Jump to content

Windows Command Processor persistence

chipping
 Share

Recommended Posts

chipping

chipping

Posted
Posted

Hello, A few days ago I started to received a prompt from the windows command processor and ignored it by saying no the request. It started to prevent me from completing downloads so I decided to try and remove it and have spent the best part of today using malwarebytes, rkill.exe, OTL.exe, combofix.exe, roguekiller.exe all; with the exception of malwarebytes; of which detected and "removed" the offending files and made the necessary registry edits. However, the problem still persists and as soon as I log on normally the prompt re-appears. Can anyone please help me with resolving this issue. Attached are the dds.txt and attach.txt files as requested.

attach.txt

dds.txt

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

Hello chipping and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

Step 2

  • Download on the desktop RogueKiller
  • Quit all programs
  • Start RogueKiller.exe
  • Wait until Prescan has finished ...
  • Click on Scan. Click on Report and copy/paste the content of the notepad in your next reply.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • RogueKiller log

Link to post
Share on other sites
chipping

chipping

Posted
  • Author
Posted

Hello Maniac,

thank you for offering to help.

Just wanted to confirm Malwarebytes will not start in normal mode, is it OK to do so in safe mode?

Some additional information:I other symptoms of the virus is it allows access to all websites apart from microsoft website and does not allow files to be downloaded in IE.

Thanks again

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted
Just wanted to confirm Malwarebytes will not start in normal mode, is it OK to do so in safe mode?

Yes, please boot in Safe mode with Networking and try there.

Some additional information:I other symptoms of the virus is it allows access to all websites apart from microsoft website and does not allow files to be downloaded in IE.

Try with another browser, if you couldn't download any of my tools.

Link to post
Share on other sites
chipping

chipping

Posted
  • Author
Posted

Thanks, just tried to access the malwarebytes site in safe mode and get notified that "IE cannot display browser"; strange as I could access it a couple of days ago in safe mode and I am currently able to access other sites.

I will try to download alternative browser.

Link to post
Share on other sites
chipping

chipping

Posted
  • Author
Posted

Malware Bytes Log

====================================================================

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.05.09.07

Windows 7 Service Pack 1 x86 FAT32

Internet Explorer 9.0.8112.16421

Tosh :: TOSH-PC [administrator]

10/05/2013 01:08:50

mbam-log-2013-05-10 (01-08-50).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 200724

Time elapsed: 7 minute(s), 21 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 2

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Delete on reboot.

HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 4

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.UserInit) -> Bad: (userinit.exe,,C:\Users\Tosh\AppData\Local\smetgxaw\bsvjqbjn.exe) Good: (userinit.exe) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠≠

Rogue Killer log

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : Tosh [Admin rights]

Mode : Scan -- Date : 05/10/2013 12:21:16

| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤

[sVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]

[sVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : BsvJqbjn (C:\Users\Tosh\AppData\Local\smetgxaw\bsvjqbjn.exe) [-] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1319328176-2492931121-1088025106-1000[...]\Run : BsvJqbjn (C:\Users\Tosh\AppData\Local\smetgxaw\bsvjqbjn.exe) [-] -> FOUND

[sHELL][sUSP PATH] HKLM\[...]\Winlogon : Userinit (userinit.exe,,C:\Users\Tosh\AppData\Local\smetgxaw\bsvjqbjn.exe) [-] -> FOUND

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND

[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND

[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[70] : NtCreateKey @ 0x82C08FFB -> HOOKED (\??\C:\Users\Tosh\AppData\Local\Temp\iewqqxca.sys @ 0x979F56AC)

SSDT[72] : NtCreateKeyTransacted @ 0x82BD9AF0 -> HOOKED (\??\C:\Users\Tosh\AppData\Local\Temp\iewqqxca.sys @ 0x979F5708)

SSDT[182] : NtOpenKey @ 0x82C538D2 -> HOOKED (\??\C:\Users\Tosh\AppData\Local\Temp\iewqqxca.sys @ 0x979F5562)

SSDT[183] : NtOpenKeyEx @ 0x82C17C93 -> HOOKED (\??\C:\Users\Tosh\AppData\Local\Temp\iewqqxca.sys @ 0x979F55B2)

SSDT[185] : NtOpenKeyTransacted @ 0x82BD7223 -> HOOKED (\??\C:\Users\Tosh\AppData\Local\Temp\iewqqxca.sys @ 0x979F5604)

SSDT[186] : NtOpenKeyTransactedEx @ 0x82BD71B3 -> HOOKED (\??\C:\Users\Tosh\AppData\Local\Temp\iewqqxca.sys @ 0x979F5656)

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS542512K9SA00 ATA Device +++++

--- User ---

[MBR] 1e197da4544db87bd09daa8a68fa1a04

[bSP] 5c619228b67b690fef3d428234f91444 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114470 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: Kingston DataTraveler 2.0 USB Device +++++

--- User ---

[MBR] 2b2c5b1a0b21a25859a8d9b6430d7944

[bSP] ec038f3ca5091360f60d743d6f1c7fdb : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 2232 | Size: 7654 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_05102013_02d1221.txt >>

RKreport[1]_S_05102013_02d1221.txt

===================================================================================================================

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

No, follow my instructions strictly.

