Jump to content

Help with Zbot/Zeus trojan


Recommended Posts

I could use some help. I believe I have a trojan in the family of Zbot/Zeus on either my computer or Android phone (or both). I connect to the internet at home via wifi hotspot with my Android phone. I had a suspicion something was wrong and ran all the normal anti-virus/malware software which came up with a couple issues.

After this I attempted to start an account with this forum and was denied access with the following:

"Sorry, you don't have permission for that! [#1001]

You are not allowed to visit this community."

This looked suspicious so I checked to see if my IP was blacklisted. As I have a dynamic IP I checked the range in which my phone normally uses, 3 of the 5 were blacklisted with cbl.abuseat.org. The majority of reports showed:

“This was detected by observing this IP attempting to make contact to a Zeus Command and Control server, with contents unique to Zeus C&C command protocols.”

I then switched my PC off and left my phone on, checking the current IP. The same activity was reported later that evening by cbl.abuseat.org for my IP with only my phone on (full report follows). It should also be noted that three other IPs in the range ending 10-15 also showed activity around the same time (so not all my phone).

From the report on cbl.abuseat.org it sounds like wiping the infected device is the best option for ensuring protection in future. I would like to know what others think. Is there a way to tell which device is infected? Maybe through logs on the phone and firewall on the computer? Is there anyway to know if my external hard drive is compromised (with my backupdata)? Any help is greatly appreciated.

Example log from cbl.abuseat.org (with my IP address removed):

CBL Lookup Utility: http://cbl.abuseat.org/lookup.cgi?ip=XX.XX.XX.12&.pubmit=Lookup

IP Address XX.XX.XX.12 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2013-07-25 11:00 GMT (+/- 30 minutes), approximately 3 hours ago.

It has been relisted following a previous removal at 2012-05-04 10:38 GMT (447 days, 3 hours, 19 minutes ago)

This IP is infected with, or is NATting for a machine infected with Win32/Zbot (Microsoft).

This was detected by observing this IP attempting to make contact to a Zeus Command and Control server, with contents unique to Zeus C&C command protocols.

Zbot is known by other names: Wsnpoem (Symantec) and most commonly as Zeus.

Zbot/Zeus is a banking trojan, and specializes in stealing personal information (passwords, account information, etc) from interactions with banking sites through the use of "formgrabs".

This was detected by a TCP/IP connection from XX.XX.XX.12 on port 16172 going to IP address 82.165.37.26 (the sinkhole) on port 80.

The botnet command and control domain for this connection was "zadejola.com".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 82.165.37.26 or host name zadejola.com on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to 82.165.37.26 or zadejola.com. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

This detection corresponds to a connection at 2013-07-25 10:56:24 (GMT - this timestamp is believed accurate to within one second).

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address.

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" its a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, and they will STILL be delivering your users/customers personal information, including banking information to the criminal bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.

This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working.

The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP.

Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.

Thus: having your anti-virus software doesn't find anything doesn't prove that you're not infected.

While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.

Link to post
Share on other sites

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
Scan with DDS

Download DDS and save it to your desktop from here or here or
here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply
 
 
 
Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )

    [*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Link to post
Share on other sites

Thank you Marius. I have completed these scans as requested. Scans are below and file is attached.

 

I should also say that last night I factory reset my phone and deleted all contents. From this time point no new malicious activity has been reported from my phone's IP address on CBL. I am using a different connection for my computer.

 

