\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-08-15] (Google Inc.)

HKU\Bobby\...\Run: [RESTART_STICKY_NOTES] C:\Windows\system32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)

HKU\Default\...\RunOnce: [Lenovo.ShowBand] C:\Program Files\Lenovo\SimpleTap DeskBand\ShowBand.exe /show [155960 2012-05-15] (Lenovo)

HKU\Default\...\RunOnce: [] [x]

HKU\Default\...\RunOnce: [Lenovoautoqdrive] C:\PROGRA~2\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe /DRIVE=Q [159744 2011-12-14] ()

HKU\Default User\...\RunOnce: [Lenovo.ShowBand] C:\Program Files\Lenovo\SimpleTap DeskBand\ShowBand.exe /show [155960 2012-05-15] (Lenovo)

HKU\Default User\...\RunOnce: [] [x]

HKU\Default User\...\RunOnce: [Lenovoautoqdrive] C:\PROGRA~2\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe /DRIVE=Q [159744 2011-12-14] ()

Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

Startup: C:\Users\Bobby\Start Menu\Programs\Startup\EvernoteClipper.lnk

ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)

==================== Services (Whitelisted) ===================

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5751928 2012-08-20] (AVG Technologies CZ, s.r.o.)

2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [184304 2012-08-20] (AVG Technologies CZ, s.r.o.)

2 CxAudMsg; C:\Windows\system32\CxAudMsg64.exe [198784 2010-12-17] (Conexant Systems Inc.)

2 FastbootService; C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [169776 2012-01-16] (Lenovo)

2 Intel® Capability Licensing Service Interface; "C:\Program Files\Intel\iCLS Client\HeciServer.exe" [628448 2012-02-02] (Intel® Corporation)

2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-03-06] ()

2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [163608 2012-03-06] (Intel Corporation)

2 LENOVO.TVTVCAM; C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [179568 2012-06-01] (Lenovo Group Limited)

2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [133992 2011-07-11] (Lenovo Group Limited)

2 NitroDriverReadSpool2; "C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe" [216072 2012-05-23] (Nitro PDF Software)

2 nlsX86cc; C:\Windows\SysWOW64\NLSSRV32.EXE [69640 2012-05-23] (Nalpeiron Ltd.)

2 VIPAppService; "C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe" [84080 2012-04-18] (Symantec Corporation)

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [150880 2012-08-13] (AVG Technologies CZ, s.r.o. )

0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [56672 2012-09-17] (AVG Technologies CZ, s.r.o. )

1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [175968 2012-09-12] (AVG Technologies CZ, s.r.o.)

0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [230240 2012-08-09] (AVG Technologies CZ, s.r.o.)

1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [105312 2012-09-14] (AVG Technologies CZ, s.r.o.)

0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40288 2012-08-10] (AVG Technologies CZ, s.r.o.)

1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [199520 2012-09-12] (AVG Technologies CZ, s.r.o.)

3 Fastboot; C:\Windows\System32\Drivers\Fastboot.sys [70416 2012-01-16] (Windows ® Win 7 DDK provider)

0 iusb3hcs; C:\Windows\System32\Drivers\iusb3hcs.sys [19224 2012-04-13] (Intel Corporation)

3 iusb3hub; C:\Windows\System32\Drivers\iusb3hub.sys [356632 2012-04-13] (Intel Corporation)

3 iusb3xhc; C:\Windows\System32\Drivers\iusb3xhc.sys [789272 2012-04-13] (Intel Corporation)

3 RSP2STOR; C:\Windows\System32\DRIVERS\RtsP2Stor.sys [259688 2011-10-26] (Realtek Semiconductor Corp.)

3 SmbDrvIntel; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [27448 2012-06-19] (Synaptics Incorporated)

3 TVTI2C; C:\Windows\System32\Drivers\TVTI2C.sys [40248 2011-05-29] (Lenovo Information Product(ShenZhen China) Inc.)

3 tvtvcamd; C:\Windows\System32\Drivers\tvtvcamd.sys [27432 2011-12-07] (ThinkVantage Communications Utility)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-09-28 11:06 - 2012-09-28 11:06 - 00000000 ____D C:\FRST