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    2012081514h0118.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    2012081517h0349.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Link to post
Share on other sites
chipping

chipping

Posted
  • Author
Posted

when attempting to run tdsskiller.exe, two boxes appear

1. Black empty DOS box with labelled "C:\users\Tosh\desktop\TDSSKI~1.exe

2. labelled 16 bit M-DOS subsystem populated with message:

C:\users\Tosh\desktop\TDSSKI~1.exe The NTVDM CPU has encountered an illegal instruction. CS:055aIP:010a OP:63 20 4f 53 20 'Close to terminate the application.

options to close or ignore

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:


    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

[*]Select Command Prompt

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Link to post
Share on other sites
chipping

chipping

Posted
  • Author
Posted

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-05-2013 01

Ran by SYSTEM on 11-05-2013 17:39:10

Running from E:\

Windows 7 Ultimate (X86) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [248552 2010-05-14] (Sun Microsystems, Inc.)

HKLM\...\Run: [Nuance PDF Reader-reminder] "C:\Program Files\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\PDF Reader\Ereg\Ereg.ini" [370 2013-05-10] ()

HKLM\...\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)

HKLM\...\Winlogon: [userinit] userinit.exe,,C:\Users\Tosh\AppData\Local\smetgxaw\bsvjqbjn.exe [155136 2013-05-04] (Ke@g))

HKLM\...\Winlogon: [system]

HKU\Tosh\...\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" [x]

HKU\Tosh\...\Run: [iSUSPM] "C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe" -scheduler [ 2009-05-05] (Acresso Corporation)

HKU\Tosh\...\Run: [GoToMeeting] "C:\Program Files\Citrix\GoToMeeting\1133\g2mstart.exe" "/Trigger RunAtLogon" [ 2013-04-21] (Citrix Online, a division of Citrix Systems, Inc.)

HKU\Tosh\...\Run: [bsvJqbjn] C:\Users\Tosh\AppData\Local\smetgxaw\bsvjqbjn.exe [ 2013-05-04] (Ke@g))

Startup: C:\Users\Tosh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bsvjqbjn.exe (Ke@g))

Startup: C:\Users\Tosh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft SharePoint Workspace.lnk

ShortcutTarget: Microsoft SharePoint Workspace.lnk -> C:\Program Files\Microsoft Office\Office14\GROOVE.EXE (Microsoft Corporation)

Startup: C:\Users\Tosh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk

ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

========================== Services (Whitelisted) =================

S2 BrowserProtect; C:\ProgramData\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [2787280 2013-03-22] ()

S2 rpcnet; C:\Windows\system32\rpcnet.exe [69792 2013-05-09] (Absolute Software Corp.)

==================== Drivers (Whitelisted) ====================

S3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [379904 2010-03-30] (Realtek Semiconductor Corporation )

S4 MpsSvc;

S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]

S3 tsusbhub; system32\drivers\tsusbhub.sys [x]

S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-11 17:38 - 2013-05-11 17:38 - 00000000 ____D C:\FRST

2013-05-11 08:24 - 2013-05-11 08:24 - 00001109 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2013-05-11 08:24 - 2013-05-11 08:24 - 00000000 ____D C:\Users\Tosh\AppData\Roaming\Mozilla

2013-05-11 08:24 - 2013-05-11 08:24 - 00000000 ____D C:\Users\Tosh\AppData\Local\Mozilla

2013-05-11 08:23 - 2013-05-11 08:23 - 00000000 ____D C:\ProgramData\Mozilla

2013-05-11 08:23 - 2013-05-11 08:23 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2013-05-11 08:22 - 2013-05-11 08:22 - 00000374 ____A C:\Windows\Tasks\Auto Lyrics Update.job

2013-05-11 08:22 - 2013-05-11 08:22 - 00000000 ____D C:\ProgramData\BrowserProtect

2013-05-11 08:22 - 2013-05-11 08:22 - 00000000 ____D C:\Program Files\AutoLyrics

2013-05-11 08:21 - 2013-05-11 08:28 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-05-11 08:21 - 2013-05-11 08:21 - 00000280 ____A C:\Windows\Tasks\EPUpdater.job

2013-05-11 08:21 - 2013-05-11 08:21 - 00000000 ____D C:\Users\Tosh\AppData\Roaming\Babylon

2013-05-11 08:21 - 2013-05-11 08:21 - 00000000 ____D C:\Users\Tosh\AppData\Roaming\BabSolution

2013-05-11 08:21 - 2013-05-11 08:21 - 00000000 ____D C:\ProgramData\Babylon

2013-05-11 08:21 - 2013-05-11 08:21 - 00000000 ____D C:\Program Files\Delta

2013-05-11 08:20 - 2013-05-11 05:33 - 03015672 ____A C:\Users\Tosh\Desktop\installer_firefox_English.exe

2013-05-10 15:07 - 2013-05-10 15:07 - 00000000 ___HD C:\Windows\PIF

2013-05-10 15:00 - 2013-05-10 15:00 - 00000000 _RASH C:\MSDOS.SYS

2013-05-10 15:00 - 2013-05-10 15:00 - 00000000 _RASH C:\IO.SYS

2013-05-10 15:00 - 2013-05-10 14:59 - 00004096 ___AH C:\Users\Tosh\Desktop\iexplore.exe

