Infected with PUM.Hijack.StartMenu, help?


RogueKiller V8.6.2 [Jul  5 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : David [Admin rights]
Mode : Scan -- Date : 07/05/2013 13:53:08
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (xxx.xxx.xxx.xxx:xxxx) -> FOUND
[DNS] HKLM\[...]\CCSet\[...]\{3C4C231C-BD71-4AC7-A165-5023550969D3} : NameServer (68.94.156.1,68.94.157.1) -> FOUND
[DNS] HKLM\[...]\CS001\[...]\{3C4C231C-BD71-4AC7-A165-5023550969D3} : NameServer (68.94.156.1,68.94.157.1) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKUS\S-1-5-21-1952376234-241356355-3558303045-1002\[...]\.exe :  (ilh) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
173.192.170.88 drghwaweg45j4i6u3q32fg2h.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK1637GSX ATA Device +++++
--- User ---
[MBR] 488e820905beddbe25daed0d917206f3
[BSP] d359f184b4f987f009da31b68d9a3d90 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 143996 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 294905205 | Size: 8628 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_07052013_135308.txt >>
RKreport[0]_H_07042013_150030.txt;RKreport[0]_S_07042013_143214.txt;RKreport[0]_S_07042013_144302.txt
RKreport[0]_S_07042013_150002.txt

Download and run Fixit at the link below to restore your hosts file:

http://support.microsoft.com/kb/972034

Then run this scan:

Please download Farbar Recovery Scan Tool and save it to a folder. (32bit version)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
MrC
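Restoring the hosts file covers one of the items in the RogueKiller log above; a helper would then want to confirm that the hosts file, the per-interface NameServer values, the IE ProxyServer value and the Explorer values RogueKiller tagged [HJ SMENU] and [HJ DESK] are back to their expected state. The PowerShell audit below is an added example, not part of this thread or of RogueKiller, FRST or the Fixit; it only reads, and the full registry paths it uses are assumed to be the ones the log abbreviates as HKCU\[...]\ and HKLM\[...]\.

```powershell
# Added example (not from this thread, RogueKiller, FRST or the Fixit):
# a read-only audit of the locations the RogueKiller log flagged.
# Kept to PowerShell 2.0 syntax because Vista has nothing newer.
# Registry paths are the full paths assumed to correspond to the log's
# abbreviated HKCU\[...]\ and HKLM\[...]\ entries.

function New-Finding([string]$Source, [string]$Key, $Value) {
    New-Object PSObject -Property @{ Source = $Source; Key = $Key; Value = $Value }
}

function Get-HostsFindings {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'))
    # Report every mapping that does not point at loopback; comments and blanks are skipped.
    $loopback = @('127.0.0.1', '::1')
    foreach ($line in @(Get-Content -LiteralPath $Path)) {
        $entry = ($line -split '#', 2)[0].Trim()
        if ($entry -eq '') { continue }
        $parts = $entry -split '\s+', 2
        if ($parts.Count -lt 2) { continue }            # malformed line, no host name
        if ($loopback -notcontains $parts[0]) { New-Finding 'hosts' $parts[1] $parts[0] }
    }
}

function Get-DnsFindings {
    # Static per-interface DNS servers; the log flagged NameServer 68.94.156.1,68.94.157.1.
    # Anything set here overrides DHCP, so compare it with what the router hands out.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($iface in @(Get-ChildItem -LiteralPath $root)) {
        $ns = (Get-ItemProperty -LiteralPath $iface.PSPath -Name NameServer -ErrorAction SilentlyContinue).NameServer
        if ($ns) { New-Finding 'NameServer' $iface.PSChildName $ns }
    }
}

function Get-ProxyFindings {
    # [PROXY IE] in the log: a ProxyServer value the user never configured routes all IE traffic.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($p -and ($p.ProxyServer -or $p.ProxyEnable -eq 1)) {
        New-Finding 'PROXY IE' "ProxyEnable=$($p.ProxyEnable)" $p.ProxyServer
    }
}

function Get-ExplorerFindings {
    # [HJ SMENU] values: 0 hides that Start menu item. [HJ DESK] values under
    # NewStartPanel: 1 hides that CLSID's desktop icon (the two GUIDs are the ones in the log).
    $checks = @(
        @{ Tag = 'HJ SMENU'; Bad = 0
           Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
           Names = @('Start_ShowSearch', 'Start_ShowSetProgramAccessAndDefaults') },
        @{ Tag = 'HJ DESK'; Bad = 1
           Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'
           Names = @('{59031a47-3f72-44a7-89c5-5595fe6b30ee}', '{20D04FE0-3AEA-1069-A2D8-08002B30309D}') }
    )
    foreach ($c in $checks) {
        $p = Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        foreach ($n in $c.Names) {
            $v = $p.$n
            if ($v -ne $null -and [int]$v -eq $c.Bad) { New-Finding $c.Tag $n $v }
        }
    }
}

# Constructed sample: the two hosts lines from the RogueKiller log, written to a temp
# file so the hosts check can be exercised without touching the real file.
$sample = Join-Path $env:TEMP 'hosts.sample'
Set-Content -LiteralPath $sample -Value @('127.0.0.1       localhost', '173.192.170.88 drghwaweg45j4i6u3q32fg2h.com')
Get-HostsFindings -Path $sample | Format-Table Source, Key, Value -AutoSize

# Live audit of this machine.
$findings = @(Get-HostsFindings) + @(Get-DnsFindings) + @(Get-ProxyFindings) + @(Get-ExplorerFindings)
if ($findings.Count -eq 0) { 'Nothing outside the expected defaults.' }
else { $findings | Format-Table Source, Key, Value -AutoSize }
```

The sample run should list only the 173.192.170.88 line; on the live system every row printed is something to compare against the RogueKiller findings before deciding whether the Fixit and any later fix script fully cleaned it.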

A lot of people don't like W8 including me.

--------------------

You may or may not be able to do this but give it a try:

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt

    Select Command Prompt.

    Once in the Command Prompt:

    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

      Note: Replace letter e with the drive letter of your flash drive.

    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
MrC

Here's the FRST.txt, and addition.txt is attached:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-07-2013
Ran by MM (ATTENTION: The logged in user is not administrator) on 05-07-2013 15:21:33
Running from C:\Users\MM\Downloads
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) ===================
 
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
(CyberLink Corp.) C:\Program Files\HP\QuickPlay\QPService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Alcatel-Lucent) C:\Program Files\ATT-SST\McciTrayApp.exe
(Microsoft Corporation) C:\Windows\system32\wbem\unsecapp.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe
(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
() C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
(Google Inc.) C:\Users\MM\AppData\Local\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\system32\wuauclt.exe
(Google Inc.) C:\Users\MM\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1721640 2010-05-27] (Synaptics Incorporated)
HKLM\...\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" [176128 2007-04-23] (CyberLink Corp.)
HKLM\...\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [159744 2007-02-13] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2009-06-24] (NVIDIA Corporation)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13601312 2009-06-24] (NVIDIA Corporation)
HKLM\...\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [480560 2007-10-03] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe" [1573888 2010-07-27] (Alcatel-Lucent)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe" [202296 2011-12-24] (Kaspersky Lab ZAO)
HKLM\...\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe [176128 2006-11-02] (Microsoft Corporation)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM\...\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce [318464 2008-01-19] (Microsoft Corporation)
Winlogon\Notify\klogon: C:\Windows\system32\klogon.dll (Kaspersky Lab ZAO)
HKCU\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-06-30] (Google Inc.)
HKCU\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKCU\...\Run: [Google Update] "C:\Users\MM\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-10-21] (Google Inc.)
HKCU\...\Policies\system: [LogonHoursAction] 2
HKCU\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
MountPoints2: {722cbcd1-b150-11de-8337-001b24c6f3a8} - F:\LaunchU3.exe -a
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
SearchScopes: HKCU - {037039D8-8C53-43CC-95BE-198556E66531} URL = 
SearchScopes: HKCU - {06EC6852-6A7C-4587-8477-05A40025DF1C} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7
SearchScopes: HKCU - {8E8176CF-3C72-4F29-B0AF-5E670D763FBD} URL = 
SearchScopes: HKCU - {E4A7BA5D-1FCA-4261-85CA-307FC5471A6D} URL = 
BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
BHO: IEVkbdBHO Class - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\ievkbd.dll (Kaspersky Lab ZAO)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: FilterBHO Class - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\klwtbbho.dll (Kaspersky Lab ZAO)
BHO: ChromeFrame BHO - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome Frame\Application\27.0.1453.116\npchrome_frame.dll (Google Inc.)
BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
Toolbar: HKLM - @C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKCU -Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome Frame\Application\27.0.1453.116\npchrome_frame.dll (Google Inc.)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Winsock: Catalog9 01 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 02 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 03 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 04 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 05 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 06 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 07 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 08 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 19 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{3C4C231C-BD71-4AC7-A165-5023550969D3}: [NameServer]68.94.156.1,68.94.157.1
 
Chrome: 
=======
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\MM\AppData\Local\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\MM\AppData\Local\Google\Chrome\Application\27.0.1453.116\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\MM\AppData\Local\Google\Chrome\Application\27.0.1453.116\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Platform SE 6 U13) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (CANON iMAGE GATEWAY Album Plugin Utility) - C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
CHR Plugin: (Motive Plugin) - C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (RealNetworks Rhapsody Player Engine) - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
CHR Plugin: (WacomTabletPlugin) - C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
CHR Plugin: ( Wacom Dynamic Link Library) - C:\Program Files\TabletPlugins\npwacom.dll (Wacom, Inc.)
CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.51204.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (YouTube) - C:\Users\MM\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\MM\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Kaspersky URL Advisor) - C:\Users\MM\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.1.288_0
CHR Extension: (Motive Extension) - C:\Users\MM\AppData\Local\Google\Chrome\User Data\Default\Extensions\edmgmpmklgfbohogafcfobonnkogchec\1.0_0
CHR Extension: (Virtual Keyboard) - C:\Users\MM\AppData\Local\Google\Chrome\User Data\Default\Extensions\jagncdcchgajhfhijbbhecadmaiegcmh\12.0.1.288_0
CHR Extension: (Gmail) - C:\Users\MM\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR Extension: (Anti-Banner) - C:\Users\MM\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjldcfjmnllhmgjclecdnfampinooman\12.0.1.288_0
 
========================== Services (Whitelisted) =================
 
R2 AdobeActiveFileMonitor8.0; C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [169312 2009-10-09] (Adobe Systems Incorporated)
R2 Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [144672 2009-08-28] (Apple Inc.)
R2 AVP; C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe [202296 2011-12-24] (Kaspersky Lab ZAO)
R2 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96341 2005-09-30] (Canon Inc.)
R2 CSObjectsSrv; C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [743992 2009-12-21] (Infowatch)
R2 EPSON_PM_RPCV4_01; C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE [113664 2007-01-11] (SEIKO EPSON CORPORATION)
R2 iphlpsvc; C:\Windows\System32\svchost.exe [21504 2008-01-19] (Microsoft Corporation)
R2 lmhosts; C:\Windows\system32\svchost.exe [21504 2008-01-19] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [21504 2008-01-19] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [21504 2008-01-19] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
S3 Afc; C:\Windows\System32\drivers\Afc.sys [11776 2005-02-23] (Arcsoft, Inc.)
R0 CSCrySec; C:\Windows\System32\DRIVERS\CSCrySec.sys [88632 2009-12-14] (Infowatch)
R1 CSVirtualDiskDrv; C:\Windows\System32\DRIVERS\CSVirtualDiskDrv.sys [39352 2009-12-14] (Infowatch)
R1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
S3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [160768 2007-04-11] (Conexant Systems Inc.)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [135984 2011-10-20] (Kaspersky Lab ZAO)
R1 kl2; C:\Windows\System32\DRIVERS\kl2.sys [13104 2011-10-20] (Kaspersky Lab ZAO)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [585560 2012-10-25] (Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [23856 2011-03-10] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [19984 2009-11-02] (Kaspersky Lab)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2013-07-04] (Malwarebytes Corporation)
S3 MREMP50; C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [21248 2010-02-02] (Printing Communications Assoc., Inc. (PCAUSA))
R3 MRESP50; C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [20096 2010-02-02] (Printing Communications Assoc., Inc. (PCAUSA))
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-07-05 14:26 - 2013-07-05 14:26 - 01373373 ____A (Farbar) C:\Users\MM\Downloads\FRST.exe
2013-07-05 14:26 - 2013-07-05 14:26 - 00000000 ____D C:\FRST
2013-07-05 14:04 - 2013-07-05 14:04 - 00980480 ____A C:\Users\MM\Downloads\MicrosoftFixit50267.msi
2013-07-05 13:53 - 2013-07-05 13:53 - 00002242 ____A C:\Users\David\Desktop\RKreport[0]_S_07052013_135308.txt
2013-07-05 13:45 - 2013-07-05 13:45 - 00915456 ____A C:\Users\MM\Desktop\RogueKiller.exe
2013-07-05 13:44 - 2013-07-05 13:44 - 00244224 ____A C:\Users\MM\Downloads\CF_UNINST.EXE
2013-07-05 12:45 - 2013-07-05 12:45 - 00000000 ____D C:\Users\Lighthouse\Local Settings\Temp(4)
2013-07-05 12:45 - 2013-07-05 12:45 - 00000000 ____D C:\Users\Lighthouse\Local Settings\Application Data\Temp(4)
2013-07-05 12:45 - 2013-07-05 12:45 - 00000000 ____D C:\Users\Lighthouse\AppData\Local\Temp(4)
2013-07-05 12:45 - 2013-07-05 12:45 - 00000000 ____D C:\Users\Kristel\Local Settings\Temp(3)
2013-07-05 12:45 - 2013-07-05 12:45 - 00000000 ____D C:\Users\Kristel\Local Settings\Application Data\Temp(3)
2013-07-05 12:45 - 2013-07-05 12:45 - 00000000 ____D C:\Users\Kristel\AppData\Local\Temp(3)
2013-07-05 12:11 - 2013-07-05 12:46 - 00000000 ___SD C:\ComboFix
2013-07-05 08:47 - 2013-07-05 08:50 - 00003100 ____A C:\Users\David\Desktop\Rkill.txt
2013-07-04 15:00 - 2013-07-04 15:00 - 13399154 ____A C:\Users\MM\Downloads\mbar-1.06.0.1004.zip
2013-07-04 15:00 - 2013-07-04 15:00 - 00002109 ____A C:\Users\David\Desktop\RKreport[0]_S_07042013_150002.txt
2013-07-04 15:00 - 2013-07-04 15:00 - 00001670 ____A C:\Users\David\Desktop\RKreport[0]_H_07042013_150030.txt
2013-07-04 14:43 - 2013-07-04 14:43 - 00002075 ____A C:\Users\David\Desktop\RKreport[0]_S_07042013_144302.txt
2013-07-04 14:32 - 2013-07-04 14:32 - 00002042 ____A C:\Users\David\Desktop\RKreport[0]_S_07042013_143214.txt
2013-07-04 14:29 - 2013-07-05 13:54 - 00000000 ____D C:\Users\David\Desktop\RK_Quarantine
2013-07-04 13:39 - 2013-07-04 13:41 - 00015214 ____A C:\Users\David\Desktop\dds.txt
2013-07-04 13:39 - 2013-07-04 13:41 - 00007372 ____A C:\Users\David\Desktop\attach.txt
2013-07-04 10:26 - 2013-07-04 10:27 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2013-07-04 10:26 - 2013-07-04 10:26 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-04 10:26 - 2013-07-04 10:26 - 00000906 ____A C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-04 10:26 - 2013-07-04 10:26 - 00000000 ____D C:\Users\David\Application Data\Malwarebytes
2013-07-04 10:26 - 2013-07-04 10:26 - 00000000 ____D C:\Users\David\AppData\Roaming\Malwarebytes
2013-07-04 10:26 - 2013-07-04 10:26 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-04 10:26 - 2013-07-04 10:26 - 00000000 ____D C:\ProgramData\Application Data\Malwarebytes
2013-07-04 10:26 - 2013-07-04 10:26 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-04 10:26 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-07-04 10:22 - 2013-07-04 10:22 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Users\MM\Downloads\mbam-setup-1.75.0.1300.exe
2013-07-03 21:15 - 2013-07-03 21:15 - 00000000 ____D C:\a1e0f94f4f71a2b20f9c
2013-07-03 20:59 - 2013-07-03 21:01 - 138654041 ____A C:\Users\MM\Downloads\Windows6.0-KB947821-v28-x86.msu
2013-07-01 09:21 - 2013-07-05 14:27 - 00798242 ____A C:\Windows\WindowsUpdate.log
2013-06-30 22:17 - 2013-06-30 22:17 - 00000000 ____A C:\Windows\setuperr.log
2013-06-30 22:17 - 2013-06-30 22:17 - 00000000 ____A C:\Windows\setupact.log
2013-06-30 20:42 - 2013-06-30 20:42 - 00000078 ____A C:\lxdd.log
2013-06-30 20:31 - 2013-06-30 21:49 - 00000000 ____D C:\Users\David\Application Data\Skype
2013-06-30 20:31 - 2013-06-30 21:49 - 00000000 ____D C:\Users\David\AppData\Roaming\Skype
2013-06-30 19:26 - 2013-06-30 19:26 - 00347424 ____A (Microsoft Corporation) C:\Users\MM\Downloads\MicrosoftFixit.wu.FISC.133296068933299641.4.1.Run.exe
2013-06-30 14:49 - 2013-06-30 14:50 - 00000000 ____D C:\8053e7b0b634183b53
2013-06-30 07:25 - 2013-06-30 07:25 - 00473096 ____A (Hewlett-Packard Company                                     ) C:\Users\MM\Downloads\sp38202.exe
2013-06-29 16:07 - 2013-06-29 16:09 - 00000000 ____D C:\Users\MM\NHS Website Backgrounds
2013-06-29 15:58 - 2013-06-29 15:59 - 00000000 ____D C:\Users\MM\A
2013-06-29 15:55 - 2013-06-29 15:55 - 00000000 ____D C:\Users\MM\Dover Free Clip Art
2013-06-29 15:39 - 2013-06-29 16:06 - 00000000 ____D C:\Users\MM\MM Graduation Photos
2013-06-28 19:47 - 2013-06-28 19:47 - 00000000 ____D C:\ProgramData\Windows Genuine Advantage
2013-06-28 19:47 - 2013-06-28 19:47 - 00000000 ____D C:\ProgramData\Application Data\Windows Genuine Advantage
2013-06-28 19:46 - 2013-06-28 19:46 - 00002626 ____A C:\Users\MM\Downloads\legitcheck.hta
2013-06-28 07:09 - 2013-06-28 07:09 - 00000000 ____D C:\Users\MM\My Documents\New Folder
2013-06-28 07:09 - 2013-06-28 07:09 - 00000000 ____D C:\Users\MM\Documents\New Folder
2013-06-27 20:32 - 2013-06-27 20:32 - 03191888 ____A (McAfee, Inc.) C:\Users\MM\Downloads\MCPR.exe
2013-06-27 18:28 - 2013-06-27 18:36 - 00000000 ____D C:\Users\MM\Desktop\ReportMaker
2013-06-27 18:27 - 2013-06-27 18:28 - 05071019 ____A C:\Users\MM\Downloads\ReportMaker.exe
2013-06-26 18:18 - 2013-06-26 18:19 - 84531984 ____A (Microsoft Corporation) C:\Users\MM\Downloads\msert.exe
2013-06-24 12:28 - 2013-06-24 12:28 - 00000000 ____D C:\4c7a2a57247ff3414ec69abb20
2013-06-23 13:28 - 2013-06-23 13:28 - 00266635 ____A C:\Users\MM\Downloads\coupon.htm
2013-06-23 13:28 - 2013-06-23 13:28 - 00000000 ____D C:\Users\MM\Downloads\coupon_files
2013-06-13 12:32 - 2013-05-16 18:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-13 12:32 - 2013-05-16 17:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-13 12:32 - 2013-05-16 17:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-13 12:32 - 2013-05-16 17:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-13 12:32 - 2013-05-16 17:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-13 12:32 - 2013-05-16 17:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-13 12:32 - 2013-05-16 17:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-13 12:32 - 2013-05-16 17:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-13 12:32 - 2013-05-16 17:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-13 12:32 - 2013-05-16 17:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-13 12:32 - 2013-05-16 17:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-13 12:32 - 2013-05-16 17:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-13 12:32 - 2013-05-16 17:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-13 12:32 - 2013-05-16 17:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-13 12:32 - 2013-05-16 17:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-13 12:32 - 2013-05-16 17:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-12 14:51 - 2013-05-07 23:37 - 00905576 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-12 14:51 - 2013-05-02 17:03 - 03603832 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-06-12 14:51 - 2013-05-02 17:03 - 03551096 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-06-12 14:51 - 2013-05-01 23:04 - 00443904 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-12 14:51 - 2013-05-01 23:03 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\printcom.dll
2013-06-12 14:51 - 2013-04-23 23:00 - 00985600 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-12 14:51 - 2013-04-23 23:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-12 14:51 - 2013-04-23 23:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-12 14:51 - 2013-04-23 23:00 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-12 14:51 - 2013-04-23 20:46 - 00812544 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-07 13:57 - 2013-06-07 13:58 - 00000000 ____D C:\d21bc27f234745fff305b1
2013-06-06 15:18 - 2013-06-06 15:18 - 00000000 ____D C:\de97f0fff34a6460a575edf027f207
 
==================== One Month Modified Files and Folders ========
 
2013-07-05 15:17 - 2012-02-04 23:39 - 00000928 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1952376234-241356355-3558303045-1004UA.job
2013-07-05 15:16 - 2011-03-02 20:14 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-05 14:56 - 2006-11-02 07:47 - 00003696 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-05 14:56 - 2006-11-02 07:47 - 00003696 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-05 14:41 - 2012-02-19 18:56 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1952376234-241356355-3558303045-1005UA.job
2013-07-05 14:38 - 2011-08-25 22:08 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1952376234-241356355-3558303045-1000UA.job
2013-07-05 14:27 - 2013-07-01 09:21 - 00798242 ____A C:\Windows\WindowsUpdate.log
2013-07-05 14:27 - 2011-11-11 04:38 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1952376234-241356355-3558303045-1002UA.job
2013-07-05 14:26 - 2013-07-05 14:26 - 01373373 ____A (Farbar) C:\Users\MM\Downloads\FRST.exe
2013-07-05 14:26 - 2013-07-05 14:26 - 00000000 ____D C:\FRST
2013-07-05 14:25 - 2007-08-04 05:40 - 00000147 ____A C:\Users\Public\Documents\hpqp.ini
2013-07-05 14:25 - 2007-08-04 05:40 - 00000147 ____A C:\ProgramData\Documents\hpqp.ini
2013-07-05 14:17 - 2012-03-12 15:54 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2013-07-05 14:17 - 2012-03-12 15:54 - 00000000 ____D C:\ProgramData\Application Data\Kaspersky Lab
2013-07-05 14:13 - 2009-02-15 15:37 - 00113522 ____A C:\ProgramData\nvModes.001
2013-07-05 14:13 - 2009-02-15 15:37 - 00113522 ____A C:\ProgramData\Application Data\nvModes.001
2013-07-05 14:11 - 2011-03-02 20:14 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-05 14:11 - 2006-11-02 08:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-05 14:08 - 2006-11-02 08:01 - 00004498 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-05 14:04 - 2013-07-05 14:04 - 00980480 ____A C:\Users\MM\Downloads\MicrosoftFixit50267.msi
2013-07-05 13:54 - 2013-07-04 14:29 - 00000000 ____D C:\Users\David\Desktop\RK_Quarantine
2013-07-05 13:53 - 2013-07-05 13:53 - 00002242 ____A C:\Users\David\Desktop\RKreport[0]_S_07052013_135308.txt
2013-07-05 13:45 - 2013-07-05 13:45 - 00915456 ____A C:\Users\MM\Desktop\RogueKiller.exe
2013-07-05 13:44 - 2013-07-05 13:44 - 00244224 ____A C:\Users\MM\Downloads\CF_UNINST.EXE
2013-07-05 13:23 - 2006-11-02 05:33 - 00703388 ____A C:\Windows\System32\PerfStringBackup.INI
2013-07-05 13:16 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\System32\Msdtc
2013-07-05 13:13 - 2009-06-30 23:46 - 00000000 ____D C:\users\Boogie
2013-07-05 13:13 - 2009-06-30 23:44 - 00000000 ____D C:\Users\MM\Application Data\Adobe
2013-07-05 13:13 - 2009-06-30 23:44 - 00000000 ____D C:\Users\MM\AppData\Roaming\Adobe
2013-07-05 13:13 - 2009-06-30 23:42 - 00000000 ____D C:\Users\MM\Local Settings\QuickPlay
2013-07-05 13:13 - 2009-06-30 23:42 - 00000000 ____D C:\Users\MM\Local Settings\Application Data\QuickPlay
2013-07-05 13:13 - 2009-06-30 23:42 - 00000000 ____D C:\Users\MM\AppData\Local\QuickPlay
2013-07-05 13:13 - 2009-06-30 23:42 - 00000000 ____D C:\users\MM
2013-07-05 13:13 - 2009-06-30 23:25 - 00000000 ____D C:\users\Lighthouse
2013-07-05 13:13 - 2009-06-30 22:25 - 00000000 ____D C:\users\David
2013-07-05 13:13 - 2007-11-23 03:22 - 00000000 ____D C:\users\Kristel
2013-07-05 13:13 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\System32\spool
2013-07-05 13:13 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\registration
2013-07-05 13:13 - 2006-11-02 05:22 - 87293952 ____A C:\Windows\System32\config\system_previous
2013-07-05 13:13 - 2006-11-02 05:22 - 54525952 ____A C:\Windows\System32\config\software_previous
2013-07-05 13:13 - 2006-11-02 05:22 - 42991616 ____A C:\Windows\System32\config\components_previous
2013-07-05 13:13 - 2006-11-02 05:22 - 00786432 ____A C:\Windows\System32\config\default_previous
2013-07-05 13:13 - 2006-11-02 05:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2013-07-05 13:13 - 2006-11-02 05:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2013-07-05 12:49 - 2010-12-20 10:19 - 00156656 ____A C:\Windows\PFRO.log
2013-07-05 12:49 - 2009-02-15 15:37 - 00113522 ____A C:\ProgramData\nvModes.dat
2013-07-05 12:49 - 2009-02-15 15:37 - 00113522 ____A C:\ProgramData\Application Data\nvModes.dat
2013-07-05 12:46 - 2013-07-05 12:11 - 00000000 ___SD C:\ComboFix
2013-07-05 12:45 - 2013-07-05 12:45 - 00000000 ____D C:\Users\Lighthouse\Local Settings\Temp(4)
2013-07-05 12:45 - 2013-07-05 12:45 - 00000000 ____D C:\Users\Lighthouse\Local Settings\Application Data\Temp(4)
2013-07-05 12:45 - 2013-07-05 12:45 - 00000000 ____D C:\Users\Lighthouse\AppData\Local\Temp(4)
2013-07-05 12:45 - 2013-07-05 12:45 - 00000000 ____D C:\Users\Kristel\Local Settings\Temp(3)
2013-07-05 12:45 - 2013-07-05 12:45 - 00000000 ____D C:\Users\Kristel\Local Settings\Application Data\Temp(3)
2013-07-05 12:45 - 2013-07-05 12:45 - 00000000 ____D C:\Users\Kristel\AppData\Local\Temp(3)
2013-07-05 08:50 - 2013-07-05 08:47 - 00003100 ____A C:\Users\David\Desktop\Rkill.txt
2013-07-04 15:00 - 2013-07-04 15:00 - 13399154 ____A C:\Users\MM\Downloads\mbar-1.06.0.1004.zip
2013-07-04 15:00 - 2013-07-04 15:00 - 00002109 ____A C:\Users\David\Desktop\RKreport[0]_S_07042013_150002.txt
2013-07-04 15:00 - 2013-07-04 15:00 - 00001670 ____A C:\Users\David\Desktop\RKreport[0]_H_07042013_150030.txt
2013-07-04 14:43 - 2013-07-04 14:43 - 00002075 ____A C:\Users\David\Desktop\RKreport[0]_S_07042013_144302.txt
2013-07-04 14:32 - 2013-07-04 14:32 - 00002042 ____A C:\Users\David\Desktop\RKreport[0]_S_07042013_143214.txt
2013-07-04 13:41 - 2013-07-04 13:39 - 00015214 ____A C:\Users\David\Desktop\dds.txt
2013-07-04 13:41 - 2013-07-04 13:39 - 00007372 ____A C:\Users\David\Desktop\attach.txt
2013-07-04 10:27 - 2013-07-04 10:26 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2013-07-04 10:26 - 2013-07-04 10:26 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-04 10:26 - 2013-07-04 10:26 - 00000906 ____A C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-04 10:26 - 2013-07-04 10:26 - 00000000 ____D C:\Users\David\Application Data\Malwarebytes
2013-07-04 10:26 - 2013-07-04 10:26 - 00000000 ____D C:\Users\David\AppData\Roaming\Malwarebytes
2013-07-04 10:26 - 2013-07-04 10:26 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-07-04 10:26 - 2013-07-04 10:26 - 00000000 ____D C:\ProgramData\Application Data\Malwarebytes
2013-07-04 10:26 - 2013-07-04 10:26 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-04 10:22 - 2013-07-04 10:22 - 10285040 ____A (Malwarebytes Corporation) C:\Users\MM\Downloads\mbam-setup-1.75.0.1300.exe
2013-07-04 02:27 - 2011-11-11 04:38 - 00000844 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1952376234-241356355-3558303045-1002Core.job
2013-07-03 21:18 - 2012-02-04 23:39 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1952376234-241356355-3558303045-1004Core.job
2013-07-03 21:15 - 2013-07-03 21:15 - 00000000 ____D C:\a1e0f94f4f71a2b20f9c
2013-07-03 21:01 - 2013-07-03 20:59 - 138654041 ____A C:\Users\MM\Downloads\Windows6.0-KB947821-v28-x86.msu
2013-07-01 22:44 - 2009-09-28 18:05 - 00027648 ____A C:\Users\MM\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-07-01 22:44 - 2009-09-28 18:05 - 00027648 ____A C:\Users\MM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-07-01 22:44 - 2009-09-28 18:05 - 00027648 ____A C:\Users\MM\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-07-01 16:41 - 2012-02-19 18:56 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1952376234-241356355-3558303045-1005Core.job
2013-07-01 09:21 - 2006-11-02 06:18 - 00000000 ___RD C:\users\Public
2013-07-01 09:20 - 2009-06-30 23:42 - 00115944 ____A C:\Users\MM\Local Settings\GDIPFONTCACHEV1.DAT
2013-07-01 09:20 - 2009-06-30 23:42 - 00115944 ____A C:\Users\MM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-07-01 09:20 - 2009-06-30 23:42 - 00115944 ____A C:\Users\MM\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-01 09:17 - 2009-06-30 23:42 - 00000898 _RASH C:\Users\MM\ntuser.pol
2013-07-01 02:02 - 2009-10-02 11:23 - 00000000 ____D C:\Users\David\Local Settings\Application Data\Adobe
2013-07-01 02:02 - 2009-10-02 11:23 - 00000000 ____D C:\Users\David\Local Settings\Adobe
2013-07-01 02:02 - 2009-10-02 11:23 - 00000000 ____D C:\Users\David\AppData\Local\Adobe
2013-07-01 01:59 - 2009-12-19 16:08 - 00000000 ____D C:\Users\David\Application Data\Adobe
2013-07-01 01:59 - 2009-12-19 16:08 - 00000000 ____D C:\Users\David\AppData\Roaming\Adobe
2013-06-30 22:35 - 2009-12-19 16:16 - 00000118 ____A C:\Users\David\Application Data\wklnhst.dat
2013-06-30 22:35 - 2009-12-19 16:16 - 00000118 ____A C:\Users\David\AppData\Roaming\wklnhst.dat
2013-06-30 22:17 - 2013-06-30 22:17 - 00000000 ____A C:\Windows\setuperr.log
2013-06-30 22:17 - 2013-06-30 22:17 - 00000000 ____A C:\Windows\setupact.log
2013-06-30 22:14 - 2009-06-30 22:53 - 00000632 _RASH C:\Users\David\ntuser.pol
2013-06-30 21:49 - 2013-06-30 20:31 - 00000000 ____D C:\Users\David\Application Data\Skype
2013-06-30 21:49 - 2013-06-30 20:31 - 00000000 ____D C:\Users\David\AppData\Roaming\Skype
2013-06-30 21:04 - 2011-04-03 06:04 - 00000000 ____D C:\Windows\Minidump
2013-06-30 20:56 - 2007-08-04 04:50 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-06-30 20:45 - 2006-11-02 07:47 - 00448848 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-30 20:42 - 2013-06-30 20:42 - 00000078 ____A C:\lxdd.log
2013-06-30 20:42 - 2008-01-13 13:34 - 00000000 ____D C:\Program Files\Lexmark Toolbar
2013-06-30 20:42 - 2008-01-13 13:34 - 00000000 ____D C:\Program Files\Lexmark Fax Solutions
2013-06-30 20:40 - 2009-06-30 22:26 - 00115944 ____A C:\Users\David\Local Settings\GDIPFONTCACHEV1.DAT
2013-06-30 20:40 - 2009-06-30 22:26 - 00115944 ____A C:\Users\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-06-30 20:40 - 2009-06-30 22:26 - 00115944 ____A C:\Users\David\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-30 20:39 - 2008-06-12 11:24 - 00000162 ____A C:\YServer.txt
2013-06-30 20:39 - 2007-08-04 05:58 - 00000000 ____D C:\Program Files\Yahoo!
2013-06-30 19:26 - 2013-06-30 19:26 - 00347424 ____A (Microsoft Corporation) C:\Users\MM\Downloads\MicrosoftFixit.wu.FISC.133296068933299641.4.1.Run.exe
2013-06-30 18:38 - 2011-08-25 22:08 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1952376234-241356355-3558303045-1000Core.job
2013-06-30 14:50 - 2013-06-30 14:49 - 00000000 ____D C:\8053e7b0b634183b53
2013-06-30 07:25 - 2013-06-30 07:25 - 00473096 ____A (Hewlett-Packard Company) C:\Users\MM\Downloads\sp38202.exe
2013-06-29 16:09 - 2013-06-29 16:07 - 00000000 ____D C:\Users\MM\NHS Website Backgrounds
2013-06-29 16:06 - 2013-06-29 15:39 - 00000000 ____D C:\Users\MM\MM Graduation Photos
2013-06-29 15:59 - 2013-06-29 15:58 - 00000000 ____D C:\Users\MM\A
2013-06-29 15:55 - 2013-06-29 15:55 - 00000000 ____D C:\Users\MM\Dover Free Clip Art
2013-06-28 19:47 - 2013-06-28 19:47 - 00000000 ____D C:\ProgramData\Windows Genuine Advantage
2013-06-28 19:47 - 2013-06-28 19:47 - 00000000 ____D C:\ProgramData\Application Data\Windows Genuine Advantage
2013-06-28 19:46 - 2013-06-28 19:46 - 00002626 ____A C:\Users\MM\Downloads\legitcheck.hta
2013-06-28 19:17 - 2009-07-04 14:46 - 00027656 ____A C:\Users\MM\Application Data\wklnhst.dat
2013-06-28 19:17 - 2009-07-04 14:46 - 00027656 ____A C:\Users\MM\AppData\Roaming\wklnhst.dat
2013-06-28 07:09 - 2013-06-28 07:09 - 00000000 ____D C:\Users\MM\My Documents\New Folder
2013-06-28 07:09 - 2013-06-28 07:09 - 00000000 ____D C:\Users\MM\Documents\New Folder
2013-06-27 20:32 - 2013-06-27 20:32 - 03191888 ____A (McAfee, Inc.) C:\Users\MM\Downloads\MCPR.exe
2013-06-27 18:36 - 2013-06-27 18:28 - 00000000 ____D C:\Users\MM\Desktop\ReportMaker
2013-06-27 18:28 - 2013-06-27 18:27 - 05071019 ____A C:\Users\MM\Downloads\ReportMaker.exe
2013-06-26 18:19 - 2013-06-26 18:18 - 84531984 ____A (Microsoft Corporation) C:\Users\MM\Downloads\msert.exe
2013-06-24 12:28 - 2013-06-24 12:28 - 00000000 ____D C:\4c7a2a57247ff3414ec69abb20
2013-06-24 07:10 - 2009-06-30 23:48 - 00000000 ____D C:\Users\Boogie\Local Settings\Google
2013-06-24 07:10 - 2009-06-30 23:48 - 00000000 ____D C:\Users\Boogie\Local Settings\Application Data\Google
2013-06-24 07:10 - 2009-06-30 23:48 - 00000000 ____D C:\Users\Boogie\AppData\Local\Google
2013-06-23 13:28 - 2013-06-23 13:28 - 00266635 ____A C:\Users\MM\Downloads\coupon.htm
2013-06-23 13:28 - 2013-06-23 13:28 - 00000000 ____D C:\Users\MM\Downloads\coupon_files
2013-06-21 07:53 - 2012-02-19 18:57 - 00002047 ____A C:\Users\Boogie\Desktop\Google Chrome.lnk
2013-06-20 17:38 - 2011-11-11 04:40 - 00002027 ____A C:\Users\MM\Desktop\Google Chrome.lnk
2013-06-13 13:10 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\rescache
2013-06-13 12:26 - 2006-11-02 05:24 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-06-13 05:20 - 2010-10-24 05:18 - 00000000 ____D C:\Users\MM\Application Data\gtk-2.0
2013-06-13 05:20 - 2010-10-24 05:18 - 00000000 ____D C:\Users\MM\AppData\Roaming\gtk-2.0
2013-06-13 05:20 - 2010-10-24 04:44 - 00000000 ____D C:\Users\MM\.gimp-2.6
2013-06-07 13:58 - 2013-06-07 13:57 - 00000000 ____D C:\d21bc27f234745fff305b1
2013-06-06 15:18 - 2013-06-06 15:18 - 00000000 ____D C:\de97f0fff34a6460a575edf027f207
 
Files to move or delete:
====================
C:\ProgramData\nvModes.dat
C:\ProgramData\sysqcl1129139270.dat
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-07-05 14:16
 
==================== End Of Log ============================

Addition.txt


Do you know why these errors appear in your log:
 

Application errors:
==================
Error: (07/05/2013 02:11:49 PM) (Source: Winlogon) (User: )
Description: Windows license activation failed. Error 0x00000000.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download the attached fixlist.txt to the same folder as FRST.
Run FRST, click Fix only once, and wait.
The tool will create a log (Fixlog.txt); please post it in your reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then......

Please update and run a Quick Scan with Malwarebytes Anti-Malware, and post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 04-07-2013

Ran by MM at 2013-07-06 15:27:43 Run:1

Running from C:\Users\MM\Downloads

Boot Mode: Normal

 

==============================================

 

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04 => Value not found.

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore] C:\Windows\System32\rstrui.exe /runonce [318464 2008-01-19 => Value not found.

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => Value deleted successfully.

HKCR\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => Key not found.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{037039D8-8C53-43CC-95BE-198556E66531} => Key deleted successfully.

HKCR\CLSID\{037039D8-8C53-43CC-95BE-198556E66531} => Key not found.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8E8176CF-3C72-4F29-B0AF-5E670D763FBD} => Key deleted successfully.

HKCR\CLSID\{8E8176CF-3C72-4F29-B0AF-5E670D763FBD} => Key not found.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E4A7BA5D-1FCA-4261-85CA-307FC5471A6D} => Key deleted successfully.

HKCR\CLSID\{E4A7BA5D-1FCA-4261-85CA-307FC5471A6D} => Key not found.

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => Value deleted successfully.

HKCR\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => Key not found.

C:\ProgramData\nvModes.dat => Moved successfully.

C:\ProgramData\sysqcl1129139270.dat => Moved successfully.

 

==== End of Fixlog ====


Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.07.06.05

 

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

MM :: PC [limited]

 

7/6/2013 3:30:34 PM

mbam-log-2013-07-06 (15-30-34).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 312389

Time elapsed: 11 minute(s), 49 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 1

HKCU\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 2

HKCR\.exe| (Hijacked.exeFile) -> Bad: (ilh) Good: (exefile) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

Also, I don't know why it says my license is invalid. I have been trying to validate it online with my product key (I don't have the CD because Vista was preinstalled on my computer) and had received "Unexpected Error" in the past, so I thought it was also because of malware --- Microsoft said it was a possible "registry error."


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.