acetrout Posted August 3, 2013 ID:710439 Share Posted August 3, 2013 Hi Gang, Acetrout here. Have an Acer Aspire notebook running Win 7 64 bit and can't boot to safe mode or normal.Getting the Moneypak randsom screen. Ran the Frst64.exe and here are the logs. Also I ran Rogue Killer without deleting anything just to get the report and that's included too. Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-08-2013Ran by SYSTEM on 02-08-2013 20:35:08Running from H:\Windows 7 Home Premium (X64) OS Language: English(US)Internet Explorer Version 10Boot Mode: Recovery The current controlset is ControlSet001ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log. ==================== Registry (Whitelisted) ================== HKLM\...\Run: [AmIcoSinglun64] - C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [323584 2009-09-22] (Alcor Micro Corp.)HKLM\...\Run: [mwlDaemon] - C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-02-01] (Egis Technology Inc.)HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9643552 2009-12-10] (Realtek Semiconductor)HKLM\...\Run: [PLFSetI] - C:\Windows\PLFSetI.exe [206208 2010-05-07] ()HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1842472 2009-09-17] (Synaptics Incorporated)HKLM\...\Run: [Acer ePower Management] - C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [860192 2010-02-05] (Acer Incorporated)HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-10-03] (Adobe Systems Incorporated)HKLM-x32\...\Run: [iAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-12-23] (Intel Corporation)HKLM-x32\...\Run: [backupManagerTray] - C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [260608 2010-03-08] (NewTech Infosystems, Inc.)HKLM-x32\...\Run: [suiteTray] - C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [337264 2010-02-01] (Egis Technology Inc.)HKLM-x32\...\Run: [EgisUpdate] - C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201512 2009-12-24] (Egis Technology Inc.)HKLM-x32\...\Run: [EgisTecPMMUpdate] - C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [401192 2009-12-24] (Egis Technology Inc.)HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [1289296 2010-02-25] (Dritek System Inc.)HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)HKLM-x32\...\Run: [avast!] - C:\Program Files\Alwil Software\Avast4\ashDisp.exe [81000 2009-11-24] (ALWIL Software)HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)HKLM-x32\...\Run: [] - [x]HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1721480 2013-04-30] (Ask)HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-01-28] (Apple Inc.)HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-02-20] (Apple Inc.)HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [935288 2009-09-04] (Adobe Systems Incorporated)HKU\chia\...\Run: [msnmsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4280184 2012-03-08] (Microsoft Corporation)HKU\chia\...\Run: [Google Update] - C:\Users\chia\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2010-10-13] (Google Inc.)HKU\chia\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\oovoo.exe [27112568 2012-10-04] (ooVoo LLC)HKU\chia\...\Run: [GameXN GO] - "C:\ProgramData\GameXN\GameXNGO.exe" /startup [x]HKU\chia\...\Run: [skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [17878704 2012-11-09] (Skype Technologies S.A.)HKU\chia\...\Run: [Facebook Update] - C:\Users\chia\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2013-01-21] (Facebook Inc.)HKU\chia\...\Run: [{EFB72BFC-5C0C-466D-B85F-E767CADBDF54}] - rundll32 "C:\Users\chia\AppData\Local\{53AD4FD5-DAAD-4B9A-8E6D-7710949DBA56}\{EFB72BFC-5C0C-466D-B85F-E767CADBDF54}\gkfk.dll",DllRegisterServer [x] <===== ATTENTIONHKU\chia\...\Run: [Novatel Wireless] - RUNDLL32.EXE "C:\Users\chia\AppData\Local\Novatel Wireless\yowuxsax.dll",kcplebxlpiqldhijkc [x] <===== ATTENTIONHKU\chia\...\Run: [PCShowServer] - C:\Users\chia\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe [525240 2012-10-15] (NDS Technologies)HKU\chia\...\Run: [Facebook] - rundll32 "C:\Users\chia\AppData\Local\{F3ADB8EF-F34D-4012-AEE6-7D6FCD2F4634}\Facebook\mpngbgjj.dll",DllRegisterServer [x] <===== ATTENTIONHKU\chia\...\Run: [Novatel Wireless Auto] - C:\Users\chia\AppData\Local\Novatel Wireless\npvdumqzbomvjp.dll [925184 2013-08-01] (Hewlett-Packard Corporation)HKU\chia\...\Run: [internet Security] - C:\Users\chia\AppData\Roaming\wmdefender.exe [840192 2013-08-02] (TorchSoft)HKU\chia\...\Winlogon: [shell] explorer.exe,C:\Users\chia\AppData\Roaming\skype.dat [113152 2011-11-16] (IntroDev Software LLC.) <==== ATTENTION HKU\Default\...\RunOnce: [scrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()HKU\Default User\...\RunOnce: [scrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] () ==================== Services (Whitelisted) ================= S2 aswUpdSv; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [18752 2009-11-24] (ALWIL Software)S2 avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [138680 2009-11-24] (ALWIL Software)S3 avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [254040 2009-11-24] (ALWIL Software)S3 avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [352920 2009-11-24] (ALWIL Software)S3 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-02-01] (Egis Technology Inc.) ==================== Drivers (Whitelisted) ==================== S2 aswFsBlk; C:\Windows\System32\DRIVERS\aswFsBlk.sys [22096 2009-11-24] (ALWIL Software)S2 aswMonFlt; C:\Windows\System32\DRIVERS\aswMonFlt.sys [65616 2009-11-24] (ALWIL Software)S1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [27216 2009-11-24] (ALWIL Software)S1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [89680 2009-11-24] (ALWIL Software)S1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [53840 2009-11-24] (ALWIL Software)S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [30336 2007-01-18] (Research in Motion Ltd)S3 swmsflt; C:\Windows\System32\DRIVERS\swmsflt.sys [28808 2008-10-15] ()S3 SWNC5E00; C:\Windows\System32\DRIVERS\SWNC5E00.sys [285696 2010-06-08] (Sierra Wireless Inc.)S3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [42184 2013-01-10] (Anchorfree Inc.)S1 invbqtkr; \??