2013-05-10 03:21 - 2013-05-10 03:21 - 00003098 ____A C:\Users\Tosh\Desktop\RKreport[1]_S_05102013_02d1221.txt

2013-05-10 03:16 - 2013-05-10 03:21 - 00000000 ____D C:\Users\Tosh\Desktop\RK_Quarantine

2013-05-10 03:15 - 2013-05-10 03:14 - 00000000 ____A C:\Users\Tosh\Desktop\RogueKiller.old

2013-05-10 03:15 - 2013-03-18 03:40 - 00816128 ____A C:\Users\Tosh\Desktop\RogueKiller.exe

2013-05-09 14:58 - 2013-05-09 14:58 - 00000000 ____D C:\Users\Tosh\AppData\Local\smetgxaw

2013-05-09 13:18 - 2013-05-09 13:18 - 00177152 ____A C:\Users\Tosh\Downloads\OCL - Deputy Head of IT JDPS - May 2013.doc.r0aw8fv.partial

2013-05-09 01:13 - 2013-05-09 01:13 - 00507392 ____A C:\Users\Tosh\Desktop\OCL-ICT Deputy Head Application Form - May 2013.doc.1v21oh7.partial

2013-05-07 12:34 - 2013-05-07 12:34 - 00015546 ____A C:\Users\Tosh\Desktop\attach.txt

2013-05-07 12:34 - 2013-05-07 12:34 - 00008855 ____A C:\Users\Tosh\Desktop\dds.txt

2013-05-07 12:33 - 2013-05-07 12:34 - 00688992 ____A (Swearware) C:\Users\Tosh\Desktop\dds.com

2013-05-07 12:32 - 2013-05-07 12:32 - 00688992 ____R (Swearware) C:\Users\Tosh\Desktop\dds.scr

2013-05-07 11:52 - 2013-05-11 08:29 - 00033682 ____A C:\Users\Tosh\AppData\Local\emffdelx.log

2013-05-07 11:52 - 2013-05-10 15:13 - 00703846 ____A C:\Users\Tosh\AppData\Local\qhaapoqb.log

2013-05-07 11:52 - 2013-05-10 15:13 - 00003449 ____A C:\Users\Tosh\AppData\Local\oojddpmx.log

2013-05-07 11:52 - 2013-05-10 15:13 - 00003247 ____A C:\Users\Tosh\AppData\Local\uvspuxqy.log

2013-05-07 11:51 - 2013-05-10 15:13 - 00005370 ____A C:\Users\Tosh\AppData\Local\hfdwlsuc.log

2013-05-07 11:51 - 2013-05-07 11:51 - 00453200 ____A C:\Users\Tosh\AppData\Local\dpppfwih.log

2013-05-07 11:45 - 2013-05-07 11:45 - 00000000 ____D C:\ProgramData\McAfee

2013-05-07 11:44 - 2013-05-07 11:44 - 00000000 ____D C:\Windows\Sun

2013-05-07 11:44 - 2013-05-07 11:44 - 00000000 ____D C:\Users\Tosh\AppData\Roaming\Oracle

2013-05-07 10:20 - 2013-05-11 08:29 - 00000028 ____A C:\Users\Tosh\AppData\Local\cyicjaek.log

2013-05-07 08:14 - 2013-05-10 02:52 - 00000000 ____D C:\Windows\erdnt

2013-05-07 08:06 - 2013-05-07 08:06 - 00000512 ____A C:\Users\Tosh\Desktop\MBR.dat

2013-05-07 06:37 - 2013-05-10 02:57 - 00002072 ____A C:\Windows\setupact.log

2013-05-07 06:37 - 2013-05-07 06:37 - 00000000 ____A C:\Windows\setuperr.log

2013-05-07 06:25 - 2013-05-07 11:59 - 01752992 ____A (Bleeping Computer, LLC) C:\Users\Tosh\Downloads\rkill.com

2013-05-06 12:08 - 2013-05-06 12:08 - 00002174 ____A C:\Users\Tosh\Desktop\GoToWebinar.lnk

2013-05-06 12:08 - 2013-05-06 12:08 - 00001346 ____A C:\Users\Tosh\Desktop\GoToMeeting.lnk

2013-05-06 11:59 - 2013-05-11 08:30 - 00000000 ____A C:\Users\Tosh\AppData\Local\anuuuwyw.log

2013-05-06 11:59 - 2013-05-06 11:59 - 00073216 ____A C:\Users\Tosh\Downloads\Lai Vincent cv 2.doc.5bhdr0s.partial

2013-05-06 09:57 - 2013-02-21 20:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-06 09:57 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-06 09:57 - 2013-02-21 19:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-06 09:57 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-06 09:57 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-06 09:57 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-05-06 09:57 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-05-06 09:57 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-06 09:57 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-06 09:57 - 2013-02-21 19:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-05-06 09:57 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-05-06 09:57 - 2013-02-21 19:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-06 09:57 - 2013-02-21 19:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-06 09:57 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-06 09:57 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-05-06 09:57 - 2013-02-21 19:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 03419136 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 02284544 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 01988096 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 01504768 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 01247744 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 01230336 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 01158144 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 01080832 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00906240 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00604160 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00417792 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00364544 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00249856 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00207872 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00187392 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll

2013-05-06 09:46 - 2013-05-06 09:52 - 00007971 ____A C:\Windows\IE10_main.log

2013-05-04 04:16 - 2013-05-11 08:30 - 00000004 ____A C:\Users\Tosh\AppData\Local\nodsrouu.log

2013-05-04 04:16 - 2013-05-04 04:16 - 00000064 ____A C:\ProgramData\paqwhoil.log

2013-05-04 04:16 - 2013-05-04 04:16 - 00000000 ____A C:\Users\Tosh\AppData\Local\xylbxwke.log

2013-05-04 04:16 - 2013-05-04 04:16 - 00000000 ____A C:\Users\Tosh\AppData\Local\eetlvawv.log

2013-04-25 02:44 - 2013-05-06 09:43 - 00847872 ____A C:\Users\Tosh\Documents\Database1.accdb

2013-04-24 22:24 - 2013-04-24 22:25 - 00957304 ____A C:\Users\Tosh\Downloads\Database Design For Mere Mortals.exe

2013-04-23 13:15 - 2013-04-12 05:45 - 01211752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2013-04-21 13:50 - 2013-05-06 12:08 - 00002394 ____A C:\Users\Tosh\Desktop\GoToMeeting Quick Connect.lnk

2013-04-21 13:20 - 2013-04-21 13:20 - 00015752 ____A C:\Users\Tosh\Desktop\hs_err_pid3936.log

2013-04-13 10:08 - 2013-04-18 04:56 - 00000000 ____D C:\Users\Tosh\Desktop\Careerinsights

==================== One Month Modified Files and Folders ========

2013-05-11 17:38 - 2013-05-11 17:38 - 00000000 ____D C:\FRST

2013-05-11 08:30 - 2013-05-06 11:59 - 00000000 ____A C:\Users\Tosh\AppData\Local\anuuuwyw.log

2013-05-11 08:30 - 2013-05-04 04:16 - 00000004 ____A C:\Users\Tosh\AppData\Local\nodsrouu.log

2013-05-11 08:29 - 2013-05-07 11:52 - 00033682 ____A C:\Users\Tosh\AppData\Local\emffdelx.log

2013-05-11 08:29 - 2013-05-07 10:20 - 00000028 ____A C:\Users\Tosh\AppData\Local\cyicjaek.log

2013-05-11 08:28 - 2013-05-11 08:21 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-05-11 08:24 - 2013-05-11 08:24 - 00001109 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2013-05-11 08:24 - 2013-05-11 08:24 - 00000000 ____D C:\Users\Tosh\AppData\Roaming\Mozilla

2013-05-11 08:24 - 2013-05-11 08:24 - 00000000 ____D C:\Users\Tosh\AppData\Local\Mozilla

2013-05-11 08:23 - 2013-05-11 08:23 - 00000000 ____D C:\ProgramData\Mozilla

2013-05-11 08:23 - 2013-05-11 08:23 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2013-05-11 08:22 - 2013-05-11 08:22 - 00000374 ____A C:\Windows\Tasks\Auto Lyrics Update.job

2013-05-11 08:22 - 2013-05-11 08:22 - 00000000 ____D C:\ProgramData\BrowserProtect

2013-05-11 08:22 - 2013-05-11 08:22 - 00000000 ____D C:\Program Files\AutoLyrics

2013-05-11 08:21 - 2013-05-11 08:21 - 00000280 ____A C:\Windows\Tasks\EPUpdater.job

2013-05-11 08:21 - 2013-05-11 08:21 - 00000000 ____D C:\Users\Tosh\AppData\Roaming\Babylon

2013-05-11 08:21 - 2013-05-11 08:21 - 00000000 ____D C:\Users\Tosh\AppData\Roaming\BabSolution

2013-05-11 08:21 - 2013-05-11 08:21 - 00000000 ____D C:\ProgramData\Babylon

2013-05-11 08:21 - 2013-05-11 08:21 - 00000000 ____D C:\Program Files\Delta

2013-05-11 05:33 - 2013-05-11 08:20 - 03015672 ____A C:\Users\Tosh\Desktop\installer_firefox_English.exe

2013-05-10 15:13 - 2013-05-07 11:52 - 00703846 ____A C:\Users\Tosh\AppData\Local\qhaapoqb.log

2013-05-10 15:13 - 2013-05-07 11:52 - 00003449 ____A C:\Users\Tosh\AppData\Local\oojddpmx.log

2013-05-10 15:13 - 2013-05-07 11:52 - 00003247 ____A C:\Users\Tosh\AppData\Local\uvspuxqy.log

2013-05-10 15:13 - 2013-05-07 11:51 - 00005370 ____A C:\Users\Tosh\AppData\Local\hfdwlsuc.log

2013-05-10 15:07 - 2013-05-10 15:07 - 00000000 ___HD C:\Windows\PIF

2013-05-10 15:00 - 2013-05-10 15:00 - 00000000 _RASH C:\MSDOS.SYS

2013-05-10 15:00 - 2013-05-10 15:00 - 00000000 _RASH C:\IO.SYS

2013-05-10 14:59 - 2013-05-10 15:00 - 00004096 ___AH C:\Users\Tosh\Desktop\iexplore.exe