2012-09-27 18:41 - 2012-09-27 18:41 - 00001063 ____A C:\AdwCleaner[R1].txt

2012-09-27 18:40 - 2012-09-27 14:00 - 00513501 ____A C:\Users\Bobby\Desktop\adwcleaner.exe

2012-09-27 13:20 - 2012-09-27 13:20 - 00001902 ____A C:\Users\Bobby\Desktop\aswMBR.txt

2012-09-27 13:20 - 2012-09-27 13:20 - 00000512 ____A C:\Users\Bobby\Desktop\MBR.dat

2012-09-27 13:14 - 2012-09-27 13:14 - 00001942 ____A C:\Users\Bobby\Desktop\RKreport[3].txt

2012-09-27 13:13 - 2012-09-27 13:13 - 00002116 ____A C:\Users\Bobby\Desktop\RKreport[2].txt

2012-09-27 12:53 - 2012-09-27 13:14 - 00000000 ____D C:\Users\Bobby\Desktop\RK_Quarantine

2012-09-27 12:53 - 2012-09-27 12:53 - 00002098 ____A C:\Users\Bobby\Desktop\RKreport[1].txt

2012-09-27 10:36 - 2012-09-27 10:36 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Bobby\Desktop\tdsskiller.exe

2012-09-25 17:40 - 2012-09-25 17:40 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2012-09-25 17:40 - 2012-09-25 17:40 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

2012-09-25 17:36 - 2012-09-25 17:37 - 13085120 ____A (Microsoft Corporation) C:\Users\Bobby\Downloads\Silverlight_x64.exe

2012-09-24 18:47 - 2012-09-24 18:51 - 324192964 ____A C:\Users\Bobby\Downloads\epd-7.3-2-win-x86.msi

2012-09-24 18:27 - 2012-09-24 18:28 - 47858637 ____A C:\Users\Bobby\Downloads\scipy-0.11.0rc2-win32-superpack-python2.7.exe

2012-09-24 18:14 - 2012-09-24 18:14 - 05746517 ____A C:\Users\Bobby\Downloads\numpy-1.6.2-win32-superpack-python2.7.exe

2012-09-24 17:31 - 2012-09-24 17:31 - 00000000 ____D C:\Program Files (x86)\Citrix

2012-09-24 17:30 - 2012-09-24 17:30 - 00000000 ____D C:\Users\Bobby\AppData\Local\Citrix

2012-09-24 11:55 - 2012-09-24 11:56 - 00000000 ____D C:\Users\All Users\BlueStacksSetup

2012-09-24 11:48 - 2012-09-24 11:53 - 146784256 ____A C:\Users\Bobby\Downloads\BlueStacks_HD_AppPlayerPro_setup_REL.msi

2012-09-24 10:57 - 2012-09-24 11:47 - 00000000 ____D C:\Users\Bobby\.android

2012-09-24 10:56 - 2012-09-27 10:44 - 00000000 ____D C:\Program Files (x86)\Android

2012-09-24 10:48 - 2012-09-24 10:52 - 70495456 ____A (Google Inc.) C:\Users\Bobby\Downloads\installer_r20.0.3-windows.exe

2012-09-23 15:08 - 2012-09-26 16:54 - 00000000 ____D C:\Users\Bobby\Desktop\ORIE 5100

2012-09-23 15:08 - 2012-09-24 18:17 - 00000000 ____D C:\Users\Bobby\Documents\Cornell

2012-09-23 15:08 - 2012-09-23 15:08 - 00000000 ____D C:\Users\Bobby\Desktop\ORIE 5340

2012-09-23 15:08 - 2012-09-23 15:08 - 00000000 ____D C:\Users\Bobby\Desktop\HADM 6050

2012-09-23 15:07 - 2012-09-26 16:54 - 00000000 ____D C:\Users\Bobby\Desktop\CS 5780