\C:\Windows\system32\drivers\invbqtkr.sys [x]S3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [x] ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-08-02 20:29 - 2013-08-02 20:29 - 00000000 ____D C:\FRST2013-08-02 14:37 - 2013-08-02 14:37 - 00000000 ____D C:\Users\chia\AppData\Local\{DC3397E2-50CB-4B7C-92EA-9682D5BB9F67}2013-08-02 06:55 - 2013-08-02 16:17 - 00000004 _____ C:\Users\chia\AppData\Roaming\skype.ini2013-08-02 06:51 - 2013-08-02 06:51 - 00840192 _____ (TorchSoft) C:\Users\chia\AppData\Roaming\wmdefender.exe2013-08-02 06:51 - 2013-08-02 06:51 - 00135168 _____ C:\Users\chia\flashplayer.exe2013-08-02 06:51 - 2013-08-02 06:51 - 00113152 _____ (IntroDev Software LLC.) C:\Users\chia\conhost.exe2013-08-02 06:51 - 2013-08-02 06:51 - 00000789 _____ C:\Users\chia\Desktop\Internet Security Pro.lnk2013-08-02 06:51 - 2013-08-02 06:51 - 00000000 _____ C:\Users\chia\teamviewer.exe2013-08-02 06:51 - 2013-08-02 06:51 - 00000000 _____ C:\Users\chia\jucheck.exe2013-07-28 06:34 - 2013-07-28 06:34 - 00001579 _____ C:\Users\chia\Downloads\Southwest and Southeast CAW.ics2013-07-22 08:37 - 2013-07-22 08:37 - 00000000 ____D C:\Users\chia\AppData\Local\DIRECTV Player2013-07-22 08:35 - 2013-07-22 08:35 - 13024568 _____ (DIRECTV) C:\Users\chia\Downloads\DIRECTV_Player_8.0 (1).exe2013-07-22 08:34 - 2013-08-02 16:16 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job2013-07-22 08:34 - 2013-07-22 08:36 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater2013-07-22 08:34 - 2013-07-22 08:35 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe2013-07-22 08:34 - 2013-07-22 08:35 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl2013-07-22 08:34 - 2013-07-22 08:34 - 00000000 ____D C:\Windows\System32\Macromed2013-07-22 08:33 - 2013-07-22 08:33 - 13024568 _____ (DIRECTV) C:\Users\chia\Downloads\DIRECTV_Player_8.0.exe2013-07-22 08:17 - 2013-07-30 15:02 - 00000000 ____D C:\Users\chia\AppData\Local\{E0657523-A660-47C0-8D6C-9BCCB9006DFF}2013-07-18 07:20 - 2013-07-18 07:27 - 00000000 ____D C:\Windows\System32\MRT2013-07-11 07:43 - 2013-08-02 07:23 - 00000000 ____D C:\Users\chia\AppData\Local\Novatel Wireless2013-07-11 06:08 - 2013-07-17 05:45 - 00000000 ____D C:\Users\chia\AppData\Local\{BA2531D7-52CA-4B00-91F0-AD9323A09DB9}2013-07-11 05:13 - 2013-06-11 15:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll2013-07-11 05:13 - 2013-06-11 15:43 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll2013-07-11 05:13 - 2013-06-11 15:43 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll2013-07-11 05:13 - 2013-06-11 15:43 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll2013-07-11 05:13 - 2013-06-11 15:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll2013-07-11 05:13 - 2013-06-11 15:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll2013-07-11 05:13 - 2013-06-11 15:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll2013-07-11 05:13 - 2013-06-11 15:42 - 13760512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll2013-07-11 05:13 - 2013-06-11 15:42 - 02046976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll2013-07-11 05:13 - 2013-06-11 15:42 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll2013-07-11 05:13 - 2013-06-11 15:42 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll2013-07-11 05:13 - 2013-06-11 15:42 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll2013-07-11 05:13 - 2013-06-11 15:42 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll2013-07-11 05:13 - 2013-06-11 15:26 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll2013-07-11 05:13 - 2013-06-11 15:26 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll2013-07-11 05:13 - 2013-06-11 15:26 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe2013-07-11 05:13 - 2013-06-11 15:25 - 19238912 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll2013-07-11 05:13 - 2013-06-11 15:25 - 15404032 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll2013-07-11 05:13 - 2013-06-11 15:25 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll2013-07-11 05:13 - 2013-06-11 15:25 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll2013-07-11 05:13 - 2013-06-11 15:25 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll2013-07-11 05:13 - 2013-06-11 15:25 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll2013-07-11 05:13 - 2013-06-11 15:25 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll2013-07-11 05:13 - 2013-06-11 15:25 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll2013-07-11 05:13 - 2013-06-11 15:25 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll2013-07-11 05:13 - 2013-06-11 15:25 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll2013-07-11 05:13 - 2013-06-11 15:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll2013-07-11 05:13 - 2013-06-11 14:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe2013-07-11 05:13 - 2013-06-11 14:50 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe2013-07-11 05:13 - 2013-06-06 19:22 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb2013-07-11 05:13 - 2013-06-06 18:37 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb2013-07-10 06:21 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys2013-07-10 06:21 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll2013-07-10 06:21 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll2013-07-10 06:21 - 2013-05-05 22:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL2013-07-10 06:21 - 2013-05-05 20:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL2013-07-10 06:21 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll2013-07-10 06:21 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll2013-07-09 08:11 - 2013-07-09 08:11 - 00263237 _____ C:\Users\chia\Desktop\photo (1).htm2013-07-09 08:10 - 2013-07-09 08:11 - 00263324 _____ C:\Users\chia\Desktop\photo.htm2013-07-07 08:53 - 2013-07-07 08:53 - 00079388 _____ C:\Users\chia\Downloads\JULY ASSORTMENT ENH SELL SHEET FINAL 6 25 13.xlsx2013-07-04 12:09 - 2013-07-04 12:09 - 00014014 _____ C:\Users\chia\Desktop\hs_err_pid6404.log2013-07-04 12:01 - 2013-07-04 12:01 - 00003112 _____ C:\Windows\System32\Tasks\{DB2A4DB4-121D-4E39-A18E-0E106BB5B0FF}2013-07-04 12:01 - 2013-07-04 12:01 - 00002018 _____ C:\Users\Public\Desktop\Adobe Reader 9.lnk ==================== One Month Modified Files and Folders ======= 2013-08-02 20:29 - 2013-08-02 20:29 - 00000000 ____D C:\FRST2013-08-02 16:18 - 2010-10-26 13:43 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1683424006-4254386584-569884972-1001UA.job2013-08-02 16:18 - 2009-07-13 20:45 - 00017600 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A02013-08-02 16:18 - 2009-07-13 20:45 - 00017600 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A02013-08-02 16:17 - 2013-08-02 06:55 - 00000004 _____ C:\Users\chia\AppData\Roaming\skype.ini2013-08-02 16:16 - 2013-07-22 08:34 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job2013-08-02 16:16 - 2013-01-21 08:04 - 00000924 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1683424006-4254386584-569884972-1001UA.job2013-08-02 16:16 - 2010-08-14 06:59 