2013-05-10 03:21 - 2013-05-10 03:21 - 00003098 ____A C:\Users\Tosh\Desktop\RKreport[1]_S_05102013_02d1221.txt

2013-05-10 03:21 - 2013-05-10 03:16 - 00000000 ____D C:\Users\Tosh\Desktop\RK_Quarantine

2013-05-10 03:14 - 2013-05-10 03:15 - 00000000 ____A C:\Users\Tosh\Desktop\RogueKiller.old

2013-05-10 03:14 - 2009-07-13 20:34 - 00010208 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-10 03:14 - 2009-07-13 20:34 - 00010208 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-10 02:57 - 2013-05-07 06:37 - 00002072 ____A C:\Windows\setupact.log

2013-05-10 02:57 - 2012-01-09 09:49 - 00069792 ____A (Absolute Software Corp.) C:\Windows\System32\rpcnet.dll

2013-05-10 02:57 - 2012-01-09 09:33 - 00017408 ____A C:\Windows\System32\rpcnetp.exe

2013-05-10 02:57 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-10 02:56 - 2013-05-07 08:14 - 00000000 ____D C:\Windows\erdnt

2013-05-09 16:50 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache

2013-05-09 15:49 - 2012-01-09 09:33 - 00017408 ____A C:\Windows\System32\rpcnetp.dll

2013-05-09 15:01 - 2012-01-09 09:49 - 00069792 ____N (Absolute Software Corp.) C:\Windows\System32\rpcnet.exe

2013-05-09 14:58 - 2013-05-09 14:58 - 00000000 ____D C:\Users\Tosh\AppData\Local\smetgxaw

2013-05-09 14:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Cursors

2013-05-09 14:36 - 2012-09-05 03:24 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-05-09 13:18 - 2013-05-09 13:18 - 00177152 ____A C:\Users\Tosh\Downloads\OCL - Deputy Head of IT JDPS - May 2013.doc.r0aw8fv.partial

2013-05-09 09:17 - 2012-01-09 12:29 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-05-09 01:13 - 2013-05-09 01:13 - 00507392 ____A C:\Users\Tosh\Desktop\OCL-ICT Deputy Head Application Form - May 2013.doc.1v21oh7.partial

2013-05-08 13:06 - 2012-01-09 09:51 - 00735230 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-08 00:31 - 2012-01-15 11:47 - 00024576 __ASH C:\Users\Tosh\Documents\Thumbs.db

2013-05-07 18:27 - 2012-01-09 09:35 - 01370349 ____A C:\Windows\WindowsUpdate.log

2013-05-07 12:34 - 2013-05-07 12:34 - 00015546 ____A C:\Users\Tosh\Desktop\attach.txt

2013-05-07 12:34 - 2013-05-07 12:34 - 00008855 ____A C:\Users\Tosh\Desktop\dds.txt

2013-05-07 12:34 - 2013-05-07 12:33 - 00688992 ____A (Swearware) C:\Users\Tosh\Desktop\dds.com

2013-05-07 12:32 - 2013-05-07 12:32 - 00688992 ____R (Swearware) C:\Users\Tosh\Desktop\dds.scr

2013-05-07 12:00 - 2012-09-05 03:23 - 00002250 ____A C:\Users\Tosh\Desktop\Rkill.txt

2013-05-07 11:59 - 2013-05-07 06:25 - 01752992 ____A (Bleeping Computer, LLC) C:\Users\Tosh\Downloads\rkill.com

2013-05-07 11:53 - 2012-01-09 12:43 - 00016888 ____A C:\Windows\PFRO.log

2013-05-07 11:51 - 2013-05-07 11:51 - 00453200 ____A C:\Users\Tosh\AppData\Local\dpppfwih.log

2013-05-07 11:45 - 2013-05-07 11:45 - 00000000 ____D C:\ProgramData\McAfee

2013-05-07 11:44 - 2013-05-07 11:44 - 00000000 ____D C:\Windows\Sun

2013-05-07 11:44 - 2013-05-07 11:44 - 00000000 ____D C:\Users\Tosh\AppData\Roaming\Oracle

2013-05-07 11:36 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini

2013-05-07 08:29 - 2009-07-13 18:37 - 00000000 ___RD C:\users\Public

2013-05-07 08:06 - 2013-05-07 08:06 - 00000512 ____A C:\Users\Tosh\Desktop\MBR.dat

2013-05-07 06:37 - 2013-05-07 06:37 - 00000000 ____A C:\Windows\setuperr.log

2013-05-07 05:22 - 2012-09-05 03:24 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-05-06 19:21 - 2012-01-31 23:08 - 00000000 ____D C:\Windows\Minidump

2013-05-06 12:08 - 2013-05-06 12:08 - 00002174 ____A C:\Users\Tosh\Desktop\GoToWebinar.lnk

2013-05-06 12:08 - 2013-05-06 12:08 - 00001346 ____A C:\Users\Tosh\Desktop\GoToMeeting.lnk

2013-05-06 12:08 - 2013-04-21 13:50 - 00002394 ____A C:\Users\Tosh\Desktop\GoToMeeting Quick Connect.lnk

2013-05-06 11:59 - 2013-05-06 11:59 - 00073216 ____A C:\Users\Tosh\Downloads\Lai Vincent cv 2.doc.5bhdr0s.partial

