Jump to content

Help please. Rootkit.0.Access found.


Recommended Posts

Malwarebytes found 3 instances of Rootkit.0.Access.  Redirects went away but the computer is now running very slowly.  Couldn't download dds.scr, but had it on my computer from last year:

 

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.6.2
Run by Leslie at 0:36:56 on 2013-11-01
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3037.1773 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\System32\dinotify.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.

uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Google Update]
mRun: [<NO NAME>]
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll








TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6CE5E210-CC52-41B7-AF91-12C5C703AB63} : DhcpNameServer = 192.168.1.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - c:\program files\intuit\quickbooks 2013\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\leslie\appdata\roaming\mozilla\firefox\profiles\bgknw8eh.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\leslie\appdata\local\citrix\plugins\104\npappdetector.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2009-12-3 81920]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-4-22 25824]
R2 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files\netgear genie\bin\NETGEARGenieDaemon.exe [2012-9-25 195400]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2013-3-11 1248256]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-4-30 14088]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-12-3 167936]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-29 117144]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-13 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-3-13 1343400]
S3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [2010-10-4 486176]
.
=============== Created Last 30 ================
.
2013-11-01 03:48:41 -------- d-----w- c:\windows\Logs
2013-11-01 03:46:34 0 ----a-w- c:\windows\system32\drivers\OLD7DF6.tmp
2013-11-01 03:46:34 0 ----a-w- c:\windows\system32\drivers\OLD7CEE.tmp
2013-11-01 03:28:11 -------- d-sh--w- c:\windows\system32\%APPDATA%
2013-11-01 03:23:42 -------- d-----w- c:\programdata\gpngVpn3
2013-11-01 03:23:39 -------- d-----w- c:\users\leslie\appdata\local\Google
2013-10-23 19:23:08 0 ----a-w- c:\windows\system32\drivers\OLD6FD3.tmp
2013-10-23 19:23:07 0 ----a-w- c:\windows\system32\drivers\OLD6E00.tmp
2013-10-23 18:39:14 0 ----a-w- c:\windows\system32\drivers\OLD9186.tmp
2013-10-23 18:39:13 0 ----a-w- c:\windows\system32\drivers\OLD8E1D.tmp
2013-10-23 18:37:35 46928 ----a-r- c:\windows\system32\AdobePDF.dll
2013-10-23 18:37:35 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2013-10-07 14:38:06 -------- d-----w- c:\users\leslie\appdata\local\Deployment
2013-10-07 04:02:52 0 ----a-w- c:\windows\system32\drivers\OLDC4F4.tmp
2013-10-07 04:02:52 0 ----a-w- c:\windows\system32\drivers\OLDC340.tmp
2013-10-07 03:58:45 -------- d-----w- c:\program files\iPod
2013-10-07 03:58:44 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-10-07 03:58:44 -------- d-----w- c:\program files\iTunes
.
==================== Find3M  ====================
.
2013-10-23 19:18:55 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-23 19:18:55 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-11 20:55:42 0 ----a-w- c:\windows\system32\drivers\OLD7A00.tmp
2013-08-11 20:55:42 0 ----a-w- c:\windows\system32\drivers\OLD77DF.tmp
.
============= FINISH:  0:37:56.87 ===============
 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 2/16/2010 4:24:46 PM
System Uptime: 10/31/2013 11:43:52 PM (1 hours ago)
.
Motherboard: Dell Inc. |  | 0CKCXH
Processor: Intel® Core2 Duo CPU     E7500  @ 2.93GHz | Socket 775 | 2928/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 451 GiB total, 293.946 GiB free.
D: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C7200 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C7200 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
RP239: 9/2/2013 11:29:50 AM - Scheduled Checkpoint
RP240: 9/9/2013 2:54:48 PM - Scheduled Checkpoint
RP241: 9/17/2013 9:33:11 AM - Scheduled Checkpoint
RP242: 9/25/2013 1:00:16 AM - Scheduled Checkpoint
RP243: 10/2/2013 9:46:21 AM - Scheduled Checkpoint
RP244: 10/6/2013 11:55:20 PM - Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
RP245: 10/6/2013 11:56:18 PM - Device Driver Package Install: Apple Network adapters
RP246: 10/14/2013 1:44:20 AM - Scheduled Checkpoint
RP247: 10/21/2013 10:11:14 AM - Scheduled Checkpoint
RP248: 10/28/2013 12:28:35 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Acrobat  9 Standard - English, Français, Deutsch
Adobe Acrobat 9.2.0 - CPSID_50026
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.2
AIO_Scan
Aleks 3.15
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
BufferChm
C7200
C7200_Help
Canon DIGITAL CAMERA Solution Disk Software Guide
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon PowerShot SX120 IS Camera User Guide
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC 8
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Citrix Online Launcher
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Copy
Dell Backup and Recovery Manager
Dell Edoc Viewer
Destinations
DeviceDiscovery
DocProc
Dropbox
Fax
GoToMeeting 5.7.0.1172
GPBaseService2
HP Imaging Device Functions 13.0
HP Photosmart All-In-One Driver Software 13.0 Rel. 2
HP Photosmart Essential 3.5
HP Smart Web Printing 4.51
HP Solution Center 13.0
HP Update
HPPhotoGadget
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotosmartEssential
HPProductAssistant
Intel® Graphics Media Accelerator Driver
Intel® TV Wizard
Intel® Matrix Storage Manager
Internet Explorer (Enable DEP)
iTunes
iVideo Converter
Java 7 Update 6
Java Auto Updater
Junk Mail filter update
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.75.0.1300
Maxtor Backup
Maxtor OneTouch III
Memeo Instant Backup
MFCLOC
Microsoft .NET Framework 4.5
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Basic 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
Mozilla Firefox 21.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
NETGEAR Genie
Network
OCR Software by I.R.I.S. 13.0
PowerDVD DX
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_Min
QuickBooks
QuickBooks Pro 2013
QuickTime
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE 10.3
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Scan
Seagate Dashboard
Skype Toolbars
Skype™ 4.2
SmartWebPrinting
SolutionCenter
Spelling Dictionaries Support For Adobe Reader 9
Status
Symantec pcAnywhere
System Requirements Lab for Intel
Toolbox
TrayApp
UnloadSupport
ViewChoice
Visual Studio Tools for the Office system 3.0 Runtime
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258)
WebReg
Where in the World Is Carmen Sandiego? Treasures of Knowledge
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
.
==== Event Viewer Messages From Past Week ========
.
10/31/2013 11:46:45 PM, Error: Service Control Manager [7023]  - The Function Discovery Resource Publication service terminated with the following error:  %%-2147024891
10/31/2013 11:46:45 PM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:  %%-2147024891
10/29/2013 7:20:48 AM, Error: Service Control Manager [7011]  - A timeout (120000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
.
==== End Of File ===========================
 

Link to post
Share on other sites

  • Root Admin

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER.  You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

 

 

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

 

Message borrowed from quietman7 with minor wording and link changes
 

Link to post
Share on other sites

  • Root Admin

No it will not work properly. 

 

As stated we can attempt to assist you remove it as we have with thousands of other users.  We simply want you to be aware that we cannot promise that we can clean it and that its possible to break the computer during removal so you need to have your data backed up.  The vast majority of users do have us help them clean it if that makes you feel better but again that is your decision.

 

Thanks

Link to post
Share on other sites

  • Root Admin

Yes, please backup your files to an external drive.  Once ready please do the following.

