Jump to content

Home Page & Search Bar HiJacked / Odd Windows Pop Up


TishB

Recommended Posts

Hello all, I'm in great need of some help. I have somehow acquired something that has changed my homepage as well a my search bar. Also I have windows popping up willy-nilly in Safari without my requesting them. Usually to sites such as:

 

www1.delta-search.com/?babsrc=NT_ss&mntrId=ECEB00265E2989B2&affID=119293&tt=110813_YTB&tsp=4973

 

http://seth.avazutracking.net/tracking/redirect/redirect.php?id=9870697&czid=YXZhenU5ODcwNjk3MQ==&vurl=1667596&usrid=MTMxOGF2&rgid=YXp1NzU3&kw=lax1CKmS94PFkq_LAhACGOmHusy2iPqDdiIOMjQuMTI3LjIyNy4yNDkoAQ..&dv1=1667596

 

or more recently today

 

http://search.blackfridaynewstoday.com/search/1?q=medical+center&src=50p&camp=BFNT-50P-KW&kw=medical+center&rpp=4&tt=3

 

My setting have not changed...it still 'shows' google as my homepage as well as high priority on no pop-ups but I can't even get to google. It sends me to Yahoo or something like it.

I've read through other postings and it seems my problems are pretty much like bladerunner537's...so I've tried to follow Mr. Charlie's recommendations. I too have a mess of PUPs and am terrified of removing them without someone holding my hand and/or a beer. I may never get back on. I've run the Malwarebyte and below is my log. I also have the DD text and it's attach ready to go. Any assistance would be deeply appreciated.

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.29.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Shauna :: LITTLEBIRD2 [administrator]

Protection: Enabled

9/29/2013 3:57:43 PM
MBAM-log-2013-09-29 (17-52-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 313401
Time elapsed: 1 hour(s), 7 minute(s), 55 second(s)

Memory Processes Detected: 1
C:\Program Files\SearchProtect\bin\CltMngSvc.exe (PUP.Optional.SearchProtect.A) -> 1620 -> No action taken.

Memory Modules Detected: 2
C:\Program Files\SearchProtect\bin\msvcp100.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\bin\msvcr100.dll (PUP.Optional.SearchProtect.A) -> No action taken.

Registry Keys Detected: 28
HKCR\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} (PUP.Optional.BrowseFox.A) -> No action taken.
HKCR\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23} (PUP.Optional.BrowseFox.A) -> No action taken.
HKCR\CLSID\{b9507101-e464-4b3b-a4cb-291aaedd94f2} (PUP.Optional.BrowseFox.A) -> No action taken.
HKCR\TypeLib\{006232F7-DBD6-4631-84E8-66EA161B43C4} (PUP.Optional.BrowseFox.A) -> No action taken.
HKCR\Interface\{BB9817CA-9B43-41EB-8706-44847957338D} (PUP.Optional.BrowseFox.A) -> No action taken.
HKCR\CLSID\{712F46B0-AFE0-D8A9-50DC-50D95E64CDD2} (PUP.Optional.MultiPlug.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{62D82EC1-0D3A-DF54-8E3E-07E1337A5311} (PUP.Optional.SilentInstall.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06C0EEBA-C97A-4B04-A9EF-8158DD23CC4C} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{21E7F410-F549-450F-A7E4-BD6BFA04D6E6} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3AF7FCA5-5F84-4DCF-AF24-17A6E114DE53} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{415EC2DB-DFD1-48B7-AA5C-97F39ABDE02D} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{47FB50CC-8FB6-469F-A474-C7949C18723A} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{201A253A-CAF2-07C1-53EE-EC2FBF5345B1} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B812400F-BD91-4662-A489-F5B363F162F9} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\CltMngSvc (PUP.Optional.SearchProtect.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect (PUP.Optional.SearchProtect.A) -> No action taken.
HKCR\CrossriderApp0035578.BHO (PUP.Optional.CrossRider.A) -> No action taken.
HKCR\CrossriderApp0035578.BHO.1 (PUP.Optional.CrossRider.A) -> No action taken.
HKCR\CrossriderApp0035578.Sandbox (PUP.Optional.CrossRider.A) -> No action taken.
HKCR\CrossriderApp0035578.Sandbox.1 (PUP.Optional.CrossRider.A) -> No action taken.
HKCU\Software\1ClickDownload (PUP.Optional.1ClickDownload.A) -> No action taken.
HKCU\Software\AppDataLow\SProtector (PUP.Optional.SProtector.A) -> No action taken.
HKCU\Software\BabSolution\Updater (PUP.Optional.Babylon.A) -> No action taken.
HKCU\SOFTWARE\CROSSRIDER (PUP.Optional.CrossRider.A) -> No action taken.
HKCU\Software\InstalledBrowserExtensions\installdaddy (PUP.Optional.CrossRider.A) -> No action taken.
HKLM\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde (PUP.Optional.Delta.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Delta Chrome Toolbar (PUP.Optional.BabSolution.A) -> No action taken.

Registry Values Detected: 1
HKCU\Software\Crossrider|Verifier (PUP.Optional.CrossRider.A) -> Data: 070ed71a54c7c61a9b4ac26677361a99 -> No action taken.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs (PUP.Optional.SProtect.A) -> Bad: (c:\progra~1\savesh~1\sprote~1.dll) Good: () -> No action taken.

Folders Detected: 27
C:\Program Files\SearchProtect\bin (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\lib (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spbd (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spbd\images (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spsd (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spsd\images (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\ffprotect (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\bin (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\lib (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spbd (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spbd\images (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spsd (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spsd\images (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\lib (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spbd (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spsd (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\SProtectorRepository (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution\CR (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution\Shared (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326 (PUP.Optional.Conduit.A) -> No action taken.

Files Detected: 169
C:\Program Files\SaveShare\sprotector.dll (PUP.Optional.SProtect.A) -> No action taken.
C:\Program Files\BrowseFox\IEClient.dll (PUP.Optional.BrowseFox.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\savenasHHarie\520985fdac735.dll (PUP.Optional.MultiPlug.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\savenasHHarie\uninstall.exe (PUP.Optional.SilentInstall.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{06C0EEBA-C97A-4B04-A9EF-8158DD23CC4C}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{06C0EEBA-C97A-4B04-A9EF-8158DD23CC4C}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{21E7F410-F549-450F-A7E4-BD6BFA04D6E6}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{21E7F410-F549-450F-A7E4-BD6BFA04D6E6}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{3AF7FCA5-5F84-4DCF-AF24-17A6E114DE53}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{3AF7FCA5-5F84-4DCF-AF24-17A6E114DE53}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{415EC2DB-DFD1-48B7-AA5C-97F39ABDE02D}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{415EC2DB-DFD1-48B7-AA5C-97F39ABDE02D}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{47FB50CC-8FB6-469F-A474-C7949C18723A}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{47FB50CC-8FB6-469F-A474-C7949C18723A}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{8D4E0CA3-D36D-4E58-ACB3-9B4F56AD2E55}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{8D4E0CA3-D36D-4E58-ACB3-9B4F56AD2E55}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{B812400F-BD91-4662-A489-F5B363F162F9}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{B812400F-BD91-4662-A489-F5B363F162F9}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution\Shared\BabMaint.exe (PUP.Optional.Babylon.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution\Shared\NTRedirect.dll (PUP.Optional.Babylon.A) -> No action taken.
C:\Documents and Settings\Shauna\My Documents\Downloads\smoboda.rar.exe (PUP.BundleInstaller.DW) -> No action taken.
C:\Documents and Settings\Shauna\My Documents\Downloads\zip.exe (PUP.Optional.InstallIQ.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\+Futg37I.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\19lfw+CD.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\2U1Jmj6a.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\nIND43s2.exe.part (PUP.Optional.Amonetize) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\O6jjdCLU.exe.part (PUP.Optional.Amonetize) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\4hwkW6BR.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\s2eU4MZY.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\8TbLTANb.exe.part (PUP.Optional.Amonetize) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\OL62tesp.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\PGXvTIRa.exe.part (PUP.BundleInstaller.DW) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\dojUKJvj.exe.part (PUP.Optional.Bandoo) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\DpMm6Bpb.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\IBCNbcmv.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\IFJd+dgM.exe.part (PUP.BundleInstaller.DW) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\iimBcyHk.exe.part (PUP.Downware) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\WvGSTMN4.exe.part (PUP.Optional.Topmedia) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\xpmAS0N8.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\Xq_6A6kP.exe.part (PUP.Downware) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\Xr8NH3fi.exe.part (PUP.Optional.Amonetize) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\YTO2ZCKg.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\Z3A28o7W.exe.part (PUP.BundleInstaller.DW) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\WnysxRJM.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\u6_uY6kA.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\umk5VsMH.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\H9Nt9qeW.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\mconduitinstaller.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\4KiYFmLD.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\5rdI+X5+.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\SPStub.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\Sti_cJcL.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\t20UeYPG.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\tAEi38x2.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\LdKQ3egH.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\LnNCKla_.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\LOGWLKbk.exe.part (PUP.Optional.Amonetize) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\toolbar6395265.exe (PUP.Optional.Yontoo) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\toolbar6401062.exe (PUP.Optional.DeltaTB) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ToolbarHelper.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\Aq+Zj8t8.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\RN_8wz0o.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ffgR_5JA.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\vgdsBfuv.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\VHpTj6f7.exe.part (PUP.Optional.Amonetize) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\WEmLHeQx.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\9A2A2F71-BAB0-7891-9B25-3B40DCB6E6F8\BabMaint.exe (PUP.Optional.Babylon.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\9A2A2F71-BAB0-7891-9B25-3B40DCB6E6F8\BUSolution.dll (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\9A2A2F71-BAB0-7891-9B25-3B40DCB6E6F8\ccp.exe (PUP.Babylon.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\9A2A2F71-BAB0-7891-9B25-3B40DCB6E6F8\CrxInstaller.dll (PUP.Optional.Babylon.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\9A2A2F71-BAB0-7891-9B25-3B40DCB6E6F8\NTRedirect.dll (PUP.Optional.Babylon.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\9A2A2F71-BAB0-7891-9B25-3B40DCB6E6F8\Setup.exe (PUP.Babylon.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326\ctbe.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326\ieLogic.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326\statisticsStub.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326\stub.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Application Data\Conduit\CT3291326\KeyBar_1.13AutoUpdateHelper.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\WINDOWS\Tasks\EPUpdater.job (PUP.Optional.Babylon.A) -> No action taken.
C:\Program Files\SearchProtect\bin\FirefoxModule.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\bin\ChromeModule.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\bin\cltmng.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\bin\CltMngSvc.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\bin\InternetExplorerModule.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\bin\msvcp100.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\bin\msvcr100.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\bin\SPHook32.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\bin\SPRunner.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\bin\uninstall.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\dialogsApi.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\lib\jquery.min.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\lib\json2.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spbd\bubble.css (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spbd\bubble.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spbd\main.html (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spbd\images\information.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spsd\main.html (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spsd\SearchProtector.css (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spsd\settings.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spsd\images\ok-button.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spsd\images\separation-line.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\Dialogs\spsd\images\warning.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\ffprotect\nsprotector.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\ffprotect\abstraction.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\ffprotect\application.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\bin\FirefoxModule.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\bin\ChromeModule.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\bin\cltmng.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\bin\CltMngSvc.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\bin\InternetExplorerModule.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\bin\msvcp100.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\bin\msvcr100.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\bin\rep.dat (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\bin\SPHook32.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\bin\SPRunner.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\dialogsApi.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\lib\jquery.min.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\lib\json2.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spbd\bubble.css (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spbd\bubble.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spbd\main.html (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spbd\images\information.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spsd\main.html (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spsd\SearchProtector.css (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spsd\settings.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spsd\images\ok-button.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spsd\images\separation-line.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\Dialogs\spsd\images\warning.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\nsprotector.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\abstraction.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\application.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\popupTransparent.xul (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\dialogsApi.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\lib\jquery.min.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\lib\json2.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.css (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spbd\main.html (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\information.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-LTR.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-RTL.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-LTR.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-RTL.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spsd\main.html (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spsd\SearchProtector.css (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spsd\settings.js (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\ok-button.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\separation-line.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\warning.png (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\SProtectorRepository\EN (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\SearchProtect\ffprotect\SProtectorRepository\searchProtectorData (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_eooncjejnppfjjklapaamhcdmjbilmde_0.localstorage (PUP.Optional.BrowserDefender.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution\CR\Delta.crx (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution\Shared\BUSolution.dll (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution\Shared\chu.js (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution\Shared\Delta.ico (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution\Shared\enhancedNT.dll (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution\Shared\GUninstaller.exe (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution\Shared\SetupParams.ini (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Application Data\BabSolution\Shared\sqlite3.dll (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326\chromeid.txt (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326\setup.ini.txt (PUP.Optional.Conduit.A) -> No action taken.