DDS Scan:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 10.25.2
Run by Rochelle at 10:26:36 on 2013-07-26
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.353.1033.18.8106.5542 [GMT 1:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Outpost Security Suite *Disabled/Updated* {ECEA6BCD-A007-0BC7-D5A5-0254DCBD816E}
SP: Outpost Security Suite *Disabled/Updated* {578B8A29-863D-0449-EF15-3926A73ACBD3}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
FW: Outpost Security Suite *Enabled* {D4D1EAE8-EA68-0A9F-FEFA-AB61226EC615}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\atieclxx.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k NetworkService
C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe
C:\Program Files (x86)\Samsung\Easy Settings\SamsungDeviceConfiguration.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\WLANExt.exe
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\System32\WUDFHost.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Agnitum\Outpost Security Suite Free\op_mon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\SysWOW64\RunDll32.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe
C:\Program Files (x86)\Samsung\Easy Settings\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe
C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\windows\system32\igfxext.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe
C:\windows\system32\hkcmd.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\windows\system32\igfxpers.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Samsung\S Agent\CommonAgent.exe
C:\Program Files\Samsung\Easy Support Center\SamoyedAgent.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Users\Rochelle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rochelle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rochelle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rochelle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rochelle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rochelle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rochelle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - 
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{858B08B2-6A4C-4C95-B6B8-E3E60B84791C} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{BE087B43-FE97-447D-A81A-E3DDC6986D62} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{BE087B43-FE97-447D-A81A-E3DDC6986D62}\14E64627F69646D65616473707F64753431333 : DHCPNameServer = 192.168.43.1
TCP: Interfaces\{BE087B43-FE97-447D-A81A-E3DDC6986D62}\55053403034303831363 : DHCPNameServer = 89.101.160.4 89.101.160.5
TCP: Interfaces\{BE087B43-FE97-447D-A81A-E3DDC6986D62}\55053403034363238323 : DHCPNameServer = 89.101.160.4 89.101.160.5
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= c:\progra~1\agnitum\outpos~1\wl_hook.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - 
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [ETDCtrl] C:\Program Files (x86)\Elantech\ETDCtrl.exe
x64-Run: [OutpostMonitor] "C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" /tray /noservice
x64-Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Security Suite Free\feedback.exe" /dump:os_startup
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
Hosts: 127.0.0.1 ads.mcafee.com
Hosts: 127.0.0.1 analytics.microsoft.com
Hosts: 127.0.0.1 metrics.bitdefender.com
Hosts: 127.0.0.1 metrics.mcafee.com
Hosts: 127.0.0.1  om.symantec.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Rochelle\AppData\Roaming\Mozilla\Firefox\Profiles\7kj75i26.default\
FF - prefs.js: browser.search.selectedEngine - Ixquick HTTPS
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll
FF - plugin: C:\Users\Rochelle\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
FF - plugin: C:\windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-06-14 22:53; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\Rochelle\AppData\Roaming\Mozilla\Firefox\Profiles\7kj75i26.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-06-14 22:54; firefox@ghostery.com; C:\Users\Rochelle\AppData\Roaming\Mozilla\Firefox\Profiles\7kj75i26.default\extensions\firefox@ghostery.com
FF - ExtSQL: 2013-07-02 14:26; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\windows\System32\drivers\avgidsha.sys [2013-2-8 71480]
R0 Avgloga;AVG Logging Driver;C:\windows\System32\drivers\avgloga.sys [2013-2-8 311096]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\windows\System32\drivers\avgmfx64.sys [2013-2-8 116536]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\windows\System32\drivers\avgrkx64.sys [2013-2-8 45880]
R0 excsd;ExpressCache Storage Filter Driver;C:\windows\System32\drivers\excsd.sys [2011-9-21 76368]
R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2012-5-20 55856]
R1 afw;Agnitum Firewall Driver;C:\windows\System32\drivers\afw.sys [2013-7-21 39528]
R1 AVGIDSDriver;AVGIDSDriver;C:\windows\System32\drivers\avgidsdrivera.sys [2013-3-29 246072]
R1 Avgldx64;AVG AVI Loader Driver;C:\windows\System32\drivers\avgldx64.sys [2013-2-8 206136]
R1 Avgtdia;AVG TDI Driver;C:\windows\System32\drivers\avgtdia.sys [2013-3-21 240952]
R1 ctxusbm;Citrix USB Monitor Driver;C:\windows\System32\drivers\ctxusbm.sys [2011-8-10 91864]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;C:\windows\System32\drivers\SABI.sys [2011-9-21 13824]
R1 SandBox;SandBox;C:\windows\System32\drivers\SandBox64.sys [2013-7-21 1097672]
R2 acssrv;Agnitum Client Security Service;C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe [2013-7-21 3501696]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2013-7-18 235520]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2013-5-14 4937264]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2013-4-18 283136]
R2 ExpressCache;ExpressCache;C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe [2011-5-26 77904]
R2 SamsungDeviceConfigurationWinService;SamsungDeviceConfiguration;C:\Program Files (x86)\Samsung\Easy Settings\SamsungDeviceConfiguration.exe [2013-7-18 31624]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2013-7-3 1228504]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2013-7-3 660184]
R2 SGDrv;SGDrv;C:\windows\System32\drivers\SGDrv64.sys [2011-9-21 7680]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-9-21 2656536]
R3 acpials;ALS Sensor Filter;C:\windows\System32\drivers\acpials.sys [2010-11-21 9728]
R3 afwcore;afwcore;C:\windows\System32\drivers\afwcore.sys [2013-7-21 424040]
R3 asmthub3;ASMedia USB3 Hub Service;C:\windows\System32\drivers\asmthub3.sys [2011-11-3 130536]
R3 asmtxhci;ASMEDIA XHCI Service;C:\windows\System32\drivers\asmtxhci.sys [2011-11-3 395752]
R3 BTWAMPFL;BTWAMPFL;C:\windows\System32\drivers\btwampfl.sys [2012-4-25 349736]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\System32\drivers\btwl2cap.sys [2013-7-18 39464]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\windows\System32\drivers\clwvd.sys [2011-8-17 31216]
R3 ETD;ELAN PS/2 Port Input Device;C:\windows\System32\drivers\ETD.sys [2012-3-14 242512]
R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2011-8-23 317440]
R3 intelkmd;intelkmd;C:\windows\System32\drivers\igdpmd64.sys [2013-7-18 12311904]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2011-9-21 533096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\windows\System32\drivers\ssadadb.sys [2011-5-13 36328]
S3 ASWFilt;ASWFilt;C:\windows\System32\Filt\ASWFilt64.dll [2013-7-21 49168]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\windows\System32\drivers\ssudbus.sys [2011-9-21 82112]
S3 PSI;PSI;C:\windows\System32\drivers\psi_mf_amd64.sys [2013-7-3 18456]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2013-4-17 19456]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\windows\System32\drivers\ssadbus.sys [2011-5-13 157672]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\windows\System32\drivers\ssadmdfl.sys [2011-5-13 16872]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\windows\System32\drivers\ssadmdm.sys [2011-5-13 177640]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);C:\windows\System32\drivers\ssadserd.sys [2011-5-13 146920]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\windows\System32\drivers\ssudmdm.sys [2011-9-21 202560]
S3 ssudnflt;Remote NDIS Filter Driver;C:\windows\System32\drivers\ssudnflt.sys [2011-9-21 19520]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2013-4-17 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2013-4-17 30208]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2012-2-15 52736]