 

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 

Link to post
Share on other sites

That worked.  Here is the log file:

 

ComboFix 13-11-03.02 - Leslie 11/03/2013  23:16:36.2.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3037.2449 [GMT -5:00]
Running from: E:\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Google\Desktop\Install
c:\program files\Google\Desktop\Install\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\9519~1\A535~1\E628~1\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\@
c:\program files\Google\Desktop\Install\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\9519~1\A535~1\E628~1\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\U\00000001.@
c:\program files\Google\Desktop\Install\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\9519~1\A535~1\E628~1\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\U\00000002.@
c:\program files\Google\Desktop\Install\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\9519~1\A535~1\E628~1\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\U\80000000.@
c:\program files\Google\Desktop\Install\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\9519~1\A535~1\E628~1\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\U\80000001.@
c:\program files\Google\Desktop\Install\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\9519~1\A535~1\E628~1\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\U\800000cb.@
c:\programdata\Microsoft\Windows\DRM\AFFE.tmp
c:\users\Leslie\AppData\Local\Google\Desktop\Install
c:\users\Leslie\AppData\Local\Google\Desktop\Install\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\2E2F~1\28F0~1\E628~1\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\@
c:\users\Leslie\g2mdlhlpx.exe
c:\windows\PFRO.log
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-04 to 2013-11-04  )))))))))))))))))))))))))))))))
.
.
2013-11-04 04:24 . 2013-11-04 04:24 0 ----a-w- c:\windows\system32\drivers\OLD3B6B.tmp
2013-11-04 04:24 . 2013-11-04 04:24 0 ----a-w- c:\windows\system32\drivers\OLD3A82.tmp
2013-11-03 13:59 . 2013-11-03 14:17 -------- d-----w- C:\temp
2013-11-03 13:57 . 2013-11-03 13:57 0 ----a-w- c:\windows\system32\drivers\OLD7E25.tmp
2013-11-03 13:57 . 2013-11-03 13:57 0 ----a-w- c:\windows\system32\drivers\OLD7BB6.tmp
2013-11-01 03:48 . 2013-11-01 04:18 -------- d-----w- c:\windows\Logs
2013-11-01 03:46 . 2013-11-01 03:46 0 ----a-w- c:\windows\system32\drivers\OLD7DF6.tmp
2013-11-01 03:46 . 2013-11-01 03:46 0 ----a-w- c:\windows\system32\drivers\OLD7CEE.tmp
2013-11-01 03:28 . 2013-11-01 03:28 -------- d-sh--w- c:\windows\system32\%APPDATA%
2013-11-01 03:24 . 2013-11-01 03:24 -------- d-----w- c:\program files\Google
2013-11-01 03:23 . 2013-11-01 03:44 -------- d-----w- c:\programdata\gpngVpn3
2013-11-01 03:23 . 2013-11-01 03:23 -------- d-----w- c:\users\Leslie\AppData\Local\Google
2013-10-23 19:23 . 2013-10-23 19:23 0 ----a-w- c:\windows\system32\drivers\OLD6FD3.tmp
2013-10-23 19:23 . 2013-10-23 19:23 0 ----a-w- c:\windows\system32\drivers\OLD6E00.tmp
2013-10-23 18:39 . 2013-10-23 18:39 0 ----a-w- c:\windows\system32\drivers\OLD9186.tmp
2013-10-23 18:39 . 2013-10-23 18:39 0 ----a-w- c:\windows\system32\drivers\OLD8E1D.tmp
2013-10-23 18:37 . 2009-08-20 03:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2013-10-23 18:37 . 2009-08-20 03:50 46928 ----a-r- c:\windows\system32\AdobePDF.dll
2013-10-07 14:38 . 2013-10-23 19:09 -------- d-----w- c:\users\Leslie\AppData\Local\Deployment
2013-10-07 04:02 . 2013-10-07 04:02 0 ----a-w- c:\windows\system32\drivers\OLDC4F4.tmp
2013-10-07 04:02 . 2013-10-07 04:02 0 ----a-w- c:\windows\system32\drivers\OLDC340.tmp
2013-10-07 03:58 . 2013-10-07 03:58 -------- d-----w- c:\program files\iPod
2013-10-07 03:58 . 2013-10-07 03:58 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-10-07 03:58 . 2013-10-07 03:58 -------- d-----w- c:\program files\iTunes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-23 19:18 . 2012-04-24 17:12 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-23 19:18 . 2011-11-29 03:34 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-11 20:55 . 2013-08-11 20:55 0 ----a-w- c:\windows\system32\drivers\OLD7A00.tmp
2013-08-11 20:55 . 2013-08-11 20:55 0 ----a-w- c:\windows\system32\drivers\OLD77DF.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Leslie\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Leslie\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Leslie\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-05-29 16:00 8704 ----a-w- c:\windows\System32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Intuit Data Protect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk
backup=c:\windows\pss\Intuit Data Protect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
backup=c:\windows\pss\QuickBooks_Standard_21.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 03:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 08:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 16:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-09-13 23:51 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2010-10-12 21:24 304568 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\disks-sd]
2012-06-19 19:10 76800 ----a-w- c:\programdata\audiults.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2012-11-13 20:43 172064 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-07-22 22:33 150528 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2009-06-05 01:03 186904 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2012-11-13 20:43 138784 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2013-05-23 07:11 2786104 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-10-01 06:23 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 18:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-01-13 18:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
2005-11-09 20:19 634880 ----a-w- c:\program files\Maxtor\OneTouch\Utils\OneTouch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Instant Backup]
2010-04-23 00:33 136416 ----a-w- c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2005-10-17 20:24 81920 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NETGEARGenie]
2012-10-16 13:54 1041736 ----a-w- c:\program files\NETGEAR Genie\bin\NETGEARGenie.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-06-25 02:19 140520 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2012-11-13 20:43 173600 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2009-05-23 08:22 7514656 ----a-w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]
2010-04-30 14:47 79112 ----a-w- c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe
.
R2 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe [2012-09-25 195400]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-13 1343400]
R3 XIRLINK;IBM PC Camera;c:\windows\system32\DRIVERS\C-itnt.sys [2000-09-26 486176]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2010-07-14 65584]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [2010-04-23 25824]
S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [2013-03-11 1248256]
S2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2010-04-30 14088]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ    HPSLPSVC
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.

uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
Handler: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - c:\program files\Intuit\QuickBooks 2013\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\Leslie\AppData\Roaming\Mozilla\Firefox\Profiles\bgknw8eh.default\
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: !HIDDEN! 2011-10-24 09:28; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre7\bin\jusched.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3036)
c:\users\Leslie\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\System32\dinotify.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2013-11-03  23:26:40 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-04 04:26
ComboFix2.txt  2012-04-01 14:24
.
Pre-Run: 3,781,439,488 bytes free
Post-Run: 11,682,406,400 bytes free
.
- - End Of File - - 53943C00116BF4D2099AC81B71311C77
CDB4DE4BBD714F152979DA2DCBEF57EB
 

Link to post
Share on other sites

  • Root Admin

That's okay.  Please go ahead and run through the following steps and post back the logs when ready.

STEP 03
Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

STEP 04
Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus



STEP 05
Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.


Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.


STEP 06
button_eos.gif

Please go here to run the online antivirus scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

    [*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.



STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.


 

Link to post
Share on other sites

Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org

Database version: v2013.10.02.12

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Leslie :: LESLIE-PC [administrator]

11/4/2013 11:16:30 PM
mbar-log-2013-11-04 (23-16-30).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 217185
Time elapsed: 7 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 8.0.7601.17514

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.926000 GHz
Memory total: 3184513024, free: 2676908032

Initializing...
======================
------------ Kernel report ------------
     11/04/2013 23:16:27
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PxHelp20.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Gernuwa.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\Drivers\awlegacy.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ctxusbm.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rt86win7.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\drivers\mouclass.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHDA.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\hidusb.sys
\SystemRoot\system32\drivers\HIDCLASS.SYS
\SystemRoot\system32\drivers\HIDPARSE.SYS
\SystemRoot\system32\drivers\USBD.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\drivers\kbdhid.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\dot4usb.sys
\SystemRoot\system32\DRIVERS\Dot4.sys
\SystemRoot\system32\DRIVERS\Dot4Prt.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\??\C:\Windows\system32\Drivers\PROCEXP113.SYS
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\ws2_32.dll
\Windows\System32\lpk.dll
\Windows\System32\advapi32.dll
\Windows\System32\difxapi.dll
\Windows\System32\setupapi.dll
\Windows\System32\imm32.dll
\Windows\System32\gdi32.dll
\Windows\System32\iertutil.dll
\Windows\System32\imagehlp.dll
\Windows\System32\normaliz.dll
\Windows\System32\wininet.dll
\Windows\System32\nsi.dll
\Windows\System32\Wldap32.dll
\Windows\System32\msctf.dll
\Windows\System32\ole32.dll
\Windows\System32\user32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\clbcatq.dll
\Windows\System32\kernel32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\psapi.dll
\Windows\System32\comdlg32.dll
\Windows\System32\shell32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\sechost.dll
\Windows\System32\usp10.dll
\Windows\System32\urlmon.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\comctl32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\crypt32.dll
\Windows\System32\devobj.dll
\Windows\System32\wintrust.dll
\Windows\System32\msasn1.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR7
Upper Device Object: 0xffffffff85bb6ac8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000086\
Lower Device Object: 0xffffffff859b4ca8
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xffffffff883f9030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000074\
Lower Device Object: 0xffffffff883f9ca8
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff86ec1218
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xffffffff86056028
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff86ec1218, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86ec2d18, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff86ec1218, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86056028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 7740BF64

