Jump to content

Moneypak virus got me


Recommended Posts

My computer was hijacked by the Moneypak virus. After killing processes from another user account I have on the computer and then running Malwarebytes and TDSSKiller I can remove the files but they (and the virus) have been coming back as soon as I reboot even though all say there is no virus left on the computer. Also, Malwarebytes has protection disabled and I can not get it to enable again. I used System Mechanic and msconfig to stop the autostarts and to be able to post here. Thanks in advance for any help you can give me. Here are the requested cut/paste files from DDS.com per the AdvancedSetup topic : DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 10.0.9200.16576 BrowserJavaVersion: 10.4.1

Run by Test at 15:56:45 on 2013-05-21

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.16366.13248 [GMT -5:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\IDT\WDM\STacSV64.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\IDT\WDM\AESTSr64.exe

C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe

C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files\Microsoft Security Client\NisSrv.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\iolo\System Mechanic Professional\SystemGuardAlerter.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\IDT\WDM\sttray64.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe

C:\Program Files (x86)\CyberLink\Shared files\brs.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe

C:\Program Files\Alienware\Command Center\AWCCServiceController.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe

C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher32.exe

C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher64.exe

C:\Users\Test\Desktop\aswMBR.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Alienware\Command Center\AlienFusionService.exe

C:\Program Files\Alienware\Command Center\AlienFusionController.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Microsoft Security Client\MpCmdRun.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://my.yahoo.com/

uDefault_Page_URL = www.dell.com

mWinlogon: Userinit = userinit.exe,

BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - <orphaned>

BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"

mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"

mRun: [bDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe

mRun: [AlienwareOn-ScreenDisplay] C:\Program Files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

StartupFolder: C:\Users\Test\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://rsvpn.raytheon.com/dana-cached/sc/JuniperSetupClient.cab

TCP: NameServer = 192.168.1.254

TCP: Interfaces\{10290551-55E4-4BB1-8C70-448409C20C79} : DHCPNameServer = 192.168.1.254

TCP: Interfaces\{2F028FA4-460E-44ED-8F31-10DC4AF7AA60} : DHCPNameServer = 192.168.1.254

TCP: Interfaces\{2F028FA4-460E-44ED-8F31-10DC4AF7AA60}\76F676F696E666C696768647 : DHCPNameServer = 172.19.134.2

TCP: Interfaces\{2F028FA4-460E-44ED-8F31-10DC4AF7AA60}\C496D6563747F6E65602C4F6467656 : DHCPNameServer = 192.168.0.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

SSODL: WebCheck - <orphaned>

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL

x64-BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - <orphaned>

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [NVHotkey] rundll32.exe C:\Windows\System32\nvHotkey.dll,Start

x64-Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe

x64-Run: [Command Center Controllers] "C:\Program Files\Alienware\Command Center\AWCCStartupOrchestrator.exe"

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R0 EMSC;COMPAL Embedded System Control;C:\Windows\System32\drivers\EMSC.sys [2009-6-26 16752]

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]

R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-2-15 55856]

R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\System32\drivers\stdcfltn.sys [2012-2-15 21616]

R1 ElRawDisk;ElRawDisk;C:\Windows\System32\drivers\ElRawDsk.sys [2012-4-17 31432]

R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-2-15 89600]

R2 AlienFusionService;Alienware Fusion Service;C:\Program Files\Alienware\Command Center\AlienFusionService.exe [2010-11-10 15296]

R2 ioloSystemService;iolo System Service;C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2013-3-30 1070080]

R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 130008]

R2 PDFsFilter;PDFsFilter;C:\Windows\System32\drivers\PDFsFilter.sys [2012-7-27 82160]

R3 Acceler;Accelerometer Service;C:\Windows\System32\drivers\Accelern.sys [2012-2-15 27760]

R3 bpenum;bpenum;C:\Windows\System32\drivers\bpenum.sys [2012-2-15 71168]

R3 bpmp;Intel® Centrino® WiMAX 6050 Series;C:\Windows\System32\drivers\bpmp.sys [2012-2-15 175104]

R3 bpusb;bpusb;C:\Windows\System32\drivers\bpusb.sys [2012-2-15 81920]

R3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\System32\drivers\btwampfl.sys [2012-2-15 344616]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2012-2-15 172704]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2012-2-15 76912]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-5-20 25928]

R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]

R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2012-2-15 80384]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2012-2-15 180736]

R3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;C:\Windows\System32\drivers\nvstusb.sys [2011-5-16 121448]

R3 SiBEAMSB92xxHostSerial;SiBEAMSB92xxHostSerial;C:\Windows\System32\drivers\SiBEAM_x64.sys [2012-2-15 62464]

R3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]

S2 CLKMSVC10_9EC60124;CyberLink Product - 2012/02/15 07:23:41;C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2011-8-11 248304]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 MBAMScheduler;MBAMScheduler;"\mbamscheduler.exe" --> \mbamscheduler.exe [?]

S2 MBAMService;MBAMService;"\mbamservice.exe" --> \mbamservice.exe [?]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

S3 CASprint;Sprint Con App Svc;C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [2008-3-5 118784]

S3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;C:\Windows\System32\PCTINDIS5X64.sys [2008-3-5 43032]

S3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2012-2-15 335464]

S3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]

S3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]

S3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]

S3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-4-13 1255736]

S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]

S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-29 38608]

S4 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

S4 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]

.

=============== File Associations ===============

.

FileExt: .vbe: VBEFile=NOTEPAD.EXE "%1"

FileExt: .vbs: VBSFile=NOTEPAD.EXE "%1"

FileExt: .js: JSFile=NOTEPAD.EXE "%1"

FileExt: .jse: JSEFile=NOTEPAD.EXE "%1"

FileExt: .wsf: WSFFile=NOTEPAD.EXE "%1"

.

=============== Created Last 30 ================

.