2012-09-23 15:02 - 2012-09-22 21:06 - 00201728 ____A (OldTimer Tools) C:\Users\Bobby\Desktop\OTC.exe

2012-09-22 12:41 - 2012-09-22 12:41 - 00000000 ____D C:\Users\Bobby\AppData\Roaming\Malwarebytes

2012-09-22 12:41 - 2012-09-22 12:41 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-09-22 12:41 - 2012-09-22 12:41 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-09-22 12:41 - 2012-09-07 13:04 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-09-22 12:35 - 2012-09-22 12:13 - 04731392 ____A (AVAST Software) C:\Users\Bobby\Desktop\aswMBR.exe

2012-09-22 12:35 - 2012-09-21 21:36 - 00607260 ____R (Swearware) C:\Users\Bobby\Desktop\dds.scr

2012-09-21 22:00 - 2012-09-21 22:00 - 00002975 ____A C:\Users\Bobby\Desktop\HiJackThis.lnk

2012-09-21 22:00 - 2012-09-21 22:00 - 00000000 ____D C:\Program Files (x86)\Trend Micro

2012-09-21 21:09 - 2012-09-21 21:09 - 00000000 ____D C:\Users\Bobby\AppData\Roaming\AVG2013

2012-09-21 21:08 - 2012-09-21 21:38 - 00000000 ____D C:\Users\All Users\AVG2013

2012-09-21 21:08 - 2012-09-21 21:08 - 00000000 ___HD C:\$AVG

2012-09-21 21:08 - 2012-09-21 21:08 - 00000000 ____D C:\Users\Bobby\AppData\Roaming\TuneUp Software

2012-09-21 21:03 - 2012-09-21 21:12 - 00000000 ____D C:\Users\Bobby\AppData\Local\Avg2013

2012-09-21 21:03 - 2012-09-21 21:03 - 00000000 ____D C:\Users\Bobby\AppData\Local\MFAData

2012-09-17 14:58 - 2012-09-17 14:58 - 00056672 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsha.sys

2012-09-14 14:19 - 2012-09-14 14:19 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf

2012-09-14 01:34 - 2012-09-14 01:34 - 00105312 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgmfx64.sys

2012-09-13 16:40 - 2012-09-13 16:40 - 01378816 ____A C:\Users\Bobby\Desktop\RogueKiller.exe

2012-09-12 07:47 - 2012-09-12 07:47 - 00199520 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys

2012-09-12 07:47 - 2012-09-12 07:47 - 00175968 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx64.sys

2012-09-04 16:35 - 2012-09-04 16:35 - 00022242 ____A C:\Users\Bobby\Downloads\MinMaxSelection.zip

2012-09-03 07:49 - 2012-09-08 08:03 - 00000000 ____D C:\Users\Bobby\AppData\Roaming\vlc

2012-08-30 19:54 - 2012-08-30 19:54 - 00013138 ____A C:\Users\Bobby\Downloads\f.fig

2012-08-30 19:24 - 2012-08-30 19:24 - 00003144 ____A C:\Users\Bobby\Downloads\plots.m

2012-08-29 17:05 - 2012-08-29 17:05 - 00000000 ____D C:\Users\Bobby\AppData\Roaming\texstudio

2012-08-29 17:04 - 2012-08-29 17:04 - 00000000 ____D C:\Users\Bobby\AppData\Roaming\MiKTeX

2012-08-29 17:04 - 2012-08-29 17:04 - 00000000 ____D C:\Users\Bobby\AppData\Local\MiKTeX

2012-08-29 16:48 - 2012-08-29 16:48 - 00000000 ____D C:\Users\All Users\MiKTeX

2012-08-29 16:46 - 2012-08-29 16:48 - 00000000 ____D C:\Program Files\MiKTeX 2.9

2012-08-29 16:44 - 2012-08-29 16:44 - 00000000 ____D C:\Program Files (x86)\TeXstudio

2012-08-29 06:28 - 2012-08-29 06:28 - 02795480 ____A (Cornell University ) C:\Users\Bobby\Downloads\NetPrint_x64_3.0.exe