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 80262

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920  Numsec = 30720000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 30801920  Numsec = 945969200

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff85bb6ac8, DeviceName: \Device\Harddisk1\DR7\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85c2f7a8, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85bb6ac8, DeviceName: \Device\Harddisk1\DR7\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff859b4ca8, DeviceName: \Device\00000086\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR7\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 82155408

Partition information:

    Partition 0 type is Other (0x6)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 3608  Numsec = 3930600

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 2014314496 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff883f9030, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff883f9990, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff883f9030, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff883f9ca8, DeviceName: \Device\00000074\, DriverName: \Driver\USBSTOR\
------------ End ----------
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_81920_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_r.mbam...
Removal finished

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.7 (10.15.2013:3)
OS: Windows 7 Home Premium x86
Ran by Leslie on Mon 11/04/2013 at 23:30:18.66
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{D06FA7D3-3FFA-4683-95B7-9EFC295F4FCF}

 

~~~ Files

 

~~~ Folders

 

~~~ FireFox

Successfully deleted: [File] C:\Users\Leslie\AppData\Roaming\mozilla\firefox\profiles\bgknw8eh.default\extensions\fdbnsxnzlz@fdbnsxnzlz.org.xpi [Tracur]
Emptied folder: C:\Users\Leslie\AppData\Roaming\mozilla\firefox\profiles\bgknw8eh.default\minidumps [32 files]

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 11/04/2013 at 23:31:48.49
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

# AdwCleaner v3.011 - Report created 04/11/2013 at 23:34:54
# Updated 03/11/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : Leslie - LESLIE-PC
# Running from : E:\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{05EE699F-AB25-42D8-8781-558C5D1D2FAD}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1099736F-918D-4628-803B-E4E8B4B73DAC}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{60E9CF86-68DD-46CC-9B18-370658635768}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7601.17514

-\\ Mozilla Firefox v21.0 (en-US)

[ File : C:\Users\Leslie\AppData\Roaming\Mozilla\Firefox\Profiles\bgknw8eh.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [48433 octets] - [04/11/2013 23:33:25]
AdwCleaner[s0].txt - [1516 octets] - [04/11/2013 23:34:54]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1576 octets] ##########

 

ESET list of found threats:

C:\Documents and Settings\All Users\audiults.dll Win32/PSW.Papras.CD trojan
C:\Documents and Settings\All Users\Application Data\audiults.dll Win32/PSW.Papras.CD trojan
C:\Documents and Settings\Leslie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\73190831-3629c05c a variant of Java/Exploit.CVE-2010-4452.A trojan
C:\Documents and Settings\Leslie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\4cf3d289-2fc9a501 probably a variant of Java/Exploit.CVE-2011-3544.AZ trojan
C:\ProgramData\audiults.dll Win32/PSW.Papras.CD trojan
C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\9519~1\A535~1\E628~1\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\U\80000000.@.vir probably a variant of Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\9519~1\A535~1\E628~1\{a7099379-9a4c-a3ff-eeca-e490979c0b6e}\U\800000cb.@.vir a variant of Win32/Sirefef.FL trojan
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\AFFE.tmp.vir a variant of Win32/Kryptik.ADMA trojan
C:\TDSSKiller_Quarantine\01.04.2012_09.17.47\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\01.04.2012_09.17.47\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\01.04.2012_09.17.47\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AYH trojan
C:\TDSSKiller_Quarantine\01.04.2012_09.17.47\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AG trojan
C:\TDSSKiller_Quarantine\01.04.2012_09.17.47\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.KS trojan
C:\TDSSKiller_Quarantine\01.04.2012_09.17.47\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AF trojan
C:\TDSSKiller_Quarantine\01.04.2012_09.17.47\mbr0000\tdlfs0000\tsk0010.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\01.04.2012_09.17.47\mbr0000\tdlfs0000\tsk0011.dta Win64/Olmarik.X trojan
C:\TDSSKiller_Quarantine\01.04.2012_09.17.47\rtkt0000\svc0000\tsk0000.dta Win32/Simda.M.Gen trojan
C:\Users\All Users\audiults.dll Win32/PSW.Papras.CD trojan
C:\Users\All Users\Application Data\audiults.dll Win32/PSW.Papras.CD trojan
C:\Users\Leslie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\73190831-3629c05c a variant of Java/Exploit.CVE-2010-4452.A trojan
C:\Users\Leslie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\4cf3d289-2fc9a501 probably a variant of Java/Exploit.CVE-2011-3544.AZ trojan
 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013
Ran by Leslie (administrator) on LESLIE-PC on 05-11-2013 01:01:38
Running from E:\
Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Memeo) C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
(Memeo) C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
(Microsoft Corp.) C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(Microsoft Corporation) C:\Windows\System32\dinotify.exe

==================== Registry (Whitelisted) ==================

Winlogon\Notify\PCANotify: C:\Windows\system32\PCANotify.dll (Symantec Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {EF8721A1-F487-4FF6-9DCA-D94A06968A32} URL = http://www.bing.com/search?q={searchTerms}&form=DLSDF8&pc=MDDS&src=IE-SearchBox
SearchScopes: HKCU - {D06FA7D3-3FFA-4683-95B7-9EFC295F4FCF} URL = http://www.bing.com/search?q={searchTerms}&FORM=DLSDF7&pc=MDDS&src=IE-SearchBox
SearchScopes: HKCU - {EF8721A1-F487-4FF6-9DCA-D94A06968A32} URL =
BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKCU - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.13.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=972
Handler: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - C:\Program Files\Intuit\QuickBooks 2013\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Leslie\AppData\Roaming\Mozilla\Firefox\Profiles\bgknw8eh.default
FF NetworkProxy: "no_proxies_on", "*.local"
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @canon.com/MycameraPlugin - C:\Program Files\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
FF Plugin: @java.com/DTPlugin,version=10.6.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.6.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8081.0709 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\Leslie\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF HKCU\...\Firefox\Extensions: [{FB03B9CF-CCCB-4896-AD87-37B25AFDD03C}] - C:\Users\Leslie\AppData\Local\{FB03B9CF-CCCB-4896-AD87-37B25AFDD03C}
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

========================== Services (Whitelisted) =================

S3 awhost32; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [106496 2003-05-29] (Symantec Corporation)
S3 MaxBackServiceInt; C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe [184320 2005-11-09] ()
R2 MemeoBackgroundService; C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe [25824 2010-04-22] (Memeo)
S2 NETGEARGenieDaemon; C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe [195400 2012-09-25] (NETGEAR)
S3 NTService1; C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe [110592 2005-11-09] ( )
R2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-03-11] (Intuit Inc.)
S4 RemoteAccess; C:\Windows\System32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 SeagateDashboardService; C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [14088 2010-04-30] (Memeo)

==================== Drivers (Whitelisted) ====================