2013-05-21 20:48:49 76232 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7F3A2D00-3E1A-413B-AF60-64D31F9E0245}\offreg.dll

2013-05-21 00:14:43 -------- d-----w- C:\ProgramData\PC Tools

2013-05-21 00:14:42 -------- d-----w- C:\Users\Test\AppData\Roaming\TestApp

2013-05-21 00:12:37 9460464 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7F3A2D00-3E1A-413B-AF60-64D31F9E0245}\mpengine.dll

2013-05-20 18:35:28 -------- d-----w- C:\Users\Test\AppData\Roaming\Dell

2013-05-20 18:35:25 -------- d-----w- C:\ProgramData\PCDr

2013-05-20 18:35:25 -------- d-----w- C:\ProgramData\PC-Doctor for Windows

2013-05-20 18:35:17 -------- d-----w- C:\Program Files\AlienAutopsy

2013-05-20 18:34:24 -------- d-----w- C:\Users\Test\AppData\Roaming\PCDr

2013-05-20 18:34:20 -------- d-----w- C:\temp

2013-05-20 13:59:12 9460464 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-05-20 12:24:03 -------- d-----w- C:\Users\Test\AppData\Roaming\Malwarebytes

2013-05-20 12:23:42 -------- d-----w- C:\ProgramData\Malwarebytes

2013-05-20 12:23:41 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-05-20 12:23:41 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-05-20 12:23:24 -------- d-----w- C:\Users\Test\AppData\Local\Programs

2013-05-19 18:20:31 65024 ----a-w- C:\Users\Test\javaw.dll

2013-05-15 11:38:48 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys

2013-04-26 04:39:05 905296 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F3485C91-A19A-47C4-93B4-2238A363DE88}\gapaengine.dll

2013-04-25 12:07:51 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys

.

==================== Find3M ====================

.

2013-05-20 12:18:33 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-20 12:18:33 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-05-02 15:29:56 278800 ------w- C:\Windows\System32\MpSigStub.exe

2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll

2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll

2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys

2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys

2013-04-05 06:52:14 2242048 ----a-w- C:\Windows\System32\wininet.dll

2013-04-05 06:50:36 3958784 ----a-w- C:\Windows\System32\jscript9.dll

2013-04-05 06:50:31 67072 ----a-w- C:\Windows\System32\iesetup.dll

2013-04-05 06:50:31 136704 ----a-w- C:\Windows\System32\iesysprep.dll

2013-04-05 05:28:24 1767424 ----a-w- C:\Windows\SysWow64\wininet.dll

2013-04-05 05:26:26 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll

2013-04-05 05:26:21 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll

2013-04-05 05:26:21 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll

2013-04-05 04:43:00 2706432 ----a-w- C:\Windows\System32\mshtml.tlb

2013-04-05 04:29:45 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2013-04-05 03:51:11 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe

2013-04-05 03:38:25 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe

2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe

2013-03-19 05:53:58 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll

2013-03-19 05:53:58 230400 ----a-w- C:\Windows\System32\wwansvc.dll

2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll

2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll

2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe

2013-03-18 04:59:04 57584 ----a-w- C:\Windows\System32\iolobtdfg.exe

2013-03-18 04:58:56 26184 ----a-w- C:\Windows\System32\smrgdf.exe

2013-03-18 04:43:58 2155688 ----a-w- C:\Windows\System32\Incinerator64.dll

2013-03-18 04:43:56 2097472 ----a-w- C:\Windows\SysWow64\Incinerator32.dll

2013-02-27 06:02:44 111448 ----a-w- C:\Windows\System32\consent.exe

2013-02-27 05:48:00 1930752 ----a-w- C:\Windows\System32\authui.dll

2013-02-27 05:47:10 70144 ----a-w- C:\Windows\System32\appinfo.dll

2013-02-27 04:49:24 1796096 ----a-w- C:\Windows\SysWow64\authui.dll

.

============= FINISH: 15:56:51.64 ===============.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 4/9/2012 2:51:40 PM

System Uptime: 5/21/2013 3:47:33 PM (0 hours ago)

.

Motherboard: Alienware | | M17xR3

Processor: Intel® Core™ i7-2760QM CPU @ 2.40GHz | CPU1 | 2401/1600mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 238 GiB total, 87.544 GiB free.

D: is FIXED (NTFS) - 699 GiB total, 345.473 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: Bluetooth Peripheral Device

Device ID: BTHENUM\{00001132-0000-1000-8000-00805F9B34FB}_LOCALMFG&000F\8&1C3E1704&0&F40B93E720B8_C00000000

Manufacturer:

Name: Bluetooth Peripheral Device

PNP Device ID: BTHENUM\{00001132-0000-1000-8000-00805F9B34FB}_LOCALMFG&000F\8&1C3E1704&0&F40B93E720B8_C00000000

Service:

.

==== System Restore Points ===================

.

RP124: 2/26/2013 11:06:07 PM - Windows Update

RP125: 3/2/2013 10:19:50 AM - Windows Update

RP126: 3/8/2013 11:20:23 PM - Windows Update

RP127: 3/12/2013 5:59:05 PM - Windows Update

RP128: 3/14/2013 9:45:09 AM - Windows Update

RP129: 3/18/2013 11:09:31 AM - Windows Update

RP130: 3/22/2013 2:22:39 PM - Windows Update

RP131: 3/25/2013 9:44:03 PM - Windows Update

RP132: 3/29/2013 1:12:59 PM - Windows Update

RP133: 4/3/2013 10:23:59 AM - Windows Update

RP134: 4/7/2013 7:50:23 AM - Windows Update

RP135: 4/9/2013 3:52:57 PM - Windows Update

RP136: 4/12/2013 9:20:02 PM - Windows Update

RP137: 4/16/2013 7:22:19 PM - Windows Update

RP138: 4/20/2013 8:24:57 AM - Windows Update

RP139: 4/25/2013 11:38:46 PM - Windows Update

RP140: 4/26/2013 8:31:21 AM - Windows Update

RP141: 4/29/2013 10:00:35 AM - Windows Update

RP142: 4/30/2013 12:04:24 AM - Windows Update

RP143: 5/3/2013 2:04:18 PM - Windows Update

RP144: 5/7/2013 6:53:26 AM - Windows Update

RP145: 5/10/2013 4:59:22 PM - Windows Update

RP146: 5/14/2013 8:58:03 PM - Windows Update

RP147: 5/15/2013 7:50:12 PM - Windows Update

RP148: 5/19/2013 7:47:46 AM - Windows Update

RP149: 5/20/2013 3:27:57 PM - Malwarebytes Anti-Rootkit Restore Point

RP150: 5/20/2013 5:04:51 PM - Malwarebytes Anti-Rootkit Restore Point

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Reader X (10.1.7)