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job2013-08-02 14:55 - 2010-08-21 07:08 - 00000000 ____D C:\Users\chia\Tracing2013-08-02 14:54 - 2010-08-14 06:59 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job2013-08-02 14:53 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT2013-08-02 14:53 - 2009-07-13 20:51 - 00129063 _____ C:\Windows\setupact.log2013-08-02 14:51 - 2010-05-07 05:58 - 01357405 _____ C:\Windows\WindowsUpdate.log2013-08-02 14:46 - 2010-08-14 06:47 - 00000000 ____D C:\Users\chia\AppData\Roaming\Skype2013-08-02 14:37 - 2013-08-02 14:37 - 00000000 ____D C:\Users\chia\AppData\Local\{DC3397E2-50CB-4B7C-92EA-9682D5BB9F67}2013-08-02 07:23 - 2013-07-11 07:43 - 00000000 ____D C:\Users\chia\AppData\Local\Novatel Wireless2013-08-02 06:51 - 2013-08-02 06:51 - 00840192 _____ (TorchSoft) C:\Users\chia\AppData\Roaming\wmdefender.exe2013-08-02 06:51 - 2013-08-02 06:51 - 00135168 _____ C:\Users\chia\flashplayer.exe2013-08-02 06:51 - 2013-08-02 06:51 - 00113152 _____ (IntroDev Software LLC.) C:\Users\chia\conhost.exe2013-08-02 06:51 - 2013-08-02 06:51 - 00000789 _____ C:\Users\chia\Desktop\Internet Security Pro.lnk2013-08-02 06:51 - 2013-08-02 06:51 - 00000000 _____ C:\Users\chia\teamviewer.exe2013-08-02 06:51 - 2013-08-02 06:51 - 00000000 _____ C:\Users\chia\jucheck.exe2013-08-02 06:51 - 2010-08-14 06:35 - 00000000 ____D C:\users\chia2013-08-02 05:26 - 2010-10-26 13:43 - 00000852 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1683424006-4254386584-569884972-1001Core.job2013-08-02 05:20 - 2010-10-26 06:41 - 00000000 ____D C:\Users\chia\AppData\Roaming\Mozilla2013-08-01 07:09 - 2013-01-21 08:04 - 00000902 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1683424006-4254386584-569884972-1001Core.job2013-08-01 06:27 - 2011-09-22 04:16 - 00000000 ____D C:\Users\chia\AppData\Local\{F3ADB8EF-F34D-4012-AEE6-7D6FCD2F4634}2013-07-30 15:02 - 2013-07-22 08:17 - 00000000 ____D C:\Users\chia\AppData\Local\{E0657523-A660-47C0-8D6C-9BCCB9006DFF}2013-07-28 06:34 - 2013-07-28 06:34 - 00001579 _____ C:\Users\chia\Downloads\Southwest and Southeast CAW.ics2013-07-22 08:37 - 2013-07-22 08:37 - 00000000 ____D C:\Users\chia\AppData\Local\DIRECTV Player2013-07-22 08:36 - 2013-07-22 08:34 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater2013-07-22 08:35 - 2013-07-22 08:35 - 13024568 _____ (DIRECTV) C:\Users\chia\Downloads\DIRECTV_Player_8.0 (1).exe2013-07-22 08:35 - 2013-07-22 08:34 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe2013-07-22 08:35 - 2013-07-22 08:34 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl2013-07-22 08:34 - 2013-07-22 08:34 - 00000000 ____D C:\Windows\System32\Macromed2013-07-22 08:33 - 2013-07-22 08:33 - 13024568 _____ (DIRECTV) C:\Users\chia\Downloads\DIRECTV_Player_8.0.exe2013-07-18 14:02 - 2012-10-26 08:43 - 00000000 ___RD C:\Program Files (x86)\Skype2013-07-18 14:02 - 2010-08-14 06:46 - 00000000 ____D C:\ProgramData\Skype2013-07-18 07:27 - 2013-07-18 07:20 - 00000000 ____D C:\Windows\System32\MRT2013-07-17 10:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF2013-07-17 05:45 - 2013-07-11 06:08 - 00000000 ____D C:\Users\chia\AppData\Local\{BA2531D7-52CA-4B00-91F0-AD9323A09DB9}2013-07-13 05:43 - 2010-08-14 06:59 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA2013-07-13 05:43 - 2010-08-14 06:59 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore2013-07-12 14:13 - 2010-10-26 13:43 - 00003872 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1683424006-4254386584-569884972-1001UA2013-07-12 14:13 - 2010-10-26 13:43 - 00003476 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1683424006-4254386584-569884972-1001Core2013-07-11 07:43 - 2011-08-02 03:26 - 00000000 ____D C:\Users\chia\AppData\Local\{53AD4FD5-DAAD-4B9A-8E6D-7710949DBA56}2013-07-11 06:07 - 2010-03-27 03:21 - 00000000 ____D C:\ProgramData\Adobe2013-07-11 05:46 - 2011-01-29 12:06 - 00000258 __RSH C:\ProgramData\ntuser.pol2013-07-11 05:45 - 2009-07-13 20:45 - 00385080 _____ C:\Windows\System32\FNTCACHE.DAT2013-07-11 05:43 - 2013-03-14 12:10 - 00000000 ____D C:\Program Files\Microsoft Silverlight2013-07-11 05:43 - 2013-03-14 12:10 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight2013-07-11 05:42 - 2010-03-27 04:08 - 00000000 ____D C:\Program Files\Windows Journal2013-07-11 05:42 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender2013-07-11 05:42 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender2013-07-11 05:22 - 2009-07-13 21:13 - 00747008 _____ C:\Windows\System32\PerfStringBackup.INI2013-07-11 05:20 - 2009-07-13 18:34 - 00000534 _____ C:\Windows\win.ini2013-07-10 06:01 - 2013-06-16 23:56 - 00000000 ____D C:\Users\chia\AppData\Local\{EDBF3D94-75CF-4AFA-AC4F-79C4C1F60736}2013-07-09 08:11 - 2013-07-09 08:11 - 00263237 _____ C:\Users\chia\Desktop\photo (1).htm2013-07-09 08:11 - 2013-07-09 08:10 - 00263324 _____ C:\Users\chia\Desktop\photo.htm2013-07-07 08:53 - 2013-07-07 08:53 - 00079388 _____ C:\Users\chia\Downloads\JULY ASSORTMENT ENH SELL SHEET FINAL 6 25 13.xlsx2013-07-04 12:09 - 2013-07-04 12:09 - 00014014 _____ C:\Users\chia\Desktop\hs_err_pid6404.log2013-07-04 12:01 - 2013-07-04 12:01 - 00003112 _____ C:\Windows\System32\Tasks\{DB2A4DB4-121D-4E39-A18E-0E106BB5B0FF}2013-07-04 12:01 - 2013-07-04 12:01 - 00002018 _____ C:\Users\Public\Desktop\Adobe Reader 9.lnk Files to move or delete:====================C:\Users\chia\conhost.exeC:\Users\chia\flashplayer.exeC:\Users\chia\jucheck.exeC:\Users\chia\teamviewer.exeC:\Users\chia\AppData\Roaming\skype.datC:\Users\chia\AppData\Roaming\skype.ini ==================== Known DLLs (Whitelisted) ================ ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legitC:\Windows\System32\wininit.exe => MD5 is legitC:\Windows\SysWOW64\wininit.exe => MD5 is legitC:\Windows\explorer.exe => MD5 is legitC:\Windows\SysWOW64\explorer.exe => MD5 is legitC:\Windows\System32\svchost.exe => MD5 is legitC:\Windows\SysWOW64\svchost.exe => MD5 is legitC:\Windows\System32\services.exe => MD5 is legitC:\Windows\System32\User32.dll => MD5 is legitC:\Windows\SysWOW64\User32.dll => MD5 is legitC:\Windows\System32\userinit.exe => MD5 is legitC:\Windows\SysWOW64\userinit.exe => MD5 is legitC:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OKHKLM\...