R1 awlegacy; C:\Windows\System32\Drivers\awlegacy.sys [10901 2003-04-21] (Symantec Corporation)
S4 AW_HOST; C:\Windows\System32\drivers\aw_host5.sys [24365 2003-05-05] (Symantec Corporation)
S3 BVRPMPR5; C:\Windows\system32\drivers\BVRPMPR5.SYS [49904 2007-06-15] (Avanquest Software)
R0 Gernuwa; C:\Windows\System32\Drivers\Gernuwa.sys [13898 2003-04-21] (Symantec Corporation)
S3 JRAID; C:\Windows\system32\DRIVERS\jraid.sys [89048 2009-05-21] (JMicron Technology Corp.)
S3 MXOPSWD; C:\Windows\System32\DRIVERS\mxopswd.sys [15360 2005-04-06] (Maxtor Corp.)
S3 SymEvent; C:\Program Files\Symantec\SYMEVENT.SYS [73496 2010-03-09] (Symantec Corporation)
U3 TrueSight; c:\windows\system32\drivers\TrueSight.sys [13824 2012-03-30] ()
S3 XIRLINK; C:\Windows\System32\DRIVERS\C-itnt.sys [486176 2000-09-26] (Xirlink, Inc)
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
S3 catchme; \??\C:\Users\Leslie\AppData\Local\Temp\catchme.sys [x]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-05 01:01 - 2013-11-05 01:01 - 00000000 ____D C:\FRST
2013-11-04 23:52 - 2013-11-04 23:52 - 00000000 ____D C:\Program Files\ESET
2013-11-04 23:36 - 2013-11-04 23:36 - 00000000 ____D C:\Windows\LastGood
2013-11-04 23:36 - 2013-11-04 23:36 - 00000000 _____ C:\Windows\system32\Drivers\OLD7619.tmp
2013-11-04 23:36 - 2013-11-04 23:36 - 00000000 _____ C:\Windows\system32\Drivers\OLD7511.tmp
2013-11-04 23:33 - 2013-11-04 23:34 - 00000000 ____D C:\AdwCleaner
2013-11-04 23:31 - 2013-11-04 23:31 - 00001154 _____ C:\Users\Leslie\Desktop\JRT.txt
2013-11-04 23:30 - 2013-11-04 23:30 - 00000000 ____D C:\Windows\ERUNT
2013-11-04 23:16 - 2013-11-04 23:25 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-11-04 23:16 - 2013-11-04 23:16 - 00075992 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2013-11-04 23:16 - 2013-11-04 23:16 - 00000000 ____D C:\Users\Leslie\Desktop\mbar
2013-11-03 23:26 - 2013-11-03 23:26 - 00015223 _____ C:\ComboFix.txt
2013-11-03 23:24 - 2013-11-03 23:24 - 00000000 _____ C:\Windows\system32\Drivers\OLD3B6B.tmp
2013-11-03 23:24 - 2013-11-03 23:24 - 00000000 _____ C:\Windows\system32\Drivers\OLD3A82.tmp
2013-11-03 23:15 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe
2013-11-03 23:15 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe
2013-11-03 23:15 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2013-11-03 23:15 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2013-11-03 23:15 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2013-11-03 23:15 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe
2013-11-03 23:15 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe
2013-11-03 23:15 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe
2013-11-03 23:14 - 2013-11-03 23:59 - 00000000 ____D C:\Qoobox
2013-11-03 08:57 - 2013-11-03 08:57 - 00000000 _____ C:\Windows\system32\Drivers\OLD7E25.tmp
2013-11-03 08:57 - 2013-11-03 08:57 - 00000000 _____ C:\Windows\system32\Drivers\OLD7BB6.tmp
2013-10-31 22:46 - 2013-10-31 22:46 - 00000000 _____ C:\Windows\system32\Drivers\OLD7DF6.tmp
2013-10-31 22:46 - 2013-10-31 22:46 - 00000000 _____ C:\Windows\system32\Drivers\OLD7CEE.tmp
2013-10-31 22:45 - 2013-11-04 23:36 - 00001812 _____ C:\Windows\setupact.log
2013-10-31 22:45 - 2013-10-31 22:45 - 00000000 _____ C:\Windows\setuperr.log
2013-10-31 22:43 - 2013-11-03 08:53 - 391172094 _____ C:\avenger.txt
2013-10-31 22:28 - 2013-10-31 22:28 - 00000000 __SHD C:\Windows\system32\%APPDATA%
2013-10-31 22:24 - 2013-10-31 22:24 - 00000000 ____D C:\Program Files\Google
2013-10-31 22:23 - 2013-10-31 22:44 - 00000000 ____D C:\ProgramData\gpngVpn3
2013-10-31 22:23 - 2013-10-31 22:23 - 00000000 ____D C:\Users\Leslie\AppData\Local\Google
2013-10-25 09:17 - 2013-10-25 09:17 - 00009471 _____ C:\Users\Leslie\Documents\Work contact email list.xlsx
2013-10-25 09:16 - 2013-10-25 09:16 - 00000462 _____ C:\Users\Leslie\Documents\Work contact email list.csv
2013-10-23 14:23 - 2013-10-23 14:23 - 00000000 _____ C:\Windows\system32\Drivers\OLD6FD3.tmp
2013-10-23 14:23 - 2013-10-23 14:23 - 00000000 _____ C:\Windows\system32\Drivers\OLD6E00.tmp
2013-10-23 13:39 - 2013-10-23 13:39 - 00000000 _____ C:\Windows\system32\Drivers\OLD9186.tmp
2013-10-23 13:39 - 2013-10-23 13:39 - 00000000 _____ C:\Windows\system32\Drivers\OLD8E1D.tmp
2013-10-23 13:37 - 2009-08-19 22:50 - 00046928 ____R (Adobe Systems Inc) C:\Windows\system32\AdobePDF.dll
2013-10-23 13:37 - 2009-08-19 22:50 - 00022872 ____R (Adobe Systems Inc.) C:\Windows\system32\AdobePDFUI.dll
2013-10-23 13:36 - 2013-10-23 13:36 - 00001986 _____ C:\Users\Public\Desktop\Adobe Reader 9.lnk
2013-10-07 09:38 - 2013-10-23 14:09 - 00000000 ____D C:\Users\Leslie\AppData\Local\Deployment
2013-10-06 23:02 - 2013-10-06 23:02 - 00000000 _____ C:\Windows\system32\Drivers\OLDC4F4.tmp
2013-10-06 23:02 - 2013-10-06 23:02 - 00000000 _____ C:\Windows\system32\Drivers\OLDC340.tmp
2013-10-06 23:00 - 2013-10-07 20:58 - 00011567 _____ C:\Users\Leslie\Documents\soccer list 2013.xlsx
2013-10-06 22:59 - 2013-10-06 22:59 - 00001755 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-10-06 22:58 - 2013-10-06 22:58 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-10-06 22:58 - 2013-10-06 22:58 - 00000000 ____D C:\Program Files\iTunes
2013-10-06 22:58 - 2013-10-06 22:58 - 00000000 ____D C:\Program Files\iPod

==================== One Month Modified Files and Folders =======

2013-11-05 01:01 - 2013-11-05 01:01 - 00000000 ____D C:\FRST
2013-11-05 01:00 - 2010-02-16 16:48 - 00000000 ____D C:\Users\Leslie\Documents\Adobe
2013-11-04 23:52 - 2013-11-04 23:52 - 00000000 ____D C:\Program Files\ESET
2013-11-04 23:43 - 2009-07-13 23:34 - 00014240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-04 23:43 - 2009-07-13 23:34 - 00014240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-04 23:41 - 2009-12-03 15:59 - 00785112 _____ C:\Windows\system32\PerfStringBackup.INI
2013-11-04 23:39 - 2009-07-13 23:55 - 01302639 _____ C:\Windows\WindowsUpdate.log
2013-11-04 23:36 - 2013-11-04 23:36 - 00000000 ____D C:\Windows\LastGood
2013-11-04 23:36 - 2013-11-04 23:36 - 00000000 _____ C:\Windows\system32\Drivers\OLD7619.tmp
2013-11-04 23:36 - 2013-11-04 23:36 - 00000000 _____ C:\Windows\system32\Drivers\OLD7511.tmp
2013-11-04 23:36 - 2013-10-31 22:45 - 00001812 _____ C:\Windows\setupact.log
2013-11-04 23:36 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-04 23:34 - 2013-11-04 23:33 - 00000000 ____D C:\AdwCleaner
2013-11-04 23:31 - 2013-11-04 23:31 - 00001154 _____ C:\Users\Leslie\Desktop\JRT.txt
2013-11-04 23:30 - 2013-11-04 23:30 - 00000000 ____D C:\Windows\ERUNT
2013-11-04 23:25 - 2013-11-04 23:16 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-11-04 23:16 - 2013-11-04 23:16 - 00075992 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2013-11-04 23:16 - 2013-11-04 23:16 - 00000000 ____D C:\Users\Leslie\Desktop\mbar
2013-11-04 10:01 - 2010-02-16 16:47 - 00000000 ____D C:\Users\Leslie\Documents\Word
2013-11-04 09:44 - 2010-02-16 16:47 - 00000000 ____D C:\Users\Leslie\Documents\Excel
2013-11-03 23:59 - 2013-11-03 23:14 - 00000000 ____D C:\Qoobox
2013-11-03 23:26 - 2013-11-03 23:26 - 00015223 _____ C:\ComboFix.txt
2013-11-03 23:24 - 2013-11-03 23:24 - 00000000 _____ C:\Windows\system32\Drivers\OLD3B6B.tmp
2013-11-03 23:24 - 2013-11-03 23:24 - 00000000 _____ C:\Windows\system32\Drivers\OLD3A82.tmp
2013-11-03 23:24 - 2009-07-13 21:04 - 00000215 _____ C:\Windows\system.ini
2013-11-03 23:22 - 2012-03-31 22:18 - 00000000 ____D C:\Windows\ERDNT
2013-11-03 23:22 - 2009-07-13 21:03 - 49283072 _____ C:\Windows\system32\config\software.bak
2013-11-03 23:22 - 2009-07-13 21:03 - 15204352 _____ C:\Windows\system32\config\system.bak
2013-11-03 23:22 - 2009-07-13 21:03 - 00524288 _____ C:\Windows\system32\config\default.bak
2013-11-03 23:22 - 2009-07-13 21:03 - 00262144 _____ C:\Windows\system32\config\security.bak
2013-11-03 23:22 - 2009-07-13 21:03 - 00262144 _____ C:\Windows\system32\config\sam.bak
2013-11-03 23:21 - 2010-02-16 16:24 - 00000000 ____D C:\Users\Leslie
2013-11-03 23:14 - 2009-07-13 23:53 - 00032556 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-11-03 08:57 - 2013-11-03 08:57 - 00000000 _____ C:\Windows\system32\Drivers\OLD7E25.tmp