Adobe Shockwave Player 11.6

Advanced Audio FX Engine

Alienware On-Screen Display

Apple Application Support

Apple Software Update

Command Center

Corel PaintShop Pro X4

CyberLink PowerDVD 9.6

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Dell Webcam Central

Diablo II

Digital Copy

DirectX 9 Runtime

EMSC

Flixster Collections

Free File Viewer 2011

ICA

iolo technologies' System Mechanic Professional

IPM_PSP_COM

Java Auto Updater

Java™ 7 Update 4

JavaFX 2.1.0

Juniper Networks, Inc. Setup Client

Junk Mail filter update

Live! Cam Avatar Creator

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office Office 64-bit Components 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared 64-bit MUI (English) 2010

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Starter 2010 - English

Microsoft Office Word MUI (English) 2010

Microsoft Save as PDF Add-in for 2007 Microsoft Office programs

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NVIDIA 3D Vision Controller Driver

PhotoShowExpress

PSPPContent

PSPPHelp

PSPPro64

QuickTime

RBVirtualFolder64Inst

RealDownloader

RealNetworks - Microsoft Visual C++ 2008 Runtime

RealNetworks - Microsoft Visual C++ 2010 Runtime

RealPlayer

RealUpgrade 1.1

Roxio Activation Module

Roxio BackOnTrack

Roxio Burn

Roxio Creator Starter

Roxio Express Labeler 3

Roxio File Backup

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition

Security Update for Microsoft Filter Pack 2.0 (KB2553501) 32-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2687422) 32-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2760406) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition

Security Update for Microsoft OneNote 2010 (KB2760600) 32-Bit Edition

Security Update for Microsoft Publisher 2010 (KB2553147) 32-Bit Edition

Security Update for Microsoft Visio 2010 (KB2810068) 32-Bit Edition

Security Update for Microsoft Visio Viewer 2010 (KB2687505) 32-Bit Edition

Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition

Setup

Sonic CinePlayer Decoder Pack

Sprint SmartView

swMSM

Synaptics Pointing Device Driver

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553092)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition

Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition

Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition

Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition

Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition

Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition

Widevine Media Optimizer IE 6.0.0

WiHD Controller

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Mail

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

WinZip 15.5

.

==== Event Viewer Messages From Past Week ========

.

5/21/2013 3:52:14 PM, Error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: The system cannot find the file specified.

5/21/2013 3:51:36 PM, Error: Service Control Manager [7000] - The MBAMScheduler service failed to start due to the following error: The system cannot find the file specified.

5/21/2013 3:48:47 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

5/21/2013 3:47:47 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: FileDisk

5/20/2013 7:35:21 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

5/20/2013 7:35:21 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-2147218173.

5/20/2013 7:33:09 PM, Error: volmgr [46] - Crash dump initialization failed!

5/20/2013 7:16:52 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer JEANNES-LAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{2F028FA4-460E-44ED-8F31-10DC4AF7AA60}. The master browser is stopping or an election is being forced.

5/20/2013 7:12:37 PM, Error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x80070003 Error description: The system cannot find the path specified. Signature version: 0.0.0.0;0.0.0.0 Engine version: 0.0.0.0

.

==== End Of File ===========================

Link to post
Share on other sites

Welcome to the forum, here's how we deal with that malware:

  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

[*]On the System Recovery Options menu you will get the following options:


    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
      Select Command Prompt
      Once in the Command Prompt:

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC

Link to post
Share on other sites

Thank you for assisting. Here is the log file requested :

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 21-05-2013 02

Ran by SYSTEM on 21-05-2013 17:47:19

Running from F:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2392872 2010-11-29] (Synaptics Incorporated)

HKLM\...\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start [315496 2011-06-26] (NVIDIA Corporation)

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-03-03] (IDT, Inc.)

HKLM\...\Run: [] [x]

HKLM\...\Run: [Command Center Controllers] "C:\Program Files\Alienware\Command Center\AWCCStartupOrchestrator.exe" [13256 2010-11-10] (Microsoft)

HKLM-x32\...\Run: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2010-10-01] (CyberLink Corp.)

HKLM-x32\...\Run: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-09-17] (CyberLink Corp.)

HKLM-x32\...\Run: [bDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe [75048 2011-08-11] (cyberlink)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [AlienwareOn-ScreenDisplay] C:\Program Files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe [1500528 2010-11-17] ()

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)

Startup: C:\Users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

BootExecute: ?????

==================== Services (Whitelisted) =================

S3 CASprint; C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [118784 2008-03-05] (PCTEL)

S2 CLKMSVC10_9EC60124; C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [248304 2011-08-11] (CyberLink)

S2 ioloSystemService; C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [1070080 2013-03-17] (iolo technologies, LLC)

S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)

S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

S4 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [38608 2012-11-29] ()

S3 SprintRcAppSvc; C:\Program Files (x86)\Sprint\Sprint SmartView\RcAppSvc.exe [106496 2008-03-05] (PCTEL)

S2 MBAMScheduler; "\mbamscheduler.exe" [x]

S2 MBAMService; "\mbamservice.exe" [x]

==================== Drivers (Whitelisted) ====================

S1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [31432 2012-04-11] (EldoS Corporation)

S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

S3 NvStUSB; C:\Windows\System32\DRIVERS\nvstusb.sys [121448 2010-12-08] ()

S3 PCTINDIS5X64; C:\Windows\system32\PCTINDIS5X64.SYS [43032 2008-03-05] (PCTEL Inc.)

S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)

S3 SiBEAMSB92xxHostSerial; C:\Windows\System32\DRIVERS\SiBEAM_x64.sys [62464 2011-03-01] ()

S3 swmsflt; C:\Windows\System32\drivers\swmsflt.sys [28808 2008-03-05] ()

S3 SWNC5E00; C:\Windows\System32\DRIVERS\SWNC5E00.sys [195584 2008-03-05] (Sierra Wireless Inc.)

