
Vista infected with PUM.UserWLoad and TrojanRansom



  • Staff

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next; if you have any problems with one of them, just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

-RogueKiller-

  • Download RogueKiller and SAVE it to your Desktop (or from here).
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.

Gringo


I'm sorry for the delay. Now my keyboard does not seem to want to work on the infected PC and that is preventing me from getting into safe mode. In normal mode, my PC locks up after a minute or two, so I need safe mode to get anything done. I tried rebooting (several times) and I replaced the batteries with fresh ones, but it still isn't working. Tomorrow I will buy a cheap keyboard that I can plug in and attempt to get back to safe mode with networking and then download and run the programs.


Hello,

I have checkup.txt and the AdwCleaner[s1].txt below, but when I run RogueKiller from the desktop (as administrator) in safe mode, I get a message box that says "RogueKiller.exe has stopped working A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available." When I click on properties, both file version and program version are 8.4.3.0.

Results of screen317's Security Check version 0.99.57

Windows Vista Service Pack 2 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Security Center service is not running! This report may not be accurate!

Trend Micro Titanium

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

JavaFX 2.1.1

Java 6 Update 31

Java 7 Update 5

Java 6 Update 2

Java 6 Update 3

Java 6 Update 7

Java version out of Date!

Adobe Flash Player 11.5.502.146

Adobe Reader 8 Adobe Reader out of Date!

Adobe Reader 10.1.4 Adobe Reader out of Date!

Mozilla Firefox 17.0.1 Firefox out of Date!

Google Chrome 24.0.1312.52

Google Chrome 24.0.1312.56

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0 %

````````````````````End of Log``````````````````````

# AdwCleaner v2.109 - Logfile created 01/29/2013 at 16:48:20

# Updated 26/01/2013 by Xplode

# Operating system : Windows Vista Home Premium Service Pack 2 (32 bits)

# User : Owner - OWNER-PC

# Boot Mode : Safe mode with networking

# Running from : C:\Users\Owner\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

Stopped & Deleted : DefaultTabSearch

Stopped & Deleted : DefaultTabUpdate

***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

File Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\extensions\addon@defaulttab.com.xpi

File Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\searchplugins\search-here.xml

Folder Deleted : C:\Program Files\Ask.com

Folder Deleted : C:\Program Files\DefaultTab

Folder Deleted : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc

Folder Deleted : C:\Users\Owner\AppData\LocalLow\AskToolbar

Folder Deleted : C:\Users\Owner\AppData\Roaming\DefaultTab

Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Deleted : HKCU\Software\61e2e24fb6013e6b

Key Deleted : HKCU\Software\APN

Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar

Key Deleted : HKCU\Software\AppDataLow\Software\DefaultTab

Key Deleted : HKCU\Software\Ask.com

Key Deleted : HKCU\Software\Default Tab

Key Deleted : HKCU\Software\DefaultTab

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7F6AFBF1-E065-4627-A2FD-810366367D01}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F6AFBF1-E065-4627-A2FD-810366367D01}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}

Key Deleted : HKCU\Software\Zugo

Key Deleted : HKLM\Software\APN

Key Deleted : HKLM\Software\AskToolbar

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd

Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1

Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF

Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Deleted : HKLM\SOFTWARE\Classes\S

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}

Key Deleted : HKLM\Software\Default Tab

Key Deleted : HKLM\Software\DefaultTab

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01}

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\prefs.js

C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultengine", "Ask.com");

Deleted : user_pref("browser.search.order.2", "Ask.com");

Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "hxxp://www.bing.com/search?pc=Z014&form=ZGAAD[...]

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_.bing.com", "1300512336");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_.ebay.", "1297132777");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_.google.", "1295317603");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_.hrblock.com,.taxact.com,.taxactonline.com,tur[...]

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_.msn.com", "1296521241");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_.myspace.com", "1297132777");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_.yahoo.com", "1296521241");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_.youtube.com", "1296521241");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_/", "1291544347");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_amazon.com,www.ebay.,livingsocial.com,groupon.[...]

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_dealsplugin.com", "1292548576");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_dealsplugin.com/", "1296176290");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_facebook.com", "1291544347");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_h", "1300936370");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_hxxp", "1295317603");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_hxxp://www.facebook.com/plugins/like.php?href=[...]

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_iqquizgame.com", "1295086173");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_iqquizgame.com/", "1296176290");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_mail.aol.com", "1297399537");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_play-ga.me", "1295317603");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_play-ga.me/", "1296176290");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_revealmycrush.com", "1291943485");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_revealmycrush.com/", "1296176290");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_unlock-this.com", "1295086173");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_unlock-this.com/browserplugin", "1296003925");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_unlock-this.com/plugin", "1295575011");

Deleted : user_pref("extensions.crushcalc@gameplaylabs.com.rule_www.google.", "1294375232");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.fr", "1300937578");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.ranonce", true);

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_.bing.com", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_.ebay.", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_.google.", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_.hrblock.com,.taxact.com,.taxactonline.com,turbo[...]

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_.msn.com", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_.myspace.com", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_.yahoo.com", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_.youtube.com", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_/", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_dealsplugin.com/", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_facebook.com", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_h", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_hxxp", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_iqquizgame.com/", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_mail.aol.com", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_play-ga.me/", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_revealmycrush.com/", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_theclickcheck.com", "1301008702");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_unlock-this.com/browserplugin", "1300937632");

Deleted : user_pref("extensions.plugin2@gameplaylabs.com.rule_unlock-this.com/plugin", "1300937632");

-\\ Google Chrome v24.0.1312.56

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [12427 octets] - [29/01/2013 16:48:20]

########## EOF - C:\AdwCleaner[s1].txt - [12488 octets] ##########

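The AdwCleaner report above is organised into sections (services, files/folders, registry, browsers) with one "Action : target" line per change. When reading such a log, the entries worth a second look are the ones that show the adware had a foothold at startup: stopped-and-deleted services, Run values, Browser Helper Objects and IE search hooks. The following is an added example, not code from the thread or from AdwCleaner: a small Python parser that splits a log in this format by section, counts the removals, and lists the persistence-related entries. The embedded sample log is constructed from the format of the report posted above (it is an excerpt in that format, not the full report), and the list of autostart markers is an assumption of the example.

```python
"""Triage an AdwCleaner-style removal log: count what was removed per section
and pull out the entries that show the adware had a foothold at startup.

Added example for this thread; the sample log below is constructed from the
format of the AdwCleaner report posted above, not a complete copy of it.
"""
import re
from collections import defaultdict

# Constructed sample in the AdwCleaner v2 log format (header lines start with '#',
# sections are '***** [name] *****', actions are '<Action> : <target>').
SAMPLE_LOG = r"""
# AdwCleaner v2.109 - Logfile created 01/29/2013 at 16:48:20
# Option [Delete]

***** [services] *****

Stopped & Deleted : DefaultTabSearch
Stopped & Deleted : DefaultTabUpdate

***** [Files / Folders] *****

File Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\extensions\addon@defaulttab.com.xpi
Folder Deleted : C:\Program Files\DefaultTab

***** [Registry] *****

Key Deleted : HKCU\Software\DefaultTab
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457
[OK] Registry is clean.
-\\ Mozilla Firefox v17.0.1 (en-US)
File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\prefs.js
Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.order.2", "Ask.com");
-\\ Google Chrome v24.0.1312.56
[OK] File is clean.
"""

SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
ACTION_RE = re.compile(r"^(?P<action>[A-Za-z &]+?) : (?P<target>.+)$")

# Registry locations that load code or hook the browser at startup (lowercased
# substrings; this list is the example's own assumption, not AdwCleaner's).
# A deletion under one of these means the adware persisted, not just existed.
AUTOSTART_MARKERS = (
    r"\currentversion\run",          # Run / RunOnce values
    r"\browser helper objects",      # IE BHOs
    r"\urlsearchhooks",              # IE address-bar search hooks
    r"\internet explorer\toolbar",   # IE toolbars
)


def parse_adwcleaner_log(text):
    """Return {section: [(action, target), ...]}; '#' header lines are ignored."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("name").strip().lower()
            continue
        act = ACTION_RE.match(line)
        if act and current is not None:
            sections[current].append((act.group("action"), act.group("target")))
    return dict(sections)


def removal_counts(sections):
    """Number of 'Deleted' actions per section (informational 'File :' lines are skipped)."""
    return {name: sum(1 for action, _ in entries if "Deleted" in action)
            for name, entries in sections.items()}


def autostart_hits(sections):
    """Removed services plus registry deletions in autostart/browser-hook locations."""
    hits = [t for a, t in sections.get("services", []) if "Deleted" in a]
    for action, target in sections.get("registry", []):
        if "Deleted" in action and any(m in target.lower() for m in AUTOSTART_MARKERS):
            hits.append(target)
    return hits


if __name__ == "__main__":
    parsed = parse_adwcleaner_log(SAMPLE_LOG)
    for name, count in removal_counts(parsed).items():
        print(f"{name:20s} removed: {count}")
    print("persistence-related removals:")
    for hit in autostart_hits(parsed):
        print("  ", hit)
```

Run against the sample, the services section and three of the four registry deletions are reported as persistence-related; the plain HKCU\Software\DefaultTab key and the Firefox preference lines are counted but not flagged, which is the distinction a helper wants when deciding whether a deeper scan (as the next post in the thread asks for) is warranted.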

  • Staff

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.


  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under the Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened; this is the one that I need posted back here
    • Extra.txt <-- Will be minimized; save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo


OTL logfile created on: 1/29/2013 8:15:58 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Owner\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.53 Gb Available Physical Memory | 84.32% Memory free

8.90 Gb Paging File | 8.66 Gb Available in Paging File | 97.35% Paging File free

Paging file location(s): C:\pagefile.sys 3070 3070E:\pagef [binary data over 200 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 289.16 Gb Total Space | 125.08 Gb Free Space | 43.26% Space Free | Partition Type: NTFS

Drive D: | 8.92 Gb Total Space | 0.81 Gb Free Space | 9.12% Space Free | Partition Type: NTFS

Drive E: | 298.09 Gb Total Space | 68.65 Gb Free Space | 23.03% Space Free | Partition Type: NTFS

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.

Boot Mode: SafeMode with Networking | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Owner\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Windows\explorer.exe (Microsoft Corporation)

========== Modules (No Company Name) ==========

========== Services (SafeList) ==========

SRV - (Amsp) -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe File not found

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)

SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)

SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)

SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)

SRV - (FlipShare Service) -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe ()

SRV - (FlipShareServer) -- C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe ()

SRV - (WAS) -- C:\Windows\System32\inetsrv\iisw3adm.dll (Microsoft Corporation)

SRV - (W3SVC) -- C:\Windows\System32\inetsrv\iisw3adm.dll (Microsoft Corporation)

SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

SRV - (ABBYY.Licensing.FineReader.ScreenshotReader.9.0) -- C:\Program Files\ABBYY Screenshot Reader\NetworkLicenseServer.exe (ABBYY)

SRV - (AppHostSvc) -- C:\Windows\System32\inetsrv\apphostsvc.dll (Microsoft Corporation)

SRV - (IAANTMON) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

SRV - (Remote UI Service) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe (Intel® Corporation)

SRV - (MCLServiceATL) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe (Intel® Corporation)

SRV - (ISSM) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\issm.exe (Intel® Corporation)

SRV - (AlertService) -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe (Intel® Corporation)

SRV - (DQLWinService) -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe ()

SRV - (M1 Server) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe ()

SRV - (IntelDHSvcConf) -- C:\Program Files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe (Intel® Corporation)

========== Driver Services (SafeList) ==========

DRV - (NwlnkFwd) -- File not found

DRV - (NwlnkFlt) -- File not found

DRV - (IpInIp) -- File not found

DRV - (TrueSight) -- C:\Windows\System32\drivers\TrueSight.sys ()

DRV - (MBAMSwissArmy) -- C:\Windows\System32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)

DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)

DRV - (RsFx0105) -- C:\Windows\System32\drivers\RsFx0105.sys (Microsoft Corporation)

DRV - (tmcomm) -- C:\Windows\System32\drivers\tmcomm.sys (Trend Micro Inc.)

DRV - (tmtdi) -- C:\Windows\System32\drivers\tmtdi.sys (Trend Micro Inc.)

DRV - (tmevtmgr) -- C:\Windows\System32\drivers\tmevtmgr.sys (Trend Micro Inc.)

DRV - (tmactmon) -- C:\Windows\System32\drivers\tmactmon.sys (Trend Micro Inc.)

DRV - (netr73) -- C:\Windows\System32\drivers\netr73.sys (Ralink Technology, Corp.)

DRV - (hcw18bda) -- C:\Windows\System32\drivers\hcw18bda.sys (Hauppauge Computer Works, Inc)

DRV - (HSXHWBS2) -- C:\Windows\System32\drivers\HSXHWBS2.sys (Conexant Systems, Inc.)

DRV - (HSF_DP) -- C:\Windows\System32\drivers\HSX_DP.sys (Conexant Systems, Inc.)

DRV - (e1express) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)

DRV - (SSKBFD) -- C:\Windows\System32\drivers\sskbfd.sys (Webroot Software Inc (www.webroot.com))

DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)

DRV - (MCSTRM) -- C:\Windows\System32\drivers\mcstrm.sys (RealNetworks, Inc.)

DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)

DRV - (Ps2) -- C:\Windows\System32\drivers\PS2.sys (Hewlett-Packard Company)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop

IE - HKLM\..\SearchScopes,DefaultScope =

IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKLM\..\SearchScopes\{9C78CC89-4D44-467E-9FED-43E4F41598BD}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

IE - HKLM\..\SearchScopes\{AD7F031B-1E37-4441-B0B7-2D53C0F148FA}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

IE - HKLM\..\SearchScopes\{BA03F9B3-E0AA-409B-9357-5AA0C124EEC8}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7

IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com/ig?hl=enhtt [binary data over 200 bytes]

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\..\SearchScopes\{02BF8049-74E2-469F-9F5D-C0361F912E27}: "URL" = http://www.mysearchresults.com/search?&c=2652&t=03&q={searchTerms}

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\..\SearchScopes\{27A57C1C-EE9B-81EC-BDC1-8EA138781FE4}: "URL" = http://www.bing.com/search?q={searchTerms}&pc=Z014&form=ZGAIDF

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\..\SearchScopes\{9C78CC89-4D44-467E-9FED-43E4F41598BD}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\..\SearchScopes\{AD7F031B-1E37-4441-B0B7-2D53C0F148FA}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\..\SearchScopes\{BA03F9B3-E0AA-409B-9357-5AA0C124EEC8}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3115292585-132024008-615525151-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"

FF - prefs.js..browser.search.order.1: "Yahoo"

FF - prefs.js..browser.search.param.yahoo-fr: "w3i&type=W3i_DS,157,0_0,Search,20121252,6902,0,63,0"

FF - prefs.js..browser.search.selectedEngine: "Yahoo"

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "http://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=W3i_SP,205,0_0,StartPage,20121252,16900,0,63,0"

FF - prefs.js..extensions.enabledAddons: amznUWL2%40amazon.com:1.10

FF - prefs.js..extensions.enabledAddons: LogMeInClient%40logmein.com:1.0.0.664

FF - prefs.js..extensions.enabledAddons: support%40ancestry.com:1.0.0.1

FF - prefs.js..extensions.enabledAddons: taahenxxmj%40taahenxxmj.org:2.5

FF - prefs.js..extensions.enabledAddons: %7B20a82645-c095-46ed-80e3-08825760534b%7D:0.0.0

FF - prefs.js..extensions.enabledAddons: addon%40defaulttab.com:1.4.3

FF - prefs.js..extensions.enabledAddons: %7B635abd67-4fe9-1b23-4f01-e679fa7484c1%7D:2.5.1.20121012015120

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1

FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.3

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: support@ancestry.com:1.0.0.1

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - prefs.js..extensions.enabledItems: searchtoolbar@zugo.com:1.2

FF - prefs.js..extensions.enabledItems: amznUWL2@amazon.com:1.4

FF - prefs.js..extensions.enabledItems: plugin2@gameplaylabs.com:2.0

FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?ei=UTF-8&fr=w3i&type=W3i_DS,157,0_0,Search,20121252,6902,0,63,0&p="

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_5_502_146.dll ()

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0: C:\Program Files\Picasa2\npPicasa2.dll (Google, Inc.)

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.)

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/wpi,version=1.0: C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll ()

FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)

FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.732: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.732: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=1.0.0.0: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.732: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/04/04 22:22:30 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1505\6.6.1088\firefoxextension\ [2012/12/11 06:16:35 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/08 07:46:25 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/12/08 07:46:18 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{57E72829-C158-4341-BBED-58F0AD1740FD}: C:\Program Files\Google\Google Photos Screensaver\FF_ext [2007/08/14 05:40:36 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/08 07:46:25 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/12/08 07:46:18 | 000,000,000 | ---D | M]

[2010/02/20 11:42:38 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Owner\AppData\Roaming\Mozilla\Extensions

[2013/01/29 16:48:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\extensions

[2012/12/27 10:44:20 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2011/07/11 19:57:50 | 000,000,000 | ---D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\extensions\LogMeInClient@logmein.com

[2011/04/04 22:22:33 | 000,000,000 | ---D | M] (Ancestry.com Advanced Image Viewer) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\extensions\support@ancestry.com

[2012/09/19 21:12:26 | 000,243,287 | ---- | M] () (No name found) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\extensions\amznUWL2@amazon.com.xpi

[2008/01/18 23:49:12 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\extensions\taahenxxmj@taahenxxmj.org.xpi

[2010/12/05 04:18:21 | 000,001,919 | -H-- | M] () -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\searchplugins\bing-zugo.xml

[2012/12/08 07:46:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

File not found (No name found) -- C:\USERS\OWNER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\YMH3S2LZ.DEFAULT\EXTENSIONS\ADDON@DEFAULTTAB.COM.XPI

[2009/07/04 21:33:12 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION

[2012/12/08 07:46:24 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2012/09/09 21:51:05 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2012/10/14 11:47:33 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://www.google.com

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}

CHR - homepage: http://www.google.com

CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\24.0.1312.56\pdf.dll

CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\24.0.1312.56\gears.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\24.0.1312.56\gcswf32.dll

CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll

CHR - plugin: Java Deployment Toolkit 6.0.210.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll

CHR - plugin: Java Platform SE 6 U21 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll

CHR - plugin: RealPlayer G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll

CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll

CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll

CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll

CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll

CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll

CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll

CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll

CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll

CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll

CHR - plugin: Google Updater (Enabled) = C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll

CHR - plugin: WPI Detector 1.1 (Enabled) = C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll

CHR - plugin: Picasa (Enabled) = C:\Program Files\Picasa2\npPicasa2.dll

CHR - plugin: Picasa (Enabled) = C:\Program Files\Picasa2\npPicasa3.dll

CHR - plugin: RealNetworks Rhapsody Player Engine (Enabled) = C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll

CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

CHR - plugin: RealPlayer HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

CHR - plugin: Windows Presentation Foundation (Enabled) = C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll

CHR - plugin: Default Plug-in (Enabled) = default_plugin

CHR - Extension: Entanglement = C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.7.9_0\

CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.1\

CHR - Extension: Poppit = C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2011/08/01 19:28:26 | 000,000,791 | ---- | M]) - C:\Windows\System32\drivers\etc\HOSTS

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O1 - Hosts: 127.0.0.1 www.goodhockey.com

O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1505\6.6.1088\TmIEPlg.dll (Trend Micro Inc.)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)

O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)

O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)

O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)

O4 - HKLM..\Run: [KBD] C:\HP\KBD\KbdStub.EXE ()

O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)

O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)

O4 - HKLM..\Run: [snapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe ()

O4 - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)

O4 - HKLM..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe (Trend Micro Inc.)

O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)

O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)

O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)

F3 - HKU\S-1-5-21-3115292585-132024008-615525151-1001 WinNT: Load - (C:\Users\Owner\LOCALS~1\Temp\msezucw.com) - File not found

O7 - HKU\S-1-5-21-3115292585-132024008-615525151-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\Program Files\Bonjour\mdnsNSP.dll File not found

O13 - gopher Prefix: missing

O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)

O15 - HKU\S-1-5-21-3115292585-132024008-615525151-1001\..Trusted Ranges: Range1 ([http] in Local intranet)

O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} http://mvod.web.aol.com/mce/new/ServiceMgr.CAB (ZtServiceManager Class)

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 10.5.1)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)

O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 10.5.1)

O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} http://eserver.solcominc.com/dwa7W.cab (Domino Web Access 7 Control)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2350491D-60ED-45BD-9443-8EF8116A8580}: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)

O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1505\6.6.1088\TmIEPlg.dll (Trend Micro Inc.)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\awave.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\awave.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/05/24 18:27:07 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O33 - MountPoints2\{3bcdd59e-3f9e-11dc-83fd-001bfc5237f9}\Shell\AutoRun\command - "" = K:\mri.exe

O34 - HKLM BootExecute: (autocheck autochk *)

O34 - HKLM BootExecute: (MACHINE BootExecut)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/29 20:13:16 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe

[2013/01/29 17:05:37 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\RK_Quarantine

[2013/01/27 20:50:17 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2013/01/27 12:19:25 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\Owner\Desktop\dds.com

[2013/01/27 12:08:01 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\Put back on desktop before running contents

[2013/01/09 13:05:33 | 002,048,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

[2013/01/09 13:05:03 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ncrypt.dll

========== Files - Modified Within 30 Days ==========

[2013/01/29 20:13:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe

[2013/01/29 17:09:41 | 000,015,616 | ---- | M] () -- C:\Windows\System32\drivers\TrueSight.sys

[2013/01/29 17:04:12 | 000,768,512 | ---- | M] () -- C:\Users\Owner\Desktop\RogueKiller.exe

[2013/01/29 16:54:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2013/01/29 16:50:55 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2013/01/29 16:50:25 | 000,000,324 | ---- | M] () -- C:\Windows\tasks\spmonitor.job

[2013/01/29 16:50:25 | 000,000,270 | ---- | M] () -- C:\Windows\tasks\SpeedUpMyPC.job

[2013/01/29 16:50:22 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2013/01/29 16:50:21 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2013/01/29 16:46:43 | 000,580,235 | ---- | M] () -- C:\Users\Owner\Desktop\adwcleaner.exe

[2013/01/29 16:12:04 | 000,881,914 | ---- | M] () -- C:\Users\Owner\Desktop\SecurityCheck.exe

[2013/01/27 21:01:01 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job

[2013/01/27 20:50:17 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2013/01/27 12:19:25 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\Owner\Desktop\dds.com

[2013/01/26 21:39:12 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2013/01/26 19:02:32 | 000,000,322 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForOwner.job

[2013/01/26 13:55:01 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job

[2013/01/19 04:06:58 | 000,001,997 | ---- | M] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2013/01/13 08:19:00 | 000,000,400 | ---- | M] () -- C:\Windows\tasks\EasyShare Registration Task.job

[2013/01/10 03:36:20 | 000,762,146 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2013/01/10 03:36:20 | 000,166,736 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2013/01/10 03:29:23 | 000,355,072 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2013/01/09 01:01:14 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe

[2013/01/09 01:01:14 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl

========== Files Created - No Company Name ==========

[2013/01/29 17:05:43 | 000,015,616 | ---- | C] () -- C:\Windows\System32\drivers\TrueSight.sys

[2013/01/29 17:04:12 | 000,768,512 | ---- | C] () -- C:\Users\Owner\Desktop\RogueKiller.exe

[2013/01/29 16:46:43 | 000,580,235 | ---- | C] () -- C:\Users\Owner\Desktop\adwcleaner.exe

[2013/01/29 16:12:04 | 000,881,914 | ---- | C] () -- C:\Users\Owner\Desktop\SecurityCheck.exe

[2012/12/22 08:29:53 | 000,000,055 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\mbam.context.scan

[2012/12/22 08:08:19 | 000,019,240 | -HS- | C] () -- C:\Users\Owner\AppData\Local\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl

[2012/12/22 08:08:19 | 000,019,240 | -HS- | C] () -- C:\ProgramData\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl

[2012/12/16 10:41:46 | 000,751,078 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\1.bmp

[2012/12/16 10:41:34 | 000,018,252 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\sound.mp3

[2012/12/16 10:41:28 | 000,114,890 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\1.jpg

[2012/08/30 05:22:34 | 000,022,032 | ---- | C] () -- C:\Windows\DCEBoot.exe

[2011/04/04 21:45:32 | 000,000,136 | -H-- | C] () -- C:\ProgramData\~40492808r

[2011/04/04 21:45:32 | 000,000,112 | -H-- | C] () -- C:\ProgramData\~40492808

[2011/04/04 21:45:28 | 000,000,336 | -H-- | C] () -- C:\ProgramData\40492808

[2011/02/26 20:26:10 | 000,001,356 | ---- | C] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat

[2011/02/21 20:37:57 | 000,102,400 | ---- | C] () -- C:\Windows\RegBootClean.exe

[2007/08/17 23:02:02 | 000,015,360 | ---- | C] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2012/07/02 20:42:51 | 000,000,000 | -HSD | M] -- C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L

[2012/07/07 11:01:39 | 000,000,000 | -HSD | M] -- C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\U

[2012/07/03 01:58:02 | 000,000,804 | ---- | M] () -- C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L\00000004.@

[2012/08/28 20:59:38 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029\L

[2012/08/28 20:59:38 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029\U

[2006/11/02 06:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

"ThreadingModel" = Both

"" = shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = fastprox.dll -- [2009/04/11 00:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 00:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

< End of report >

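The OTL log above carries several entries that malware-removal helpers read as ZeroAccess indicators: the hidden `{GUID}\L` and `{GUID}\U` folders under AppData\Local and under `$Recycle.Bin\S-1-5-18` (with the `00000004.@` file inside), a per-user InProcServer32 registration under HKEY_CURRENT_USER\Software\Classes\clsid that takes precedence over the system shell32 registration for that user, and an HKLM InProcServer32 value of bare `fastprox.dll` instead of the full `%systemroot%\system32\wbem\fastprox.dll`, which makes the loader resolve the DLL through its search order rather than from the WMI directory (the FRST log later in the thread flags that same key). The Winlogon `Load` value pointing into Temp (the F3 line) is a separate autostart worth flagging. The following Python is an added example, not part of the original post and not code from OTL, FRST or Malwarebytes: it runs that triage over a handful of constructed OTL-style lines modelled on the posted log. The finding names (`zeroaccess_path`, `relative_inprocserver32` and so on) are this example's own labels, and the checks cover only what the helpers reacted to here, not a complete ZeroAccess signature.

```python
"""Triage OTL log lines for the ZeroAccess-style indicators seen in the thread.

Added example: not code from OTL, FRST or the forum helpers.  The sample
lines below are constructed to mirror entries in the posted log; the
finding names are this example's own labels.
"""
import re
from collections import Counter

# Constructed sample, modelled on the posted OTL log (not a full log).
SAMPLE_OTL = r'''
F3 - HKU\S-1-5-21-3115292585-132024008-615525151-1001 WinNT: Load - (C:\Users\Owner\LOCALS~1\Temp\msezucw.com) - File not found
[2012/07/02 20:42:51 | 000,000,000 | -HSD | M] -- C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L
[2012/07/03 01:58:02 | 000,000,804 | ---- | M] () -- C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L\00000004.@
[2012/08/28 20:59:38 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029\U
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"ThreadingModel" = Both
"" = shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = fastprox.dll -- [2009/04/11 00:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 00:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
'''.strip("\n")

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
ZEROACCESS_PATHS = [
    # %LOCALAPPDATA%\{GUID}\L and \U (the '@' files live underneath)
    re.compile(r"\\AppData\\Local\\" + GUID + r"\\[LU](\\|$)", re.I),
    # $Recycle.Bin\S-1-5-18\$<32 hex>\L and \U (same GUID with the dashes removed)
    re.compile(r"\\\$Recycle\.Bin\\S-1-5-18\\\$[0-9a-f]{32}\\[LU](\\|$)", re.I),
]
# OTL F3 line: the legacy Winlogon 'Load' value, normally empty on a clean machine
LOAD_RE = re.compile(r"^F3 - .*WinNT: Load - \((?P<path>[^)]+)\)", re.I)
KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\Software\\Classes\\clsid\\(?P<clsid>\{[^}]+\})\\InProcServer32\]$",
    re.I,
)
VALUE_RE = re.compile(r'^"" = (?P<path>.+?) -- \[')


def scan_otl(text):
    """Return a list of {'line', 'kind', 'detail'} findings for an OTL log fragment."""
    findings = []
    current_key = None  # (hive, clsid) of the InProcServer32 key header last seen
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = LOAD_RE.match(line)
        if m:
            findings.append({"line": n, "kind": "winlogon_load", "detail": m["path"]})
            continue
        if any(p.search(line) for p in ZEROACCESS_PATHS):
            path = line.rsplit(" -- ", 1)[-1]
            findings.append({"line": n, "kind": "zeroaccess_path", "detail": path})
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = (m["hive"].upper(), m["clsid"])
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            hive, clsid = current_key
            path = m["path"]
            if hive == "HKEY_CURRENT_USER":
                # HKCU\Software\Classes is merged ahead of HKLM under HKCR, so
                # this entry overrides the system COM registration for this user.
                kind = "hkcu_clsid_override"
            elif "\\" not in path:
                # Bare file name: resolved via the loader's search order instead
                # of the expected full path (e.g. system32\wbem\fastprox.dll).
                kind = "relative_inprocserver32"
            else:
                continue
            findings.append({"line": n, "kind": kind, "detail": f"{clsid} -> {path}"})
    return findings


def summarize(findings):
    """Count findings per kind."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    for f in scan_otl(SAMPLE_OTL):
        print(f"line {f['line']:>2}  {f['kind']:<24} {f['detail']}")
    print(dict(summarize(scan_otl(SAMPLE_OTL))))
```

To use it on a real report, pass the full text of OTL.txt to `scan_otl` instead of the constructed sample; anything it returns still needs a human to confirm against the expected file before a fix script is written, since a vendor can legitimately register a CLSID with a bare DLL name.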

  • Staff

Hello

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:


  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close the notepad.
  • In the command window type e:\frst.exe and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • First, press the Scan button.
  • It will make a log (FRST.txt).
  • Second, type the following in the edit box after "Search:": services.exe
  • Click the Search button.
  • It will make a log (Search.txt).

I want you to post both the FRST.txt report and the Search.txt into your reply to me.

Gringo


  • Staff

Greetings

I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and then I will ask you to remove our tools.

Gringo


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-02-2013 02

Ran by SYSTEM at 03-02-2013 15:22:39

Running from G:\

Windows Vista Home Premium (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [hpsysdrv] "c:\hp\support\hpsysdrv.exe" [65536 2006-09-28] (Hewlett-Packard Company)

HKLM\...\Run: [KBD] "C:\HP\KBD\KbdStub.EXE" [65536 2006-12-08] ()

HKLM\...\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [118784 2007-02-15] (OsdMaestro)

HKLM\...\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [151552 2006-11-15] (Intel Corporation)

HKLM\...\Run: [RtHDVCpl] "RtHDVCpl.exe" [x]

HKLM\...\Run: [snapfishMediaDetector] "C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe" [1441792 2007-03-02] ()

HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-10-05] (Apple Inc.)

HKLM\...\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart [90191 2007-03-12] (NVIDIA Corporation)

HKLM\...\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup [7770112 2007-03-12] (NVIDIA Corporation)

HKLM\...\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [81920 2007-03-12] (NVIDIA Corporation)

HKLM\...\Run: [ArcSoft Connection Service] "C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [207424 2010-10-27] (ArcSoft Inc.)

HKLM\...\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun [68592 2009-06-28] (Google Inc.)

HKLM\...\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL "" [1111568 2011-10-08] (Trend Micro Inc.)

HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [116752 2011-02-10] (Trend Micro Inc.)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [248552 2010-05-14] (Sun Microsystems, Inc.)

HKLM\...\Run: [] [x]

HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-12] (Hewlett-Packard)

HKU\Default\...\Run: [Windows Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /autorun [1233920 2009-04-10] (Microsoft Corporation)

HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-12] (Hewlett-Packard)

HKU\Default User\...\Run: [Windows Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /autorun [1233920 2009-04-10] (Microsoft Corporation)

HKU\IUSR_NMPR\...\Run: [Windows Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /autorun [1233920 2009-04-10] (Microsoft Corporation)

HKU\Owner\...\Run: [sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun [1233920 2009-04-10] (Microsoft Corporation)

HKU\Owner\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)

HKU\Owner\...\Run: [Windows Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /autorun [1233920 2009-04-10] (Microsoft Corporation)

HKU\Owner\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2007-08-05] (Google Inc.)

HKU\Owner\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2006-11-02] (Microsoft Corporation)

HKU\Owner\...\CurrentVersion\Windows: [Load] C:\Users\Owner\LOCALS~1\Temp\msezucw.com

HKLM\...\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe [44168 2007-03-07] (soft thinks)

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Snapfish Media Detector.lnk

ShortcutTarget: Snapfish Media Detector.lnk -> C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe ()

Startup: C:\Users\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 ABBYY.Licensing.FineReader.ScreenshotReader.9.0; "C:\Program Files\ABBYY Screenshot Reader\NetworkLicenseServer.exe" -service [759048 2009-05-14] (ABBYY)

2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)

3 AlertService; "C:\Program Files\Intel\IntelDH\CCU\AlertService.exe" [188416 2006-09-11] (Intel® Corporation)

2 DQLWinService; "C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe" [208896 2006-09-03] ()

2 FlipShare Service; "C:\Program Files\Flip Video\FlipShare\FlipShareService.exe" [460144 2011-05-06] ()

2 FlipShareServer; "C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe" [1085440 2011-05-06] ()

2 IntelDHSvcConf; "C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe" [29696 2006-05-10] (Intel® Corporation)

3 ISSM; "C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe" [75264 2006-09-11] (Intel® Corporation)

3 M1 Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [26624 2006-08-31] ()

2 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)

3 MCLServiceATL; "C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe" [167936 2006-09-11] (Intel® Corporation)

2 MSSQL$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [43028328 2011-09-22] (Microsoft Corporation)

4 MSSQLServerADHelper100; "C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [47128 2009-03-31] (Microsoft Corporation)

3 Remote UI Service; "C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe" [544256 2006-09-11] (Intel® Corporation)

4 SQLAgent$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [370024 2011-09-22] (Microsoft Corporation)

2 wscsvc; "C:\Windows\system32\wscsvc.dll" [61440 2009-04-10] (Microsoft Corporation)

2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [x]

2 LightScribeService; "c:\Program Files\Common Files\LightScribe\LSSrvc.exe" [x]

3 RoxMediaDB9; "c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe" [x]

3 stllssvr; "c:\Program Files\Common Files\SureThing Shared\stllssvr.exe" [x]

==================== Drivers (Whitelisted) ====================

3 hcw18bda; C:\Windows\System32\drivers\hcw18bda.sys [391168 2009-03-19] (Hauppauge Computer Works, Inc)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [21104 2012-12-14] (Malwarebytes Corporation)

3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2013-01-27] (Malwarebytes Corporation)

2 MCSTRM; C:\Windows\System32\Drivers\MCSTRM.sys [8413 2007-09-08] (RealNetworks, Inc.)

4 RsFx0105; C:\Windows\System32\DRIVERS\RsFx0105.sys [238696 2011-09-22] (Microsoft Corporation)

3 SSKBFD; C:\Windows\System32\Drivers\sskbfd.sys [23920 2008-01-04] (Webroot Software Inc (www.webroot.com))

2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [80464 2011-08-01] (Trend Micro Inc.)

2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [189520 2011-08-01] (Trend Micro Inc.)

2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [64080 2011-08-01] (Trend Micro Inc.)

1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [92112 2011-08-01] (Trend Micro Inc.)

3 TrueSight; \??\C:\Windows\system32\drivers\TrueSight.sys [15616 2013-01-29] ()

4 blbdrive; [x]

3 IpInIp; [x]

3 NwlnkFlt; [x]

3 NwlnkFwd; [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-01-29 18:28 - 2013-01-29 18:28 - 00056398 ____A C:\Users\Owner\Desktop\Extras.Txt

2013-01-29 18:26 - 2013-01-29 18:26 - 00078406 ____A C:\Users\Owner\Desktop\OTL.Txt

2013-01-29 18:13 - 2013-01-29 18:13 - 00602112 ____A (OldTimer Tools) C:\Users\Owner\Desktop\OTL.exe

2013-01-29 15:05 - 2013-01-29 15:09 - 00015616 ____A C:\Windows\System32\Drivers\TrueSight.sys

2013-01-29 15:05 - 2013-01-29 15:09 - 00000000 ____D C:\Users\Owner\Desktop\RK_Quarantine

2013-01-29 15:04 - 2013-01-29 15:04 - 00768512 ____A C:\Users\Owner\Desktop\RogueKiller.exe

2013-01-29 14:48 - 2013-01-29 14:48 - 00012558 ____A C:\AdwCleaner[s1].txt

2013-01-29 14:46 - 2013-01-29 14:46 - 00580235 ____A C:\Users\Owner\Desktop\adwcleaner.exe

2013-01-29 14:12 - 2013-01-29 14:12 - 00881914 ____A C:\Users\Owner\Desktop\SecurityCheck.exe

2013-01-27 18:50 - 2013-01-27 18:50 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys

2013-01-27 18:34 - 2013-01-27 18:34 - 00000000 ____A C:\Users\Owner\Desktop\New Text Document.txt

2013-01-27 10:26 - 2013-01-27 10:26 - 00016547 ____A C:\Users\Owner\Desktop\attach.txt

2013-01-27 10:26 - 2013-01-27 10:26 - 00014402 ____A C:\Users\Owner\Desktop\dds.txt

2013-01-27 10:19 - 2013-01-27 10:19 - 00688992 ____R (Swearware) C:\Users\Owner\Desktop\dds.com

2013-01-27 10:08 - 2013-01-27 10:11 - 00000000 ____D C:\Users\Owner\Desktop\Put back on desktop before running contents

2013-01-09 11:05 - 2012-11-22 17:35 - 02048000 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-01-09 11:05 - 2012-11-21 19:54 - 00353280 ____A (Microsoft Corporation) C:\Windows\System32\shlwapi.dll

2013-01-09 11:05 - 2012-11-19 20:22 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2013-01-09 11:05 - 2012-11-02 02:19 - 01400832 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

==================== One Month Modified Files and Folders ========

2013-02-03 15:22 - 2013-02-03 15:22 - 00000000 ____D C:\FRST

2013-02-03 13:16 - 2006-11-02 04:47 - 00355072 ____A C:\Windows\System32\FNTCACHE.DAT

2013-02-03 13:13 - 2009-12-17 21:20 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-02-03 13:13 - 2007-05-24 16:40 - 00000000 ____D C:\Windows\SMINST

2013-02-03 13:12 - 2012-12-07 08:56 - 00000324 ____A C:\Windows\Tasks\spmonitor.job

2013-02-03 13:12 - 2012-08-05 12:32 - 00000270 ____A C:\Windows\Tasks\SpeedUpMyPC.job

2013-02-03 13:12 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-02-03 13:12 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2013-02-03 13:12 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2013-01-29 18:28 - 2013-01-29 18:28 - 00056398 ____A C:\Users\Owner\Desktop\Extras.Txt

2013-01-29 18:26 - 2013-01-29 18:26 - 00078406 ____A C:\Users\Owner\Desktop\OTL.Txt

2013-01-29 18:13 - 2013-01-29 18:13 - 00602112 ____A (OldTimer Tools) C:\Users\Owner\Desktop\OTL.exe

2013-01-29 15:09 - 2013-01-29 15:05 - 00015616 ____A C:\Windows\System32\Drivers\TrueSight.sys

2013-01-29 15:09 - 2013-01-29 15:05 - 00000000 ____D C:\Users\Owner\Desktop\RK_Quarantine

2013-01-29 15:04 - 2013-01-29 15:04 - 00768512 ____A C:\Users\Owner\Desktop\RogueKiller.exe

2013-01-29 14:48 - 2013-01-29 14:48 - 00012558 ____A C:\AdwCleaner[s1].txt

2013-01-29 14:46 - 2013-01-29 14:46 - 00580235 ____A C:\Users\Owner\Desktop\adwcleaner.exe

2013-01-29 14:12 - 2013-01-29 14:12 - 00881914 ____A C:\Users\Owner\Desktop\SecurityCheck.exe

2013-01-27 19:01 - 2012-04-13 00:38 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-01-27 18:59 - 2006-11-02 04:37 - 00000000 __RHD C:\Users\Public\Recorded TV

2013-01-27 18:53 - 2007-06-08 20:04 - 01908711 ____A C:\Windows\WindowsUpdate.log

2013-01-27 18:50 - 2013-01-27 18:50 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys

2013-01-27 18:42 - 2007-08-05 14:32 - 00000000 ____D C:\Users\Owner\Local Settings\Google

2013-01-27 18:42 - 2007-08-05 14:32 - 00000000 ____D C:\Users\Owner\Local Settings\Application Data\Google

2013-01-27 18:42 - 2007-08-05 14:32 - 00000000 ____D C:\Users\Owner\AppData\Local\Google

2013-01-27 18:34 - 2013-01-27 18:34 - 00000000 ____A C:\Users\Owner\Desktop\New Text Document.txt

2013-01-27 10:41 - 2012-12-08 05:46 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-01-27 10:26 - 2013-01-27 10:26 - 00016547 ____A C:\Users\Owner\Desktop\attach.txt

2013-01-27 10:26 - 2013-01-27 10:26 - 00014402 ____A C:\Users\Owner\Desktop\dds.txt

2013-01-27 10:19 - 2013-01-27 10:19 - 00688992 ____R (Swearware) C:\Users\Owner\Desktop\dds.com

2013-01-27 10:11 - 2013-01-27 10:08 - 00000000 ____D C:\Users\Owner\Desktop\Put back on desktop before running contents

2013-01-27 09:40 - 2006-11-02 05:01 - 00032592 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-01-26 19:39 - 2009-12-17 21:20 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-01-26 17:02 - 2012-07-30 05:23 - 00000322 ____A C:\Windows\Tasks\HPCeeScheduleForOwner.job

2013-01-26 11:55 - 2009-03-24 21:18 - 00000868 ____A C:\Windows\Tasks\Google Software Updater.job

2013-01-19 02:03 - 2007-05-24 16:42 - 01666596 ____A C:\Windows\PFRO.log

2013-01-13 06:19 - 2009-05-10 05:20 - 00000400 ____A C:\Windows\Tasks\EasyShare Registration Task.job

2013-01-13 01:13 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET

2013-01-13 01:02 - 2006-11-02 03:18 - 00000000 ____D C:\Program Files\Common Files\microsoft shared

2013-01-12 16:25 - 2007-05-24 16:30 - 00000000 ____D C:\Windows\PCHEALTH

2013-01-10 01:36 - 2006-11-02 02:33 - 00929830 ____A C:\Windows\System32\PerfStringBackup.INI

2013-01-10 01:07 - 2007-05-24 16:29 - 00000000 ____D C:\Users\All Users\Microsoft Help

2013-01-10 01:07 - 2007-05-24 16:29 - 00000000 ____D C:\Users\All Users\Application Data\Microsoft Help

2013-01-08 23:01 - 2012-04-13 00:38 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-01-08 23:01 - 2011-06-16 01:08 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029

C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029\L

C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029\U

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-3115292585-132024008-615525151-1001\$79b005e273268a47eca5cdb3a313f029

C:\$Recycle.Bin\S-1-5-21-3115292585-132024008-615525151-1001\$79b005e273268a47eca5cdb3a313f029\L

C:\$Recycle.Bin\S-1-5-21-3115292585-132024008-615525151-1001\$79b005e273268a47eca5cdb3a313f029\U

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029

ZeroAccess:

C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}

C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L

C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\U

C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L\00000004.@

C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L\55490ac4

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2012-12-12 19:27] - [2012-08-21 03:47] - 0224640 ____A (Microsoft Corporation) 786DB5771F05EF300390399F626BF30A

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 17%

Total physical RAM: 3069.88 MB

Available physical RAM: 2545.58 MB

Total Pagefile: 2775.16 MB

Available Pagefile: 2626.31 MB

Total Virtual: 2047.88 MB

Available Virtual: 1975.51 MB

==================== Partitions =============================

1 Drive c: (HP) (Fixed) (Total:289.16 GB) (Free:124.98 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (Recovery) (Fixed) (Total:8.92 GB) (Free:0.72 GB) NTFS ==>[system with boot components (obtained from reading drive)]

3 Drive e: (HP_PAVILION) (Fixed) (Total:298.09 GB) (Free:68.65 GB) NTFS

5 Drive g: (KINGSTON) (Removable) (Total:14.53 GB) (Free:14.43 GB) FAT32

10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 298 GB 1528 KB

Disk 1 Online 298 GB 1528 KB

Disk 2 Online 15 GB 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 No Media 0 B 0 B

Disk 6 No Media 0 B 0 B

Partitions of Disk 0:

===============

ACTIVE - Mark the selected basic partition as active.

ADD - Add a mirror to a simple volume.

ASSIGN - Assign a drive letter or mount point to the selected volume.

ATTRIBUTES - Manipulate volume attributes.

AUTOMOUNT - Enable and disable automatic mounting of basic volumes.

BREAK - Break a mirror set.

CLEAN - Clear the configuration information, or all information, off the

disk.

CONVERT - Convert between different disk formats.

CREATE - Create a volume or partition.

DELETE - Delete an object.

DETAIL - Provide details about an object.

EXIT - Exit DiskPart.

EXTEND - Extend a volume.

FILESYSTEMS - Display current and supported file systems on the volume.

FORMAT - Format the volume or partition.

GPT - Assign attributes to the selected GPT partition.

HELP - Display a list of commands.

IMPORT - Import a disk group.

INACTIVE - Mark the selected basic partition as inactive.

LIST - Display a list of objects.

ONLINE - Online a disk that is currently marked as offline.

REM - Does nothing. This is used to comment scripts.

REMOVE - Remove a drive letter or mount point assignment.

REPAIR - Repair a RAID-5 volume with a failed member.

RESCAN - Rescan the computer looking for disks and volumes.

RETAIN - Place a retained partition under a simple volume.

SELECT - Shift the focus to an object.

SETID - Change the partition type.

SHRINK - Reduce the size of the selected volume.

=========================================================

Partitions of Disk 1:

===============


=========================================================

Partitions of Disk 2:

===============


=========================================================

Last Boot: 2013-02-03 03:35

==================== End Of Log ============================

Farbar Recovery Scan Tool (x86) Version: 02-02-2013 02

Ran by SYSTEM at 2013-02-03 15:50:31

Running from G:\

================== Search: "services.exe" ===================

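The FRST log above carries four kinds of lines an analyst reads first: the InprocServer32 entry that FRST itself tags "ATTENTION! ====> ZeroAccess", the directory pairs listed under the "ZeroAccess:" headings (a $<32-hex> folder under $Recycle.Bin\<SID>\ and a {GUID} folder under AppData\Local, each with L and U subdirectories), a Windows NT "Load" value that executes a file out of a Temp directory (the msezucw.com line), and services whose binary is missing ("[x]"). The script below is an added example, not part of FRST or of this thread: it triages a pasted log for those indicators and collapses the high-severity hits to the lines a fixlist.txt would carry, in the same shape the staff reply in this thread uses (the ATTENTION line verbatim, plus each hidden directory root once). The sample log is a constructed excerpt modelled on the lines above; the regular expressions and severity labels are the example's own approximation of a human read, not FRST's detection logic, and the fixlist builder does not claim to know FRST's full fixlist grammar.

```python
"""Triage a pasted FRST log for the ZeroAccess / ransomware autostart
indicators discussed in this thread.  Added example, not FRST's own code."""
import re

# Constructed excerpt: a handful of lines modelled on the FRST log above.
SAMPLE_LOG = r"""
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKU\Owner\...\CurrentVersion\Windows: [Load] C:\Users\Owner\LOCALS~1\Temp\msezucw.com
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [x]
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029
C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029\L
C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029\U
C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}
C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L\00000004.@
C:\Windows\System32\services.exe => MD5 is legit
HKLM\...\exefile\open\command: "%1" %* => OK
"""

# ZeroAccess payload directory: $Recycle.Bin\<SID>\$<32 hex chars>, with L and U
# subdirectories.  The same pair shows up under AppData\Local\{GUID}.
RECYCLE_RE = re.compile(r'^(?P<root>[A-Z]:\\\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32})(?P<tail>\\.*)?$', re.I)
APPDATA_RE = re.compile(r'^(?P<root>[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})(?P<tail>\\[LU](?:\\.*)?)?$', re.I)
# HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load is a legacy
# autostart; a target inside a Temp directory is the classic ransomware shape.
LOAD_RE = re.compile(r'\\CurrentVersion\\Windows: \[Load\] (?P<target>.+)$', re.I)
TEMP_RE = re.compile(r'\\temp\\', re.I)


def triage(log_text):
    """Return (severity, reason, line, root) tuples.  root is the directory a
    finding collapses to for the fixlist, or None for registry findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if 'ATTENTION! ====> ZeroAccess' in line:
            findings.append(('high', 'FRST-flagged COM InprocServer32 hijack', line, None))
            continue
        m = RECYCLE_RE.match(line)
        if m:
            findings.append(('high', 'ZeroAccess payload directory under $Recycle.Bin', line, m.group('root')))
            continue
        m = APPDATA_RE.match(line)
        if m:
            # A bare {GUID} folder in AppData\Local is common for legitimate software;
            # only the L/U subdirectories make it a confident hit.
            if m.group('tail'):
                findings.append(('high', 'AppData\\Local\\{GUID} with L/U subdirectory', line, m.group('root')))
            else:
                findings.append(('medium', 'AppData\\Local\\{GUID} directory, confirm L/U subdirs', line, m.group('root')))
            continue
        m = LOAD_RE.search(line)
        if m and TEMP_RE.search(m.group('target')):
            findings.append(('high', 'Load value executes a file from a Temp directory', line, None))
            continue
        if line.endswith('[x]') and ';' in line:
            findings.append(('info', 'service whose binary is missing', line, None))
    return findings


def build_fixlist(findings):
    """Collapse high-severity findings to fixlist.txt lines: the ATTENTION line
    verbatim and each hidden directory root once.  Load-value findings are left
    for manual review rather than emitted automatically."""
    out = []
    for sev, _reason, line, root in findings:
        if sev != 'high':
            continue
        entry = root if root else (line if 'ATTENTION!' in line else None)
        if entry and entry not in out:
            out.append(entry)
    return out


if __name__ == '__main__':
    for sev, reason, line, _root in triage(SAMPLE_LOG):
        print(f'[{sev:6}] {reason}: {line}')
    print('--- fixlist.txt candidate ---')
    print('\n'.join(build_fixlist(triage(SAMPLE_LOG))))
```

Run it against a full log by reading the file into `triage()` instead of `SAMPLE_LOG`. The Load entry is deliberately flagged but not copied into the fixlist: a file in Temp started through that value is what keeps a lock-screen ransomware running after the ZeroAccess components are gone, and whether to remove the value, the file, or both is a decision to make with the file in hand, not by pattern match.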

  • Staff

 

Hello

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.

 

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029
C:\$Recycle.Bin\S-1-5-21-3115292585-132024008-615525151-1001\$79b005e273268a47eca5cdb3a313f029
C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029
C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before, but this time press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo

 


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 02-02-2013 02

Ran by SYSTEM at 2013-02-03 23:47:13 Run:1

Running from G:\

==============================================

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).

C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029 moved successfully.

C:\$Recycle.Bin\S-1-5-21-3115292585-132024008-615525151-1001\$79b005e273268a47eca5cdb3a313f029 moved successfully.

C:\$Recycle.Bin\S-1-5-18\$79b005e273268a47eca5cdb3a313f029 not found.

C:\Users\Owner\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029} moved successfully.

==== End of Fixlog ====

When I booted in normal mode, it locked up, meaning the screen froze shortly after displaying the desktop.


  • Staff

Hello

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix, I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


ComboFix 13-02-03.03 - Owner 02/04/2013 20:42:11.1.4 - x86 NETWORK

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2492 [GMT -6:00]

Running from: c:\users\Owner\Desktop\ComboFix.exe

AV: Trend Micro Titanium *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}

SP: Trend Micro Titanium *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

/wow section - STAGE 48

SED: can't read CuRun.dmp: No such file or directory

SED: can't read CuRun.dmp: No such file or directory

SED: can't read CuRun.dmp: No such file or directory

SED: can't read CuRun.dmp: No such file or directory

.

/wow section - STAGE 50

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\40492808

.

.

((((((((((((((((((((((((( Files Created from 2013-01-05 to 2013-02-05 )))))))))))))))))))))))))))))))

.

.

2013-02-05 02:53 . 2013-02-05 02:54 -------- d-----w- c:\users\Owner\AppData\Local\temp

2013-02-05 02:53 . 2013-02-05 02:53 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp

2013-02-05 02:53 . 2013-02-05 02:53 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-02-04 05:36 . 2013-02-04 05:36 -------- d-----w- C:\found.000

2013-02-03 23:22 . 2013-02-03 23:22 -------- d-----w- C:\FRST

2013-01-29 23:05 . 2013-01-29 23:09 15616 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2013-01-28 02:50 . 2013-01-28 02:50 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-01-09 19:05 . 2012-11-23 01:35 2048000 ----a-w- c:\windows\system32\win32k.sys

2013-01-09 19:05 . 2012-11-20 04:22 204288 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-09 19:05 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\system32\msxml6.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-09 07:01 . 2012-04-13 08:38 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-01-09 07:01 . 2011-06-16 09:08 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-16 13:12 . 2012-12-21 09:00 34304 ----a-w- c:\windows\system32\atmlib.dll

2012-12-16 10:50 . 2012-12-21 09:00 293376 ----a-w- c:\windows\system32\atmfd.dll

2012-12-14 22:49 . 2012-07-03 07:51 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-14 02:09 . 2012-12-13 09:18 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-11-14 01:58 . 2012-12-13 09:18 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-14 01:57 . 2012-12-13 09:18 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-11-14 01:49 . 2012-12-13 09:18 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-14 01:48 . 2012-12-13 09:18 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-11-14 01:44 . 2012-12-13 09:18 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-13 01:29 . 2012-12-13 03:27 2048 ----a-w- c:\windows\system32\tzres.dll

2012-12-08 13:46 . 2012-12-08 13:46 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"Windows Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2009-04-11 1233920]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-05 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]

"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]

"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]

"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]

"SnapfishMediaDetector"="c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 1441792]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]

"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-03-12 90191]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-12 7770112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-03-12 81920]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-28 68592]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

.

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Snapfish Media Detector.lnk - c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe [2007-3-2 1441792]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]

FactoryMode [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

R2 ABBYY.Licensing.FineReader.ScreenshotReader.9.0;ABBYY.Licensing.FineReader.ScreenshotReader.9.0;c:\program files\ABBYY Screenshot Reader\NetworkLicenseServer.exe [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - ECACHE

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-01-22 22:26 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.56\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-28 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 07:01]

.

2013-01-26 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-05 19:07]

.

2013-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 05:20]

.

2013-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 05:20]

.

2013-01-27 c:\windows\Tasks\HPCeeScheduleForOwner.job

- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-05-25 18:56]

.

2013-02-05 c:\windows\Tasks\SpeedUpMyPC.job

- c:\program files\Uniblue\SpeedUpMyPC\sump.exe [2012-08-05 01:44]

.

2013-02-05 c:\windows\Tasks\spmonitor.job

- c:\program files\Uniblue\SpeedUpMyPC\spmonitor.exe [2012-08-05 01:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} - hxxp://mvod.web.aol.com/mce/new/ServiceMgr.CAB

FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=W3i_SP,205,0_0,StartPage,20121252,16900,0,63,0

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=w3i&type=W3i_DS,157,0_0,Search,20121252,6902,0,63,0&p=

FF - ExtSQL: 2012-12-11 06:16; {22C7F6C6-8D67-4534-92B5-529A0EC09405}; c:\program files\Trend Micro\AMSP\Module\20004\1.5.1505\6.6.1088\firefoxextension

FF - ExtSQL: 2012-12-25 17:01; addon@defaulttab.com; c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ymh3s2lz.default\extensions\addon@defaulttab.com.xpi

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-WudfPf

SafeBoot-WudfRd

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

MSConfigStartUp-IS CfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-02-04 20:54

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2013-02-04 20:57:10

ComboFix-quarantined-files.txt 2013-02-05 02:56

.

Pre-Run: 135,714,922,496 bytes free

Post-Run: 139,081,523,200 bytes free

.

- - End Of File - - 64902706B8775CE451538C6F0B569B11

It still locks up in normal mode.


  • Staff

Greetings

I want you to run these next.

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. If this report is too long to post, then please attach it.

Please download aswMBR to your desktop.

  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo


  • Staff


Hello

I would like you to run this new tool and see if it finds anything.

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit

2. Unzip the contents to a folder in a convenient location.

3. Open the folder where the contents were unzipped and run mbar.exe

4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.

5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.

6. Wait while the system shuts down and the cleanup process is performed.

7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.

8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.

10. Verify that your system is now functioning normally.

Gringo


  • Staff

Dr.Web CureIt

Download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
    [image: check.gif]
    If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
    [image: move.gif]
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer, because files in use may be moved/deleted during the reboot.
  • After the reboot, post the contents of the log from Dr.Web you saved previously in your next reply, together with a new HijackThis log.


  • Staff

Hello stillsleepin

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later

  • Please post the contents of OTL.txt in your next reply.

Gringo


  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you, it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will then ask you to remove our tools.

Gringo
