Trojan zaccess

Please download Farbar Recovery Scan Tool and save it to a folder. (Use the correct version for your system.)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
MrC

Addition.txt is attached from the action yesterday

 

frst.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-08-2013
Ran by acitron (administrator) on 28-08-2013 14:19:51
Running from C:\Documents and Settings\acitron\Desktop\Farbar2
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Cisco Systems, Inc.) C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
(Microsoft Corporation) C:\WINDOWS\System32\SCardSvr.exe
(Cisco Systems, Inc.) C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(SigmaTel, Inc.) C:\WINDOWS\system32\StacSV.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
() C:\Documents and Settings\acitron\Desktop\RogueKiller.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
(WinZip Computing, S.L.) C:\Program Files\WinZip\zipsendservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NvCplDaemon] - C:\WINDOWS\system32\NvCpl.dll [13594624 2009-03-11] (NVIDIA Corporation)
HKLM\...\Run: [nwiz] - nwiz.exe /installquiet [x]
HKLM\...\Run: [NVHotkey] - C:\Windows\System32\nvHotkey.dll [90112 2009-03-11] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] - C:\WINDOWS\system32\NvMcTray.dll [86016 2009-03-11] (NVIDIA Corporation)
HKLM\...\Run: [Client Access Service] - C:\Program Files\IBM\Client Access\cwbsvstr.exe [20480 2005-06-05] (IBM Corporation)
HKLM\...\Run: [Client Access Help Update] - C:\Program Files\IBM\Client Access\cwbinhlp.exe [24576 2005-06-05] (IBM Corporation)
HKLM\...\Run: [Client Access Check Version] - C:\Program Files\IBM\Client Access\cwbckver.exe [45106 2005-06-05] (IBM Corporation)
HKLM\...\Run: [Client Access Express Welcome] - C:\Program Files\IBM\Client Access\cwbwlwiz.exe [20480 2005-06-05] (IBM Corporation)
HKLM\...\Run: [Client Access PC5250 Sound] - C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe [40960 2005-06-05] (IBM Corporation)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [screwDrivers RDP Plugin] - C:\Program Files\triCerat\Simplify Printing\ScrewDrivers Client v4\install_rdp.exe [45384 2011-08-26] ()
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM\...\RunOnce: [ (A0)] - cmd /c "C:\Documents and Settings\acitron\Desktop\Farbar\New Folder\mbar\mbar.exe" /rdv /s [1178424 2013-08-13] (Malwarebytes Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [X]
Winlogon\Notify\PCANotify: PCANotify.dll (Symantec Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
ShortcutTarget: Cisco Systems VPN Client.lnk -> C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {910D7C6E-6236-44B6-B06C-405F09CCF9CB} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
SearchScopes: HKCU - {645701DB-0A59-AE3F-8D62-BAA040AFB663} URL = http://www.bing.com/search?q={searchTerms}&pc=Z007&form=ZGAIDF
SearchScopes: HKCU - {910D7C6E-6236-44B6-B06C-405F09CCF9CB} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU -No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} https://vpn.empirecorporate.com/CACHE/stc/1/binaries/stcweb.cab
DPF: {2CCFEB42-1C81-4191-807C-708F4043D179} https://rdc-commercial3.wachovia.com/merchantcapturewebclient/CaptureControlUtility.cab
DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} https://www.yardiasptx11.com/58924empire/activexviewer9.cab
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} https://rdc-commercial3.wachovia.com/MerchantCaptureWebClient/Reserved.ReportViewerWebControl.axd?ReportSession=kx4jq1451h1gypmz3iysbw45&ControlID=b00231b5dbd44fdf87e3924c093b854d&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} https://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C53EE992-020F-40B8-A1B4-16518D8C7948} https://www.yardiasp14.com/40435elon/ysiNetClientInstaller.CAB
DPF: {C5E4DA8E-FB29-4961-A64A-11EF015CC903} https://rdc-commercial3.wachovia.com/merchantcapturewebclient/AfsDevice_TellerScan.cab
DPF: {CED616F0-2859-4BF8-8538-9DAF544AF2CB} https://www.yardiasptx11.com/58924empire/ysiComm.CAB
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://protus.webex.com/client/T27L10NSP11/webex/ieatgpc.cab
DPF: {F48DE781-C525-44C9-9529-C5ADE3EF5F70} https://www.yardiasp14.com/40435elon/gdpicturepro5.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://beta.logmein.com//activex/ractrl.cab?lmi=1007
Handler: ipp - No CLSID Value -
Handler: msdaipp - No CLSID Value -
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default