2013-11-03 08:57 - 2013-11-03 08:57 - 00000000 _____ C:\Windows\system32\Drivers\OLD7BB6.tmp
2013-11-03 08:53 - 2013-10-31 22:43 - 391172094 _____ C:\avenger.txt
2013-11-02 10:46 - 2012-11-14 23:50 - 00003117 _____ C:\SeagateAdapter
2013-10-31 22:56 - 2010-03-13 22:07 - 00007620 _____ C:\Users\Leslie\AppData\Local\Resmon.ResmonCfg
2013-10-31 22:46 - 2013-10-31 22:46 - 00000000 _____ C:\Windows\system32\Drivers\OLD7DF6.tmp
2013-10-31 22:46 - 2013-10-31 22:46 - 00000000 _____ C:\Windows\system32\Drivers\OLD7CEE.tmp
2013-10-31 22:45 - 2013-10-31 22:45 - 00000000 _____ C:\Windows\setuperr.log
2013-10-31 22:44 - 2013-10-31 22:23 - 00000000 ____D C:\ProgramData\gpngVpn3
2013-10-31 22:43 - 2009-12-03 17:44 - 00000000 ____D C:\Windows\Panther
2013-10-31 22:28 - 2013-10-31 22:28 - 00000000 __SHD C:\Windows\system32\%APPDATA%
2013-10-31 22:24 - 2013-10-31 22:24 - 00000000 ____D C:\Program Files\Google
2013-10-31 22:23 - 2013-10-31 22:23 - 00000000 ____D C:\Users\Leslie\AppData\Local\Google
2013-10-31 22:20 - 2010-09-27 13:55 - 00002054 ____H C:\Users\Leslie\Documents\Default.rdp
2013-10-31 22:19 - 2009-07-13 23:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2013-10-30 14:13 - 2010-08-25 10:45 - 00000000 ____D C:\Users\Leslie\Documents\My Scans
2013-10-28 17:59 - 2012-08-26 18:59 - 00000000 ____D C:\Users\Leslie\AppData\Roaming\.minecraft
2013-10-25 09:17 - 2013-10-25 09:17 - 00009471 _____ C:\Users\Leslie\Documents\Work contact email list.xlsx
2013-10-25 09:16 - 2013-10-25 09:16 - 00000462 _____ C:\Users\Leslie\Documents\Work contact email list.csv
2013-10-23 23:14 - 2010-03-16 22:54 - 00000000 ____D C:\Users\Leslie\Documents\Fax
2013-10-23 14:58 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\NDF
2013-10-23 14:23 - 2013-10-23 14:23 - 00000000 _____ C:\Windows\system32\Drivers\OLD6FD3.tmp
2013-10-23 14:23 - 2013-10-23 14:23 - 00000000 _____ C:\Windows\system32\Drivers\OLD6E00.tmp
2013-10-23 14:19 - 2010-02-16 16:25 - 00000000 ____D C:\Users\Leslie\AppData\Local\Adobe
2013-10-23 14:18 - 2012-04-24 12:12 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-10-23 14:18 - 2011-11-28 22:34 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-10-23 14:09 - 2013-10-07 09:38 - 00000000 ____D C:\Users\Leslie\AppData\Local\Deployment
2013-10-23 13:39 - 2013-10-23 13:39 - 00000000 _____ C:\Windows\system32\Drivers\OLD9186.tmp
2013-10-23 13:39 - 2013-10-23 13:39 - 00000000 _____ C:\Windows\system32\Drivers\OLD8E1D.tmp
2013-10-23 13:36 - 2013-10-23 13:36 - 00001986 _____ C:\Users\Public\Desktop\Adobe Reader 9.lnk
2013-10-23 13:36 - 2009-12-03 15:55 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-10-23 13:36 - 2009-12-03 15:55 - 00000000 ____D C:\Program Files\Adobe
2013-10-22 17:58 - 2013-05-24 15:25 - 00000000 ____D C:\Quickbooks backup files
2013-10-21 17:26 - 2012-01-03 11:06 - 00000000 ___RD C:\Users\Leslie\Dropbox
2013-10-21 17:26 - 2012-01-03 11:03 - 00000000 ____D C:\Users\Leslie\AppData\Roaming\Dropbox
2013-10-07 20:58 - 2013-10-06 23:00 - 00011567 _____ C:\Users\Leslie\Documents\soccer list 2013.xlsx
2013-10-07 09:38 - 2010-03-10 00:35 - 00000000 ___HD C:\Users\Leslie\AppData\Local\Apps\2.0
2013-10-06 23:02 - 2013-10-06 23:02 - 00000000 _____ C:\Windows\system32\Drivers\OLDC4F4.tmp
2013-10-06 23:02 - 2013-10-06 23:02 - 00000000 _____ C:\Windows\system32\Drivers\OLDC340.tmp
2013-10-06 22:59 - 2013-10-06 22:59 - 00001755 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-10-06 22:58 - 2013-10-06 22:58 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-10-06 22:58 - 2013-10-06 22:58 - 00000000 ____D C:\Program Files\iTunes
2013-10-06 22:58 - 2013-10-06 22:58 - 00000000 ____D C:\Program Files\iPod
2013-10-06 22:58 - 2010-03-12 00:14 - 00000000 ____D C:\Program Files\Common Files\Apple

Files to move or delete:
====================
C:\ProgramData\audiults.dll

Some content of TEMP:
====================
C:\Users\Leslie\AppData\Local\temp\Quarantine.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-10-31 11:47

==================== End Of Log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 31-10-2013
Ran by Leslie at 2013-11-05 01:01:57
Running from E:\
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

32 Bit HP CIO Components Installer (Version: 7.1.8)
Adobe Acrobat  9 Standard - English, Français, Deutsch (Version: 9.2.0)
Adobe Acrobat 9.2.0 - CPSID_50026
Adobe Flash Player 11 ActiveX (Version: 11.9.900.117)
Adobe Flash Player 11 Plugin (Version: 11.6.602.180)
Adobe Reader 9.2 (Version: 9.2.0)
AIO_Scan (Version: 130.0.365.000)
Aleks 3.15
Apple Application Support (Version: 2.3.6)
Apple Mobile Device Support (Version: 7.0.0.117)
Apple Software Update (Version: 2.1.3.127)
Bonjour (Version: 3.0.0.10)
BufferChm (Version: 130.0.331.000)
C7200 (Version: 130.0.365.000)
C7200_Help (Version: 100.0.206.000)
Canon DIGITAL CAMERA Solution Disk Software Guide (Version: 1.0.1.2)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (Version: 1.7.0.4)
Canon Internet Library for ZoomBrowser EX (Version: 1.6.3.9)
Canon MovieEdit Task for ZoomBrowser EX (Version: 3.2.0.34)
Canon Personal Printing Guide (Version: 1.0.0.1)
Canon PowerShot SX120 IS Camera User Guide (Version: 1.0.1.2)
Canon Utilities CameraWindow (Version: 7.3.0.4)
Canon Utilities CameraWindow DC (Version: 7.4.1.10)
Canon Utilities CameraWindow DC 8 (Version: 8.0.0.19)
Canon Utilities MyCamera (Version: 7.3.0.5)
Canon Utilities PhotoStitch (Version: 3.1.22.46)
Canon Utilities ZoomBrowser EX (Version: 6.4.0.7)
Canon ZoomBrowser EX Memory Card Utility (Version: 1.2.2.11)
Citrix Online Launcher (Version: 1.0.110)
Citrix online plug-in - web (Version: 12.1.0.30)
Citrix online plug-in (DV) (Version: 12.1.0.30)
Citrix online plug-in (HDX) (Version: 12.1.0.30)
Citrix online plug-in (USB) (Version: 12.1.0.30)
Citrix online plug-in (Web) (Version: 12.1.0.30)
Copy (Version: 130.0.428.000)
Dell Backup and Recovery Manager (Version: 1.1.0)
Dell Edoc Viewer (Version: 1.0.0)
Destinations (Version: 130.0.0.0)
DeviceDiscovery (Version: 130.0.465.000)
DocProc (Version: 13.0.0.0)
Dropbox (HKCU Version: 2.0.22)
ESET Online Scanner v3
Fax (Version: 130.0.418.000)
GoToMeeting 5.7.0.1172 (HKCU Version: 5.7.0.1172)
GPBaseService2 (Version: 130.0.371.000)
HP Imaging Device Functions 13.0 (Version: 13.0)
HP Photosmart All-In-One Driver Software 13.0 Rel. 2 (Version: 13.0)
HP Photosmart Essential 3.5 (Version: 3.5)
HP Smart Web Printing 4.51 (Version: 4.51)
HP Solution Center 13.0 (Version: 13.0)
HP Update (Version: 4.000.011.006)
HPPhotoGadget (Version: 130.0.282.000)
HPPhotoSmartDiscLabel_PaperLabel (Version: 2.04.0000)
HPPhotoSmartDiscLabel_PrintOnDisc (Version: 2.04.0000)
HPPhotoSmartDiscLabelContent1 (Version: 2.04.0000)
hpphotosmartdisclabelplugin (Version: 2.04.0000)
HPPhotosmartEssential (Version: 2.04.0000)
HPProductAssistant (Version: 130.0.371.000)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.2869)
Intel® TV Wizard
Intel® Matrix Storage Manager
Internet Explorer (Enable DEP)
iTunes (Version: 11.1.1.11)
iVideo Converter
Java 7 Update 6 (Version: 7.0.60)
Java Auto Updater (Version: 2.1.9.0)
Junk Mail filter update (Version: 14.0.8089.726)
LiveReg (Symantec Corporation) (Version: 2.3.0.1833)
LiveUpdate 1.80 (Symantec Corporation) (Version: 1.80.19.0)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Maxtor Backup (Version: 1.00.0011)
Maxtor OneTouch III (Version: 3.00.0015)
Memeo Instant Backup (Version: 4.60.0.7252)
MFCLOC (Version: 1.00.0000)
Microsoft .NET Framework 4.5 (Version: 4.5.50709)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Office 2007 Primary Interop Assemblies (Version: 12.0.4518.1014)
Microsoft Office Basic 2007 (Version: 12.0.4518.1014)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Search Enhancement Pack (Version: 1.2.123.0)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.50727.42)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (Version: 10.0.31007)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (Version: 10.0.31010)
Mozilla Firefox 21.0 (x86 en-US) (Version: 21.0)
Mozilla Maintenance Service (Version: 21.0)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