S1 FileDisk; No ImagePath

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-21 17:47 - 2013-05-21 17:47 - 00000000 ____D C:\FRST

2013-05-21 12:56 - 2013-05-21 12:57 - 00018015 ____A C:\Users\Test\Desktop\dds.txt

2013-05-21 12:56 - 2013-05-21 12:57 - 00011885 ____A C:\Users\Test\Desktop\attach.txt

2013-05-21 12:56 - 2013-05-21 12:56 - 00688992 ____R (Swearware) C:\Users\Test\Desktop\dds.com

2013-05-20 19:39 - 2013-05-21 13:35 - 00006394 ____A C:\Users\Test\Desktop\aswMBR.txt

2013-05-20 19:39 - 2013-05-21 13:35 - 00000512 ____A C:\Users\Test\Desktop\MBR.dat

2013-05-20 19:20 - 2013-05-20 19:22 - 04745728 ____A (AVAST Software) C:\Users\Test\Desktop\aswMBR.exe

2013-05-20 16:39 - 2013-05-20 16:39 - 00000020 __ASH C:\Users\Jeanne.DADS-ALIEN\ntuser.ini

2013-05-20 16:39 - 2013-05-20 16:39 - 00000000 ____D C:\Users\Jeanne.DADS-ALIEN\AppData\Roaming\Real

2013-05-20 16:39 - 2013-05-20 16:39 - 00000000 ____D C:\Users\Jeanne.DADS-ALIEN\AppData\Roaming\iolo

2013-05-20 16:39 - 2013-05-20 16:39 - 00000000 ____D C:\Users\Jeanne.DADS-ALIEN\AppData\Roaming\Adobe

2013-05-20 16:39 - 2013-05-20 16:39 - 00000000 ____D C:\Users\Jeanne.DADS-ALIEN\AppData\Local\VirtualStore

2013-05-20 16:39 - 2013-05-20 16:39 - 00000000 ____D C:\users\Jeanne.DADS-ALIEN

2013-05-20 16:39 - 2012-04-22 18:34 - 00000000 ____D C:\Users\Jeanne.DADS-ALIEN\AppData\Local\Microsoft Help

2013-05-20 16:39 - 2012-04-15 13:30 - 00000000 ____D C:\Users\Jeanne.DADS-ALIEN\AppData\Roaming\Macromedia

2013-05-20 16:27 - 2013-05-20 16:27 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Test\Desktop\TDSSKiller.exe

2013-05-20 16:14 - 2013-05-20 16:14 - 00000000 ____D C:\Users\Test\AppData\Roaming\TestApp

2013-05-20 16:14 - 2013-05-20 16:14 - 00000000 ____D C:\ProgramData\PC Tools

2013-05-20 13:48 - 2013-05-20 13:48 - 00000000 ____D C:\Users\Jeanne\AppData\Roaming\RealNetworks

2013-05-20 12:41 - 2013-05-20 12:41 - 02250054 ____A C:\ProgramData\1.bmp

2013-05-20 12:39 - 2013-05-20 12:39 - 00000000 ____D C:\Users\Jeanne\AppData\Roaming\Real

2013-05-20 12:39 - 2013-05-20 12:39 - 00000000 ____D C:\Users\Jeanne\AppData\Roaming\Malwarebytes

2013-05-20 12:38 - 2013-05-20 13:07 - 00000000 ____D C:\Users\Jeanne\AppData\Roaming\iolo

2013-05-20 12:38 - 2013-05-20 12:38 - 00000020 ___SH C:\Users\Jeanne\ntuser.ini

2013-05-20 12:38 - 2013-05-20 12:38 - 00000000 ____D C:\Users\Jeanne\AppData\Roaming\Adobe

2013-05-20 12:38 - 2013-05-20 12:38 - 00000000 ____D C:\Users\Jeanne\AppData\Local\VirtualStore

2013-05-20 12:38 - 2013-05-20 12:38 - 00000000 ____D C:\users\Jeanne

2013-05-20 12:38 - 2012-04-22 18:34 - 00000000 ____D C:\Users\Jeanne\AppData\Local\Microsoft Help

2013-05-20 12:38 - 2012-04-15 13:30 - 00000000 ____D C:\Users\Jeanne\AppData\Roaming\Macromedia

2013-05-20 12:36 - 2013-05-20 13:43 - 00000004 ____A C:\Users\Test\AppData\Roaming\skype.ini

2013-05-20 10:35 - 2013-05-20 11:00 - 00000000 ____D C:\Program Files\AlienAutopsy

2013-05-20 10:35 - 2013-05-20 10:35 - 00000000 ____D C:\Users\Test\AppData\Roaming\Dell

2013-05-20 10:35 - 2013-05-20 10:35 - 00000000 ____D C:\ProgramData\PCDr

2013-05-20 10:34 - 2013-05-20 10:34 - 00000000 ____D C:\Users\Test\AppData\Roaming\PCDr

2013-05-20 04:24 - 2013-05-20 04:24 - 00000000 ____D C:\Users\Test\AppData\Roaming\Malwarebytes

2013-05-20 04:23 - 2013-05-20 04:23 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-05-20 04:23 - 2013-05-20 04:23 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-05-20 04:23 - 2013-05-20 04:23 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-05-20 04:23 - 2013-04-04 11:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-05-19 10:21 - 2013-05-19 10:21 - 00000000 ____D C:\ProgramData\Intel

2013-05-19 10:20 - 2013-05-19 10:20 - 00065024 ____A C:\Users\Test\javaw.dll

2013-05-15 16:50 - 2013-04-04 22:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-15 16:50 - 2013-04-04 22:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-15 16:50 - 2013-04-04 22:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-05-15 16:50 - 2013-04-04 22:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-15 16:50 - 2013-04-04 22:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-15 16:50 - 2013-04-04 22:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-15 16:50 - 2013-04-04 22:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-15 16:50 - 2013-04-04 22:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-15 16:50 - 2013-04-04 22:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-15 16:50 - 2013-04-04 22:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-15 16:50 - 2013-04-04 22:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-05-15 16:50 - 2013-04-04 22:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-05-15 16:50 - 2013-04-04 22:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-15 16:50 - 2013-04-04 22:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-05-15 16:50 - 2013-04-04 21:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-15 16:50 - 2013-04-04 21:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-15 16:50 - 2013-04-04 21:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-15 16:50 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-15 16:50 - 2013-04-04 21:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-15 16:50 - 2013-04-04 21:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-15 16:50 - 2013-04-04 21:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-15 16:50 - 2013-04-04 21:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-15 16:50 - 2013-04-04 21:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-15 16:50 - 2013-04-04 21:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll

2013-05-15 16:50 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2013-05-15 16:50 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-15 16:50 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2013-05-15 16:50 - 2013-04-04 20:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-15 16:50 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-15 16:50 - 2013-04-04 19:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-05-15 16:50 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