\exefile\DefaultIcon: %1 => OKHKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points ========================= Restore point made on: 2013-07-09 06:43:41Restore point made on: 2013-07-11 04:53:50Restore point made on: 2013-07-16 06:24:04Restore point made on: 2013-07-18 07:19:09Restore point made on: 2013-07-23 06:06:45Restore point made on: 2013-07-30 06:46:07Restore point made on: 2013-07-30 06:47:06 ==================== Memory info =========================== Percentage of memory in use: 23%Total physical RAM: 2804.51 MBAvailable physical RAM: 2136 MBTotal Pagefile: 2802.66 MBAvailable Pagefile: 2145.58 MBTotal Virtual: 8192 MBAvailable Virtual: 8191.87 MB ==================== Drives ================================ Drive c: (ACER) (Fixed) (Total:220.09 GB) (Free:148.51 GB) NTFS (Disk=0 Partition=3)Drive e: (PQSERVICE) (Fixed) (Total:12.7 GB) (Free:0.59 GB) NTFS (Disk=0 Partition=1)Drive f: (SATURDAY_NIGHT_FEVER) (CDROM) (Total:7.64 GB) (Free:0 GB) UDFDrive h: () (Removable) (Total:1.9 GB) (Free:1.88 GB) FAT32 (Disk=1 Partition=1)Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFSDrive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)] ==================== MBR & Partition Table ================== ========================================================Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: 53BF53BF)Partition 1: (Not Active) - (Size=13 GB) - (Type=27)Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)Partition 3: (Not Active) - (Size=220 GB) - (Type=07 NTFS) ========================================================Disk: 1 (Size: 2 GB) (Disk ID: 73696D20)No partition Table on disk 1. LastRegBack: 2013-08-02 05:22 ==================== End Of Log ============================ RogueKiller V8.6.4 _x64_ [Jul 29 2013] by Tigzymail : tigzyRK<at>gmail<dot>comFeedback : http://www.adlice.com/forum/Website : http://www.adlice.com/softwares/roguekiller/Blog : http://tigzyrk.blogspot.com/ Operating System : Windows 7 (6.1.7600 ) 64 bits versionStarted in : Normal modeUser : SYSTEM [Admin rights]Mode : Scan -- Date : 08/02/2013 21:18:54| ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 9 ¤¤¤[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND[EXT RUN][sUSP PATH] HKCU\chia_ON_D:\[...]\Run : {EFB72BFC-5C0C-466D-B85F-E767CADBDF54} (rundll32 "C:\Users\chia\AppData\Local\{53AD4FD5-DAAD-4B9A-8E6D-7710949DBA56}\{EFB72BFC-5C0C-466D-B85F-E767CADBDF54}\gkfk.dll",DllRegisterServer [x][x][x]) -> FOUND[EXT RUN][sUSP PATH] HKCU\chia_ON_D:\[...]\Run : Novatel Wireless (RUNDLL32.EXE "C:\Users\chia\AppData\Local\Novatel Wireless\yowuxsax.dll",kcplebxlpiqldhijkc [x][x][x]) -> FOUND[EXT RUN][sUSP PATH] HKCU\chia_ON_D:\[...]\Run : PCShowServer ("C:\Users\chia\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe" [x]) -> FOUND[EXT RUN][sUSP PATH] HKCU\chia_ON_D:\[...]\Run : Facebook (rundll32 "C:\Users\chia\AppData\Local\{F3ADB8EF-F34D-4012-AEE6-7D6FCD2F4634}\Facebook\mpngbgjj.dll",DllRegisterServer [x][x][x]) -> FOUND[EXT RUN][sUSP PATH] HKCU\chia_ON_D:\[...]\Run : Novatel Wireless Auto (regsvr32.exe "C:\Users\chia\AppData\Local\Novatel Wireless\npvdumqzbomvjp.dll" [x][x]) -> FOUND[EXT RUN][sUSP PATH] HKCU\chia_ON_D:\[...]\Run : Internet Security (C:\Users\chia\AppData\Roaming\wmdefender.exe [x]) -> FOUND[EXT SHELL][Rans.Gendarm] HKCU\chia_ON_D:\[...]\Winlogon : shell (explorer.exe,C:\Users\chia\AppData\Roaming\skype.dat [x][x]) -> FOUND ¤¤¤ Scheduled tasks : 0 ¤¤¤ ¤¤¤ Startup Entries : 0 ¤¤¤ ¤¤¤ Web browsers : 0 ¤¤¤ ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤ ¤¤¤ External Hives: ¤¤¤-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> D:\Users\AppData\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]-> D:\Users\chia\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]-> D:\Users\Public\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND] ¤¤¤ Infection : Rans.Gendarm ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤--> ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: +++++--- User ---[MBR] 487cb5b539040997cf0c5f99adf5e1c7[bSP] 13d76bf99898f7cec3aa379c48f6545a : Windows Vista MBR CodePartition table:0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13000 Mo1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 26626048 | Size: 100 Mo2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 26830848 | Size: 225373 MoUser = LL1 ... OK!User = LL2 ... OK! +++++ PhysicalDrive1: +++++--- User ---[MBR] 7cc45e22d53b8680fe8446f1177df838[bSP] a112efd0750b06367cd4f146c2b33058 : MBR Code unknownPartition table:0 - [XXXXXX] OS/2 (0x0a) [VISIBLE] Offset (sectors): 1919230059 | Size: 2092621 Mo1 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 544829025 | Size: 266028 Mo2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 2885681152 | Size: 25 MoUser = LL1 ... OK!Error reading LL2 MBR! Finished : << RKreport[0]_S_08022013_211854.txt >>RKreport[0]_S_08022013_211729.txt Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted August 3, 2013 ID:710440 Share Posted August 3, 2013 Looking at it now. -dfb Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted August 3, 2013 ID:710441 Share Posted August 3, 2013 Okay this should get you going. Please do the following:Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.Right-click in the open notepad and select Paste).Save it on the flashdrive as fixlist.txtHKU\chia\...\Run: [{EFB72BFC-5C0C-466D-B85F-E767CADBDF54}] - rundll32 "C:\Users\chia\AppData\Local\{53AD4FD5-DAAD-4B9A-8E6D-7710949DBA56}\{EFB72BFC-5C0C-466D-B85F-E767CADBDF54}\gkfk.dll",DllRegisterServer [x] <===== ATTENTIONHKU\chia\...\Run: [Novatel Wireless] - RUNDLL32.EXE "C:\Users\chia\AppData\Local\Novatel Wireless\yowuxsax.dll",kcplebxlpiqldhijkc [x] <===== ATTENTIONHKU\chia\...\Run: [Facebook] - rundll32 "C:\Users\chia\AppData\Local\{F3ADB8EF-F34D-4012-AEE6-7D6FCD2F4634}\Facebook\mpngbgjj.dll",DllRegisterServer [x] <===== ATTENTIONHKU\chia\...\Run: [Novatel Wireless Auto] - C:\Users\chia\AppData\Local\Novatel Wireless\npvdumqzbomvjp.dll [925184 2013-08-01] (Hewlett-Packard Corporation)HKU\chia\...\Winlogon: [shell] explorer.exe,C:\Users\chia\AppData\Roaming\skype.dat [113152 2011-11-16] (IntroDev Software LLC.) <==== ATTENTIONS1 invbqtkr; \??\C:\Windows\system32\drivers\invbqtkr.sys [x]C:\Users\chia\conhost.exeC:\Users\chia\flashplayer.exeC:\Users\chia\jucheck.exeC:\Users\chia\teamviewer.exeC:\Users\chia\AppData\Roaming\skype.datC:\Users\chia\AppData\Roaming\skype.iniNOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemNow please enter System Recovery Options.Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply.After that- are you able to boot into normal mode? Let me know when you can as we have more malware to remove.-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Note:Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly" -------> Your topic will be closed if you haven't replied within 3 days! <--------(If I don't respond within 24 hours, please send me a PM)-DFB Link to post Share on other sites More sharing options...
