Windows 7 start-up White Screen in regular & safe mode


Help, I have downloaded and run the frst64 from Farbar. Here is the log:

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-09-2013 03

Ran by SYSTEM on MININT-J271J01 on 17-09-2013 09:19:28

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

 

The current controlset is ControlSet002

ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [mwlDaemon] - C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-02-01] (Egis Technology Inc.)

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10060832 2010-02-08] (Realtek Semiconductor)

HKLM\...\Run: [PLFSetI] - C:\Windows\PLFSetI.exe [206208 2010-05-22] ()

HKLM\...\Run: [Apoint] - C:\Program Files\Apoint2K\Apoint.exe [344872 2010-03-09] (Alps Electric Co., Ltd.)

HKLM\...\Run: [Acer ePower Management] - C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [860704 2010-03-17] (Acer Incorporated)

HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)

HKLM\...\Run: [WrtMon.exe] - C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2007-07-18] ()

HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKLM-x32\...\Run: [backupManagerTray] - C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [260608 2010-03-08] (NewTech Infosystems, Inc.)

HKLM-x32\...\Run: [NortonOnlineBackupReminder] - C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe [588648 2009-07-24] (Symantec Corporation)

HKLM-x32\...\Run: [suiteTray] - C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [337264 2010-02-01] (Egis Technology Inc.)

HKLM-x32\...\Run: [EgisUpdate] - C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201512 2009-12-24] (Egis Technology Inc.)

HKLM-x32\...\Run: [EgisTecPMMUpdate] - C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [401192 2009-12-24] (Egis Technology Inc.)

HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [1300560 2010-03-03] (Dritek System Inc.)

HKLM-x32\...\Run: [WordQ carat flag] - C:\Program Files (x86)\WordQ2\WordQcrs.exe [24576 2010-04-28] ()

HKLM-x32\...\Run: [updateLBPShortCut] - C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [CLMLServer] - C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [103720 2009-06-03] (CyberLink)

HKLM-x32\...\Run: [updateP2GoShortCut] - C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [RemoteControl8] - C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe [91432 2009-04-15] (CyberLink Corp.)

HKLM-x32\...\Run: [PDVD8LanguageShortcut] - C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe [50472 2009-04-15] (CyberLink Corp.)

HKLM-x32\...\Run: [updatePPShortCut] - C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [uCam_Menu] - C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [218408 2009-02-17] (CyberLink Corp.)

HKLM-x32\...\Run: [LGODDFU] - C:\Program Files (x86)\lg_fwupdate\lgfw.exe [27760 2012-07-26] (Bitleader)

HKLM-x32\...\Run: [updatePSTShortCut] - C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [210216 2009-09-29] (CyberLink Corp.)

HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [79192 2011-02-18] (Research In Motion Limited)

HKLM-x32\...\Run: [] -  [x]

HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [887976 2011-08-23] (Ask)

HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-08-27] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-09-09] (Apple Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)

HKU\Default\...\RunOnce: [scrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()

HKU\Default User\...\RunOnce: [scrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()

HKU\Tyler\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-04-14] (Google Inc.)

HKU\Tyler\...\Run: [msnmsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [3872080 2010-04-16] (Microsoft Corporation)

HKU\Tyler\...\Run: [Google Update] - [x]

HKU\Tyler\...\Run: [6FUbxx4jxy.exe] - C:\Users\Tyler\AppData\Local\rxgY3TaPS\6FUbxx4jxy.exe [125952 2013-09-16] ()

HKU\Tyler\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION 

HKU\Tyler\...\Command Processor: "C:\Users\Tyler\AppData\Local\rxgY3TaPS\6FUbxx4jxy.exe" <===== ATTENTION!

 

==================== Services (Whitelisted) =================

 

S2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)

S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)

S3 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-02-01] (Egis Technology Inc.)

S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [271760 2009-04-15] ()

 

==================== Drivers (Whitelisted) ====================

 

S3 libusb0; C:\Windows\System32\drivers\libusb0.sys [29184 2012-03-01] (http://libusb-win32.sourceforge.net)

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [74240 2011-02-16] (Research In Motion Limited)

S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2013-09-17 09:19 - 2013-09-17 09:19 - 00000000 ____D C:\FRST

2013-09-16 08:54 - 2013-09-16 21:15 - 00000000 ____D C:\Users\Tyler\AppData\Local\rxgY3TaPS

2013-08-26 13:42 - 2013-08-26 13:42 - 00027156 _____ C:\Users\Tyler\Downloads\receipt20130826174158476.htm

 

==================== One Month Modified Files and Folders =======

 

2013-09-17 09:19 - 2013-09-17 09:19 - 00000000 ____D C:\FRST

2013-09-17 07:18 - 2010-08-30 01:30 - 00000000 __SHD C:\Recovery

2013-09-17 03:40 - 2013-07-23 17:49 - 00000435 _____ C:\Windows\System32\Drivers\etc\hosts.ics

2013-09-17 03:39 - 2010-09-02 06:42 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-09-17 03:39 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2013-09-17 03:39 - 2009-07-13 20:51 - 00085089 _____ C:\Windows\setupact.log

2013-09-17 03:12 - 2010-05-22 21:01 - 01430414 _____ C:\Windows\WindowsUpdate.log

2013-09-17 03:11 - 2009-07-13 20:45 - 00017600 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-09-17 03:11 - 2009-07-13 20:45 - 00017600 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-09-17 03:04 - 2010-09-02 06:42 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-09-17 01:12 - 2012-10-19 17:29 - 00000000 ____D C:\Windows\System32\Macromed

2013-09-17 01:12 - 2010-08-30 01:31 - 00000000 ____D C:\users\Tyler

2013-09-17 01:12 - 2010-04-14 22:55 - 00000000 ____D C:\Program Files\Windows Journal

2013-09-17 01:12 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Offline Web Pages

2013-09-17 01:12 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender

2013-09-17 01:12 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender

2013-09-17 01:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-09-17 01:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions

2013-09-17 01:11 - 2010-10-14 13:44 - 00000000 ____D C:\ProgramData\Norton

2013-09-17 01:11 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-09-17 01:11 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2013-09-17 01:11 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2013-09-16 21:15 - 2013-09-16 08:54 - 00000000 ____D C:\Users\Tyler\AppData\Local\rxgY3TaPS

2013-09-16 08:21 - 2012-10-19 17:29 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-09-16 07:32 - 2010-10-14 13:44 - 00000402 ____H C:\Windows\Tasks\Norton Security Scan for Tyler.job

2013-09-15 10:30 - 2010-09-02 06:33 - 00000000 ____D C:\Users\Tyler\Tracing

2013-09-13 15:21 - 2012-10-19 17:29 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-09-13 15:21 - 2012-10-19 17:29 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-09-13 15:21 - 2012-10-19 17:29 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater

2013-09-06 02:07 - 2010-10-15 06:23 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Skype

2013-09-02 16:52 - 2012-11-21 16:21 - 00000000 ____D C:\Program Files (x86)\WildTangent Games

2013-09-02 16:51 - 2012-11-21 16:22 - 00002626 ____N C:\Users\Public\Desktop\WildTangent Games App - acer.lnk

2013-09-02 16:51 - 2010-08-30 01:57 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\WildTangent

2013-09-02 16:51 - 2010-04-14 22:49 - 00000000 ____D C:\ProgramData\WildTangent

2013-08-26 13:42 - 2013-08-26 13:42 - 00027156 _____ C:\Users\Tyler\Downloads\receipt20130826174158476.htm

2013-08-19 13:22 - 2010-09-15 05:03 - 00000344 _____ C:\Windows\lgfwup.ini

2013-08-19 13:22 - 2010-09-15 05:03 - 00000000 ____D C:\Program Files (x86)\lg_fwupdate

2013-08-18 06:06 - 2009-07-13 21:13 - 00726316 _____ C:\Windows\System32\PerfStringBackup.INI

 

Files to move or delete:

====================

C:\Users\Tyler\AppData\Local\rxgY3TaPS\6FUbxx4jxy.exe

ZeroAccess:

C:\Users\Tyler\AppData\Local\Google\Desktop\Install

 

 

Some content of TEMP:

====================

C:\Users\Tyler\AppData\Local\Temp\InstallFlashPlayer.exe

C:\Users\Tyler\AppData\Local\Temp\msimg32.dll

C:\Users\Tyler\AppData\Local\Temp\yhhjyasqsgdqqnyaivo.dll

C:\Users\Tyler\AppData\Local\Temp\yhhjyasqsgdqqnyaivo.exe

 

 

==================== Known DLLs (Whitelisted) ================

 

 

==================== Bamital & volsnap Check =================

 

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

 

==================== EXE ASSOCIATION =====================

 

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

 

==================== Restore Points  =========================

 

5

Restore point made on: 2013-08-29 14:28:35

Restore point made on: 2013-09-02 07:40:31

Restore point made on: 2013-09-06 07:41:15

Restore point made on: 2013-09-12 03:55:17

Restore point made on: 2013-09-16 08:57:48

 

==================== Memory info =========================== 

 

Percentage of memory in use: 19%

Total physical RAM: 3765.86 MB

Available physical RAM: 3041.6 MB

Total Pagefile: 3764.01 MB

Available Pagefile: 3028.35 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

 

==================== Drives ================================

 

Drive c: (ACER) (Fixed) (Total:285.3 GB) (Free:191.05 GB) NTFS

Drive e: (PQSERVICE) (Fixed) (Total:12.7 GB) (Free:1.57 GB) NTFS

Drive g: () (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: 17FF17FE)

Partition 1: (Not Active) - (Size=13 GB) - (Type=27)

Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=285 GB) - (Type=07 NTFS)

 

========================================================

Disk: 2 (MBR Code: Windows XP) (Size: 2 GB) (Disk ID: C3072E18)

Partition 1: (Active) - (Size=2 GB) - (Type=06)

 

 

LastRegBack: 2013-09-10 20:49

 

==================== End Of Log ============================

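The two FRST logs in this thread show the same persistence pattern twice under different random names: a user Run entry pointing into a random-named folder under AppData\Local, Winlogon Shell switched from explorer.exe to cmd.exe, and a Command Processor AutoRun value pointing at the same binary (so cmd.exe, started as the shell, launches the payload). As an added example that is not part of the thread or of FRST, this Python script scores the registry section of an FRST log for that pattern so the folder and file names do not matter; the sample log is a constructed excerpt modelled on the posted lines, and the random-name rule is a heuristic of my own, not an FRST rule.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the format of the FRST "Registry (Whitelisted)" section posted
# above: two benign autoruns plus the three entries FRST marked ATTENTION. Not the full log.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKU\Tyler\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-04-14] (Google Inc.)
HKU\Tyler\...\Run: [6FUbxx4jxy.exe] - C:\Users\Tyler\AppData\Local\rxgY3TaPS\6FUbxx4jxy.exe [125952 2013-09-16] ()
HKU\Tyler\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Tyler\...\Command Processor: "C:\Users\Tyler\AppData\Local\rxgY3TaPS\6FUbxx4jxy.exe" <===== ATTENTION!
"""

# Names like rxgY3TaPS / 6FUbxx4jxy / z7oRfNHG4: alphanumeric, mixed case, at least one
# digit. A heuristic (assumption), not a signature; it will not catch every naming scheme.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{6,16}$")
# Locations a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


def _strip_marker(value: str) -> str:
    """Drop FRST's trailing '<==== ATTENTION' marker and surrounding quotes."""
    return value.split(" <=")[0].strip().strip('"')


def parse_autorun(line: str):
    """Return (key, name, path, company) for a Run/RunOnce line, else None."""
    key, sep, rest = line.partition(": [")
    if not sep or not key.endswith(("\\Run", "\\RunOnce")):
        return None
    name, _, rest = rest.partition("] - ")
    path, _, tail = rest.rpartition(" [")          # tail holds "size date] (company)"
    company = tail[tail.rfind("(") + 1:tail.rfind(")")] if "(" in tail else ""
    return key, name, path.strip(), company


def looks_like_dropped_payload(path: str) -> bool:
    """User-writable location plus a random-looking parent folder or file stem."""
    low = path.lower()
    if not any(marker in low for marker in USER_WRITABLE):
        return False
    parts = path.split("\\")
    if len(parts) < 2:
        return False
    stem = parts[-1].rsplit(".", 1)[0]
    return bool(RANDOM_NAME.match(parts[-2]) or RANDOM_NAME.match(stem))


def triage(log_text: str) -> list:
    """Apply the three checks to every registry line and cross-reference the hits."""
    findings = []
    run_paths = set()
    autorun_paths = set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(": ")
        if key.endswith("\\Winlogon"):
            # Winlogon Shell should be explorer.exe; anything else replaces the desktop.
            name, _, rest = value.lstrip("[").partition("] ")
            exe = _strip_marker(rest.partition(" [")[0]).rsplit("\\", 1)[-1].lower()
            if name.lower() == "shell" and exe != "explorer.exe":
                findings.append(Finding("winlogon-shell", exe, line))
        elif key.endswith("\\Command Processor"):
            # cmd.exe runs this AutoRun value on every start; rarely set on purpose.
            target = _strip_marker(value)
            autorun_paths.add(target.lower())
            findings.append(Finding("cmd-autorun", target, line))
        else:
            parsed = parse_autorun(line)
            if parsed and looks_like_dropped_payload(parsed[2]):
                run_paths.add(parsed[2].lower())
                findings.append(Finding("suspicious-run-path", parsed[2], line))
    # Same binary reached through two persistence paths: treat it as one payload.
    for shared in sorted(run_paths & autorun_paths):
        findings.append(Finding("linked-persistence", shared, ""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.detail}")
```

Run against the second log in this thread, the same rules fire on the z7oRfNHG4\8GjrAyl8.exe entries even though that file carries a "Microsoft Corporation" company string, which FRST reads from the file's version resource rather than from a signature.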

Save the attached file fixlist.txt to your USB stick (g:\) same place as FRST.

Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

Reboot to normal windows and continue:

 

Open Malwarebytes, check for updates then run Quick scan. Full instructions follow if Malwarebytes is not installed:

 

Download Malwarebytes from one of the following links and save it to your desktop:

 

 

http://www.malwarebytes.org/mbam.php

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

 

Double Click mbam-setup.exe to install the application.


Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

 

Let me see those logs, also give an update on current issues/concerns...

 

Kevin

 

fixlist.txt


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-09-2013 03

Ran by SYSTEM at 2013-09-18 00:02:55 Run:1

Running from G:\

Boot Mode: Recovery

==============================================

 

Content of fixlist:

*****************

Start

HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [887976 2011-08-23] (Ask)

HKU\Tyler\...\Run: [6FUbxx4jxy.exe] - C:\Users\Tyler\AppData\Local\rxgY3TaPS\6FUbxx4jxy.exe [125952 2013-09-16] ()

HKU\Tyler\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION 

HKU\Tyler\...\Command Processor: "C:\Users\Tyler\AppData\Local\rxgY3TaPS\6FUbxx4jxy.exe" <===== ATTENTION!

C:\Users\Tyler\AppData\Local\rxgY3TaPS\6FUbxx4jxy.exe

C:\Users\Tyler\AppData\Local\Google\Desktop\Install

C:\Users\Tyler\AppData\Local\rxgY3TaPS

C:\Users\Tyler\AppData\Local\Temp\InstallFlashPlayer.exe

C:\Users\Tyler\AppData\Local\Temp\msimg32.dll

C:\Users\Tyler\AppData\Local\Temp\yhhjyasqsgdqqnyaivo.dll

C:\Users\Tyler\AppData\Local\Temp\yhhjyasqsgdqqnyaivo.exe

End

 

*****************

 

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater => Value deleted successfully.

HKU\Tyler\Software\Microsoft\Windows\CurrentVersion\Run\\6FUbxx4jxy.exe => Value deleted successfully.

HKU\Tyler\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

HKU\Tyler\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.

C:\Users\Tyler\AppData\Local\rxgY3TaPS\6FUbxx4jxy.exe => Moved successfully.

C:\Users\Tyler\AppData\Local\Google\Desktop\Install => Moved successfully.

C:\Users\Tyler\AppData\Local\rxgY3TaPS => Moved successfully.

C:\Users\Tyler\AppData\Local\Temp\InstallFlashPlayer.exe => Moved successfully.

C:\Users\Tyler\AppData\Local\Temp\msimg32.dll => Moved successfully.

C:\Users\Tyler\AppData\Local\Temp\yhhjyasqsgdqqnyaivo.dll => Moved successfully.

C:\Users\Tyler\AppData\Local\Temp\yhhjyasqsgdqqnyaivo.exe => Moved successfully.

 

==== End of Fixlog ====

Malwarebytes Anti-Malware (Trial) 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.09.18.02

 

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Tyler :: TYLER-PC [administrator]

 

Protection: Enabled

 

18/09/2013 12:19:29 AM

mbam-log-2013-09-18 (00-19-29).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 201797

Time elapsed: 13 minute(s), 14 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

OK continue:

 

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

 

  • Double click on AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review.
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted (if necessary):
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

 

Next,

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7 users right-click on the IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/home/products/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report here

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Let me see those logs...

 

Kevin


Sorry, after malware I thought I was done; now back to square 1. Here is my file:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-09-2013 03
Ran by SYSTEM on MININT-HLDRP0N on 20-09-2013 00:00:31
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [mwlDaemon] - C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-02-01] (Egis Technology Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10060832 2010-02-08] (Realtek Semiconductor)
HKLM\...\Run: [PLFSetI] - C:\Windows\PLFSetI.exe [206208 2010-05-22] ()
HKLM\...\Run: [Apoint] - C:\Program Files\Apoint2K\Apoint.exe [344872 2010-03-09] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Acer ePower Management] - C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [860704 2010-03-17] (Acer Incorporated)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [WrtMon.exe] - C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2007-07-18] ()
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM-x32\...\Run: [backupManagerTray] - C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [260608 2010-03-08] (NewTech Infosystems, Inc.)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] - C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe [588648 2009-07-24] (Symantec Corporation)
HKLM-x32\...\Run: [suiteTray] - C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [337264 2010-02-01] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] - C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201512 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] - C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [401192 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [1300560 2010-03-03] (Dritek System Inc.)
HKLM-x32\...\Run: [WordQ carat flag] - C:\Program Files (x86)\WordQ2\WordQcrs.exe [24576 2010-04-28] ()
HKLM-x32\...\Run: [updateLBPShortCut] - C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer] - C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [103720 2009-06-03] (CyberLink)
HKLM-x32\...\Run: [updateP2GoShortCut] - C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [RemoteControl8] - C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe [91432 2009-04-15] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD8LanguageShortcut] - C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe [50472 2009-04-15] (CyberLink Corp.)
HKLM-x32\...\Run: [updatePPShortCut] - C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [uCam_Menu] - C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [218408 2009-02-17] (CyberLink Corp.)
HKLM-x32\...\Run: [LGODDFU] - C:\Program Files (x86)\lg_fwupdate\lgfw.exe [27760 2012-07-26] (Bitleader)
HKLM-x32\...\Run: [updatePSTShortCut] - C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [210216 2009-09-29] (CyberLink Corp.)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [79192 2011-02-18] (Research In Motion Limited)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKU\Default\...\RunOnce: [scrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()
HKU\Default User\...\RunOnce: [scrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()
HKU\Tyler\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-04-14] (Google Inc.)
HKU\Tyler\...\Run: [msnmsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [3872080 2010-04-16] (Microsoft Corporation)
HKU\Tyler\...\Run: [Google Update] - [x]
HKU\Tyler\...\Run: [8GjrAyl8.exe] - C:\Users\Tyler\AppData\Local\z7oRfNHG4\8GjrAyl8.exe [99032 2013-09-19] (Microsoft Corporation)
HKU\Tyler\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION 
HKU\Tyler\...\Command Processor: "C:\Users\Tyler\AppData\Local\z7oRfNHG4\8GjrAyl8.exe" <===== ATTENTION!
 
==================== Services (Whitelisted) =================
 
S2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-02-01] (Egis Technology Inc.)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [271760 2009-04-15] ()
 
==================== Drivers (Whitelisted) ====================
 
S3 libusb0; C:\Windows\System32\drivers\libusb0.sys [29184 2012-03-01] (http://libusb-win32.sourceforge.net)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [74240 2011-02-16] (Research In Motion Limited)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-09-19 17:55 - 2013-09-19 17:58 - 00000000 ____D C:\Users\Tyler\AppData\Local\z7oRfNHG4
2013-09-19 17:55 - 2013-09-19 17:55 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\uDDb5JB4
2013-09-19 17:55 - 2013-09-19 17:55 - 00238592 _____ C:\Users\Tyler\AppData\Local\YKJ7negY
2013-09-19 17:55 - 2013-09-19 17:55 - 00238592 _____ C:\ProgramData\Md0pdKyIsCY
2013-09-19 07:58 - 2013-09-19 07:58 - 00000000 _____ C:\Users\Tyler\AppData\Roaming\wklnhst.dat
2013-09-17 20:17 - 2013-09-17 20:17 - 00001077 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-17 20:17 - 2013-09-17 20:17 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Malwarebytes
2013-09-17 20:16 - 2013-09-17 20:17 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-17 20:16 - 2013-09-17 20:16 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-09-17 20:16 - 2013-04-04 10:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-09-17 20:14 - 2013-09-17 20:15 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tyler\Downloads\mbam-setup-1.75.0.1300.exe
2013-09-17 09:19 - 2013-09-17 09:19 - 00000000 ____D C:\FRST
2013-08-26 13:42 - 2013-08-26 13:42 - 00027156 _____ C:\Users\Tyler\Downloads\receipt20130826174158476.htm
 
==================== One Month Modified Files and Folders =======
 
2013-09-19 19:50 - 2013-07-23 17:49 - 00000434 _____ C:\Windows\System32\Drivers\etc\hosts.ics
2013-09-19 19:50 - 2010-09-02 06:42 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-19 19:50 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-19 19:49 - 2009-07-13 20:51 - 00085369 _____ C:\Windows\setupact.log
2013-09-19 17:58 - 2013-09-19 17:55 - 00000000 ____D C:\Users\Tyler\AppData\Local\z7oRfNHG4
2013-09-19 17:57 - 2010-05-22 21:01 - 01877153 _____ C:\Windows\WindowsUpdate.log
2013-09-19 17:55 - 2013-09-19 17:55 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\uDDb5JB4
2013-09-19 17:55 - 2013-09-19 17:55 - 00238592 _____ C:\Users\Tyler\AppData\Local\YKJ7negY
2013-09-19 17:55 - 2013-09-19 17:55 - 00238592 _____ C:\ProgramData\Md0pdKyIsCY
2013-09-19 17:21 - 2012-10-19 17:29 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-19 17:16 - 2010-09-02 06:42 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-19 07:58 - 2013-09-19 07:58 - 00000000 _____ C:\Users\Tyler\AppData\Roaming\wklnhst.dat
2013-09-18 18:57 - 2010-10-14 13:44 - 00000402 ____H C:\Windows\Tasks\Norton Security Scan for Tyler.job
2013-09-17 20:40 - 2010-09-15 05:03 - 00000344 _____ C:\Windows\lgfwup.ini
2013-09-17 20:40 - 2010-09-15 05:03 - 00000000 ____D C:\Program Files (x86)\lg_fwupdate
2013-09-17 20:17 - 2013-09-17 20:17 - 00001077 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-17 20:17 - 2013-09-17 20:17 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Malwarebytes
2013-09-17 20:17 - 2013-09-17 20:16 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-17 20:16 - 2013-09-17 20:16 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-09-17 20:15 - 2013-09-17 20:14 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tyler\Downloads\mbam-setup-1.75.0.1300.exe
2013-09-17 20:15 - 2009-07-13 20:45 - 00017600 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-17 20:15 - 2009-07-13 20:45 - 00017600 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-17 20:07 - 2010-09-02 06:33 - 00000000 ____D C:\Users\Tyler\Tracing
2013-09-17 09:19 - 2013-09-17 09:19 - 00000000 ____D C:\FRST
2013-09-17 07:18 - 2010-08-30 01:30 - 00000000 __SHD C:\Recovery
2013-09-17 01:12 - 2012-10-19 17:29 - 00000000 ____D C:\Windows\System32\Macromed
2013-09-17 01:12 - 2010-08-30 01:31 - 00000000 ____D C:\users\Tyler
2013-09-17 01:12 - 2010-04-14 22:55 - 00000000 ____D C:\Program Files\Windows Journal
2013-09-17 01:12 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Offline Web Pages
2013-09-17 01:12 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-09-17 01:12 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-09-17 01:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-09-17 01:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-09-17 01:11 - 2010-10-14 13:44 - 00000000 ____D C:\ProgramData\Norton
2013-09-17 01:11 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-09-17 01:11 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-09-17 01:11 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-09-13 15:21 - 2012-10-19 17:29 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-09-13 15:21 - 2012-10-19 17:29 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-09-13 15:21 - 2012-10-19 17:29 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-09-06 02:07 - 2010-10-15 06:23 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Skype
2013-09-02 16:52 - 2012-11-21 16:21 - 00000000 ____D C:\Program Files (x86)\WildTangent Games
2013-09-02 16:51 - 2012-11-21 16:22 - 00002626 ____N C:\Users\Public\Desktop\WildTangent Games App - acer.lnk
2013-09-02 16:51 - 2010-08-30 01:57 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\WildTangent
2013-09-02 16:51 - 2010-04-14 22:49 - 00000000 ____D C:\ProgramData\WildTangent
2013-08-26 13:42 - 2013-08-26 13:42 - 00027156 _____ C:\Users\Tyler\Downloads\receipt20130826174158476.htm
 
Files to move or delete:
====================
C:\Users\Tyler\AppData\Local\z7oRfNHG4\8GjrAyl8.exe
 
 
Some content of TEMP:
====================
C:\Users\Tyler\AppData\Local\Temp\vtpkfaytnybxotirwyf.dll
C:\Users\Tyler\AppData\Local\Temp\vtpkfaytnybxotirwyf.exe
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
4
Restore point made on: 2013-09-06 07:41:15
Restore point made on: 2013-09-12 03:55:17
Restore point made on: 2013-09-16 08:57:48
Restore point made on: 2013-09-17 20:37:26
 
==================== Memory info =========================== 
 
Percentage of memory in use: 18%
Total physical RAM: 3765.86 MB
Available physical RAM: 3056.91 MB
Total Pagefile: 3764.01 MB
Available Pagefile: 3049.47 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
 
==================== Drives ================================
 
Drive c: (ACER) (Fixed) (Total:285.3 GB) (Free:191.75 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:12.7 GB) (Free:1.57 GB) NTFS
Drive g: () (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: 17FF17FE)
Partition 1: (Not Active) - (Size=13 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=285 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 2 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=2 GB) - (Type=06)
 
 
LastRegBack: 2013-09-10 20:49
 
==================== End Of Log ============================

Here is the file. To top it off, I now have the Interpol virus, which started out disguising itself as Security Essentials. I have added this as an attachment too, as I am not sure what is easier for you.

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-09-2013 03
Ran by SYSTEM on MININT-7PEN3VD on 20-09-2013 08:25:54
Running from G:\
WIN_7 (X64) OS Language: English(US)
Boot Mode: Recovery
Attention: Could not load system hive.
==================== Registry (Whitelisted) ==================
 
ATTENTION: Software hive is not loaded.
 
HKU\Default\...\RunOnce: [scrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()
HKU\Default User\...\RunOnce: [scrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()
HKU\Tyler\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-04-14] (Google Inc.)
HKU\Tyler\...\Run: [msnmsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [3872080 2010-04-16] (Microsoft Corporation)
HKU\Tyler\...\Run: [Google Update] - [x]
HKU\Tyler\...\Run: [8GjrAyl8.exe] - C:\Users\Tyler\AppData\Local\z7oRfNHG4\8GjrAyl8.exe [99032 2013-09-19] (Microsoft Corporation)
HKU\Tyler\...\Run: [tZIsngznqS9.exe] - C:\Users\Tyler\AppData\Local\F7ShP3px8\tZIsngznqS9.exe [99032 2013-09-19] (Microsoft Corporation)
HKU\Tyler\...\Run: [HaZK65eD.exe] - C:\Users\Tyler\AppData\Local\kkkbMCc2RWD\HaZK65eD.exe [99032 2013-09-19] (Microsoft Corporation)
HKU\Tyler\...\Run: [rF8ALNbm.exe] - C:\Users\Tyler\AppData\Local\HsHG3R3wQ\rF8ALNbm.exe [99032 2013-09-19] (Microsoft Corporation)
HKU\Tyler\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION 
HKU\Tyler\...\Command Processor: "C:\Users\Tyler\AppData\Local\HsHG3R3wQ\rF8ALNbm.exe" <===== ATTENTION!
 
==================== Services (Whitelisted) =================
 
 
==================== Drivers (Whitelisted) ====================
 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-09-19 21:33 - 2013-09-19 21:33 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\I96hFi8VXk
2013-09-19 21:33 - 2013-09-19 21:33 - 00238592 _____ C:\Users\Tyler\AppData\Local\lrxEdMHrKJN
2013-09-19 21:33 - 2013-09-19 21:33 - 00238592 _____ C:\ProgramData\zm5hRHseO
2013-09-19 21:29 - 2013-09-19 21:29 - 02049128 _____ (Trend Micro Inc.) C:\Users\Tyler\Downloads\HousecallLauncher.exe
2013-09-19 21:29 - 2013-09-19 21:29 - 00000036 _____ C:\Users\Tyler\AppData\Local\housecall.guid.cache
2013-09-19 21:18 - 2013-09-19 21:18 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\StQjI5NYK
2013-09-19 21:18 - 2013-09-19 21:18 - 00238592 _____ C:\Users\Tyler\AppData\Local\7VsiPeb0rc
2013-09-19 21:18 - 2013-09-19 21:18 - 00238592 _____ C:\ProgramData\x8wiWaPzL5E
2013-09-19 21:01 - 2013-09-19 21:00 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\DbyyiLwh6kl
2013-09-19 21:01 - 2013-09-19 21:00 - 00238592 _____ C:\Users\Tyler\AppData\Local\eaY7n3t5r
2013-09-19 21:01 - 2013-09-19 21:00 - 00238592 _____ C:\ProgramData\Hk67nFfQ
2013-09-19 20:44 - 2013-09-19 21:15 - 00000000 ____D C:\AdwCleaner
2013-09-19 20:43 - 2013-09-19 20:45 - 01039554 _____ C:\Users\Tyler\Downloads\AdwCleaner (1).exe
2013-09-19 20:42 - 2013-09-19 20:43 - 01039554 _____ C:\Users\Tyler\Downloads\AdwCleaner.exe
2013-09-19 17:55 - 2013-09-20 08:26 - 00000000 ____D C:\Users\Tyler\AppData\Local\z7oRfNHG4
2013-09-19 17:55 - 2013-09-19 17:55 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\uDDb5JB4
2013-09-19 17:55 - 2013-09-19 17:55 - 00238592 _____ C:\Users\Tyler\AppData\Local\YKJ7negY
2013-09-19 17:55 - 2013-09-19 17:55 - 00238592 _____ C:\ProgramData\Md0pdKyIsCY
2013-09-19 07:58 - 2013-09-19 07:58 - 00000000 _____ C:\Users\Tyler\AppData\Roaming\wklnhst.dat
2013-09-17 20:17 - 2013-09-17 20:17 - 00001077 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-17 20:17 - 2013-09-17 20:17 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Malwarebytes
2013-09-17 20:16 - 2013-09-17 20:17 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-17 20:16 - 2013-09-17 20:16 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-09-17 20:16 - 2013-04-04 10:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-09-17 20:14 - 2013-09-17 20:15 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tyler\Downloads\mbam-setup-1.75.0.1300.exe
2013-09-17 09:19 - 2013-09-20 08:25 - 00000000 ____D C:\FRST
2013-08-26 13:42 - 2013-08-26 13:42 - 00027156 _____ C:\Users\Tyler\Downloads\receipt20130826174158476.htm
 
==================== One Month Modified Files and Folders =======
 
2013-09-20 08:26 - 2013-09-19 17:55 - 00000000 ____D C:\Users\Tyler\AppData\Local\z7oRfNHG4
2013-09-20 08:26 - 2010-08-30 01:31 - 00000000 ____D C:\users\Tyler
2013-09-20 08:25 - 2013-09-17 09:19 - 00000000 ____D C:\FRST
2013-09-20 04:12 - 2013-07-23 17:49 - 00000435 _____ C:\Windows\System32\Drivers\etc\hosts.ics
2013-09-20 04:11 - 2010-09-02 06:42 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-20 04:11 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-20 04:11 - 2009-07-13 20:51 - 00085817 _____ C:\Windows\setupact.log
2013-09-19 21:42 - 2010-05-22 21:01 - 02069170 _____ C:\Windows\WindowsUpdate.log
2013-09-19 21:33 - 2013-09-19 21:33 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\I96hFi8VXk
2013-09-19 21:33 - 2013-09-19 21:33 - 00238592 _____ C:\Users\Tyler\AppData\Local\lrxEdMHrKJN
2013-09-19 21:33 - 2013-09-19 21:33 - 00238592 _____ C:\ProgramData\zm5hRHseO
2013-09-19 21:31 - 2009-07-13 20:45 - 00017600 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-19 21:31 - 2009-07-13 20:45 - 00017600 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-19 21:29 - 2013-09-19 21:29 - 02049128 _____ (Trend Micro Inc.) C:\Users\Tyler\Downloads\HousecallLauncher.exe
2013-09-19 21:29 - 2013-09-19 21:29 - 00000036 _____ C:\Users\Tyler\AppData\Local\housecall.guid.cache
2013-09-19 21:24 - 2010-09-02 06:33 - 00000000 ____D C:\Users\Tyler\Tracing
2013-09-19 21:18 - 2013-09-19 21:18 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\StQjI5NYK
2013-09-19 21:18 - 2013-09-19 21:18 - 00238592 _____ C:\Users\Tyler\AppData\Local\7VsiPeb0rc
2013-09-19 21:18 - 2013-09-19 21:18 - 00238592 _____ C:\ProgramData\x8wiWaPzL5E
2013-09-19 21:15 - 2013-09-19 20:44 - 00000000 ____D C:\AdwCleaner
2013-09-19 21:00 - 2013-09-19 21:01 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\DbyyiLwh6kl
2013-09-19 21:00 - 2013-09-19 21:01 - 00238592 _____ C:\Users\Tyler\AppData\Local\eaY7n3t5r
2013-09-19 21:00 - 2013-09-19 21:01 - 00238592 _____ C:\ProgramData\Hk67nFfQ
2013-09-19 20:45 - 2013-09-19 20:43 - 01039554 _____ C:\Users\Tyler\Downloads\AdwCleaner (1).exe
2013-09-19 20:43 - 2013-09-19 20:42 - 01039554 _____ C:\Users\Tyler\Downloads\AdwCleaner.exe
2013-09-19 17:55 - 2013-09-19 17:55 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\uDDb5JB4
2013-09-19 17:55 - 2013-09-19 17:55 - 00238592 _____ C:\Users\Tyler\AppData\Local\YKJ7negY
2013-09-19 17:55 - 2013-09-19 17:55 - 00238592 _____ C:\ProgramData\Md0pdKyIsCY
2013-09-19 17:21 - 2012-10-19 17:29 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-19 17:16 - 2010-09-02 06:42 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-19 07:58 - 2013-09-19 07:58 - 00000000 _____ C:\Users\Tyler\AppData\Roaming\wklnhst.dat
2013-09-18 18:57 - 2010-10-14 13:44 - 00000402 ____H C:\Windows\Tasks\Norton Security Scan for Tyler.job
2013-09-17 20:40 - 2010-09-15 05:03 - 00000344 _____ C:\Windows\lgfwup.ini
2013-09-17 20:40 - 2010-09-15 05:03 - 00000000 ____D C:\Program Files (x86)\lg_fwupdate
2013-09-17 20:17 - 2013-09-17 20:17 - 00001077 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-17 20:17 - 2013-09-17 20:17 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Malwarebytes
2013-09-17 20:17 - 2013-09-17 20:16 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-17 20:16 - 2013-09-17 20:16 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-09-17 20:15 - 2013-09-17 20:14 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tyler\Downloads\mbam-setup-1.75.0.1300.exe
2013-09-17 07:18 - 2010-08-30 01:30 - 00000000 __SHD C:\Recovery
2013-09-17 01:12 - 2012-10-19 17:29 - 00000000 ____D C:\Windows\System32\Macromed
2013-09-17 01:12 - 2010-04-14 22:55 - 00000000 ____D C:\Program Files\Windows Journal
2013-09-17 01:12 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Offline Web Pages
2013-09-17 01:12 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-09-17 01:12 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-09-17 01:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-09-17 01:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-09-17 01:11 - 2010-10-14 13:44 - 00000000 ____D C:\ProgramData\Norton
2013-09-17 01:11 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-09-17 01:11 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-09-17 01:11 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-09-13 15:21 - 2012-10-19 17:29 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-09-13 15:21 - 2012-10-19 17:29 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-09-13 15:21 - 2012-10-19 17:29 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-09-06 02:07 - 2010-10-15 06:23 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Skype
2013-09-02 16:52 - 2012-11-21 16:21 - 00000000 ____D C:\Program Files (x86)\WildTangent Games
2013-09-02 16:51 - 2012-11-21 16:22 - 00002626 ____N C:\Users\Public\Desktop\WildTangent Games App - acer.lnk
2013-09-02 16:51 - 2010-08-30 01:57 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\WildTangent
2013-09-02 16:51 - 2010-04-14 22:49 - 00000000 ____D C:\ProgramData\WildTangent
2013-08-26 13:42 - 2013-08-26 13:42 - 00027156 _____ C:\Users\Tyler\Downloads\receipt20130826174158476.htm
 
Files to move or delete:
====================
C:\Users\Tyler\AppData\Local\HsHG3R3wQ\rF8ALNbm.exe
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe:  <===== ATTENTION!
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION!
HKLM\...\exefile\open\command:  <===== ATTENTION!
 
==================== Restore Points  =========================
 
4
Restore point made on: 2013-09-06 07:41:15
Restore point made on: 2013-09-12 03:55:17
Restore point made on: 2013-09-16 08:57:48
Restore point made on: 2013-09-17 20:37:26
 
==================== Memory info =========================== 
 
Percentage of memory in use: 18%
Total physical RAM: 3765.86 MB
Available physical RAM: 3052.97 MB
Total Pagefile: 3764.01 MB
Available Pagefile: 3091 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
 
==================== Drives ================================
 
Drive c: (ACER) (Fixed) (Total:285.3 GB) (Free:191.41 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:12.7 GB) (Free:1.57 GB) NTFS
Drive g: () (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: 17FF17FE)
Partition 1: (Not Active) - (Size=13 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=285 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 2 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=2 GB) - (Type=06)
 
 
LastRegBack: 2013-09-10 20:49
 
==================== End Of Log ============================

I'm not exactly sure what you are doing. If you have run ESET, can you post its log? Also run FRST again and post fresh logs...

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Do not run fixes before I can check your logs.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-09-2013 01

Ran by Tyler (administrator) on TYLER-PC on 20-09-2013 11:11:03

Running from C:\Users\Tyler\Desktop

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Normal

 

==================== Processes (Whitelisted) =================

 

(ABBYY) C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe

(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe

(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe

(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe

(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe

() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe

(Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe

(Microsoft Corporation) C:\Windows\System32\alg.exe

(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe

(Intel Corporation) C:\Windows\System32\igfxtray.exe

(Intel Corporation) C:\Windows\System32\hkcmd.exe

(Intel Corporation) C:\Windows\System32\igfxpers.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

(Intel Corporation) C:\Windows\system32\igfxsrvc.exe

() C:\Windows\PLFSetI.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apoint.exe

(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

() C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe

(Google Inc.) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

(NewSoft Technology Corporation) C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe

(Intel Corporation) C:\Windows\system32\igfxext.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApMsgFwd.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apntex.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\HidFind.exe

(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe

() C:\Program Files (x86)\CD-R KING\OpticSlim 2600\DocuAction.exe

(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe

(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe

(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe

(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe

(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe

(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe

(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe

(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe

(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe

(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe

(BitLeader) C:\Program Files (x86)\lg_fwupdate\fwupdate.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

(Microsoft Corporation) C:\Windows\system32\UI0Detect.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_8_800_174_ActiveX.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [mwlDaemon] - C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-02-01] (Egis Technology Inc.)

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10060832 2010-02-08] (Realtek Semiconductor)

HKLM\...\Run: [PLFSetI] - C:\Windows\PLFSetI.exe [206208 2010-05-23] ()

HKLM\...\Run: [Apoint] - C:\Program Files\Apoint2K\Apoint.exe [344872 2010-03-09] (Alps Electric Co., Ltd.)

HKLM\...\Run: [Acer ePower Management] - C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [860704 2010-03-17] (Acer Incorporated)

HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)

HKLM\...\Run: [WrtMon.exe] - C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2007-07-18] ()

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKCU\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-04-15] (Google Inc.)

HKCU\...\Run: [msnmsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [3872080 2010-04-16] (Microsoft Corporation)

HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)

MountPoints2: {529847a8-bb30-11df-8b91-78e400ae37b7} - D:\setup.exe

HKLM-x32\...\Run: [backupManagerTray] - C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [260608 2010-03-08] (NewTech Infosystems, Inc.)

HKLM-x32\...\Run: [suiteTray] - C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [337264 2010-02-01] (Egis Technology Inc.)

HKLM-x32\...\Run: [EgisUpdate] - C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201512 2009-12-24] (Egis Technology Inc.)

HKLM-x32\...\Run: [EgisTecPMMUpdate] - C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [401192 2009-12-24] (Egis Technology Inc.)

HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [1300560 2010-03-04] (Dritek System Inc.)

HKLM-x32\...\Run: [WordQ carat flag] - C:\Program Files (x86)\WordQ2\WordQcrs.exe [24576 2010-04-29] ()

HKLM-x32\...\Run: [updateLBPShortCut] - C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [CLMLServer] - C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [103720 2009-06-03] (CyberLink)

HKLM-x32\...\Run: [updateP2GoShortCut] - C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [RemoteControl8] - C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe [91432 2009-04-15] (CyberLink Corp.)

HKLM-x32\...\Run: [PDVD8LanguageShortcut] - C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe [50472 2009-04-15] (CyberLink Corp.)

HKLM-x32\...\Run: [updatePPShortCut] - C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [uCam_Menu] - C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [218408 2009-02-17] (CyberLink Corp.)

HKLM-x32\...\Run: [LGODDFU] - C:\Program Files (x86)\lg_fwupdate\lgfw.exe [27760 2012-07-26] (Bitleader)

HKLM-x32\...\Run: [updatePSTShortCut] - C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [210216 2009-09-29] (CyberLink Corp.)

HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [79192 2011-02-18] (Research In Motion Limited)

HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-08-27] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-09-09] (Apple Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)

HKU\Default\...\RunOnce: [scrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()

HKU\Default User\...\RunOnce: [scrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()

 

==================== Internet (Whitelisted) ====================

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?brand=ACAW&bmod=ACRW&aig=0&reason=1

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_1830t&r=27360810z016l0448z1h5t4681k422

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_1830t&r=27360810z016l0448z1h5t4681k422


HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_1830t&r=27360810z016l0448z1h5t4681k422

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_1830t&r=27360810z016l0448z1h5t4681k422

StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe

SearchScopes: HKCU - {36A8C685-325A-4DBA-A109-F2985EC0D732} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=U3&apn_dtid=OSJ000YYCA&apn_uid=F202BB0C-D6ED-4BAD-A644-B140131EA79C&apn_sauid=A79E9D06-F656-452D-AFA2-E2341DEAD9C6&

BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File

BHO-x32: KESIReaderBHO Class - {67EC1BB4-1AC3-4B5E-9CAD-DA52013E7C31} - C:\Program Files (x86)\Kurzweil Educational Systems\Common Files\KESIReaderIE.dll (TODO: <Company name>)

BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

Toolbar: HKCU -  No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File

DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File

Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)

Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)

Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)

Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} -  No File

Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} -  No File

Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} -  No File

Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} -  No File

Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} -  No File

Filter-x32: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)

Filter-x32: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)

Filter-x32: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)

Filter-x32: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)

Filter-x32: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)

Tcpip\..\Interfaces\{7C33C9E4-F6F2-4F98-A30C-A6C3A027CD64}: [NameServer]8.8.8.8 205.208.139.32

 

Chrome: 

=======

CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}

CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}

CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\ppGoogleNaClPluginChrome.dll ()

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\pdf.dll ()

CHR Plugin: (Adobe Acrobat) - c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)

CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)

CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)

CHR Plugin: (RIM Handheld Application Loader) - C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()

CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File

CHR Plugin: (Java Platform SE 6 U37) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)

CHR Plugin: (Java Deployment Toolkit 6.0.370.6) - C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)

CHR Plugin: (Windows Live\u00AE Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll No File

CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File

CHR Extension: (YouTube) - C:\Users\Tyler\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0

CHR Extension: (Google Search) - C:\Users\Tyler\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0

CHR Extension: (Chrome In-App Payments service) - C:\Users\Tyler\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0

CHR Extension: (Gmail) - C:\Users\Tyler\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1

 

==================== Services (Whitelisted) =================

 

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)

S3 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-02-01] (Egis Technology Inc.)

R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [271760 2009-04-15] ()

 

==================== Drivers (Whitelisted) ====================

 

S3 libusb0; C:\Windows\System32\drivers\libusb0.sys [29184 2012-03-02] (http://libusb-win32.sourceforge.net)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [74240 2011-02-16] (Research In Motion Limited)

R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)

S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2013-09-20 11:08 - 2013-09-20 11:09 - 01950622 _____ (Farbar) C:\Users\Tyler\Desktop\FRST64.exe

2013-09-20 11:07 - 2013-09-20 11:07 - 00000236 _____ C:\Users\Tyler\Desktop\eESET SCAN.txt

2013-09-20 08:53 - 2013-09-20 08:53 - 00891144 _____ C:\Users\Tyler\Desktop\SecurityCheck.exe

2013-09-20 08:48 - 2013-09-20 08:48 - 00000000 ____D C:\Program Files (x86)\ESET

2013-09-20 08:46 - 2013-09-20 08:47 - 01039554 _____ C:\Users\Tyler\Desktop\AdwCleaner.exe

2013-09-20 08:45 - 2013-09-20 08:46 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tyler\Desktop\mbam-setup-1.75.0.1300 (1).exe

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\I96hFi8VXk

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\Users\Tyler\AppData\Local\lrxEdMHrKJN

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\ProgramData\zm5hRHseO

2013-09-20 01:29 - 2013-09-20 01:29 - 00000036 _____ C:\Users\Tyler\AppData\Local\housecall.guid.cache

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\StQjI5NYK

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\Users\Tyler\AppData\Local\7VsiPeb0rc

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\ProgramData\x8wiWaPzL5E

2013-09-20 01:01 - 2013-09-20 01:00 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\DbyyiLwh6kl

2013-09-20 01:01 - 2013-09-20 01:00 - 00238592 _____ C:\Users\Tyler\AppData\Local\eaY7n3t5r

2013-09-20 01:01 - 2013-09-20 01:00 - 00238592 _____ C:\ProgramData\Hk67nFfQ

2013-09-20 00:44 - 2013-09-20 01:15 - 00000000 ____D C:\AdwCleaner

2013-09-19 21:55 - 2013-09-20 12:26 - 00000000 ____D C:\Users\Tyler\AppData\Local\z7oRfNHG4

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\uDDb5JB4

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\Users\Tyler\AppData\Local\YKJ7negY

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\ProgramData\Md0pdKyIsCY

2013-09-19 11:58 - 2013-09-19 11:58 - 00000000 _____ C:\Users\Tyler\AppData\Roaming\wklnhst.dat

2013-09-18 00:17 - 2013-09-18 00:17 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Malwarebytes

2013-09-18 00:16 - 2013-09-18 00:16 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-09-18 00:14 - 2013-09-18 00:15 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tyler\Downloads\mbam-setup-1.75.0.1300.exe

2013-09-17 13:19 - 2013-09-20 12:25 - 00000000 ____D C:\FRST

2013-08-26 17:42 - 2013-08-26 17:42 - 00027156 _____ C:\Users\Tyler\Downloads\receipt20130826174158476.htm

 

==================== One Month Modified Files and Folders =======

 

2013-09-20 12:26 - 2013-09-19 21:55 - 00000000 ____D C:\Users\Tyler\AppData\Local\z7oRfNHG4

2013-09-20 12:26 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration

2013-09-20 12:25 - 2013-09-17 13:19 - 00000000 ____D C:\FRST

2013-09-20 11:09 - 2013-09-20 11:08 - 01950622 _____ (Farbar) C:\Users\Tyler\Desktop\FRST64.exe

2013-09-20 11:07 - 2013-09-20 11:07 - 00000236 _____ C:\Users\Tyler\Desktop\eESET SCAN.txt

2013-09-20 10:31 - 2010-05-23 01:01 - 01484485 _____ C:\Windows\WindowsUpdate.log

2013-09-20 10:21 - 2012-10-19 21:29 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-09-20 10:16 - 2010-09-02 10:42 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-09-20 09:22 - 2012-10-19 21:29 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater

2013-09-20 09:21 - 2012-10-19 21:29 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-09-20 09:21 - 2012-10-19 21:29 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-09-20 08:53 - 2013-09-20 08:53 - 00891144 _____ C:\Users\Tyler\Desktop\SecurityCheck.exe

2013-09-20 08:48 - 2013-09-20 08:48 - 00000000 ____D C:\Program Files (x86)\ESET

2013-09-20 08:47 - 2013-09-20 08:46 - 01039554 _____ C:\Users\Tyler\Desktop\AdwCleaner.exe

2013-09-20 08:47 - 2009-07-14 01:13 - 00726316 _____ C:\Windows\system32\PerfStringBackup.INI

2013-09-20 08:46 - 2013-09-20 08:45 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tyler\Desktop\mbam-setup-1.75.0.1300 (1).exe

2013-09-20 08:44 - 2009-07-14 00:51 - 00085997 _____ C:\Windows\setupact.log

2013-09-20 08:44 - 2009-07-14 00:45 - 00017600 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-09-20 08:44 - 2009-07-14 00:45 - 00017600 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-09-20 08:43 - 2013-07-23 21:49 - 00000436 _____ C:\Windows\system32\Drivers\etc\hosts.ics

2013-09-20 08:41 - 2010-04-15 03:02 - 00000000 ____D C:\ProgramData\Symantec

2013-09-20 08:40 - 2010-10-14 17:44 - 00000000 ____D C:\ProgramData\Norton

2013-09-20 08:38 - 2010-09-15 09:03 - 00000344 _____ C:\Windows\lgfwup.ini

2013-09-20 08:38 - 2010-09-15 09:03 - 00000000 ____D C:\Program Files (x86)\lg_fwupdate

2013-09-20 08:38 - 2010-09-02 10:33 - 00000000 ____D C:\Users\Tyler\Tracing

2013-09-20 08:37 - 2010-09-15 08:56 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LG Power Tools

2013-09-20 08:36 - 2010-09-02 10:42 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-09-20 08:36 - 2010-08-30 05:31 - 00000000 ____D C:\Users\Tyler

2013-09-20 08:36 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\I96hFi8VXk

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\Users\Tyler\AppData\Local\lrxEdMHrKJN

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\ProgramData\zm5hRHseO

2013-09-20 01:29 - 2013-09-20 01:29 - 00000036 _____ C:\Users\Tyler\AppData\Local\housecall.guid.cache

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\StQjI5NYK

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\Users\Tyler\AppData\Local\7VsiPeb0rc

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\ProgramData\x8wiWaPzL5E

2013-09-20 01:15 - 2013-09-20 00:44 - 00000000 ____D C:\AdwCleaner

2013-09-20 01:00 - 2013-09-20 01:01 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\DbyyiLwh6kl

2013-09-20 01:00 - 2013-09-20 01:01 - 00238592 _____ C:\Users\Tyler\AppData\Local\eaY7n3t5r

2013-09-20 01:00 - 2013-09-20 01:01 - 00238592 _____ C:\ProgramData\Hk67nFfQ

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\uDDb5JB4

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\Users\Tyler\AppData\Local\YKJ7negY

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\ProgramData\Md0pdKyIsCY

2013-09-19 11:58 - 2013-09-19 11:58 - 00000000 _____ C:\Users\Tyler\AppData\Roaming\wklnhst.dat

2013-09-18 00:17 - 2013-09-18 00:17 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Malwarebytes

2013-09-18 00:16 - 2013-09-18 00:16 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-09-18 00:15 - 2013-09-18 00:14 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tyler\Downloads\mbam-setup-1.75.0.1300.exe

2013-09-17 11:18 - 2010-08-30 05:30 - 00000000 __SHD C:\Recovery

2013-09-17 05:12 - 2012-10-19 21:29 - 00000000 ____D C:\Windows\system32\Macromed

2013-09-17 05:12 - 2010-04-15 02:55 - 00000000 ____D C:\Program Files\Windows Journal

2013-09-17 05:12 - 2009-07-14 01:32 - 00000000 ____D C:\Windows\Offline Web Pages

2013-09-17 05:12 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Windows Defender

2013-09-17 05:12 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender

2013-09-17 05:12 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache

2013-09-17 05:12 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\PolicyDefinitions

2013-09-17 05:11 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\AppCompat

2013-09-17 05:11 - 2009-07-13 23:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2013-09-06 06:07 - 2010-10-15 10:23 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Skype

2013-09-02 20:52 - 2012-11-21 20:21 - 00000000 ____D C:\Program Files (x86)\WildTangent Games

2013-09-02 20:51 - 2012-11-21 20:22 - 00002626 ____N C:\Users\Public\Desktop\WildTangent Games App - acer.lnk

2013-09-02 20:51 - 2010-08-30 05:57 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\WildTangent

2013-09-02 20:51 - 2010-04-15 02:49 - 00000000 ____D C:\ProgramData\WildTangent

2013-08-26 17:42 - 2013-08-26 17:42 - 00027156 _____ C:\Users\Tyler\Downloads\receipt20130826174158476.htm

 

Some content of TEMP:

====================

C:\Users\Tyler\AppData\Local\Temp\{397E31AA-0D78-4649-A01C-339D73A2ED35}_NSS_20942.exe

 

 

==================== Bamital & volsnap Check =================

 

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-09-2013 01

Ran by Tyler (administrator) on TYLER-PC on 20-09-2013 11:11:03

Running from C:\Users\Tyler\Desktop

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Normal

 

==================== Processes (Whitelisted) =================

 

(ABBYY) C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe

(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe

(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe

(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe

(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe

() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe

(Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe

(Microsoft Corporation) C:\Windows\System32\alg.exe

(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe

(Intel Corporation) C:\Windows\System32\igfxtray.exe

(Intel Corporation) C:\Windows\System32\hkcmd.exe

(Intel Corporation) C:\Windows\System32\igfxpers.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

(Intel Corporation) C:\Windows\system32\igfxsrvc.exe

() C:\Windows\PLFSetI.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apoint.exe

(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

() C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe

(Google Inc.) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

(NewSoft Technology Corporation) C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe

(Intel Corporation) C:\Windows\system32\igfxext.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApMsgFwd.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apntex.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\HidFind.exe

(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe

() C:\Program Files (x86)\CD-R KING\OpticSlim 2600\DocuAction.exe

(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe

(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe

(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe

(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe

(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe

(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe

(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe

(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe

(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe

(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe

(BitLeader) C:\Program Files (x86)\lg_fwupdate\fwupdate.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

(Microsoft Corporation) C:\Windows\system32\UI0Detect.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_8_800_174_ActiveX.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [mwlDaemon] - C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-02-01] (Egis Technology Inc.)

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10060832 2010-02-08] (Realtek Semiconductor)

HKLM\...\Run: [PLFSetI] - C:\Windows\PLFSetI.exe [206208 2010-05-23] ()

HKLM\...\Run: [Apoint] - C:\Program Files\Apoint2K\Apoint.exe [344872 2010-03-09] (Alps Electric Co., Ltd.)

HKLM\...\Run: [Acer ePower Management] - C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [860704 2010-03-17] (Acer Incorporated)

HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)

HKLM\...\Run: [WrtMon.exe] - C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2007-07-18] ()

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKCU\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-04-15] (Google Inc.)

HKCU\...\Run: [msnmsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [3872080 2010-04-16] (Microsoft Corporation)

HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)

MountPoints2: {529847a8-bb30-11df-8b91-78e400ae37b7} - D:\setup.exe

HKLM-x32\...\Run: [backupManagerTray] - C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [260608 2010-03-08] (NewTech Infosystems, Inc.)

HKLM-x32\...\Run: [suiteTray] - C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [337264 2010-02-01] (Egis Technology Inc.)

HKLM-x32\...\Run: [EgisUpdate] - C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201512 2009-12-24] (Egis Technology Inc.)

HKLM-x32\...\Run: [EgisTecPMMUpdate] - C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [401192 2009-12-24] (Egis Technology Inc.)

HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [1300560 2010-03-04] (Dritek System Inc.)

HKLM-x32\...\Run: [WordQ carat flag] - C:\Program Files (x86)\WordQ2\WordQcrs.exe [24576 2010-04-29] ()

HKLM-x32\...\Run: [updateLBPShortCut] - C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [CLMLServer] - C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [103720 2009-06-03] (CyberLink)

HKLM-x32\...\Run: [updateP2GoShortCut] - C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [RemoteControl8] - C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe [91432 2009-04-15] (CyberLink Corp.)

HKLM-x32\...\Run: [PDVD8LanguageShortcut] - C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe [50472 2009-04-15] (CyberLink Corp.)

HKLM-x32\...\Run: [updatePPShortCut] - C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [uCam_Menu] - C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [218408 2009-02-17] (CyberLink Corp.)

HKLM-x32\...\Run: [LGODDFU] - C:\Program Files (x86)\lg_fwupdate\lgfw.exe [27760 2012-07-26] (Bitleader)

HKLM-x32\...\Run: [updatePSTShortCut] - C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [210216 2009-09-29] (CyberLink Corp.)

HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [79192 2011-02-18] (Research In Motion Limited)

HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-08-27] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-09-09] (Apple Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)

HKU\Default\...\RunOnce: [scrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()

HKU\Default User\...\RunOnce: [scrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()

 

==================== Internet (Whitelisted) ====================

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?brand=ACAW&bmod=ACRW&aig=0&reason=1

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_1830t&r=27360810z016l0448z1h5t4681k422

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_1830t&r=27360810z016l0448z1h5t4681k422


HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_1830t&r=27360810z016l0448z1h5t4681k422

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_1830t&r=27360810z016l0448z1h5t4681k422

StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe

SearchScopes: HKCU - {36A8C685-325A-4DBA-A109-F2985EC0D732} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=U3&apn_dtid=OSJ000YYCA&apn_uid=F202BB0C-D6ED-4BAD-A644-B140131EA79C&apn_sauid=A79E9D06-F656-452D-AFA2-E2341DEAD9C6&

BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File

BHO-x32: KESIReaderBHO Class - {67EC1BB4-1AC3-4B5E-9CAD-DA52013E7C31} - C:\Program Files (x86)\Kurzweil Educational Systems\Common Files\KESIReaderIE.dll (TODO: <Company name>)

BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

Toolbar: HKCU -  No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File

DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File

Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)

Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)

Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)

Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} -  No File

Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} -  No File

Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} -  No File

Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} -  No File

Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} -  No File

Filter-x32: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)

Filter-x32: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)

Filter-x32: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)

Filter-x32: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)

Filter-x32: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files (x86)\Design Science\MathPlayer\MathMLMimer.dll (Design Science, Inc.)

Tcpip\..\Interfaces\{7C33C9E4-F6F2-4F98-A30C-A6C3A027CD64}: [NameServer]8.8.8.8 205.208.139.32

 

Chrome: 

=======

CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}

CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}

CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\ppGoogleNaClPluginChrome.dll ()

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\pdf.dll ()

CHR Plugin: (Adobe Acrobat) - c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)

CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)

CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)

CHR Plugin: (RIM Handheld Application Loader) - C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()

CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File

CHR Plugin: (Java Platform SE 6 U37) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)

CHR Plugin: (Java Deployment Toolkit 6.0.370.6) - C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)

CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll No File

CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File

CHR Extension: (YouTube) - C:\Users\Tyler\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0

CHR Extension: (Google Search) - C:\Users\Tyler\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0

CHR Extension: (Chrome In-App Payments service) - C:\Users\Tyler\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0

CHR Extension: (Gmail) - C:\Users\Tyler\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1

 

==================== Services (Whitelisted) =================

 

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)

S3 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-02-01] (Egis Technology Inc.)

R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [271760 2009-04-15] ()

 

==================== Drivers (Whitelisted) ====================

 

S3 libusb0; C:\Windows\System32\drivers\libusb0.sys [29184 2012-03-02] (http://libusb-win32.sourceforge.net)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [74240 2011-02-16] (Research In Motion Limited)

R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)

S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2013-09-20 11:08 - 2013-09-20 11:09 - 01950622 _____ (Farbar) C:\Users\Tyler\Desktop\FRST64.exe

2013-09-20 11:07 - 2013-09-20 11:07 - 00000236 _____ C:\Users\Tyler\Desktop\eESET SCAN.txt

2013-09-20 08:53 - 2013-09-20 08:53 - 00891144 _____ C:\Users\Tyler\Desktop\SecurityCheck.exe

2013-09-20 08:48 - 2013-09-20 08:48 - 00000000 ____D C:\Program Files (x86)\ESET

2013-09-20 08:46 - 2013-09-20 08:47 - 01039554 _____ C:\Users\Tyler\Desktop\AdwCleaner.exe

2013-09-20 08:45 - 2013-09-20 08:46 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tyler\Desktop\mbam-setup-1.75.0.1300 (1).exe

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\I96hFi8VXk

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\Users\Tyler\AppData\Local\lrxEdMHrKJN

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\ProgramData\zm5hRHseO

2013-09-20 01:29 - 2013-09-20 01:29 - 00000036 _____ C:\Users\Tyler\AppData\Local\housecall.guid.cache

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\StQjI5NYK

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\Users\Tyler\AppData\Local\7VsiPeb0rc

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\ProgramData\x8wiWaPzL5E

2013-09-20 01:01 - 2013-09-20 01:00 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\DbyyiLwh6kl

2013-09-20 01:01 - 2013-09-20 01:00 - 00238592 _____ C:\Users\Tyler\AppData\Local\eaY7n3t5r

2013-09-20 01:01 - 2013-09-20 01:00 - 00238592 _____ C:\ProgramData\Hk67nFfQ

2013-09-20 00:44 - 2013-09-20 01:15 - 00000000 ____D C:\AdwCleaner

2013-09-19 21:55 - 2013-09-20 12:26 - 00000000 ____D C:\Users\Tyler\AppData\Local\z7oRfNHG4

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\uDDb5JB4

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\Users\Tyler\AppData\Local\YKJ7negY

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\ProgramData\Md0pdKyIsCY

2013-09-19 11:58 - 2013-09-19 11:58 - 00000000 _____ C:\Users\Tyler\AppData\Roaming\wklnhst.dat

2013-09-18 00:17 - 2013-09-18 00:17 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Malwarebytes

2013-09-18 00:16 - 2013-09-18 00:16 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-09-18 00:14 - 2013-09-18 00:15 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tyler\Downloads\mbam-setup-1.75.0.1300.exe

2013-09-17 13:19 - 2013-09-20 12:25 - 00000000 ____D C:\FRST

2013-08-26 17:42 - 2013-08-26 17:42 - 00027156 _____ C:\Users\Tyler\Downloads\receipt20130826174158476.htm

 

==================== One Month Modified Files and Folders =======

 

2013-09-20 12:26 - 2013-09-19 21:55 - 00000000 ____D C:\Users\Tyler\AppData\Local\z7oRfNHG4

2013-09-20 12:26 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration

2013-09-20 12:25 - 2013-09-17 13:19 - 00000000 ____D C:\FRST

2013-09-20 11:09 - 2013-09-20 11:08 - 01950622 _____ (Farbar) C:\Users\Tyler\Desktop\FRST64.exe

2013-09-20 11:07 - 2013-09-20 11:07 - 00000236 _____ C:\Users\Tyler\Desktop\eESET SCAN.txt

2013-09-20 10:31 - 2010-05-23 01:01 - 01484485 _____ C:\Windows\WindowsUpdate.log

2013-09-20 10:21 - 2012-10-19 21:29 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-09-20 10:16 - 2010-09-02 10:42 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-09-20 09:22 - 2012-10-19 21:29 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater

2013-09-20 09:21 - 2012-10-19 21:29 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-09-20 09:21 - 2012-10-19 21:29 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-09-20 08:53 - 2013-09-20 08:53 - 00891144 _____ C:\Users\Tyler\Desktop\SecurityCheck.exe

2013-09-20 08:48 - 2013-09-20 08:48 - 00000000 ____D C:\Program Files (x86)\ESET

2013-09-20 08:47 - 2013-09-20 08:46 - 01039554 _____ C:\Users\Tyler\Desktop\AdwCleaner.exe

2013-09-20 08:47 - 2009-07-14 01:13 - 00726316 _____ C:\Windows\system32\PerfStringBackup.INI

2013-09-20 08:46 - 2013-09-20 08:45 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tyler\Desktop\mbam-setup-1.75.0.1300 (1).exe

2013-09-20 08:44 - 2009-07-14 00:51 - 00085997 _____ C:\Windows\setupact.log

2013-09-20 08:44 - 2009-07-14 00:45 - 00017600 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-09-20 08:44 - 2009-07-14 00:45 - 00017600 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-09-20 08:43 - 2013-07-23 21:49 - 00000436 _____ C:\Windows\system32\Drivers\etc\hosts.ics

2013-09-20 08:41 - 2010-04-15 03:02 - 00000000 ____D C:\ProgramData\Symantec

2013-09-20 08:40 - 2010-10-14 17:44 - 00000000 ____D C:\ProgramData\Norton

2013-09-20 08:38 - 2010-09-15 09:03 - 00000344 _____ C:\Windows\lgfwup.ini

2013-09-20 08:38 - 2010-09-15 09:03 - 00000000 ____D C:\Program Files (x86)\lg_fwupdate

2013-09-20 08:38 - 2010-09-02 10:33 - 00000000 ____D C:\Users\Tyler\Tracing

2013-09-20 08:37 - 2010-09-15 08:56 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LG Power Tools

2013-09-20 08:36 - 2010-09-02 10:42 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-09-20 08:36 - 2010-08-30 05:31 - 00000000 ____D C:\Users\Tyler

2013-09-20 08:36 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\I96hFi8VXk

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\Users\Tyler\AppData\Local\lrxEdMHrKJN

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\ProgramData\zm5hRHseO

2013-09-20 01:29 - 2013-09-20 01:29 - 00000036 _____ C:\Users\Tyler\AppData\Local\housecall.guid.cache

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\StQjI5NYK

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\Users\Tyler\AppData\Local\7VsiPeb0rc

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\ProgramData\x8wiWaPzL5E

2013-09-20 01:15 - 2013-09-20 00:44 - 00000000 ____D C:\AdwCleaner

2013-09-20 01:00 - 2013-09-20 01:01 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\DbyyiLwh6kl

2013-09-20 01:00 - 2013-09-20 01:01 - 00238592 _____ C:\Users\Tyler\AppData\Local\eaY7n3t5r

2013-09-20 01:00 - 2013-09-20 01:01 - 00238592 _____ C:\ProgramData\Hk67nFfQ

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\uDDb5JB4

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\Users\Tyler\AppData\Local\YKJ7negY

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\ProgramData\Md0pdKyIsCY

2013-09-19 11:58 - 2013-09-19 11:58 - 00000000 _____ C:\Users\Tyler\AppData\Roaming\wklnhst.dat

2013-09-18 00:17 - 2013-09-18 00:17 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Malwarebytes

2013-09-18 00:16 - 2013-09-18 00:16 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-09-18 00:15 - 2013-09-18 00:14 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Tyler\Downloads\mbam-setup-1.75.0.1300.exe

2013-09-17 11:18 - 2010-08-30 05:30 - 00000000 __SHD C:\Recovery

2013-09-17 05:12 - 2012-10-19 21:29 - 00000000 ____D C:\Windows\system32\Macromed

2013-09-17 05:12 - 2010-04-15 02:55 - 00000000 ____D C:\Program Files\Windows Journal

2013-09-17 05:12 - 2009-07-14 01:32 - 00000000 ____D C:\Windows\Offline Web Pages

2013-09-17 05:12 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Windows Defender

2013-09-17 05:12 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender

2013-09-17 05:12 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache

2013-09-17 05:12 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\PolicyDefinitions

2013-09-17 05:11 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\AppCompat

2013-09-17 05:11 - 2009-07-13 23:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2013-09-06 06:07 - 2010-10-15 10:23 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\Skype

2013-09-02 20:52 - 2012-11-21 20:21 - 00000000 ____D C:\Program Files (x86)\WildTangent Games

2013-09-02 20:51 - 2012-11-21 20:22 - 00002626 ____N C:\Users\Public\Desktop\WildTangent Games App - acer.lnk

2013-09-02 20:51 - 2010-08-30 05:57 - 00000000 ____D C:\Users\Tyler\AppData\Roaming\WildTangent

2013-09-02 20:51 - 2010-04-15 02:49 - 00000000 ____D C:\ProgramData\WildTangent

2013-08-26 17:42 - 2013-08-26 17:42 - 00027156 _____ C:\Users\Tyler\Downloads\receipt20130826174158476.htm

 

Some content of TEMP:

====================

C:\Users\Tyler\AppData\Local\Temp\{397E31AA-0D78-4649-A01C-339D73A2ED35}_NSS_20942.exe

 

 

==================== Bamital & volsnap Check =================

 

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

 

 

LastRegBack: 2013-09-11 00:49

 

==================== End Of Log ============================

 

 


Addition.txt


Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST/FRST64 and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

1. Download Malwarebytes Anti-Rootkit from this link: http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

Image1.png

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.

Image2.png

7. The following image opens, select Update

Image3.png

8. When the update completes select Next.

Image4.png

9. In the following window ensure "Targets" are ticked. Then select "Scan"

Image5.png

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

MBAntiRKcleanA.png

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.
12. If no threats were found you will see the following image, Select Exit:

Image6.png

13. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

15. Select "Y" from your Keyboard, tap Enter.

16. The fix will be applied, select any key to Exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log (Date and time of scan will also be shown)

Thanks,

Kevin...
 

fixlist.txt


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-09-2013 03

Ran by Tyler at 2013-09-21 08:06:13 Run:4

Running from D:\

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

Start

HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)

MountPoints2: {529847a8-bb30-11df-8b91-78e400ae37b7} - D:\setup.exe


2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\I96hFi8VXk

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\Users\Tyler\AppData\Local\lrxEdMHrKJN

2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\ProgramData\zm5hRHseO

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\StQjI5NYK

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\Users\Tyler\AppData\Local\7VsiPeb0rc

2013-09-20 01:18 - 2013-09-20 01:18 - 00238592 _____ C:\ProgramData\x8wiWaPzL5E

2013-09-20 01:01 - 2013-09-20 01:00 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\DbyyiLwh6kl

2013-09-20 01:01 - 2013-09-20 01:00 - 00238592 _____ C:\Users\Tyler\AppData\Local\eaY7n3t5r

2013-09-20 01:01 - 2013-09-20 01:00 - 00238592 _____ C:\ProgramData\Hk67nFfQ

2013-09-19 21:55 - 2013-09-20 12:26 - 00000000 ____D C:\Users\Tyler\AppData\Local\z7oRfNHG4

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\uDDb5JB4

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\Users\Tyler\AppData\Local\YKJ7negY

2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\ProgramData\Md0pdKyIsCY

C:\Users\Tyler\AppData\Local\Temp\{397E31AA-0D78-4649-A01C-339D73A2ED35}_NSS_20942.exe

End

 

*****************

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{529847a8-bb30-11df-8b91-78e400ae37b7} => Key deleted successfully.

HKCR\CLSID\{529847a8-bb30-11df-8b91-78e400ae37b7} => Key not found.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{36A8C685-325A-4DBA-A109-F2985EC0D732} => Key deleted successfully.

HKCR\CLSID\{36A8C685-325A-4DBA-A109-F2985EC0D732} => Key not found.

C:\Users\Tyler\AppData\Roaming\I96hFi8VXk => Moved successfully.

C:\Users\Tyler\AppData\Local\lrxEdMHrKJN => Moved successfully.

C:\ProgramData\zm5hRHseO => Moved successfully.

C:\Users\Tyler\AppData\Roaming\StQjI5NYK => Moved successfully.

C:\Users\Tyler\AppData\Local\7VsiPeb0rc => Moved successfully.

C:\ProgramData\x8wiWaPzL5E => Moved successfully.

C:\Users\Tyler\AppData\Roaming\DbyyiLwh6kl => Moved successfully.

C:\Users\Tyler\AppData\Local\eaY7n3t5r => Moved successfully.

C:\ProgramData\Hk67nFfQ => Moved successfully.

C:\Users\Tyler\AppData\Local\z7oRfNHG4 => Moved successfully.

C:\Users\Tyler\AppData\Roaming\uDDb5JB4 => Moved successfully.

C:\Users\Tyler\AppData\Local\YKJ7negY => Moved successfully.

C:\ProgramData\Md0pdKyIsCY => Moved successfully.

C:\Users\Tyler\AppData\Local\Temp\{397E31AA-0D78-4649-A01C-339D73A2ED35}_NSS_20942.exe => Moved successfully.

 

==== End of Fixlog ====

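The entries the helper gathered into fixlist.txt all share one pattern that is visible in the FRST "One Month Created Files and Folders" listing: extension-less files with random-looking names, identical size (238592 bytes), created in the same minute, one each directly under AppData\Roaming, AppData\Local and ProgramData. The script below is an added example (not FRST's code and not part of any post in this thread) that makes that eyeballing rule explicit: it parses FRST file lines, keeps random-named items sitting directly in those three roots, and groups them by creation minute and size. The sample log is constructed from the flagged lines posted above plus a few benign lines for contrast; the name heuristic (7 to 14 alphanumerics, with a digit or at least four case flips) and the set of drop roots are this example's own assumptions, so treat its output as a triage list to confirm by hand rather than a verdict.

```python
"""Spot coordinated random-name drops in FRST 'One Month Created Files' output.

Added example for this thread, not FRST's own code. The name heuristic and the
drop-root list are assumptions made for this example.
"""
import re
from collections import defaultdict

# FRST file line: created - modified - size attrs [(company)] path
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+?)\s*$"
)

# Folders a dropper tends to write into directly (assumed set, case-insensitive).
DROP_ROOTS = {
    "roaming": re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming$", re.I),
    "local": re.compile(r"^c:\\users\\[^\\]+\\appdata\\local$", re.I),
    "programdata": re.compile(r"^c:\\programdata$", re.I),
}

# Extension-less, 7-14 alphanumerics: the shape of every dropped name in the log.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{7,14}$")

# Constructed sample: flagged lines from the posted log plus benign lines.
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ========
2013-09-20 11:08 - 2013-09-20 11:09 - 01950622 _____ (Farbar) C:\Users\Tyler\Desktop\FRST64.exe
2013-09-20 08:45 - 2013-09-20 08:46 - 10285040 _____ (Malwarebytes Corporation      ) C:\Users\Tyler\Desktop\mbam-setup-1.75.0.1300 (1).exe
2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\I96hFi8VXk
2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\Users\Tyler\AppData\Local\lrxEdMHrKJN
2013-09-20 01:33 - 2013-09-20 01:33 - 00238592 _____ C:\ProgramData\zm5hRHseO
2013-09-20 01:01 - 2013-09-20 01:00 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\DbyyiLwh6kl
2013-09-20 01:01 - 2013-09-20 01:00 - 00238592 _____ C:\Users\Tyler\AppData\Local\eaY7n3t5r
2013-09-20 01:01 - 2013-09-20 01:00 - 00238592 _____ C:\ProgramData\Hk67nFfQ
2013-09-19 21:55 - 2013-09-20 12:26 - 00000000 ____D C:\Users\Tyler\AppData\Local\z7oRfNHG4
2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\Users\Tyler\AppData\Roaming\uDDb5JB4
2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\Users\Tyler\AppData\Local\YKJ7negY
2013-09-19 21:55 - 2013-09-19 21:55 - 00238592 _____ C:\ProgramData\Md0pdKyIsCY
2013-09-19 11:58 - 2013-09-19 11:58 - 00000000 _____ C:\Users\Tyler\AppData\Roaming\wklnhst.dat
2013-09-18 00:16 - 2013-09-18 00:16 - 00000000 ____D C:\ProgramData\Malwarebytes
"""


def parse_frst_line(line):
    """Return a dict for one FRST file line, or None for headers and blanks."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["is_dir"] = "D" in rec["attrs"]
    return rec


def is_random_name(name):
    """Heuristic: no extension, and either a digit or at least 4 case flips."""
    if not RANDOM_NAME.match(name):
        return False
    if any(c.isdigit() for c in name):
        return True
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 4


def drop_root(path):
    """Label of the drop root the item sits directly under, else None."""
    parent = path.rpartition("\\")[0]
    for label, pattern in DROP_ROOTS.items():
        if pattern.match(parent):
            return label
    return None


def find_suspicious_clusters(log_text, min_items=1):
    """Group random-named items under drop roots by (created minute, size).

    Same-size files landing in the same minute across Roaming, Local and
    ProgramData is the coordinated-drop pattern cleaned up in this thread.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_frst_line(line)
        if rec is None:
            continue
        root = drop_root(rec["path"])
        name = rec["path"].rpartition("\\")[2]
        if root is None or not is_random_name(name):
            continue
        buckets[(rec["created"], rec["size"])].append((root, rec["path"], rec["is_dir"]))
    clusters = []
    for (created, size), items in buckets.items():
        if len(items) < min_items:
            continue
        clusters.append({
            "created": created,
            "size": size,
            "roots": sorted({root for root, _, _ in items}),
            "paths": sorted(path for _, path, _ in items),
            "dirs": sorted(path for _, path, is_dir in items if is_dir),
        })
    # Newest first; larger size first within the same minute.
    return sorted(clusters, key=lambda c: (c["created"], c["size"]), reverse=True)


if __name__ == "__main__":
    for c in find_suspicious_clusters(SAMPLE_LOG):
        print(f"{c['created']}  size={c['size']:>8}  roots={','.join(c['roots'])}")
        for p in c["paths"]:
            print("    " + p)
```

Run it against a saved FRST.txt by reading the file into `find_suspicious_clusters`; with `min_items=2` only the coordinated triplets are reported, while the default also surfaces lone random-named items such as the `z7oRfNHG4` folder, which the helper removed alongside the files.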

Logs look good, I'd still like to run an Online AV scan to be sure we've removed all remnants of the infection and any other entries. The scan will take several hours as it is very thorough...

 

The instructions are for report only,

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/home/products/online-scanner/ to run an online scan from ESET.

 

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use. Click Start
  • When asked, allow the add-on to be installed. Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked. Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

 

When the scan is complete

If no threats were found:

  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

 

If threats were found:

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

close program

copy and paste the report here

 

Regarding security, I give you the set I use for W7....

 

Windows own Firewall, Microsoft Security Essentials and Malwarebytes Pro. Windows FW and MSE are free, MB does also have a free version, however I prefer the pro version as it provides auto updates and realtime protection. Cost is about £20 for a lifetime license.

 

As an extra layer I also use WinPatrol, the free version is adequate for general home use. Available here: http://www.winpatrol.com/download.html

 

For my browser I use Firefox with these addons: Web of Trust, Adblock Plus, Flash Block, NoScript, Ghostery. When Firefox is open select these keys together :- Ctrl - Shift - A that will access the Add-ons manager, this gives access to find addons, use, start, stop or disable those features etc....

Before using NoScript read from this link http://noscript.net/ makes it easy to understand....

 

Understanding Windows 7 Firewall - http://windows.microsoft.com/en-GB/windows7/Understanding-Windows-Firewall-settings

 

Understanding Microsoft Security Essentials - http://www.microsoft.com/en-gb/security/pc-security/mse.aspx

 

Understanding Malwarebytes, how to create an exclusion in MSE - http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=162100entry162100

 

Understanding WinPatrol - http://www.winpatrol.com/features.html

 

I also use the Professional version of Sandboxie, I believe there is also a free version available. Visit this link http://www.sandboxie.com/ for access to d/l, also make sure to use the "Help and FAQ" option to understand its uses, specifically how to run your browser sandboxed!

 

 

Kevin