2013-05-15 03:38 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-15 03:38 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-15 03:38 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-15 03:38 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-15 03:38 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-15 03:38 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-15 03:38 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-15 03:38 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-15 03:38 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-15 03:38 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-15 03:38 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-15 03:38 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-15 03:38 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-15 03:38 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 01509376 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-04-29 21:05 - 2013-04-29 21:05 - 01441280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-04-29 21:05 - 2013-04-29 21:05 - 01400416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat

2013-04-29 21:05 - 2013-04-29 21:05 - 01400416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat

2013-04-29 21:05 - 2013-04-29 21:05 - 01054720 ____A (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00905728 ____A (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00762368 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00719360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00629248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00599552 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00523264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00452096 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\html.iec

2013-04-29 21:05 - 2013-04-29 21:05 - 00361984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec

2013-04-29 21:05 - 2013-04-29 21:05 - 00357888 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00281600 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00270848 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00247296 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00242200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00235008 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00232960 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00226816 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00226304 ____A (Microsoft Corporation) C:\Windows\System32\elshyph.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00216064 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00204800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00185344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\elshyph.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00173568 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00167424 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00163840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00158720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00150528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00144896 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00138752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00137216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00136192 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00135680 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00125440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00117248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00110592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00097280 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00092160 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00082432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00081408 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00079872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx

2013-04-29 21:05 - 2013-04-29 21:05 - 00073728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00069120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00062976 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00061952 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx

2013-04-29 21:05 - 2013-04-29 21:05 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00051200 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00048640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00038400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00027648 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00023040 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00013824 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00012800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00011776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe

2013-04-29 21:04 - 2013-04-29 21:07 - 00007201 ____A C:\Windows\IE10_main.log

2013-04-25 04:07 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

==================== One Month Modified Files and Folders =======

2013-05-21 17:47 - 2013-05-21 17:47 - 00000000 ____D C:\FRST

2013-05-21 14:40 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-21 14:40 - 2009-07-13 20:51 - 00067522 ____A C:\Windows\setupact.log

2013-05-21 14:27 - 2012-02-15 05:06 - 01610393 ____A C:\Windows\WindowsUpdate.log

2013-05-21 13:56 - 2012-10-28 06:35 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-168337650-4283734589-1400818274-1002UA.job

2013-05-21 13:35 - 2013-05-20 19:39 - 00006394 ____A C:\Users\Test\Desktop\aswMBR.txt

2013-05-21 13:35 - 2013-05-20 19:39 - 00000512 ____A C:\Users\Test\Desktop\MBR.dat

2013-05-21 12:57 - 2013-05-21 12:56 - 00018015 ____A C:\Users\Test\Desktop\dds.txt

2013-05-21 12:57 - 2013-05-21 12:56 - 00011885 ____A C:\Users\Test\Desktop\attach.txt

2013-05-21 12:56 - 2013-05-21 12:56 - 00688992 ____R (Swearware) C:\Users\Test\Desktop\dds.com

2013-05-21 12:54 - 2009-07-13 20:45 - 00021472 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-21 12:54 - 2009-07-13 20:45 - 00021472 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-21 12:52 - 2009-07-13 21:13 - 00779724 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-21 12:51 - 2012-04-29 09:13 - 00000400 ____A C:\Windows\Tasks\FreeFileViewerUpdateChecker.job

2013-05-20 19:22 - 2013-05-20 19:20 - 04745728 ____A (AVAST Software) C:\Users\Test\Desktop\aswMBR.exe

2013-05-20 18:40 - 2012-04-17 13:51 - 00000000 ____D C:\Users\Test\AppData\Roaming\iolo

2013-05-20 18:34 - 2013-03-22 17:30 - 00000000 ____D C:\Users\Public\Downloads\mbar

2013-05-20 16:39 - 2013-05-20 16:39 - 00000020 __ASH C:\Users\Jeanne.DADS-ALIEN\ntuser.ini

2013-05-20 16:39 - 2013-05-20 16:39 - 00000000 ____D C:\Users\Jeanne.DADS-ALIEN\AppData\Roaming\Real

2013-05-20 16:39 - 2013-05-20 16:39 - 00000000 ____D C:\Users\Jeanne.DADS-ALIEN\AppData\Roaming\iolo

2013-05-20 16:39 - 2013-05-20 16:39 - 00000000 ____D C:\Users\Jeanne.DADS-ALIEN\AppData\Roaming\Adobe

2013-05-20 16:39 - 2013-05-20 16:39 - 00000000 ____D C:\Users\Jeanne.DADS-ALIEN\AppData\Local\VirtualStore

2013-05-20 16:39 - 2013-05-20 16:39 - 00000000 ____D C:\users\Jeanne.DADS-ALIEN

2013-05-20 16:36 - 2012-04-09 11:51 - 00000000 ____D C:\users\Test

2013-05-20 16:27 - 2013-05-20 16:27 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Test\Desktop\TDSSKiller.exe

2013-05-20 16:14 - 2013-05-20 16:14 - 00000000 ____D C:\Users\Test\AppData\Roaming\TestApp

2013-05-20 16:14 - 2013-05-20 16:14 - 00000000 ____D C:\ProgramData\PC Tools

2013-05-20 16:12 - 2010-11-20 19:47 - 00101666 ____A C:\Windows\PFRO.log

2013-05-20 14:56 - 2012-10-28 06:35 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-168337650-4283734589-1400818274-1002Core.job

2013-05-20 13:48 - 2013-05-20 13:48 - 00000000 ____D C:\Users\Jeanne\AppData\Roaming\RealNetworks

2013-05-20 13:43 - 2013-05-20 12:36 - 00000004 ____A C:\Users\Test\AppData\Roaming\skype.ini

2013-05-20 13:07 - 2013-05-20 12:38 - 00000000 ____D C:\Users\Jeanne\AppData\Roaming\iolo

2013-05-20 12:41 - 2013-05-20 12:41 - 02250054 ____A C:\ProgramData\1.bmp

2013-05-20 12:39 - 2013-05-20 12:39 - 00000000 ____D C:\Users\Jeanne\AppData\Roaming\Real

2013-05-20 12:39 - 2013-05-20 12:39 - 00000000 ____D C:\Users\Jeanne\AppData\Roaming\Malwarebytes