(end)
 

What is my next step? Do I just select all of them and go?

Link to post
Share on other sites

  • Replies 87
  • Created
  • Last Reply

Top Posters In This Topic

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes and use the default font)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, Adobe host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Okay, here are the requested logs. On the off chance that the section you posted on pirateware stuff was something you see in my original post...can you tell me what to look for? I can't even get rid of half the games on this poor thing. They have no uninstall in them and I can't just dump them like I could on my Mac. Anyways...thank you for your help, Mr.C.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Shauna at 19:01:08 on 2013-09-29
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1015.77 [GMT -4:00]
.
AV: ESET NOD32 Antivirus 5.2 *Enabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ================
.
C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SearchProtect\bin\CltMngSvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\BrowseFox\updater.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\HP\HPBTWD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\syncables\syncables desktop\Syncables.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
C:\Program Files\syncables\syncables desktop\MigoMapi.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Calibre2\calibre.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.1\ToolbarUpdater.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.1\loggingserver.exe
C:\Program Files\AVG Secure Search\vprot.exe
c:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Calibre2\calibre-parallel.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.






mURLSearchHooks: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - <orphaned>
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\17.0.0.9\AVG Secure Search_toolbar.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0559.0\msneshellx.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\program files\msn\toolbar\3.0.0559.0\msneshellx.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\17.0.0.9\AVG Secure Search_toolbar.dll
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [sysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [AESTFltr] c:\windows\system32\AESTFltr.exe /NoDlg
mRun: [HP BTW Detect Program] c:\program files\hp\HPBTWD.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Mobile Broadband] c:\swsetup\hpqwwan\HPMobileBroadband.exe /TrayMode
mRun: [syncables] c:\program files\syncables\syncables desktop\Syncables.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [PININST] c:\system.sav\util\pininst.exe c:\system.sav\util\PININST.INI
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.318\SSScheduler.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.




TCP: NameServer = 192.168.1.1
TCP: Interfaces\{D3DECF45-6A43-47C4-92A4-66B8BA13E230} : DHCPNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\17.0.1\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\savesh~1\sprote~1.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\shauna\application data\mozilla\firefox\profiles\g7yufipz.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Delta Search


FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\17.0.1\npsitesafety.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\mcafee security scan\3.0.318\npMcAfeeMSS.dll
FF - plugin: c:\program files\microsoft silverlight\2.0.31005.0\npctrlui.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - ExtSQL: 2013-08-07 22:06; firefox@browsefox.com; c:\documents and settings\shauna\application data\mozilla\firefox\profiles\g7yufipz.default\extensions\firefox@browsefox.com.xpi
FF - ExtSQL: 2013-08-12 21:06; boi@smfzyuo.edu; c:\documents and settings\shauna\application data\mozilla\firefox\profiles\g7yufipz.default\extensions\boi@smfzyuo.edu
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-6-14 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-6-14 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [2008-9-25 103792]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-1-3 37664]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2012-3-14 120152]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2012-3-14 104160]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-6-14 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2008-12-12 125424]
R2 BOTService;BOTService;c:\program files\roxio\backontrack\instant restore\BOTService.exe [2009-3-19 203248]
R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\searchprotect\bin\CltMngSvc.exe [2013-5-8 97056]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2012-3-7 913144]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-9-24 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-9-24 701512]
R2 vToolbarUpdater17.0.1;vToolbarUpdater17.0.1;c:\program files\common files\avg secure search\vtoolbarupdater\17.0.1\ToolbarUpdater.exe [2013-9-28 1734680]
R2 WebUpdater;WebUpdater;c:\program files\browsefox\updater.exe [2013-8-7 50464]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-14 113664]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-2 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-9-24 22856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-9-24 40776]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.318\McCHSvc.exe [2013-2-5 235216]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1f86.tmp --> c:\windows\system32\1F86.tmp [?]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rts5121.sys --> c:\windows\system32\drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== Created Last 30 ================
.
2013-09-25 22:38:07    54016    ----a-w-    c:\windows\system32\drivers\nvpw.sys
2013-09-24 13:52:09    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-09-24 13:40:22    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-09-24 13:40:21    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-09-18 16:30:59    3215256    ----a-w-    c:\program files\mozilla firefox\gkmedias.dll
2013-09-18 16:30:58    301464    ----a-w-    c:\program files\mozilla firefox\freebl3.dll
2013-09-18 16:30:58    274840    ----a-w-    c:\program files\mozilla firefox\firefox.exe
2013-09-18 16:30:57    2106216    ----a-w-    c:\program files\mozilla firefox\D3DCompiler_43.dll
2013-09-18 16:30:55    116632    ----a-w-    c:\program files\mozilla firefox\crashreporter.exe
2013-09-18 16:30:54    271256    ----a-w-    c:\program files\mozilla firefox\browser\components\browsercomps.dll
2013-09-18 16:30:53    74648    ----a-w-    c:\program files\mozilla firefox\breakpadinjector.dll
2013-09-18 16:30:51    19352    ----a-w-    c:\program files\mozilla firefox\AccessibleMarshal.dll
2013-09-07 20:40:55    --------    d-----w-    c:\documents and settings\shauna\Calibre Library
.
==================== Find3M  ====================
.
2013-09-28 20:41:06    37664    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600BEVT-60ZCT1 rev.13.01A13 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
error: Read  A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0;  }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x867E02E2
user & kernel MBR OK
.
============= FINISH: 19:08:12.42 ===============
 

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 9/17/2009 4:07:41 AM
System Uptime: 9/25/2013 12:20:42 PM (103 hours ago)
.
Motherboard: Hewlett-Packard |  | 308F
Processor:          Intel® Atom CPU N270   @ 1.60GHz | CPU 1 | 1596/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 67.832 GiB free.
D: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.04)
AIM 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
AVG Security Toolbar
Boggle Supreme
Bonjour
Broadcom 802.11 Wireless LAN Adapter
BrowseFox 3.0.0
calibre
Compatibility Pack for the 2007 Office system
DAMN NFO Viewer 2.10.0031 RC3
Default Manager
Delta Chrome Toolbar
Detective Stories Hollywood
ESET NOD32 Antivirus
Fishdom Seasons Under the Sea 1.00
GoforFiles
Google Chrome
Google Update Helper
Hidden Relics
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP BatteryCheck 2.10 A2
HP Doc Viewer
HP Help and Support
HP Mobile Broadband Setup Utility
HP User Guides 0139
HP Wireless Assistant
HpSdpAppCoreApp
IDT Audio
Intel® Graphics Media Accelerator Driver
Invision
Java 6 Update 11
KeyBar 1.13 Toolbar
Malwarebytes Anti-Malware version 1.75.0.1300
McAfee Security Scan Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Live Search Toolbar
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders  (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Microsoft Works
mIRC
Mozilla Firefox 24.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 6.0 Parser
Mystery Legends Sleepy Hollow
Mystery Solitaire Secret Island 1.00
OpenAL
Pirate Solitaire 1.00
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Roxio BackOnTrack
Roxio Disaster Recovery
Roxio Instant Restore
Roxio Instant Restore Recovery Disk
Roxio Update Manager
savenasHHarie  
SaveShare 1.74
Search Protect by conduit
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Sophos Anti-Rootkit 1.5.20
Spybot - Search & Destroy
SpywareBlaster 4.6
Synaptics Pointing Device Driver
syncables desktop
Text Twist 2 1.00
Torntv 2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office 2007 (KB934528)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973815)
USB2.0 Card Reader Software
Viewpoint Media Player
WebFldrs XP
Windows Backup Utility
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR 4.20 (32-bit)
Xvid Video Codec
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
9/24/2013 8:54:02 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
.
==== End Of File ===========================
 

Link to post
Share on other sites

Looks like you're not going to run RogueKiller for me, please do this:

Please uninstall these from your add/remove programs if possible:

BrowseFox 3.0.0
Delta Chrome Toolbar
KeyBar 1.13 Toolbar
Search Protect by conduit
SaveShare


Then........

Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Link to post
Share on other sites

Here's the RogueKiller report. Thanks for the heads-up on the pirate stuff. I saw all that red in that warning it made me creeped out.

 

RogueKiller V8.6.12 [sep 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Shauna [Admin rights]
Mode : Scan -- Date : 09/29/2013 22:23:28
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd\n. [x]) -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][sUSP PATH] EPUpdater.job : C:\DOCUME~1\Shauna\APPLIC~1\BABSOL~1\Shared\BabMaint.exe [7] -> FOUND
[V1][sUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\WINDOWS\TEMP\{377101E5-3795-458E-A2E6-1EA39D6683B9}.exe - --uninstall=1 [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[FF][PROXY] g7yufipz.default : user_pref("network.proxy.type", 4); -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\@ [-] --> FOUND
[ZeroAccess][File] @ : C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U [-] --> FOUND
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\L [-] --> FOUND
[ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd\L [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    www.100888290cs.com
127.0.0.1    100888290cs.com
127.0.0.1    100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ )  -  +++++
--- User ---
[MBR] 4d32227ea6f80138149a3e3352c3b752
[bSP] 44af34bf80aacd4065657a6dc8994ac4 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152616 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 001bae72239183c3812aa2f539227b2b
[bSP] 44af34bf80aacd4065657a6dc8994ac4 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152616 Mo

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - JetFlash Transcend 8GB USB Device +++++
--- User ---
[MBR] 7cba8071c7d4ddaa491c627ee2bd7194
[bSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 6000 | Size: 7719 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_09292013_222327.txt >>
RKreport[0]_S_09292013_215631.txt

 

Link to post
Share on other sites

Okay, I've deleted those items you asked me to. I can't seem to uninstall sprotector.dll in that savenshare though. The rest is gone but that. Shall I simply delete it? Also...I can't find that delta chrome. Even ran my find with no results. Would it be in program files?