2012-08-29 06:28 - 2012-08-29 06:28 - 00000000 ____D C:\Program Files\Cornell University

2012-08-29 06:28 - 2008-05-13 09:20 - 00049664 ____A C:\Windows\System32\unredmon.exe

2012-08-29 06:28 - 2008-05-02 10:55 - 00092672 ____A C:\Windows\System32\redmonnt.dll

2012-08-29 06:28 - 2006-05-18 08:01 - 00119152 ____A C:\Windows\System32\redmon.hlp

==================== 3 Months Modified Files ==================

2012-09-28 06:55 - 2012-07-19 14:49 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-09-28 06:55 - 2012-07-19 14:32 - 01285208 ____A C:\Windows\WindowsUpdate.log

2012-09-28 06:55 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-09-28 06:55 - 2009-07-13 20:51 - 00056983 ____A C:\Windows\setupact.log

2012-09-28 06:51 - 2009-07-13 21:13 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI

2012-09-28 06:50 - 2012-08-14 20:12 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2450884636-1247048604-675393396-1000UA.job

2012-09-28 06:50 - 2012-07-19 14:49 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-09-27 18:52 - 2009-07-13 20:45 - 00031472 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-09-27 18:52 - 2009-07-13 20:45 - 00031472 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-09-27 18:46 - 2012-07-19 14:34 - 00000828 ____A C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job

2012-09-27 18:41 - 2012-09-27 18:41 - 00001063 ____A C:\AdwCleaner[R1].txt

2012-09-27 18:32 - 2012-07-19 14:34 - 00000830 ____A C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job

2012-09-27 14:00 - 2012-09-27 18:40 - 00513501 ____A C:\Users\Bobby\Desktop\adwcleaner.exe

2012-09-27 13:20 - 2012-09-27 13:20 - 00001902 ____A C:\Users\Bobby\Desktop\aswMBR.txt

2012-09-27 13:20 - 2012-09-27 13:20 - 00000512 ____A C:\Users\Bobby\Desktop\MBR.dat

2012-09-27 13:14 - 2012-09-27 13:14 - 00001942 ____A C:\Users\Bobby\Desktop\RKreport[3].txt

2012-09-27 13:13 - 2012-09-27 13:13 - 00002116 ____A C:\Users\Bobby\Desktop\RKreport[2].txt

2012-09-27 12:53 - 2012-09-27 12:53 - 00002098 ____A C:\Users\Bobby\Desktop\RKreport[1].txt

2012-09-27 11:54 - 2012-08-14 20:12 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2450884636-1247048604-675393396-1000Core.job

2012-09-27 10:36 - 2012-09-27 10:36 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Bobby\Desktop\tdsskiller.exe

2012-09-26 11:02 - 2010-11-20 19:47 - 00533814 ____A C:\Windows\PFRO.log

2012-09-25 17:37 - 2012-09-25 17:36 - 13085120 ____A (Microsoft Corporation) C:\Users\Bobby\Downloads\Silverlight_x64.exe

2012-09-24 18:51 - 2012-09-24 18:47 - 324192964 ____A C:\Users\Bobby\Downloads\epd-7.3-2-win-x86.msi

2012-09-24 18:28 - 2012-09-24 18:27 - 47858637 ____A C:\Users\Bobby\Downloads\scipy-0.11.0rc2-win32-superpack-python2.7.exe

2012-09-24 18:14 - 2012-09-24 18:14 - 05746517 ____A C:\Users\Bobby\Downloads\numpy-1.6.2-win32-superpack-python2.7.exe

2012-09-24 11:53 - 2012-09-24 11:48 - 146784256 ____A C:\Users\Bobby\Downloads\BlueStacks_HD_AppPlayerPro_setup_REL.msi

2012-09-24 10:52 - 2012-09-24 10:48 - 70495456 ____A (Google Inc.) C:\Users\Bobby\Downloads\installer_r20.0.3-windows.exe