S3 VBEngNT;VBEngNT;C:\windows\System32\drivers\VBEngNT.sys [2013-7-21 293048]
S3 VBFilt;VBFilt;C:\windows\System32\Filt\VBFilt64.dll [2013-7-21 42976]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2012-4-28 1255736]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-4-16 39056]
S4 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-5-14 3289208]
S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-6-3 162408]
S4 SWUpdateService;SW Update Service;C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe [2013-7-12 3017776]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
FileExt: .js: JSFile="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS5.5\Dreamweaver.exe","%1"
.
=============== Created Last 30 ================
.
2013-07-21 21:58:20 108968 ----a-w- C:\windows\System32\WindowsAccessBridge-64.dll
2013-07-21 20:30:02 -------- d-----w- C:\Program Files (x86)\RealNetworks
2013-07-21 20:30:00 -------- d-----w- C:\ProgramData\RealNetworks
2013-07-21 20:29:50 -------- d-----w- C:\Program Files (x86)\Common Files\xing shared
2013-07-21 20:29:35 499712 ----a-w- C:\windows\SysWow64\msvcp71.dll
2013-07-21 20:29:35 348160 ----a-w- C:\windows\SysWow64\msvcr71.dll
2013-07-21 20:24:29 96168 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-21 20:14:11 -------- d-----w- C:\Users\Rochelle\AppData\Local\Secunia PSI
2013-07-21 20:14:00 -------- d-----w- C:\Program Files (x86)\Secunia
2013-07-21 16:51:52 293048 ----a-w- C:\windows\System32\drivers\VBEngNT.sys
2013-07-21 16:51:51 1097672 ----a-w- C:\windows\System32\drivers\SandBox64.sys
2013-07-21 16:51:42 424040 ----a-w- C:\windows\System32\drivers\afwcore.sys
2013-07-21 16:51:24 39528 ----a-w- C:\windows\System32\drivers\afw.sys
2013-07-21 16:51:09 -------- d-----w- C:\windows\System32\Filt
2013-07-21 16:51:09 -------- d-----w- C:\Users\Rochelle\AppData\Roaming\Agnitum
2013-07-21 16:51:09 -------- d-----w- C:\Program Files\Agnitum
2013-07-21 16:50:43 -------- d-----w- C:\ProgramData\Agnitum
2013-07-21 16:25:02 -------- d-----w- C:\ProgramData\Licenses
2013-07-21 16:25:00 129872 ----a-w- C:\windows\SysWow64\MSSTDFMT.DLL
2013-07-21 16:25:00 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2013-07-19 13:24:34 -------- d-----w- C:\ProgramData\Sophos
2013-07-19 13:24:09 -------- d-----w- C:\Program Files (x86)\Sophos
2013-07-19 13:24:02 -------- d-----w- C:\SAVSCFXP
2013-07-19 12:05:08 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2013-07-19 12:04:19 -------- d-----w- C:\windows\PCHEALTH
2013-07-19 12:02:06 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 8
2013-07-19 12:01:20 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2013-07-19 11:20:19 7680 ----a-w- C:\Users\Rochelle\AppData\Local\Z@!-b904e8a2-0f5a-4a91-aa0c-6ba6b0661e7f.tmp
2013-07-19 11:20:19 7168 ----a-w- C:\Users\Rochelle\AppData\Local\Z@S!-9a6050a8-bb80-44ff-a82e-e40fca554d72.tmp
2013-07-19 11:20:18 7680 ----a-w- C:\Users\Rochelle\AppData\Local\Z@!-ea789ddf-068a-4122-ab8d-df16e2dfb3d9.tmp
2013-07-18 19:47:50 39464 ----a-w- C:\windows\System32\drivers\btwl2cap.sys
2013-07-18 19:47:50 21416 ----a-w- C:\windows\System32\drivers\btwrchid.sys
2013-07-18 19:47:50 138280 ----a-w- C:\windows\System32\drivers\btwavdt.sys
2013-07-18 19:47:50 107560 ----a-w- C:\windows\System32\drivers\btwaudio.sys
2013-07-18 19:40:38 -------- d-----w- C:\Program Files (x86)\AMD APP
2013-07-18 19:17:34 -------- d-----w- C:\Program Files (x86)\ASM104xUSB3
2013-07-18 12:21:15 -------- d-----w- C:\Users\Rochelle\AppData\Roaming\SAS
2013-07-18 12:21:14 89600 ----a-w- C:\windows\System32\sasperf.dll
2013-07-18 11:47:08 69714 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2013-07-18 11:47:08 63488 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe
2013-07-18 11:47:08 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2013-07-18 11:47:08 184320 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2013-07-18 11:47:07 753664 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2013-07-18 11:47:07 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2013-07-18 11:47:07 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2013-07-18 11:47:04 -------- d-----w- C:\Program Files (x86)\Microsoft WSE
2013-07-18 11:40:53 -------- d-----w- C:\Program Files\SASHome
2013-07-18 11:38:50 -------- d-----w- C:\ProgramData\SAS
2013-07-18 11:23:55 -------- d-----w- C:\SAS93
2013-07-17 07:27:25 -------- d-----w- C:\windows\System32\MRT
2013-07-13 10:01:37 2706432 ----a-w- C:\windows\System32\mshtml.tlb
2013-07-11 23:39:05 3153920 ----a-w- C:\windows\System32\win32k.sys
2013-07-11 23:38:52 1732608 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2013-07-11 23:38:52 1393152 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2013-07-11 23:38:52 1367040 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 23:38:51 936448 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 23:38:51 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2013-07-11 23:31:33 1643520 ----a-w- C:\windows\System32\DWrite.dll
2013-07-11 23:31:33 1247744 ----a-w- C:\windows\SysWow64\DWrite.dll
2013-07-11 23:30:04 9216 ----a-w- C:\Program Files (x86)\Windows Defender\MpAsDesc.dll
2013-07-11 23:30:04 571904 ----a-w- C:\Program Files\Windows Defender\MpClient.dll
2013-07-11 23:30:04 54784 ----a-w- C:\Program Files (x86)\Windows Defender\MpOAV.dll
2013-07-11 23:30:04 4608 ----a-w- C:\Program Files (x86)\Windows Defender\MsMpLics.dll
2013-07-11 23:30:04 392704 ----a-w- C:\Program Files (x86)\Windows Defender\MpClient.dll
2013-07-11 23:30:04 314880 ----a-w- C:\Program Files\Windows Defender\MpCommu.dll
2013-07-11 23:30:04 1011712 ----a-w- C:\Program Files\Windows Defender\MpSvc.dll
2013-07-11 23:30:02 624128 ----a-w- C:\windows\System32\qedit.dll
2013-07-11 23:30:02 509440 ----a-w- C:\windows\SysWow64\qedit.dll
2013-07-11 23:30:02 1887744 ----a-w- C:\windows\System32\WMVDECOD.DLL
2013-07-11 23:30:01 1620480 ----a-w- C:\windows\SysWow64\WMVDECOD.DLL
2013-07-03 08:32:42 18456 ----a-w- C:\windows\System32\drivers\psi_mf_amd64.sys
2013-07-02 15:02:25 -------- d-----w- C:\Users\Rochelle\AppData\Roaming\Oki Data
2013-07-02 14:58:28 241152 ----a-w- C:\windows\System32\OKBBAL.DLL
2013-07-02 13:26:28 -------- d-----r- C:\Program Files (x86)\Skype
.
==================== Find3M  ====================
.
2013-07-21 21:58:17 972712 ----a-w- C:\windows\System32\deployJava1.dll
2013-07-21 21:58:17 1093032 ----a-w- C:\windows\System32\npDeployJava1.dll
2013-07-21 20:34:03 71048 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-21 20:34:03 692104 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2013-07-21 20:24:26 867240 ----a-w- C:\windows\SysWow64\npdeployJava1.dll
2013-07-21 20:24:26 789416 ----a-w- C:\windows\SysWow64\deployJava1.dll
2013-06-11 23:43:37 1767936 ----a-w- C:\windows\SysWow64\wininet.dll
2013-06-11 23:43:00 2877440 ----a-w- C:\windows\SysWow64\jscript9.dll
2013-06-11 23:42:58 61440 ----a-w- C:\windows\SysWow64\iesetup.dll
2013-06-11 23:42:58 109056 ----a-w- C:\windows\SysWow64\iesysprep.dll
2013-06-11 23:26:20 2241024 ----a-w- C:\windows\System32\wininet.dll
2013-06-11 23:25:16 3958784 ----a-w- C:\windows\System32\jscript9.dll
2013-06-11 23:25:13 67072 ----a-w- C:\windows\System32\iesetup.dll
2013-06-11 23:25:13 136704 ----a-w- C:\windows\System32\iesysprep.dll
2013-06-11 22:51:45 71680 ----a-w- C:\windows\SysWow64\RegisterIEPKEYs.exe
2013-06-11 22:50:58 89600 ----a-w- C:\windows\System32\RegisterIEPKEYs.exe
2013-06-07 02:37:52 2706432 ----a-w- C:\windows\SysWow64\mshtml.tlb
2013-05-13 05:51:01 184320 ----a-w- C:\windows\System32\cryptsvc.dll
2013-05-13 05:51:00 1464320 ----a-w- C:\windows\System32\crypt32.dll
2013-05-13 05:51:00 139776 ----a-w- C:\windows\System32\cryptnet.dll
2013-05-13 05:50:40 52224 ----a-w- C:\windows\System32\certenc.dll
2013-05-13 04:45:55 140288 ----a-w- C:\windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55 1160192 ----a-w- C:\windows\SysWow64\crypt32.dll
2013-05-13 04:45:55 103936 ----a-w- C:\windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55 1192448 ----a-w- C:\windows\System32\certutil.exe
2013-05-13 03:08:10 903168 ----a-w- C:\windows\SysWow64\certutil.exe
2013-05-13 03:08:06 43008 ----a-w- C:\windows\SysWow64\certenc.dll
2013-05-10 05:49:27 30720 ----a-w- C:\windows\System32\cryptdlg.dll
2013-05-10 03:20:54 24576 ----a-w- C:\windows\SysWow64\cryptdlg.dll
2013-05-08 06:39:01 1910632 ----a-w- C:\windows\System32\drivers\tcpip.sys
.
============= FINISH: 10:27:05.42 ===============