When you say let's clean the adware now...before the AdwCleaner...how?

Link to post
Share on other sites

Good morning, Mr. Charlie,

Below is the report from the AdwCleaner as you've requested.

Forgive me for any delays in sending it. I would never not run anything you've asked me to do. I came to you for help and am deeply grateful for your time. There must be a sizable delay between us. I still have not found that delta chrome you mentioned in an earlier post. I have however ran and cleaned everything that appeared in the AdwCleaner. Here is the log:

 

# AdwCleaner v3.005 - Report created 29/09/2013 at 23:43:19
# Updated 22/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Shauna - LITTLEBIRD2
# Running from : C:\Documents and Settings\Shauna\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Application Data\SoftSafe
Folder Deleted : C:\Documents and Settings\All Users\Application Data\StarApp
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\All Users\Application Data\savenasHHarie
Folder Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\savenasHHarie
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\TornTV.com
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Shauna\Local Settings\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Shauna\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Shauna\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Shauna\Application Data\BabSolution
Folder Deleted : C:\Documents and Settings\Shauna\Start Menu\Programs\TornTV.com
Folder Deleted : C:\Documents and Settings\Shauna\Application Data\Mozilla\Firefox\Profiles\g7yufipz.default\Extensions\boi@smfzyuo.edu
[!] Folder Deleted : C:\Documents and Settings\Shauna\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
[!] Folder Deleted : C:\Documents and Settings\Shauna\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
File Deleted : C:\END
File Deleted : C:\DOCUME~1\Shauna\LOCALS~1\Temp\Uninstall.exe
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Documents and Settings\Shauna\Application Data\Mozilla\Firefox\Profiles\g7yufipz.default\searchplugins\Babylon.xml
File Deleted : C:\Documents and Settings\Shauna\Application Data\Mozilla\Firefox\Profiles\g7yufipz.default\user.js
File Deleted : C:\Documents and Settings\Shauna\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_eooncjejnppfjjklapaamhcdmjbilmde_0.localstorage
File Deleted : C:\WINDOWS\Tasks\EPUpdater.job

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bicnnkjibmphdeigoodpjlcklcnaobdj
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_8e303e95
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0035578.BHO
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0035578.BHO.1
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0035578.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0035578.Sandbox.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3291326
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{712F46B0-AFE0-D8A9-50DC-50D95E64CDD2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4B5C-9287-DA72D38F4FE6}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4B5C-9287-DA72D38F4FE6}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\BabSolution
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\Crossrider
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\AppDataLow\SProtector
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SProtector
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Delta Chrome Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{62D82EC1-0D3A-DF54-8E3E-07E1337A5311}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]

-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Documents and Settings\Shauna\Application Data\Mozilla\Firefox\Profiles\g7yufipz.default\prefs.js ]

Line Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Line Deleted : user_pref("aol_toolbar.default.search.check", false);
Line Deleted : user_pref("browser.search.defaultenginename", "Delta Search");

Line Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Line Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Line Deleted : user_pref("plugin.blocklisted.npviewpoint", true);
Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Line Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Line Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Line Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Line Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Line Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Line Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

-\\ Google Chrome v29.0.1547.76

[ File : C:\Documents and Settings\Shauna\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [13047 octets] - [29/09/2013 23:34:02]
AdwCleaner[s0].txt - [12530 octets] - [29/09/2013 23:43:19]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [12591 octets] ##########
 

Link to post
Share on other sites

OK, the log from RogueKiller shows another more serious problem:

Please read the following information first.
 

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

I would change all my passwords and keep a close eye on all your sensitive accounts.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


-----------------------------------------

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)
 

[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd\n. [x]) -> FOUND


-------------

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)
 

[ZeroAccess][File] @ : C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\@ [-] --> FOUND
[ZeroAccess][File] @ : C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U [-] --> FOUND
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\L [-] --> FOUND
[ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd\L [-] --> FOUND


Now click Delete on the right hand column under Options

-------------

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.
reply1.jpg

New window that comes up.
replyer1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.


MrC

Link to post
Share on other sites

In the process of rerunning RogueKiller again, Mr. Charlie. It's been updated since yesterday and had to redownload. Fortunately this little bird of mine is only my library/entertainment center. All transactions etc. are done on my Mac. Can this stuff cross platform via my hub I use for both? Only passwords it'll get from here are to a few websites such as this.

I neglected to completely read your request for me to redo the malware scan. That puppy took about an hour to do but I'm posting it just in case you can use it. Will post the RKill log as soon as it's completed. Again, my deepest thanks. Somehow I feel like I've got the cooties. Yuck.

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.29.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Shauna :: LITTLEBIRD2 [administrator]

Protection: Enabled

9/30/2013 7:25:33 AM
MBAM-log-2013-09-30 (08-28-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 304705
Time elapsed: 1 hour(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 9
HKCR\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} (PUP.Optional.BrowseFox.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06C0EEBA-C97A-4B04-A9EF-8158DD23CC4C} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{21E7F410-F549-450F-A7E4-BD6BFA04D6E6} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3AF7FCA5-5F84-4DCF-AF24-17A6E114DE53} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{415EC2DB-DFD1-48B7-AA5C-97F39ABDE02D} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{47FB50CC-8FB6-469F-A474-C7949C18723A} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{201A253A-CAF2-07C1-53EE-EC2FBF5345B1} (PUP.Optional.Tarma.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B812400F-BD91-4662-A489-F5B363F162F9} (PUP.Optional.Tarma.A) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs (PUP.Optional.SProtect.A) -> Bad: (c:\progra~1\savesh~1\sprote~1.dll) Good: () -> No action taken.

Folders Detected: 1
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326 (PUP.Optional.Conduit.A) -> No action taken.

Files Detected: 76
C:\Program Files\SaveShare\sprotector.dll (PUP.Optional.SProtect.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{06C0EEBA-C97A-4B04-A9EF-8158DD23CC4C}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{06C0EEBA-C97A-4B04-A9EF-8158DD23CC4C}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{21E7F410-F549-450F-A7E4-BD6BFA04D6E6}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{21E7F410-F549-450F-A7E4-BD6BFA04D6E6}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{3AF7FCA5-5F84-4DCF-AF24-17A6E114DE53}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{3AF7FCA5-5F84-4DCF-AF24-17A6E114DE53}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{415EC2DB-DFD1-48B7-AA5C-97F39ABDE02D}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{415EC2DB-DFD1-48B7-AA5C-97F39ABDE02D}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{47FB50CC-8FB6-469F-A474-C7949C18723A}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{47FB50CC-8FB6-469F-A474-C7949C18723A}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{8D4E0CA3-D36D-4E58-ACB3-9B4F56AD2E55}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{8D4E0CA3-D36D-4E58-ACB3-9B4F56AD2E55}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{B812400F-BD91-4662-A489-F5B363F162F9}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\InstallMate\{B812400F-BD91-4662-A489-F5B363F162F9}\TsuDll.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\Documents and Settings\Shauna\My Documents\Downloads\smoboda.rar.exe (PUP.BundleInstaller.DW) -> No action taken.
C:\Documents and Settings\Shauna\My Documents\Downloads\zip.exe (PUP.Optional.InstallIQ.A) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc915.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc918.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc932.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc942.part (PUP.Optional.Amonetize.AS) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc952.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc972.part (PUP.Downware) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc923.part (PUP.Optional.Amonetize.AS) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc926.part (PUP.Optional.Amonetize.AS) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc930.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc931.part (PUP.Optional.Amonetize.AS) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc934.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc938.part (PUP.Optional.Topmedia) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc940.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc941.part (PUP.Downware) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc945.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc947.part (PUP.BundleInstaller.DW) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc948.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc950.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc958.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc959.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc960.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc965.part (PUP.BundleInstaller.DW) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc966.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc969.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc970.part (PUP.BundleInstaller.DW) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc974.part (PUP.Optional.Amonetize.AS) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc975.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc977.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc979.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc981.part (PUP.Optional.Bandoo) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc990.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc992.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc995.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc996.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc997.part (PUP.Optional.Installex) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc1001.part (PUP.Optional.Amonetize.AS) -> No action taken.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\Dc1002.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\nsk3680.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\nsr38DC.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\nsz38D7.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\s2eU4MZY.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\mconduitinstaller.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\SPStub.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\toolbar6395265.exe (PUP.Optional.Yontoo) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\toolbar6401062.exe (PUP.Optional.DeltaTB) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ToolbarHelper.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\Aq+Zj8t8.exe.part (PUP.Optional.Installex) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\9A2A2F71-BAB0-7891-9B25-3B40DCB6E6F8\BabMaint.exe (PUP.Optional.Babylon.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\9A2A2F71-BAB0-7891-9B25-3B40DCB6E6F8\BUSolution.dll (PUP.Optional.BabSolution.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\9A2A2F71-BAB0-7891-9B25-3B40DCB6E6F8\ccp.exe (PUP.Babylon.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\9A2A2F71-BAB0-7891-9B25-3B40DCB6E6F8\CrxInstaller.dll (PUP.Optional.Babylon.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\9A2A2F71-BAB0-7891-9B25-3B40DCB6E6F8\NTRedirect.dll (PUP.Optional.Babylon.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\9A2A2F71-BAB0-7891-9B25-3B40DCB6E6F8\Setup.exe (PUP.Babylon.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326\ctbe.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326\ieLogic.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326\statisticsStub.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326\stub.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326\chromeid.txt (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Shauna\Local Settings\Temp\ct3291326\setup.ini.txt (PUP.Optional.Conduit.A) -> No action taken.

(end)
 

Link to post
Share on other sites

Okay, RKiller complete. I'll post the log. But under the file tab section you mentioned...it doesn't appear to have a way to 'check' those files. They all seem to run together.