2012-09-22 21:06 - 2012-09-23 15:02 - 00201728 ____A (OldTimer Tools) C:\Users\Bobby\Desktop\OTC.exe

2012-09-22 12:13 - 2012-09-22 12:35 - 04731392 ____A (AVAST Software) C:\Users\Bobby\Desktop\aswMBR.exe

2012-09-21 22:00 - 2012-09-21 22:00 - 00002975 ____A C:\Users\Bobby\Desktop\HiJackThis.lnk

2012-09-21 21:36 - 2012-09-22 12:35 - 00607260 ____R (Swearware) C:\Users\Bobby\Desktop\dds.scr

2012-09-17 14:58 - 2012-09-17 14:58 - 00056672 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsha.sys

2012-09-14 14:19 - 2012-09-14 14:19 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf

2012-09-14 01:34 - 2012-09-14 01:34 - 00105312 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgmfx64.sys

2012-09-13 16:40 - 2012-09-13 16:40 - 01378816 ____A C:\Users\Bobby\Desktop\RogueKiller.exe

2012-09-12 07:47 - 2012-09-12 07:47 - 00199520 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys

2012-09-12 07:47 - 2012-09-12 07:47 - 00175968 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx64.sys

2012-09-07 13:04 - 2012-09-22 12:41 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-09-04 16:35 - 2012-09-04 16:35 - 00022242 ____A C:\Users\Bobby\Downloads\MinMaxSelection.zip

2012-08-30 19:54 - 2012-08-30 19:54 - 00013138 ____A C:\Users\Bobby\Downloads\f.fig

2012-08-30 19:24 - 2012-08-30 19:24 - 00003144 ____A C:\Users\Bobby\Downloads\plots.m

2012-08-29 12:21 - 2012-07-19 14:47 - 629145600 __ASH C:\Windows\lenovo_fastboot.img

2012-08-29 06:28 - 2012-08-29 06:28 - 02795480 ____A (Cornell University ) C:\Users\Bobby\Downloads\NetPrint_x64_3.0.exe

2012-08-25 18:47 - 2012-08-25 18:47 - 00192512 ____A C:\Users\Bobby\Downloads\nmhd-template4.xls

2012-08-23 19:30 - 2009-07-13 20:45 - 00434552 ____A C:\Windows\System32\FNTCACHE.DAT

2012-08-23 19:11 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini

2012-08-23 09:46 - 2012-08-14 17:20 - 00122152 ____A C:\Users\Bobby\AppData\Local\GDIPFONTCACHEV1.DAT

2012-08-21 18:31 - 2012-08-21 18:31 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll

2012-08-21 18:31 - 2012-08-21 18:31 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll

2012-08-21 18:31 - 2012-08-21 18:31 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe

2012-08-21 18:31 - 2012-08-21 18:31 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2012-08-21 18:31 - 2012-08-21 18:31 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2012-08-21 18:31 - 2012-08-21 18:31 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2012-08-18 14:39 - 2012-08-18 14:39 - 00294574 ____A C:\Windows\msxml4-KB973688-enu.LOG

2012-08-18 14:38 - 2012-08-18 14:38 - 00294862 ____A C:\Windows\msxml4-KB954430-enu.LOG

2012-08-17 20:54 - 2012-08-15 05:15 - 00004549 ____A C:\Users\Bobby\AppData\Roaming\AbsoluteReminder.xml

2012-08-16 20:41 - 2012-08-25 05:40 - 00126944 ____A (Power Software Ltd) C:\Windows\System32\Drivers\scdemu.sys

2012-08-15 20:31 - 2012-08-15 20:31 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_point64_01009.Wdf

2012-08-15 18:23 - 2012-08-15 18:23 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-08-15 18:23 - 2012-08-15 18:23 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-08-15 05:15 - 2012-08-15 05:15 - 00000000 ____A C:\Users\Bobby\agent.log