 

 

 

Gmer log:

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-26 10:54:00
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JF4O 698.64GB
Running: hug7umw8.exe; Driver: C:\Users\Rochelle\AppData\Local\Temp\fxldypoc.sys
 
 
---- Threads - GMER 2.1 ----
 
Thread  C:\windows\system32\taskhost.exe [3860:4672]                                                     000007fefebe2740
Thread  C:\windows\system32\taskhost.exe [3860:628]                                                      000007fefebd1f38
Thread  C:\windows\system32\taskhost.exe [3860:824]                                                      000007fef9f91010
Thread  C:\windows\system32\taskhost.exe [3860:5440]                                                     000007fef55b5170
Thread  C:\windows\system32\Dwm.exe [872:944]                                                            000007fefe65abf0
Thread  C:\windows\SysWOW64\ntdll.dll [3160:3520]                                                        00000000011231ef
Thread  C:\windows\SysWOW64\ntdll.dll [3160:2768]                                                        0000000072eac59c
Thread  C:\windows\SysWOW64\ntdll.dll [3160:1716]                                                        0000000072eac59c
Thread  C:\windows\SysWOW64\ntdll.dll [3160:1556]                                                        0000000072eac59c
Thread  C:\windows\SysWOW64\ntdll.dll [3160:1552]                                                        0000000072eac59c
Thread  C:\windows\SysWOW64\ntdll.dll [3160:800]                                                         0000000072eac59c
Thread  C:\windows\SysWOW64\ntdll.dll [3160:5400]                                                        000000006df2eb6e
Thread  C:\windows\SysWOW64\ntdll.dll [3160:5412]                                                        000000006dc80349
Thread  C:\windows\SysWOW64\ntdll.dll [3160:5436]                                                        000000006dc80349
Thread  C:\windows\SysWOW64\ntdll.dll [3160:5460]                                                        000000006dc80349
Thread  C:\windows\SysWOW64\ntdll.dll [3160:1000]                                                        00000000749e27c1
Thread  C:\windows\SysWOW64\ntdll.dll [3160:856]                                                         0000000074e0d864
Thread  C:\Program Files\Microsoft IntelliPoint\ipoint.exe [5520:5368]                                   000007feed243774
Thread  C:\Program Files\Microsoft IntelliPoint\ipoint.exe [5520:3516]                                   000007feed087498
 
---- Registry - GMER 2.1 ----
 
Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de9ca1db                      
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de9ca1db (not active ControlSet)  
 
---- Disk sectors - GMER 2.1 ----
 
Disk    \Device\Harddisk0\DR0                                                                            unknown MBR code
 
---- EOF - GMER 2.1 ----

 

 

attach.txt

Link to post
Share on other sites

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe



When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.

Link to post
Share on other sites

Please ignore my last post, I restarted my computer and error went away, as per instructions in your last post. I have reactivated my AV. Here is the log from Combofix:

 

Combofix

 