2013-05-06 10:23 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET

2013-05-06 10:06 - 2009-07-13 20:33 - 00436240 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-TW

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-HK

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-CN

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\tr-TR

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\sv-SE

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ru-RU

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pt-PT

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pt-BR

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pl-PL

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\nl-NL

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\nb-NO

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ko-KR

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ja-JP

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\it-IT

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\hu-HU

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\fr-FR

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\fi-FI

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\el-GR

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore

2013-05-06 10:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\de-DE

2013-05-06 09:54 - 2012-01-09 10:14 - 70490256 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-06 09:52 - 2013-05-06 09:46 - 00007971 ____A C:\Windows\IE10_main.log

2013-05-06 09:49 - 2013-05-06 09:49 - 03419136 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 02284544 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 01988096 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 01504768 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 01247744 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 01230336 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 01158144 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 01080832 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00906240 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00604160 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00417792 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00364544 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00249856 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00207872 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00187392 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll

2013-05-06 09:49 - 2013-05-06 09:49 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll

2013-05-06 09:43 - 2013-04-25 02:44 - 00847872 ____A C:\Users\Tosh\Documents\Database1.accdb

2013-05-04 04:16 - 2013-05-04 04:16 - 00000064 ____A C:\ProgramData\paqwhoil.log

2013-05-04 04:16 - 2013-05-04 04:16 - 00000000 ____A C:\Users\Tosh\AppData\Local\xylbxwke.log

2013-05-04 04:16 - 2013-05-04 04:16 - 00000000 ____A C:\Users\Tosh\AppData\Local\eetlvawv.log

2013-05-01 17:06 - 2012-01-09 10:09 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2013-04-24 22:25 - 2013-04-24 22:24 - 00957304 ____A C:\Users\Tosh\Downloads\Database Design For Mere Mortals.exe

2013-04-21 13:49 - 2013-04-08 11:29 - 00000000 ____D C:\Program Files\Citrix

2013-04-21 13:20 - 2013-04-21 13:20 - 00015752 ____A C:\Users\Tosh\Desktop\hs_err_pid3936.log

2013-04-18 08:29 - 2012-04-12 17:54 - 00000000 ____D C:\Users\Tosh\Desktop\NORTHGATE BA Sample CV

2013-04-18 04:56 - 2013-04-13 10:08 - 00000000 ____D C:\Users\Tosh\Desktop\Careerinsights

2013-04-12 05:45 - 2013-04-23 13:15 - 01211752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-23 17:52:37

Restore point made on: 2013-04-30 21:13:20

Restore point made on: 2013-05-06 09:45:29

Restore point made on: 2013-05-09 13:10:09

==================== Memory info ===========================

Percentage of memory in use: 34%

Total physical RAM: 1014.43 MB

Available physical RAM: 662.25 MB

Total Pagefile: 1014.43 MB

Available Pagefile: 663.29 MB

Total Virtual: 2047.88 MB

Available Virtual: 1969.62 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.79 GB) (Free:86.25 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

Drive d: (GSOG_DVD) (CDROM) (Total:2.82 GB) (Free:0 GB) UDF

Drive e: (KINGSTON) (Removable) (Total:7.46 GB) (Free:6.11 GB) FAT32

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 112 GB) (Disk ID: 29252924)

Partition 1: (Active) - (Size=112 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (Size: 7 GB) (Disk ID: 04030201)

Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

Last Boot: 2013-05-06 10:53

==================== End Of Log ============================

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt

HKLM\...\Winlogon: [userinit] userinit.exe,,C:\Users\Tosh\AppData\Local\smetgxaw\bsvjqbjn.exe [155136 2013-05-04] (Ke@g))

HKLM\...\Winlogon: [system]

HKU\Tosh\...\Run: [bsvJqbjn] C:\Users\Tosh\AppData\Local\smetgxaw\bsvjqbjn.exe [ 2013-05-04] (Ke@g))

Startup: C:\Users\Tosh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bsvjqbjn.exe (Ke@g))

2013-05-11 08:21 - 2013-05-11 08:21 - 00000000 ____D C:\Users\Tosh\AppData\Roaming\Babylon

2013-05-11 08:21 - 2013-05-11 08:21 - 00000000 ____D C:\Users\Tosh\AppData\Roaming\BabSolution

2013-05-11 08:21 - 2013-05-11 08:21 - 00000000 ____D C:\ProgramData\Babylon

2013-05-11 08:21 - 2013-05-11 08:21 - 00000000 ____D C:\Program Files\Delta

2013-05-07 11:52 - 2013-05-11 08:29 - 00033682 ____A C:\Users\Tosh\AppData\Local\emffdelx.log

2013-05-07 11:52 - 2013-05-10 15:13 - 00703846 ____A C:\Users\Tosh\AppData\Local\qhaapoqb.log

2013-05-07 11:52 - 2013-05-10 15:13 - 00003449 ____A C:\Users\Tosh\AppData\Local\oojddpmx.log

2013-05-07 11:52 - 2013-05-10 15:13 - 00003247 ____A C:\Users\Tosh\AppData\Local\uvspuxqy.log

2013-05-07 11:51 - 2013-05-10 15:13 - 00005370 ____A C:\Users\Tosh\AppData\Local\hfdwlsuc.log