2012-08-15 05:14 - 2012-08-15 05:14 - 00000020 ___SH C:\Users\Bobby\ntuser.ini

2012-08-15 05:14 - 2012-08-15 05:14 - 00000000 ____A C:\Windows\firstboot.dat

2012-08-14 17:19 - 2012-07-19 14:33 - 00000042 ____A C:\Windows\SysWOW64\Drivers\17AA_Lenovo_ThinkPad_Edge_E430_3254_CTO.MRK

2012-08-13 12:40 - 2012-08-13 12:40 - 00150880 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsdrivera.sys

2012-08-10 00:52 - 2012-08-10 00:52 - 00040288 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgrkx64.sys

2012-08-09 09:56 - 2012-08-09 09:56 - 00230240 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgloga.sys

2012-08-03 00:27 - 2012-08-18 14:19 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-19 15:05 - 2009-07-13 20:46 - 00005075 ____A C:\Windows\DtcInstall.log

2012-07-19 14:59 - 2012-07-19 14:59 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_SynTP_01009.Wdf

2012-07-19 14:59 - 2012-07-19 14:59 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_Smb_driver_Intel_01009.Wdf

2012-07-19 14:59 - 2012-07-19 14:58 - 00001346 ____A C:\Windows\Synaptics.log

2012-07-19 14:59 - 2012-07-19 14:31 - 00022232 ____A C:\Windows\DPINST.LOG

2012-07-19 14:53 - 2012-07-19 14:53 - 00000020 ____A C:\Windows\¬ôÁ

2012-07-19 14:53 - 2012-07-19 14:44 - 00198794 ____A C:\Windows\DirectX.log

2012-07-19 14:48 - 2012-07-19 14:48 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_tcwbf_01_09_00.Wdf

2012-07-19 14:48 - 2012-07-19 14:48 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_WinUSB_01009.Wdf

2012-07-19 14:47 - 2012-07-19 14:47 - 00196608 ____A C:\Windows\ocsetup_install_OEMHelpCustomization.etl

2012-07-19 14:47 - 2012-07-19 14:47 - 00028728 ____A C:\Windows\ocsetup_cbs_install_OEMHelpCustomization.txt

2012-07-19 14:36 - 2012-07-19 14:36 - 00000207 ____A C:\setup.log

2012-07-19 14:35 - 2012-07-19 14:35 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_iusb3hcs_01009.Wdf

2012-07-19 14:29 - 2011-02-24 09:05 - 00005949 ____A C:\Windows\TSSysprep.log

2012-07-19 14:25 - 2012-07-19 14:25 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-07-19 14:25 - 2012-07-19 14:25 - 00075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys

2012-07-19 14:24 - 2012-07-19 14:24 - 01731920 ____A (Microsoft Corporation) C:\Windows\System32\ntdll.dll

2012-07-19 14:24 - 2012-07-19 14:24 - 01544704 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2012-07-19 14:24 - 2012-07-19 14:24 - 01292080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll

2012-07-19 14:24 - 2012-07-19 14:24 - 01077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll

2012-07-19 14:24 - 2012-07-19 14:24 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcrt.dll

2012-07-19 14:24 - 2012-07-19 14:24 - 00634880 ____A (Microsoft Corporation) C:\Windows\System32\msvcrt.dll

2012-07-19 14:24 - 2012-07-19 14:24 - 00515584 ____A (Microsoft Corporation) C:\Windows\System32\timedate.cpl

2012-07-19 14:24 - 2012-07-19 14:24 - 00498688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys

2012-07-19 14:24 - 2012-07-19 14:24 - 00478720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\timedate.cpl

2012-07-19 14:24 - 2012-07-19 14:24 - 00220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll

2012-07-19 14:24 - 2012-07-19 14:24 - 00172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll

2012-07-19 14:24 - 2012-07-19 14:24 - 00159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll

2012-07-19 14:24 - 2012-07-19 14:24 - 00081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll

2012-07-19 14:24 - 2012-07-19 14:24 - 00023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys

2012-07-19 14:24 - 2012-07-19 14:24 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll

2012-07-19 14:24 - 2012-07-19 14:24 - 00005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll

