DDS & Attatch for my other post.

[MrCharlie]

What anti-virus are you using now? I see AVG, Avast and Windows Defender.

Also do you have the pro version of Malwarebytes?

-------------------

Please do this:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in bold:

:OTL

O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll File not found

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll File not found

O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [windows] C:\windows\system32\system32\windows.exe File not found

O4 - HKU\S-1-5-21-3811417263-890335572-2532902937-1000..\Run: [windows] C:\windows\system32\system32\windows.exe File not found

O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found

O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll File not found

O18:64bit: - Protocol\Handler\livecall - No CLSID value found

O18:64bit: - Protocol\Handler\ms-help - No CLSID value found

O18:64bit: - Protocol\Handler\msnim - No CLSID value found

O18:64bit: - Protocol\Handler\skype4com - No CLSID value found

O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found

O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found

O18:64bit: - Protocol\Handler\wlpg - No CLSID value found

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll File not found

O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

:Commands

[EMPTYJAVA]

[emptytemp]

[EMPTYFLASH]

[*]Then click the Run Fix button at the top

[*]Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"

[*]Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC

[rossjerram]

All processes killed

========== OTL ==========

64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\windows not found.

Registry value HKEY_USERS\S-1-5-21-3811417263-890335572-2532902937-1000\Software\Microsoft\Windows\CurrentVersion\Run\\windows not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\grooveLocalGWS\ deleted successfully.

File Protocol\Handler\grooveLocalGWS - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\linkscanner\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}\ deleted successfully.

File {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll File not found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.

File Protocol\Handler\livecall - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.

File Protocol\Handler\ms-help - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.

File Protocol\Handler\msnim - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype4com\ deleted successfully.

File Protocol\Handler\skype4com - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype-ie-addon-data\ deleted successfully.

File Protocol\Handler\skype-ie-addon-data - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.

File Protocol\Handler\wlmailhtml - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlpg\ deleted successfully.

File Protocol\Handler\wlpg - No CLSID value found not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\linkscanner\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}\ deleted successfully.

File {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll File not found not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon\ deleted successfully.

64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Public

User: Ross

->Java cache emptied: 264995628 bytes

Total Java Files Cleaned = 253.00 mb

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 56472 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Public

->Temp folder emptied: 0 bytes

User: Ross

->Temp folder emptied: 31466265 bytes

->Temporary Internet Files folder emptied: 3603224 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 580288896 bytes

->Google Chrome cache emptied: 24900498 bytes

->Flash cache emptied: 58438 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 594897 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes

RecycleBin emptied: 1450 bytes

Total Files Cleaned = 611.00 mb

[EMPTYFLASH]

User: All Users

User: Default

->Flash cache emptied: 0 bytes

User: Default User

->Flash cache emptied: 0 bytes

User: Public

User: Ross

->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 03272013_200152

Files\Folders moved on Reboot...

C:\Users\Ross\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

[MrCharlie]

You never answered this question:

What anti-virus are you using now? I see AVG, Avast and Windows Defender.

Also do you have the pro version of Malwarebytes?

MrC

[rossjerram]

Oh sorry, yeah i am using avg, not sure what windows defender is. im using the trial version of mwb which will run out in a day or something.

[MrCharlie]

OK, Delete these 2 folders:

C:\Program Files\AVAST Software

C:\ProgramData\AVAST Software

The log shows Windows Defender (anti-virus) is running:

SRV:64bit: - [2009/07/14 14:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

Please permanently disable it:

http://www.howtogeek...ow-turn-it-off/

MrC

[rossjerram]

ok its turned off and i have deleted the folders-i think. i type it into the search thing in the start menue and it still comes up, i click delete and it does nothing. but i think i deleted the first one.

[rossjerram]

ok yeah its deleted

[MrCharlie]

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt.
  
• Please Post the contents of that document.
  
• Do Not Attach It!!!
  

MrC

[rossjerram]

sorry it has taken me ages to reply, your last email was sent to spam

[rossjerram]

Results of screen317's Security Check version 0.99.61

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

AVG Anti-Virus Free Edition 2013

Antivirus up to date! (On Access scanning disabled!)

`````````Anti-malware/Other Utilities Check:`````````

Spybot - Search & Destroy

Malwarebytes Anti-Malware version 1.70.0.1100

Java 6 Update 31

Java 7 Update 17

Adobe Flash Player 11.6.602.180

Adobe Reader 9 Adobe Reader out of Date!

Mozilla Firefox (19.0.2)

Google Chrome 25.0.1364.172

Google Chrome 26.0.1410.43

````````Process Check: objlist.exe by Laurent````````

Spybot Teatimer.exe is disabled!