NETGEAR Genie (Version: 2.2.27.1 )
Network (Version: 130.0.572.000)
OCR Software by I.R.I.S. 13.0 (Version: 13.0)
PowerDVD DX (Version: 8.3.5424)
PS_AIO_02_ProductContext (Version: 130.0.365.000)
PS_AIO_02_Software (Version: 130.0.365.000)
PS_AIO_02_Software_Min (Version: 130.0.365.000)
QuickBooks (Version: 23.0.4007.2305)
QuickBooks Pro 2013 (Version: 23.0.4006.2305)
QuickTime (Version: 7.69.80.9)
Realtek High Definition Audio Driver (Version: 6.0.1.5859)
Roxio Creator Audio (Version: 3.7.0)
Roxio Creator Copy (Version: 3.7.0)
Roxio Creator Data (Version: 3.7.0)
Roxio Creator DE 10.3 (Version: 10.3)
Roxio Creator DE 10.3 (Version: 3.7.0)
Roxio Creator Tools (Version: 3.7.0)
Roxio Express Labeler 3 (Version: 3.2.2)
Roxio Update Manager (Version: 6.0.0)
Scan (Version: 13.0.0.0)
Seagate Dashboard (Version: 1.0.0.809)
Skype Toolbars (Version: 1.0.4051)
Skype™ 4.2 (Version: 4.2.187)
SmartWebPrinting (Version: 130.0.457.000)
SolutionCenter (Version: 130.0.373.000)
Spelling Dictionaries Support For Adobe Reader 9 (Version: 9.0.0)
Status (Version: 130.0.469.000)
Symantec pcAnywhere (Version: 11.0.0)
System Requirements Lab for Intel (Version: 4.5.13.0)
Toolbox (Version: 130.0.648.000)
TrayApp (Version: 130.0.422.000)
UnloadSupport (Version: 11.0.0)
ViewChoice
Visual Studio Tools for the Office system 3.0 Runtime
Visual Studio Tools for the Office system 3.0 Runtime (Version: 9.0.30729)
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (Version: 1)
WebReg (Version: 130.0.132.017)
Where in the World Is Carmen Sandiego? Treasures of Knowledge
Windows Live Communications Platform (Version: 14.0.8064.206)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live Mail (Version: 14.0.8089.0726)
Windows Live Movie Maker (Version: 14.0.8091.0730)
Windows Live Photo Gallery (Version: 14.0.8081.709)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live Toolbar (Version: 14.0.8064.206)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8089.0726)

==================== Restore Points  =========================

04-11-2013 15:26:24 Scheduled Checkpoint

==================== Hosts content: ==========================

2009-07-13 21:04 - 2013-11-03 23:24 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {7B50BDB3-C216-4BCA-8886-B8714390C5E1} - System32\Tasks\task251025498 => C:\Users\Public\Documents\e.exe

==================== Loaded Modules (whitelisted) =============

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

==================== Faulty Device Manager Devices =============

Name: Photosmart C7200 series
Description: Photosmart C7200 series
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================

System errors:
=============
Error: (11/04/2013 11:36:09 PM) (Source: Service Control Manager) (User: )
Description: The NETGEARGenieDaemon service failed to start due to the following error:
%%1053

Error: (11/04/2013 11:36:09 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (120000 milliseconds) while waiting for the NETGEARGenieDaemon service to connect.

Microsoft Office Sessions:
=========================
Error: (01/05/2013 11:02:52 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 4986 seconds with 2040 seconds of active time.  This session ended with a crash.

Error: (10/12/2011 02:18:36 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 254 seconds with 180 seconds of active time.  This session ended with a crash.

Error: (04/12/2011 11:52:38 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 3544 seconds with 1860 seconds of active time.  This session ended with a crash.

Error: (12/23/2010 00:36:34 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 11035 seconds with 4440 seconds of active time.  This session ended with a crash.

CodeIntegrity Errors:
===================================
  Date: 2012-04-01 01:15:54.508
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\urlmon.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-04-01 01:15:54.492
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-04-01 00:50:46.302
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\urlmon.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-04-01 00:50:46.271
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-03-31 12:43:00.957
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\urlmon.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-03-31 12:43:00.941
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-03-30 11:31:57.043
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\urlmon.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-03-30 11:31:57.011
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-03-30 11:24:18.308
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\urlmon.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-03-30 11:24:18.293
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Percentage of memory in use: 34%
Total physical RAM: 3036.99 MB
Available physical RAM: 1982.22 MB
Total Pagefile: 6072.26 MB
Available Pagefile: 5141.29 MB
Total Virtual: 2047.88 MB
Available Virtual: 1871.11 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:451.07 GB) (Free:9.89 GB) NTFS
Drive e: () (Removable) (Total:1.87 GB) (Free:1.86 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 466 GB) (Disk ID: 7740BF64)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=451 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 2 GB) (Disk ID: 82155408)
Partition 1: (Not Active) - (Size=2 GB) - (Type=06)

==================== End Of Log ============================

 

 

 

Link to post
Share on other sites

  • Root Admin

Please uninstall ALL versions of Java from Control Panel, Add\Remove programs.
 
Then run the following.
 
Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

 

 

Next,

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Link to post
Share on other sites

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Nov 05 14:54:07 2013

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0001-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0002-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0003-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0004-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0005-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0006-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0007-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0008-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0009-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0010-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0011-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0012-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0013-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0014-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0015-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0016-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0017-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0018-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0019-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0020-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0021-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0022-ABCDEFFDCBA}. The error returned was 124.

Found and removed: JavaPlugin.FamilyVersionSupport

Found and removed: Software\Classes\JavaPlugin.170_06

Found and removed: SOFTWARE\Classes\JavaPlugin

Found and removed: SOFTWARE\Classes\JavaPlugin.170_06

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.6.0.0

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}

Found and removed: SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}

Found and removed: SOFTWARE\Classes\MIME\Database\Content Type\application/java-deployment-toolkit

Found and removed: SOFTWARE\Classes\.jnlp

Found and removed: SOFTWARE\Classes\JNLPFile

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Found and removed: SOFTWARE\JavaSoft

Found and removed: SOFTWARE\JreMetrics

Found and removed: SOFTWARE\MozillaPlugins

------------------------------------

Finished reporting.

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 31-10-2013
Ran by Leslie at 2013-11-05 15:07:42 Run:1