2012-07-19 14:23 - 2012-07-19 14:23 - 01572864 ____A (Microsoft Corporation) C:\Windows\System32\quartz.dll

2012-07-19 14:23 - 2012-07-19 14:23 - 01328128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll

2012-07-19 14:23 - 2012-07-19 14:23 - 01031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll

2012-07-19 14:23 - 2012-07-19 14:23 - 00826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll

2012-07-19 14:23 - 2012-07-19 14:23 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll

2012-07-19 14:23 - 2012-07-19 14:23 - 00509952 ____A (Microsoft Corporation) C:\Windows\System32\ntshrui.dll

2012-07-19 14:23 - 2012-07-19 14:23 - 00442880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntshrui.dll

2012-07-19 14:23 - 2012-07-19 14:23 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll

2012-07-19 14:23 - 2012-07-19 14:23 - 00023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys

2012-07-19 14:23 - 2012-07-19 14:23 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll

2012-07-19 14:23 - 2012-07-19 14:23 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 01447936 ____A (Microsoft Corporation) C:\Windows\System32\lsasrv.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00951680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys

2012-07-19 14:22 - 2012-07-19 14:22 - 00861696 ____A (Microsoft Corporation) C:\Windows\System32\oleaut32.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00723456 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00613888 ____A (Microsoft Corporation) C:\Windows\System32\psisdecd.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00571904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00534528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\EncDec.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00465408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\psisdecd.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00395776 ____A (Microsoft Corporation) C:\Windows\System32\webio.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00331776 ____A (Microsoft Corporation) C:\Windows\System32\oleacc.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00314880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webio.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00233472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\oleacc.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\umpo.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00136192 ____A (Microsoft Corporation) C:\Windows\System32\sspicli.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00108032 ____A (Microsoft Corporation) C:\Windows\System32\psisrndr.ax

2012-07-19 14:22 - 2012-07-19 14:22 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\packager.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00075776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\psisrndr.ax

2012-07-19 14:22 - 2012-07-19 14:22 - 00067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00031232 ____A (Microsoft Corporation) C:\Windows\System32\lsass.exe

2012-07-19 14:22 - 2012-07-19 14:22 - 00029184 ____A (Microsoft Corporation) C:\Windows\System32\sspisrv.dll

2012-07-19 14:22 - 2012-07-19 14:22 - 00028160 ____A (Microsoft Corporation) C:\Windows\System32\secur32.dll

2012-07-19 14:21 - 2012-07-19 14:21 - 00262144 ____A C:\Windows\IE90-ENU.LOG.bootstrap.dpx

2012-07-19 14:21 - 2012-07-19 14:21 - 00196608 ____A C:\Windows\IE90-ENU.LOG.bootstrap.perf

2012-07-19 14:21 - 2012-07-19 14:21 - 00062952 ____A C:\Windows\ENU-ie90.log

2012-07-19 14:21 - 2012-07-19 14:21 - 00038495 ____A C:\Windows\IE90-ENU.log

2012-07-18 21:57 - 2009-07-13 21:38 - 00025600 __ASH C:\Windows\System32\config\BCD-Template.LOG

2012-07-18 21:57 - 2009-07-13 21:32 - 00028672 ____A C:\Windows\System32\config\BCD-Template

2012-07-18 21:40 - 2012-07-18 21:57 - 00000012 ____A C:\Windows\CSUP.TXT

2012-07-18 10:15 - 2012-08-15 23:04 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-04 14:16 - 2012-08-15 23:05 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-07-04 14:13 - 2012-08-15 23:05 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-07-04 14:13 - 2012-08-15 23:05 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-07-04 13:16 - 2012-08-15 23:05 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll

2012-07-04 13:14 - 2012-08-15 23:05 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-21 20:54:14