acetrout Posted August 3, 2013 Author ID:710447 Share Posted August 3, 2013 OKDFB, here's the fixlog Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-08-2013Ran by SYSTEM at 2013-08-02 22:36:23 Run:1Running from H:\Boot Mode: Recovery============================================== HKU\chia\Software\Microsoft\Windows\CurrentVersion\Run\\{EFB72BFC-5C0C-466D-B85F-E767CADBDF54} => Value deleted successfully.HKU\chia\Software\Microsoft\Windows\CurrentVersion\Run\\Novatel Wireless => Value deleted successfully.HKU\chia\Software\Microsoft\Windows\CurrentVersion\Run\\Facebook => Value deleted successfully.HKU\chia\Software\Microsoft\Windows\CurrentVersion\Run\\Novatel Wireless Auto => Value deleted successfully.HKU\chia\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.invbqtkr => Service deleted successfully.C:\Users\chia\conhost.exe => Moved successfully.C:\Users\chia\flashplayer.exe => Moved successfully.C:\Users\chia\jucheck.exe => Moved successfully.C:\Users\chia\teamviewer.exe => Moved successfully.C:\Users\chia\AppData\Roaming\skype.dat => Moved successfully.C:\Users\chia\AppData\Roaming\skype.ini => Moved successfully. ==== End of Fixlog ==== And yes, we got a good boot in normal mode......but......now we have what looks like some bogus Internet Security Tool telling me we have some serious threats found. I was able to pause the scan and that's where we're at. Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted August 3, 2013 ID:710448 Share Posted August 3, 2013 Glad to hear you can boot. Let's start getting rid of the rest of it:----------Step 1----------------Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!Double-click on TDSSKiller.exe to run the tool for known TDSS variants.Vista/Windows 7 users right-click and select Run As Administrator.If TDSSKiller does not run, try renaming it.To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.Click the Start Scan button.Do not use the computer during the scanIf the scan completes with nothing found, click Close to exit.If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).Copy and paste the contents of that file in your next reply.----------Step 2----------------Please download Malwarebytes Anti-Rootkit from HEREUnzip the contents to a folder in a convenient location.Open the folder where the contents were unzipped and run mbar.exeFollow the instructions in the wizard to update and allow the program to scan your computer for threats.Click on the Cleanup button to remove any threats and reboot if prompted to do so.Wait while the system shuts down and the cleanup process is performed.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt----------Step 3----------------Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:http://www.bleepingc...to-use-combofix***IMPORTANT: save ComboFix to your Desktop**** Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Please go here to see a list of programs that should be disabled.**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall** Please include the C:\ComboFix.txt in your next reply for further review.NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.----------Step 4----------------Please download Security Check by screen317 from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.----------Step 5----------------In your next reply, please include the following:TDSSKiller's logfileMBAR mbar-log.txt and system-log.txtComboFix's report (C:\ComboFix.txt)Security Check checkup.txtAfter that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. Link to post Share on other sites More sharing options...
acetrout Posted August 3, 2013 Author ID:710469 Share Posted August 3, 2013 Hey DFB, Tdsskiller didn't find anything. Running MBAR for quite awhile now, with 7 trojans identified so far, and it's almost done. Will attach logs when all 5 steps are finished.We have Avast AV on this notebook and it didn't stop the moneypak trojan. I'm planning to install the Malwarebytes Pro on this laptop. The question is: Do Avast and Malwarebytes Pro get along well together? I have that combination installed on my desktop and they seem to work ok together. What's your opinion? Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted August 3, 2013 ID:710471 Share Posted August 3, 2013 We have Avast AV on this notebook and it didn't stop the moneypak trojan. I'm planning to install the Malwarebytes Pro on this laptop. The question is: Do Avast and Malwarebytes Pro get along well together? I have that combination installed on my desktop and they seem to work ok together. What's your opinion?Yep, that's the exact same combo I use. Should be just fine Link to post Share on other sites More sharing options...