 

RogueKiller V8.7.0 [sep 30 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Shauna [Admin rights]
Mode : Scan -- Date : 09/30/2013 08:42:26
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\RunOnce : SpUninstallDeleteDir (rmdir /s /q "C:\Documents and Settings\Shauna\Application Data\SearchProtect" [x]) -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1226193511-2892163551-3241378241-1006\[...]\RunOnce : SpUninstallDeleteDir (rmdir /s /q "C:\Documents and Settings\Shauna\Application Data\SearchProtect" [x]) -> FOUND
[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd\n. [x]) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][sUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\WINDOWS\TEMP\{377101E5-3795-458E-A2E6-1EA39D6683B9}.exe - --uninstall=1 [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[FF][PROXY] g7yufipz.default : user_pref("network.proxy.type", 4); -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\@ [-] --> FOUND
[ZeroAccess][File] @ : C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U [-] --> FOUND
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\L [-] --> FOUND
[ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd\L [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] IRP[DriverStartIo] : atapi.sys -> HOOKED (Unknown @ 0x869CA2E2)
[inline] EAT @explorer.exe (??_7?$basic_ostringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@6B@) : MSVCP60.dll -> HOOKED (Unknown @ 0x768381A1)
[inline] EAT @explorer.exe (??_7?$basic_streambuf@GU?$char_traits@G@std@@@std@@6B@) : MSVCP100.dll -> HOOKED (Unknown @ 0x4B7D2083)
[inline] IAT @firefox.exe (CreateFileW) : KERNEL32.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100781B0)
[inline] IAT @firefox.exe (CloseHandle) : KERNEL32.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100782F0)
[inline] EAT @firefox.exe (NtQueryAttributesFile) : ntdll.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x10078550)
[inline] EAT @firefox.exe (NtQueryFullAttributesFile) : ntdll.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100786D0)
[inline] EAT @firefox.exe (NtQueryInformationFile) : ntdll.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100784C0)
[inline] EAT @firefox.exe (NtQueryValueKey) : ntdll.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100AC400)
[inline] EAT @firefox.exe (NtSetInformationFile) : ntdll.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100783F0)
[inline] EAT @firefox.exe (NtSetValueKey) : ntdll.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100AC490)
[inline] EAT @firefox.exe (ZwQueryAttributesFile) : ntdll.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x10078550)
[inline] EAT @firefox.exe (ZwQueryFullAttributesFile) : ntdll.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100786D0)
[inline] EAT @firefox.exe (ZwQueryInformationFile) : ntdll.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100784C0)
[inline] EAT @firefox.exe (ZwQueryValueKey) : ntdll.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100AC400)
[inline] EAT @firefox.exe (ZwSetInformationFile) : ntdll.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100783F0)
[inline] EAT @firefox.exe (ZwSetValueKey) : ntdll.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100AC490)
[inline] EAT @firefox.exe (CloseHandle) : kernel32.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100782F0)
[inline] EAT @firefox.exe (CreateFileA) : kernel32.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x10078070)
[inline] EAT @firefox.exe (CreateFileW) : kernel32.dll -> HOOKED (c:\progra~1\savesh~1\sprote~1.dll @ 0x100781B0)
[inline] EAT @firefox.exe (_wpgmptr) : MSVCR100.dll -> HOOKED (Unknown @ 0x692DEC70)
[inline] EAT @firefox.exe (??_7?$basic_ostringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@6B@) : MSVCP60.dll -> HOOKED (Unknown @ 0x768381A1)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    www.100888290cs.com
127.0.0.1    100888290cs.com
127.0.0.1    100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ )  -  +++++
--- User ---
[MBR] 4d32227ea6f80138149a3e3352c3b752
[bSP] 44af34bf80aacd4065657a6dc8994ac4 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152616 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 001bae72239183c3812aa2f539227b2b
[bSP] 44af34bf80aacd4065657a6dc8994ac4 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152616 Mo

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - JetFlash Transcend 8GB USB Device +++++
--- User ---
[MBR] 7cba8071c7d4ddaa491c627ee2bd7194
[bSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 6000 | Size: 7719 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_09302013_084225.txt >>
RKreport[0]_S_09292013_215631.txt;RKreport[0]_S_09292013_222327.txt


 

Link to post
Share on other sites

Okay...here's what happening, Mr. Charlie. I've downloaded the mbar and updated. The first scan produced this message: Error - the system volume seems inaccessible or encrypted. Scan can't continue

But then it did pop up a message saying Congratulations! No whatevers were found. Can't remember the exact wording. So I reran the app yet again and received this message:  Probable rootkit activity detected -  Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity.
Note: Press No button if not sure. I the tool crashes or terminates unexpectedly during a system scan, restart the tool and press yes should this message appear again.

DDA driver was not installed which may be caused by rootkit activity. Do you want to reboot the computer to install DDA driver (Scan will continue after reboot.)?

 

I have not answered it's request yet. Not until I check with you. There appears to be something Shauna had on this system I was unaware of that now has asked me to allow or disallow changes. It's called Spybot. I have seen it before but thought it was part of the antivirus she said she had. How do I turn this guy off? Is it what may have cause a lock down? Should I try to get rid of it? Or shall I just let mbar shut down and load the dll it wants?

Link to post
Share on other sites

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
MrC
Link to post
Share on other sites

FRST has run it's scan and here's it's results, Mr. C.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-09-2013 01
Ran by Shauna (administrator) on LITTLEBIRD2 on 30-09-2013 10:16:21
Running from C:\Documents and Settings\Shauna\Desktop
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Sonic Solutions) C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
(IDT, Inc.) c:\program files\idt\wdm\STacSV.exe
(http://goforfiles.com/) C:\Program Files\GoforFiles\GFFUpdater.exe
() C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Andrea Electronics Corporation) C:\WINDOWS\system32\AESTFltr.exe
() C:\Program Files\HP\HPBTWD.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jusched.exe
(syncables, LLC) C:\Program Files\syncables\syncables desktop\Syncables.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(Sun Microsystems, Inc.) C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe
(RealNetworks, Inc.) C:\program files\real\realplayer\update\realsched.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Safer Networking Limited) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
(syncables, LLC) C:\Program Files\syncables\syncables desktop\MigoMapi.exe
() C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jucheck.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\WINDOWS\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [sysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [483428 2009-03-30] (IDT, Inc.)
HKLM\...\Run: [AESTFltr] - C:\Windows\system32\AESTFltr.exe [737280 2009-02-18] (Andrea Electronics Corporation)
HKLM\...\Run: [HP BTW Detect Program] - C:\Program Files\HP\HPBTWD.exe [319488 2009-03-30] ()
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1418536 2009-01-15] (Synaptics, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Java\jre6\bin\jusched.exe [136600 2009-06-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [HP Mobile Broadband] - c:\SWsetup\HPQWWAN\HPMobileBroadband.exe [455224 2009-01-09] (Hewlett-Packard Company)
HKLM\...\Run: [syncables] - C:\Program Files\syncables\syncables desktop\Syncables.exe [173360 2009-04-02] (syncables, LLC)
HKLM\...\Run: [Microsoft Default Manager] - c:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [224616 2009-02-06] (Microsoft Corp.)
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [PININST] - C:\SYSTEM.SAV\UTIL\PININST.EXE [94208 2006-02-25] ()
HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
HKLM\...\Run: [TkBellExe] - C:\program files\real\realplayer\update\realsched.exe [296096 2012-07-22] (RealNetworks, Inc.)
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [3117344 2012-03-07] (ESET)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [vProt] - "C:\Program Files\AVG Secure Search\vprot.exe"
HKLM\...\RunOnce: [ (A0)] - cmd /c "C:\Documents and Settings\Shauna\Desktop\mbar\mbar.exe" /rdv /s [1178424 2013-08-13] (Malwarebytes Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKCU\...\Run: [spybotSD TeaTimer] - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2144088 2009-01-26] (Safer Networking Limited)
HKCU\...\Run: [Xvid] - C:\Program Files\Xvid\CheckUpdate.exe [8192 2011-01-17] ()
HKCU\...\Runonce: [spUninstallDeleteDir] - rmdir /s /q "C:\Documents and Settings\Shauna\Application Data\SearchProtect"
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {C44A8427-A5BA-4FA9-945A-7936B0D694F2} URL = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPNTDF
SearchScopes: HKLM - {F636501E-CE16-4CE0-9FB8-8B4C6B9E5574} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKCU - {C44A8427-A5BA-4FA9-945A-7936B0D694F2} URL = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPNTDF&src=IE-SearchBox
SearchScopes: HKCU - {D4F130FD-E0B8-4770-8AAD-BF28F263B5A0} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3291326&CUI=UN20604546432976931&UM=2
SearchScopes: HKCU - {F636501E-CE16-4CE0-9FB8-8B4C6B9E5574} URL =
BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0559.0\msneshellx.dll (Microsoft Corp.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0559.0\msneshellx.dll (Microsoft Corp.)
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Shauna\Application Data\Mozilla\Firefox\Profiles\g7yufipz.default
FF SearchEngineOrder.user_pref("browser.search.order.1", "");: user_pref("browser.search.order.1", "");
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "");: user_pref("browser.search.order.1,S", "");
FF NetworkProxy: "type", 4
FF DefaultSearchEngine: user_pref("browser.search.defaultenginename", "");
FF SelectedSearchEngine: user_pref("browser.search.selectedEngine", "");
FF Keyword.URL: user_pref("keyword.URL", "");
FF Homepage: user_pref("browser.startup.homepage", "");
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=15.0.5.109 - c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=15.0.5.109 - c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.5.109 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.5.109 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=15.0.5.109 - c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\avg-secure-search.xml
FF Extension: jid0-HVSBDzuc3UFGvmtex3x0IZzgCM8 - C:\Documents and Settings\Shauna\Application Data\Mozilla\Firefox\Profiles\g7yufipz.default\Extensions\jid0-HVSBDzuc3UFGvmtex3x0IZzgCM8@jetpack.xpi
FF Extension: personas - C:\Documents and Settings\Shauna\Application Data\Mozilla\Firefox\Profiles\g7yufipz.default\Extensions\personas@christopher.beard.xpi
FF Extension: trtv3 - C:\Documents and Settings\Shauna\Application Data\Mozilla\Firefox\Profiles\g7yufipz.default\Extensions\trtv3@trtv.com.xpi
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF HKLM\...\Firefox\Extensions: [{C3949AC2-4B17-43ee-B4F1-D26B9D42404D}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: RealPlayer Browser Record Plugin - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: ESET Smart Security Extension - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

Chrome:
=======
CHR Extension: (Docs) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0
CHR Extension: (Google Drive) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0
CHR Extension: (YouTube) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0
CHR Extension: (Chrome In-App Payments service) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
CHR Extension: (Gmail) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx

========================== Services (Whitelisted) =================

R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269; C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [125424 2008-12-12] ()
R2 BOTService; C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [203248 2009-03-19] (Sonic Solutions)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [913144 2012-03-07] (ESET)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
R2 STacSV; c:\program files\idt\wdm\STacSV.exe [254042 2009-03-30] (IDT, Inc.)
R2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
S2 vToolbarUpdater17.0.1; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.1\ToolbarUpdater.exe [x]