2013-05-20 12:38 - 2013-05-20 12:38 - 00000020 ___SH C:\Users\Jeanne\ntuser.ini

2013-05-20 12:38 - 2013-05-20 12:38 - 00000000 ____D C:\Users\Jeanne\AppData\Roaming\Adobe

2013-05-20 12:38 - 2013-05-20 12:38 - 00000000 ____D C:\Users\Jeanne\AppData\Local\VirtualStore

2013-05-20 12:38 - 2013-05-20 12:38 - 00000000 ____D C:\users\Jeanne

2013-05-20 12:30 - 2012-04-16 15:32 - 00000000 ____D C:\Users\Test\AppData\Local\CrashDumps

2013-05-20 11:00 - 2013-05-20 10:35 - 00000000 ____D C:\Program Files\AlienAutopsy

2013-05-20 10:35 - 2013-05-20 10:35 - 00000000 ____D C:\Users\Test\AppData\Roaming\Dell

2013-05-20 10:35 - 2013-05-20 10:35 - 00000000 ____D C:\ProgramData\PCDr

2013-05-20 10:34 - 2013-05-20 10:34 - 00000000 ____D C:\Users\Test\AppData\Roaming\PCDr

2013-05-20 10:31 - 2012-10-28 06:35 - 00000000 ____D C:\Users\Test\AppData\Local\Deployment

2013-05-20 04:24 - 2013-05-20 04:24 - 00000000 ____D C:\Users\Test\AppData\Roaming\Malwarebytes

2013-05-20 04:23 - 2013-05-20 04:23 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-05-20 04:23 - 2013-05-20 04:23 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-05-20 04:23 - 2013-05-20 04:23 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-05-20 04:18 - 2012-04-13 12:22 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-05-20 04:18 - 2012-04-13 12:22 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-05-19 10:21 - 2013-05-19 10:21 - 00000000 ____D C:\ProgramData\Intel

2013-05-19 10:20 - 2013-05-19 10:20 - 00065024 ____A C:\Users\Test\javaw.dll

2013-05-15 18:47 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-05-15 16:55 - 2009-07-13 20:45 - 00461464 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-15 16:53 - 2012-04-21 13:38 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-05-15 16:52 - 2012-04-13 14:52 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-02 07:29 - 2010-11-20 19:27 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2013-04-30 04:03 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions

2013-04-29 21:07 - 2013-04-29 21:04 - 00007201 ____A C:\Windows\IE10_main.log

2013-04-29 21:05 - 2013-04-29 21:05 - 01509376 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-04-29 21:05 - 2013-04-29 21:05 - 01441280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-04-29 21:05 - 2013-04-29 21:05 - 01400416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat

2013-04-29 21:05 - 2013-04-29 21:05 - 01400416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat

2013-04-29 21:05 - 2013-04-29 21:05 - 01054720 ____A (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00905728 ____A (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00762368 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00719360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00629248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00599552 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00523264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00452096 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\html.iec

2013-04-29 21:05 - 2013-04-29 21:05 - 00361984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec

2013-04-29 21:05 - 2013-04-29 21:05 - 00357888 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00281600 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00270848 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00247296 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00242200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00235008 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00232960 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00226816 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00226304 ____A (Microsoft Corporation) C:\Windows\System32\elshyph.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00216064 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00204800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00185344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\elshyph.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00173568 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00167424 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00163840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00158720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00150528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00144896 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00138752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00137216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00136192 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00135680 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00125440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00117248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00110592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00097280 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00092160 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00082432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00081408 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00079872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx

2013-04-29 21:05 - 2013-04-29 21:05 - 00073728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00069120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00062976 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00061952 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx

2013-04-29 21:05 - 2013-04-29 21:05 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00051200 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00048640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00038400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00027648 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00023040 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll

2013-04-29 21:05 - 2013-04-29 21:05 - 00013824 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00012800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe

2013-04-29 21:05 - 2013-04-29 21:05 - 00011776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe

Other Malware:

===========

C:\Users\Test\AppData\Roaming\skype.ini

C:\ProgramData\qci.pad

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-08 21:20:28

Restore point made on: 2013-03-12 14:59:09

Restore point made on: 2013-03-14 06:45:14

Restore point made on: 2013-03-18 08:09:36

Restore point made on: 2013-03-22 11:22:44

Restore point made on: 2013-03-25 18:44:07

Restore point made on: 2013-03-29 10:13:03

Restore point made on: 2013-04-03 07:24:04

Restore point made on: 2013-04-07 04:50:28

Restore point made on: 2013-04-09 12:53:01

Restore point made on: 2013-04-12 18:20:06

Restore point made on: 2013-04-16 16:22:24

Restore point made on: 2013-04-20 05:25:03

Restore point made on: 2013-04-25 20:38:52

Restore point made on: 2013-04-26 05:31:26

Restore point made on: 2013-04-29 07:00:40

Restore point made on: 2013-04-29 21:04:30

Restore point made on: 2013-05-03 11:04:23

Restore point made on: 2013-05-07 03:53:32

Restore point made on: 2013-05-10 13:59:27

Restore point made on: 2013-05-14 17:58:08

Restore point made on: 2013-05-15 16:50:17

Restore point made on: 2013-05-19 04:47:52

Restore point made on: 2013-05-20 12:28:05

Restore point made on: 2013-05-20 14:04:59

Restore point made on: 2013-05-21 12:58:31

==================== Memory info ===========================

Percentage of memory in use: 7%

Total physical RAM: 16365.86 MB

Available physical RAM: 15064.76 MB

Total Pagefile: 16364.06 MB

Available Pagefile: 15043.36 MB

Total Virtual: 8192 MB

Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (OSDisk) (Fixed) (Total:238.47 GB) (Free:88.28 GB) NTFS (Disk=0 Partition=1) ==>[Drive with boot components (obtained from BCD)]

Drive d: (HD2) (Fixed) (Total:698.63 GB) (Free:345.3 GB) NTFS (Disk=1 Partition=1)

Drive e: (W7SP1_HOMEPREMIUM) (CDROM) (Total:4.69 GB) (Free:0 GB) UDF

Drive f: (USB MEM 64M) (Removable) (Total:0.06 GB) (Free:0.06 GB) FAT32 (Disk=2 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 238 GB) (Disk ID: 7219425B)

Partition 1: (Active) - (Size=238 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: 62E6E4DB)

Partition 1: (Not Active) - (Size=699 GB) - (Type=07 NTFS)

========================================================

Disk: 2 (Size: 62 MB) (Disk ID: 4AD7EEF2)

Partition 1: (Active) - (Size=61 MB) - (Type=0B)

Last Boot: 2013-05-14 18:24

==================== End Of Log ============================

Link to post
Share on other sites

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now and if so..........