Running from C:\Users\Leslie\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
C:\Documents and Settings\All Users\audiults.dll
C:\Documents and Settings\All Users\Application Data\audiults.dll
C:\Documents and Settings\Leslie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0
C:\ProgramData\audiults.dll
C:\Users\All Users\audiults.dll
C:\Users\All Users\Application Data\audiults.dll
C:\Users\Leslie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://download.eset...lineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://content.syste...el_4.5.13.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab
FF Plugin: @java.com/DTPlugin,version=10.6.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.6.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

*****************

C:\Documents and Settings\All Users\audiults.dll => Moved successfully.
"C:\Documents and Settings\All Users\Application Data\audiults.dll" => File/Directory not found.
C:\Documents and Settings\Leslie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0 => Moved successfully.
"C:\ProgramData\audiults.dll" => File/Directory not found.
"C:\Users\All Users\audiults.dll" => File/Directory not found.
"C:\Users\All Users\Application Data\audiults.dll" => File/Directory not found.
"C:\Users\Leslie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0" => File/Directory not found.
HKCU\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EF8721A1-F487-4FF6-9DCA-D94A06968A32} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{EF8721A1-F487-4FF6-9DCA-D94A06968A32} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D06FA7D3-3FFA-4683-95B7-9EFC295F4FCF} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{D06FA7D3-3FFA-4683-95B7-9EFC295F4FCF} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EF8721A1-F487-4FF6-9DCA-D94A06968A32} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{EF8721A1-F487-4FF6-9DCA-D94A06968A32} => Key not found.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{02BCC737-B171-4746-94C9-0D8A0B2C0089} => Key deleted successfully.
HKCR\CLSID\{02BCC737-B171-4746-94C9-0D8A0B2C0089} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5} => Key deleted successfully.
HKCR\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93} => Key deleted successfully.
HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93} => Key not found.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA} => Key not found.
HKCR\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA} => Key not found.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} => Key deleted successfully.
HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} => Key not found.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} => Key deleted successfully.
HKCR\CLSID\{CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000} => Key deleted successfully.
HKCR\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000} => Key not found.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7} => Key deleted successfully.
HKCR\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7} => Key not found.
HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.6.2 => Key not found.
C:\Windows\system32\npDeployJava1.dll => Moved successfully.
HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.6.2 => Key not found.
C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll not found.

==== End of Fixlog ====

Link to post
Share on other sites

  • Root Admin

Please run the following

 

dr_web_cureit_zpse80d87bf.jpg

  1. Please download Dr.Web CureIt! antivirus and save it to your computer. The file size is in excess of 100MB
  2. NOTE: Free usage of Dr.Web CureIt! for business purposes is illegal.
  3. Internet Explorer may show a warning when downloading - the file is safe to download from the provided link.
  4. Shutdown your antivirus to avoid any conflicts while scanning.
  5. Once the scans have completed please re-enable your antivirus.
  6. If using Malwarebytes Anti-Malware PRO you can right click over the tray icon and disable the Protection Modules
  7. If needed you can also temporarily disable it from starting with Windows
  8. Temporarily turn off any other security add-ons or applications you may also have.
  9. Once you have downloaded Dr.Web CureIt! you should right click over it and choose Properties and verify it has a Digital Signature.
  10. If it does not have a Digital Signature then do not run it.
  11. Close all open programs including all Web browsers and then double-click on drweb-cureit.exe to start the installer.
  12. You should have your User Account Control (UAC) enabled for improved security and which should then produce a dialog box asking for approval to run the installer.
  13. Click on the Yes button to start the installer.
  14. Click OK to scan your computer in the Enhanced Protection Mode
  15. Click on the check box to agree to participate in their software improvement program.
  16. Then if needed choose your Language by clicking on the small globe like icon in the upper right corner by the wrench.
  17. Then click on the Continue button and then click on the Select objects for scanning link just below the "Start scanning" button.
  18. Place a check mark on all the items except for Temporary files and System restore points - those items should not have a check mark on them.
  19. Then click on the Start scanning button.
  20. If a threat is found you can click on the Action column in the program.
  21. Your options will be Cure or Ignore
  22. If you see an item that you are absolutely sure is OK, then un-check the check box for that item, otherwise keep it on Cure.
  23. Then click on the Neutralize button.
  24. Once completed click on the green Open Report link. It will open the report in NOTEPAD
  25. Save the report to your desktop. The report will be called Cureit.log
  26. Close Dr.Web Cureit!
  27. Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  28. After reboot, attach the log Cureit.log you saved previously in your next reply.
  29. Re-Enable your antivirus and other security programs when all done.


 

Link to post
Share on other sites

Dr.Web CureIt finished with "No Threats Found."  (The first time I tried to run it, the computer crased.  When it rebooted, I got the message that said the recycle bin on c:\ is corrupted.  It said, "Do you want to empty the recycle bin for this drive?"  I said, no.  I've received this message several times and I keep saying no.)   A CureIt.log was not created.

Link to post
Share on other sites

  • Root Admin

Please run a Full Disk Check on your system C: drive.  If needed here are some links on how to run a Disk Check.

Option #8 shows the full disk check.


On Windows 7 the disk check log is in the Event Logs under Application with a heading source of  Wininit

How to Run Disk Check in Windows 7

How to Read the Event Viewer Log for Check Disk (chkdsk) in Vista, Windows 7, and Windows 8
 

When done please post back the Event Log entry showing what CHKDSK found

 

 

Link to post
Share on other sites

After chkdsk ran, I got the corrupted recycle bin message again.  Also, most times when I try to go to malwarebytes.org, I get a message saying the page cannot be found, but after I refresh, the page loads.  Here are the chkdsk results:

  

Checking file system on C:

The type of the file system is NTFS.

Volume label is OS.

 

A disk check has been scheduled.

Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 3)...

198144 file records processed. File verification completed.

610 large file records processed. 0 bad file records processed. 10 EA records processed. 59 reparse records processed. CHKDSK is verifying indexes (stage 2 of 3)...

249054 index entries processed. Index verification completed.

0 unindexed files scanned. 0 unindexed files recovered. CHKDSK is verifying security descriptors (stage 3 of 3)...

198144 file SDs/SIDs processed. CHKDSK is compacting the security descriptor stream

Cleaning up 2100 unused security descriptors.

25456 data files processed. CHKDSK is verifying Usn Journal...

37241440 USN bytes processed. Usn Journal verification completed.