==================== Drivers (Whitelisted) ====================

R3 AESTAud; C:\Windows\System32\drivers\AESTAud.sys [113664 2009-03-19] (Andrea Electronics Corporation)
R1 avgtp; C:\WINDOWS\system32\drivers\avgtpx86.sys [37664 2013-09-28] (AVG Technologies)
R3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [1735040 2009-09-17] (Broadcom Corporation)
R1 eamon; C:\Windows\System32\DRIVERS\eamon.sys [160816 2012-03-14] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [120152 2012-03-14] (ESET)
R1 epfwtdir; C:\Windows\System32\DRIVERS\epfwtdir.sys [104160 2012-03-14] (ESET)
R3 L1c; C:\Windows\System32\DRIVERS\l1c51x86.sys [38912 2009-03-02] (Atheros Communications, Inc.)
R3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [48728 2013-09-30] (MalwareBytes)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R4 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [105176 2013-09-30] (Malwarebytes Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1550891 2009-03-30] (IDT, Inc.)
R0 SysCow; C:\Windows\System32\drivers\syscow32x.sys [103792 2008-09-25] (Sonic Solutions)
S3 MEMSWEEP2; \??\C:\WINDOWS\system32\1F86.tmp [x]
U4 RemoteRegistry;
S3 RSUSBSTOR; System32\Drivers\RTS5121.sys [x]
S3 Rts516xIR; system32\DRIVERS\Rts516xIR.sys [x]
S3 USBCCID; system32\DRIVERS\Rts5161ccid.sys [x]
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-30 10:16 - 2013-09-30 10:16 - 00000000 ____D C:\FRST
2013-09-30 10:15 - 2013-09-30 10:15 - 01086873 _____ (Farbar) C:\Documents and Settings\Shauna\Desktop\FRST.exe
2013-09-30 09:06 - 2013-09-30 09:06 - 00105176 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2013-09-30 08:59 - 2013-09-30 08:59 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-09-30 08:58 - 2013-09-30 08:58 - 00048728 _____ (MalwareBytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-09-30 08:56 - 2013-09-30 09:02 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\mbar
2013-09-30 08:54 - 2013-09-30 08:54 - 00007680 _____ C:\Documents and Settings\Shauna\Desktop\RKreport[0]_D_09302013_085405.txt
2013-09-30 08:42 - 2013-09-30 08:42 - 00006686 _____ C:\Documents and Settings\Shauna\Desktop\RKreport[0]_S_09302013_084225.txt
2013-09-30 08:27 - 2013-09-30 08:27 - 12907592 _____ (Malwarebytes Corp.) C:\Documents and Settings\Shauna\Desktop\mbar-1.07.0.1005.exe
2013-09-30 06:50 - 2013-09-30 06:50 - 01030305 _____ (Thisisu) C:\Documents and Settings\Shauna\Desktop\JRT.exe
2013-09-29 23:33 - 2013-09-29 23:46 - 00000000 ____D C:\AdwCleaner
2013-09-29 22:23 - 2013-09-29 22:27 - 00003785 _____ C:\Documents and Settings\Shauna\Desktop\RKreport[0]_S_09292013_222327.txt
2013-09-29 21:56 - 2013-09-29 21:56 - 00003837 _____ C:\Documents and Settings\Shauna\Desktop\RKreport[0]_S_09292013_215631.txt
2013-09-29 21:45 - 2013-09-30 08:54 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\RK_Quarantine
2013-09-29 21:36 - 2013-09-30 08:34 - 00948736 _____ C:\Documents and Settings\Shauna\Desktop\RogueKiller.exe
2013-09-29 19:19 - 2013-09-29 19:19 - 01042066 _____ C:\Documents and Settings\Shauna\Desktop\AdwCleaner.exe
2013-09-29 19:08 - 2013-09-29 19:08 - 00015149 _____ C:\Documents and Settings\Shauna\Desktop\dds.txt
2013-09-29 19:08 - 2013-09-29 19:08 - 00010822 _____ C:\Documents and Settings\Shauna\Desktop\attach.txt
2013-09-29 15:56 - 2013-09-29 15:56 - 00000758 _____ C:\Documents and Settings\Shauna\Desktop\wire-jewelry.txt
2013-09-24 09:40 - 2013-09-24 09:40 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-24 09:40 - 2013-09-24 09:40 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-09-24 09:40 - 2013-09-24 09:40 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-09-24 09:40 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2013-09-24 09:31 - 2013-09-24 09:31 - 00688992 ____R (Swearware) C:\Documents and Settings\Shauna\Desktop\dds.scr
2013-09-24 09:01 - 2013-09-24 09:01 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Documents and Settings\Shauna\Desktop\mbam-setup-1.75.0.1300.exe
2013-09-22 21:13 - 2013-09-24 08:59 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\round-up
2013-09-19 21:50 - 2013-09-29 21:37 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\Calibre Library
2013-09-18 12:30 - 2013-09-28 16:42 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-09-18 06:53 - 2013-09-18 06:56 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\jewelry
2013-09-18 06:34 - 2013-09-18 06:40 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\Biographies
2013-09-18 05:25 - 2013-09-18 05:25 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\2post
2013-09-17 20:13 - 2013-09-17 20:13 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
2013-09-07 16:40 - 2013-09-07 16:40 - 00000000 ____D C:\Documents and Settings\Shauna\Calibre Library

==================== One Month Modified Files and Folders =======

2013-09-30 10:16 - 2013-09-30 10:16 - 00000000 ____D C:\FRST
2013-09-30 10:15 - 2013-09-30 10:15 - 01086873 _____ (Farbar) C:\Documents and Settings\Shauna\Desktop\FRST.exe
2013-09-30 10:02 - 2009-09-17 04:10 - 00000282 _____ C:\WINDOWS\Tasks\BackOnTrack Instant Restore Idle.job
2013-09-30 09:24 - 2008-06-24 21:48 - 00032564 _____ C:\WINDOWS\SchedLgU.Txt
2013-09-30 09:22 - 2012-07-22 22:40 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-30 09:06 - 2013-09-30 09:06 - 00105176 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2013-09-30 09:02 - 2013-09-30 08:56 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\mbar
2013-09-30 08:59 - 2013-09-30 08:59 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-09-30 08:58 - 2013-09-30 08:58 - 00048728 _____ (MalwareBytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-09-30 08:54 - 2013-09-30 08:54 - 00007680 _____ C:\Documents and Settings\Shauna\Desktop\RKreport[0]_D_09302013_085405.txt
2013-09-30 08:54 - 2013-09-29 21:45 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\RK_Quarantine
2013-09-30 08:42 - 2013-09-30 08:42 - 00006686 _____ C:\Documents and Settings\Shauna\Desktop\RKreport[0]_S_09302013_084225.txt
2013-09-30 08:34 - 2013-09-29 21:36 - 00948736 _____ C:\Documents and Settings\Shauna\Desktop\RogueKiller.exe
2013-09-30 08:27 - 2013-09-30 08:27 - 12907592 _____ (Malwarebytes Corp.) C:\Documents and Settings\Shauna\Desktop\mbar-1.07.0.1005.exe
2013-09-30 06:50 - 2013-09-30 06:50 - 01030305 _____ (Thisisu) C:\Documents and Settings\Shauna\Desktop\JRT.exe
2013-09-30 06:02 - 2013-06-10 18:03 - 00000424 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{B1F49AD2-9F9C-4279-A3B5-B260CFC4E382}.job
2013-09-29 23:54 - 2008-06-24 21:26 - 00521766 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-09-29 23:50 - 2013-08-12 22:28 - 00001166 _____ C:\WINDOWS\Tasks\Torntv 2-updater.job
2013-09-29 23:50 - 2012-07-22 22:44 - 00000288 _____ C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1226193511-2892163551-3241378241-1006.job
2013-09-29 23:50 - 2012-07-22 22:44 - 00000280 _____ C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1226193511-2892163551-3241378241-1006.job
2013-09-29 23:49 - 2013-08-13 19:02 - 00000282 _____ C:\WINDOWS\Tasks\GoforFilesUpdate.job
2013-09-29 23:49 - 2013-08-12 22:28 - 00001160 _____ C:\WINDOWS\Tasks\Torntv 2-codedownloader.job
2013-09-29 23:49 - 2013-08-12 22:28 - 00001070 _____ C:\WINDOWS\Tasks\Torntv 2-enabler.job
2013-09-29 23:49 - 2013-06-12 08:49 - 00000350 _____ C:\WINDOWS\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-09-29 23:49 - 2012-07-22 22:40 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-29 23:49 - 2008-06-24 21:48 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-09-29 23:49 - 2008-06-24 14:08 - 00000157 _____ C:\WINDOWS\wiadebug.log
2013-09-29 23:49 - 2008-06-24 14:08 - 00000049 _____ C:\WINDOWS\wiaservc.log
2013-09-29 23:48 - 2012-07-26 21:55 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB952287$
2013-09-29 23:48 - 2009-09-17 04:08 - 00000178 ___SH C:\Documents and Settings\Shauna\ntuser.ini
2013-09-29 23:48 - 2008-06-24 21:48 - 01573001 _____ C:\WINDOWS\WindowsUpdate.log
2013-09-29 23:46 - 2013-09-29 23:33 - 00000000 ____D C:\AdwCleaner
2013-09-29 22:27 - 2013-09-29 22:23 - 00003785 _____ C:\Documents and Settings\Shauna\Desktop\RKreport[0]_S_09292013_222327.txt
2013-09-29 21:56 - 2013-09-29 21:56 - 00003837 _____ C:\Documents and Settings\Shauna\Desktop\RKreport[0]_S_09292013_215631.txt
2013-09-29 21:37 - 2013-09-19 21:50 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\Calibre Library
2013-09-29 19:19 - 2013-09-29 19:19 - 01042066 _____ C:\Documents and Settings\Shauna\Desktop\AdwCleaner.exe
2013-09-29 19:08 - 2013-09-29 19:08 - 00015149 _____ C:\Documents and Settings\Shauna\Desktop\dds.txt
2013-09-29 19:08 - 2013-09-29 19:08 - 00010822 _____ C:\Documents and Settings\Shauna\Desktop\attach.txt
2013-09-29 18:58 - 2012-07-12 08:17 - 00000000 ____D C:\Games
2013-09-29 18:33 - 2013-04-21 11:16 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\New Books
2013-09-29 15:56 - 2013-09-29 15:56 - 00000758 _____ C:\Documents and Settings\Shauna\Desktop\wire-jewelry.txt
2013-09-28 16:42 - 2013-09-18 12:30 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-09-28 16:42 - 2013-05-20 18:34 - 00003727 _____ C:\Program Files\Mozilla Firefoxavg-secure-search.xml
2013-09-28 16:41 - 2013-01-09 16:15 - 00000000 ____D C:\WINDOWS\system32\cache
2013-09-28 16:41 - 2013-01-03 19:32 - 00037664 _____ (AVG Technologies) C:\WINDOWS\system32\Drivers\avgtpx86.sys
2013-09-25 20:30 - 2009-06-14 19:17 - 00000000 ____D C:\WINDOWS\Registration
2013-09-24 15:55 - 2013-06-15 11:59 - 00000284 _____ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2013-09-24 09:40 - 2013-09-24 09:40 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-24 09:40 - 2013-09-24 09:40 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-09-24 09:40 - 2013-09-24 09:40 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-09-24 09:31 - 2013-09-24 09:31 - 00688992 ____R (Swearware) C:\Documents and Settings\Shauna\Desktop\dds.scr
2013-09-24 09:01 - 2013-09-24 09:01 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Documents and Settings\Shauna\Desktop\mbam-setup-1.75.0.1300.exe
2013-09-24 08:59 - 2013-09-22 21:13 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\round-up
2013-09-23 18:02 - 2013-01-03 19:37 - 00000000 ____D C:\Documents and Settings\Shauna\Application Data\mIRC
2013-09-23 04:49 - 2013-05-03 16:22 - 00000000 ____D C:\mIRCa
2013-09-22 21:37 - 2009-09-17 04:08 - 00000000 ____D C:\Documents and Settings\Shauna
2013-09-22 20:54 - 2012-07-25 13:36 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\Protection
2013-09-20 13:04 - 2012-07-25 13:17 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-09-20 12:54 - 2008-06-24 21:48 - 00659104 _____ C:\WINDOWS\setupapi.log
2013-09-19 10:53 - 2008-06-24 21:48 - 00001158 _____ C:\WINDOWS\system32\wpa.dbl
2013-09-19 10:50 - 2008-06-24 21:12 - 00001507 _____ C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk
2013-09-19 09:45 - 2012-07-22 20:58 - 00000000 ____D C:\Program Files\HijackThis
2013-09-19 06:29 - 2013-06-15 13:04 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\calibre & ebook progs
2013-09-18 06:56 - 2013-09-18 06:53 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\jewelry
2013-09-18 06:56 - 2013-07-01 14:07 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\needs revtew
2013-09-18 06:40 - 2013-09-18 06:34 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\Biographies
2013-09-18 05:25 - 2013-09-18 05:25 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\2post
2013-09-17 20:17 - 2013-01-09 17:31 - 00002347 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2013-09-17 20:13 - 2013-09-17 20:13 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
2013-09-17 20:12 - 2012-07-22 22:35 - 00000000 ____D C:\Program Files\Google
2013-09-07 16:40 - 2013-09-07 16:40 - 00000000 ____D C:\Documents and Settings\Shauna\Calibre Library