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

MrC

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC

Link to post
Share on other sites

Thanks MrC. The system booted ok, but it has been booting fine since I stopped the bootup processes as mentioned earlier but I knew I still had some virus elements from the fact that I had to disable the startups with msconfig. In any event I am praying that these changes bring it to heel. I will be retiring this year and you guys have shown me a possible way to give back when I do. It is much appreciated. Also, I will gladly put some funds in the account to keep you guys going!

Here is the fixlog data :

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-05-2013 02

Ran by SYSTEM at 2013-05-21 18:46:11 Run:1

Running from F:\

Boot Mode: Recovery

==============================================

C:\Users\Test\AppData\Roaming\skype.ini => Moved successfully.

C:\ProgramData\qci.pad => Moved successfully.

==== End of Fixlog ====

Then when I ran MBAR, it found a virus file. I have to reboot so will post the final two logs when done and have a (hopefully) clean bill. Here are the interim logs attached.

system-log.txt

mbar-log-2013-05-21 (18-58-00).txt

Link to post
Share on other sites

OK, we're not done so please be patient.....Next:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Also, when I try to go to scheduler to set up, I get an error that reads : "An error has occurred. Please report this issue to our support team (include the content of all error message(s) and code(s) in your submission). PROGRAM_ERROR_SCHEDULER (2,0,SchedulerStart). The system cannot find the file specified. Here is the quickscan log :

Malwarebytes Anti-Malware (PRO) 1.75.0.1300

www.malwarebytes.org

Database version: v2013.05.21.11

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 10.0.9200.16576

Test :: DADS-ALIEN [administrator]

Protection: Disabled

5/21/2013 7:46:54 PM

mbam-log-2013-05-21 (19-46-54).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 290774

Time elapsed: 1 minute(s), 37 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Link to post
Share on other sites

OK, combofix downloaded and run. Sorry, I thought we were done and really appreciate you sticking with it. The log for combofix is : ComboFix 13-05-21.01 - Test 05/21/2013 19:56:32.1.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.16366.13859 [GMT -5:00]

Running from: c:\users\Test\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Test\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8936BCF0-4298-4D10-99DE-21BB469F7693}.xps

c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum

c:\users\Test\javaw.dll

.

.

((((((((((((((((((((((((( Files Created from 2013-04-22 to 2013-05-22 )))))))))))))))))))))))))))))))

.

.

2013-05-22 01:47 . 2013-05-22 01:47 -------- d-----w- C:\FRST

2013-05-22 00:59 . 2013-05-22 00:59 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-05-22 00:59 . 2013-05-22 00:59 -------- d-----w- c:\users\Family\AppData\Local\temp

2013-05-22 00:21 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D0ADF1B9-41BB-4053-B279-C952788C494C}\mpengine.dll

2013-05-21 20:58 . 2013-05-21 20:58 964552 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F1317648-5D7B-4C01-A4AD-830041067201}\gapaengine.dll

2013-05-21 20:58 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-05-21 00:14 . 2013-05-21 00:14 -------- d-----w- c:\programdata\PC Tools

2013-05-21 00:14 . 2013-05-21 00:14 -------- d-----w- c:\users\Test\AppData\Roaming\TestApp

2013-05-20 20:38 . 2013-05-20 20:38 -------- d-----w- c:\users\Jeanne

2013-05-20 18:35 . 2013-05-20 18:35 -------- d-----w- c:\users\Test\AppData\Roaming\Dell

2013-05-20 18:35 . 2013-05-20 18:35 -------- d-----w- c:\programdata\PCDr

2013-05-20 18:35 . 2013-05-20 18:35 -------- d-----w- c:\programdata\PC-Doctor for Windows

2013-05-20 18:35 . 2013-05-20 19:00 -------- d-----w- c:\program files\AlienAutopsy

2013-05-20 18:34 . 2013-05-20 18:34 -------- d-----w- c:\users\Test\AppData\Roaming\PCDr

2013-05-20 18:34 . 2013-05-20 19:00 -------- d-----w- C:\temp

2013-05-20 12:24 . 2013-05-20 12:24 -------- d-----w- c:\users\Test\AppData\Roaming\Malwarebytes

2013-05-20 12:23 . 2013-05-20 12:23 -------- d-----w- c:\programdata\Malwarebytes

2013-05-20 12:23 . 2013-05-22 00:40 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2013-05-20 12:23 . 2013-04-04 19:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-05-20 12:23 . 2013-05-20 12:23 -------- d-----w- c:\users\Test\AppData\Local\Programs

2013-05-19 18:21 . 2013-05-19 18:21 -------- d-----w- c:\programdata\Intel

2013-05-15 11:38 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2013-04-25 12:07 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-05-20 12:18 . 2012-04-13 20:22 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-20 12:18 . 2012-04-13 20:22 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-05-16 00:52 . 2012-04-13 22:52 75016696 ----a-w- c:\windows\system32\MRT.exe

2013-05-02 15:29 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe

2013-04-26 04:38 . 2012-06-12 14:57 905296 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

2013-04-13 05:49 . 2013-05-15 11:38 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49 . 2013-05-15 11:38 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49 . 2013-05-15 11:38 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49 . 2013-05-15 11:38 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45 . 2013-05-15 11:38 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-04-13 04:45 . 2013-05-15 11:38 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-03-19 06:04 . 2013-04-09 19:52 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-19 05:46 . 2013-04-09 19:52 43520 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 05:04 . 2013-04-09 19:52 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04 . 2013-04-09 19:52 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47 . 2013-04-09 19:52 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll

2013-03-19 03:06 . 2013-04-09 19:52 112640 ----a-w- c:\windows\system32\smss.exe

2013-03-18 04:59 . 2012-04-17 22:24 57584 ----a-w- c:\windows\system32\iolobtdfg.exe

2013-03-18 04:58 . 2012-04-17 22:24 26184 ----a-w- c:\windows\system32\smrgdf.exe

2013-03-18 04:43 . 2012-04-17 22:25 2155688 ----a-w- c:\windows\system32\Incinerator64.dll