FF SelectedSearchEngine: Bing

FF NetworkProxy: "http", "127.0.0.1"
FF NetworkProxy: "http_port", 59030
FF NetworkProxy: "type", 1
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.25.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Documents and Settings\acitron\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Documents and Settings\acitron\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll No File
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Documents and Settings\acitron\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll No File
FF SearchPlugin: C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default\searchplugins\bing-zugo.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\bing-zugo.xml
FF Extension: No Name - C:\Documents and Settings\acitron\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

========================== Services (Whitelisted) =================

S3 awhost32; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [106496 2004-11-01] (Symantec Corporation)
R2 CVPND; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [1445912 2004-08-04] (Cisco Systems, Inc.)
S3 Cwbrxd; C:\WINDOWS\CWBRXD.EXE [57344 2005-06-05] (IBM Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [45408 2008-11-24] (Microsoft Corporation)
R2 STacSV; C:\WINDOWS\system32\StacSV.exe [94208 2007-05-10] (SigmaTel, Inc.)
R2 STCAgent; C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe [267320 2012-01-02] (Cisco Systems, Inc.)
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

R1 awecho; C:\Windows\System32\drivers\awechomd.sys [8368 2004-03-05] (Symantec Corporation)
R1 awlegacy; C:\Windows\System32\Drivers\awlegacy.sys [11165 2003-11-17] (Symantec Corporation)
R1 AW_HOST; C:\Windows\System32\drivers\aw_host5.sys [16984 2003-10-23] (Symantec Corporation)
R3 b57w2k; C:\Windows\System32\DRIVERS\b57xp32.sys [161792 2007-10-22] (Broadcom Corporation)
S3 CSVirtA; C:\Windows\System32\DRIVERS\CSVirtA.sys [22136 2012-01-02] (Cisco Systems, Inc.)
S3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5220 2003-05-01] (Cisco Systems, Inc.)
R2 CVPNDRVA; C:\WINDOWS\system32\Drivers\CVPNDRVA.sys [269387 2004-08-04] (Cisco Systems, Inc.)
R3 dfmirage; C:\Windows\System32\DRIVERS\dfmirage.sys [31896 2009-03-28] (DemoForge, LLC)
R3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [139604 2003-07-24] (Deterministic Networks, Inc.)
R0 Gernuwa; C:\Windows\System32\Drivers\Gernuwa.sys [13898 2003-04-21] (Symantec Corporation)
R3 guardian2; C:\Windows\System32\Drivers\oz776.sys [62208 2007-03-26] (O2Micro)
R3 HSFHWAZL; C:\Windows\System32\DRIVERS\HSFHWAZL.sys [209152 2006-11-02] (Conexant Systems, Inc.)
R3 HSF_DPV; C:\Windows\System32\DRIVERS\HSF_DPV.sys [989696 2006-11-02] (Conexant Systems, Inc.)
R3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [48728 2013-08-28] (MalwareBytes)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165264 2010-10-24] (Microsoft Corporation)
R3 NETw4x32; C:\Windows\System32\DRIVERS\NETw4x32.sys [2210816 2007-08-28] (Intel Corporation)
R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1222840 2007-05-10] (SigmaTel, Inc.)
S3 SymEvent; C:\Program Files\Symantec\SYMEVENT.SYS [104144 2009-12-29] (Symantec Corporation)
U3 TrueSight; C:\WINDOWS\system32\TrueSight.sys [15616 2013-08-28] ()
R3 WinDriver6; C:\Windows\System32\DRIVERS\Windrvr6.sys [197416 2009-02-03] (Jungo)
S3 catchme; \??\C:\DOCUME~1\acitron\LOCALS~1\Temp\catchme.sys [x]
S4 IntelIde; No ImagePath
U2 TMAgent;
S3 TSUSB2; system32\DRIVERS\TSUSB2.sys [x]
S4 vsdatant; a [x]
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

NETSVC: SSHNAS -> No Registry Path.