CHKDSK discovered free space marked as allocated in the

master file table (MFT) bitmap.

Correcting errors in the Volume Bitmap.

Windows has made corrections to the file system.

472984599 KB total disk space.

464007828 KB in 148926 files.

93244 KB in 25459 indexes.

0 KB in bad sectors.

316007 KB in use by the system.

65536 KB occupied by the log file.

8567520 KB available on disk.

4096 bytes in each allocation unit.

118246149 total allocation units on disk.

2141880 allocation units available on disk.

Internal Info:

00 06 03 00 3a a9 02 00 a1 b2 04 00 00 00 00 00 ....:...........

e5 1b 00 00 3b 00 00 00 00 00 00 00 00 00 00 00 ....;...........

38 90 30 00 50 01 2f 00 60 1d 2f 00 00 00 2f 00 8.0.P./.`./.../.

Windows has finished checking your disk.

Please wait while your computer restarts.

Link to post
Share on other sites

  • Root Admin

Great that looks good.
 
Please visit each of the following sites and lets reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome
Chrome - Reset browser settings

Opera
How to Perform a (really) clean Reinstall of Opera
 
 

Then restart the computer and run the following
 
 
Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

Link to post
Share on other sites

  • Root Admin

Sorry for the delay.  I see that you're getting the following error - not sure of the cause but possibly damage from the infection.  Once done here a reinstall may correct that error.

 

An unexpected error has occured in "QuickBooks Pro 2013"

 

Let me have you run MBAR again but this time if you look in the Plugins folder under MBAR you should find a file named FIXDAMAGE.EXE  please right click over that file and choose "Run as administrator" and then restart the computer.

 

 

Please download Malwarebytes Anti-Rootkit from HERE
If needed there is a self help tutorial here: MBAR tutorial

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

 
 
 
 
 
Then run the following for me again.
Delete all log files and the application FRST and download a new fresh copy and run it.
 
 
Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Link to post
Share on other sites

Malwarebytes Anti-Rootkit BETA 1.07.0.1007

www.malwarebytes.org

Database version: v2013.11.12.02

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 8.0.7601.17514

Leslie :: LESLIE-PC [administrator]

11/11/2013 10:28:58 PM

mbar-log-2013-11-11 (22-28-58).txt

Scan type: Quick scan

Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled:

Objects scanned: 221747

Time elapsed: 8 minute(s), 54 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

Physical Sectors Detected: 0

(No malicious items detected)

(end)

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.07.0.1007

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 8.0.7601.17514

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.926000 GHz

Memory total: 3184513024, free: 2358857728

Downloaded database version: v2013.11.12.02

Downloaded database version: v2013.10.11.02

Initializing...

======================

------------ Kernel report ------------

11/11/2013 22:28:54

------------ Loaded modules -----------

\SystemRoot\system32\ntkrnlpa.exe

\SystemRoot\system32\halmacpi.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\BOOTVID.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\DRIVERS\iaStor.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\PxHelp20.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\System32\Drivers\Gernuwa.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\Drivers\awlegacy.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\ws2ifsl.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\drivers\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\ctxusbm.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\igdkmd32.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\drivers\HDAudBus.sys

\SystemRoot\system32\DRIVERS\Rt86win7.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\drivers\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\drivers\kbdclass.sys

\SystemRoot\system32\drivers\mouclass.sys

\SystemRoot\system32\drivers\swenum.sys

\SystemRoot\system32\drivers\ks.sys

\SystemRoot\system32\drivers\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\RTKVHDA.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_iaStor.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\system32\drivers\hidusb.sys

\SystemRoot\system32\drivers\HIDCLASS.SYS

\SystemRoot\system32\drivers\HIDPARSE.SYS

\SystemRoot\system32\drivers\USBD.SYS

\SystemRoot\system32\drivers\kbdhid.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\DRIVERS\asyncmac.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\usbscan.sys

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\system32\DRIVERS\dot4usb.sys

\SystemRoot\system32\DRIVERS\Dot4.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\Dot4Prt.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\gdi32.dll

\Windows\System32\comdlg32.dll

\Windows\System32\advapi32.dll

\Windows\System32\shlwapi.dll

\Windows\System32\imagehlp.dll

\Windows\System32\urlmon.dll

\Windows\System32\msctf.dll

\Windows\System32\setupapi.dll

\Windows\System32\shell32.dll

\Windows\System32\sechost.dll

\Windows\System32\kernel32.dll

\Windows\System32\ws2_32.dll

\Windows\System32\normaliz.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\psapi.dll

\Windows\System32\clbcatq.dll

\Windows\System32\imm32.dll

\Windows\System32\wininet.dll

\Windows\System32\oleaut32.dll

\Windows\System32\nsi.dll

\Windows\System32\usp10.dll

\Windows\System32\difxapi.dll

\Windows\System32\user32.dll

\Windows\System32\ole32.dll

\Windows\System32\Wldap32.dll

\Windows\System32\lpk.dll

\Windows\System32\iertutil.dll

\Windows\System32\msvcrt.dll

\Windows\System32\KernelBase.dll

\Windows\System32\wintrust.dll

\Windows\System32\devobj.dll

\Windows\System32\comctl32.dll

\Windows\System32\crypt32.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\msasn1.dll

----------- End -----------

Done!

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR2

Upper Device Object: 0xffffffff85c72130

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000007c\

Lower Device Object: 0xffffffff85a68580

Lower Device Driver Name: \Driver\USBSTOR\

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff86ec0a58

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IAAStorageDevice-1\

Lower Device Object: 0xffffffff86054028

Lower Device Driver Name: \Driver\iaStor\

<<<2>>>

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff86ec0a58, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff86ec0698, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff86ec0a58, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff86054028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\

------------ End ----------

Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

<<<2>>>

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...

<<<2>>>

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 7740BF64

Partition information:

Partition 0 type is Other (0xde)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 80262

Partition 1 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 81920 Numsec = 30720000

Partition file system is NTFS

Partition is bootable

Partition 2 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 30801920 Numsec = 945969200

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...

Done!

Physical Sector Size: 0

Drive: 1, DevicePointer: 0xffffffff85c72130, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff88cb3820, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff85c72130, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff85a68580, DeviceName: \Device\0000007c\, DriverName: \Driver\USBSTOR\

------------ End ----------

Scan finished

=======================================

Removal queue found; removal started

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_81920_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...

Removal finished

Attached is FRST.txt. Addtion.txt was not created.

FRST.txt

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.