Restore point made on: 2012-09-21 20:55:15

Restore point made on: 2012-09-21 21:07:35

Restore point made on: 2012-09-21 21:07:58

Restore point made on: 2012-09-21 22:00:17

Restore point made on: 2012-09-24 11:54:17

Restore point made on: 2012-09-27 10:45:16

==================== Memory info ===========================

Percentage of memory in use: 23%

Total physical RAM: 3689.96 MB

Available physical RAM: 2826 MB

Total Pagefile: 3688.16 MB

Available Pagefile: 2821.57 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (Windows7_OS) (Fixed) (Total:279.05 GB) (Free:189.16 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive e: (Lenovo_Recovery) (Fixed) (Total:17.58 GB) (Free:6.58 GB) NTFS

4 Drive g: (TOSHIBA) (Removable) (Total:3.72 GB) (Free:3.62 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (SYSTEM_DRV) (Fixed) (Total:1.46 GB) (Free:1.12 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 3821 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1500 MB 1024 KB

Partition 2 Primary 279 GB 1501 MB

Partition 3 Primary 17 GB 280 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y SYSTEM_DRV NTFS Partition 1500 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C Windows7_OS NTFS Partition 279 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E Lenovo_Reco NTFS Partition 17 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3821 MB 31 KB

==================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 G TOSHIBA FAT32 Removable 3821 MB Healthy

=========================================================

Last Boot: 2012-09-27 14:12

==================== End Of Log =============================

Search.txt:

Farbar Recovery Scan Tool (x64) Version: 25-09-2012

Ran by SYSTEM at 2012-09-28 11:07:36

Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

Link to post
Share on other sites

Log is clean.

Lets do some checking in Chrome:

First please make sure you have the latest version of Chrome:

Click the wrench in the upper right hand corner

Click on "About Google Chrome"

If an update is available it will be downloaded and installed

Next:

Carefully check for any odd extensions or plugins: (it's a good idea to disable them all and see if you're still redirected and then add each one back until you find the culprit)

Type the following into the address box and hit Enter:

chrome:plugins

Do the same for:

chrome:extensions

Next:

Go to Settings > Show advanced settings........ (at the bottom)

Put a check next to all of these:

  1. Clear browsing history
  2. Clear download history
  3. Empty the cache

Click "Clear Browsing Data"

Next:

Look through the rest of Tools, Settings and View Backround Pages and make sure there's nothing suspicious.

---------------------------

Then look at this link (it's for a different infection but the way to change Chromes settings is the same)

http://deletemalware...tall-guide.html

If you don't find anything, disable all the extensions and plug-ins and see how it is.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For Firefox there a way to reset it back to defaults, please try it.

http://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems

Let me know, MrC

Link to post
Share on other sites

MrC- I followed all of the Chrome and Firefox instructions and everything seems to be working fine... Do you think the issue is with the browser? Maybe I should stick to only one browser - perhaps delete Chrome and exclusively use Mozilla? Or maybe switch over to Opera only?

My only concern is that the virus returns. Any general tips/suggestions to ensure that doesn't happen?

Thanks

Link to post
Share on other sites

Do you think the issue is with the browser?

Yes the browser gets infected and usually causes it.

Maybe I should stick to only one browser - perhaps delete Chrome and exclusively use Mozilla?

I use Chrome myself > what ever works for you.

~~~~~~~~~~~~~~~~~~~~~~~~

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC

Link to post
Share on other sites

Here are the results of checkup.txt:

Results of screen317's Security Check version 0.99.51

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

AVG Anti-Virus Free Edition 2013

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.0.1400

Java 7 Update 6

Java SE Development Kit 7 Update 6

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Flash Player 11.3.300.268 Flash Player out of Date!

Adobe Reader X (10.1.4)

Mozilla Firefox (15.0.1)

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

````````Process Check: objlist.exe by Laurent````````

AVG avgwdsvc.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 4%

````````````````````End of Log``````````````````````

Link to post
Share on other sites

Java 7 Update 6 <---please update should be Update 7

Java SE Development Kit 7 Update 6 <------please update should be 7

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date! <---please uninstall

Adobe Flash Player 11.3.300.268 Flash Player out of Date! <---please update

You have out dated programs on the system which are vulnerable to malware.

Please update or delete them

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.