
RunDLL error/possible infection



Anytime I right-click on any of my files, I get a RunDLL error.  I have already run Malwarebytes and DDS.  Logs are as follows:

 

Malwarebytes:

    (First Run)

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.10.25.02
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Crystal :: CRYSTAL-PC [administrator]
 
Protection: Enabled
 
10/25/2013 2:34:09 AM
mbam-log-2013-10-25 (02-34-09).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 229824
Time elapsed: 12 minute(s), 21 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 14
HKCR\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17} (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0021804.BHO (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0021804.BHO.1 (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0021804.Sandbox (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0021804.Sandbox.1 (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKCU\Software\Cr_Installer\21804 (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider.M) -> Quarantined and deleted successfully.
HKCR\CLSID\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider.M) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440244184404} (PUP.Optional.CrossRider.M) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550255185504} (PUP.Optional.CrossRider.M) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider.M) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider.M) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider.M) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider.M) -> Quarantined and deleted successfully.
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 6
C:\Users\Crystal\AppData\Local\Temp\wajam_install.exe (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
C:\Users\Crystal\Downloads\7zip_installer_d162802.exe (PUP.Optional.InstallIQ.A) -> Quarantined and deleted successfully.
C:\Users\Crystal\Downloads\iLividSetup-r563-n-bc (1).exe (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
C:\Users\Crystal\Downloads\iLividSetup-r563-n-bc.exe (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
C:\Users\Crystal\Downloads\iLividSetupV1.exe (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Coupon Companion Plugin\Coupon Companion Plugin.dll (PUP.Optional.CrossRider.M) -> Quarantined and deleted successfully.
 
(end)
 
Malwarebytes:
(2nd Run after quarantining/deleting)
 
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.10.25.02
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Crystal :: CRYSTAL-PC [administrator]
 
Protection: Enabled
 
10/25/2013 2:51:05 AM
mbam-log-2013-10-25 (02-51-05).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 229351
Time elapsed: 13 minute(s), 25 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 

Attaching the DDS and Attach logs.  Any help would be very much appreciated.  Thank you! :)

 

attach.txt

dds.txt


Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32-bit or 64-bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Kevin..

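The FRST scan requested above produces a long FRST.txt, and the first pass over it is the same few checks every time: which autorun or COM entries load code from a directory a non-admin user can write to, which registrations point at a file that no longer exists (the usual source of a RunDLL "module could not be found" dialog), and which binaries carry no publisher information. The script below is an added example written for this page, not code from the thread, from Malwarebytes or from Farbar; it applies those checks to lines written in FRST's "Registry (Whitelisted)" / "Internet (Whitelisted)" format. The sample lines, the user name Alice, the GUIDs and every path in them are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on FRST's output format. None of these
# GUIDs, paths or names come from a real scan; they exist only to exercise the checks.
SAMPLE_FRST_LINES = r"""
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1356240 2013-08-12] (Microsoft Corporation)
HKLM\...\Run: [audiocpl] - C:\Program Files\ExampleAudio\AudioCpl.exe [307768 2010-04-28] ()
HKCU\...\Run: [updchk] - C:\Users\Alice\AppData\Local\Temp\kx92\updchk.exe [22016 2013-10-20] ()
HKCU\...000000000001\InprocServer32: [Default-shell32] C:\Users\Alice\AppData\Local\Temp\qpwo\ritu\wow64.dll ATTENTION! ====> ZeroAccess?
BHO-x32: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files (x86)\Example\helper.dll ()
Toolbar: HKCU - No Name - {00000000-0000-0000-0000-000000000003} -  No File
MountPoints2: {00000000-0000-0000-0000-000000000004} - E:\setup.exe -a
"""

# First Windows path on the line that ends in an executable extension. Parentheses are
# allowed inside the path because "Program Files (x86)" is a legitimate component.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\[\]]*?\.(?:dll|exe|scr|cpl))\b", re.I)

# Directories a standard user (and therefore user-level malware) can write to.
# Legitimate shell extensions, services and drivers are not installed here.
USER_WRITABLE_RE = re.compile(r"\\Temp\\|\\\$Recycle\.Bin\\|\\Users\\Public\\", re.I)

# Line prefixes FRST uses for things that start automatically.
AUTORUN_PREFIXES = ("hklm", "hkcu", "startup:", "shortcuttarget:")


@dataclass
class Finding:
    line: str
    path: Optional[str]
    reasons: List[str]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one FRST line, or None if nothing on it looks wrong."""
    s = line.strip()
    if not s:
        return None
    low = s.lower()
    m = PATH_RE.search(s)
    path = m.group(1) if m else None
    reasons: List[str] = []

    # A per-user (HKCU\Software\Classes) CLSID registration shadows the machine-wide one
    # for medium-integrity processes such as Explorer, so a DLL registered here is loaded
    # into whichever process instantiates that CLSID. A DLL under Temp in that slot is the
    # COM hijack pattern; it also explains shell errors once the DLL has been deleted.
    if "inprocserver32" in low and path and USER_WRITABLE_RE.search(path):
        reasons.append("COM hijack pattern: InprocServer32 loads a DLL from a user-writable directory")
    elif path and USER_WRITABLE_RE.search(path) and low.startswith(AUTORUN_PREFIXES):
        reasons.append("autorun entry launches from a user-writable directory")

    if low.startswith("mountpoints2:") and path and path.lower().endswith("setup.exe"):
        reasons.append("MountPoints2 autorun command for removable media; confirm what the drive is")

    if "no file" in low:
        reasons.append("registration points at a file that no longer exists (orphaned entry)")

    # FRST prints "()" when the binary has no version/company resource. Low signal on its
    # own (plenty of OEM utilities lack it) but worth a look when combined with the above.
    if path and s.endswith("()"):
        reasons.append("binary carries no embedded publisher information (low signal)")

    if "attention!" in low:
        reasons.append("FRST itself marked this line")

    return Finding(s, path, reasons) if reasons else None


def triage(text: str) -> List[Finding]:
    """Run triage_line over every line of an FRST-style log and keep the hits."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def high_confidence(findings: List[Finding]) -> List[Finding]:
    """The subset a responder deals with first: code loading from user-writable locations."""
    return [f for f in findings if any("user-writable" in r for r in f.reasons)]


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run against real FRST.txt output with `triage(open("FRST.txt", encoding="utf-8", errors="replace").read())`; the high-confidence list is what goes into a fix script, the rest is context. The checks are deliberately narrow (Temp, the recycle bin and Users\Public rather than all of AppData) so that per-user but legitimate installers such as browser updaters do not drown the real hits.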

Crap.  Looks like I have a virus called Alureon according to the log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-10-2013
Ran by Crystal (administrator) on CRYSTAL-PC on 25-10-2013 08:50:48
Running from C:\Users\Crystal\Downloads
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(Logitech Inc.) C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Nero AG) C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe
(Microsoft Corporation) C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
(LeapFrog Enterprises, Inc.) C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
() C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
() C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(TOSHIBA Corporation) C:\Windows\system32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\TecoService.exe
(Tablet Driver) C:\windows\System32\Drivers\WTSRV.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Yahoo! Inc.) C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\windows\System32\alg.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
(Intel Corporation) C:\windows\system32\igfxsrvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\Teco.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Compete, Inc.) C:\Program Files (x86)\Upromise\dca-ua.exe
(TOSHIBA Corporation) C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
(LeapFrog Enterprises, Inc.) C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
(Tablet Driver) C:\Windows\SysWOW64\WTClient.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
(Intel Corporation) C:\windows\system32\igfxext.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(TOSHIBA Corporation) C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [] - [x]
HKLM\...\Run: [HotKeysCmds] - C:\windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [cAudioFilterAgent] - C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
HKLM\...\Run: [smartAudio] - C:\Program Files\CONEXANT\SAII\SAIICpl.exe [307768 2010-04-28] ()
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [505696 2009-11-06] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] - C:\Program Files\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [smoothView] - C:\Program Files\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [913720 2010-03-03] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] - C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] - C:\Program Files\TOSHIBA\TECO\Teco.exe [1483776 2010-02-25] (TOSHIBA Corporation)
HKLM\...\Run: [smartFaceVWatcher] - C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] - C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] - C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1356240 2013-08-12] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKCU\...\Run: [upromise Update] - C:\Program Files (x86)\Upromise\dca-ua.exe [267584 2011-08-04] (Compete, Inc.)
HKCU\...\Runonce: [uninstall C:\Users\Crystal\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64] - C:\windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Crystal\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64"
HKCU\...\Runonce: [uninstall C:\Users\Crystal\AppData\Local\Microsoft\SkyDrive\17.0.2006.0314\amd64] - C:\windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Crystal\AppData\Local\Microsoft\SkyDrive\17.0.2006.0314\amd64"
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Crystal\AppData\Local\Temp\smoenbn\srufbfw\wow64.dll ATTENTION! ====> ZeroAccess?
MountPoints2: {05bf78ea-af7e-11e1-94ab-60eb698032a0} - E:\setup.exe -a
HKLM-x32\...\Run: [ToshibaServiceStation] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1294712 2010-11-29] (TOSHIBA Corporation)
HKLM-x32\...\Run: [TWebCamera] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [Monitor] - C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe [103936 2013-06-26] (LeapFrog Enterprises, Inc.)
HKLM-x32\...\Run: [WTClient] - C:\Windows\\SysWOW64\WTClient.exe [32768 2009-10-30] (Tablet Driver)
HKLM-x32\...\Run: [brMfcWnd] - C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [ControlCenter3] - C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {AB86EC7A-DF4C-4123-BB40-78350E28D272} URL = 
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: TBSB09676 Class - {43DB327E-57DF-4D92-BECC-595D113BF217} - C:\Program Files (x86)\TypoBounty ToolBar\tbcore3.dll ()
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: DCA BHO - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files (x86)\Upromise\dca-bho.dll (Compete, Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Upromise TurboSaver - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - C:\Program Files (x86)\Upromise\upromisetoolbar.dll (Upromise, Inc.)
BHO-x32: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll (<TOSHIBA>)
BHO-x32: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
Toolbar: HKLM-x32 - Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files (x86)\Upromise\upromisetoolbar.dll (Upromise, Inc.)
Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
Toolbar: HKLM-x32 - TypoBounty ToolBar - {BF3B82CD-2680-43D7-9952-A6BA714687FC} - C:\Program Files (x86)\TypoBounty ToolBar\tbcore3.dll ()
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {06E58E5E-F8CB-4049-991E-A41C03BD419E} -  No File
Toolbar: HKCU - No Name - {BF3B82CD-2680-43D7-9952-A6BA714687FC} -  No File
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: HKLM-x32 {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/distribution/alternatiff-ax-w32-2.0.4.cab
DPF: HKLM-x32 {18C3FD15-74F6-4280-9C98-3590C966B7B8} http://www.worldwinner.com/games/v47/skillgam/skillgam.cab
DPF: HKLM-x32 {1A1F56AA-3401-46F9-B277-D57F3421F821} http://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: HKLM-x32 {2C153C75-8476-434B-B3C3-57B63A3D1939} http://www.worldwinner.com/games/v48/brickout/brickout.cab
DPF: HKLM-x32 {555F1BBC-6EC2-474F-84AF-633EF097FF54} http://www.worldwinner.com/games/v53/wwhearts/wwhearts.cab
DPF: HKLM-x32 {61900274-3323-4446-BDCD-91548D32AF1B} http://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab
DPF: HKLM-x32 {64CD313F-F079-4D93-959F-4D28B5519449} http://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: HKLM-x32 {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} http://www.worldwinner.com/games/v41/freecell/freecell.cab
DPF: HKLM-x32 {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: HKLM-x32 {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} http://www.worldwinner.com/games/launcher/ie/v2.23.01.0/iewwload.cab
DPF: HKLM-x32 {A021A215-6CDC-44B4-8C16-90491CED9605} http://www.worldwinner.com/games/v68/clue/clue.cab
DPF: HKLM-x32 {BB637307-92FA-47EC-B3F7-6969078673CC} http://www.worldwinner.com/games/v45/royal/royal.cab
DPF: HKLM-x32 {C5326A4D-E9AA-40AD-A09A-E74304D86B47} http://www.worldwinner.com/games/v52/dinerdash/dinerdash.cab
DPF: HKLM-x32 {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} http://www.worldwinner.com/games/v43/paint/paint.cab
DPF: HKLM-x32 {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} http://www.worldwinner.com/games/v44/golfsol/golfsol.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} http://www.worldwinner.com/games/v54/wwspades/wwspades.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
 
FireFox:
========
FF ProfilePath: C:\Users\Crystal\AppData\Roaming\Mozilla\Firefox\Profiles\t5tkduri.default
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 - C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Extension: No Name - C:\Users\Crystal\AppData\Roaming\Mozilla\Firefox\Profiles\t5tkduri.default\Extensions\extension21804@extension21804.com
FF Extension: Greasemonkey - C:\Users\Crystal\AppData\Roaming\Mozilla\Firefox\Profiles\t5tkduri.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
 
Chrome: 
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.89\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\pdf.dll ()
CHR Plugin: (Skype Toolbars) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.9.0.9216_0\npSkypeChromePlugin.dll (Skype Technologies S.A.)
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (DivX Web Player) - C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Java Platform SE 6 U31) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (Windows Live\u00AE Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
CHR Extension: (Google Drive) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Add to Amazon Wish List) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciagpekplgpbepdgggflgmahnjgiaced\1.0.0.10_0
CHR Extension: (Google Search) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Raindrops(Non-Aero)) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpagcfbbmlebfnkeogkigellbgmfkjfg\1.0.0.2_0
CHR Extension: (Pandora) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbangkleohkafngihneedemihgfeikcl\1.0_0
CHR Extension: (MagicScroll eBook Reader) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgnmgfdoiplfmhgghbmlphanpfmjble\3.0_0
CHR Extension: (Facebook Video) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfampnnghmhngkollbpnnlgdbmjipidk\2.2.6_0
CHR Extension: (Skype Click to Call) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.9.0.9216_0
CHR Extension: (ICE Quick Stream) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\mapljocpedaolbooelchgnkkaplpadgp\4.94_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
CHR Extension: (Gmail) - C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx
 
==================== Services (Whitelisted) =================
 
S3 COMSysApp; C:\Windows\SysWow64\dllhost.exe [7168 2009-07-13] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MotoHelper; C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [223088 2011-04-26] ()
S3 msiserver; C:\Windows\SysWow64\msiexec.exe [73216 2010-11-20] (Microsoft Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-08-12] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366600 2013-08-12] (Microsoft Corporation)
R2 WSearch; C:\Windows\SysWow64\SearchIndexer.exe [427520 2011-05-03] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [247216 2013-06-18] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [139616 2013-06-18] (Microsoft Corporation)
S3 RTL8192cu; C:\Windows\System32\DRIVERS\RTL8192cu.sys [748648 2010-08-12] (Realtek Semiconductor Corporation                           )
S3 Tablet2k; "%SystemRoot%\System32\Drivers\Tablet2k.sys" [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-25 08:49 - 2013-10-25 08:49 - 00000000 ____D C:\FRST
2013-10-25 08:48 - 2013-10-25 08:48 - 01955412 _____ (Farbar) C:\Users\Crystal\Downloads\FRST64.exe
2013-10-25 03:08 - 2013-10-25 03:08 - 00012093 _____ C:\Users\Crystal\Desktop\attach.txt
2013-10-25 03:08 - 2013-10-25 03:07 - 00026231 _____ C:\Users\Crystal\Desktop\dds.txt
2013-10-25 03:05 - 2013-10-25 03:05 - 00688992 ____R (Swearware) C:\Users\Crystal\Downloads\dds.scr
2013-10-25 02:32 - 2013-10-25 02:32 - 00001124 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-25 02:32 - 2013-10-25 02:32 - 00000000 ____D C:\Users\Crystal\AppData\Roaming\Malwarebytes
2013-10-25 02:32 - 2013-10-25 02:32 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-25 02:32 - 2013-10-25 02:32 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-25 02:32 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
2013-10-25 02:31 - 2013-10-25 02:31 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Crystal\Downloads\mbam-setup-1.75.0.1300.exe
2013-10-25 02:07 - 2013-10-25 02:13 - 00000000 ____D C:\Users\Crystal\Documents\Holly's Stuff
2013-10-25 01:54 - 2013-10-25 02:12 - 00000000 ____D C:\Users\Crystal\Documents\IDs
2013-10-25 01:48 - 2013-10-25 01:48 - 00000000 ____D C:\Users\Crystal\Documents\Inventions
2013-10-25 01:38 - 2013-10-25 02:15 - 00000000 ____D C:\Users\Crystal\Documents\Businesses
2013-10-25 01:36 - 2013-10-25 02:18 - 00000000 ____D C:\Users\Crystal\Documents\Parenting
2013-10-25 01:30 - 2013-10-25 01:30 - 00000000 ____D C:\Users\Crystal\Documents\Goals And Visions
2013-10-25 01:29 - 2013-10-25 01:38 - 00000000 ____D C:\Users\Crystal\Documents\Logins
2013-10-25 01:27 - 2013-10-25 02:16 - 00000000 ____D C:\Users\Crystal\Documents\Ever's Stuff
2013-10-25 01:26 - 2013-10-25 02:19 - 00000000 ____D C:\Users\Crystal\Documents\Resumes Cover Letters Past Jobs
2013-10-25 01:26 - 2013-10-25 02:18 - 00000000 ____D C:\Users\Crystal\Documents\Financial Docs
2013-10-25 01:24 - 2013-10-25 01:48 - 00000000 ____D C:\Users\Crystal\Documents\Cars
2013-10-25 01:21 - 2013-10-25 02:16 - 00000000 ____D C:\Users\Crystal\Documents\Crystal's Stuff
2013-10-22 23:01 - 2013-10-22 23:01 - 04633819 _____ C:\Users\Crystal\Downloads\DiaperPinning.wmv
2013-10-14 10:46 - 2013-09-22 18:28 - 01767936 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2013-10-14 10:46 - 2013-09-22 18:28 - 01141248 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2013-10-14 10:46 - 2013-09-22 18:27 - 14335488 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2013-10-14 10:46 - 2013-09-22 18:27 - 13761024 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2013-10-14 10:46 - 2013-09-22 18:27 - 02876928 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2013-10-14 10:46 - 2013-09-22 18:27 - 02048512 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2013-10-14 10:46 - 2013-09-22 18:27 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2013-10-14 10:46 - 2013-09-22 18:27 - 00493056 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2013-10-14 10:46 - 2013-09-22 18:27 - 00391168 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2013-10-14 10:46 - 2013-09-22 18:27 - 00109056 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesysprep.dll
2013-10-14 10:46 - 2013-09-22 18:27 - 00061440 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2013-10-14 10:46 - 2013-09-22 18:27 - 00039424 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2013-10-14 10:46 - 2013-09-22 18:27 - 00033280 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2013-10-14 10:46 - 2013-09-22 17:55 - 02241024 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2013-10-14 10:46 - 2013-09-22 17:55 - 01365504 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2013-10-14 10:46 - 2013-09-22 17:55 - 00051712 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2013-10-14 10:46 - 2013-09-22 17:54 - 19252224 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2013-10-14 10:46 - 2013-09-22 17:54 - 15404544 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2013-10-14 10:46 - 2013-09-22 17:54 - 03959296 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2013-10-14 10:46 - 2013-09-22 17:54 - 02647552 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2013-10-14 10:46 - 2013-09-22 17:54 - 00855552 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2013-10-14 10:46 - 2013-09-22 17:54 - 00603136 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2013-10-14 10:46 - 2013-09-22 17:54 - 00526336 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2013-10-14 10:46 - 2013-09-22 17:54 - 00136704 _____ (Microsoft Corporation) C:\windows\system32\iesysprep.dll
2013-10-14 10:46 - 2013-09-22 17:54 - 00067072 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2013-10-14 10:46 - 2013-09-22 17:54 - 00053248 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2013-10-14 10:46 - 2013-09-22 17:54 - 00039936 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2013-10-14 10:46 - 2013-09-20 22:38 - 02706432 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2013-10-14 10:46 - 2013-09-20 22:30 - 02706432 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2013-10-14 10:46 - 2013-09-20 21:48 - 00089600 _____ (Microsoft Corporation) C:\windows\system32\RegisterIEPKEYs.exe
2013-10-14 10:46 - 2013-09-20 21:39 - 00071680 _____ (Microsoft Corporation) C:\windows\SysWOW64\RegisterIEPKEYs.exe
2013-10-10 22:35 - 2013-10-10 22:35 - 00000000 ____D C:\563025a9fa4333d65de1dbbc5f536a
2013-10-09 23:02 - 2013-09-07 21:30 - 01903552 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tcpip.sys
2013-10-09 23:02 - 2013-07-12 05:41 - 00185344 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbvideo.sys
2013-10-09 23:02 - 2013-07-12 05:41 - 00100864 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbcir.sys
2013-10-09 23:02 - 2013-07-12 05:40 - 00109824 _____ (Microsoft Corporation) C:\windows\system32\Drivers\USBAUDIO.sys
2013-10-09 23:02 - 2013-07-04 07:57 - 00259584 _____ (Microsoft Corporation) C:\windows\system32\WebClnt.dll
2013-10-09 23:02 - 2013-07-04 07:50 - 00633856 _____ (Microsoft Corporation) C:\windows\system32\comctl32.dll
2013-10-09 23:02 - 2013-07-04 07:50 - 00102400 _____ (Microsoft Corporation) C:\windows\system32\davclnt.dll
2013-10-09 23:02 - 2013-07-04 06:57 - 00205824 _____ (Microsoft Corporation) C:\windows\SysWOW64\WebClnt.dll
2013-10-09 23:02 - 2013-07-04 06:51 - 00081920 _____ (Microsoft Corporation) C:\windows\SysWOW64\davclnt.dll
2013-10-09 23:02 - 2013-07-04 06:50 - 00530432 _____ (Microsoft Corporation) C:\windows\SysWOW64\comctl32.dll
2013-10-09 23:02 - 2013-07-04 05:11 - 00140800 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxdav.sys
2013-10-09 23:02 - 2013-07-02 23:05 - 00076800 _____ (Microsoft Corporation) C:\windows\system32\Drivers\hidclass.sys
2013-10-09 23:02 - 2013-07-02 23:05 - 00032896 _____ (Microsoft Corporation) C:\windows\system32\Drivers\hidparse.sys
2013-10-09 23:02 - 2013-06-25 17:55 - 00785624 _____ (Microsoft Corporation) C:\windows\system32\Drivers\Wdf01000.sys
2013-10-09 23:02 - 2013-06-06 00:50 - 00041472 _____ (Microsoft Corporation) C:\windows\system32\lpk.dll
2013-10-09 23:02 - 2013-06-06 00:49 - 00100864 _____ (Microsoft Corporation) C:\windows\system32\fontsub.dll
2013-10-09 23:02 - 2013-06-06 00:49 - 00014336 _____ (Microsoft Corporation) C:\windows\system32\dciman32.dll
2013-10-09 23:02 - 2013-06-06 00:47 - 00046080 _____ (Adobe Systems) C:\windows\system32\atmlib.dll
2013-10-09 23:02 - 2013-06-05 23:57 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\lpk.dll
2013-10-09 23:02 - 2013-06-05 23:51 - 00070656 _____ (Microsoft Corporation) C:\windows\SysWOW64\fontsub.dll
2013-10-09 23:02 - 2013-06-05 23:50 - 00010240 _____ (Microsoft Corporation) C:\windows\SysWOW64\dciman32.dll
2013-10-09 23:02 - 2013-06-05 22:30 - 00368128 _____ (Adobe Systems Incorporated) C:\windows\system32\atmfd.dll
2013-10-09 23:02 - 2013-06-05 22:01 - 00295424 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\atmfd.dll
2013-10-09 23:02 - 2013-06-05 22:01 - 00034304 _____ (Adobe Systems) C:\windows\SysWOW64\atmlib.dll
2013-10-09 23:01 - 2013-09-13 20:10 - 00497152 _____ (Microsoft Corporation) C:\windows\system32\Drivers\afd.sys
2013-10-09 23:01 - 2013-09-07 21:27 - 00327168 _____ (Microsoft Corporation) C:\windows\system32\mswsock.dll
2013-10-09 23:01 - 2013-09-07 21:03 - 00231424 _____ (Microsoft Corporation) C:\windows\SysWOW64\mswsock.dll
2013-10-09 23:01 - 2013-08-28 21:17 - 05549504 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2013-10-09 23:01 - 2013-08-28 21:16 - 01732032 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2013-10-09 23:01 - 2013-08-28 21:16 - 00859648 _____ (Microsoft Corporation) C:\windows\system32\tdh.dll
2013-10-09 23:01 - 2013-08-28 21:16 - 00243712 _____ (Microsoft Corporation) C:\windows\system32\wow64.dll
2013-10-09 23:01 - 2013-08-28 21:13 - 00878080 _____ (Microsoft Corporation) C:\windows\system32\advapi32.dll
2013-10-09 23:01 - 2013-08-28 20:51 - 03969472 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2013-10-09 23:01 - 2013-08-28 20:51 - 03914176 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2013-10-09 23:01 - 2013-08-28 20:50 - 01292192 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
2013-10-09 23:01 - 2013-08-28 20:50 - 00619520 _____ (Microsoft Corporation) C:\windows\SysWOW64\tdh.dll
2013-10-09 23:01 - 2013-08-28 20:50 - 00005120 _____ (Microsoft Corporation) C:\windows\SysWOW64\wow32.dll
2013-10-09 23:01 - 2013-08-28 20:48 - 00640512 _____ (Microsoft Corporation) C:\windows\SysWOW64\advapi32.dll
2013-10-09 23:01 - 2013-08-28 19:49 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\setup16.exe
2013-10-09 23:01 - 2013-08-28 19:49 - 00014336 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntvdm64.dll
2013-10-09 23:01 - 2013-08-28 19:49 - 00007680 _____ (Microsoft Corporation) C:\windows\SysWOW64\instnm.exe
2013-10-09 23:01 - 2013-08-28 19:49 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\user.exe
2013-10-09 23:01 - 2013-08-27 20:21 - 03155968 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2013-10-09 23:01 - 2013-08-27 20:12 - 00461312 _____ (Microsoft Corporation) C:\windows\system32\scavengeui.dll
2013-10-09 23:01 - 2013-08-01 07:09 - 00983488 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgkrnl.sys
2013-10-09 23:01 - 2013-07-20 05:33 - 00124112 _____ (Microsoft Corporation) C:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-10-09 23:01 - 2013-07-20 05:33 - 00102608 _____ (Microsoft Corporation) C:\windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2013-10-07 02:30 - 2013-10-07 02:30 - 00017209 _____ C:\Users\Crystal\Desktop\N64 List.odt
2013-10-04 21:52 - 2013-10-04 21:52 - 00000000 ____D C:\Users\Crystal\AppData\Roaming\Windows Live Writer
2013-10-04 21:52 - 2013-10-04 21:52 - 00000000 ____D C:\Users\Crystal\AppData\Local\Windows Live Writer
 
==================== One Month Modified Files and Folders =======
 
2013-10-25 08:49 - 2013-10-25 08:49 - 00000000 ____D C:\FRST
2013-10-25 08:48 - 2013-10-25 08:48 - 01955412 _____ (Farbar) C:\Users\Crystal\Downloads\FRST64.exe
2013-10-25 08:48 - 2010-10-25 12:47 - 01077775 _____ C:\windows\WindowsUpdate.log
2013-10-25 03:18 - 2010-09-09 21:09 - 00000912 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-25 03:08 - 2013-10-25 03:08 - 00012093 _____ C:\Users\Crystal\Desktop\attach.txt
2013-10-25 03:07 - 2013-10-25 03:08 - 00026231 _____ C:\Users\Crystal\Desktop\dds.txt
2013-10-25 03:05 - 2013-10-25 03:05 - 00688992 ____R (Swearware) C:\Users\Crystal\Downloads\dds.scr
2013-10-25 02:57 - 2009-07-13 23:45 - 00015792 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-25 02:57 - 2009-07-13 23:45 - 00015792 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-25 02:49 - 2012-04-29 22:49 - 00000437 _____ C:\windows\system32\Drivers\etc\hosts.ics
2013-10-25 02:49 - 2010-09-09 21:09 - 00000908 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-25 02:49 - 2009-07-14 00:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2013-10-25 02:49 - 2009-07-13 23:51 - 00079451 _____ C:\windows\setupact.log
2013-10-25 02:48 - 2010-09-09 21:28 - 00265552 _____ C:\windows\PFRO.log
2013-10-25 02:32 - 2013-10-25 02:32 - 00001124 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-25 02:32 - 2013-10-25 02:32 - 00000000 ____D C:\Users\Crystal\AppData\Roaming\Malwarebytes
2013-10-25 02:32 - 2013-10-25 02:32 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-25 02:32 - 2013-10-25 02:32 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-25 02:31 - 2013-10-25 02:31 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Crystal\Downloads\mbam-setup-1.75.0.1300.exe
2013-10-25 02:19 - 2013-10-25 01:26 - 00000000 ____D C:\Users\Crystal\Documents\Resumes Cover Letters Past Jobs
2013-10-25 02:18 - 2013-10-25 01:36 - 00000000 ____D C:\Users\Crystal\Documents\Parenting
2013-10-25 02:18 - 2013-10-25 01:26 - 00000000 ____D C:\Users\Crystal\Documents\Financial Docs
2013-10-25 02:16 - 2013-10-25 01:27 - 00000000 ____D C:\Users\Crystal\Documents\Ever's Stuff
2013-10-25 02:16 - 2013-10-25 01:21 - 00000000 ____D C:\Users\Crystal\Documents\Crystal's Stuff
2013-10-25 02:15 - 2013-10-25 01:38 - 00000000 ____D C:\Users\Crystal\Documents\Businesses
2013-10-25 02:13 - 2013-10-25 02:07 - 00000000 ____D C:\Users\Crystal\Documents\Holly's Stuff
2013-10-25 02:12 - 2013-10-25 01:54 - 00000000 ____D C:\Users\Crystal\Documents\IDs
2013-10-25 01:48 - 2013-10-25 01:48 - 00000000 ____D C:\Users\Crystal\Documents\Inventions
2013-10-25 01:48 - 2013-10-25 01:24 - 00000000 ____D C:\Users\Crystal\Documents\Cars
2013-10-25 01:40 - 2012-12-26 11:00 - 00000000 ____D C:\Users\Crystal\Documents\My Media
2013-10-25 01:38 - 2013-10-25 01:29 - 00000000 ____D C:\Users\Crystal\Documents\Logins
2013-10-25 01:32 - 2013-09-16 14:09 - 00000000 ____D C:\Users\Crystal\AppData\Local\Windows Live
2013-10-25 01:30 - 2013-10-25 01:30 - 00000000 ____D C:\Users\Crystal\Documents\Goals And Visions
2013-10-25 01:28 - 2012-01-04 22:01 - 00000000 ____D C:\Users\Crystal\Documents\Geneaology
2013-10-22 23:01 - 2013-10-22 23:01 - 04633819 _____ C:\Users\Crystal\Downloads\DiaperPinning.wmv
2013-10-20 19:42 - 2009-07-13 22:20 - 00000000 ____D C:\windows\rescache
2013-10-20 18:50 - 2009-07-14 00:13 - 00814988 _____ C:\windows\system32\PerfStringBackup.INI
2013-10-20 17:49 - 2013-08-30 12:00 - 00000000 ____D C:\Users\Crystal\Desktop\Selling AugSept 2013
2013-10-18 17:12 - 2012-05-27 22:45 - 00071953 _____ C:\Users\Crystal\Desktop\Ever's Arcade -- Master Spreadsheet.ods
2013-10-17 19:40 - 2012-02-01 00:22 - 00000000 ____D C:\windows\System32\Tasks\NCH Software
2013-10-16 15:58 - 2009-07-13 23:45 - 00434704 _____ C:\windows\system32\FNTCACHE.DAT
2013-10-16 15:56 - 2011-01-14 09:01 - 00000000 ____D C:\Users\Crystal\AppData\Roaming\SoftGrid Client
2013-10-16 07:47 - 2012-10-01 16:03 - 00002155 _____ C:\windows\epplauncher.mif
2013-10-16 07:46 - 2012-10-01 16:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-10-16 07:46 - 2012-10-01 16:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-10-14 10:49 - 2011-05-30 03:01 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-10-11 23:24 - 2009-07-14 00:08 - 00032580 _____ C:\windows\Tasks\SCHEDLGU.TXT
2013-10-11 23:19 - 2012-05-16 05:01 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-11 23:19 - 2012-05-16 05:01 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-10-10 22:35 - 2013-10-10 22:35 - 00000000 ____D C:\563025a9fa4333d65de1dbbc5f536a
2013-10-10 22:33 - 2011-01-14 09:01 - 00809204 _____ C:\windows\SysWOW64\PerfStringBackup.INI
2013-10-10 22:26 - 2013-08-15 08:51 - 00000000 ____D C:\windows\system32\MRT
2013-10-10 22:22 - 2012-06-10 11:07 - 80541720 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2013-10-08 15:13 - 2010-09-09 21:09 - 00003908 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-08 15:13 - 2010-09-09 21:09 - 00003656 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-07 02:30 - 2013-10-07 02:30 - 00017209 _____ C:\Users\Crystal\Desktop\N64 List.odt
2013-10-04 21:52 - 2013-10-04 21:52 - 00000000 ____D C:\Users\Crystal\AppData\Roaming\Windows Live Writer
2013-10-04 21:52 - 2013-10-04 21:52 - 00000000 ____D C:\Users\Crystal\AppData\Local\Windows Live Writer
2013-10-01 00:50 - 2011-01-01 22:59 - 00000000 ____D C:\Users\Crystal\Documents\ControlCenter3
 
Alureon:
C:\Users\Crystal\AppData\Local\Temp\smoenbn\srufbfw\wow64.dll
 
Files to move or delete:
====================
C:\Windows\Tasks\{43F0CD0C-B58D-456B-A12B-17378F463E8B}.job
 
 
Some content of TEMP:
====================
C:\Users\Crystal\AppData\Local\Temp\ccittfax2.exe
C:\Users\Crystal\AppData\Local\Temp\fllxl337.dll
C:\Users\Crystal\AppData\Local\Temp\freetype.exe
C:\Users\Crystal\AppData\Local\Temp\libjpeg.exe
C:\Users\Crystal\AppData\Local\Temp\MML_Installer-v1.5.2060.2_signed.exe
C:\Users\Crystal\AppData\Local\Temp\mp3el2.exe
C:\Users\Crystal\AppData\Local\Temp\MyPublishersetup-USD-en-US.exe
C:\Users\Crystal\AppData\Local\Temp\pixsetup.exe
C:\Users\Crystal\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Crystal\AppData\Local\Temp\upromiseupdate.exe
C:\Users\Crystal\AppData\Local\Temp\vpsetup.exe
C:\Users\Crystal\AppData\Local\Temp\x264enc2.exe
C:\Users\Crystal\AppData\Local\Temp\zlib1.exe
C:\Users\Crystal\AppData\Local\Temp\_is34B0.exe
C:\Users\Crystal\AppData\Local\Temp\_is4318.exe
C:\Users\Crystal\AppData\Local\Temp\_is4BED.exe
C:\Users\Crystal\AppData\Local\Temp\{FF99938B-77C5-4a24-8B17-2056918BC20F}-UpromiseUpdate.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-10-20 19:34
 
==================== End Of Log ============================
 
 
 
Also attaching the Addition log.  Thanks so much for your quick reply and help.  Not sure where to go from here.
 
-Crystal

Addition.txt


Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.


The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Run Malwarebytes: Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware.

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the logs in your next reply.

 

Kevin

fixlist.txt


Fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-10-2013
Ran by Crystal at 2013-10-25 09:21:39 Run:1
Running from C:\Users\Crystal\Downloads
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
Start
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Crystal\AppData\Local\Temp\smoenbn\srufbfw\wow64.dll ATTENTION! ====> ZeroAccess?
MountPoints2: {05bf78ea-af7e-11e1-94ab-60eb698032a0} - E:\setup.exe -a
S3 Tablet2k; "%SystemRoot%\System32\Drivers\Tablet2k.sys" [x]
C:\Users\Crystal\AppData\Local\Temp\smoenbn\srufbfw\wow64.dll
C:\Windows\Tasks\{43F0CD0C-B58D-456B-A12B-17378F463E8B}.job
C:\Users\Crystal\AppData\Local\Temp\ccittfax2.exe
C:\Users\Crystal\AppData\Local\Temp\fllxl337.dll
C:\Users\Crystal\AppData\Local\Temp\freetype.exe
C:\Users\Crystal\AppData\Local\Temp\libjpeg.exe
C:\Users\Crystal\AppData\Local\Temp\MML_Installer-v1.5.2060.2_signed.exe
C:\Users\Crystal\AppData\Local\Temp\mp3el2.exe
C:\Users\Crystal\AppData\Local\Temp\MyPublishersetup-USD-en-US.exe
C:\Users\Crystal\AppData\Local\Temp\pixsetup.exe
C:\Users\Crystal\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Crystal\AppData\Local\Temp\upromiseupdate.exe
C:\Users\Crystal\AppData\Local\Temp\vpsetup.exe
C:\Users\Crystal\AppData\Local\Temp\x264enc2.exe
C:\Users\Crystal\AppData\Local\Temp\zlib1.exe
C:\Users\Crystal\AppData\Local\Temp\_is34B0.exe
C:\Users\Crystal\AppData\Local\Temp\_is4318.exe
C:\Users\Crystal\AppData\Local\Temp\_is4BED.exe
C:\Users\Crystal\AppData\Local\Temp\{FF99938B-77C5-4a24-8B17-2056918BC20F}-UpromiseUpdate.exe
Task: {08110383-B567-4152-B6D8-1A2314D8485D} - System32\Tasks\Updater21804.exe => C:\Users\Crystal\AppData\Local\Updater21804\Updater21804.exe [2013-01-06] (FileProperties_CompanyName)
AlternateDataStreams: C:\ProgramData\TEMP:0DACB2B7
End
 
 
 
*****************
 
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key deleted successfully. If the key returned, move the associated file, reboot and list the key for deletion.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05bf78ea-af7e-11e1-94ab-60eb698032a0} => Key deleted successfully.
HKCR\CLSID\{05bf78ea-af7e-11e1-94ab-60eb698032a0} => Key not found.
Tablet2k => Service deleted successfully.
C:\Users\Crystal\AppData\Local\Temp\smoenbn\srufbfw\wow64.dll => Moved successfully.
C:\Windows\Tasks\{43F0CD0C-B58D-456B-A12B-17378F463E8B}.job => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\ccittfax2.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\fllxl337.dll => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\freetype.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\libjpeg.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\MML_Installer-v1.5.2060.2_signed.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\mp3el2.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\MyPublishersetup-USD-en-US.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\pixsetup.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\upromiseupdate.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\vpsetup.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\x264enc2.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\zlib1.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\_is34B0.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\_is4318.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\_is4BED.exe => Moved successfully.
C:\Users\Crystal\AppData\Local\Temp\{FF99938B-77C5-4a24-8B17-2056918BC20F}-UpromiseUpdate.exe => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{08110383-B567-4152-B6D8-1A2314D8485D} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{08110383-B567-4152-B6D8-1A2314D8485D} => Key deleted successfully.
C:\Windows\System32\Tasks\Updater21804.exe => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updater21804.exe => Key deleted successfully.
C:\ProgramData\TEMP => ":0DACB2B7" ADS removed successfully.
 
==== End of Fixlog ====
 
Malwarebytes didn't find anything:
 
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.10.25.04
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Crystal :: CRYSTAL-PC [administrator]
 
Protection: Enabled
 
10/25/2013 9:25:20 AM
mbam-log-2013-10-25 (09-25-20).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 229698
Time elapsed: 6 minute(s), 11 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
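The first entry in the fixlist above is an InprocServer32 value under HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} that pointed at a DLL in the user's Temp folder, which FRST flagged as a possible ZeroAccess COM hijack. The mechanism is worth being able to check by hand: Windows builds HKEY_CLASSES_ROOT by merging the user's HKCU\Software\Classes over HKLM\Software\Classes, so a per-user InprocServer32 silently replaces the machine-wide DLL for every process that user runs that instantiates the class, without touching anything that needs administrator rights. The Python below is an added example (not part of this thread, and not FRST's or Malwarebytes' code) that parses two reg.exe exports and reports HKCU overrides which either shadow an HKLM registration or point into a user-writable directory. The sample exports embedded in it are constructed: the HKCU entry reuses the key and path from the fixlist, the HKLM value (shell32.dll stored as REG_EXPAND_SZ) and the second, benign CLSID are invented for the example, and the list of suspicious directories is an assumption to tune for your own machines.

```python
r"""Flag per-user (HKCU) COM InprocServer32 overrides that point into user-writable paths.
Input is two reg.exe exports taken on the suspect machine (real reg.exe syntax, file names mine):
    reg export HKCU\Software\Classes\CLSID hkcu_clsid.reg
    reg export HKLM\Software\Classes\CLSID hklm_clsid.reg
"""
import re
import sys

# Locations no legitimate in-process COM server should load from (assumption; extend for your estate)
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\",
                   "\\users\\public\\", "\\windows\\temp\\")
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.+)\]$", re.I)
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
STR_RE = re.compile(r'^@="(.*)"$')                        # (Default) stored as REG_SZ
HEX2_RE = re.compile(r"^@=hex\(2\):([0-9a-f,]*)$", re.I)  # (Default) stored as REG_EXPAND_SZ

def _logical_lines(text):
    """Rejoin the backslash-continued hex lines that reg.exe emits for long values."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\") and not line.startswith("["):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def parse_reg_export(text):
    """Return {key path lower-cased: (Default) value or None} for every key in a .reg export."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if m := KEY_RE.match(line):
            current = m.group(1).lower()
            keys[current] = None
        elif current is None:
            continue
        elif m := STR_RE.match(line):
            keys[current] = m.group(1).replace("\\\\", "\\")  # reg.exe doubles backslashes
        elif m := HEX2_RE.match(line):
            data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
            keys[current] = data.decode("utf-16-le").rstrip("\x00")
    return keys

def inproc_servers(keys):
    """Map CLSID -> InprocServer32 (Default), i.e. the DLL COM will load, for one hive."""
    servers = {}
    for path, value in keys.items():
        if path.endswith("\\inprocserver32") and value and (m := CLSID_RE.search(path)):
            servers[m.group(0).lower()] = value
    return servers

def find_hijacks(hkcu_text, hklm_text):
    """Return [(clsid, hkcu_dll, hklm_dll_or_None, reasons)]. HKCU\\Software\\Classes is merged
    over HKLM when HKCR is built, so a per-user InprocServer32 replaces the DLL for that user."""
    user = inproc_servers(parse_reg_export(hkcu_text))
    machine = inproc_servers(parse_reg_export(hklm_text))
    findings = []
    for clsid, dll in sorted(user.items()):
        reasons, low = [], dll.lower()
        if clsid in machine and machine[clsid].lower() != low:
            reasons.append("shadows the HKLM registration")
        if any(d in low for d in SUSPICIOUS_DIRS):
            reasons.append("server lives in a user-writable directory")
        if reasons:
            findings.append((clsid, dll, machine.get(clsid), reasons))
    return findings

# Constructed sample exports: the HKCU entry reproduces the key and DLL path FRST removed above;
# the HKLM value (shell32.dll as REG_EXPAND_SZ) and the second, benign per-user CLSID are made up.
HKCU_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
@="C:\\Users\\Crystal\\AppData\\Local\\Temp\\smoenbn\\srufbfw\\wow64.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\Crystal\\AppData\\Local\\Programs\\PerUserApp\\peruser.dll"
"""
HKLM_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,65,00,\
  6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"""

if __name__ == "__main__":
    # With two file arguments read real exports (reg.exe writes UTF-16 with a BOM); else use the samples.
    if len(sys.argv) == 3:
        texts = [open(n, "rb").read().decode("utf-16") for n in sys.argv[1:3]]
    else:
        texts = [HKCU_SAMPLE, HKLM_SAMPLE]
    for clsid, dll, legit, reasons in find_hijacks(*texts):
        print(f"{clsid}\n  HKCU: {dll}\n  HKLM: {legit or '(not registered)'}\n  {'; '.join(reasons)}")
```

Run it with the two export file names to check a real machine; with no arguments it runs against the embedded samples and reports only the {fbeb8a05-...} override, not the benign per-user CLSID. On 64-bit Windows also export HKLM\Software\Classes\Wow6432Node\CLSID, since 32-bit servers such as the shell extensions that a 32-bit process loads are registered there. Treat a hit as a lead for review rather than proof: per-user application installs legitimately register COM servers under HKCU, usually beneath AppData\Local, but a per-user entry that shadows a machine-wide registration for a Windows component is the pattern FRST was pointing at.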

We will need to run an online AV scan; first run the following and post the logs.

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Next,

 

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:

 


Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender

 


Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

 

Post those two logs.


Checkup.txt:

 

Results of screen317's Security Check version 0.99.74  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 6 Update 22  
 Java 6 Update 31  
 Java 7 Update 25  
 Java version out of Date! 
 Adobe Flash Player 10 Flash Player out of Date! 
 Adobe Reader 9 Adobe Reader out of Date! 
 Mozilla Firefox 13.0 Firefox out of Date!  
 Google Chrome 30.0.1599.101  
 Google Chrome 30.0.1599.69  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1% 
````````````````````End of Log`````````````````````` 

 

 

FSS.txt:

 


Farbar Service Scanner Version: 24-10-2013
Ran by Crystal (administrator) on 25-10-2013 at 10:23:57
Running from "C:\Users\Crystal\Downloads"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy: 
==================


System Restore:
============

System Restore Disabled Policy: 
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy: 
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2013-10-09 23:01] - [2013-09-13 20:10] - 0497152 ____A (Microsoft Corporation) 314C17917AC8523EC77A710215012A65

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-10-09 23:02] - [2013-09-07 21:30] - 1903552 ____A (Microsoft Corporation) 40AF23633D197905F03AB5628C558C51

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****


Thanks for those logs, do the following:

 

Adobe Reader is outdated...

Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader

 

Step 1 - Select your Operating System.

Step 2 - Select your Language.

Step 3 - Select latest version.

 

Untick the option for any security scanner or toolbar if offered.

 

Download and install.

 

Having the latest updates ensures there are no security vulnerabilities in your system.

 

Next,

 

Go here http://www.adobe.com/shockwave/welcome/ and have Adobe Flashplayer checked. Accept new version if required.

There maybe an offer of Google Chrome etc, untick those options if offered...

 

Next,

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version of Java components and upgrade the application.

 

Upgrading Java:

 

Go to http://java.com/en/ and click on "Do I have Java"

It will check your current version and then offer to update to the latest version

Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

 

***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if so - remove them.

 

Make sure the following outdated versions are removed:

 

Java™ 6 Update 22  
Java™ 6 Update 31  
Java 7 Update 25

 

When those steps complete do this:

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system. This scan can take several hours to complete; it is very thorough and well worth running, so please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan. Vista and Windows 7 users: right click on the IE shortcut and run as admin.

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use, then click Start
  • When asked, allow the add-on to be installed, then click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked, then click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

If no threats were found:

  • Put a checkmark in "Uninstall application on close"
  • Close program
  • Report to me that nothing was found

If threats were found:

  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • Put a checkmark in "Uninstall application on close"
  • Click on finish

Close program

Copy and paste the report here

 

Kevin....


Thanks, Kevin.

 

Threats were found.  Here's the report:

 

C:\FRST\Quarantine\wow64.dll Win64/Olmarik.BD trojan
C:\Program Files (x86)\Coupon Companion Plugin\ButtonUtil.dll a variant of Win32/Toolbar.CrossRider.G application
C:\Program Files (x86)\Coupon Companion Plugin\Coupon Companion Plugin-bg.exe a variant of Win32/Toolbar.CrossRider.E application
C:\Program Files (x86)\Coupon Companion Plugin\Coupon Companion Plugin.exe a variant of Win32/Toolbar.CrossRider.E application
C:\Program Files (x86)\Coupon Companion Plugin\Coupon Companion PluginGui.exe a variant of Win32/Toolbar.CrossRider.F application
C:\Program Files (x86)\Coupon Companion Plugin\Uninstall.exe multiple threats
C:\Users\Crystal\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SKAKZSPY\metrics[1].htm HTML/Iframe.B.Gen virus
C:\Users\Crystal\AppData\Local\Temp\ICReinstall\cnet2_prismpsetup_exe.exe a variant of Win32/InstallCore.D application
C:\Users\Crystal\AppData\Local\Updater21804\Updater21804.exe a variant of Win32/Toolbar.CrossRider.C application
C:\Users\Crystal\Downloads\cnet2_prismpsetup_exe.exe a variant of Win32/InstallCore.D application
 
I'll be away from my computer for at least a few hours.  Thanks so much for all your help!

Download OTM from any of the following links and save to your Desktop:

http://oldtimer.geekstogo.com/OTM.exe
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, and the Desktop will disappear; this will be put back on completion.... If your security software alerts to OTM, either accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure you start with and include the colon before Files (":Files").

    :Files
    C:\Program Files (x86)\Coupon Companion Plugin
    C:\Users\Crystal\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SKAKZSPY\metrics[1].htm
    C:\Users\Crystal\AppData\Local\Temp\ICReinstall\cnet2_prismpsetup_exe.exe
    C:\Users\Crystal\AppData\Local\Updater21804\Updater21804.exe
    C:\Users\Crystal\Downloads\cnet2_prismpsetup_exe.exe
    :Commands
    [EmptyTemp]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

 

Post that log, let me know if you have any remaining issues or concerns...

 

Kevin

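For readers who want to see what the OTM script above actually does on the box, here is an added PowerShell equivalent; it is not OTM's code and not part of Kevin's instructions. It quarantines the same paths ESET flagged (the :Files section), logs each move, and empties the current user's temp folder ([EmptyTemp]). A file that is locked is queued for a move at next boot through PendingFileRenameOperations, which is the mechanism behind the "Files moved on Reboot..." block in an OTM log. The quarantine root C:\_Quarantine, the log name, and the Write-Log/Add-PendingMove helper names are choices made for this example; it assumes an elevated PowerShell session.

```powershell
# Added example, not OTM's own code. Assumes an elevated PowerShell session.
# $Targets is the path list from the ESET report in this thread.
$Targets = @(
    'C:\Program Files (x86)\Coupon Companion Plugin',
    'C:\Users\Crystal\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SKAKZSPY\metrics[1].htm',
    'C:\Users\Crystal\AppData\Local\Temp\ICReinstall\cnet2_prismpsetup_exe.exe',
    'C:\Users\Crystal\AppData\Local\Updater21804\Updater21804.exe',
    'C:\Users\Crystal\Downloads\cnet2_prismpsetup_exe.exe'
)

# Quarantine root and log location are this example's choice (OTM uses C:\_OTMoveIt).
$Stamp = Get-Date -Format 'MMddyyyy_HHmmss'
$QRoot = "C:\_Quarantine\$Stamp"
$Log   = "C:\_Quarantine\$Stamp.log"
New-Item -ItemType Directory -Path $QRoot -Force | Out-Null

function Write-Log([string]$Line) {
    # Add-Content rather than Tee-Object -Append so this also runs on PowerShell 2.0 (Windows 7 default).
    Add-Content -Path $Log -Value $Line
    Write-Output $Line
}

function Add-PendingMove([string]$From, [string]$To) {
    # PendingFileRenameOperations is a REG_MULTI_SZ of source/destination pairs in
    # NT object-manager form (\??\C:\...). Session Manager applies it early at boot,
    # before any user-mode process can re-lock the file. Append, never overwrite,
    # so other pending renames (Windows Update etc.) are preserved.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $existing = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $pending = @()
    if ($existing) { $pending += $existing }
    $pending += "\??\$From", "\??\$To"
    Set-ItemProperty -Path $key -Name PendingFileRenameOperations -Value $pending -Type MultiString
}

Write-Log '========== FILES =========='
foreach ($t in $Targets) {
    # -LiteralPath throughout: "metrics[1].htm" contains wildcard characters.
    if (-not (Test-Path -LiteralPath $t)) { Write-Log "File $t not found!"; continue }
    # Mirror the original path under the quarantine root so the item can be restored later.
    $dest = Join-Path $QRoot ($t -replace '^[A-Za-z]:\\', '')
    New-Item -ItemType Directory -Path (Split-Path -Path $dest -Parent) -Force | Out-Null
    try {
        Move-Item -LiteralPath $t -Destination $dest -Force -ErrorAction Stop
        Write-Log "$t moved successfully."
    } catch {
        # Locked by a running process (typical for a live BHO or updater): defer to next boot.
        Add-PendingMove -From $t -To $dest
        Write-Log "$t is in use; move scheduled for next reboot."
    }
}

Write-Log '========== COMMANDS =========='
# [EmptyTemp] for the current user: remove the contents, never the folder itself.
$before = (Get-ChildItem -LiteralPath $env:TEMP -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer } |
           Measure-Object -Property Length -Sum).Sum
Get-ChildItem -LiteralPath $env:TEMP -Force -ErrorAction SilentlyContinue |
    Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
Write-Log ("->Temp folder emptied: {0} bytes" -f $before)
```

Moving rather than deleting is deliberate: a quarantined copy can be restored if a detection turns out to be a false positive, and it is still available for analysis. Anything queued through PendingFileRenameOperations only takes effect after a reboot, which is why OTM asks to restart when a file cannot be moved immediately.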

Here is the log:

 

All processes killed
========== FILES ==========
C:\Program Files (x86)\Coupon Companion Plugin folder moved successfully.
C:\Users\Crystal\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SKAKZSPY\metrics[1].htm moved successfully.
C:\Users\Crystal\AppData\Local\Temp\ICReinstall\cnet2_prismpsetup_exe.exe moved successfully.
C:\Users\Crystal\AppData\Local\Updater21804\Updater21804.exe moved successfully.
C:\Users\Crystal\Downloads\cnet2_prismpsetup_exe.exe moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
 
User: All Users
 
User: Crystal
->Temp folder emptied: 1025636468 bytes
->Temporary Internet Files folder emptied: 772720948 bytes
->Java cache emptied: 7213216 bytes
->FireFox cache emptied: 28631693 bytes
->Google Chrome cache emptied: 247742129 bytes
->Flash cache emptied: 1298201 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 58264 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1112952948 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 39290 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 78367999 bytes
RecycleBin emptied: 179050 bytes
 
Total Files Cleaned = 3,123.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 10252013_180835
 
Files moved on Reboot...
File C:\Users\Crystal\AppData\Local\Temp\etilqs_Kmk8rTjdjzLlqoz not found!
C:\Users\Crystal\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Crystal\AppData\Local\Temp\JavaDeployReg.log moved successfully.
C:\Users\Crystal\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KLHFFS1R\online-scanner[1].htm moved successfully.
C:\Users\Crystal\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
 
Registry entries deleted on Reboot...
 
 
It ended with that after it automatically restarted my computer.  Is there anything else I should do?

We need to remove FRST. First, it is very important to deal with its Quarantine folder using FRST itself..

OK, we continue:

Delete any fixlist.txt file previously used, continue:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action, delete if successful. 

Next,

 

Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST

 

Next,

  • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
  • Double click the OTC icon to start the program. If you are using Vista or Windows 7 accept UAC.
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove the tools we have used and itself.

 

 

Any tools/logs remaining on the Desktop can be deleted.

 

Next,

 

Create a new restore point:

 

   1. Right-click on Computer and go to Properties.

   2. Next click on the System Protection link.

   3. The System Properties dialog screen opens up and you will want to click on Create.

   4. Type in a description for the restore point which will help you remember the point at which it was created. Click on create.

   5. You should see the message "The restore point was created successfully".

 

To remove all but the most recent restore point do the following:

 

   1. Open Disk Cleanup by clicking the Start button. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.

   2. If prompted, select the drive that you want to clean up, and then click OK.

   3. In the Disk Cleanup for (usually C:\) dialog box, click Clean up system files. Administrator permission is required: if you're prompted for an administrator password or confirmation, type the password or provide confirmation.

   4. If prompted, select the drive that you want to clean up, and then click OK.

   5. Click the More Options tab, and under System Restore and Shadow Copies, click Clean up.

   6. In the Disk Cleanup dialog box, click Delete.

   7. Click Delete Files, and then click OK. Reboot your PC.

 

Do you have any remaining issues or concerns?

 

Kevin

fixlist.txt

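The two restore-point steps above (create a fresh restore point, then drop every older one so an infected snapshot cannot be restored later) can be done from an elevated PowerShell instead of the System Properties and Disk Cleanup dialogs. This is an added example, not part of Kevin's instructions; the description text is this example's choice, and it assumes Windows 7 with System Restore enabled on C:.

```powershell
# Added example, not the forum's procedure. Assumes an elevated PowerShell on
# Windows 7 with System Protection enabled for C:.

# Step 1: the "Create" button in System Properties -> System Protection.
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS

# Step 2: restore points are stored in VSS shadow copies. Sort oldest first
# (InstallDate is a DMTF yyyymmddHHMMSS string, so string order is time order),
# keep the newest, and delete the rest. This is what Disk Cleanup ->
# More Options -> System Restore and Shadow Copies -> Clean up does.
$shadows = @(Get-WmiObject -Class Win32_ShadowCopy | Sort-Object InstallDate)
if ($shadows.Count -gt 1) {
    $shadows | Select-Object -First ($shadows.Count - 1) | ForEach-Object {
        Write-Output ("Deleting shadow copy {0} from {1}" -f $_.ID, $_.InstallDate)
        $_.Delete()
    }
}

# Confirm only the new restore point remains.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

Deleting the old shadow copies also removes the "Previous Versions" history for files on that volume, so do this only once you are satisfied the machine is clean; after this point there is no snapshot to roll back to other than the one just created.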

Thanks so much!  I was able to delete all previous system restore points, but I'm stuck on the regular Disk Cleanup.  It just gets stuck for hours, probably because I have so many things that need deleting.  Other than that, everything looks great.  Thank you again for all of your help!