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 3%

````````````````````End of Log``````````````````````

[MrCharlie]

Java™ 6 Update 31 <----please uninstall from add/remove programs

Java 7 Update 17 <----OK

Adobe Reader 9 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe.

Google Chrome 25.0.1364.172 <-----Old

Google Chrome 26.0.1410.43 <---OK

You have old versions of Google Chrome on the system.

Please download and run OldChromeRemover.

@Windows Vista/Windows 7 users must use “Run As Administrator.”

---------------------------------------------

You have out dated programs on the system which are vulnerable to malware.

Please update or uninstall them

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[rossjerram]

my main reason for asking for help is because i installed a game, then it made my league of legends run extremely slow (fps wise). but now it is a little better but still not the way it used to be. It used to be 60 fps all the time with decent graphics settings, now it still spikes down in fps often. Do you know why?

[MrCharlie]

The system is clean of malware, we removed a lot of it.

Run this scan:

Download aswMBR to your desktop.

http://public.avast.com/~gmerek/aswMBR.exe

Double click the aswMBR.exe to run it.

If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".

Click the "Scan" button to start scan.

On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

Please zip it up and attach it to your next post.

MrC

[rossjerram]

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software

Run date: 2013-04-03 05:11:16

-----------------------------

05:11:16.970 OS Version: Windows x64 6.1.7601 Service Pack 1

05:11:16.970 Number of processors: 4 586 0x2A07

05:11:16.971 ComputerName: ROSS-PC UserName: Ross

05:11:17.989 Initialize success

05:14:46.477 AVAST engine defs: 13040200

05:16:31.491 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

05:16:31.495 Disk 0 Vendor: TOSHIBA_ GH10 Size: 610480MB BusType: 3

05:16:31.622 Disk 0 MBR read successfully

05:16:31.629 Disk 0 MBR scan

05:16:31.638 Disk 0 Windows VISTA default MBR code

05:16:31.653 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048

05:16:31.677 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 596137 MB offset 3074048

05:16:31.714 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 12842 MB offset 1223962624

05:16:31.860 Disk 0 scanning C:\windows\system32\drivers

05:16:42.717 Service scanning

05:17:34.185 Modules scanning

05:17:34.186 Disk 0 trace - called modules:

05:17:34.198 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys

05:17:34.200 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800691a060]

05:17:34.200 3 CLASSPNP.SYS[fffff88001b4b43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004a1b050]

05:17:35.487 AVAST engine scan C:\windows

05:17:38.466 AVAST engine scan C:\windows\system32

05:20:41.132 AVAST engine scan C:\windows\system32\drivers

05:20:53.799 AVAST engine scan C:\Users\Ross

05:23:56.854 File: C:\Users\Ross\AppData\Local\Temp\tm449.tmp **INFECTED** MSIL:KeyLogger-BN [Trj]

05:25:28.350 Disk 0 MBR has been saved successfully to "C:\Users\Ross\Desktop\MBR.dat"

05:25:28.364 The log file has been saved successfully to "C:\Users\Ross\Desktop\aswMBR.txt"

[rossjerram]

stuff that keylogger is still there... im going to run an avg scan beause i need it gone immediatly

[rossjerram]

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software

Run date: 2013-04-03 05:37:50

-----------------------------

05:37:50.556 OS Version: Windows x64 6.1.7601 Service Pack 1

05:37:50.556 Number of processors: 4 586 0x2A07

05:37:50.557 ComputerName: ROSS-PC UserName: Ross

05:37:55.263 Initialize success

05:38:04.049 AVAST engine defs: 13040200

05:38:05.933 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

05:38:05.937 Disk 0 Vendor: Size: 0MB BusType: 0

05:38:06.175 Disk 0 MBR read successfully

05:38:06.177 Disk 0 MBR scan

05:38:06.180 Disk 0 Windows VISTA default MBR code

05:38:06.182 Disk 0 MBR hidden

05:38:06.207 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048

05:38:06.230 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 596137 MB offset 3074048

05:38:06.267 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 12842 MB offset 1223962624

05:38:06.577 Disk 0 scanning C:\windows\system32\drivers

05:38:31.398 Service scanning

05:39:35.419 Modules scanning

05:39:35.420 Disk 0 trace - called modules:

05:39:35.552 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll

05:39:35.553 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800691a060]

05:39:35.554 3 CLASSPNP.SYS[fffff88001b4b43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004a1b050]

05:39:38.095 AVAST engine scan C:\windows

05:40:09.462 AVAST engine scan C:\windows\system32

05:47:14.586 AVAST engine scan C:\windows\system32\drivers

05:48:04.829 AVAST engine scan C:\Users\Ross

05:50:09.554 Disk 0 MBR has been saved successfully to "C:\Users\Ross\Desktop\MBR.dat"

05:50:09.563 The log file has been saved successfully to "C:\Users\Ross\Desktop\aswMBR.txt"

[MrCharlie]

I don't believe that was a keylogger.

Your log is clean now, MrC

[rossjerram]

nah it was a keylogger of some sort, one of my accounts on a game i play got hacked and luqidated. but its gone now. Thanks for all of your help getting rid of my malware.

[LDTate]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!