acetrout Posted August 3, 2013 Author ID:710588 Share Posted August 3, 2013 OK DFB, Here are all of the logs,(and see attached at bottom) and everything seems to be working well. Had tremendous battle getting combofix to run as the Avast modules refused to shut off completely.My kid somehow wound up with Internet Security Pro on this laptop. Should we keep that or uninstall? ComboFix 13-08-02.01 - chia 08/03/2013 1:10.1.2 - x64Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2805.1785 [GMT -4:00]Running from: c:\users\chia\Desktop\ComboFix.exeAV: avast! antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}SP: avast! antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}..((((((((((((((((((((((((( Files Created from 2013-07-03 to 2013-08-03 )))))))))))))))))))))))))))))))..2013-08-03 05:21 . 2013-08-03 05:21 -------- d-----w- c:\users\Default\AppData\Local\temp2013-08-03 04:29 . 2013-08-03 04:29 -------- d-----w- C:\FRST2013-08-03 03:16 . 2013-08-03 03:16 36680 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys2013-08-03 03:16 . 2013-08-03 03:16 -------- d-----w- c:\programdata\Malwarebytes2013-08-02 13:23 . 2013-07-02 08:34 9460976 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{68AE344D-04D2-4E07-9F96-138F5C2FEBA4}\mpengine.dll2013-07-22 16:37 . 2013-07-22 16:37 63384 ----a-r- c:\users\chia\AppData\Roaming\Microsoft\Installer\{43D1B973-3D12-42ba-9E6E-56A8FEFF5250}\ARPPRODUCTICON.exe2013-07-22 16:37 . 2013-07-22 16:37 -------- d-----w- c:\users\chia\AppData\Local\DIRECTV Player2013-07-22 16:34 . 2013-07-22 16:35 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl2013-07-22 16:34 . 2013-07-22 16:35 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe2013-07-22 16:34 . 2013-07-22 16:34 -------- d-----w- c:\windows\system32\Macromed2013-07-18 15:20 . 2013-07-18 15:27 -------- d-----w- c:\windows\system32\MRT2013-07-11 15:43 . 2013-08-03 03:55 -------- d-----w- c:\users\chia\AppData\Local\Novatel Wireless2013-07-10 14:22 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll2013-07-10 14:22 . 2013-05-27 05:50 571904 ----a-w- c:\program files\Windows Defender\MpClient.dll2013-07-10 14:22 . 2013-05-27 05:50 314880 ----a-w- c:\program files\Windows Defender\MpCommu.dll2013-07-10 14:22 . 2013-05-27 04:57 54784 ----a-w- c:\program files (x86)\Windows Defender\MpOAV.dll2013-07-10 14:22 . 2013-05-27 04:57 392704 ----a-w- c:\program files (x86)\Windows Defender\MpClient.dll2013-07-10 14:22 . 2013-05-27 03:15 9216 ----a-w- c:\program files (x86)\Windows Defender\MpAsDesc.dll2013-07-10 14:22 . 2013-05-27 04:57 4608 ----a-w- c:\program files (x86)\Windows Defender\MsMpLics.dll2013-07-10 14:21 . 2013-06-04 06:00 624128 ----a-w- c:\windows\system32\qedit.dll2013-07-10 14:21 . 2013-06-04 04:53 509440 ----a-w- c:\windows\SysWow64\qedit.dll2013-07-10 14:21 . 2013-05-06 06:03 1887744 ----a-w- c:\windows\system32\WMVDECOD.DLL2013-07-10 14:21 . 2013-05-06 04:56 1620480 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL2013-07-10 14:21 . 2013-06-05 03:34 3153920 ----a-w- c:\windows\system32\win32k.sys2013-07-10 14:21 . 2013-04-10 05:48 1732608 ----a-w- c:\program files\Windows Journal\NBDoc.DLL2013-07-10 14:21 . 2013-04-10 05:46 1393152 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll2013-07-10 14:21 . 2013-04-10 05:46 1367040 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll2013-07-10 14:21 . 2013-04-10 05:46 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll2013-07-10 14:21 . 2013-04-10 05:03 936448 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll2013-07-10 14:21 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll2013-07-10 14:21 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2013-06-24 04:57 . 2010-08-25 00:51 78277128 ----a-w- c:\windows\system32\MRT.exe2013-05-16 19:12 . 2012-06-22 14:44 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll2013-05-13 05:51 . 2013-06-12 19:01 184320 ----a-w- c:\windows\system32\cryptsvc.dll2013-05-13 05:51 . 2013-06-12 19:01 1464320 ----a-w- c:\windows\system32\crypt32.dll2013-05-13 05:51 . 2013-06-12 19:01 139776 ----a-w- c:\windows\system32\cryptnet.dll2013-05-13 05:50 . 2013-06-12 19:01 52224 ----a-w- c:\windows\system32\certenc.dll2013-05-13 04:45 . 2013-06-12 19:01 1160192 ----a-w- c:\windows\SysWow64\crypt32.dll2013-05-13 04:45 . 2013-06-12 19:01 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll2013-05-13 04:45 . 2013-06-12 19:01 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll2013-05-13 03:43 . 2013-06-12 19:01 1192448 ----a-w- c:\windows\system32\certutil.exe2013-05-13 03:08 . 2013-06-12 19:01 903168 ----a-w- c:\windows\SysWow64\certutil.exe2013-05-13 03:08 . 2013-06-12 19:01 43008 ----a-w- c:\windows\SysWow64\certenc.dll2013-05-10 05:49 . 2013-06-12 19:02 30720 ----a-w- c:\windows\system32\cryptdlg.dll2013-05-10 03:20 . 2013-06-12 19:02 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll2013-05-08 06:39 . 2013-06-12 19:02 1910632 ----a-w- c:\windows\system32\drivers\tcpip.sys..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2013-04-30 1527432].[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}].[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]2013-04-30 15:57 1527432 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]2011-12-09 01:11 194848 ----a-w- c:\program files (x86)\Yontoo\YontooIEClient.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2013-04-30 1527432].[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1][HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd].[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]2010-02-01 18:03 120176 ----a-w- c:\program files (x86)\EgisTec MyWinLocker\x86\PSDProtect.dll.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ooVoo.exe"="c:\program files (x86)\ooVoo\oovoo.exe" [2012-10-04 27112568]"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-11-09 17878704]"Facebook Update"="c:\users\chia\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2013-01-21 138096]"PCShowServer"="c:\users\chia\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe" [2012-10-15 525240].[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-12-24 284696]"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2010-03-08 260608]"SuiteTray"="c:\program files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2010-02-01 337264]"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2009-12-25 201512]"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2009-12-25 401192]"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2010-02-26 1289296]"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-11-24 81000]"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2013-04-30 1721480]"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288].c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 5 (0x5)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0).[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]"aux"=wdmaud.drv.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]@="".R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe;c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS;c:\windows\SYSNATIVE\drivers\AmUStor.SYS [x]R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe;c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]R3 MWLService;MyWinLocker Service;c:\program files (x86)\EgisTec MyWinLocker\x86\MWLService.exe;c:\program files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [x]R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [x]R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS;c:\windows\SYSNATIVE\PCTINDIS5X64.SYS [x]R3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys;c:\windows\SYSNATIVE\DRIVERS\taphss6.sys [x]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]S1 aswSP;avast! Self Protection; [x]S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDFilter.sys [x]S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDNServ.sys [x]S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDVDisk.sys [x]S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys;c:\windows\SYSNATIVE\DRIVERS\aswFsBlk.sys [x]S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys;c:\windows\SYSNATIVE\DRIVERS\aswMonFlt.sys [x]S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [x]S2 Greg_Service;GRegService;c:\program files (x86)\Acer\Registration\GregHSRW.exe;c:\program files (x86)\Acer\Registration\GregHSRW.exe [x]S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [x]S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [x]S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe;c:\program files\Acer\Acer Updater\UpdaterService.exe [x]S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]..--- Other Services/Drivers In Memory ---.*NewlyCreated* - WS2IFSL.[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc.[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]2013-08-01 16:59 1173456 ----a-w- c:\program files (x86)\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe.Contents of the 'Scheduled Tasks' folder.2013-08-03 c:\windows\Tasks\Adobe Flash Player Updater.job- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-22 16:35].2013-08-01 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1683424006-4254386584-569884972-1001Core.job- c:\users\chia\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-01-21 16:03].2013-08-03 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1683424006-4254386584-569884972-1001UA.job- c:\users\chia\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-01-21 16:03].2013-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-14 14:59].2013-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-14 14:59].2013-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1683424006-4254386584-569884972-1001Core.job- c:\users\chia\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-26 21:15].2013-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1683424006-4254386584-569884972-1001UA.job- c:\users\chia\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-26 21:15]..--------- X64 Entries -----------..[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]2010-02-01 18:06 137584 ----a-w- c:\program files (x86)\EgisTec MyWinLocker\x64\PSDProtect.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-09-22 323584]"mwlDaemon"="c:\program files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe" [2010-02-01 349552]"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-12 166424]"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-12 390680]"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-12 410136]"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-11 9643552]"PLFSetI"="c:\windows\PLFSetI.exe" [2010-05-07 206208]"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2010-02-06 860192].------- Supplementary Scan -------.uLocal Page = c:\windows\system32\blank.htmmLocal Page = c:\windows\SysWOW64\blank.htmuInternet Settings,ProxyOverride = *.localIE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.htmlTrusted Zone: alipay.comTrusted Zone: alisoft.comTrusted Zone: taobao.comTCP: DhcpNameServer = 192.168.1.1.- - - - ORPHANS REMOVED - - - -.URLSearchHooks-{872b5b88-9db5-4310-bdd0-ac189557e5f5} - (no file)Toolbar-Locked - (no file)Wow6432Node-HKCU-Run-GameXN GO - c:\programdata\GameXN\GameXNGO.exeWow6432Node-HKLM-Run-<NO NAME> - (no file)BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - c:\program files (x86)\Hotspot Shield\HssIE\HssIE_64.dllToolbar-Locked - (no file)WebBrowser-{872B5B88-9DB5-4310-BDD0-AC189557E5F5} - (no file)HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exeAddRemove-Uninstall_is1 - c:\program files (x86)\Common Files\DVDVideoSoft\unins000.exeAddRemove-Applet - c:\windows\system32\javaws.exeAddRemove-JNLP - c:\windows\system32\javaws.exe...--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="IFlashBroker5".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Shockwave Flash Object".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]@="0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]@="ShockwaveFlash.ShockwaveFlash.11".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="ShockwaveFlash.ShockwaveFlash".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Macromedia Flash Factory Object".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]@="FlashFactory.FlashFactory.1".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="FlashFactory.FlashFactory".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="IFlashBroker5".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).Completion time: 2013-08-03 01:25:53ComboFix-quarantined-files.txt 2013-08-03 05:25.Pre-Run: 162,310,369,280 bytes freePost-Run: 163,515,236,352 bytes free.- - End Of File - - DBC3B665DA5E6FCEA5D899A1E8777FCAD41D8CD98F00B204E9800998ECF8427E Results of screen317's Security Check version 0.99.71 Windows 7 Service Pack 1 x64 (UAC is enabled) Internet Explorer 10 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! avast! antivirus Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Java 6 Update 35 Java version out of Date! Adobe Flash Player 11.8.800.94 Adobe Reader 9 Adobe Reader out of Date! Google Chrome 28.0.1500.72 Google Chrome 28.0.1500.95 ````````Process Check: objlist.exe by Laurent```````` Alwil Software Avast4 aswUpdSv.exe Alwil Software Avast4 ashServ.exe Alwil Software Avast4 ashDisp.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: 0% ````````````````````End of Log`````````````````````` system-log.txtmbar-log-2013-08-02 (23-20-03).txtTDSSKiller.2.8.18.0_02.08.2013_23.03.04_log.txt Link to post Share on other sites More sharing options...
acetrout Posted August 3, 2013 Author ID:710608 Share Posted August 3, 2013 Hi DFB, Downloaded Malwrebytes Free Version and did a full scan and it found 1 Trojan.FakeFlash.Ed which was checkmarked for removal but it found 15 more PUP.Optional.Tarma.A instances that are not checked for removal. What should I do? Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted August 3, 2013 ID:710623 Share Posted August 3, 2013 What should I do?Go ahead and have MBAM delete those. Once you've done that, please move on to the following: ----------Step 1----------------Please download AdwCleaner by Xplode onto your desktop.Double click on AdwCleaner.exe to run the tool.Click on Search.A logfile will automatically open after the scan has finished.Please post the contents of that logfile with your next reply.You can find the logfile at C:\AdwCleaner[R1].txt as well.----------Step 2----------------Please download Junkware Removal Tool to your desktop.Shut down your protection software now to avoid potential conflicts.Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".The tool will open start scanning your system.Please be patient as this can take a while to complete depending on your system's specifications.On completion, a log (JRT.txt) is saved to your desktop and will automatically open.Post the contents of JRT.txt into your next message. ----------Step 3 (note: this scan may take a little time)----------------I'd like us to scan your machine with ESET OnlineScanHold down Control and click on the following link to open ESET OnlineScan in a new window.ESET OnlineScanClick the button.For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)Click on to download the ESET Smart Installer. Save it to your desktop.Double click on the icon on your desktop.Check Click the button.Accept any security warnings from your browser.Check Push the Start button.ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.When the scan completes, push Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.Push the button.Push A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt----------Step 4----------------Please post the AdwCleaner logfile, the JRT.txt, and the ESET online scan log in your next reply.Let me know how things go. Link to post Share on other sites More sharing options...
acetrout Posted August 3, 2013 Author ID:710634 Share Posted August 3, 2013 I left that MBam window open for the last 4 hours and then I closed it 10 minutes ago taking no action since I hadn't heard back. The scan will take 1 hr 15 minutes to get back to where I was. Here is the Mbam log. Would there be a shorter scan that will find the same threats or do I need to do the full again now? Malwarebytes Anti-Malware 1.75.0.1300www.malwarebytes.org Database version: v2013.08.03.05 Windows 7 Service Pack 1 x64 NTFSInternet Explorer 10.0.9200.16635chia :: PC [administrator] 8/3/2013 10:31:10 AMMBAM-log-2013-08-03 (13-25-34).txt Scan type: Full scan (C:\|)Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 383611Time elapsed: 57 minute(s), 39 second(s) Memory Processes Detected: 0(No malicious items detected) Memory Modules Detected: 0(No malicious items detected) Registry Keys Detected: 0(No malicious items detected) Registry Values Detected: 0(No malicious items detected) Registry Data Items Detected: 0(No malicious items detected) Folders Detected: 5C:\ProgramData\Tarma Installer (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B} (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Cache (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96} (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Cache (PUP.Optional.Tarma.A) -> No action taken. Files Detected: 11C:\FRST\Quarantine\flashplayer.exe (Trojan.FakeFlash.ED) -> No action taken.C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Setup.dat (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Setup.ico (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setup.dll (PUP.Optional.Tarma.A) -> No action taken.C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll (PUP.Optional.Tarma.A) -> No action taken. (end) Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted August 3, 2013 ID:710637 Share Posted August 3, 2013 Just do Quick Scan. You never need to do Full Scan Link to post Share on other sites More sharing options...