==================== One Month Created Files and Folders ========

2013-08-28 13:55 - 2013-08-28 13:55 - 00002927 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08282013_135524.txt
2013-08-28 13:54 - 2013-08-28 13:54 - 00015616 _____ C:\WINDOWS\system32\TrueSight.sys
2013-08-28 11:08 - 2013-08-28 11:34 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-08-28 11:08 - 2013-08-28 11:08 - 00048728 _____ (MalwareBytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-08-28 10:50 - 2013-08-28 10:50 - 00002499 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08282013_105041.txt
2013-08-28 10:30 - 2013-08-28 10:30 - 00000000 ____D C:\Program Files\Common Files\Java
2013-08-28 10:30 - 2013-08-28 10:29 - 00867240 _____ (Oracle Corporation) C:\WINDOWS\system32\npDeployJava1.dll
2013-08-28 10:30 - 2013-08-28 10:29 - 00263592 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2013-08-28 10:30 - 2013-08-28 10:29 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2013-08-28 10:30 - 2013-08-28 10:29 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2013-08-28 10:30 - 2013-08-28 10:29 - 00144896 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2013-08-28 10:30 - 2013-08-28 10:29 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2013-08-28 10:29 - 2013-08-28 10:29 - 00000000 ____D C:\Program Files\Java
2013-08-28 10:29 - 2013-08-28 10:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\McAfee
2013-08-27 20:20 - 2013-08-27 20:20 - 00891144 _____ C:\Documents and Settings\acitron\Desktop\SecurityCheck.exe
2013-08-27 19:44 - 2013-08-27 19:44 - 00000000 __SHD C:\Documents and Settings\acitron\IECompatCache
2013-08-27 18:25 - 2013-08-27 18:25 - 00002465 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_182518.txt
2013-08-27 17:47 - 2013-08-27 18:52 - 00000000 ____D C:\AdwCleaner
2013-08-27 17:43 - 2013-08-27 17:43 - 00002864 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_174310.txt
2013-08-27 17:43 - 2013-08-27 17:43 - 00002735 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_D_08272013_174346.txt
2013-08-27 17:26 - 2013-08-27 17:26 - 00002830 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_172624.txt
2013-08-27 17:19 - 2013-08-27 17:19 - 00003965 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_D_08272013_171931.txt
2013-08-27 17:16 - 2013-08-27 17:16 - 00004063 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_171644.txt
2013-08-27 16:57 - 2013-08-27 16:57 - 00004029 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_165729.txt
2013-08-27 16:56 - 2013-08-27 17:43 - 00000000 ____D C:\Documents and Settings\acitron\Desktop\RK_Quarantine
2013-08-27 14:57 - 2013-08-27 14:57 - 00000000 ____D C:\FRST
2013-08-27 14:56 - 2013-08-27 17:46 - 00000000 ____D C:\Documents and Settings\acitron\Desktop\Farbar
2013-08-27 14:23 - 2013-08-27 14:23 - 00007700 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_142346.txt
2013-08-27 14:21 - 2013-08-28 13:53 - 00913408 _____ C:\Documents and Settings\acitron\Desktop\RogueKiller.exe
2013-08-27 12:29 - 2013-08-27 12:29 - 00017363 _____ C:\Documents and Settings\acitron\Desktop\attach.txt
2013-08-27 12:29 - 2013-08-27 12:29 - 00012635 _____ C:\Documents and Settings\acitron\Desktop\dds.txt
2013-08-27 12:23 - 2013-08-27 12:23 - 00688992 ____R (Swearware) C:\Documents and Settings\acitron\Desktop\dds.scr
2013-08-27 11:52 - 2013-08-27 11:52 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-08-27 11:13 - 2013-08-27 11:13 - 00001324 _____ C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2013-08-27 10:21 - 2013-08-27 10:21 - 00000000 ____D C:\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-26 13:22 - 2013-08-26 13:22 - 00000000 ____D C:\Documents and Settings\All Users\Kaspersky Lab Setup Files
2013-08-26 11:39 - 2013-08-26 11:40 - 74455064 _____ (Trend Micro Inc.) C:\Documents and Settings\All Users\Desktop\TTi_HE_Download_32bit.exe
2013-08-26 11:33 - 2013-08-26 21:59 - 00000908 _____ C:\Documents and Settings\All Users\Desktop\Trend Micro Titanium Maximum Security Installer.lnk
2013-08-26 11:31 - 2013-08-26 21:58 - 00000000 ____D C:\Program Files\Trend Micro
2013-08-26 10:33 - 2013-08-26 10:52 - 00000664 _____ C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
2013-08-23 13:36 - 2013-08-23 13:37 - 00010476 _____ C:\Documents and Settings\acitron\Desktop\Rkill.txt
2013-08-23 13:32 - 2013-08-23 13:32 - 00000000 __SHD C:\found.000
2013-08-23 12:00 - 2013-08-23 12:00 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-23 11:28 - 2013-08-23 11:57 - 00060928 _____ C:\WINDOWS\drivfunc.dll
2013-08-23 11:11 - 2013-08-23 11:51 - 00060928 _____ C:\WINDOWS\system32\drivfunc.dll
2013-08-23 11:09 - 2013-08-23 11:09 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-23 10:59 - 2013-08-23 10:59 - 00182276 _____ C:\WINDOWS\system32\c_7265174.nls
2013-08-23 10:57 - 2013-08-23 10:57 - 00000000 ____D C:\Program Files\Google
2013-08-19 14:59 - 2011-05-16 12:31 - 00008592 _____ C:\WINDOWS\system32\ractrlkeyhook.dll