ZeroAccess:
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd

Some content of TEMP:
====================
C:\Documents and Settings\Shauna\Local Settings\Temp\BarControl.dll
C:\Documents and Settings\Shauna\Local Settings\Temp\ffqpfk.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\fhkwcw.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\fp_pl_pfs_installer.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\GDSSetup.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\GoogleInstApp.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\GoogleToolbar.dll
C:\Documents and Settings\Shauna\Local Settings\Temp\hkxjrc.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\hmnpkb.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\htmlayout.dll
C:\Documents and Settings\Shauna\Local Settings\Temp\jre-7u40-windows-i586-iftw.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\mconduitinstaller.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\mirc727.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\mirc729.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\nnqgxg.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\nsk3680.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\nsr38DC.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\nsz38D7.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\ntdll_dump.dll
C:\Documents and Settings\Shauna\Local Settings\Temp\oi_{D10C21C8-F0D9-4E50-9BBD-B5E6F0489BCA}.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\SPStub.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\tbKeyB.dll
C:\Documents and Settings\Shauna\Local Settings\Temp\toolbar6395265.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\toolbar6401062.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\ToolbarHelper.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

 

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 27-09-2013 01
Ran by Shauna at 2013-09-30 10:38:45
Running from C:\Documents and Settings\Shauna\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: ESET NOD32 Antivirus 5.2 (Disabled - Up to date) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

==================== Installed Programs ======================

Acrobat.com (Version: 1.1.377)
Activation Assistant for the 2007 Microsoft Office suites
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0)
Adobe AIR (Version: 1.5.0.7220)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.224)
Adobe Flash Player 11 Plugin (Version: 11.7.700.224)
Adobe Reader XI (11.0.04) (Version: 11.0.04)
AIM 6
Apple Application Support (Version: 2.3.4)
Apple Mobile Device Support (Version: 6.1.0.13)
Apple Software Update (Version: 2.1.3.127)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (Version: 1.0.0.16)
Boggle Supreme
Bonjour (Version: 3.0.0.10)
Broadcom 802.11 Wireless LAN Adapter (Version: 5.10.91.4)
calibre (Version: 0.9.35)
Compatibility Pack for the 2007 Office system (Version: 12.0.4518.1014)
DAMN NFO Viewer 2.10.0031 RC3 (Version: 2.10.0031)
Default Manager (Version: 1.0.105.0)
Detective Stories Hollywood (Version: 1.0)
ESET NOD32 Antivirus (Version: 5.2.9.1)
Fishdom Seasons Under the Sea 1.00
GoforFiles (HKCU Version: 1.9.1)
Google Chrome (Version: 29.0.1547.76)
Hidden Relics (Version: 5.2.30)
HijackThis 1.99.1 (Version: 1.99.1)
HP BatteryCheck 2.10 A2 (Version: 2.10 A2)
HP Doc Viewer (Version: 1.01.0005)
HP Help and Support (Version: 4.4.0003)
HP Mobile Broadband Setup Utility (Version: 1.000.17.0)
HP User Guides 0139 (Version: 1.01.0000)
HP Wireless Assistant (Version: 3.00 K2)
HpSdpAppCoreApp (Version: 3.00.0000)
IDT Audio (Version: 1.0.6162.12)
Intel® Graphics Media Accelerator Driver
Invision (Version: 3.3)
Java 6 Update 11 (Version: 6.0.110)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
McAfee Security Scan Plus (Version: 3.0.318.3)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Live Search Toolbar (Version: 3.0.559.0)
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Home and Student 2007 (Version: 12.0.4518.1014)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.4518.1014)
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Silverlight (Version: 2.0.31005.0)
Microsoft Software Update for Web Folders  (English) 12 (Version: 12.0.4518.1014)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries (Version: 2.0.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Works (Version: 9.7.0621)
mIRC (Version: 7.29)
Mozilla Firefox 24.0 (x86 en-US) (Version: 24.0)
Mozilla Maintenance Service (Version: 24.0)
MSXML 6.0 Parser (Version: 6.10.1129.0)
Mystery Legends Sleepy Hollow (Version: 1.0)
Mystery Solitaire Secret Island 1.00
OpenAL
Pirate Solitaire 1.00
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealPlayer (Version: 15.0.5)
RealUpgrade 1.1 (Version: 1.1.0)
Roxio BackOnTrack (Version: 1.3.0)
Roxio Disaster Recovery (Version: 1.3.0)
Roxio Instant Restore (Version: 3.8.0)
Roxio Instant Restore Recovery Disk (Version: 3.8.0)
Roxio Update Manager (Version: 6.0.0)
Sophos Anti-Rootkit 1.5.20 (Version: 1.5.20)
Spybot - Search & Destroy (Version: 1.6.2)
SpywareBlaster 4.6 (Version: 4.6.1)
Synaptics Pointing Device Driver (Version: 12.1.5.0)
syncables desktop (Version: 5.0.111)
Text Twist 2 1.00
Torntv 2 (Version: 1.27.153.8)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Office 2007 (KB934528)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
USB2.0 Card Reader Software (Version: 6.0.6000.75)
WebFldrs XP (Version: 9.50.7523)
Windows Backup Utility (Version: 5.1)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR 4.20 (32-bit) (Version: 4.20.0)
Xvid Video Codec (Version: 1.3.2)
Yahoo! Software Update
Yahoo! Toolbar

==================== Restore Points  =========================


==================== Hosts content: ==========================

2008-04-15 08:00 - 2012-07-24 14:26 - 00443488 ____R C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    www.100888290cs.com
127.0.0.1    100888290cs.com
127.0.0.1    100sexlinks.com
127.0.0.1    www.100sexlinks.com
127.0.0.1    www.10sek.com
127.0.0.1    10sek.com
127.0.0.1    1-2005-search.com
127.0.0.1    www.1-2005-search.com
127.0.0.1    www.123fporn.info
127.0.0.1    123fporn.info
127.0.0.1    www.123haustiereundmehr.com
127.0.0.1    123haustiereundmehr.com

There are 1000 more lines.


==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\WINDOWS\TEMP\{377101E5-3795-458E-A2E6-1EA39D6683B9}.exe
Task: C:\WINDOWS\Tasks\BackOnTrack Instant Restore Idle.job => C:\Program Files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe
Task: C:\WINDOWS\Tasks\GoforFilesUpdate.job => C:\Program Files\GoforFiles\GFFUpdater.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1226193511-2892163551-3241378241-1006.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1226193511-2892163551-3241378241-1006.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\Torntv 2-codedownloader.job => C:\Program Files\Torntv 2\Torntv 2-codedownloader.exe
Task: C:\WINDOWS\Tasks\Torntv 2-enabler.job => C:\Program Files\Torntv 2\Torntv 2-enabler.exe
Task: C:\WINDOWS\Tasks\Torntv 2-updater.job => C:\Program Files\Torntv 2\Torntv 2-updater.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{B1F49AD2-9F9C-4279-A3B5-B260CFC4E382}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) =============

2013-04-21 21:44 - 2013-04-21 21:44 - 00087952 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2013-04-21 21:44 - 2013-04-21 21:44 - 01242952 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2013-01-24 07:16 - 2013-01-24 07:16 - 01050112 _____ () C:\Program Files\SaveShare\sprotector.dll
2013-09-18 12:31 - 2013-09-18 12:32 - 03279768 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:339562A6
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:3C282BEA
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:4573A78F
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:6EE8565A
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:8DB31C20
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A4CDE823
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A5CD91DF

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (09/29/2013 10:58:43 PM) (Source: CltMngSvc) (User: )
Description: CltMngSvcShutting down. (Error: 997)

Error: (09/29/2013 06:32:59 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 30220578

Error: (09/29/2013 06:32:59 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 30220578

Error: (09/29/2013 06:32:59 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (09/28/2013 07:44:01 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 34853125

Error: (09/28/2013 07:44:01 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 34853125

Error: (09/28/2013 07:44:01 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (09/27/2013 06:48:12 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 36852406

Error: (09/27/2013 06:48:12 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 36852406

Error: (09/27/2013 06:48:12 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second


System errors:
=============
Error: (09/29/2013 11:50:32 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AliIde
IntelIde
ViaIde

Error: (09/29/2013 11:50:32 PM) (Source: Service Control Manager) (User: )
Description: The vToolbarUpdater17.0.1 service failed to start due to the following error:
%%2

Error: (09/29/2013 10:46:05 PM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the WebUpdater service, but this action failed with the following error:
%%1058

Error: (09/29/2013 10:46:01 PM) (Source: Service Control Manager) (User: )
Description: The WebUpdater service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (09/24/2013 08:54:02 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 59 minutes.
NtpClient has no source of accurate time.

Error: (09/24/2013 08:54:02 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)


Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Percentage of memory in use: 74%
Total physical RAM: 1015.23 MB
Available physical RAM: 256.57 MB
Total Pagefile: 2441.8 MB
Available Pagefile: 1391.09 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:149.04 GB) (Free:68.14 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (Transcend) (Removable) (Total:7.52 GB) (Free:6.87 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 149 GB) (Disk ID: 1BFC1BFC)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 8 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=8 GB) - (Type=0C)

==================== End Of Log ============================

Link to post
Share on other sites

Download the attached fixlist.txt to the same folder as FRST.