ComboFix 13-07-25.02 - Rochelle 26/07/2013  11:49:48.1.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.353.1033.18.8106.5584 [GMT 1:00]
Running from: c:\users\Rochelle\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Outpost Security Suite *Disabled/Updated* {ECEA6BCD-A007-0BC7-D5A5-0254DCBD816E}
FW: Outpost Security Suite *Disabled* {D4D1EAE8-EA68-0A9F-FEFA-AB61226EC615}
SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Outpost Security Suite *Disabled/Updated* {578B8A29-863D-0449-EF15-3926A73ACBD3}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Rochelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{7182978F-58F3-49AC-8321-99EFE0B8D4A5}.xps
c:\users\Rochelle\AppData\Local\Z@!-b904e8a2-0f5a-4a91-aa0c-6ba6b0661e7f.tmp
c:\users\Rochelle\AppData\Local\Z@!-ea789ddf-068a-4122-ab8d-df16e2dfb3d9.tmp
c:\users\Rochelle\AppData\Local\Z@S!-9a6050a8-bb80-44ff-a82e-e40fca554d72.tmp
c:\windows\SysWow64\muzapp.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-26 to 2013-07-26  )))))))))))))))))))))))))))))))
.
.
2013-07-21 21:58 . 2013-07-21 21:58 312232 ----a-w- c:\windows\system32\javaws.exe
2013-07-21 21:58 . 2013-07-21 21:58 189352 ----a-w- c:\windows\system32\javaw.exe
2013-07-21 21:58 . 2013-07-21 21:58 188840 ----a-w- c:\windows\system32\java.exe
2013-07-21 21:58 . 2013-07-21 21:58 108968 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2013-07-21 21:58 . 2013-07-21 21:58 -------- d-----w- c:\program files\Java
2013-07-21 20:30 . 2013-07-21 20:30 -------- d-----w- c:\program files (x86)\RealNetworks
2013-07-21 20:30 . 2013-07-21 20:30 -------- d-----w- c:\programdata\RealNetworks
2013-07-21 20:29 . 2013-07-21 20:29 -------- d-----w- c:\program files (x86)\Common Files\xing shared
2013-07-21 20:29 . 2013-07-21 20:29 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2013-07-21 20:29 . 2013-07-21 20:29 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2013-07-21 20:24 . 2013-07-21 20:24 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-21 20:14 . 2013-07-21 20:14 -------- d-----w- c:\users\Rochelle\AppData\Local\Secunia PSI
2013-07-21 20:14 . 2013-07-21 20:14 -------- d-----w- c:\program files (x86)\Secunia
2013-07-21 16:51 . 2011-02-02 16:04 293048 ----a-w- c:\windows\system32\drivers\VBEngNT.sys
2013-07-21 16:51 . 2011-03-21 15:29 1097672 ----a-w- c:\windows\system32\drivers\SandBox64.sys
2013-07-21 16:51 . 2010-09-27 14:38 424040 ----a-w- c:\windows\system32\drivers\afwcore.sys
2013-07-21 16:51 . 2010-04-20 15:02 39528 ----a-w- c:\windows\system32\drivers\afw.sys
2013-07-21 16:51 . 2013-07-26 09:05 -------- d-----w- c:\windows\system32\Filt
2013-07-21 16:51 . 2013-07-21 16:51 -------- d-----w- c:\users\Rochelle\AppData\Roaming\Agnitum
2013-07-21 16:51 . 2013-07-21 16:51 -------- d-----w- c:\program files\Agnitum
2013-07-21 16:50 . 2013-07-21 16:50 -------- d-----w- c:\programdata\Agnitum
2013-07-21 16:25 . 2013-07-21 16:25 -------- d-----w- c:\programdata\Licenses
2013-07-21 16:25 . 2013-07-21 16:28 -------- d-----w- c:\program files (x86)\SpywareBlaster
2013-07-21 16:25 . 2009-03-24 11:52 129872 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
2013-07-19 13:24 . 2013-07-19 16:52 -------- d-----w- c:\programdata\Sophos
2013-07-19 13:24 . 2013-07-19 13:24 -------- d-----w- c:\program files (x86)\Sophos
2013-07-19 13:24 . 2011-02-02 11:42 -------- d-----w- C:\SAVSCFXP
2013-07-19 12:05 . 2013-07-19 12:05 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
2013-07-19 12:04 . 2013-07-19 12:04 -------- d-----w- c:\windows\PCHEALTH
2013-07-19 12:04 . 2013-07-19 12:04 -------- d-----w- c:\program files (x86)\Microsoft Sync Framework
2013-07-19 12:02 . 2013-07-19 12:02 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
2013-07-19 12:01 . 2013-07-19 12:01 -------- d-----w- c:\program files\Microsoft Office
2013-07-19 12:01 . 2013-07-19 12:01 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2013-07-19 12:00 . 2013-07-19 12:00 -------- d-----r- C:\MSOCache
2013-07-18 19:47 . 2011-08-25 13:18 39464 ----a-w- c:\windows\system32\drivers\btwl2cap.sys
2013-07-18 19:47 . 2011-08-25 13:18 21416 ----a-w- c:\windows\system32\drivers\btwrchid.sys
2013-07-18 19:47 . 2011-08-25 13:18 138280 ----a-w- c:\windows\system32\drivers\btwavdt.sys
2013-07-18 19:47 . 2011-08-25 13:18 107560 ----a-w- c:\windows\system32\drivers\btwaudio.sys
2013-07-18 19:44 . 2013-07-18 19:44 -------- d-----w- c:\programdata\ATI
2013-07-18 19:40 . 2013-07-18 19:40 -------- d-----w- c:\program files (x86)\AMD APP
2013-07-18 19:17 . 2013-07-18 19:17 -------- d-----w- c:\program files (x86)\ASM104xUSB3
2013-07-18 12:21 . 2013-07-19 20:28 -------- d-----w- c:\users\Rochelle\AppData\Roaming\SAS
2013-07-18 12:21 . 2011-05-26 04:21 89600 ----a-w- c:\windows\system32\sasperf.dll
2013-07-18 11:47 . 2005-04-03 22:02 69714 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2013-07-18 11:47 . 2005-04-03 22:01 274432 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2013-07-18 11:47 . 2005-04-03 22:00 184320 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2013-07-18 11:47 . 2005-04-03 22:00 63488 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe
2013-07-18 11:47 . 2013-07-18 11:47 331908 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2013-07-18 11:47 . 2013-07-18 11:47 200836 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2013-07-18 11:47 . 2005-04-03 22:02 753664 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2013-07-18 11:47 . 2013-07-18 11:47 -------- d-----w- c:\program files (x86)\Microsoft WSE
2013-07-18 11:40 . 2013-07-18 12:57 -------- d-----w- c:\program files\SASHome
2013-07-18 11:38 . 2013-07-18 11:38 -------- d-----w- c:\programdata\SAS
2013-07-18 11:23 . 2013-07-18 12:47 -------- d-----w- C:\SAS93
2013-07-17 07:27 . 2013-07-17 07:30 -------- d-----w- c:\windows\system32\MRT
2013-07-11 23:39 . 2013-06-05 03:34 3153920 ----a-w- c:\windows\system32\win32k.sys
2013-07-11 23:38 . 2013-04-10 05:48 1732608 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2013-07-11 23:38 . 2013-04-10 05:46 1393152 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2013-07-11 23:38 . 2013-04-10 05:46 1367040 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 23:38 . 2013-04-10 05:46 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-07-11 23:38 . 2013-04-10 05:03 936448 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 23:31 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-07-11 23:31 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-07-11 23:30 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll
2013-07-11 23:30 . 2013-05-27 05:50 571904 ----a-w- c:\program files\Windows Defender\MpClient.dll
2013-07-11 23:30 . 2013-05-27 05:50 314880 ----a-w- c:\program files\Windows Defender\MpCommu.dll
2013-07-11 23:30 . 2013-05-27 04:57 4608 ----a-w- c:\program files (x86)\Windows Defender\MsMpLics.dll
2013-07-11 23:30 . 2013-05-27 04:57 54784 ----a-w- c:\program files (x86)\Windows Defender\MpOAV.dll
2013-07-11 23:30 . 2013-05-27 04:57 392704 ----a-w- c:\program files (x86)\Windows Defender\MpClient.dll
2013-07-11 23:30 . 2013-05-27 03:15 9216 ----a-w- c:\program files (x86)\Windows Defender\MpAsDesc.dll
2013-07-11 23:30 . 2013-06-04 06:00 624128 ----a-w- c:\windows\system32\qedit.dll
2013-07-11 23:30 . 2013-06-04 04:53 509440 ----a-w- c:\windows\SysWow64\qedit.dll
2013-07-11 23:30 . 2013-05-06 06:03 1887744 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-11 23:30 . 2013-05-06 04:56 1620480 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
2013-07-03 08:32 . 2013-07-03 08:32 18456 ----a-w- c:\windows\system32\drivers\psi_mf_amd64.sys
2013-07-02 15:02 . 2013-07-02 15:02 -------- d-----w- c:\users\Rochelle\AppData\Roaming\Oki Data
2013-07-02 14:58 . 2011-01-16 14:09 241152 ----a-w- c:\windows\system32\OKBBAL.DLL
2013-07-02 13:26 . 2013-07-02 13:26 -------- d-----r- c:\program files (x86)\Skype
2013-07-02 13:26 . 2013-07-02 13:26 -------- d-----w- c:\program files (x86)\Common Files\Skype
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-21 21:58 . 2012-08-19 14:51 972712 ----a-w- c:\windows\system32\deployJava1.dll
2013-07-21 21:58 . 2012-08-19 14:51 1093032 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-21 20:34 . 2012-04-25 19:43 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-21 20:34 . 2012-04-25 19:43 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-07-21 20:24 . 2012-07-30 02:02 867240 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-07-21 20:24 . 2012-04-25 19:45 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-06-23 23:57 . 2012-05-04 11:54 78277128 ----a-w- c:\windows\system32\MRT.exe
2013-05-24 12:56 . 2013-05-24 12:56 226304 ----a-w- c:\windows\system32\elshyph.dll
2013-05-24 12:56 . 2013-05-24 12:56 185344 ----a-w- c:\windows\SysWow64\elshyph.dll
2013-05-24 12:56 . 2013-05-24 12:56 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-05-24 12:56 . 2013-05-24 12:56 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2013-05-24 12:56 . 2013-05-24 12:56 158720 ----a-w- c:\windows\SysWow64\msls31.dll
2013-05-24 12:56 . 2013-05-24 12:56 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2013-05-24 12:56 . 2013-05-24 12:56 138752 ----a-w- c:\windows\SysWow64\wextract.exe
2013-05-24 12:56 . 2013-05-24 12:56 523264 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-05-24 12:56 . 2013-05-24 12:56 38400 ----a-w- c:\windows\SysWow64\imgutil.dll
2013-05-24 12:56 . 2013-05-24 12:56 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-05-24 12:56 . 2013-05-24 12:56 12800 ----a-w- c:\windows\SysWow64\mshta.exe