==================== One Month Modified Files and Folders =======

2013-08-28 14:19 - 2013-08-28 14:18 - 00000000 ____D C:\Documents and Settings\acitron\Desktop\Farbar2
2013-08-28 14:18 - 2008-09-27 23:48 - 00539955 _____ C:\WINDOWS\system32\nvModes.001
2013-08-28 14:03 - 2004-08-04 08:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-08-28 13:55 - 2013-08-28 13:55 - 00002927 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08282013_135524.txt
2013-08-28 13:54 - 2013-08-28 13:54 - 00015616 _____ C:\WINDOWS\system32\TrueSight.sys
2013-08-28 13:53 - 2013-08-27 14:21 - 00913408 _____ C:\Documents and Settings\acitron\Desktop\RogueKiller.exe
2013-08-28 12:25 - 2010-08-27 11:55 - 00000986 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3774402678-1038661908-2601123593-3176UA.job
2013-08-28 11:54 - 2010-06-01 13:27 - 00000426 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{EF0C38ED-00ED-4766-9EFA-D9FF4BC6659E}.job
2013-08-28 11:34 - 2013-08-28 11:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-08-28 11:08 - 2013-08-28 11:08 - 00048728 _____ (MalwareBytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-08-28 10:53 - 2008-10-06 12:22 - 00055040 _____ C:\Documents and Settings\acitron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-08-28 10:50 - 2013-08-28 10:50 - 00002499 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08282013_105041.txt
2013-08-28 10:39 - 2008-09-27 23:38 - 01137358 _____ C:\WINDOWS\WindowsUpdate.log
2013-08-28 10:37 - 2009-06-29 16:06 - 00000000 ____D C:\Program Files\Adobe
2013-08-28 10:37 - 2008-09-28 14:20 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Adobe
2013-08-28 10:36 - 2008-10-07 13:13 - 00000000 ____D C:\Documents and Settings\acitron\Local Settings\Application Data\Adobe
2013-08-28 10:36 - 2008-09-28 14:19 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-08-28 10:34 - 2010-05-17 11:20 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-08-28 10:30 - 2013-08-28 10:30 - 00000000 ____D C:\Program Files\Common Files\Java
2013-08-28 10:29 - 2013-08-28 10:30 - 00867240 _____ (Oracle Corporation) C:\WINDOWS\system32\npDeployJava1.dll
2013-08-28 10:29 - 2013-08-28 10:30 - 00263592 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2013-08-28 10:29 - 2013-08-28 10:30 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2013-08-28 10:29 - 2013-08-28 10:30 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2013-08-28 10:29 - 2013-08-28 10:30 - 00144896 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2013-08-28 10:29 - 2013-08-28 10:30 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2013-08-28 10:29 - 2013-08-28 10:29 - 00000000 ____D C:\Program Files\Java
2013-08-28 10:29 - 2013-08-28 10:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\McAfee
2013-08-28 10:29 - 2010-04-15 14:05 - 00789416 _____ (Oracle Corporation) C:\WINDOWS\system32\deployJava1.dll
2013-08-28 10:23 - 2008-09-27 19:19 - 00000159 _____ C:\WINDOWS\wiadebug.log
2013-08-28 10:23 - 2008-09-27 19:19 - 00000049 _____ C:\WINDOWS\wiaservc.log
2013-08-28 10:15 - 2008-09-27 19:18 - 00194745 _____ C:\WINDOWS\system32\nvapps.xml
2013-08-28 10:14 - 2008-09-27 23:44 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-08-27 23:11 - 2008-09-28 17:11 - 00000368 ___SH C:\Documents and Settings\acitron\ntuser.ini
2013-08-27 23:11 - 2008-09-27 23:44 - 00032650 _____ C:\WINDOWS\SchedLgU.Txt
2013-08-27 20:20 - 2013-08-27 20:20 - 00891144 _____ C:\Documents and Settings\acitron\Desktop\SecurityCheck.exe
2013-08-27 19:44 - 2013-08-27 19:44 - 00000000 __SHD C:\Documents and Settings\acitron\IECompatCache
2013-08-27 19:44 - 2008-09-28 17:11 - 00000000 ____D C:\Documents and Settings\acitron
2013-08-27 18:52 - 2013-08-27 17:47 - 00000000 ____D C:\AdwCleaner
2013-08-27 18:25 - 2013-08-27 18:25 - 00002465 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_182518.txt
2013-08-27 17:46 - 2013-08-27 14:56 - 00000000 ____D C:\Documents and Settings\acitron\Desktop\Farbar
2013-08-27 17:43 - 2013-08-27 17:43 - 00002864 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_174310.txt
2013-08-27 17:43 - 2013-08-27 17:43 - 00002735 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_D_08272013_174346.txt