2013-05-07 11:51 - 2013-05-07 11:51 - 00453200 ____A C:\Users\Tosh\AppData\Local\dpppfwih.log

2013-05-06 11:59 - 2013-05-11 08:30 - 00000000 ____A C:\Users\Tosh\AppData\Local\anuuuwyw.log

2013-05-04 04:16 - 2013-05-11 08:30 - 00000004 ____A C:\Users\Tosh\AppData\Local\nodsrouu.log

2013-05-04 04:16 - 2013-05-04 04:16 - 00000064 ____A C:\ProgramData\paqwhoil.log

2013-05-04 04:16 - 2013-05-04 04:16 - 00000000 ____A C:\Users\Tosh\AppData\Local\xylbxwke.log

2013-05-04 04:16 - 2013-05-04 04:16 - 00000000 ____A C:\Users\Tosh\AppData\Local\eetlvawv.log

2013-05-11 08:29 - 2013-05-07 10:20 - 00000028 ____A C:\Users\Tosh\AppData\Local\cyicjaek.log

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.

Link to post
Share on other sites
chipping

chipping

Posted
  • Author
Posted

<p> </p>

<div>Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-05-2013 01</div>

<div>Ran by SYSTEM at 2013-05-13 19:50:53 Run:1</div>

<div>Running from E:\</div>

<div>Boot Mode: Recovery</div>

<div> </div>

<div>==============================================</div>

<div> </div>

<div>HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.</div>

<div>HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\System => Value deleted successfully.</div>

<div>HKEY_USERS\Tosh\Software\Microsoft\Windows\CurrentVersion\Run\\BsvJqbjn => Value deleted successfully.</div>

<div>C:\Users\Tosh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bsvjqbjn.exe => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Roaming\Babylon => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Roaming\BabSolution => Moved successfully.</div>

<div>C:\ProgramData\Babylon => Moved successfully.</div>

<div>C:\Program Files\Delta => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Local\emffdelx.log => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Local\qhaapoqb.log => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Local\oojddpmx.log => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Local\uvspuxqy.log => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Local\hfdwlsuc.log => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Local\dpppfwih.log => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Local\anuuuwyw.log => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Local\nodsrouu.log => Moved successfully.</div>

<div>C:\ProgramData\paqwhoil.log => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Local\xylbxwke.log => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Local\eetlvawv.log => Moved successfully.</div>

<div>C:\Users\Tosh\AppData\Local\cyicjaek.log => Moved successfully.</div>

<div> </div>

<div>==== End of Fixlog ====</div>

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Link to post
Share on other sites
chipping

chipping

Posted
  • Author
Posted

Thanks Maniac

Combofix.exe rebooted the computer after completing the scan, the screen is frozen with the log on screen and not responding to keyboard or mouse. Is it OK to hard restart (press start button to turn off and press again to turn off)?

Link to post
Share on other sites
chipping

chipping

Posted
  • Author
Posted

ComboFix 13-05-13.01 - Tosh 14/05/2013 4:30.4.2 - x86 NETWORK

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.1014.498 [GMT 1:00]

Running from: c:\users\Tosh\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\AutoLyrics\auTOlrcs.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_MICORSOFT_WINDOWS_SERVICE

.

.

((((((((((((((((((((((((( Files Created from 2013-04-14 to 2013-05-14 )))))))))))))))))))))))))))))))

.

.

2013-05-12 01:38 . 2013-05-12 01:38 -------- d-----w- C:\FRST

2013-05-11 16:24 . 2013-05-11 16:24 -------- d-----w- c:\users\Tosh\AppData\Local\Mozilla

2013-05-11 16:23 . 2013-05-11 16:23 -------- d-----w- c:\program files\Mozilla Maintenance Service

2013-05-11 16:22 . 2013-05-14 03:35 -------- d-----w- c:\program files\AutoLyrics

2013-05-11 16:22 . 2013-05-11 16:22 -------- d-----w- c:\programdata\BrowserProtect

2013-05-10 23:07 . 2013-05-10 23:07 -------- d--h--w- c:\windows\PIF

2013-05-09 22:58 . 2013-05-09 22:58 -------- d-----w- c:\users\Tosh\AppData\Local\smetgxaw

2013-05-07 19:45 . 2013-05-07 19:45 -------- d-----w- c:\programdata\McAfee

2013-05-07 19:44 . 2013-05-07 19:44 -------- d-----w- c:\users\Tosh\AppData\Roaming\Oracle

2013-05-07 19:44 . 2013-05-07 19:44 -------- d-----w- c:\windows\Sun

2013-05-07 13:21 . 2013-05-07 13:21 -------- d-----w- c:\users\Tosh\AppData\Local\Programs

2013-05-07 02:36 . 2013-05-07 02:57 -------- d-----w- C:\BA Templates

2013-05-06 17:49 . 2013-05-06 17:49 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-04-23 21:15 . 2013-04-12 13:45 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-05-14 03:38 . 2012-01-09 17:49 69792 ----a-w- c:\windows\system32\rpcnet.dll

2013-05-14 03:38 . 2012-01-09 17:33 17408 ----a-w- c:\windows\system32\rpcnetp.dll