Run FRST and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Link to post
Share on other sites

Okay, Mr. C., here's the fixlog as you've requested. The malware antirootkit is running as I type. Will post results when finished.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 27-09-2013 01
Ran by Shauna at 2013-09-30 11:26:10 Run:1
Running from C:\Documents and Settings\Shauna\Desktop\FRST
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd
C:\Documents and Settings\Shauna\Local Settings\Temp\BarControl.dll
C:\Documents and Settings\Shauna\Local Settings\Temp\ffqpfk.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\fhkwcw.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\fp_pl_pfs_installer.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\GDSSetup.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\GoogleInstApp.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\GoogleToolbar.dll
C:\Documents and Settings\Shauna\Local Settings\Temp\hkxjrc.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\hmnpkb.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\htmlayout.dll
C:\Documents and Settings\Shauna\Local Settings\Temp\jre-7u40-windows-i586-iftw.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\mconduitinstaller.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\mirc727.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\mirc729.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\nnqgxg.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\nsk3680.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\nsr38DC.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\nsz38D7.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\ntdll_dump.dll
C:\Documents and Settings\Shauna\Local Settings\Temp\oi_{D10C21C8-F0D9-4E50-9BBD-B5E6F0489BCA}.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\SPStub.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\tbKeyB.dll
C:\Documents and Settings\Shauna\Local Settings\Temp\toolbar6395265.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\toolbar6401062.exe
C:\Documents and Settings\Shauna\Local Settings\Temp\ToolbarHelper.exe
C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd




*****************

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\BarControl.dll => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\ffqpfk.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\fhkwcw.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\fp_pl_pfs_installer.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\GDSSetup.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\GoogleInstApp.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\GoogleToolbar.dll => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\hkxjrc.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\hmnpkb.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\htmlayout.dll => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\jre-7u40-windows-i586-iftw.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\mconduitinstaller.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\mirc727.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\mirc729.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\nnqgxg.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\nsk3680.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\nsr38DC.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\nsz38D7.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\ntdll_dump.dll => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\oi_{D10C21C8-F0D9-4E50-9BBD-B5E6F0489BCA}.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\Quarantine.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\SPStub.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\tbKeyB.dll => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\toolbar6395265.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\toolbar6401062.exe => Moved successfully.
C:\Documents and Settings\Shauna\Local Settings\Temp\ToolbarHelper.exe => Moved successfully.

"C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd" directory move:

Could not move "C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\00000004.$" => Scheduled to move on reboot.
Could not move "C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\00000004.@" => Scheduled to move on reboot.
Could not move "C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\00000008.@" => Scheduled to move on reboot.
Could not move "C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\000000cb.$" => Scheduled to move on reboot.
Could not move "C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\000000cb.@" => Scheduled to move on reboot.
Could not move "C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\80000000.@" => Scheduled to move on reboot.
Could not move "C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\80000032.@" => Scheduled to move on reboot.
Could not move "C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd" directory. => Scheduled to move on reboot.

"C:\RECYCLER\S-1-5-21-1226193511-2892163551-3241378241-1006\$f82827fb0426f2f4879495aa9a387cdd" => File/Directory not found.

=========== Result of Scheduled Files to move ===========

C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\00000004.$ => Moved successfully.
C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\00000004.@ => Moved successfully.
C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\00000008.@ => Moved successfully.
C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\000000cb.$ => Moved successfully.
C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\000000cb.@ => Moved successfully.
C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\80000000.@ => Moved successfully.
C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U\80000032.@ => Moved successfully.
"C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd" => Directory could not move.

==== End of Fixlog ====

Link to post
Share on other sites

Well now...this round scared me, Mr. C. Sorry for the delays. All was well to a point. I up-dated the antirootkit and proceeded on to the scan. At one point the pc shut down. At first I thought it was what malware antirootkit would do once it ran. I just don't recall it telling me it was going to do that. Have to admit I was watching the government shutdown clock on msnbc...and wasn't paying full attention to the run.

Well, when it came back up...it appeared all was normal. I could see each stage like usual, including my welcome screen then my desktop. Unfortunately it was only my desktop image sans anything else such as the items on it or the tool bar, clock, start button etc. Just the image. I waited for over 15 minutes thinking it would settle. It didn't. I had to shut it down cold. Did that twice...until the third time. On the third try there is a screen that asks if you wanted to go to some form of booting. There was only two choices..I took the first choice instead of the second that said bios set-up. Up came my desktop again along with everything else to navigate around with.

Now I'm spooked. Also...it doesn't seem to have created the two files that should have been done with the maleware scan completed. Shall I try running the rootkit again? I mean I can always switch to my Mac if it stays down and let you know. I'm just not sure what you can do to help me get it back up again if it doesn't work the way it did the way I tried it this last time. What do you advise?

Link to post
Share on other sites

Goodness, that scan seemed to take longer. No matter...here it is, Mr. Charlie.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-09-2013 01
Ran by Shauna (administrator) on LITTLEBIRD2 on 30-09-2013 13:05:25
Running from C:\Documents and Settings\Shauna\Desktop\FRST
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Sonic Solutions) C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
(IDT, Inc.) c:\program files\idt\wdm\STacSV.exe
(http://goforfiles.com/) C:\Program Files\GoforFiles\GFFUpdater.exe
() C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Andrea Electronics Corporation) C:\WINDOWS\system32\AESTFltr.exe
() C:\Program Files\HP\HPBTWD.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jusched.exe
(syncables, LLC) C:\Program Files\syncables\syncables desktop\Syncables.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(RealNetworks, Inc.) C:\program files\real\realplayer\update\realsched.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Safer Networking Limited) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
(Sun Microsystems, Inc.) C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
(syncables, LLC) C:\Program Files\syncables\syncables desktop\MigoMapi.exe
() C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\WINDOWS\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [sysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [483428 2009-03-30] (IDT, Inc.)
HKLM\...\Run: [AESTFltr] - C:\Windows\system32\AESTFltr.exe [737280 2009-02-18] (Andrea Electronics Corporation)
HKLM\...\Run: [HP BTW Detect Program] - C:\Program Files\HP\HPBTWD.exe [319488 2009-03-30] ()
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1418536 2009-01-15] (Synaptics, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Java\jre6\bin\jusched.exe [136600 2009-06-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [HP Mobile Broadband] - c:\SWsetup\HPQWWAN\HPMobileBroadband.exe [455224 2009-01-09] (Hewlett-Packard Company)
HKLM\...\Run: [syncables] - C:\Program Files\syncables\syncables desktop\Syncables.exe [173360 2009-04-02] (syncables, LLC)
HKLM\...\Run: [Microsoft Default Manager] - c:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [224616 2009-02-06] (Microsoft Corp.)
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [PININST] - C:\SYSTEM.SAV\UTIL\PININST.EXE [94208 2006-02-25] ()
HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
HKLM\...\Run: [TkBellExe] - C:\program files\real\realplayer\update\realsched.exe [296096 2012-07-22] (RealNetworks, Inc.)
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [3117344 2012-03-07] (ESET)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [vProt] - "C:\Program Files\AVG Secure Search\vprot.exe"
HKCU\...\Run: [spybotSD TeaTimer] - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2144088 2009-01-26] (Safer Networking Limited)
HKCU\...\Run: [Xvid] - C:\Program Files\Xvid\CheckUpdate.exe [8192 2011-01-17] ()
HKCU\...\Runonce: [spUninstallDeleteDir] - rmdir /s /q "C:\Documents and Settings\Shauna\Application Data\SearchProtect"
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {C44A8427-A5BA-4FA9-945A-7936B0D694F2} URL = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPNTDF
SearchScopes: HKLM - {F636501E-CE16-4CE0-9FB8-8B4C6B9E5574} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKCU - {C44A8427-A5BA-4FA9-945A-7936B0D694F2} URL = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPNTDF&src=IE-SearchBox
SearchScopes: HKCU - {D4F130FD-E0B8-4770-8AAD-BF28F263B5A0} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3291326&CUI=UN20604546432976931&UM=2
SearchScopes: HKCU - {F636501E-CE16-4CE0-9FB8-8B4C6B9E5574} URL =
BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0559.0\msneshellx.dll (Microsoft Corp.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0559.0\msneshellx.dll (Microsoft Corp.)
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Shauna\Application Data\Mozilla\Firefox\Profiles\g7yufipz.default
FF DefaultSearchEngine: user_pref("browser.search.defaultenginename", "");
FF SearchEngineOrder.user_pref("browser.search.order.1", "");: user_pref("browser.search.order.1", "");
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "");: user_pref("browser.search.order.1,S", "");
FF SelectedSearchEngine: user_pref("browser.search.selectedEngine", "");
FF Keyword.URL: user_pref("keyword.URL", "");
FF NetworkProxy: "type", 4
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=15.0.5.109 - c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=15.0.5.109 - c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.5.109 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.5.109 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=15.0.5.109 - c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\avg-secure-search.xml
FF Extension: jid0-HVSBDzuc3UFGvmtex3x0IZzgCM8 - C:\Documents and Settings\Shauna\Application Data\Mozilla\Firefox\Profiles\g7yufipz.default\Extensions\jid0-HVSBDzuc3UFGvmtex3x0IZzgCM8@jetpack.xpi
FF Extension: personas - C:\Documents and Settings\Shauna\Application Data\Mozilla\Firefox\Profiles\g7yufipz.default\Extensions\personas@christopher.beard.xpi
FF Extension: trtv3 - C:\Documents and Settings\Shauna\Application Data\Mozilla\Firefox\Profiles\g7yufipz.default\Extensions\trtv3@trtv.com.xpi
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF HKLM\...\Firefox\Extensions: [{C3949AC2-4B17-43ee-B4F1-D26B9D42404D}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: RealPlayer Browser Record Plugin - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: ESET Smart Security Extension - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

Chrome:
=======
CHR Extension: (Docs) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0
CHR Extension: (Google Drive) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0
CHR Extension: (YouTube) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0
CHR Extension: (Chrome In-App Payments service) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
CHR Extension: (Gmail) - C:\DOCUME~1\Shauna\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx

========================== Services (Whitelisted) =================

R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269; C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [125424 2008-12-12] ()
R2 BOTService; C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [203248 2009-03-19] (Sonic Solutions)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [913144 2012-03-07] (ESET)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
R2 STacSV; c:\program files\idt\wdm\STacSV.exe [254042 2009-03-30] (IDT, Inc.)
R2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
S2 vToolbarUpdater17.0.1; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.1\ToolbarUpdater.exe [x]