2013-08-27 17:43 - 2013-08-27 16:56 - 00000000 ____D C:\Documents and Settings\acitron\Desktop\RK_Quarantine
2013-08-27 17:26 - 2013-08-27 17:26 - 00002830 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_172624.txt
2013-08-27 17:19 - 2013-08-27 17:19 - 00003965 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_D_08272013_171931.txt
2013-08-27 17:16 - 2013-08-27 17:16 - 00004063 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_171644.txt
2013-08-27 16:57 - 2013-08-27 16:57 - 00004029 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_165729.txt
2013-08-27 15:35 - 2011-01-11 15:29 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-08-27 14:57 - 2013-08-27 14:57 - 00000000 ____D C:\FRST
2013-08-27 14:23 - 2013-08-27 14:23 - 00007700 _____ C:\Documents and Settings\acitron\Desktop\RKreport[0]_S_08272013_142346.txt
2013-08-27 12:29 - 2013-08-27 12:29 - 00017363 _____ C:\Documents and Settings\acitron\Desktop\attach.txt
2013-08-27 12:29 - 2013-08-27 12:29 - 00012635 _____ C:\Documents and Settings\acitron\Desktop\dds.txt
2013-08-27 12:23 - 2013-08-27 12:23 - 00688992 ____R (Swearware) C:\Documents and Settings\acitron\Desktop\dds.scr
2013-08-27 11:52 - 2013-08-27 11:52 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-08-27 11:52 - 2010-04-22 09:27 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-08-27 11:47 - 2008-09-27 23:45 - 00000000 __SHD C:\WINDOWS\CSC
2013-08-27 11:13 - 2013-08-27 11:13 - 00001324 _____ C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2013-08-27 10:21 - 2013-08-27 10:21 - 00000000 ____D C:\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-27 10:21 - 2011-12-14 13:23 - 00000000 ____D C:\YardiASP
2013-08-27 09:25 - 2010-08-27 11:55 - 00000934 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3774402678-1038661908-2601123593-3176Core.job
2013-08-27 00:20 - 2009-10-14 09:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB974112$
2013-08-26 22:25 - 2008-09-27 19:14 - 00000361 __RSH C:\boot.ini
2013-08-26 21:59 - 2013-08-26 11:33 - 00000908 _____ C:\Documents and Settings\All Users\Desktop\Trend Micro Titanium Maximum Security Installer.lnk
2013-08-26 21:58 - 2013-08-26 11:31 - 00000000 ____D C:\Program Files\Trend Micro
2013-08-26 13:22 - 2013-08-26 13:22 - 00000000 ____D C:\Documents and Settings\All Users\Kaspersky Lab Setup Files
2013-08-26 13:02 - 2009-06-08 10:04 - 00000000 ____D C:\Utilities
2013-08-26 12:30 - 2011-01-11 17:54 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-08-26 11:40 - 2013-08-26 11:39 - 74455064 _____ (Trend Micro Inc.) C:\Documents and Settings\All Users\Desktop\TTi_HE_Download_32bit.exe
2013-08-26 10:52 - 2013-08-26 10:33 - 00000664 _____ C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
2013-08-24 22:30 - 2008-09-28 03:03 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB951066$
2013-08-23 13:37 - 2013-08-23 13:36 - 00010476 _____ C:\Documents and Settings\acitron\Desktop\Rkill.txt
2013-08-23 13:32 - 2013-08-23 13:32 - 00000000 __SHD C:\found.000
2013-08-23 12:00 - 2013-08-23 12:00 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-23 11:57 - 2013-08-23 11:28 - 00060928 _____ C:\WINDOWS\drivfunc.dll
2013-08-23 11:51 - 2013-08-23 11:11 - 00060928 _____ C:\WINDOWS\system32\drivfunc.dll
2013-08-23 11:09 - 2013-08-23 11:09 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-23 10:59 - 2013-08-23 10:59 - 00182276 _____ C:\WINDOWS\system32\c_7265174.nls
2013-08-23 10:57 - 2013-08-23 10:57 - 00000000 ____D C:\Program Files\Google
2013-08-23 10:57 - 2010-08-27 11:55 - 00000000 ____D C:\Documents and Settings\acitron\Local Settings\Application Data\Google
2013-08-19 14:59 - 2008-09-27 19:15 - 00808461 _____ C:\WINDOWS\setupapi.log
2013-08-14 13:32 - 2004-08-04 08:00 - 00000664 _____ C:\WINDOWS\win.ini
2013-08-12 11:30 - 2011-12-22 14:34 - 00000000 ____D C:\Documents and Settings\acitron\My Documents\Elon
2013-08-12 10:21 - 2013-07-02 12:52 - 00000000 ____D C:\Documents and Settings\acitron\Local Settings\Application Data\YSI.NetClient
2013-08-07 13:01 - 2008-10-13 13:11 - 00000000 ____D C:\alan
2013-07-30 10:20 - 2008-09-27 19:16 - 00591256 _____ C:\WINDOWS\system32\PerfStringBackup.INI

