
HELP! How to remove Rans.Gendarm and Google redirect viruses



Hey, I am having an issue with Google redirect viruses/trojans and Rans.Gendarm, which was picked up by RogueKiller. I ran a scan with ESET, which picked up 2 other trojans, Olmarik and BHO or BEO something.

It deleted/cleaned those for me.

I have not touched the Rans.Gendarm via RogueKiller because I'm not sure if I'd screw my computer up by deleting it.

This is the RogueKiller report. (Below the RogueKiller report are the DDS and Attach text.)

RogueKiller V8.2.3 [11/07/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo...13-roguekiller/

Website: http://tigzy.geeksto...roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Brian [Admin rights]

Mode : Scan -- Date : 11/10/2012 13:41:11

¤¤¤ Bad processes : 1 ¤¤¤

[sUSP PATH] FacebookMessenger.exe -- C:\Users\Brian\AppData\Local\Facebook\Messenger\2.1.4651.0\FacebookMessenger.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 10 ¤¤¤

[RUN][Rans.Gendarm] HKUS\S-1-5-19[...]\Run : Update (rundll32.exe "C:\Users\Brian\AppData\Roaming\AVG10\AVG10\hmlxkn.dll",DllRegisterServer) -> FOUND

[RUN][Rans.Gendarm] HKUS\S-1-5-20[...]\Run : Update (rundll32.exe "C:\Users\Brian\AppData\Roaming\AVG10\AVG10\hmlxkn.dll",DllRegisterServer) -> FOUND

[sTARTUP][sUSP PATH] Facebook Messenger.lnk @Brian : C:\Users\Brian\AppData\Local\Facebook\Messenger\2.1.4651.0\FacebookMessenger.exe -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[sCREENSV][sUSP PATH] HKCU\[...]\Desktop (C:\Windows\es.scr) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Rans.Gendarm ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10 01FALS-00J7B SCSI Disk Device +++++

--- User ---

[MBR] 8412aa878541586e929093f7e78a91e2

[bSP] 48dacca1a32dd45c7c7c2bdaeb9c1bdb : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[2]_S_11102012_02d1341.txt >>

RKreport[1]_S_11092012_02d1522.txt ; RKreport[2]_S_11102012_02d1341.txt

DDS (Ver_2012-11-07.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16450 BrowserJavaVersion: 10.9.2

Run by Brian at 15:00:13 on 2012-11-10

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.1235 [GMT -5:00]

.

AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}

SP: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe

C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\rundll32.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Becker Professional Education\CPA 2012\BPESelfStudy.exe

C:\Program Files (x86)\Becker Professional Education\CPA 2012\BPESelfStudy.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\wuauclt.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\Downloads\RogueKiller.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\msiexec.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Temp\SHSetup.exe

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe

C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE

C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\SysWOW64\notepad.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\Downloads\OTL.exe

C:\Windows\system32\taskhost.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678/

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo0.dll

mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo0.dll

dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo0.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

TB: uTorrentBar Toolbar: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files (x86)\uTorrentBar\prxtbuTo0.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo0.dll

dRun: [DevconDefaultDB] C:\Windows\System32\READREG /SILENT /FAIL=1

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} - hxxps://insourcers.riahome.com/CABFiles/RSLoginModule.cab

DPF: {455182EE-8F93-11D2-BA3C-00C04F7F6533} - hxxps://insourcers.riahome.com/CABFiles/RSTabbedList.cab

DPF: {6C8E9E45-538C-473A-B83B-DA9AE1ED7604} - hxxps://insourcers.riahome.com/CABFiles/vspdf.cab

DPF: {82BFFC8C-B4BD-11D4-9908-000102053AFB} - hxxps://insourcers.riahome.com/CABFiles/webnotifier.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {A8561647-E93C-11D3-AC3B-CE6078F7B616} - hxxps://insourcers.riahome.com/CABFiles/vsprint7.cab

DPF: {C0A63B86-4B21-11D3-BD95-D426EF2C7949} - hxxps://insourcers.riahome.com/CABFiles/vsflex7L.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D76D712E-4A96-11D3-BD95-D296DC2DD072} - hxxps://insourcers.riahome.com/CABFiles/vsflex7.cab

DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {EBB0431C-10EB-432D-8C53-64BDBEDBD86B} - hxxps://insourcers.riahome.com/CABFiles/xmlgridRS.cab

DPF: {F4721362-90E1-11D4-B547-00105A80AE07} - hxxps://insourcers.riahome.com/CABFiles/RIAInRSImport.cab

DPF: {FE83D8C0-07C7-4915-A6B4-4A6B895E677F} - hxxps://insourcers.riahome.com/CABFiles/vsFlexXMLDSO.cab

TCP: NameServer = 10.0.1.1

TCP: Interfaces\{686FB0F5-C2A1-4852-9367-30F27E857263} : DHCPNameServer = 10.0.1.1

TCP: Interfaces\{686FB0F5-C2A1-4852-9367-30F27E857263}\C696E6B6379737F5355435F573731393 : DHCPNameServer = 68.87.64.150 68.87.75.198

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -

x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

x64-TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} -

x64-Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll

x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

x64-DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -

x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\sztemzys.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://google.com/

FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bf28f5906-2c96-4968-b15c-3e3ead21c13d%7D&mid=781f85c40e44c8fd6fb1bf3ef7404b16-9a17500a96d428a5cdb8b2643968b9a928fc107f&ds=AVG&v=11.1.0.12&lang=en&pr=fr&d=2012-05-23%2018%3A51%3A44&sap=ku&q=

FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff4.dll

FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff5.dll

FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff6.dll

FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff7.dll

FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff8.dll

FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff9.dll

FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\sztemzys.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll

FF - component: C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\sztemzys.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll

FF - plugin: C:\Program Files (x86)\Research In Motion Limited\BlackBerry App World Browser Plugin\npappworld.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Brian\AppData\Local\Facebook\Messenger\2.1.4651.0\npFbDesktopPlugin.dll

FF - plugin: C:\Users\Brian\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

.

R1 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2012-3-14 209768]

R2 cpuz134;cpuz134;C:\Windows\System32\drivers\cpuz134_x64.sys [2010-10-22 21480]

R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2012-3-7 913144]

R2 epfwwfpr;epfwwfpr;C:\Windows\System32\drivers\epfwwfpr.sys [2012-3-14 137144]

R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-10-2 3064000]

R2 SpyHunter 4 Service;SpyHunter 4 Service;C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [2012-10-10 1021888]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-5-15 382272]

R3 esgiguard;esgiguard;C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-3-2 13088]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-5-3 158856]

S3 EsgScanner;EsgScanner;C:\Windows\System32\drivers\EsgScanner.sys [2012-11-10 22704]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2011-3-13 20992]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-3-13 59392]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-8-2 51712]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-3-13 1255736]

S3 WinRing0_1_2_0;WinRing0_1_2_0;C:\Users\Brian\Desktop\Real\WinRing0x64.sys [2010-10-21 14544]

.

=============== Created Last 30 ================

.

2012-11-10 19:49:18 -------- d-----w- C:\Windows\System32\appmgmt

2012-11-10 18:59:29 -------- d-----w- C:\Program Files\Hitman Pro 3.5

2012-11-10 18:50:46 22704 ----a-w- C:\Windows\System32\drivers\EsgScanner.sys

2012-11-10 18:50:42 110080 ----a-r- C:\Users\Brian\AppData\Roaming\Microsoft\Installer\{83B952C7-F8F3-4CA3-B4C5-33C85B24E478}\IconF7A21AF7.exe

2012-11-10 18:50:42 110080 ----a-r- C:\Users\Brian\AppData\Roaming\Microsoft\Installer\{83B952C7-F8F3-4CA3-B4C5-33C85B24E478}\IconD7F16134.exe

2012-11-10 18:50:42 110080 ----a-r- C:\Users\Brian\AppData\Roaming\Microsoft\Installer\{83B952C7-F8F3-4CA3-B4C5-33C85B24E478}\Icon1226A4C5.exe

2012-11-10 18:50:40 -------- d-----w- C:\sh4ldr

2012-11-10 18:50:40 -------- d-----w- C:\Program Files\Enigma Software Group

2012-11-10 18:49:56 -------- d-----w- C:\Windows\83B952C7F8F34CA3B4C533C85B24E478.TMP

2012-11-10 18:49:55 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard

2012-11-10 18:06:03 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CE5A6C6A-CC09-46E7-9E63-448183D13315}\offreg.dll

2012-11-10 03:22:05 73696 ----a-w- C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll

2012-11-10 03:19:40 -------- d-----w- C:\Users\Brian\AppData\Local\{287CE6B3-581D-4134-9483-F0E8D47C0C1D}

2012-11-10 00:29:59 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CE5A6C6A-CC09-46E7-9E63-448183D13315}\mpengine.dll

2012-11-10 00:12:02 424448 ----a-w- C:\Windows\System32\KernelBase.dll

2012-11-10 00:12:02 338432 ----a-w- C:\Windows\System32\conhost.exe

2012-11-10 00:12:02 215040 ----a-w- C:\Windows\System32\winsrv.dll

2012-11-10 00:12:00 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-11-10 00:10:50 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-11-10 00:09:59 574464 ----a-w- C:\Windows\System32\d3d10level9.dll

2012-11-10 00:09:59 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll

2012-11-10 00:09:58 209920 ----a-w- C:\Windows\System32\profsvc.dll

2012-11-10 00:09:57 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

2012-11-10 00:09:57 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll

2012-11-10 00:09:56 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

2012-11-10 00:09:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-11-10 00:09:56 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-11-10 00:09:54 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys

2012-11-10 00:08:43 59392 ----a-w- C:\Windows\System32\browcli.dll

2012-11-10 00:08:43 136704 ----a-w- C:\Windows\System32\browser.dll

2012-11-10 00:08:42 41984 ----a-w- C:\Windows\SysWow64\browcli.dll

2012-11-10 00:04:53 751104 ----a-w- C:\Windows\System32\win32spl.dll

2012-11-10 00:04:52 67072 ----a-w- C:\Windows\splwow64.exe

2012-11-10 00:04:52 559104 ----a-w- C:\Windows\System32\spoolsv.exe

2012-11-10 00:04:52 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll

2012-11-10 00:04:50 503808 ----a-w- C:\Windows\System32\srcore.dll

2012-11-10 00:04:50 43008 ----a-w- C:\Windows\SysWow64\srclient.dll

2012-11-10 00:04:48 956928 ----a-w- C:\Windows\System32\localspl.dll

2012-11-09 23:02:47 -------- d-----w- C:\Users\Brian\AppData\Local\ESET

2012-11-09 21:38:40 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-11-09 21:38:28 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-11-09 21:38:18 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-11-09 21:38:18 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-11-09 21:32:26 39184 ----a-w- C:\Windows\System32\Partizan.exe

2012-11-09 21:27:31 -------- d-----w- C:\Program Files\ESET

2012-11-09 19:46:47 -------- d-----w- C:\Program Files (x86)\ESET

2012-11-09 19:16:03 -------- d-----w- C:\ProgramData\RegRun

2012-11-09 19:16:02 39184 ----a-w- C:\Windows\SysWow64\Partizan.exe

2012-11-09 19:16:02 35816 ----a-w- C:\Windows\SysWow64\drivers\Partizan.sys

2012-11-09 19:15:58 2 --shatr- C:\Windows\winstart.bat

2012-11-09 19:15:55 12800 ----a-w- C:\Windows\SysWow64\drivers\UnHackMeDrv.sys

2012-11-09 19:15:52 -------- d-----w- C:\Program Files (x86)\UnHackMe

2012-11-09 19:00:14 -------- d-----w- C:\Users\Brian\AppData\Roaming\AVG2013

2012-11-09 18:58:23 -------- d-----w- C:\Users\Brian\AppData\Roaming\TuneUp Software

2012-11-09 18:56:56 -------- d-----w- C:\ProgramData\AVG2013

2012-11-09 18:51:06 -------- d-----w- C:\Users\Brian\AppData\Local\MFAData

2012-11-09 18:51:06 -------- d-----w- C:\Users\Brian\AppData\Local\Avg2013

2012-11-08 23:43:11 -------- d-----w- C:\Users\Brian\AppData\Local\Facebook

2012-11-08 23:17:43 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

.

==================== Find3M ====================

.

2012-11-10 19:00:41 23112 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys

2012-11-08 23:17:40 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-11-08 23:17:40 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-11-08 23:15:44 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-11-08 23:15:44 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-09-30 00:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-09-01 17:16:50 4480000 ----a-w- C:\Windows\es.scr

2012-09-01 17:16:50 4480000 ----a-w- C:\Windows\es.exe

2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll

2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll

2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-08-22 18:12:50 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys

2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys

2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS

2012-08-21 21:01:00 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe

2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll

2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2012-08-20 15:38:21 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2012-08-20 15:38:20 2048 ----a-w- C:\Windows\SysWow64\user.exe

2012-08-20 15:33:28 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-08-20 15:33:28 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-08-20 15:33:28 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-08-20 15:33:28 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

.

============= FINISH: 15:00:56.82 ===============

Attach.txt

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-07.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 1/22/2010 1:57:09 PM

System Uptime: 11/10/2012 11:56:43 AM (4 hours ago)

.

Motherboard: EVGA | | nForce 750i SLI

Processor: Intel® Core2 Quad CPU Q9550 @ 2.83GHz | Socket 775 | 2868/337mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 931 GiB total, 728.106 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: PCI Input Device

Device ID: PCI\VEN_1102&DEV_7003&SUBSYS_00401102&REV_04\4&14591D7E&0&5180

Manufacturer:

Name: PCI Input Device

PNP Device ID: PCI\VEN_1102&DEV_7003&SUBSYS_00401102&REV_04\4&14591D7E&0&5180

Service:

.

==== System Restore Points ===================

.

RP140: 11/8/2012 6:16:55 PM - Installed Java 7 Update 9

RP141: 11/9/2012 1:56:32 PM - Installed AVG 2013

RP142: 11/9/2012 1:56:59 PM - Installed AVG 2013

RP143: 11/9/2012 2:19:05 PM - RegRun Virus Scan

RP144: 11/9/2012 4:17:59 PM - Removed AVG 2013

RP145: 11/9/2012 4:23:48 PM - Removed AVG 2013

RP146: 11/9/2012 4:34:48 PM - RegRun Virus Scan

RP147: 11/9/2012 4:38:11 PM - Windows Update

RP148: 11/9/2012 7:12:39 PM - Windows Update

RP149: 11/10/2012 1:50:06 PM - Installed SpyHunter

RP150: 11/10/2012 2:48:51 PM - Removed Facebook Messenger 2.1.4651.0

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

µTorrent

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.3)

AIM 7

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Becker's CPA Exam Review - 2012 Edition

Becker's Final Review - 2012 Edition

BlackBerry App World Browser Plugin

BlackBerry Desktop Software 5.0.1

BlackBerry® Media Sync

Bonjour

Counter-Strike: Source

CPA FAR

CPA REG

CPUID CPU-Z 1.55

D3DX10

Diablo III

Download Updater (AOL LLC)

Electric Sheep 2.7b34c

ESET NOD32 Antivirus

ESET Online Scanner v3

EVGA Precision 1.3.3

Glary Utilities Pro 2.16.0.758

GoldenEye: Source - HalfLife 2 Mod

Google Chrome

Hitman Pro 3.5

iTunes

Java 7 Update 9

Java 6 Update 16

Java 6 Update 31 (64-bit)

JavaFX 2.1.1

Junk Mail filter update

Lambers

League of Legends

Malwarebytes Anti-Malware version 1.65.1.1000

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft IntelliPoint 8.2

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Office 64-bit Components 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional Plus 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared 64-bit MUI (English) 2007

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft WSE 3.0 Runtime

Mozilla Firefox 15.0.1 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NVIDIA 3D Vision Controller Driver 301.42

NVIDIA 3D Vision Driver 301.42

NVIDIA Control Panel 301.42

NVIDIA Display Control Panel

NVIDIA Drivers

NVIDIA Graphics Driver 301.42

NVIDIA Install Application

NVIDIA PhysX

NVIDIA PhysX System Software 9.12.0213

NVIDIA Stereoscopic 3D Driver

NVIDIA Update 1.8.15

NVIDIA Update Components

ONESOURCE 2008 Client

ONESOURCE 2009 Client

Pando Media Booster

PeerGuardian 2.0

QuickTime

Safari

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687314) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2687315) 32-Bit Edition

Skype Click to Call

Skype™ 5.9

Source SDK Base 2007

SpeedFan (remove only)

SpyHunter

StarCraft II

Steam

Team Fortress 2

The Witcher: Enhanced Edition

UnHackMe 5.99 release

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office Access 2007 Help (KB963663)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office Infopath 2007 Help (KB963662)

Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition

Update for Microsoft Office Outlook 2007 Help (KB963677)

Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687407) 32-Bit Edition

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Publisher 2007 Help (KB963667)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

uTorrentBar Toolbar

Visual C++ 8.0 Runtime Setup Package (x64)

Visual Studio 2008 x64 Redistributables

Visual Studio 2010 x64 Redistributables

Winamp

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live Mail

Windows Live Messenger

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Windows Media Player Firefox Plugin

WinRAR archiver

World of Warcraft

.

==== Event Viewer Messages From Past Week ========

.

11/9/2012 5:25:19 PM, Error: Microsoft-Windows-DistributedCOM [10001] - Unable to start a DCOM Server: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} as /. The error: "5" Happened while starting this command: C:\Windows\System32\slui.exe -Embedding

11/9/2012 4:28:14 PM, Error: Service Control Manager [7030] - The ESET Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

11/9/2012 2:01:30 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the AVGIDSAgent service to connect.

11/9/2012 2:01:30 PM, Error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

11/9/2012 1:39:31 PM, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom0.

11/9/2012 1:03:37 AM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.

11/10/2012 11:59:25 AM, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

11/10/2012 11:59:25 AM, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

.

==== End Of File ===========================


  • Staff

Please do the following:

Download the appropriate version of the Farbar Recovery Scan Tool for your system and save it to a flash drive. (Choose the correct version for your operating system's architecture, 32-bit (x86) or 64-bit (x64).)

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter.

Note: Replace the letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt file. Close out this message, then type the following into the search box:

services.exe

  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB drive.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs (FRST.txt and Search.txt) in your reply.

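The point of the services.exe search in the instructions above is a comparison: the live C:\Windows\System32\services.exe is set against the copies Windows keeps in the WinSxS component store, and a hash that differs from every stored copy is the sign that the service controller has been patched. The following is an added example, not code from the thread or from FRST, that applies that check to the Search.txt format FRST writes. The sample text is constructed in that layout (a path line, then a "[created] - [modified] - size attrs (company) MD5" line); the second sample's modified timestamp and MD5 are invented to show the mismatch case.

```python
"""Triage an FRST "Search:" block: does the live services.exe match the
copies Windows keeps in the WinSxS component store?

Added example, not part of the original thread or of FRST itself.
"""
import re

# Constructed sample in the shape of FRST's search output.
CLEAN_SAMPLE = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
"""

# Same layout, but the live copy's modified time and MD5 no longer match the
# component-store copy (the date and hash here are invented for the example).
PATCHED_SAMPLE = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2012-11-08 03:12] - 0328704 ____A (Microsoft Corporation) 0123456789ABCDEF0123456789ABCDEF

====== End Of Search ======
"""

DETAIL = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)"
    r"(?: \((?P<company>[^)]*)\))?"      # company string is absent for unsigned files
    r" (?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_LINE = re.compile(r"^[A-Za-z]:\\")


def parse_search(text):
    """Return one dict per hit: path, size, modified, company, md5."""
    hits, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):      # banner and blank lines
            continue
        m = DETAIL.match(line)
        if m and pending is not None:
            hits.append({
                "path": pending,
                "size": int(m.group("size")),
                "modified": m.group("modified"),
                "company": m.group("company") or "",
                "md5": m.group("md5").upper(),
            })
            pending = None
        elif PATH_LINE.match(line):
            pending = line
    return hits


def assess(hits, name="services.exe"):
    """Compare the live System32 copy of `name` with its WinSxS copies.

    Verdicts: 'consistent' (live MD5 equals one of the component-store copies
    and the file still carries the Microsoft company string), 'mismatch'
    (it does not), 'no-reference' (no WinSxS copy to compare against),
    'no-live-copy' (the System32 copy is missing from the results).
    """
    wanted = [h for h in hits if h["path"].lower().endswith("\\" + name)]
    store = [h for h in wanted if "\\winsxs\\" in h["path"].lower()]
    live = [h for h in wanted
            if "\\winsxs\\" not in h["path"].lower()
            and "\\windows\\system32\\" in h["path"].lower()]
    if not live:
        return {"verdict": "no-live-copy", "live": None, "store": store}
    if not store:
        return {"verdict": "no-reference", "live": live[0], "store": []}
    cur = live[0]
    # A service pack or hotfix leaves several WinSxS copies; the live file
    # should equal whichever one is currently installed, so any match passes.
    same_hash = cur["md5"] in {h["md5"] for h in store}
    looks_clean = same_hash and cur["company"] == "Microsoft Corporation"
    return {"verdict": "consistent" if looks_clean else "mismatch",
            "live": cur, "store": store}


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_SAMPLE), ("patched", PATCHED_SAMPLE)):
        result = assess(parse_search(text))
        print(f"{label}: {result['verdict']} (live MD5 {result['live']['md5']})")
```

A "consistent" verdict only says the live file is byte-identical to a copy the component store already holds; it does not vouch for the store itself, and it says nothing about the other loader points (Run keys, services, drivers) that the full FRST.txt covers. The reason the scan is run from System Recovery Options rather than from the booted Windows is that an active rootkit can hide or misreport its own files to tools running inside the infected session; the offline scan reads the disk as it is.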

Farbar Recovery Scan Tool (x64) Version: 10-11-2012 02

Ran by SYSTEM at 2012-11-11 14:22:58

Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10-11-2012 02

Ran by SYSTEM at 11-11-2012 14:33:36

Running from F:\

Windows 7 Ultimate (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [4081008 2012-03-07] (ESET)

HKLM-x32\...\runonceex: [Flags] 128

HKLM-x32\...\runonceex: [Title] UnHackMe Rootkit Check

Tcpip\Parameters: [DhcpNameServer] 10.0.1.1

==================== Services (Whitelisted) ===================

3 COMMONFX.DLL; C:\Windows\System32\COMMONFX.DLL [151296 2007-04-12] (Creative Technology Ltd)

3 CT20XUT.DLL; C:\Windows\System32\CT20XUT.DLL [252712 2007-04-10] (Creative Technology Ltd.)

3 CTAUDFX.DLL; C:\Windows\System32\CTAUDFX.DLL [700200 2007-04-10] (Creative Technology Ltd)

3 CTEAPSFX.DLL; C:\Windows\System32\CTEAPSFX.DLL [219432 2007-04-10] (Creative Technology Ltd)

3 CTEDSPFX.DLL; C:\Windows\System32\CTEDSPFX.DLL [321832 2007-04-10] (Creative Technology Ltd)

3 CTEDSPIO.DLL; C:\Windows\System32\CTEDSPIO.DLL [190248 2007-04-10] (Creative Technology Ltd)

3 CTEDSPSY.DLL; C:\Windows\System32\CTEDSPSY.DLL [363304 2007-04-10] (Creative Technology Ltd)

3 CTERFXFX.DLL; C:\Windows\System32\CTERFXFX.DLL [142120 2007-04-10] (Creative Technology Ltd)

3 CTEXFIFX.DLL; C:\Windows\System32\CTEXFIFX.DLL [1571112 2007-04-10] (Creative Technology Ltd.)

3 CTHWIUT.DLL; C:\Windows\System32\CTHWIUT.DLL [123688 2007-04-10] (Creative Technology Ltd.)

3 CTSBLFX.DLL; C:\Windows\System32\CTSBLFX.DLL [681256 2007-04-10] (Creative Technology Ltd)

2 ekrn; "C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe" [913144 2012-03-07] (ESET)

==================== Drivers (Whitelisted) =====================

2 cpuz134; \??\C:\Windows\system32\drivers\cpuz134_x64.sys [21480 2010-07-09] (Windows ® Win 7 DDK provider)

1 eamonm; C:\Windows\System32\Drivers\eamonm.sys [209768 2012-03-14] (ESET)

1 ehdrv; C:\Windows\System32\Drivers\ehdrv.sys [148528 2012-03-14] (ESET)

2 epfwwfpr; C:\Windows\System32\Drivers\epfwwfpr.sys [137144 2012-03-14] (ESET)

0 speedfan; C:\Windows\SysWow64\speedfan.sys [14104 2007-02-07] (Windows ® Server 2003 DDK provider)

0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-01-22] (Duplex Secure Ltd.)

3 WinRing0_1_2_0; \??\C:\Users\Brian\Desktop\Real\WinRing0x64.sys [14544 2008-07-26] (OpenLibSys.org)

3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

0 Partizan; C:\Windows\System32\drivers\Partizan.sys [x]

3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [x]

3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]

3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]

3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-11-11 14:20 - 2012-11-11 14:20 - 00000000 ____D C:\FRST

2012-11-10 15:24 - 2012-11-11 10:37 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-11-10 12:44 - 2012-11-10 12:44 - 05308955 ____A (LearnForce Partners LLC ) C:\Users\Brian\Downloads\ndb_lamb_cpaaudit_m.exe

2012-11-10 12:44 - 2012-11-10 12:44 - 00000000 __HDC C:\Users\All Users\{93D6607E-CDD1-4873-8FCA-D342BA47CD87}

2012-11-10 12:42 - 2012-11-10 12:42 - 00002017 ____A C:\Users\Public\Desktop\Lambers.lnk

2012-11-10 12:42 - 2012-11-10 12:42 - 00000000 __HDC C:\Users\All Users\{62889E3B-679B-45F8-A351-AA2FA7EC013C}

2012-11-10 12:39 - 2012-11-10 12:39 - 00000000 __HDC C:\Users\All Users\{53DF9DA2-B01F-423B-A7F6-5DBD67FB89CD}

2012-11-10 12:36 - 2012-11-10 12:37 - 13324539 ____A (LearnForce Partners LLC ) C:\Users\Brian\Downloads\ndb_lamb_cpafar_m(1).exe

2012-11-10 12:01 - 2012-11-10 12:01 - 00010945 ____A C:\Users\Brian\Desktop\attach.txt

2012-11-10 12:01 - 2012-11-10 12:00 - 00023675 ____A C:\Users\Brian\Desktop\dds.txt

2012-11-10 11:59 - 2012-11-10 11:59 - 00688901 ____R (Swearware) C:\Users\Brian\Downloads\dds (1).com

2012-11-10 11:50 - 2012-11-10 11:50 - 00002250 ____A C:\Users\Brian\Desktop\RKreport[3]_S_11102012_02d1450.txt

2012-11-10 11:49 - 2012-11-10 11:49 - 00000000 ____D C:\Windows\System32\appmgmt

2012-11-10 11:12 - 2012-11-10 11:13 - 00602112 ____A (OldTimer Tools) C:\Users\Brian\Downloads\OTL.exe

2012-11-10 10:59 - 2012-11-10 10:59 - 00001974 ____A C:\Users\Public\Desktop\Hitman Pro 3.5.lnk

2012-11-10 10:59 - 2012-11-10 10:59 - 00000000 ____D C:\Program Files\Hitman Pro 3.5

2012-11-10 10:57 - 2011-06-23 07:45 - 00000000 ____D C:\Users\Brian\Desktop\fixed by shajt

2012-11-10 10:57 - 2011-06-23 07:39 - 00000515 ____A C:\Users\Brian\Desktop\readme.txt

2012-11-10 10:51 - 2012-11-10 10:51 - 00000000 ____A C:\autoexec.bat

2012-11-10 10:50 - 2012-11-10 10:50 - 00000000 ____D C:\Program Files\Enigma Software Group

2012-11-10 10:49 - 2012-11-11 10:32 - 00000000 ____D C:\Windows\83B952C7F8F34CA3B4C533C85B24E478.TMP

2012-11-10 10:46 - 2012-11-10 10:46 - 00726464 ____A (Enigma Software Group USA, LLC.) C:\Users\Brian\Downloads\SpyHunter-Installer.exe

2012-11-10 10:44 - 2012-11-10 10:46 - 127231689 ____A (Igor Pavlov) C:\Users\Brian\Downloads\OTLPENet.exe

2012-11-10 10:41 - 2012-11-10 10:41 - 00002358 ____A C:\Users\Brian\Desktop\RKreport[2]_S_11102012_02d1341.txt

2012-11-10 10:40 - 2012-11-10 10:40 - 00666112 ____A C:\Users\Brian\Downloads\RogueKiller(1).exe

2012-11-09 19:55 - 2012-11-09 19:55 - 00026866 ____A C:\Users\Brian\Downloads\[HorribleSubs] Fairy Tail - 156 [720p].mkv.torrent

2012-11-09 19:19 - 2012-11-09 19:19 - 00000000 ____D C:\Users\Brian\AppData\Local\{287CE6B3-581D-4134-9483-F0E8D47C0C1D}

2012-11-09 16:17 - 2012-08-24 03:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-11-09 16:17 - 2012-08-24 02:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-11-09 16:17 - 2012-08-24 02:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-11-09 16:17 - 2012-08-24 02:22 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-11-09 16:17 - 2012-08-24 02:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-11-09 16:17 - 2012-08-24 02:20 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-11-09 16:17 - 2012-08-24 02:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-11-09 16:17 - 2012-08-24 02:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-11-09 16:17 - 2012-08-24 02:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-11-09 16:17 - 2012-08-24 02:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-11-09 16:17 - 2012-08-24 02:13 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-11-09 16:17 - 2012-08-24 02:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-11-09 16:17 - 2012-08-24 02:11 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-11-09 16:17 - 2012-08-24 02:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-11-09 16:17 - 2012-08-24 02:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-11-09 16:17 - 2012-08-24 02:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-11-09 16:17 - 2012-08-23 23:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-11-09 16:17 - 2012-08-23 23:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-11-09 16:17 - 2012-08-23 22:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-11-09 16:17 - 2012-08-23 22:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-11-09 16:17 - 2012-08-23 22:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-11-09 16:17 - 2012-08-23 22:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-11-09 16:17 - 2012-08-23 22:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-11-09 16:17 - 2012-08-23 22:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-11-09 16:17 - 2012-08-23 22:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-11-09 16:17 - 2012-08-23 22:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-11-09 16:17 - 2012-08-23 22:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-11-09 16:17 - 2012-08-23 22:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-11-09 16:17 - 2012-08-23 22:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-11-09 16:17 - 2012-08-23 22:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-11-09 16:17 - 2012-08-23 22:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-11-09 16:17 - 2012-08-23 22:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-11-09 16:12 - 2012-08-20 10:48 - 01162240 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

2012-11-09 16:12 - 2012-08-20 10:48 - 00424448 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll

2012-11-09 16:12 - 2012-08-20 10:48 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

2012-11-09 16:12 - 2012-08-20 10:46 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe

2012-11-09 16:12 - 2012-08-20 09:37 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll

2012-11-09 16:12 - 2012-08-20 09:37 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll

2012-11-09 16:11 - 2012-09-14 11:19 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll

2012-11-09 16:11 - 2012-09-14 10:28 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll

2012-11-09 16:11 - 2012-08-20 10:48 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll

2012-11-09 16:11 - 2012-08-20 10:48 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll

2012-11-09 16:11 - 2012-08-20 10:48 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll

2012-11-09 16:11 - 2012-08-20 10:48 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 10:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:40 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll

2012-11-09 16:11 - 2012-08-20 09:38 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe

2012-11-09 16:11 - 2012-08-20 09:37 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 09:32 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 07:38 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe

2012-11-09 16:11 - 2012-08-20 07:38 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe

2012-11-09 16:11 - 2012-08-20 07:33 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 07:33 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 07:33 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll

2012-11-09 16:11 - 2012-08-20 07:33 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll

2012-11-09 16:11 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-11-09 16:11 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-11-09 16:10 - 2012-08-31 10:19 - 01659760 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2012-11-09 16:10 - 2012-08-30 10:03 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-11-09 16:10 - 2012-08-30 09:12 - 03968880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-11-09 16:10 - 2012-08-30 09:12 - 03914096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-11-09 16:10 - 2012-08-24 10:05 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll

2012-11-09 16:10 - 2012-08-24 08:57 - 00172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll

2012-11-09 16:10 - 2012-08-22 10:12 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-11-09 16:10 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys

2012-11-09 16:10 - 2012-08-22 10:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys

2012-11-09 16:10 - 2012-08-22 10:12 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS

2012-11-09 16:10 - 2012-08-21 13:01 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe

2012-11-09 16:10 - 2012-08-10 16:56 - 00715776 ____A (Microsoft Corporation) C:\Windows\System32\kerberos.dll

2012-11-09 16:10 - 2012-08-10 15:56 - 00542208 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll

2012-11-09 16:10 - 2012-07-18 10:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-11-09 16:10 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys

2012-11-09 16:10 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-11-09 16:10 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-11-09 16:10 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-11-09 16:10 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-11-09 16:10 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-11-09 16:10 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-11-09 16:10 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-11-09 16:10 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-11-09 16:10 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-11-09 16:10 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-11-09 16:10 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-11-09 16:10 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-11-09 16:10 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-11-09 16:10 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll

2012-11-09 16:10 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll

2012-11-09 16:10 - 2012-03-02 22:35 - 01544704 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2012-11-09 16:10 - 2012-03-02 21:31 - 01077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll

2012-11-09 16:10 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll

2012-11-09 16:10 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll

2012-11-09 16:09 - 2012-08-02 09:58 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll

2012-11-09 16:09 - 2012-08-02 08:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll

2012-11-09 16:09 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-11-09 16:09 - 2012-04-27 21:32 - 01112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll

2012-11-09 16:09 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-11-09 16:09 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-11-09 16:09 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-11-09 16:09 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-11-09 16:09 - 2012-03-16 23:58 - 00075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys

2012-11-09 16:08 - 2012-07-04 14:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-11-09 16:08 - 2012-07-04 14:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-11-09 16:08 - 2012-07-04 14:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-11-09 16:08 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll

2012-11-09 16:08 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll

2012-11-09 16:05 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-11-09 16:05 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll

2012-11-09 16:05 - 2012-06-01 21:41 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-11-09 16:05 - 2012-06-01 21:41 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-11-09 16:05 - 2012-06-01 21:41 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-11-09 16:05 - 2012-06-01 20:36 - 01159680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2012-11-09 16:05 - 2012-06-01 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll

2012-11-09 16:05 - 2012-06-01 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

2012-11-09 16:04 - 2012-05-13 21:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll

2012-11-09 16:04 - 2012-05-05 00:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll

2012-11-09 16:04 - 2012-05-04 23:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll

2012-11-09 16:04 - 2012-02-10 22:43 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2012-11-09 16:04 - 2012-02-10 22:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe

2012-11-09 16:04 - 2012-02-10 22:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe

2012-11-09 16:04 - 2012-02-10 21:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2012-11-09 15:02 - 2012-11-09 15:02 - 00000000 ____D C:\Users\Brian\AppData\Local\ESET

2012-11-09 14:45 - 2012-11-09 14:45 - 00002324 ____A C:\Windows\epplauncher.mif

2012-11-09 14:44 - 2012-11-09 14:44 - 13529576 ____A (Microsoft Corporation) C:\Users\Brian\Downloads\mseinstall.exe

2012-11-09 13:38 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-11-09 13:38 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-11-09 13:38 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-11-09 13:38 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-11-09 13:38 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-11-09 13:38 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-11-09 13:38 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-11-09 13:38 - 2012-06-02 12:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-11-09 13:38 - 2012-06-02 12:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-11-09 13:33 - 2012-11-11 10:31 - 00000252 ____A C:\Windows\SysWOW64\PARTIZAN.TXT

2012-11-09 13:32 - 2012-11-09 13:32 - 00039184 ____A (Greatis Software) C:\Windows\System32\Partizan.exe

2012-11-09 13:27 - 2012-11-09 13:27 - 00000000 ____D C:\Users\All Users\ESET

2012-11-09 13:27 - 2012-11-09 13:27 - 00000000 ____D C:\Program Files\ESET

2012-11-09 13:22 - 2012-11-09 13:22 - 01378744 ____A (ESET) C:\Users\Brian\Downloads\eset_nod32_antivirus_live_installer(1).exe

2012-11-09 13:15 - 2012-11-09 13:16 - 01378744 ____A (ESET) C:\Users\Brian\Downloads\eset_nod32_antivirus_live_installer.exe

2012-11-09 12:43 - 2012-11-09 12:43 - 02195061 ____A C:\Users\Brian\Downloads\tdsskiller(2).zip

2012-11-09 12:22 - 2012-11-09 12:22 - 00002321 ____A C:\Users\Brian\Desktop\RKreport[1]_S_11092012_02d1522.txt

2012-11-09 12:21 - 2012-11-09 12:22 - 00000000 ____D C:\Users\Brian\Desktop\RK_Quarantine

2012-11-09 12:18 - 2012-11-09 12:18 - 00666112 ____A C:\Users\Brian\Downloads\RogueKiller.exe

2012-11-09 12:08 - 2012-11-09 12:11 - 00002120 ____A C:\scu.dat

2012-11-09 11:46 - 2012-11-09 11:46 - 02322184 ____A (ESET) C:\Users\Brian\Downloads\esetsmartinstaller_enu.exe

2012-11-09 11:46 - 2012-11-09 11:46 - 00000000 ____D C:\Program Files (x86)\ESET

2012-11-09 11:31 - 2012-11-09 11:31 - 00302592 ____A C:\Users\Brian\Downloads\ryjn9ufm.exe

2012-11-09 11:30 - 2012-11-09 11:30 - 00302592 ____A C:\Users\Brian\Downloads\bdv9009d.exe

2012-11-09 11:30 - 2012-11-09 11:30 - 00302592 ____A C:\Users\Brian\Downloads\38oojsdx.exe

2012-11-09 11:16 - 2012-11-11 10:31 - 00000000 ____D C:\Users\All Users\RegRun

2012-11-09 11:15 - 2012-11-11 10:33 - 00000000 ____D C:\Program Files (x86)\UnHackMe

2012-11-09 11:15 - 2012-11-09 11:18 - 00000000 ____D C:\Users\Brian\Documents\RegRun2

2012-11-09 11:15 - 2012-11-09 11:15 - 00000002 RASHOT C:\Windows\winstart.bat

2012-11-09 11:15 - 2012-11-09 11:15 - 00000002 RASHOT C:\Windows\SysWOW64\CONFIG.NT

2012-11-09 11:15 - 2012-11-09 11:15 - 00000002 RASHOT C:\Windows\SysWOW64\AUTOEXEC.NT

2012-11-09 11:15 - 2012-11-03 17:15 - 12585596 ____A (Greatis Software, LLC. ) C:\Users\Brian\Desktop\unhackme_setup.exe

2012-11-09 11:14 - 2012-11-09 11:15 - 12564642 ____A C:\Users\Brian\Downloads\unhackme.zip

2012-11-09 11:00 - 2012-11-09 11:00 - 00000000 ____D C:\Users\Brian\AppData\Roaming\AVG2013

2012-11-09 10:58 - 2012-11-09 10:58 - 00000000 ____D C:\Users\Brian\AppData\Roaming\TuneUp Software

2012-11-09 10:56 - 2012-11-09 13:23 - 00000000 ____D C:\Users\All Users\AVG2013

2012-11-09 10:51 - 2012-11-09 10:51 - 00000000 ____D C:\Users\Brian\AppData\Local\MFAData

2012-11-09 10:51 - 2012-11-09 10:51 - 00000000 ____D C:\Users\Brian\AppData\Local\Avg2013

2012-11-09 10:04 - 2012-11-09 10:04 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Brian\Downloads\tdsskiller(2).exe

2012-11-08 15:43 - 2012-11-10 12:48 - 00000000 ____D C:\Users\Brian\AppData\Local\Facebook

2012-11-08 15:43 - 2012-11-09 16:49 - 00000137 ____A C:\Windows\SysWOW64\debug.log

2012-11-08 15:43 - 2012-11-08 15:43 - 00501240 ____A (Facebook Inc.) C:\Users\Brian\Downloads\FacebookMessengerSetup_v1.2.205.0.exe

2012-11-08 15:17 - 2012-11-08 15:17 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

==================== One Month Modified Files and Folders =======

2012-11-11 14:20 - 2012-11-11 14:20 - 00000000 ____D C:\FRST

2012-11-11 11:31 - 2009-07-13 21:13 - 00730448 ____A C:\Windows\System32\PerfStringBackup.INI

2012-11-11 11:30 - 2010-01-22 10:56 - 01267647 ____A C:\Windows\WindowsUpdate.log

2012-11-11 11:28 - 2009-07-13 20:51 - 00056093 ____A C:\Windows\setupact.log

2012-11-11 11:27 - 2012-08-20 10:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

2012-11-11 11:27 - 2010-01-22 14:21 - 00000324 ____A C:\Windows\Tasks\GlaryInitialize.job

2012-11-11 11:27 - 2010-01-22 11:06 - 00000000 ____D C:\Users\All Users\NVIDIA

2012-11-11 11:27 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-11-11 10:38 - 2012-04-10 11:44 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-11-11 10:37 - 2012-11-10 15:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-11-11 10:33 - 2012-11-09 11:15 - 00000000 ____D C:\Program Files (x86)\UnHackMe

2012-11-11 10:32 - 2012-11-10 10:49 - 00000000 ____D C:\Windows\83B952C7F8F34CA3B4C533C85B24E478.TMP

2012-11-11 10:31 - 2012-11-09 13:33 - 00000252 ____A C:\Windows\SysWOW64\PARTIZAN.TXT

2012-11-11 10:31 - 2012-11-09 11:16 - 00000000 ____D C:\Users\All Users\RegRun

2012-11-11 10:28 - 2010-01-22 12:05 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-769710056-2214912975-2338223646-1000UA.job

2012-11-10 15:19 - 2010-01-22 12:05 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-769710056-2214912975-2338223646-1000Core.job

2012-11-10 12:48 - 2012-11-08 15:43 - 00000000 ____D C:\Users\Brian\AppData\Local\Facebook

2012-11-10 12:44 - 2012-11-10 12:44 - 05308955 ____A (LearnForce Partners LLC ) C:\Users\Brian\Downloads\ndb_lamb_cpaaudit_m.exe

2012-11-10 12:44 - 2012-11-10 12:44 - 00000000 __HDC C:\Users\All Users\{93D6607E-CDD1-4873-8FCA-D342BA47CD87}

2012-11-10 12:42 - 2012-11-10 12:42 - 00002017 ____A C:\Users\Public\Desktop\Lambers.lnk

2012-11-10 12:42 - 2012-11-10 12:42 - 00000000 __HDC C:\Users\All Users\{62889E3B-679B-45F8-A351-AA2FA7EC013C}

2012-11-10 12:39 - 2012-11-10 12:39 - 00000000 __HDC C:\Users\All Users\{53DF9DA2-B01F-423B-A7F6-5DBD67FB89CD}

2012-11-10 12:37 - 2012-11-10 12:36 - 13324539 ____A (LearnForce Partners LLC ) C:\Users\Brian\Downloads\ndb_lamb_cpafar_m(1).exe

2012-11-10 12:01 - 2012-11-10 12:01 - 00010945 ____A C:\Users\Brian\Desktop\attach.txt

2012-11-10 12:00 - 2012-11-10 12:01 - 00023675 ____A C:\Users\Brian\Desktop\dds.txt

2012-11-10 11:59 - 2012-11-10 11:59 - 00688901 ____R (Swearware) C:\Users\Brian\Downloads\dds (1).com

2012-11-10 11:50 - 2012-11-10 11:50 - 00002250 ____A C:\Users\Brian\Desktop\RKreport[3]_S_11102012_02d1450.txt

2012-11-10 11:49 - 2012-11-10 11:49 - 00000000 ____D C:\Windows\System32\appmgmt

2012-11-10 11:49 - 2010-01-22 13:34 - 00000000 ____D C:\Program Files (x86)\DAEMON Tools Toolbar

2012-11-10 11:13 - 2012-11-10 11:12 - 00602112 ____A (OldTimer Tools) C:\Users\Brian\Downloads\OTL.exe

2012-11-10 11:11 - 2010-01-22 16:04 - 00000000 ____D C:\Windows\pss

2012-11-10 11:00 - 2012-03-13 17:01 - 00023112 ____A C:\Windows\System32\Drivers\hitmanpro35.sys

2012-11-10 11:00 - 2010-01-22 12:12 - 00000000 ____D C:\Users\Brian\AppData\Roaming\uTorrent

2012-11-10 10:59 - 2012-11-10 10:59 - 00001974 ____A C:\Users\Public\Desktop\Hitman Pro 3.5.lnk

2012-11-10 10:59 - 2012-11-10 10:59 - 00000000 ____D C:\Program Files\Hitman Pro 3.5

2012-11-10 10:55 - 2012-03-13 16:59 - 00000000 ____D C:\Users\Brian\Downloads\Hitman Pro 3.5.9 Build 125 (x64) incl crack

2012-11-10 10:51 - 2012-11-10 10:51 - 00000000 ____A C:\autoexec.bat

2012-11-10 10:50 - 2012-11-10 10:50 - 00000000 ____D C:\Program Files\Enigma Software Group

2012-11-10 10:46 - 2012-11-10 10:46 - 00726464 ____A (Enigma Software Group USA, LLC.) C:\Users\Brian\Downloads\SpyHunter-Installer.exe

2012-11-10 10:46 - 2012-11-10 10:44 - 127231689 ____A (Igor Pavlov) C:\Users\Brian\Downloads\OTLPENet.exe

2012-11-10 10:41 - 2012-11-10 10:41 - 00002358 ____A C:\Users\Brian\Desktop\RKreport[2]_S_11102012_02d1341.txt

2012-11-10 10:40 - 2012-11-10 10:40 - 00666112 ____A C:\Users\Brian\Downloads\RogueKiller(1).exe

2012-11-10 09:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2012-11-09 19:55 - 2012-11-09 19:55 - 00026866 ____A C:\Users\Brian\Downloads\[HorribleSubs] Fairy Tail - 156 [720p].mkv.torrent

2012-11-09 19:19 - 2012-11-09 19:19 - 00000000 ____D C:\Users\Brian\AppData\Local\{287CE6B3-581D-4134-9483-F0E8D47C0C1D}

2012-11-09 16:49 - 2012-11-08 15:43 - 00000137 ____A C:\Windows\SysWOW64\debug.log

2012-11-09 16:47 - 2009-07-13 20:45 - 00434296 ____A C:\Windows\System32\FNTCACHE.DAT

2012-11-09 16:46 - 2010-01-22 15:10 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

2012-11-09 16:45 - 2009-07-13 20:45 - 00010240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-11-09 16:45 - 2009-07-13 20:45 - 00010240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-11-09 16:44 - 2009-07-13 23:46 - 00000000 ____D C:\Program Files\Windows Journal

2012-11-09 16:37 - 2010-01-22 14:05 - 00000000 ____D C:\Users\All Users\Microsoft Help

2012-11-09 16:34 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini

2012-11-09 15:02 - 2012-11-09 15:02 - 00000000 ____D C:\Users\Brian\AppData\Local\ESET

2012-11-09 14:45 - 2012-11-09 14:45 - 00002324 ____A C:\Windows\epplauncher.mif

2012-11-09 14:44 - 2012-11-09 14:44 - 13529576 ____A (Microsoft Corporation) C:\Users\Brian\Downloads\mseinstall.exe

2012-11-09 13:33 - 2010-01-22 11:08 - 00046614 ____A C:\Windows\PFRO.log

2012-11-09 13:32 - 2012-11-09 13:32 - 00039184 ____A (Greatis Software) C:\Windows\System32\Partizan.exe

2012-11-09 13:27 - 2012-11-09 13:27 - 00000000 ____D C:\Users\All Users\ESET

2012-11-09 13:27 - 2012-11-09 13:27 - 00000000 ____D C:\Program Files\ESET

2012-11-09 13:24 - 2010-10-21 11:15 - 00000000 ____D C:\Users\All Users\MFAData

2012-11-09 13:23 - 2012-11-09 10:56 - 00000000 ____D C:\Users\All Users\AVG2013

2012-11-09 13:22 - 2012-11-09 13:22 - 01378744 ____A (ESET) C:\Users\Brian\Downloads\eset_nod32_antivirus_live_installer(1).exe

2012-11-09 13:16 - 2012-11-09 13:15 - 01378744 ____A (ESET) C:\Users\Brian\Downloads\eset_nod32_antivirus_live_installer.exe

2012-11-09 12:58 - 2012-03-12 21:13 - 00000000 ____D C:\TDSSKiller_Quarantine

2012-11-09 12:43 - 2012-11-09 12:43 - 02195061 ____A C:\Users\Brian\Downloads\tdsskiller(2).zip

2012-11-09 12:22 - 2012-11-09 12:22 - 00002321 ____A C:\Users\Brian\Desktop\RKreport[1]_S_11092012_02d1522.txt

2012-11-09 12:22 - 2012-11-09 12:21 - 00000000 ____D C:\Users\Brian\Desktop\RK_Quarantine

2012-11-09 12:18 - 2012-11-09 12:18 - 00666112 ____A C:\Users\Brian\Downloads\RogueKiller.exe

2012-11-09 12:11 - 2012-11-09 12:08 - 00002120 ____A C:\scu.dat

2012-11-09 11:46 - 2012-11-09 11:46 - 02322184 ____A (ESET) C:\Users\Brian\Downloads\esetsmartinstaller_enu.exe

2012-11-09 11:46 - 2012-11-09 11:46 - 00000000 ____D C:\Program Files (x86)\ESET

2012-11-09 11:31 - 2012-11-09 11:31 - 00302592 ____A C:\Users\Brian\Downloads\ryjn9ufm.exe

2012-11-09 11:30 - 2012-11-09 11:30 - 00302592 ____A C:\Users\Brian\Downloads\bdv9009d.exe

2012-11-09 11:30 - 2012-11-09 11:30 - 00302592 ____A C:\Users\Brian\Downloads\38oojsdx.exe

2012-11-09 11:18 - 2012-11-09 11:15 - 00000000 ____D C:\Users\Brian\Documents\RegRun2

2012-11-09 11:15 - 2012-11-09 11:15 - 00000002 RASHOT C:\Windows\winstart.bat

2012-11-09 11:15 - 2012-11-09 11:15 - 00000002 RASHOT C:\Windows\SysWOW64\CONFIG.NT

2012-11-09 11:15 - 2012-11-09 11:15 - 00000002 RASHOT C:\Windows\SysWOW64\AUTOEXEC.NT

2012-11-09 11:15 - 2012-11-09 11:14 - 12564642 ____A C:\Users\Brian\Downloads\unhackme.zip

2012-11-09 11:00 - 2012-11-09 11:00 - 00000000 ____D C:\Users\Brian\AppData\Roaming\AVG2013

2012-11-09 11:00 - 2010-08-25 13:59 - 00000000 ____D C:\Program Files (x86)\AVG

2012-11-09 10:59 - 2010-09-03 18:50 - 00000000 ___HD C:\$AVG

2012-11-09 10:58 - 2012-11-09 10:58 - 00000000 ____D C:\Users\Brian\AppData\Roaming\TuneUp Software

2012-11-09 10:51 - 2012-11-09 10:51 - 00000000 ____D C:\Users\Brian\AppData\Local\MFAData

2012-11-09 10:51 - 2012-11-09 10:51 - 00000000 ____D C:\Users\Brian\AppData\Local\Avg2013

2012-11-09 10:04 - 2012-11-09 10:04 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Brian\Downloads\tdsskiller(2).exe

2012-11-08 15:43 - 2012-11-08 15:43 - 00501240 ____A (Facebook Inc.) C:\Users\Brian\Downloads\FacebookMessengerSetup_v1.2.205.0.exe

2012-11-08 15:20 - 2012-05-25 14:44 - 00000000 ____D C:\Users\All Users\Skype

2012-11-08 15:18 - 2012-03-12 15:26 - 00000000 ____D C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE

2012-11-08 15:18 - 2012-01-17 17:15 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-08 15:18 - 2010-12-07 12:31 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-08 15:17 - 2012-11-08 15:17 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2012-11-08 15:17 - 2012-08-20 11:31 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll

2012-11-08 15:17 - 2012-08-20 11:31 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll

2012-11-08 15:17 - 2012-08-20 11:31 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe

2012-11-08 15:17 - 2010-01-22 15:34 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2012-11-08 15:17 - 2010-01-22 15:34 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2012-11-08 15:17 - 2010-01-22 15:34 - 00000000 ____D C:\Program Files (x86)\Java

2012-11-08 15:17 - 2010-01-22 12:05 - 00002483 ____A C:\Users\Brian\Desktop\Google Chrome.lnk

2012-11-08 15:15 - 2012-04-10 11:44 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-11-08 15:15 - 2011-12-31 09:39 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-11-08 15:15 - 2011-05-01 21:57 - 00000000 ____D C:\Users\All Users\Adobe

2012-11-03 17:15 - 2012-11-09 11:15 - 12585596 ____A (Greatis Software, LLC. ) C:\Users\Brian\Desktop\unhackme_setup.exe

2012-10-31 18:49 - 2012-03-13 16:53 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Brian\Desktop\TDSSKiller.exe

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-08 15:17:05

Restore point made on: 2012-11-09 10:56:41

Restore point made on: 2012-11-09 10:57:06

Restore point made on: 2012-11-09 11:19:09

Restore point made on: 2012-11-09 13:18:15

Restore point made on: 2012-11-09 13:23:56

Restore point made on: 2012-11-09 13:34:59

Restore point made on: 2012-11-09 13:38:15

Restore point made on: 2012-11-09 16:12:49

Restore point made on: 2012-11-10 10:50:17

Restore point made on: 2012-11-10 11:49:02

Restore point made on: 2012-11-11 10:32:07

==================== Memory info ===========================

Percentage of memory in use: 15%

Total physical RAM: 4094.49 MB

Available physical RAM: 3478.13 MB

Total Pagefile: 4092.64 MB

Available Pagefile: 3460.86 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:931.41 GB) (Free:727.44 GB) NTFS

2 Drive e: (Lambers Practice) (CDROM) (Total:0.04 GB) (Free:0 GB) CDFS

3 Drive f: (STORE N GO) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT

4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 931 GB 0 B

Disk 1 Online 1910 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 931 GB 101 MB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 931 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1906 MB 4032 KB

==================================================================================

Disk: 1

Partition 1

Type : 0E

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F STORE N GO FAT Removable 1906 MB Healthy

=========================================================

Last Boot: 2012-11-08 15:37

==================== End Of Log =============================

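The two short checks at the end of the FRST log above ("Bamital & volsnap Check" and "EXE ASSOCIATION") are worth knowing how to repeat yourself, because they target exactly what lockers and file patchers change: the handful of binaries every logon depends on, and the handler Windows runs for every .exe. The script below is an added example, not part of the original post and not FRST's or ComboFix's own code. It is meant for an elevated PowerShell prompt on the Windows 7 x64 system in this thread (it only uses what PowerShell 2.0 provides). The file list and the expected registry values are taken from the FRST output; the helper name Get-Md5 and the `$checks` table are this example's own. Two caveats: on Windows 7 the files in System32 are hard links into WinSxS, so a file patched in place still "matches" its own store copy and only a replaced file shows up as a mismatch; and a mismatch means "inspect" (a newer servicing build also produces one), so confirm with `sfc /verifyonly` or Sysinternals sigcheck before treating it as tampering.

```powershell
# Added example (not from the thread, FRST or ComboFix): repeat FRST's
# "Bamital & volsnap" hash check and "EXE ASSOCIATION" check on a live
# Windows 7 x64 box. Run from an elevated PowerShell prompt.

$win = $env:SystemRoot

# 1. Binaries every boot/logon depends on; the list mirrors the FRST log.
$coreFiles = @(
    "$win\System32\winlogon.exe", "$win\System32\wininit.exe", "$win\SysWOW64\wininit.exe",
    "$win\explorer.exe",          "$win\SysWOW64\explorer.exe",
    "$win\System32\svchost.exe",  "$win\SysWOW64\svchost.exe",
    "$win\System32\services.exe",
    "$win\System32\user32.dll",   "$win\SysWOW64\user32.dll",
    "$win\System32\userinit.exe", "$win\SysWOW64\userinit.exe",
    "$win\System32\Drivers\volsnap.sys"
)

function Get-Md5 ($path) {
    # Helper of this example. Get-FileHash needs PowerShell 4+, so use .NET directly.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try     { [System.BitConverter]::ToString($md5.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close() }
}

# Index every copy of those file names kept in the component store (one pass;
# WinSxS is large, so this takes a few minutes).
$names = $coreFiles | ForEach-Object { Split-Path $_ -Leaf } | Select-Object -Unique
$storeHashes = @{}
Get-ChildItem "$win\WinSxS" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $names -contains $_.Name } |
    ForEach-Object {
        if (-not $storeHashes.ContainsKey($_.Name)) { $storeHashes[$_.Name] = @() }
        $storeHashes[$_.Name] += Get-Md5 $_.FullName
    }

# Compare each live file with the store. A live hash that matches no store copy
# means the file was replaced outside Windows servicing: inspect it.
foreach ($file in $coreFiles) {
    if (-not (Test-Path $file)) { "{0,-42} MISSING" -f $file; continue }
    $live    = Get-Md5 $file
    $known   = $storeHashes[(Split-Path $file -Leaf)]
    $verdict = if ($known -contains $live) { 'matches a WinSxS copy' } else { 'no WinSxS match - inspect' }
    "{0,-42} {1} {2}" -f $file, $live, $verdict
}

# 2. The .exe association. Lockers and rogue "antivirus" products point
#    exefile\shell\open\command at their own binary so that every program launch
#    runs them first. FRST checks HKLM; a per-user override under
#    HKCU\Software\Classes is the same hijack one level down, so both are listed.
$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Classes\.exe';                       Expect = 'exefile' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\exefile\DefaultIcon';        Expect = '%1' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Expect = '"%1" %*' },
    @{ Key = 'HKCU:\Software\Classes\.exe';                       Expect = $null },   # normally absent
    @{ Key = 'HKCU:\Software\Classes\exefile\shell\open\command'; Expect = $null }    # normally absent
)
foreach ($c in $checks) {
    $value = if (Test-Path $c.Key) { (Get-ItemProperty $c.Key).'(default)' } else { $null }
    $shown = if ($value -eq $null) { '<absent>' } else { $value }
    $ok    = if ($value -eq $c.Expect) { 'OK' } else { 'CHECK' }
    "{0,-58} {1,-12} => {2}" -f $c.Key, $shown, $ok
}
```

The output format deliberately mirrors FRST's ("=> OK"), so the two can be read side by side. The WinSxS comparison is the same idea ComboFix uses in its Sigcheck section (known-version hashes versus the live file); the hard-link caveat above is why neither replaces a signature check.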

  • Staff

Please run the following.

Refer to the ComboFix User's Guide.

  1. Download ComboFix from the following location:
     Link
     * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
     You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.
     Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

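Steps 2 and 6 of the instructions above (protection off before ComboFix, back on afterwards) are easy to get wrong when several products are installed at once, as on this machine (ESET, AVG remnants, Windows Defender, Malwarebytes). The script below is an added example, not part of the staff reply and not ComboFix's code. It asks Windows Security Center the same question ComboFix answers in the "AV:" and "SP:" lines at the top of its log (product name, enabled/disabled, updated/outdated, instance GUID), so you can run it before step 3 and again after step 6. It works with the PowerShell 2.0 that ships with Windows 7. Microsoft does not document the layout of the productState value; the decoding used here (second byte of the six-digit hex form = enabled, third byte = up to date) is the community-documented one, and the helper name Get-ProductStateFlags is this example's own.

```powershell
# Added example (not from the thread or ComboFix): list the products Windows
# Security Center knows about and decode whether each is enabled and up to date.
# Use it to confirm protection is off before ComboFix runs and on again after.

function Get-ProductStateFlags ([int]$state) {
    # productState as six hex digits, e.g. 397568 -> "061100".
    # Digits 3-4: "10"/"11" = real-time protection on, "00"/"01" = off.
    # Digits 5-6: "00" = definitions current, "10" = out of date.
    # (Community-documented layout; not an official Microsoft interface.)
    $hex = '{0:X6}' -f $state
    @{
        Enabled  = ($hex.Substring(2, 2) -eq '10' -or $hex.Substring(2, 2) -eq '11')
        UpToDate = ($hex.Substring(4, 2) -eq '00')
    }
}

# Same three classes ComboFix reports as AV:, SP: and FW: lines.
foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s  = Get-ProductStateFlags $_.productState
            $en = if ($s.Enabled)  { 'Enabled' } else { 'DISABLED' }
            $up = if ($s.UpToDate) { 'Updated' } else { 'OUTDATED' }
            '{0,-19} {1,-32} *{2}/{3}* {{{4}}}' -f $class, $_.displayName, $en, $up, $_.instanceGuid
        }
}
```

Expect every antivirus and antispyware entry to read *DISABLED* before you start ComboFix and *Enabled/Updated* once you are done; a product that still shows Enabled after you used its tray icon usually has a self-protection setting that must be turned off in its own options. Security Center only lists products that register with it, so a tool that runs on demand (TDSSKiller, RogueKiller, Hitman Pro) will not appear here and does not need disabling.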

ComboFix 12-11-10.01 - Brian 11/11/2012 15:16:18.1.4 - x64

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2658 [GMT -5:00]

Running from: c:\users\Brian\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}

SP: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Brian\Documents\~WRL1607.tmp

c:\windows\es.exe

c:\windows\pthreadGC2.dll

c:\windows\SysWow64\DEBUG.log

c:\windows\XSxS

.

.

((((((((((((((((((((((((( Files Created from 2012-10-11 to 2012-11-11 )))))))))))))))))))))))))))))))

.

.

2012-11-11 22:20 . 2012-11-11 22:20 -------- d-----w- C:\FRST

2012-11-11 20:21 . 2012-11-11 20:21 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-11-11 20:21 . 2012-11-11 20:21 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-11-11 20:04 . 2012-11-11 20:04 869376 ----a-w- c:\windows\is-5C6AA.exe

2012-11-10 20:44 . 2012-11-10 20:44 -------- dc-h--w- c:\programdata\{93D6607E-CDD1-4873-8FCA-D342BA47CD87}

2012-11-10 20:42 . 2012-11-10 20:42 -------- dc-h--w- c:\programdata\{62889E3B-679B-45F8-A351-AA2FA7EC013C}

2012-11-10 20:39 . 2012-11-10 20:39 -------- dc-h--w- c:\programdata\{53DF9DA2-B01F-423B-A7F6-5DBD67FB89CD}

2012-11-10 19:49 . 2012-11-10 19:49 -------- d-----w- c:\windows\system32\appmgmt

2012-11-10 18:59 . 2012-11-10 18:59 -------- d-----w- c:\program files\Hitman Pro 3.5

2012-11-10 18:50 . 2012-11-10 18:50 -------- d-----w- c:\program files\Enigma Software Group

2012-11-10 18:49 . 2012-11-11 18:32 -------- d-----w- c:\windows\83B952C7F8F34CA3B4C533C85B24E478.TMP

2012-11-10 18:49 . 2012-11-10 18:49 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard

2012-11-10 00:29 . 2012-10-17 06:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CE5A6C6A-CC09-46E7-9E63-448183D13315}\mpengine.dll

2012-11-10 00:12 . 2012-08-20 18:48 215040 ----a-w- c:\windows\system32\winsrv.dll

2012-11-10 00:12 . 2012-08-20 18:48 424448 ----a-w- c:\windows\system32\KernelBase.dll

2012-11-10 00:12 . 2012-08-20 18:48 1162240 ----a-w- c:\windows\system32\kernel32.dll

2012-11-10 00:12 . 2012-08-20 18:46 338432 ----a-w- c:\windows\system32\conhost.exe

2012-11-10 00:12 . 2012-08-20 17:37 274944 ----a-w- c:\windows\SysWow64\KernelBase.dll

2012-11-10 00:10 . 2012-08-30 18:03 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-11-10 00:09 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll

2012-11-10 00:09 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll

2012-11-10 00:09 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll

2012-11-10 00:09 . 2012-04-28 05:32 1112064 ----a-w- c:\windows\system32\rdpcorets.dll

2012-11-10 00:09 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-11-10 00:09 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll

2012-11-10 00:09 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-11-10 00:09 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-11-10 00:09 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys

2012-11-10 00:08 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll

2012-11-10 00:08 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll

2012-11-10 00:08 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll

2012-11-10 00:08 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll

2012-11-10 00:04 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll

2012-11-10 00:04 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe

2012-11-10 00:04 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe

2012-11-10 00:04 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll

2012-11-10 00:04 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll

2012-11-10 00:04 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll

2012-11-10 00:04 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll

2012-11-09 23:02 . 2012-11-09 23:02 -------- d-----w- c:\users\Brian\AppData\Local\ESET

2012-11-09 21:38 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-11-09 21:38 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-11-09 21:38 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll

2012-11-09 21:38 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-11-09 21:38 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll

2012-11-09 21:38 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-11-09 21:38 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-11-09 21:38 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-11-09 21:38 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-11-09 21:32 . 2012-11-09 21:32 39184 ----a-w- c:\windows\system32\Partizan.exe

2012-11-09 21:27 . 2012-11-09 21:27 -------- d-----w- c:\program files\ESET

2012-11-09 19:46 . 2012-11-09 19:46 -------- d-----w- c:\program files (x86)\ESET

2012-11-09 19:16 . 2012-11-11 18:31 -------- d-----w- c:\programdata\RegRun

2012-11-09 19:15 . 2012-11-09 19:15 2 --shatr- c:\windows\winstart.bat

2012-11-09 19:15 . 2012-11-11 18:33 -------- d-----w- c:\program files (x86)\UnHackMe

2012-11-09 19:00 . 2012-11-09 19:00 -------- d-----w- c:\users\Brian\AppData\Roaming\AVG2013

2012-11-09 18:58 . 2012-11-09 18:58 -------- d-----w- c:\users\Brian\AppData\Roaming\TuneUp Software

2012-11-09 18:56 . 2012-11-09 21:23 -------- d-----w- c:\programdata\AVG2013

2012-11-09 18:51 . 2012-11-09 18:51 -------- d-----w- c:\users\Brian\AppData\Local\MFAData

2012-11-09 18:51 . 2012-11-09 18:51 -------- d-----w- c:\users\Brian\AppData\Local\Avg2013

2012-11-08 23:43 . 2012-11-10 20:48 -------- d-----w- c:\users\Brian\AppData\Local\Facebook

2012-11-08 23:17 . 2012-11-08 23:17 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-10 19:00 . 2012-03-14 01:01 23112 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2012-11-08 23:17 . 2012-08-20 19:31 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-11-08 23:17 . 2012-08-20 19:31 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-11-08 23:15 . 2012-04-10 19:44 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-11-08 23:15 . 2011-12-31 17:39 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-09-30 00:54 . 2010-12-07 20:31 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-28 05:18 . 2010-01-22 20:11 65309168 ----a-w- c:\windows\system32\MRT.exe

2012-09-01 17:16 . 2012-09-01 17:16 4480000 ----a-w- c:\windows\es.scr

2012-08-20 17:38 . 2012-11-10 00:11 44032 ----a-w- c:\windows\apppatch\acwow64.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2010-11-20 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll

[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll

[-] 2011-03-13 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll

.

[-] 2011-03-13 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll

[7] 2010-11-20 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll

[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTo0.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentBar\prxtbuTo0.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTo0.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"InnoSetupRegFile.0000000001"="c:\windows\is-5C6AA.exe" [2012-11-11 869376]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DevconDefaultDB"="c:\windows\system32\READREG" [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-disabled]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-10-02 3064000]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-05-03 158856]

R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-13 1255736]

R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\Brian\Desktop\Real\WinRing0x64.sys [2008-07-27 14544]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-22 834544]

S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2012-03-14 209768]

S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-14 148528]

S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [2010-07-09 21480]

S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2012-03-07 913144]

S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2012-03-14 137144]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]

S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 73616905

*Deregistered* - 73616905

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-11 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 23:15]

.

2012-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-769710056-2214912975-2338223646-1000Core.job

- c:\users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-22 20:05]

.

2012-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-769710056-2214912975-2338223646-1000UA.job

- c:\users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-22 20:05]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-03-07 4081008]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 10.0.1.1

DPF: {6C8E9E45-538C-473A-B83B-DA9AE1ED7604} - hxxps://insourcers.riahome.com/CABFiles/vspdf.cab

DPF: {A8561647-E93C-11D3-AC3B-CE6078F7B616} - hxxps://insourcers.riahome.com/CABFiles/vsprint7.cab

DPF: {EBB0431C-10EB-432D-8C53-64BDBEDBD86B} - hxxps://insourcers.riahome.com/CABFiles/xmlgridRS.cab

DPF: {F4721362-90E1-11D4-B547-00105A80AE07} - hxxps://insourcers.riahome.com/CABFiles/RIAInRSImport.cab

DPF: {FE83D8C0-07C7-4915-A6B4-4A6B895E677F} - hxxps://insourcers.riahome.com/CABFiles/vsFlexXMLDSO.cab

FF - ProfilePath - c:\users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\sztemzys.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://google.com/

FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bf28f5906-2c96-4968-b15c-3e3ead21c13d%7D&mid=781f85c40e44c8fd6fb1bf3ef7404b16-9a17500a96d428a5cdb8b2643968b9a928fc107f&ds=AVG&v=11.1.0.12&lang=en&pr=fr&d=2012-05-23%2018%3A51%3A44&sap=ku&q=

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)

AddRemove-Adobe AIR - c:\program files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe

AddRemove-GoldenEye: Source - c:\program files (x86)\Steam\SteamApps\sourcemods\GoldenEye: Source_Uninstall.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-11-11 15:23:39

ComboFix-quarantined-files.txt 2012-11-11 20:23

.

Pre-Run: 780,941,635,584 bytes free

Post-Run: 781,358,047,232 bytes free

.

- - End Of File - - EB342A35353AAF079502D06DD548DB8D


I ran Hijackthis and copied the log to their website and had it parsed. Here is the parsed information. Maybe this can help.

You can reference this log by going to: http://hjt.iamnotageek.com/log-1029024.html

Could not execute query correctly. : 1062: Duplicate entry '@serviceystemroot%system32fxsresm.dll,-' for key 1

Could not execute query correctly. : 1062: Duplicate entry '@serviceystemroot%system32psbase.dll,-' for key 1

Could not execute query correctly. : 1062: Duplicate entry '@serviceystemroot%system32Locator.exe,-' for key 1

Could not execute query correctly. : 1062: Duplicate entry '@serviceystemroot%system32spoolsv.exe,-' for key 1

Could not execute query correctly. : 1062: Duplicate entry '@serviceystemroot%system32vssvc.exe,-' for key 1

Could not execute query correctly. : 1062: Duplicate entry '@serviceystemroot%system32wbengine.exe,-' for key 1

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 3:30:38 PM, on 11/11/2012

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16450)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Lambers\TestPrep\CMEngine_v10.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Brian\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2786678/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo0.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll (file missing)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: uTorrentBar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo0.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo0.dll

O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\Windows\is-5C6AA.exe" /REG /REGSVRMODE

O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) - https://insourcers.riahome.com/CABFiles/RSLoginModule.cab

O16 - DPF: {455182EE-8F93-11D2-BA3C-00C04F7F6533} (CLRTabbedList Class) - https://insourcers.riahome.com/CABFiles/RSTabbedList.cab

O16 - DPF: {6C8E9E45-538C-473A-B83B-DA9AE1ED7604} (:-) VideoSoft VSPDF 7.0) - https://insourcers.riahome.com/CABFiles/vspdf.cab

O16 - DPF: {82BFFC8C-B4BD-11D4-9908-000102053AFB} (GRSNotifierCtrl Class) - https://insourcers.riahome.com/CABFiles/webnotifier.cab

O16 - DPF: {A8561647-E93C-11D3-AC3B-CE6078F7B616} (:-) VideoSoft VSPrinter 7.0) - https://insourcers.riahome.com/CABFiles/vsprint7.cab

O16 - DPF: {C0A63B86-4B21-11D3-BD95-D426EF2C7949} (:-) VideoSoft FlexGrid 7.0 (Light)) - https://insourcers.riahome.com/CABFiles/vsflex7L.cab

O16 - DPF: {D76D712E-4A96-11D3-BD95-D296DC2DD072} (:-) VideoSoft FlexGrid 7.0 (OLEDB)) - https://insourcers.riahome.com/CABFiles/vsflex7.cab

O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} (RIM AxLoader) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {EBB0431C-10EB-432D-8C53-64BDBEDBD86B} (XmlGridRS Class) - https://insourcers.riahome.com/CABFiles/xmlgridRS.cab

O16 - DPF: {F4721362-90E1-11D4-B547-00105A80AE07} (xmlWrapper Class) - https://insourcers.riahome.com/CABFiles/RIAInRSImport.cab

O16 - DPF: {FE83D8C0-07C7-4915-A6B4-4A6B895E677F} (VSFlexDSO Class) - https://insourcers.riahome.com/CABFiles/vsFlexXMLDSO.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll (file missing)

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe

O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)


  • Staff
I ran Hijackthis and copied the log to their website and had it parsed. Here is the parsed information. Maybe this can help.

No, not really. If you want to finish this yourself, please feel free to do so.

If you want to continue to have me help you, then please don't do anything else on your own, as it may interfere with what I am trying to accomplish (I do have a certain method that so far has been very successful, but I understand it's asking a lot to have you have complete trust in a total stranger).

please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:

Press the WinKey + R to open a run box, type Notepad > click OK.

This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


FCopy::
c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll | c:\windows\system32\user32.dll
c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll | c:\windows\SysWOW64\user32.dll

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

[Screenshot: CFScriptB-4.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NEXT

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

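As an added example (not from the thread, and not ComboFix's or HijackThis's own code), here is a PowerShell check that reproduces what the "[-]" user32.dll lines in the ComboFix log flag and that the FCopy script above is meant to repair: hash the live copy in System32 and SysWOW64 and compare it with the copies Windows keeps in the WinSxS component store. It assumes Windows 7 x64 or later, an elevated prompt, and PowerShell 4 or newer for Get-FileHash; the function and variable names are my own.

```powershell
# Added example, not from the thread or from ComboFix: reproduce the check behind the
# "[-]" user32.dll lines in the log by hashing the live file and comparing it with the
# copies Windows keeps in the WinSxS component store. MD5 is used only so the values
# line up with what ComboFix prints; it is a fingerprint here, not a security primitive.
# Assumptions: Windows 7 x64 or later, an elevated prompt, PowerShell 4+ (Get-FileHash).

function Get-StoreCopies {
    param([Parameter(Mandatory)][string]$FileName)
    # Component directories are named <arch>_<component>_<token>_<version>_...; the file
    # inside keeps its normal name, so search by leaf name and keep only real components.
    $store = Join-Path $env:SystemRoot 'WinSxS'
    Get-ChildItem -Path $store -Recurse -File -Filter $FileName -ErrorAction SilentlyContinue |
        Where-Object { $_.Directory.Name -match '^(amd64|wow64|x86)_' } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Arch    = ($_.Directory.Name -split '_')[0]
                Version = $_.VersionInfo.FileVersion
                MD5     = (Get-FileHash -Algorithm MD5 -Path $_.FullName).Hash
            }
        }
}

function Test-SystemFileAgainstStore {
    param([Parameter(Mandatory)][string]$FileName)
    $store = @(Get-StoreCopies -FileName $FileName)

    # System32 holds the native (amd64) binary, SysWOW64 the 32-bit one (wow64 in the store).
    $targets = @(
        @{ Path = Join-Path $env:SystemRoot "System32\$FileName"; Arch = 'amd64' },
        @{ Path = Join-Path $env:SystemRoot "SysWOW64\$FileName"; Arch = 'wow64' }
    )

    foreach ($t in $targets) {
        if (-not (Test-Path $t.Path)) { continue }
        $live = Get-Item $t.Path
        $md5  = (Get-FileHash -Algorithm MD5 -Path $t.Path).Hash
        $ver  = $live.VersionInfo.FileVersion

        # A clean file matches, byte for byte, the store copy of the same arch and version.
        $sameVersion = @($store | Where-Object { $_.Arch -eq $t.Arch -and $_.Version -eq $ver })
        $byteMatch   = @($sameVersion | Where-Object { $_.MD5 -eq $md5 })

        if ($byteMatch.Count -gt 0) {
            $verdict = 'OK: identical to component store copy'
        } elseif ($sameVersion.Count -gt 0) {
            # Same version string but different bytes: this is what ComboFix marks with "[-]".
            $verdict = 'MODIFIED: hash differs from store copy of the same version'
        } else {
            $verdict = 'UNKNOWN: no store copy of this version to compare against'
        }

        [pscustomobject]@{
            Path            = $t.Path
            Version         = $ver
            MD5             = $md5
            StoreHasVersion = ($sameVersion.Count -gt 0)
            MatchesStore    = ($byteMatch.Count -gt 0)
            Verdict         = $verdict
        }
    }
}

# Check the file the thread is about; add more names to the list to widen the sweep.
'user32.dll' | ForEach-Object { Test-SystemFileAgainstStore -FileName $_ } | Format-List
```

Run it before and after the FCopy step: a "MODIFIED" verdict that turns into "OK" confirms the replacement landed, while "UNKNOWN" means the store has no copy of that version and the file should be judged by other means (for example, a known-good hash from a clean install).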

ComboFix 12-11-10.02 - Brian 11/11/2012 18:15:22.2.4 - x64

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2575 [GMT -5:00]

Running from: c:\users\Brian\Desktop\ComboFix.exe

Command switches used :: c:\users\Brian\Desktop\CFScript.txt

AV: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}

SP: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll --> c:\windows\system32\user32.dll

c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll --> c:\windows\SysWOW64\user32.dll

.

((((((((((((((((((((((((( Files Created from 2012-10-11 to 2012-11-11 )))))))))))))))))))))))))))))))

.

.

2012-11-11 23:22 . 2012-11-11 23:22 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-11-11 23:22 . 2012-11-11 23:22 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-11-11 22:20 . 2012-11-11 22:20 -------- d-----w- C:\FRST

2012-11-11 21:55 . 2012-11-11 21:55 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll

2012-11-11 21:55 . 2012-11-11 21:55 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll

2012-11-11 21:55 . 2012-11-11 21:55 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll

2012-11-11 21:55 . 2012-11-11 21:55 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll

2012-11-11 21:55 . 2012-11-11 21:55 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll

2012-11-11 21:55 . 2012-11-11 21:54 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll

2012-11-11 21:55 . 2012-11-11 21:54 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll

2012-11-11 21:54 . 2012-11-11 21:54 -------- d-----w- c:\program files (x86)\QuickTime

2012-11-11 21:53 . 2012-08-21 18:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2012-11-11 21:52 . 2012-11-11 21:52 -------- d-----w- c:\program files\iPod

2012-11-11 21:52 . 2012-11-11 21:53 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

2012-11-11 21:52 . 2012-11-11 21:53 -------- d-----w- c:\program files\iTunes

2012-11-11 21:52 . 2012-11-11 21:53 -------- d-----w- c:\program files (x86)\iTunes

2012-11-11 21:24 . 2012-11-11 21:24 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service

2012-11-11 18:43 . 2012-11-11 22:01 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CE5A6C6A-CC09-46E7-9E63-448183D13315}\offreg.dll

2012-11-10 20:44 . 2012-11-10 20:44 -------- dc-h--w- c:\programdata\{93D6607E-CDD1-4873-8FCA-D342BA47CD87}

2012-11-10 20:42 . 2012-11-10 20:42 -------- dc-h--w- c:\programdata\{62889E3B-679B-45F8-A351-AA2FA7EC013C}

2012-11-10 20:39 . 2012-11-10 20:39 -------- dc-h--w- c:\programdata\{53DF9DA2-B01F-423B-A7F6-5DBD67FB89CD}

2012-11-10 19:49 . 2012-11-10 19:49 -------- d-----w- c:\windows\system32\appmgmt

2012-11-10 18:59 . 2012-11-10 18:59 -------- d-----w- c:\program files\Hitman Pro 3.5

2012-11-10 18:50 . 2012-11-10 18:50 -------- d-----w- c:\program files\Enigma Software Group

2012-11-10 18:49 . 2012-11-11 18:32 -------- d-----w- c:\windows\83B952C7F8F34CA3B4C533C85B24E478.TMP

2012-11-10 18:49 . 2012-11-10 18:49 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard

2012-11-10 00:29 . 2012-10-17 06:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CE5A6C6A-CC09-46E7-9E63-448183D13315}\mpengine.dll

2012-11-10 00:12 . 2012-08-20 18:48 215040 ----a-w- c:\windows\system32\winsrv.dll

2012-11-10 00:12 . 2012-08-20 18:48 424448 ----a-w- c:\windows\system32\KernelBase.dll

2012-11-10 00:12 . 2012-08-20 18:48 1162240 ----a-w- c:\windows\system32\kernel32.dll

2012-11-10 00:12 . 2012-08-20 18:46 338432 ----a-w- c:\windows\system32\conhost.exe

2012-11-10 00:12 . 2012-08-20 17:37 274944 ----a-w- c:\windows\SysWow64\KernelBase.dll

2012-11-10 00:10 . 2012-08-30 18:03 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-11-10 00:09 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll

2012-11-10 00:09 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll

2012-11-10 00:09 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll

2012-11-10 00:09 . 2012-04-28 05:32 1112064 ----a-w- c:\windows\system32\rdpcorets.dll

2012-11-10 00:09 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-11-10 00:09 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll

2012-11-10 00:09 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-11-10 00:09 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-11-10 00:09 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys

2012-11-10 00:08 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll

2012-11-10 00:08 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll

2012-11-10 00:08 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll

2012-11-10 00:08 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll

2012-11-10 00:04 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll

2012-11-10 00:04 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe

2012-11-10 00:04 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe

2012-11-10 00:04 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll

2012-11-10 00:04 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll

2012-11-10 00:04 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll

2012-11-10 00:04 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll

2012-11-09 23:02 . 2012-11-09 23:02 -------- d-----w- c:\users\Brian\AppData\Local\ESET

2012-11-09 21:38 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-11-09 21:38 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-11-09 21:38 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll

2012-11-09 21:38 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-11-09 21:38 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll

2012-11-09 21:38 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-11-09 21:38 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-11-09 21:38 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-11-09 21:38 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-11-09 21:32 . 2012-11-09 21:32 39184 ----a-w- c:\windows\system32\Partizan.exe

2012-11-09 21:27 . 2012-11-09 21:27 -------- d-----w- c:\program files\ESET

2012-11-09 19:46 . 2012-11-09 19:46 -------- d-----w- c:\program files (x86)\ESET

2012-11-09 19:16 . 2012-11-11 18:31 -------- d-----w- c:\programdata\RegRun

2012-11-09 19:15 . 2012-11-09 19:15 2 --shatr- c:\windows\winstart.bat

2012-11-09 19:15 . 2012-11-11 18:33 -------- d-----w- c:\program files (x86)\UnHackMe

2012-11-09 19:00 . 2012-11-09 19:00 -------- d-----w- c:\users\Brian\AppData\Roaming\AVG2013

2012-11-09 18:58 . 2012-11-09 18:58 -------- d-----w- c:\users\Brian\AppData\Roaming\TuneUp Software

2012-11-09 18:56 . 2012-11-09 21:23 -------- d-----w- c:\programdata\AVG2013

2012-11-09 18:51 . 2012-11-09 18:51 -------- d-----w- c:\users\Brian\AppData\Local\MFAData

2012-11-09 18:51 . 2012-11-09 18:51 -------- d-----w- c:\users\Brian\AppData\Local\Avg2013

2012-11-08 23:43 . 2012-11-10 20:48 -------- d-----w- c:\users\Brian\AppData\Local\Facebook

2012-11-08 23:17 . 2012-11-08 23:17 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2012-10-25 08:12 . 2012-10-25 08:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2012-10-25 08:12 . 2012-10-25 08:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-10 19:00 . 2012-03-14 01:01 23112 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2012-11-08 23:17 . 2012-08-20 19:31 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-11-08 23:17 . 2012-08-20 19:31 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-11-08 23:15 . 2012-04-10 19:44 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-11-08 23:15 . 2011-12-31 17:39 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-09-30 00:54 . 2010-12-07 20:31 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-28 05:18 . 2010-01-22 20:11 65309168 ----a-w- c:\windows\system32\MRT.exe

2012-09-01 17:16 . 2012-09-01 17:16 4480000 ----a-w- c:\windows\es.scr

2012-08-21 18:01 . 2010-01-22 20:25 125872 ----a-w- c:\windows\system32\GEARAspi64.dll

2012-08-21 18:01 . 2010-01-22 20:25 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll

2012-08-20 17:38 . 2012-11-10 00:11 44032 ----a-w- c:\windows\apppatch\acwow64.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTo0.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentBar\prxtbuTo0.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTo0.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DevconDefaultDB"="c:\windows\system32\READREG" [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-disabled]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-10-02 3064000]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-05-03 158856]

R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-13 1255736]

R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\Brian\Desktop\Real\WinRing0x64.sys [2008-07-27 14544]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-22 834544]

S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2012-03-14 209768]

S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-14 148528]

S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [2010-07-09 21480]

S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2012-03-07 913144]

S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2012-03-14 137144]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]

S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-11 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 23:15]

.

2012-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-769710056-2214912975-2338223646-1000Core.job

- c:\users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-22 20:05]

.

2012-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-769710056-2214912975-2338223646-1000UA.job

- c:\users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-22 20:05]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-03-07 4081008]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 10.0.1.1

DPF: {6C8E9E45-538C-473A-B83B-DA9AE1ED7604} - hxxps://insourcers.riahome.com/CABFiles/vspdf.cab

DPF: {A8561647-E93C-11D3-AC3B-CE6078F7B616} - hxxps://insourcers.riahome.com/CABFiles/vsprint7.cab

DPF: {EBB0431C-10EB-432D-8C53-64BDBEDBD86B} - hxxps://insourcers.riahome.com/CABFiles/xmlgridRS.cab

DPF: {F4721362-90E1-11D4-B547-00105A80AE07} - hxxps://insourcers.riahome.com/CABFiles/RIAInRSImport.cab

DPF: {FE83D8C0-07C7-4915-A6B4-4A6B895E677F} - hxxps://insourcers.riahome.com/CABFiles/vsFlexXMLDSO.cab

FF - ProfilePath - c:\users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\oj3hehmz.default\

FF - ExtSQL: 2012-11-10 18:24; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)

AddRemove-Adobe AIR - c:\program files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe

AddRemove-GoldenEye: Source - c:\program files (x86)\Steam\SteamApps\sourcemods\GoldenEye: Source_Uninstall.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-11-11 18:30:23

ComboFix-quarantined-files.txt 2012-11-11 23:30

ComboFix2.txt 2012-11-11 20:23

.

Pre-Run: 783,080,435,712 bytes free

Post-Run: 783,133,372,416 bytes free

.

- - End Of File - - A88716296C3568148FE3E1ECFA4206ED


# AdwCleaner v2.007 - Logfile created 11/11/2012 at 18:46:08

# Updated 06/11/2012 by Xplode

# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)

# User : Brian - BRIAN-PC

# Boot Mode : Normal

# Running from : C:\Users\Brian\Desktop\AdwCleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll

File Deleted : C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.xpt

File Deleted : C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll

File Deleted : C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.xpt

File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\avg-secure-search.xml

Folder Deleted : C:\Program Files (x86)\Common Files\Software Update Utility

Folder Deleted : C:\Program Files (x86)\Conduit

Folder Deleted : C:\Program Files (x86)\DAEMON Tools Toolbar

Folder Deleted : C:\Program Files (x86)\uTorrentBar

Folder Deleted : C:\ProgramData\boost_interprocess

Folder Deleted : C:\Users\Brian\AppData\Local\Conduit

Folder Deleted : C:\Users\Brian\AppData\LocalLow\Conduit

Folder Deleted : C:\Users\Brian\AppData\LocalLow\uTorrentBar

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit

Key Deleted : HKCU\Software\AppDataLow\Software\uTorrentBar

Key Deleted : HKCU\Software\AppDataLow\Toolbar

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32099AAC-C132-4136-9E9A-4E364A424E17}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2786678

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9BB710D1-284A-49DC-9215-732ED0ECA65A}

Key Deleted : HKLM\Software\uTorrentBar

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{9BB710D1-284A-49DC-9215-732ED0ECA65A}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{043353E0-023D-4279-8E24-C217692CC4AB}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F600EE0B-979E-4E5E-98C1-4209CA465087}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentBar Toolbar

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}]

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}]

Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678/ --> hxxp://www.google.com

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default

File : C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\oj3hehmz.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v23.0.1271.64

File : C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [6870 octets] - [11/11/2012 18:46:08]

########## EOF - C:\AdwCleaner[s1].txt - [6930 octets] ##########


Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.11.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Brian :: BRIAN-PC [administrator]

11/11/2012 6:49:49 PM

mbam-log-2012-11-11 (18-49-49).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 234071

Time elapsed: 4 minute(s),

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


My computer seems to be running much MUCH faster, and I haven't had any google-redirect issues reoccur.

Not sure if there are any more steps to be done, but THANK YOU SO MUCH. I did NOT want to re-format the computer.

The only issue that occurred was when you had me copy the script showing the build of windows 7600 and 7601 into combofix.

It caused Windows to show a "not genuine" warning, but I fixed that issue (or at least the warning) within 3 mins.

Let me know if there are any more steps I should take to make sure its 100% removed from my computer.

I will definitely be sending you a Paypal reward within the next few days :)


  • Staff

µTorrent

P2P - I see you have the P2P software µTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

Perils of P2P File Sharing.

I would strongly recommend that you uninstall this now. You can do so via Control Panel >> Programs and Features.

There are indications of cracked programs on your system:

C:\Users\Brian\Downloads\Hitman Pro 3.5.9 Build 125 (x64) incl crack

Most certainly this practice has resulted in this infection.

Pirating software is theft and Malwarebytes does not condone this type of activity.

Now that you are clean, I strongly urge you to remove all the pirated software from your system, it really isn't worth it.

You can remove all the old Java from your system as you have the latest Java installed:

Please run the following:

CKScanner

Download CKScanner by askey127 from Here & save it to your Desktop.

  • Doubleclick CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply

Let me know if there are any outstanding issues; if not, we can clean up our tools.


CKScanner 2.1 - Additional Security Risks - These are not necessarily bad

c:\program files (x86)\steam\steamapps\sourcemods\gesource\materials\goldeneye\temple\crackedrock.vmt

c:\program files (x86)\steam\steamapps\sourcemods\gesource\materials\goldeneye\temple\crackedrock.vtf

c:\program files (x86)\steam\steamapps\sourcemods\gesource\materials\goldeneye\temple\crackedrock_normal.vtf

c:\windows\system32\slmgr.vbs.removewat

c:\windows\syswow64\slmgr.vbs.removewat

scanner sequence 3.EM.11.LSBBKB

----- EOF -----

Goldeneye is a free Halflife2 mod.


  • Staff

C:\Users\Brian\Desktop\RemoveWAT 2.2.7 (2012).rar

It's my understanding this program is used to pirate the Windows Operating System

If you do not own a licence for your operating system, then you need to contact Microsoft and make arrangements with them to obtain one.

How is the computer running now? Are there any outstanding issues?


Everything seems perfectly fine.

I'm going to be purchasing Windows 8 ~ January :)

I can't thank you enough. I can't believe how many Trojans and rootkits I had on my computer. By the time I got to you, I had removed 4 different ones, unless they were all linked.

Normally, i'd instantly reformat the computer, but since my laptop is being repaired, I had no other option for studying for this certification.

I have a backup hard drive, but of course I never used it.


  • Staff

We just have some housekeeping to do now,

Please do the following:

You can delete the roguekiller and Farbar logs and programs from your desktop.

NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.


NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.

If there are any logs/tools remaining on your desktop > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    • PC Safety and Security--What Do I Need?
    • Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

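An added post-cleanup check, not code from this thread or from any of the tools used in it. It follows up two things the thread leaves open: the ComboFix "Reg Loading Points" section above shows UAC switched off entirely (EnableLUA=0, ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0) and a dead autorun entry under HKEY_USERS\.DEFAULT (READREG, marked [X]), and the staff's Internet Explorer hardening steps are given as clicks with no way to confirm they stuck. The script reads those registry locations and reports anything that differs from the expected state. Assumptions: it runs in an elevated PowerShell on Windows 7 or later; the registry paths and the zone value IDs 1001, 1004 and 1201 are Microsoft's documented ones; the expected UAC values are the Windows defaults and the expected zone values are the settings the staff asked for; the -Fix switch and the rundll32 profile-path heuristic are this example's own, not anything the thread's tools do.

```powershell
# Added example: post-cleanup audit of the settings this thread's logs and
# advice touch. Not from the thread. Run in an elevated PowerShell; read-only
# unless -Fix is given. Expected values are Microsoft's defaults (UAC) and the
# staff's recommended settings (IE zone), not values copied from the logs.
param([switch]$Fix)

$findings = @()

# 1. UAC policy. The ComboFix log shows EnableLUA=0, ConsentPromptBehaviorAdmin=0
#    and PromptOnSecureDesktop=0: UAC is fully off, so anything the user runs
#    already has full admin rights with no prompt. Windows defaults are 1 / 5 / 1.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacExpected = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
$uac = Get-ItemProperty -Path $uacKey
foreach ($name in $uacExpected.Keys) {
    if ($uac.$name -ne $uacExpected[$name]) {
        $findings += "UAC: $name is '$($uac.$name)', expected $($uacExpected[$name])"
        if ($Fix) { Set-ItemProperty -Path $uacKey -Name $name -Value $uacExpected[$name] -Type DWord }
    }
}

# 2. IE Internet zone (zone 3) ActiveX settings from the staff's hardening steps.
#    Value names are the documented zone policy IDs: 1001 = download signed
#    ActiveX, 1004 = download unsigned ActiveX, 1201 = initialize and script
#    controls not marked safe. Data: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zoneExpected = @{ '1001' = 1; '1004' = 1; '1201' = 3 }
if (Test-Path $zoneKey) {
    $zone = Get-ItemProperty -Path $zoneKey
    foreach ($name in $zoneExpected.Keys) {
        if ($zone.$name -ne $zoneExpected[$name]) {
            $findings += "IE zone 3: $name is '$($zone.$name)', expected $($zoneExpected[$name])"
            if ($Fix) { Set-ItemProperty -Path $zoneKey -Name $name -Value $zoneExpected[$name] -Type DWord }
        }
    }
}

# 3. Autorun entries: Run keys in HKLM (64- and 32-bit views) and in every loaded
#    user hive, including the service hives (S-1-5-19, S-1-5-20) and .DEFAULT
#    that desktop tools often skip. Flag rundll32 loading a DLL out of a user
#    profile path (a common persistence pattern; heuristic is this example's own)
#    and commands whose program no longer exists (ComboFix marks those [X]).
$runSubkeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
                'Software\Microsoft\Windows\CurrentVersion\RunOnce',
                'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
$roots = @('Registry::HKEY_LOCAL_MACHINE') +
         @(Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
foreach ($root in $roots) {
    foreach ($sub in $runSubkeys) {
        $key = "$root\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSChildName, ...)
            $cmd = ([string]$p.Value).Trim()
            if ($cmd -match '(?i)rundll32.*\\users\\.*\.dll') {
                $findings += "AUTORUN: $key\$($p.Name) loads a DLL from a profile path: $cmd"
            }
            # First token (quoted or bare) is the program; check that it still exists.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = if ($exe -match '\\') { Test-Path -LiteralPath $exe } else { [bool](Get-Command $exe -ErrorAction SilentlyContinue) }
            if ($exe -and -not $exists) {
                $findings += "AUTORUN: $key\$($p.Name) points at a missing file: $exe"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it once read-only and review the warnings before rerunning with -Fix; the UAC and zone fixes are plain DWORD writes, but the autorun section only reports and never deletes, since a missing-file entry can be a leftover from a legitimate uninstall as easily as from a cleaned infection. Re-enabling UAC takes effect after a reboot.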

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.