2013-05-24 12:56 . 2013-05-24 12:56 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2013-05-24 12:56 . 2013-05-24 12:56 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-05-24 12:56 . 2013-05-24 12:56 61952 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-05-24 12:56 . 2013-05-24 12:56 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2013-05-24 12:56 . 2013-05-24 12:56 361984 ----a-w- c:\windows\SysWow64\html.iec
2013-05-24 12:56 . 2013-05-24 12:56 452096 ----a-w- c:\windows\system32\dxtmsft.dll
2013-05-24 12:56 . 2013-05-24 12:56 441856 ----a-w- c:\windows\system32\html.iec
2013-05-24 12:56 . 2013-05-24 12:56 281600 ----a-w- c:\windows\system32\dxtrans.dll
2013-05-24 12:56 . 2013-05-24 12:56 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll
2013-05-24 12:56 . 2013-05-24 12:56 216064 ----a-w- c:\windows\system32\msls31.dll
2013-05-24 12:56 . 2013-05-24 12:56 197120 ----a-w- c:\windows\system32\msrating.dll
2013-05-24 12:56 . 2013-05-24 12:56 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-05-24 12:56 . 2013-05-24 12:56 97280 ----a-w- c:\windows\system32\mshtmled.dll
2013-05-24 12:56 . 2013-05-24 12:56 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-05-24 12:56 . 2013-05-24 12:56 81408 ----a-w- c:\windows\system32\icardie.dll
2013-05-24 12:56 . 2013-05-24 12:56 762368 ----a-w- c:\windows\system32\ieapfltr.dll
2013-05-24 12:56 . 2013-05-24 12:56 27648 ----a-w- c:\windows\system32\licmgr10.dll
2013-05-24 12:56 . 2013-05-24 12:56 270848 ----a-w- c:\windows\system32\iedkcs32.dll
2013-05-24 12:56 . 2013-05-24 12:56 247296 ----a-w- c:\windows\system32\webcheck.dll
2013-05-24 12:56 . 2013-05-24 12:56 235008 ----a-w- c:\windows\system32\url.dll
2013-05-24 12:56 . 2013-05-24 12:56 1509376 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-24 12:56 . 2013-05-24 12:56 144896 ----a-w- c:\windows\system32\wextract.exe
2013-05-24 12:56 . 2013-05-24 12:56 1400416 ----a-w- c:\windows\system32\ieapfltr.dat
2013-05-24 12:56 . 2013-05-24 12:56 102912 ----a-w- c:\windows\system32\inseng.dll
2013-05-24 12:56 . 2013-05-24 12:56 62976 ----a-w- c:\windows\system32\pngfilt.dll
2013-05-24 12:56 . 2013-05-24 12:56 599552 ----a-w- c:\windows\system32\vbscript.dll
2013-05-24 12:56 . 2013-05-24 12:56 173568 ----a-w- c:\windows\system32\ieUnatt.exe
2013-05-24 12:56 . 2013-05-24 12:56 167424 ----a-w- c:\windows\system32\iexpress.exe
2013-05-24 12:56 . 2013-05-24 12:56 149504 ----a-w- c:\windows\system32\occache.dll
2013-05-24 12:56 . 2013-05-24 12:56 13824 ----a-w- c:\windows\system32\mshta.exe
2013-05-24 12:56 . 2013-05-24 12:56 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-05-24 12:56 . 2013-05-24 12:56 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2013-05-24 12:56 . 2013-05-24 12:56 51200 ----a-w- c:\windows\system32\imgutil.dll
2013-05-24 12:56 . 2013-05-24 12:56 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-05-24 12:56 . 2013-05-24 12:56 136192 ----a-w- c:\windows\system32\iepeers.dll
2013-05-24 12:56 . 2013-05-24 12:56 135680 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-05-24 12:56 . 2013-05-24 12:56 12800 ----a-w- c:\windows\system32\msfeedssync.exe
2013-05-24 12:56 . 2013-05-24 12:56 77312 ----a-w- c:\windows\system32\tdc.ocx
2013-05-15 19:09 . 2010-06-24 02:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-13 05:51 . 2013-06-12 15:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 05:51 . 2013-06-12 15:37 1464320 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 05:51 . 2013-06-12 15:37 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 05:50 . 2013-06-12 15:37 52224 ----a-w- c:\windows\system32\certenc.dll
2013-05-13 04:45 . 2013-06-12 15:37 1160192 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-05-13 04:45 . 2013-06-12 15:37 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-05-13 04:45 . 2013-06-12 15:37 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-05-13 03:43 . 2013-06-12 15:37 1192448 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-12 15:37 903168 ----a-w- c:\windows\SysWow64\certutil.exe
2013-05-13 03:08 . 2013-06-12 15:37 43008 ----a-w- c:\windows\SysWow64\certenc.dll
2013-05-10 05:49 . 2013-06-12 15:37 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-05-10 03:20 . 2013-06-12 15:37 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2013-05-08 06:39 . 2013-06-12 15:37 1910632 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2013-04-28 4408368]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2011-8-25 1132320]
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2013-7-3 563416]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DelayedDesktopSwitchTimeout"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~1\Agnitum\OUTPOS~1\wl_hook.dll
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys;c:\windows\SYSNATIVE\Drivers\ssadadb.sys [x]
R3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt64.dll;c:\windows\SYSNATIVE\Filt\ASWFilt64.dll [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_amd64.sys;c:\windows\SYSNATIVE\DRIVERS\psi_mf_amd64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys;c:\windows\SYSNATIVE\DRIVERS\ssadserd.sys [x]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
R3 ssudnflt;Remote NDIS Filter Driver;c:\windows\system32\DRIVERS\ssudnflt.sys;c:\windows\SYSNATIVE\DRIVERS\ssudnflt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys;c:\windows\SYSNATIVE\drivers\VBEngNT.sys [x]
R3 VBFilt;VBFilt;c:\windows\system32\Filt\VBFilt64.dll;c:\windows\SYSNATIVE\Filt\VBFilt64.dll [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
R4 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R4 SWUpdateService;SW Update Service;c:\programdata\Samsung\SW Update Service\SWMAgent.exe;c:\programdata\Samsung\SW Update Service\SWMAgent.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S0 excsd;ExpressCache Storage Filter Driver;c:\windows\system32\DRIVERS\excsd.sys;c:\windows\SYSNATIVE\DRIVERS\excsd.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 afw;Agnitum Firewall Driver;c:\windows\system32\DRIVERS\afw.sys;c:\windows\SYSNATIVE\DRIVERS\afw.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys;c:\windows\SYSNATIVE\Drivers\SABI.sys [x]
S1 SandBox;SandBox;c:\windows\system32\drivers\SandBox64.sys;c:\windows\SYSNATIVE\drivers\SandBox64.sys [x]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [x]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [x]
S2 ExpressCache;ExpressCache;c:\program files\Diskeeper Corporation\ExpressCache\ExpressCache.exe;c:\program files\Diskeeper Corporation\ExpressCache\ExpressCache.exe [x]
S2 SamsungDeviceConfigurationWinService;SamsungDeviceConfiguration;c:\program files (x86)\Samsung\Easy Settings\SamsungDeviceConfiguration.exe;c:\program files (x86)\Samsung\Easy Settings\SamsungDeviceConfiguration.exe [x]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe;c:\program files (x86)\Secunia\PSI\PSIA.exe [x]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe;c:\program files (x86)\Secunia\PSI\sua.exe [x]
S2 SGDrv;SGDrv;c:\windows\system32\DRIVERS\SGdrv64.sys;c:\windows\SYSNATIVE\DRIVERS\SGdrv64.sys [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys;c:\windows\SYSNATIVE\DRIVERS\acpials.sys [x]
S3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys;c:\windows\SYSNATIVE\drivers\afwcore.sys [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys;c:\windows\SYSNATIVE\DRIVERS\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys;c:\windows\SYSNATIVE\DRIVERS\igdpmd64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-25 20:34]
.
2013-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4154854846-2536015032-3920982776-1000Core.job
- c:\users\Rochelle\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-25 06:15]
.
2013-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4154854846-2536015032-3920982776-1000UA.job
- c:\users\Rochelle\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-25 06:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Outpost]
@="{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
[HKEY_CLASSES_ROOT\CLSID\{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}]
2011-03-30 18:02 601528 ----a-w- c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-08-01 12661352]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2011-04-04 4510072]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Security Suite Free\feedback.exe" [2011-03-30 808064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~1\Agnitum\OUTPOS~1\wl_hook64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Rochelle\AppData\Roaming\Mozilla\Firefox\Profiles\7kj75i26.default\
FF - prefs.js: browser.search.selectedEngine - Ixquick HTTPS
FF - ExtSQL: 2013-06-14 22:53; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Rochelle\AppData\Roaming\Mozilla\Firefox\Profiles\7kj75i26.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-06-14 22:54; firefox@ghostery.com; c:\users\Rochelle\AppData\Roaming\Mozilla\Firefox\Profiles\7kj75i26.default\extensions\firefox@ghostery.com
FF - ExtSQL: 2013-07-02 14:26; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe
AddRemove-RealPlayer 16.0 - c:\program files (x86)\real\realplayer\Update\r1puninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe
c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2013-07-26  12:00:52 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-26 11:00
.
Pre-Run: 163,264,610,304 bytes free
Post-Run: 163,033,387,008 bytes free
.
- - End Of File - - A2234CE40ECC57CDD318CB62AC774145
D41D8CD98F00B204E9800998ECF8427E
Link to post
Share on other sites