Files to move or delete:
====================
C:\Documents and Settings\acitron\DimdimSetup.exe
C:\Documents and Settings\acitron\GoToAssistDownloadHelper.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\G2MInstallerExtractor.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\install_reader10_en_air_gtbd_aih[1].exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\jre-6u33-windows-i586-iftw.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\jre-6u37-windows-i586-iftw.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\jre-7u10-windows-i586-iftw.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\jre-7u15-windows-i586-iftw.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\jre-7u21-windows-i586-iftw.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\Quarantine.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\~nsu.tmp\Au_.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\{E47EC140-EC18-4979-B421-F4CEE87D4B83}\_Setup.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\{475E6FBB-9803-4EDA-B342-A9A0A07994A1}\_Setup.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\_ir_sf_temp_2\npCouponPrinter.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\_ir_sf_temp_2\npMozCouponPrinter.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\_ir_sf_temp_1\npCouponPrinter.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\_ir_sf_temp_1\npMozCouponPrinter.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\_ir_sf_temp_0\npCouponPrinter.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\_ir_sf_temp_0\npMozCouponPrinter.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\VSD1B.tmp\DotNetFX\dotnetchk.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\Temporary Directory 1 for setup.zip\setup.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\Temporary Directory 1 for Paint.NET.3.5.8.Install[1].zip\Paint.NET.3.5.8.Install.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\Temporary Directory 1 for MyVisionX.zip\Dev\setup.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\Temp8-Fg2e8\Common.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\Temp8-Fg2e8\STCExe.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\Temp8-Fg2e8\STCResource.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\nst5.tmp\setup.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\nsnC.tmp\setup.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\g2mA.tmp\G2MCoreInstExtractor.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\g2m8B.tmp\G2MCoreInstExtractor.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\g2m1.tmp\G2MCoreInstExtractor.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_V6EH\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_V6EH\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_V6EH\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_U54V\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_U54V\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_U54V\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_SOQ7\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_SOQ7\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_SOQ7\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_MTXH\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_MTXH\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_MTXH\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_MFT5\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_MFT5\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_MFT5\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_811Q\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_811Q\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_811Q\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_7U70\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_7U70\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_7U70\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_5JCB\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_5JCB\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_5JCB\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_50QU\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_50QU\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_50QU\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_1ZFA\msvbvm60.dll
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_1ZFA\yClient.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\ckz_1ZFA\yUpdate.exe
C:\DOCUME~1\acitron\LOCALS~1\Temp\95.dir\InstallFlashPlayer.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Addition.txt

Please delete these two files:

C:\Documents and Settings\acitron\DimdimSetup.exe

C:\Documents and Settings\acitron\GoToAssistDownloadHelper.exe

----------------------------------------

Download, install and run CCleaner free to clean out temp files.

Here's a Tutorial if needed.

You might want to un-check cookies.

-------------------------------------------

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.
If you agree with everything listed to be removed in the folders section...........

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Then..................

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Last.........