2013-03-18 04:43 . 2012-04-17 22:25 2097472 ----a-w- c:\windows\SysWow64\Incinerator32.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2010-10-01 87336]

"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-09-18 50472]

"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2011-08-11 75048]

"AlienwareOn-ScreenDisplay"="c:\program files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe" [2010-11-17 1500528]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"Z1"="c:\users\Public\Downloads\mbar\mbar\mbar.exe" [2013-03-23 1398856]

"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2013-04-04 532040]

.

c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2013-1-8 228448]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ ???\0??\0

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 CLKMSVC10_9EC60124;CyberLink Product - 2012/02/15 07:23;c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2011-08-12 248304]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 MBAMScheduler;MBAMScheduler;mbamscheduler.exe [x]

R2 MBAMService;MBAMService;mbamservice.exe [x]

R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

R3 CASprint;Sprint Con App Svc;c:\program files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [2008-03-05 118784]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]

R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [2008-03-05 43032]

R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-02-15 335464]

R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]

R3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]

R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]

R3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-13 1255736]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]

R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 25088]

R4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-30 38608]

R4 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

R4 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]

S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]

S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2010-08-20 21616]

S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2012-04-11 31432]

S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-03-03 89600]

S2 AlienFusionService;Alienware Fusion Service;c:\program files\Alienware\Command Center\AlienFusionService.exe [2010-11-10 15296]

S2 ioloSystemService;iolo System Service;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2013-03-18 1070080]

S2 PDFsFilter;PDFsFilter;c:\windows\system32\DRIVERS\PDFsFilter.sys [2012-07-26 82160]

S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-08-20 27760]

S3 bpenum;bpenum;c:\windows\system32\DRIVERS\bpenum.sys [2010-05-16 71168]

S3 bpmp;Intel® Centrino® WiMAX 6050 Series;c:\windows\system32\DRIVERS\bpmp.sys [2010-05-16 175104]

S3 bpusb;bpusb;c:\windows\system32\Drivers\bpusb.sys [2010-05-16 81920]

S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-07-13 344616]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-11-30 76912]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-09-30 80384]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-09-30 180736]

S3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;c:\windows\system32\DRIVERS\nvstusb.sys [2010-12-08 121448]

S3 SiBEAMSB92xxHostSerial;SiBEAMSB92xxHostSerial;c:\windows\system32\DRIVERS\SiBEAM_x64.sys [2011-03-01 62464]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - CLKMDRV10_9EC60124

*Deregistered* - ioloSGuardDriver

.

Contents of the 'Scheduled Tasks' folder

.

2013-05-22 c:\windows\Tasks\FreeFileViewerUpdateChecker.job

- c:\program files (x86)\FreeFileViewer\FFVCheckForUpdates.exe [2012-04-29 19:24]

.

2013-05-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-168337650-4283734589-1400818274-1002Core.job

- c:\users\Test\AppData\Local\Google\Update\GoogleUpdate.exe [2012-10-28 14:35]

.

2013-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-168337650-4283734589-1400818274-1002UA.job

- c:\users\Test\AppData\Local\Google\Update\GoogleUpdate.exe [2012-10-28 14:35]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-06-27 315496]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-03 525312]

"Command Center Controllers"="c:\program files\Alienware\Command Center\AWCCStartupOrchestrator.exe" [2010-11-10 13256]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService

FontCache

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

Trusted Zone: raytheon.com\rsvpn

TCP: DhcpNameServer = 192.168.1.254

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE "%1"

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-05-21 20:00:21

ComboFix-quarantined-files.txt 2013-05-22 01:00

.

Pre-Run: 93,978,312,704 bytes free

Post-Run: 93,921,071,104 bytes free

.

- - End Of File - - 765096F829B7D6AB66F201792ED68645

Link to post
Share on other sites

OK...Next:

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

Note:

Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.

If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using Adwcleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetections before using AdwCleaner.

You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:

/DisableAskDetection - This option disables Ask Toolbar detection.

MrC

Link to post
Share on other sites

Log file for ADW Cleaner :

# AdwCleaner v2.301 - Logfile created 05/21/2013 at 20:13:50

# Updated 16/05/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Test - DADS-ALIEN

# Boot Mode : Normal

# Running from : C:\Users\Test\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Found : HKCU\Software\APN PIP

Key Found : HKLM\Software\Freeze.com

Key Found : HKLM\Software\PIP

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16576

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [716 octets] - [21/05/2013 20:13:50]

########## EOF - C:\AdwCleaner[R1].txt - [775 octets] ##########

Link to post
Share on other sites

Some adware found....lets clear it out.....

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Then......

Lets check your computers security:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC

Link to post
Share on other sites

I owe you MrC. Results of the two requested actions :

# AdwCleaner v2.301 - Logfile created 05/21/2013 at 20:52:43

# Updated 16/05/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Test - DADS-ALIEN

# Boot Mode : Normal

# Running from : C:\Users\Test\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP

Key Deleted : HKLM\Software\Freeze.com

Key Deleted : HKLM\Software\PIP

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16576

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [843 octets] - [21/05/2013 20:13:50]

AdwCleaner[s1].txt - [783 octets] - [21/05/2013 20:52:43]

########## EOF - C:\AdwCleaner[s1].txt - [842 octets] ########## Results of screen317's Security Check version 0.99.63

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Microsoft Security Essentials

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.75.0.1300

JavaFX 2.1.0

Java 7 Update 4

Java version out of Date!

Adobe Reader 10.1.7 Adobe Reader out of Date!

````````Process Check: objlist.exe by Laurent````````

Microsoft Security Essentials MSMpEng.exe

iolo Common Lib ioloServiceManager.exe

iolo System Mechanic Professional SystemGuardAlerter.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 17% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````

Link to post
Share on other sites

Good..............

Out dated programs on the system are vulnerable to malware.

Please update or uninstall them:

JavaFX 2.1.0 <---uninstall from add/remove programs

Java™ 7 Update 4 <---please update should be Update 21

Java version out of Date! <--------Go to control panel > Java > Update Tab > Update Now

Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

If there's no update tab in Java, uninstall it and Download and install the latest version from Here

Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

----------------------------------------------------

Adobe Reader 10.1.7 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

If you used DeFogger to disable your CD Emulation drivers, please re-enable them.

-------------------------------

Please download OTC to your desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.

Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.