
Trojan.Ransom and PUM.UserWLoad help!


Hello joek314 and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
What is your operating system?

Hello, thank you for the reply

- I am not a paying customer at this time.

- I understand the instructions, I will not be using this computer until the issue is resolved.

- Windows 7 SP1

- I have attached "attach.txt" and "dds.txt"

attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 1/5/2010 12:19:37 PM
System Uptime: 6/22/2013 1:11:53 PM (4 hours ago)
.
Motherboard: PEGATRON CORPORATION |  | Eureka3
Processor: Intel® Core2 Quad CPU    Q8400  @ 2.66GHz | CPU 1 | 2670/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 582 GiB total, 97.78 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 2.06 GiB free.
E: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP228: 3/25/2013 10:53:41 PM - Windows Update
RP229: 4/11/2013 8:41:59 PM - Windows Update
RP230: 4/23/2013 5:29:09 PM - Scheduled Checkpoint
RP231: 4/24/2013 3:00:26 AM - Windows Update
RP232: 5/3/2013 10:52:53 PM - Scheduled Checkpoint
RP233: 5/11/2013 7:29:33 PM - Scheduled Checkpoint
RP234: 5/15/2013 10:57:27 PM - Windows Update
RP235: 6/1/2013 2:17:46 AM - Windows Update
RP236: 6/8/2013 6:15:41 PM - Scheduled Checkpoint
RP237: 6/15/2013 6:51:46 PM - Windows Update
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Photoshop Elements 8.0
Adobe Photoshop.com Inspiration Browser
Adobe Reader X (10.1.6)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 2013
AVG Security Toolbar
Bonjour
Brother HL-2140
Canon MP Navigator EX 1.0
CanoScan 8800F
Cisco Connect
Compatibility Pack for the 2007 Office system
CyberLink DVD Suite Deluxe
Google Talk Plugin
iTunes
Java Auto Updater
Java 6 Update 26
Juniper Networks Setup Client Activex Control
Juniper Networks, Inc. Setup Client
Juniper Terminal Services Client
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office File Validation Add-In
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Works 6-9 Converter
MSVCRT
Power2Go
QuickTime
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
sp44350
sp44353
Uninstall Web Viewer
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Visual Studio 2008 x64 Redistributables
Visual Studio 2010 x64 Redistributables
VLC media player 2.0.5
Windows Live Communications Platform
Windows Live Essentials
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
.
==== Event Viewer Messages From Past Week ========
.
6/22/2013 10:51:04 AM, Error: Service Control Manager [7043]  - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
6/22/2013 1:12:35 PM, Error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for FailureActions with the following error:  Access is denied.
6/22/2013 1:12:29 PM, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
6/22/2013 1:12:26 PM, Error: Service Control Manager [7003]  - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
6/22/2013 1:12:26 PM, Error: Service Control Manager [7003]  - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
6/17/2013 6:42:15 PM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk5\DR5.
6/16/2013 1:01:56 PM, Error: Service Control Manager [7038]  - The upnphost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:  The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
6/16/2013 1:01:56 PM, Error: Service Control Manager [7000]  - The UPnP Device Host service failed to start due to the following error:  The service did not start due to a logon failure.
6/16/2013 1:01:56 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1069" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
.
==== End Of File ===========================

dds.txt:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16611
Run by Joseph at 17:48:48 on 2013-06-22
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8191.6285 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.

uWindows: Load = C:\Users\Joseph\LOCALS~1\Temp\mserwups.scr
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll
uRun: [Google Update] "C:\Users\Joseph\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 209.18.47.61 209.18.47.62 192.168.1.1
TCP: Interfaces\{A5882FF6-3702-4E73-9400-480F43665F85} : DHCPNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\15.2.0\ViProtocol.dll
SSODL: WebCheck - <orphaned>
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-10-15 63328]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2012-9-21 225120]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2012-11-16 111968]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-9-14 40800]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-1-5 55024]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2012-10-22 154464]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-10-2 185696]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-9-21 200032]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-12-16 45856]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 203264]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-16 5814904]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]
R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [2013-5-21 1015984]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-3-2 187392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-30 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-1-3 1255736]
.
=============== Created Last 30 ================
.
2013-06-16 01:52:41 279040 ----a-w- C:\Program Files\Internet Explorer\sqmapi.dll
2013-06-15 23:56:45 751104 ----a-w- C:\Windows\System32\win32spl.dll
2013-06-15 23:56:45 492544 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-06-15 23:56:45 1910632 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-06-15 23:56:41 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
2013-06-15 23:56:41 52224 ----a-w- C:\Windows\System32\certenc.dll
2013-06-15 23:56:41 43008 ----a-w- C:\Windows\SysWow64\certenc.dll
2013-06-15 23:56:41 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-06-15 23:56:41 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2013-06-15 23:56:41 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-06-15 23:56:41 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-06-15 23:56:41 1192448 ----a-w- C:\Windows\System32\certutil.exe
2013-06-15 23:56:41 1160192 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-06-15 23:56:41 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
.
==================== Find3M  ====================
.
2013-06-16 00:50:10 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-16 00:50:10 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-06-08 12:28:46 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-06-08 11:13:19 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-05-22 03:47:48 45856 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2013-05-17 01:25:57 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-05-17 01:25:27 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-05-17 01:25:26 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-05-17 01:25:26 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-05-17 00:59:03 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-05-17 00:58:10 3958784 ----a-w- C:\Windows\System32\jscript9.dll
2013-05-17 00:58:08 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-05-17 00:58:08 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-05-14 12:23:25 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-14 08:40:13 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-04-10 06:01:53 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-04-04 21:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 17:48:57.51 ===============


For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.

    Note: Replace the letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Here is the FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-06-2013
Ran by SYSTEM on 23-06-2013 15:01:43
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$6fdd4cbfc5b90af0d2412bdf0a595138\n. ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-11] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1226928 2013-05-21] (AVG Secure Search)
HKU\Joseph\...\Run: [Google Update] "C:\Users\Joseph\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-05-04] (Google Inc.)
HKU\Joseph\...\CurrentVersion\Windows: [Load] C:\Users\Joseph\LOCALS~1\Temp\mserwups.scr

==================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [5814904 2012-11-15] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
S2 vToolbarUpdater15.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [1015984 2013-05-21] (AVG Secure Search)

==================== Drivers (Whitelisted) ====================

S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [111968 2012-11-15] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-05-21] (AVG Technologies)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-23 15:01 - 2013-06-23 15:01 - 00000000 ____D C:\FRST
2013-06-23 13:42 - 2013-06-23 13:42 - 01931364 ____A (Farbar) C:\Users\Joseph\Desktop\FRST64.exe
2013-06-23 13:39 - 2013-06-23 13:39 - 00000469 ____A C:\Users\Joseph\Desktop\Trojan.Ransom and PUM.UserWLoad help! - Malware Removal Help - Malwarebytes Forum.website
2013-06-22 16:49 - 2013-06-22 16:49 - 00006231 ____A C:\Users\Joseph\Desktop\attach.txt
2013-06-22 16:49 - 2013-06-22 16:48 - 00010545 ____A C:\Users\Joseph\Desktop\dds.txt
2013-06-21 17:24 - 2013-06-21 17:24 - 00000000 ____D C:\Users\Joseph\AppData\Roaming\Mozilla
2013-06-17 18:36 - 2013-06-17 18:36 - 00688992 ____R (Swearware) C:\Users\Joseph\Desktop\dds.scr
2013-06-17 17:43 - 2013-06-17 17:44 - 00000000 ____D C:\Users\Joseph\Desktop\Dubstep
2013-06-17 17:42 - 2013-06-17 17:43 - 00000000 ____D C:\Users\Joseph\Desktop\Dubstep II
2013-06-15 17:53 - 2013-05-16 17:25 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-15 17:53 - 2013-05-16 17:25 - 01767936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-15 17:53 - 2013-05-16 17:25 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-15 17:53 - 2013-05-16 17:25 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-15 17:53 - 2013-05-16 17:25 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-06-15 17:53 - 2013-05-16 17:25 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-06-15 17:53 - 2013-05-16 17:25 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-15 17:53 - 2013-05-16 17:25 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-06-15 17:53 - 2013-05-16 16:59 - 02241024 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-15 17:53 - 2013-05-16 16:59 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-15 17:53 - 2013-05-16 16:58 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-15 17:53 - 2013-05-16 16:58 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-15 17:53 - 2013-05-16 16:58 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-15 17:53 - 2013-05-16 16:58 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-15 17:53 - 2013-05-16 16:58 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-15 17:53 - 2013-05-16 16:58 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-15 17:53 - 2013-05-16 16:58 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-15 17:53 - 2013-05-14 04:23 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-15 17:53 - 2013-05-14 00:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-06-15 17:52 - 2013-06-08 06:08 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-15 17:52 - 2013-06-08 06:07 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-15 17:52 - 2013-06-08 06:06 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-15 17:52 - 2013-06-08 06:06 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-15 17:52 - 2013-06-08 06:06 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-15 17:52 - 2013-06-08 04:28 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-15 17:52 - 2013-06-08 03:42 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-15 17:52 - 2013-06-08 03:40 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-15 17:52 - 2013-06-08 03:40 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-15 17:52 - 2013-06-08 03:40 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-15 17:52 - 2013-06-08 03:40 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-15 17:52 - 2013-06-08 03:13 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-15 16:55 - 2013-06-15 16:55 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-15 15:56 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-15 15:56 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-15 15:56 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-15 15:56 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-15 15:56 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-15 15:56 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-15 15:56 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-15 15:56 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-15 15:56 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-15 15:56 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-15 15:56 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-15 15:56 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-15 15:56 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-08 17:40 - 2013-06-08 21:14 - 00013824 ____A C:\Users\Joseph\Desktop\Book1.xls
2013-06-05 19:00 - 2013-06-23 13:57 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-06-01 01:20 - 2013-06-01 01:20 - 01509376 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-01 01:20 - 2013-06-01 01:20 - 01441280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-06-01 01:20 - 2013-06-01 01:20 - 01400416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
2013-06-01 01:20 - 2013-06-01 01:20 - 01400416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2013-06-01 01:20 - 2013-06-01 01:20 - 01054720 ____A (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00905728 ____A (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00762368 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00719360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00629248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00599552 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00523264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00452096 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2013-06-01 01:20 - 2013-06-01 01:20 - 00361984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2013-06-01 01:20 - 2013-06-01 01:20 - 00357888 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00281600 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00270848 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00247296 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00242200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00235008 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00232960 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00226816 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00226304 ____A (Microsoft Corporation) C:\Windows\System32\elshyph.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00216064 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00204800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00185344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\elshyph.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00173568 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00167424 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00163840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00158720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00150528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00144896 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00138752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00137216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00136192 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00135680 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00125440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00117248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00110592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00097280 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00092160 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00082432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00081408 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00079872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2013-06-01 01:20 - 2013-06-01 01:20 - 00073728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00069120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00062976 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00061952 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2013-06-01 01:20 - 2013-06-01 01:20 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00051200 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00048640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00038400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00027648 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00023040 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00013824 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00012800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00011776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2013-06-01 01:18 - 2013-06-01 01:22 - 00006895 ____A C:\Windows\IE10_main.log

==================== One Month Modified Files and Folders =======

2013-06-23 15:01 - 2013-06-23 15:01 - 00000000 ____D C:\FRST
2013-06-23 13:57 - 2013-06-05 19:00 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-06-23 13:56 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-23 13:56 - 2009-07-13 20:51 - 00128395 ____A C:\Windows\setupact.log
2013-06-23 13:42 - 2013-06-23 13:42 - 01931364 ____A (Farbar) C:\Users\Joseph\Desktop\FRST64.exe
2013-06-23 13:42 - 2010-01-05 12:07 - 01866988 ____A C:\Windows\WindowsUpdate.log
2013-06-23 13:39 - 2013-06-23 13:39 - 00000469 ____A C:\Users\Joseph\Desktop\Trojan.Ransom and PUM.UserWLoad help! - Malware Removal Help - Malwarebytes Forum.website
2013-06-23 13:39 - 2009-07-13 20:45 - 00015152 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-23 13:39 - 2009-07-13 20:45 - 00015152 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-23 13:37 - 2012-01-09 23:31 - 00000000 ____D C:\ProgramData\MFAData
2013-06-22 16:49 - 2013-06-22 16:49 - 00006231 ____A C:\Users\Joseph\Desktop\attach.txt
2013-06-22 16:48 - 2013-06-22 16:49 - 00010545 ____A C:\Users\Joseph\Desktop\dds.txt
2013-06-22 16:24 - 2011-05-04 07:26 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2124304795-3788902753-3595442574-1000UA.job
2013-06-21 19:24 - 2011-05-04 07:26 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2124304795-3788902753-3595442574-1000Core.job
2013-06-21 19:15 - 2012-12-24 20:59 - 00003567 ____A C:\Users\Joseph\Desktop\Amazon.com Online Shopping for Electronics, Apparel, Computers, Books, DVDs & more.website
2013-06-21 17:24 - 2013-06-21 17:24 - 00000000 ____D C:\Users\Joseph\AppData\Roaming\Mozilla
2013-06-21 17:04 - 2009-07-13 21:08 - 00032622 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-20 19:50 - 2011-07-07 08:37 - 00000426 ____A C:\Windows\BRWMARK.INI
2013-06-17 18:36 - 2013-06-17 18:36 - 00688992 ____R (Swearware) C:\Users\Joseph\Desktop\dds.scr
2013-06-17 17:44 - 2013-06-17 17:43 - 00000000 ____D C:\Users\Joseph\Desktop\Dubstep
2013-06-17 17:44 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-17 17:43 - 2013-06-17 17:42 - 00000000 ____D C:\Users\Joseph\Desktop\Dubstep II
2013-06-15 22:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-06-15 17:55 - 2009-07-13 18:34 - 00000499 ____A C:\Windows\win.ini
2013-06-15 17:53 - 2010-01-05 14:09 - 75825640 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-15 16:57 - 2013-01-02 15:55 - 00000000 ____D C:\Users\Joseph\AppData\Roaming\Duesob
2013-06-15 16:57 - 2012-12-29 17:09 - 00000000 ____D C:\Users\Joseph\AppData\Roaming\Qafuve
2013-06-15 16:55 - 2013-06-15 16:55 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-15 16:55 - 2012-12-27 18:18 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-06-15 16:50 - 2012-04-19 11:37 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-15 16:50 - 2011-06-30 14:27 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-08 21:14 - 2013-06-08 17:40 - 00013824 ____A C:\Users\Joseph\Desktop\Book1.xls
2013-06-08 06:08 - 2013-06-15 17:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-08 06:07 - 2013-06-15 17:52 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-08 06:06 - 2013-06-15 17:52 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-08 06:06 - 2013-06-15 17:52 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-08 06:06 - 2013-06-15 17:52 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-08 04:28 - 2013-06-15 17:52 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-08 03:42 - 2013-06-15 17:52 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-08 03:40 - 2013-06-15 17:52 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-08 03:40 - 2013-06-15 17:52 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-08 03:40 - 2013-06-15 17:52 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-08 03:40 - 2013-06-15 17:52 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-08 03:13 - 2013-06-15 17:52 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-07 08:31 - 2012-01-30 21:08 - 00000000 ____D C:\Users\Joseph\Desktop\Launderland
2013-06-07 08:31 - 2011-12-21 00:09 - 00000000 ____D C:\Users\Joseph\Desktop\Stephanie
2013-06-05 19:00 - 2012-12-16 09:49 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2013-06-02 10:45 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-06-01 01:22 - 2013-06-01 01:18 - 00006895 ____A C:\Windows\IE10_main.log
2013-06-01 01:20 - 2013-06-01 01:20 - 01509376 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-01 01:20 - 2013-06-01 01:20 - 01441280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-06-01 01:20 - 2013-06-01 01:20 - 01400416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
2013-06-01 01:20 - 2013-06-01 01:20 - 01400416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2013-06-01 01:20 - 2013-06-01 01:20 - 01054720 ____A (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00905728 ____A (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00762368 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00719360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00629248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00599552 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00523264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00452096 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2013-06-01 01:20 - 2013-06-01 01:20 - 00361984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2013-06-01 01:20 - 2013-06-01 01:20 - 00357888 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00281600 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00270848 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00247296 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00242200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00235008 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00232960 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00226816 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00226304 ____A (Microsoft Corporation) C:\Windows\System32\elshyph.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00216064 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00204800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00185344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\elshyph.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00173568 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00167424 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00163840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00158720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00150528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00144896 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00138752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00137216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00136192 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00135680 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00125440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00117248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00110592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00097280 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00092160 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00082432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00081408 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00079872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2013-06-01 01:20 - 2013-06-01 01:20 - 00073728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00069120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00062976 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00061952 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2013-06-01 01:20 - 2013-06-01 01:20 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00051200 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00048640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00038400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00027648 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00023040 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2013-06-01 01:20 - 2013-06-01 01:20 - 00013824 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00012800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2013-06-01 01:20 - 2013-06-01 01:20 - 00011776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2124304795-3788902753-3595442574-1000\$6fdd4cbfc5b90af0d2412bdf0a595138

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$6fdd4cbfc5b90af0d2412bdf0a595138

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-03-25 21:53:51
Restore point made on: 2013-04-11 19:42:11
Restore point made on: 2013-04-23 16:29:22
Restore point made on: 2013-04-24 02:00:31
Restore point made on: 2013-05-03 21:53:46
Restore point made on: 2013-05-11 18:29:46
Restore point made on: 2013-05-15 21:57:41
Restore point made on: 2013-06-01 01:17:58
Restore point made on: 2013-06-08 17:15:54
Restore point made on: 2013-06-15 17:51:56

==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 8191.18 MB
Available physical RAM: 7382.04 MB
Total Pagefile: 8189.33 MB
Available Pagefile: 7371.68 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (HP) (Fixed) (Total:581.52 GB) (Free:97.73 GB) NTFS (Disk=0 Partition=1) ==>[Drive with boot components (obtained from BCD)]
Drive d: (FACTORY_IMAGE) (Fixed) (Total:14.65 GB) (Free:2.06 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]
Drive f: () (Removable) (Total:14.94 GB) (Free:0.97 GB) NTFS (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=582 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=15 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 15 GB) (Disk ID: 04030201)
Partition 1: (Not Active) - (Size=15 GB) - (Type=07 NTFS)

LastRegBack: 2013-06-15 22:22

==================== End Of Log ============================

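Added example, not code from FRST, Malwarebytes or anyone in this thread: a small Python parser for the three kinds of line that matter when reading a log like the one above (the dated file-listing entries, the bare "ZeroAccess:" marker followed by a path, and the "=> MD5 is legit" integrity lines), plus a triage pass of the kind a helper does by eye. The sample log is constructed from the shapes quoted in the thread; the `abcd.exe` entry is invented to exercise the vendor rule. Note that the two timestamps swap order between the Created and Modified sections (compare the IE10_main.log line in each), so the parser stores them as first/second rather than guessing which is which.

```python
"""Parse FRST file-listing, marker and MD5-check lines and triage them.

Added example; not part of FRST or Malwarebytes. SAMPLE_LOG is constructed
from the line shapes in the thread; the 'abcd.exe' line is invented."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample (the abcd.exe line is hypothetical, added to trigger a rule).
SAMPLE_LOG = r"""
2013-06-23 15:01 - 2013-06-23 15:01 - 00000000 ____D C:\FRST
2013-06-23 13:56 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-23 13:42 - 2013-06-23 13:42 - 01931364 ____A (Farbar) C:\Users\Joseph\Desktop\FRST64.exe
2013-06-15 16:57 - 2013-01-02 15:55 - 00000000 ____D C:\Users\Joseph\AppData\Roaming\Duesob
2013-06-17 18:36 - 2013-06-17 18:36 - 00688992 ____R (Swearware) C:\Users\Joseph\Desktop\dds.scr
2013-06-01 01:20 - 2013-06-01 01:20 - 00235008 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-20 10:00 - 2013-06-20 10:00 - 00045056 ____A C:\Users\Joseph\AppData\Roaming\Duesob\abcd.exe

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$6fdd4cbfc5b90af0d2412bdf0a595138

C:\Windows\System32\winlogon.exe => MD5 is legit
"""

# "<date> - <date> - <8-digit size> <5 flag chars> [(vendor) ]<path>"
ENTRY_RE = re.compile(
    r"^(?P<first>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<second>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{8}) (?P<flags>[_A-Z]{5}) "
    r"(?:\((?P<vendor>[^)]*)\) )?(?P<path>.+)$"
)
MD5_RE = re.compile(r"^(?P<path>.+?) => MD5 (?P<status>.+)$")
MARKER_RE = re.compile(r"^(?P<tag>[A-Za-z]+):$")  # a bare "ZeroAccess:" line
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl")


@dataclass
class Entry:
    first_date: datetime   # section key date (created or modified, per section)
    second_date: datetime  # the other timestamp
    size: int
    flags: str             # e.g. "____A", "___AH", "____D"
    vendor: Optional[str]  # company string in parentheses, if FRST printed one
    path: str

    @property
    def hidden(self) -> bool:
        return "H" in self.flags

    @property
    def is_dir(self) -> bool:
        return "D" in self.flags

    @property
    def is_executable(self) -> bool:
        return self.path.lower().endswith(EXEC_SUFFIXES)


@dataclass
class Report:
    entries: List[Entry] = field(default_factory=list)
    marked: Dict[str, List[str]] = field(default_factory=dict)          # tag -> paths
    md5_checks: List[Tuple[str, str]] = field(default_factory=list)     # (path, status)


def parse_frst(text: str) -> Report:
    """Collect entries, marker-tagged paths and MD5 results from log text."""
    report = Report()
    pending_tag = None  # set after a "Tag:" line; paths follow until a blank line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            pending_tag = None
            continue
        if pending_tag is not None:
            report.marked.setdefault(pending_tag, []).append(line)
            continue
        m = MARKER_RE.match(line)
        if m:
            pending_tag = m.group("tag")
            continue
        m = ENTRY_RE.match(line)
        if m:
            report.entries.append(Entry(
                datetime.strptime(m.group("first"), "%Y-%m-%d %H:%M"),
                datetime.strptime(m.group("second"), "%Y-%m-%d %H:%M"),
                int(m.group("size")), m.group("flags"),
                m.group("vendor"), m.group("path")))
            continue
        m = MD5_RE.match(line)
        if m:
            report.md5_checks.append((m.group("path"), m.group("status")))
    return report


def triage(report: Report) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs worth a second look; nothing here proves infection."""
    findings = []
    for tag, paths in report.marked.items():
        findings.extend((f"flagged by FRST as {tag}", p) for p in paths)
    for e in report.entries:
        low = e.path.lower()
        user_writable = low.startswith(("c:\\users\\", "c:\\programdata\\"))
        if e.is_executable and e.vendor is None and user_writable:
            findings.append(("executable without vendor string in a user-writable location", e.path))
        if e.hidden and not e.is_dir and not low.startswith("c:\\windows\\"):
            findings.append(("hidden file outside the Windows directory", e.path))
    for path, status in report.md5_checks:
        if status != "is legit":
            findings.append((f"MD5 check: {status}", path))
    return findings


if __name__ == "__main__":
    for reason, path in triage(parse_frst(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

The vendor rule is deliberately narrow: Microsoft files under `C:\Windows` and the vendor-tagged tools on the desktop pass, and a random-looking folder name under `AppData\Roaming` is not by itself a finding. The marker paths are reported because FRST itself attached the tag, which is the evidence the helper relies on in the reply that follows.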

I'm afraid I have bad news.

One or more of the identified infections is a rootkit. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms, and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

I suggest you disconnect this computer from the Internet immediately after you finish reading this post.

If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted.

Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on Internet theft and when to reformat!

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Instructions on how to format and reinstall Windows can be found here


Thank you, I will reinstall the system. I am currently on another computer.

- Should I do anything with the hard drive before using my Windows7 disc and reinstalling? Should I reformat the hdd and if so, what is the best way?

- My Windows7 disc is somewhat dated, is there a way to pre-download windows updates and install them before connecting the newly reinstalled computer to the internet?

Thanks again.


Should I reformat the hdd and if so, what is the best way?

Yes, you should. Format the entire hard drive and start from the beginning.

http://windows.microsoft.com/en-US/windows7/installing-and-reinstalling-windows-7

- My Windows7 disc is somewhat dated, is there a way to pre-download windows updates and install them before connecting the newly reinstalled computer to the internet?

Download Service Pack 1 from another computer and transfer it via USB flash drive.

http://windows.microsoft.com/en-us/windows7/install-windows-7-service-pack-1

Install it and then connect your PC with Internet.



Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.