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please update and run a Quick Scan with Malwarebytes Anti-Malware, and post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC

No luck - sluggish and still getting redirected :(

Here are the log files:

AdwCleaner before clean:

# AdwCleaner v3.001 - Report created 28/08/2013 at 16:02:02
# Updated 24/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : acitron - ACITRON-LAPTOP
# Running from : C:\Documents and Settings\acitron\Desktop\Farbar2\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found C:\Documents and Settings\acitron\IECompatCache

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v

[ File : C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [4388 octets] - [27/08/2013 17:47:14]
AdwCleaner[R1].txt - [4448 octets] - [27/08/2013 18:51:52]
AdwCleaner[R2].txt - [855 octets] - [28/08/2013 16:02:02]
AdwCleaner[s0].txt - [4591 octets] - [27/08/2013 18:52:31]

########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [974 octets] ##########

AdwCleaner After:

# AdwCleaner v3.001 - Report created 28/08/2013 at 16:04:49
# Updated 24/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : acitron - ACITRON-LAPTOP
# Running from : C:\Documents and Settings\acitron\Desktop\Farbar2\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\acitron\IECompatCache

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v

[ File : C:\Documents and Settings\acitron\Application Data\Mozilla\Firefox\Profiles\ld09q662.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [4388 octets] - [27/08/2013 17:47:14]
AdwCleaner[R1].txt - [4448 octets] - [27/08/2013 18:51:52]
AdwCleaner[R2].txt - [1053 octets] - [28/08/2013 16:02:02]
AdwCleaner[R3].txt - [1114 octets] - [28/08/2013 16:03:16]
AdwCleaner[s0].txt - [4591 octets] - [27/08/2013 18:52:31]
AdwCleaner[s1].txt - [1040 octets] - [28/08/2013 16:04:49]

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [1100 octets] ##########

JRT.txt:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.4 (08.22.2013:1)
OS: Microsoft Windows XP x86
Ran by acitron on Wed 08/28/2013 at 17:50:31.31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 08/28/2013 at 21:24:48.62
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes Log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.29.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
acitron :: ACITRON-LAPTOP [administrator]

8/28/2013 10:33:24 PM
mbam-log-2013-08-28 (22-33-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 436847
Time elapsed: 13 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

MrCharlie - You don't give up easily - Thanks!

Here is the log file:

ComboFix 13-08-29.01 - acitron 08/29/2013   9:45.5.2 - x86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1622 [GMT -4:00]
Running from: c:\documents and settings\acitron\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\acitron\g2mdlhlpx.exe
c:\documents and settings\acitron\Local Settings\Application Data\assembly\tmp
c:\documents and settings\acitron\prfD6A.tmp
c:\documents and settings\acitron\WINDOWS
c:\documents and settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
c:\documents and settings\LocalService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
c:\documents and settings\NetworkService\Local Settings\Application Data\c43ba21e-2e41-49c1-8b47-9fd54da70595ad\cbaeecbfddaad.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-28 to 2013-08-29  )))))))))))))))))))))))))))))))
.
.
2013-08-28 20:12 . 2013-08-28 20:12 -------- d-----w- c:\windows\ERUNT
2013-08-28 20:11 . 2013-08-28 20:11 -------- d-sh--w- c:\documents and settings\acitron\IECompatCache
2013-08-28 19:54 . 2013-08-28 19:54 -------- d-----w- c:\program files\CCleaner
2013-08-28 19:53 . 2013-08-28 19:53 -------- d-----w- C:\CCleaner
2013-08-28 15:08 . 2013-08-28 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-08-28 14:30 . 2013-08-28 14:30 -------- d-----w- c:\program files\Common Files\Java
2013-08-28 14:30 . 2013-08-28 14:29 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-08-28 14:30 . 2013-08-28 14:29 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-08-28 14:30 . 2013-08-28 14:29 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-08-28 14:29 . 2013-08-28 14:29 -------- d-----w- c:\program files\Java
2013-08-28 14:29 . 2013-08-28 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2013-08-27 21:47 . 2013-08-28 20:04 -------- d-----w- C:\AdwCleaner
2013-08-27 18:57 . 2013-08-27 18:57 -------- d-----w- C:\FRST
2013-08-27 15:52 . 2013-08-27 15:52 -------- d-----w- C:\TDSSKiller_Quarantine
2013-08-27 15:13 . 2013-08-27 15:13 1324 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2013-08-27 14:21 . 2013-08-27 14:21 -------- d-----w- C:\c43ba21e-2e41-49c1-8b47-9fd54da70595ad
2013-08-26 17:22 . 2013-08-26 17:22 -------- d-----w- c:\documents and settings\All Users\Kaspersky Lab Setup Files
2013-08-26 15:31 . 2013-08-27 01:58 -------- d-----w- c:\program files\Trend Micro
2013-08-23 17:32 . 2013-08-23 17:32 -------- d-----w- C:\found.000
2013-08-23 15:28 . 2013-08-23 15:57 60928 ----a-w- c:\windows\drivfunc.dll
2013-08-23 15:11 . 2013-08-23 15:51 60928 ----a-w- c:\windows\system32\drivfunc.dll
2013-08-23 14:57 . 2013-08-23 14:57 -------- d-----w- c:\program files\Google
2013-08-19 18:59 . 2011-05-16 16:31 8592 ----a-w- c:\windows\system32\ractrlkeyhook.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-28 14:29 . 2010-04-15 18:05 789416 ----a-w- c:\windows\system32\deployJava1.dll
2009-08-14 17:33 . 2009-08-14 17:33 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-08-14 17:33 . 2009-08-14 17:33 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-08-14 17:33 . 2009-08-14 17:33 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-08-14 17:33 . 2009-08-14 17:33 20824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-08-14 17:34 . 2009-08-14 17:34 206160 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-08-14 17:33 . 2009-08-14 17:33 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-08-14 17:33 . 2009-08-14 17:33 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:33 . 2007-03-16 22:33 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:33 . 2007-03-16 22:33 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:33 . 2007-03-16 22:33 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-08-14 16:50 . 2009-08-14 16:50 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-08-14 17:33 . 2009-08-14 17:33 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-11 13594624]
"nwiz"="nwiz.exe" [2009-03-11 1657376]
"NVHotkey"="nvHotkey.dll" [2009-03-11 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-11 86016]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2005-06-05 20480]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2005-06-05 24576]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2005-06-05 45106]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2005-06-05 20480]
"Client Access PC5250 Sound"="c:\program files\IBM\Client Access\Emulator\pcssnd.exe" [2005-06-05 40960]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"ScrewDrivers RDP Plugin"="c:\program files\triCerat\Simplify Printing\ScrewDrivers Client v4\install_rdp.exe" [2011-08-26 45384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-04 240288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe "-user_logon" [2008-10-31 1445904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableVirtualization"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-11-10 21:10 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 16:50 8704 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-1177238915-725345543-1566\Scripts\Logon\0\0]
"Script"=login.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-1177238915-725345543-2604\Scripts\Logon\0\0]
"Script"=logon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-1177238915-725345543-3661\Scripts\Logon\0\0]
"Script"=login.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3774402678-1038661908-2601123593-3132\Scripts\Logon\0\0]
"Script"=login.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3774402678-1038661908-2601123593-3176\Scripts\Logon\0\0]
"Script"=login.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/10/2012 2:09 PM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/11/2011 3:29 PM 701512]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [1/2/2012 11:56 AM 22136]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [3/28/2009 3:45 PM 31896]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/11/2011 3:29 PM 22856]
S3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\DRIVERS\TSUSB2.sys --> c:\windows\system32\DRIVERS\TSUSB2.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-28 c:\windows\Tasks\User_Feed_Synchronization-{EF0C38ED-00ED-4766-9EFA-D9FF4BC6659E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
Trusted Zone: avidxchange.com
Trusted Zone: avidxchange.net\app
Trusted Zone: gotomeeting.com\www
Trusted Zone: yardi.com\www
Trusted Zone: yardiasp14.com\www
TCP: DhcpNameServer = 192.168.20.21 8.8.8.8 4.2.2.2
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-31977924.sys
SafeBoot-MsMpSvc
AddRemove-Coupon Printer for Windows5.0.0.1 - c:\program files\Coupons\uninstall.exe
AddRemove-WinDriver6 USB Driver - c:\windows\system32\WdReg.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-29 09:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bb,92,64,30,0c,e8,6c,4d,8e,7e,41,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bb,92,64,30,0c,e8,6c,4d,8e,7e,41,\
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1164)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2013-08-29  09:56:16
ComboFix-quarantined-files.txt  2013-08-29 13:56
ComboFix2.txt  2011-01-13 14:52
ComboFix3.txt  2011-01-13 14:01
ComboFix4.txt  2011-01-11 21:40
.
Pre-Run: 42,665,426,944 bytes free
Post-Run: 44,173,406,208 bytes free
.
- - End Of File - - 00847B27A461B48C09D29D59C698A84B
8F558EB6672622401DA993E1E865C861

I would change them all and keep a close eye on all your sensitive accounts.

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

You know the rest.......MrC

I've cleaned up. Thanks. Sorry for being so direct, but this is the first time I've used such a forum and I don't see a "tipping" guide :) I would like to say thank you for your time, but have no idea what is considered proper. Any suggestions would be appreciated.

There is no guide, it's up to you.

Thanks...MrC

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