==================== Drivers (Whitelisted) ====================

R3 AESTAud; C:\Windows\System32\drivers\AESTAud.sys [113664 2009-03-19] (Andrea Electronics Corporation)
R1 avgtp; C:\WINDOWS\system32\drivers\avgtpx86.sys [37664 2013-09-28] (AVG Technologies)
R3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [1735040 2009-09-17] (Broadcom Corporation)
R1 eamon; C:\Windows\System32\DRIVERS\eamon.sys [160816 2012-03-14] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [120152 2012-03-14] (ESET)
R1 epfwtdir; C:\Windows\System32\DRIVERS\epfwtdir.sys [104160 2012-03-14] (ESET)
R3 L1c; C:\Windows\System32\DRIVERS\l1c51x86.sys [38912 2009-03-02] (Atheros Communications, Inc.)
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [48728 2013-09-30] (MalwareBytes)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [105176 2013-09-30] (Malwarebytes Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1550891 2009-03-30] (IDT, Inc.)
R0 SysCow; C:\Windows\System32\drivers\syscow32x.sys [103792 2008-09-25] (Sonic Solutions)
S3 MEMSWEEP2; \??\C:\WINDOWS\system32\1F86.tmp [x]
U4 RemoteRegistry;
S3 RSUSBSTOR; System32\Drivers\RTS5121.sys [x]
S3 Rts516xIR; system32\DRIVERS\Rts516xIR.sys [x]
S3 USBCCID; system32\DRIVERS\Rts5161ccid.sys [x]
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-30 12:31 - 2013-09-30 12:31 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\RK
2013-09-30 12:29 - 2013-09-30 12:30 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\mware
2013-09-30 12:06 - 2013-09-30 12:06 - 00090112 _____ C:\WINDOWS\Minidump\Mini093013-01.dmp
2013-09-30 11:39 - 2013-09-30 11:39 - 00105176 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2013-09-30 11:22 - 2013-09-30 13:05 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\FRST
2013-09-30 10:16 - 2013-09-30 11:32 - 00000000 ____D C:\FRST
2013-09-30 08:59 - 2013-09-30 11:45 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-09-30 08:58 - 2013-09-30 08:58 - 00048728 _____ (MalwareBytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-09-30 08:56 - 2013-09-30 11:31 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\mbar
2013-09-30 06:50 - 2013-09-30 06:50 - 01030305 _____ (Thisisu) C:\Documents and Settings\Shauna\Desktop\JRT.exe
2013-09-29 23:33 - 2013-09-29 23:46 - 00000000 ____D C:\AdwCleaner
2013-09-29 21:36 - 2013-09-30 08:34 - 00948736 _____ C:\Documents and Settings\Shauna\Desktop\RogueKiller.exe
2013-09-29 19:19 - 2013-09-29 19:19 - 01042066 _____ C:\Documents and Settings\Shauna\Desktop\AdwCleaner.exe
2013-09-29 19:08 - 2013-09-29 19:08 - 00010822 _____ C:\Documents and Settings\Shauna\Desktop\attach.txt
2013-09-24 09:40 - 2013-09-24 09:40 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-09-24 09:40 - 2013-09-24 09:40 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-09-24 09:40 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2013-09-24 09:31 - 2013-09-24 09:31 - 00688992 ____R (Swearware) C:\Documents and Settings\Shauna\Desktop\dds.scr
2013-09-24 09:01 - 2013-09-24 09:01 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Documents and Settings\Shauna\Desktop\mbam-setup-1.75.0.1300.exe
2013-09-22 21:13 - 2013-09-30 11:33 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\round-up
2013-09-19 21:50 - 2013-09-29 21:37 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\Calibre Library
2013-09-18 12:30 - 2013-09-28 16:42 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-09-17 20:13 - 2013-09-17 20:13 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
2013-09-07 16:40 - 2013-09-07 16:40 - 00000000 ____D C:\Documents and Settings\Shauna\Calibre Library

==================== One Month Modified Files and Folders =======

2013-09-30 13:05 - 2013-09-30 11:22 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\FRST
2013-09-30 13:03 - 2009-09-17 04:10 - 00000282 _____ C:\WINDOWS\Tasks\BackOnTrack Instant Restore Idle.job
2013-09-30 12:31 - 2013-09-30 12:31 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\RK
2013-09-30 12:31 - 2008-06-24 21:26 - 00521766 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-09-30 12:30 - 2013-09-30 12:29 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\mware
2013-09-30 12:28 - 2013-06-10 18:03 - 00000424 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{B1F49AD2-9F9C-4279-A3B5-B260CFC4E382}.job
2013-09-30 12:28 - 2013-04-21 11:16 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\New Books
2013-09-30 12:28 - 2012-07-22 22:44 - 00000280 _____ C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1226193511-2892163551-3241378241-1006.job
2013-09-30 12:27 - 2013-08-12 22:28 - 00001166 _____ C:\WINDOWS\Tasks\Torntv 2-updater.job
2013-09-30 12:27 - 2012-07-22 22:44 - 00000288 _____ C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1226193511-2892163551-3241378241-1006.job
2013-09-30 12:26 - 2013-08-13 19:02 - 00000282 _____ C:\WINDOWS\Tasks\GoforFilesUpdate.job
2013-09-30 12:26 - 2013-08-12 22:28 - 00001160 _____ C:\WINDOWS\Tasks\Torntv 2-codedownloader.job
2013-09-30 12:26 - 2013-08-12 22:28 - 00001070 _____ C:\WINDOWS\Tasks\Torntv 2-enabler.job
2013-09-30 12:26 - 2013-06-12 08:49 - 00000350 _____ C:\WINDOWS\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-09-30 12:26 - 2012-07-22 22:40 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-30 12:26 - 2008-06-24 21:48 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-09-30 12:26 - 2008-06-24 14:08 - 00000159 _____ C:\WINDOWS\wiadebug.log
2013-09-30 12:26 - 2008-06-24 14:08 - 00000049 _____ C:\WINDOWS\wiaservc.log
2013-09-30 12:06 - 2013-09-30 12:06 - 00090112 _____ C:\WINDOWS\Minidump\Mini093013-01.dmp
2013-09-30 12:06 - 2012-07-22 19:10 - 00000000 ____D C:\WINDOWS\Minidump
2013-09-30 11:45 - 2013-09-30 08:59 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-09-30 11:39 - 2013-09-30 11:39 - 00105176 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2013-09-30 11:33 - 2013-09-22 21:13 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\round-up
2013-09-30 11:32 - 2013-09-30 10:16 - 00000000 ____D C:\FRST
2013-09-30 11:31 - 2013-09-30 08:56 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\mbar
2013-09-30 11:29 - 2009-09-17 04:08 - 00000178 ___SH C:\Documents and Settings\Shauna\ntuser.ini
2013-09-30 11:29 - 2009-09-17 04:08 - 00000000 ____D C:\Documents and Settings\Shauna
2013-09-30 11:29 - 2008-06-24 21:48 - 01573383 _____ C:\WINDOWS\WindowsUpdate.log
2013-09-30 11:29 - 2008-06-24 21:48 - 00032564 _____ C:\WINDOWS\SchedLgU.Txt
2013-09-30 11:22 - 2012-07-22 22:40 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-30 08:58 - 2013-09-30 08:58 - 00048728 _____ (MalwareBytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-09-30 08:34 - 2013-09-29 21:36 - 00948736 _____ C:\Documents and Settings\Shauna\Desktop\RogueKiller.exe
2013-09-30 06:50 - 2013-09-30 06:50 - 01030305 _____ (Thisisu) C:\Documents and Settings\Shauna\Desktop\JRT.exe
2013-09-29 23:48 - 2012-07-26 21:55 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB952287$
2013-09-29 23:46 - 2013-09-29 23:33 - 00000000 ____D C:\AdwCleaner
2013-09-29 21:37 - 2013-09-19 21:50 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\Calibre Library
2013-09-29 19:19 - 2013-09-29 19:19 - 01042066 _____ C:\Documents and Settings\Shauna\Desktop\AdwCleaner.exe
2013-09-29 19:08 - 2013-09-29 19:08 - 00010822 _____ C:\Documents and Settings\Shauna\Desktop\attach.txt
2013-09-29 18:58 - 2012-07-12 08:17 - 00000000 ____D C:\Games
2013-09-28 16:42 - 2013-09-18 12:30 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-09-28 16:42 - 2013-05-20 18:34 - 00003727 _____ C:\Program Files\Mozilla Firefoxavg-secure-search.xml
2013-09-28 16:41 - 2013-01-09 16:15 - 00000000 ____D C:\WINDOWS\system32\cache
2013-09-28 16:41 - 2013-01-03 19:32 - 00037664 _____ (AVG Technologies) C:\WINDOWS\system32\Drivers\avgtpx86.sys
2013-09-25 20:30 - 2009-06-14 19:17 - 00000000 ____D C:\WINDOWS\Registration
2013-09-24 15:55 - 2013-06-15 11:59 - 00000284 _____ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2013-09-24 09:40 - 2013-09-24 09:40 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-09-24 09:40 - 2013-09-24 09:40 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-09-24 09:31 - 2013-09-24 09:31 - 00688992 ____R (Swearware) C:\Documents and Settings\Shauna\Desktop\dds.scr
2013-09-24 09:01 - 2013-09-24 09:01 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Documents and Settings\Shauna\Desktop\mbam-setup-1.75.0.1300.exe
2013-09-23 18:02 - 2013-01-03 19:37 - 00000000 ____D C:\Documents and Settings\Shauna\Application Data\mIRC
2013-09-23 04:49 - 2013-05-03 16:22 - 00000000 ____D C:\mIRCa
2013-09-22 20:54 - 2012-07-25 13:36 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\Protection
2013-09-20 13:04 - 2012-07-25 13:17 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-09-20 12:54 - 2008-06-24 21:48 - 00659104 _____ C:\WINDOWS\setupapi.log
2013-09-19 10:53 - 2008-06-24 21:48 - 00001158 _____ C:\WINDOWS\system32\wpa.dbl
2013-09-19 10:50 - 2008-06-24 21:12 - 00001507 _____ C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk
2013-09-19 09:45 - 2012-07-22 20:58 - 00000000 ____D C:\Program Files\HijackThis
2013-09-19 06:29 - 2013-06-15 13:04 - 00000000 ____D C:\Documents and Settings\Shauna\Desktop\calibre & ebook progs
2013-09-17 20:17 - 2013-01-09 17:31 - 00002347 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2013-09-17 20:13 - 2013-09-17 20:13 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
2013-09-17 20:12 - 2012-07-22 22:35 - 00000000 ____D C:\Program Files\Google
2013-09-07 16:40 - 2013-09-07 16:40 - 00000000 ____D C:\Documents and Settings\Shauna\Calibre Library

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Link to post
Share on other sites

Here's the RK report, Mr. C.

 

RogueKiller V8.7.0 [sep 30 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Shauna [Admin rights]
Mode : Scan -- Date : 09/30/2013 13:43:02
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\RunOnce : SpUninstallDeleteDir (rmdir /s /q "C:\Documents and Settings\Shauna\Application Data\SearchProtect" [x]) -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1226193511-2892163551-3241378241-1006\[...]\RunOnce : SpUninstallDeleteDir (rmdir /s /q "C:\Documents and Settings\Shauna\Application Data\SearchProtect" [x]) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][sUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\WINDOWS\TEMP\{377101E5-3795-458E-A2E6-1EA39D6683B9}.exe - --uninstall=1 [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[FF][PROXY] g7yufipz.default : user_pref("network.proxy.type", 4); -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] IRP[DriverStartIo] : atapi.sys -> HOOKED (Unknown @ 0x868F92E2)
[inline] EAT @explorer.exe (??_7?$basic_ostringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@6B@) : MSVCP60.dll -> HOOKED (Unknown @ 0x768381A1)
[inline] EAT @explorer.exe (??_7?$basic_streambuf@GU?$char_traits@G@std@@@std@@6B@) : MSVCP100.dll -> HOOKED (Unknown @ 0x4B7D2083)
[inline] EAT @firefox.exe (_wpgmptr) : MSVCR100.dll -> HOOKED (Unknown @ 0x692DEC70)
[inline] EAT @firefox.exe (??_7?$basic_ostringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@6B@) : MSVCP60.dll -> HOOKED (Unknown @ 0x768381A1)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    www.100888290cs.com
127.0.0.1    100888290cs.com
127.0.0.1    100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ )  -  +++++
--- User ---
[MBR] 4d32227ea6f80138149a3e3352c3b752
[bSP] 44af34bf80aacd4065657a6dc8994ac4 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152616 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 001bae72239183c3812aa2f539227b2b
[bSP] 44af34bf80aacd4065657a6dc8994ac4 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152616 Mo

Finished : << RKreport[0]_S_09302013_134302.txt >>



 

Link to post
Share on other sites

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

 

[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$f82827fb0426f2f4879495aa9a387cdd\U [-] --> FOUND

Now click Delete on the right hand column under Options

-------------

Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.