acetrout Posted August 3, 2013 Author ID:710644 Share Posted August 3, 2013 You didn't say to uncheck the "remove found threats" above the "scan archives" checkbox on eset scan. so I'm assuming you wanted that left checked? It's about 1/2 way done now. Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted August 3, 2013 ID:710645 Share Posted August 3, 2013 It's no big deal, we can just remove them manually with ComboFix. Link to post Share on other sites More sharing options...
acetrout Posted August 3, 2013 Author ID:710646 Share Posted August 3, 2013 re-read my post. Eset It is checked to remove found threats by default. You didn't say to UNCHECK this box so I'm assuming they will be removed. Is that right? Or did we just want to IDENTIFY the threats? Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted August 3, 2013 ID:710649 Share Posted August 3, 2013 I understood your post. Either way is fine. If you didn't uncheck it, then yes, they will be removed. If not, we'll remove them manually. Link to post Share on other sites More sharing options...
acetrout Posted August 3, 2013 Author ID:710677 Share Posted August 3, 2013 wow, here you go. AdwCleanerR1.txtesetscanresults.txtJRT.txt Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted August 3, 2013 ID:710678 Share Posted August 3, 2013 Looks a lot better. Please do the following: Instructions for DELETE:Close all open programs and internet browsers.Double click on adwcleaner.exe to run the tool.Click on Delete.Confirm each time with Ok.You will be prompted to restart your computer. A text file will open after the restart.Please post the contents of that logfile with your next reply.You can find the logfile at C:\AdwCleaner[s1].txt as well.Afterwards, please reboot the computer. Link to post Share on other sites More sharing options...
acetrout Posted August 3, 2013 Author ID:710682 Share Posted August 3, 2013 # AdwCleaner v2.306 - Logfile created 08/03/2013 at 17:01:54# Updated 19/07/2013 by Xplode# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)# User : chia - PC# Boot Mode : Normal# Running from : C:\Users\chia\Desktop\Jim's Virus Tools\AdwCleaner.exe# Option [Delete] ***** [services] ***** ***** [Files / Folders] ***** Folder Deleted : C:\Users\chia\AppData\Local\PackageAware ***** [Registry] ***** Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCSKey Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCSKey Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{99066096-8989-4612-841F-621A01D54AD7}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEFKey Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B} ***** [internet Browsers] ***** -\\ Internet Explorer v10.0.9200.16635 [OK] Registry is clean. -\\ Google Chrome v28.0.1500.95 File : C:\Users\chia\AppData\Local\Google\Chrome\User Data\Default\Preferences [OK] File is clean. ************************* AdwCleaner[R1].txt - [8828 octets] - [03/08/2013 14:48:35]AdwCleaner[s1].txt - [4659 octets] - [03/08/2013 17:01:54] ########## EOF - C:\AdwCleaner[s1].txt - [4719 octets] ########## Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted August 3, 2013 ID:710683 Share Posted August 3, 2013 Things look good. Judging by your last few logs, I'd say your system is clean. Before we move on, please take the time to install the following updates. Program updates are a critical part of your computer's safety net, as outdated applications leave you vulnerable to malware. ---------Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:Download the latest version of Adobe Reader and save it to your desktop.Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offeredClick the download button at the bottom.If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your ComputerThen from your desktop double-click on Adobe Reader to install the newest version.If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.When the "Adobe Setup - Welcome" window opens, click the Install > button.If offered to install a Toolbar, just uncheck the box before continuing unless you want it.--------- Java is out of date and older versions contain vulnerabilities. Please update to the newest version.Download the newest version from here http://java.com/en/download/index.jsp.It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.Go to Start > Control Panel and open Add or Remove Programs.Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). They will have this icon next to them: Select each in turn and click Remove.Once old versions are gone, please install the newest version. --------- Please let me know how the updates went, as failed updates may be due to malware. Link to post Share on other sites More sharing options...
acetrout Posted August 3, 2013 Author ID:710684 Share Posted August 3, 2013 I don't think I am comfortable un-installing and re-installing a new version of Adobe reader. We have at least 2 or 3 older versions on this laptop with multiple active x modules, something called Adobe Air and who knows what else. Last time I messed with Adobe reader all of the desktop Icons lost their images and none of the shortcuts or exe's would work. At least without very detailed instructions. The Java I think I can handle. Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted August 3, 2013 ID:710686 Share Posted August 3, 2013 Last time I messed with Adobe reader all of the desktop Icons lost their images and none of the shortcuts or exe's would work.That's never happened to me before, nor anyone I've helped. The instructions I've provided you should do the trick. If you need me to clarify any specific step, please let me know and I'd be happy to do so. Link to post Share on other sites More sharing options...
acetrout Posted August 3, 2013 Author ID:710692 Share Posted August 3, 2013 the updates went fine, I guess.There was only 1 version of Adobe Reader, I uninstalled that and installed new version with no issues.Java updater has been trying to run all day and I kept on closing the window. I let it run and the newer version installed without issue. When I went to control panel to uninstall earlier versions, there were none. Just the newest that just installed. Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted August 3, 2013 ID:710714 Share Posted August 3, 2013 Glad to hear the updates went successfully!Unless there are any other issues, I will now provide you with some steps to better protect your computer.First, we need to remove ComboFix.The following will implement some cleanup procedures as well as reset System Restore points:Click Start > Run and copy/paste the following bolded text into the Run box and click OK:ComboFix /Uninstall -------------------Let's remove OTL and the other tools we used as well:Reopen on your desktop. Click on You will be prompted to reboot your system. Please do so.-------------------Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.-------------------It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.avast!.AntiVirAVGMicrosoft Security Essentials-------------------Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:Spybot-Search & DestroyA tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.SpywareBlasterA tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.SpywareGuardA tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.-------------------Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too. A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.These firewalls are good and do have free versions availableOutpost Firewall FreeOnline Armor FirewallA tutorial on understanding and using firewalls may be found here.-------------------Please keep your security programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time.-------------------Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:http://www.spywarewa...nti-spyware.htmA similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.-------------------Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.If you are interested, Firefox may be downloaded from hereOpera is available here: http://www.opera.com/download/-------------------For more useful information, please also read Tony Klein's excellent article: How did I get infected in the first placeHopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.-------------------I would grateful if you could reply to this post so that I know you have read it and, if you have no other questions, the thread can then be closed.I will leave the thread open for a few more days. If you need anything, just come back here and let me know. After that time you will have to send me a PM.---------------------------------------------------------My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here: Every little bit helps. -DFB Link to post Share on other sites More sharing options...
acetrout Posted August 4, 2013 Author ID:710929 Share Posted August 4, 2013 OK DFB, Yes, everything looks like it's working fine, although I'm getting a popup saying my copy of Avast is illegal and pirated. How can free software be pirated? All the modules load just fine and the software is registered. Did you see anything out of kilter in the logs with respect to Avast? Link to post Share on other sites More sharing options...
Recommended Posts