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Outpost or AVG.

Link to post
Share on other sites

Full System Scan with Malwarebytes Antimalware


  • If not existing, please download
Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.



If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 

 

 

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology

[*]Click Scan[*]Wait for the scan to finish[*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.

Link to post
Share on other sites

Thank you again. Here are the logs:

 

Malwarebytes
 
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.07.28.02
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Rochelle :: SAMMY [administrator]
 
28/07/2013 09:34:30
mbam-log-2013-07-28 (09-34-30).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 442063
Time elapsed: 56 minute(s), 32 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
 
ESET log
 
C:\Users\Rochelle\AppData\Local\Babylon\Setup\BExternal.dll a variant of Win32/Toolbar.Babylon.C application
C:\Users\Rochelle\AppData\Local\Babylon\Setup\IECookieLow.dll a variant of Win32/Toolbar.Babylon.E application
C:\Users\Rochelle\AppData\Local\Babylon\Setup\Setup.exe a variant of Win32/Toolbar.Babylon.E application
C:\Users\Rochelle\Downloads\cbsidlm-tr1_10a-Free_FLAC_to_MP3_Converter-ORG-75206134.exe Win32/DownloadAdmin.G application
 
Link to post
Share on other sites

C:\Users\Rochelle\AppData\Local\Babylon\Setup\BExternal.dll a variant of Win32/Toolbar.Babylon.C applicationC:\Users\Rochelle\AppData\Local\Babylon\Setup\IECookieLow.dll a variant of Win32/Toolbar.Babylon.E applicationC:\Users\Rochelle\AppData\Local\Babylon\Setup\Setup.exe a variant of Win32/Toolbar.Babylon.E applicationC:\Users\Rochelle\Downloads\cbsidlm-tr1_10a-Free_FLAC_to_MP3_Converter-ORG-75206134.exe Win32/DownloadAdmin.G application

These files aren´t malware but contain security risks. I would delete them immediately - your choice.

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner

Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You´ll find the log file at C:\AdwCleaner[s1].txt also.

SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.

Link to post
Share on other sites

I deleted those files. The computer is running well, but every time it restarts the firewall is disconnected and I have to reset it. I am using Windows firewall at the moment. 

 

Here are the logs for AdwCleaner and SecurityCheck:

 

AdwCleaner

 

# AdwCleaner v2.306 - Logfile created 07/28/2013 at 16:40:16
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Rochelle - SAMMY
# Boot Mode : Normal
# Running from : C:\Users\Rochelle\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\user.js
File Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAS\Additional Languages\SAS 9.3 (English with DBCS).lnk
File Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAS\Additional Languages\SAS 9.3 (English).lnk
File Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAS\Additional Languages\SAS 9.3 (Unicode Support).lnk
File Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAS\SAS 9.3 (English).lnk
File Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAS\Utilities\SAS 9.3 (Unicode Server).lnk
Folder Deleted : C:\Program Files (x86)\OApps
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\Rochelle\AppData\Local\Babylon
Folder Deleted : C:\Users\Rochelle\AppData\Roaming\Babylon
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\AppDataLow\Software\I Want This
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\I Want This_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\I Want This_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]
 
***** [internet Browsers] *****
 
-\\ Internet Explorer v10.0.9200.16635
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v22.0 (en-US)
 
File : C:\Users\Rochelle\AppData\Roaming\Mozilla\Firefox\Profiles\7kj75i26.default\prefs.js
 
[OK] File is clean.
 
-\\ Google Chrome v28.0.1500.72
 
File : C:\Users\Rochelle\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[s1].txt - [321 octets] - [28/07/2013 16:39:45]
AdwCleaner[s2].txt - [5850 octets] - [28/07/2013 16:40:16]
 
########## EOF - C:\AdwCleaner[s2].txt - [5910 octets] ##########

 

 
 
 
SecurityCheck
 
 Results of screen317's Security Check version 0.99.71  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
AVG AntiVirus Free Edition 2013   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 SpywareBlaster 5.0    
 Secunia PSI (3.0.0.7011)   
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 25  
 Adobe Flash Player 11.8.800.94  
 Adobe Reader XI  
 Mozilla Firefox (22.0) 
 Google Chrome 28.0.1500.71  
 Google Chrome 28.0.1500.72  
````````Process Check: objlist.exe by Laurent````````  
 AVG avgwdsvc.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 
 
 
 
Link to post
Share on other sites

Scan with Farbar´s Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender



    [*]Press "Scan". [*]It will create a log (FSS.txt) in the same directory the tool is run. [*]Please copy and paste the log to your reply.

Link to post
Share on other sites

Thank you for your help, sorry for the delay. I have limited internet access at the moment.

Farbar Service Scanner Version: 26-07-2013

Ran by Rochelle (administrator) on 29-07-2013 at 11:30:05

Running from "C:\Users\Rochelle\Desktop"

Microsoft Windows 7 Home Premium Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Attempt to access Google IP returned error. Google IP is offline

Attempt to access Google.com returned error: Other errors

Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:

=============

mpsdrv Service is not running. Checking service configuration:

The start type of mpsdrv service is OK.

The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:

The start type of MpsSvc service is set to Demand. The default start type is Auto.

The ImagePath of MpsSvc service is OK.

The ServiceDll of MpsSvc service is OK.

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys => MD5 is legit

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll => MD5 is legit

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\wscsvc.dll => MD5 is legit

C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\System32\wuaueng.dll => MD5 is legit

C:\Windows\System32\qmgr.dll => MD5 is legit

C:\Windows\System32\es.dll => MD5 is legit

C:\Windows\System32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\System32\ipnathlp.dll => MD5 is legit

C:\Windows\System32\iphlpsvc.dll => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

Link to post
Share on other sites

Windows Repair (all-in-one)

Please download Windows Repair (all in one) from here.

Install the program then run it.

Go to step 2 and allow it to run Disk check.

Capture3.gif

Once that is done then go to step 3 and allow it to run SFC by clicking Do it

Capture.gif


On the Start Repairs tab, click Start.
Within the opening window, hit unselect all.
Check only the following:



  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair Windows Firewall
  • Repair Windows Updates



then click on Start

DON'T use the computer while each scan is in progress.

Restart may be needed to finish the repair procedure.

Let me know how that worked out for you.

Link to post
Share on other sites

All above has been completed. I noticed many files said "failed" when running. Is there a log that I can look at?

Computer restarted no problem. I checked the firewall, to ensure it was on and the firewall program has stalled after clicking "Turn Windows Firewall on or off"

Link to post
Share on other sites

Then your system is clean! :)

 

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  1. In the case we used Defogger to turn off your CD emulation software. You can start it again and use the Enable button.
  2. In the case we used Combofix. Deactivate your antivirus software once more, then rename the combofix.exe to uninstall.exe and run it one last time. You shall be noted that Combofix has been removed.
  3. In any case please download delfix to your desktop.
    • Close all other programms and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process

[*] If there is still something left please delete it manualy.

 

 

 

How to protect yourself

  • System Updates
    Beeing up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | windows 8
  • Protection
    What you need is one (not more) good virus scanner with backgroud protection. Additionally I recommend a special malwarescanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: You get only the full protection if you use the payed versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those really have to have an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every software you use often. These link may help you to check:

    [*] Backups
    There are chances for an emergency every day. So be prepared. Back up your data on a regular basis. If you burn it to DVDs from time to time, use a cloud-drive or a professional network backup system is your choice. [*] Brains
    It's no joke! You really need one of those things. :) It is very important not just to click anywhere it is colored or flashing while you surfing on the web. Do not click an OK button on any popping window without reading what it says. While installing software always choose the custom mode, read what those windows says and uncheck adware that will be installed along the software you want.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.