2013-05-14 03:37 . 2012-01-09 17:33 17408 ----a-w- c:\windows\system32\rpcnetp.exe

2013-05-09 23:01 . 2012-01-09 17:49 69792 ------w- c:\windows\system32\rpcnet.exe

2013-05-02 01:06 . 2012-01-09 18:09 238872 ------w- c:\windows\system32\MpSigStub.exe

2013-04-04 13:50 . 2012-09-05 11:24 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-19 05:04 . 2013-04-10 11:31 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-03-19 05:04 . 2013-04-10 11:31 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-19 04:48 . 2013-04-10 11:31 38912 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 02:49 . 2013-04-10 11:31 69632 ----a-w- c:\windows\system32\smss.exe

2013-03-15 12:34 . 2012-04-09 15:50 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-15 12:34 . 2012-01-09 21:43 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-03-01 03:09 . 2013-04-10 11:31 2347008 ----a-w- c:\windows\system32\win32k.sys

2013-02-15 04:37 . 2013-04-10 11:30 3217408 ----a-w- c:\windows\system32\mstscax.dll

2013-02-15 04:34 . 2013-04-10 11:30 131584 ----a-w- c:\windows\system32\aaclient.dll

2013-02-15 03:25 . 2013-04-10 11:30 36864 ----a-w- c:\windows\system32\tsgqec.dll

2013-02-27 05:10 . 2013-05-11 16:23 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-20 719672]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]

"GoToMeeting"="c:\program files\Citrix\GoToMeeting\1133\g2mstart.exe" [2013-04-21 40816]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]

"Nuance PDF Reader-reminder"="c:\program files\Nuance\PDF Reader\Ereg\Ereg.exe" [2010-07-05 333088]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

.

c:\users\Tosh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft SharePoint Workspace.lnk - c:\program files\Microsoft Office\Office14\GROOVE.EXE [2012-9-20 30785672]

OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~2\BROWSE~1\261249~1.132\{C16C1~1\BrowserProtect.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BsvJqbjn]

2013-05-04 12:16 155136 --s-a-w- c:\users\Tosh\AppData\Local\smetgxaw\bsvjqbjn.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

R2 BrowserProtect;BrowserProtect;c:\programdata\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [x]

S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [x]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [x]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService

FontCache

.

.

Contents of the 'Scheduled Tasks' folder

.

2013-05-11 c:\windows\Tasks\Auto Lyrics Update.job

- c:\program files\AutoLyrics\AutoLyricsUpdater.exe [2013-04-22 13:14]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www2.delta-search.com/?affID=119747&tt=gc_&babsrc=HP_ss&mntrId=F443001644D356EF

Trusted Zone: treehouse.org.uk\remote

TCP: DhcpNameServer = 192.168.1.254

DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://remote.treehouse.org.uk/MLWebCacheCleaner.cab

FF - ProfilePath - c:\users\Tosh\AppData\Roaming\Mozilla\Firefox\Profiles\if4x71ox.default\

FF - ExtSQL: 2013-05-11 17:22; autolyrics@man-soft.net; c:\program files\AutoLyrics\FF

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

AddRemove-delta - c:\program files\Delta\delta\1.8.16.16\GUninstaller.exe

AddRemove-Delta Chrome Toolbar - c:\users\Tosh\AppData\Roaming\BabSolution\Shared\GUninstaller.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\conhost.exe

c:\windows\helppane.exe

.

**************************************************************************

.

Completion time: 2013-05-14 12:10:29 - machine was rebooted

ComboFix-quarantined-files.txt 2013-05-14 11:10

.

Pre-Run: 92,509,851,648 bytes free

Post-Run: 92,467,658,752 bytes free

.

- - End Of File - - 5ECF45D61A483587F49A2E20F9174A97

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.png to download the ESET Smart Installer. icon on your Desktop.

    [*]Check "YES, I accept the Terms of Use."

    [*]Click the Start button.

    [*]Accept any security warnings from your browser.

    [*]Under Scan Settings, check "Scan Archives" and "Remove found threats"

    [*]Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

    [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

    [*]When the scan completes, click List Threats

    [*]Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

    [*]Click the Back button.

    [*]Click the Finish button.

Link to post
Share on other sites
chipping

chipping

Posted
  • Author
Posted

C:\FRST\Quarantine\bsvjqbjn.exe a variant of Win32/Kryptik.BAIH trojan cleaned by deleting - quarantined

C:\Users\Tosh\AppData\Local\smetgxaw\bsvjqbjn.exe a variant of Win32/Kryptik.BAIH trojan cleaned by deleting - quarantined

C:\Users\Tosh\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\dd9bd82-1605cf34 Java/Exploit.CVE-2012-1723.AZ trojan cleaned by deleting - quarantined

C:\Users\Tosh\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\53443534-4686b56a a variant of Win32/Kryptik.BAIH trojan cleaned by deleting - quarantined

Link to post
Share on other sites
chipping

chipping

Posted
  • Author
Posted

Hello Maniac,

During ComboFix scan it detected a virus in the registry [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BsvJqbjn]

2013-05-04 12:16 155136 --s-a-w- c:\users\Tosh\AppData\Local\smetgxaw\bsvjqbjn.exe

How does ESET scan detect and remove this. How can I check?

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept