
avenger.txt and dllhost.exe


HyperX


Hello,
 

Got an infected computer (Windows XP SP3). Malwarebytes found multiple items and removed them, but the computer is still not usable: the C:\ drive quickly runs out of space, filled by a text file "avenger.txt".
CPU is bogged down by multiple "dllhost.exe" processes.
I can get some breathing room by running “taskkill /f /im dllhost.exe” from the command line.

How can I track this virus/rootkit and remove it?
 

Thank you for all the help!!!

 


Hello and welcome.

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Next,

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User License Agreement).
Click Scan to scan the system.
When the scan completes, select "Report" and save it to the desktop. Close the program > Don't fix anything!
Post back the report which should be located on your desktop.

 

Let me see those logs in your next reply...

 

Kevin


Hi Kevin,

 

Thank you so much for your help, here is FRST.txt content:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-09-2014 01
Ran by TCiarlone (administrator) on TC-NY-SALE-LT on 23-09-2014 07:56:47
Running from C:\Documents and Settings\TCiarlone\My Documents\Downloads
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
(CANON INC) C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwisam.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\ramaint.exe
(LogMeIn, Inc.) C:\Documents and Settings\TCiarlone\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
(IBM) C:\Program Files\IBM\Lotus\Notes\nsd.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(O2Micro International) C:\WINDOWS\system32\drivers\o2flash.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(SonicWALL, Inc.) C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
(UltraVNC) C:\Program Files\UltraVNC\winvnc.exe
(UltraVNC) C:\Program Files\UltraVNC\winvnc.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
(LogMeIn, Inc.) C:\Documents and Settings\TCiarlone\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Andrea Electronics Corporation) C:\WINDOWS\system32\AESTFltr.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
() C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Renesas Electronics Corporation) C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
(CANON INC.) C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Microsoft Corporation) C:\WINDOWS\system32\cmd.exe
() C:\Program Files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081124-2154\soffice.exe
(Broadcom Corporation.) C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
(Trend Micro Inc.) C:\Program Files\Trend Micro\BM\TMBMSRV.exe
(LogMeIn, Inc.) C:\Documents and Settings\TCiarlone\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe
(Farbar) C:\Documents and Settings\TCiarlone\My Documents\Downloads\FRST (1).exe
(Microsoft Corporation) C:\WINDOWS\system32\ping.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nView\nwiz.exe [1634112 2011-09-07] ()
HKLM\...\Run: [sysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [536668 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [AESTFltr] => C:\WINDOWS\system32\AESTFltr.exe [737280 2009-07-07] (Andrea Electronics Corporation)
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [505720 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [intelZeroConfig] => C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe [1403152 2011-01-12] (Intel® Corporation)
HKLM\...\Run: [intelWireless] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1210640 2011-01-05] (Intel® Corporation)
HKLM\...\Run: [FreeFallProtection] => C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-25] ()
HKLM\...\Run: [NUSB3MON] => C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM\...\Run: [iAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [iSUSPM Startup] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2004-07-27] (InstallShield Software Corporation)
HKLM\...\Run: [iSUSScheduler] => C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [81920 2004-07-27] (InstallShield Software Corporation)
HKLM\...\Run: [Client Access Service] => C:\Program Files\IBM\Client Access\cwbsvstr.exe [20530 2005-06-12] (IBM Corporation)
HKLM\...\Run: [Client Access Help Update] => C:\Program Files\IBM\Client Access\cwbinhlp.exe [24627 2005-06-12] (IBM Corporation)
HKLM\...\Run: [Client Access Check Version] => C:\Program Files\IBM\Client Access\cwbckver.exe [45056 2005-06-12] (IBM Corporation)
HKLM\...\Run: [Client Access Express Welcome] => C:\Program Files\IBM\Client Access\cwbwlwiz.exe [20480 2005-06-12] (IBM Corporation)
HKLM\...\Run: [Client Access PC5250 Sound] => C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe [40960 2005-06-12] (IBM Corporation)
HKLM\...\Run: [OfficeScanNT Monitor] => C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe [849192 2010-02-05] (Trend Micro Inc.)
HKLM\...\Run: [CnwiDeviceAgent] => C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe [64336 2010-04-23] (CANON INC.)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2013-12-11] (LogMeIn, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM\...\Run: [sODCPreLoad] => C:\Program Files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081124-2154\preload.exe [40960 2012-05-28] ()
HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2014-05-12] (Malwarebytes Corporation)
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 220 more characters). <==== ATTENTION!
HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^wH4AAA==n{F+2im'xh,)mDk-+or8%mYvEUmDb2ORUtVsJbIStrVc+e'*+* Y.zPhxlc3XwC NAx\bDKU:xO?DDrUT/ (the data entry has 32372 more characters). <==== ATTENTION!
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
HKU\.DEFAULT\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_9_900_117_ActiveX.exe [829832 2013-10-10] (Adobe Systems Incorporated)
HKU\S-1-5-21-133290146-475602460-1306747606-1167\...\MountPoints2: {a3777aa6-16dc-11e2-ae45-247703660c4c} - "F:\WD SmartWare.exe" autoplay=true
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\imagePROGRAF Status Monitor.lnk
ShortcutTarget: imagePROGRAF Status Monitor.lnk -> C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwism.exe (CANON INC.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Shortcut to tn.lnk
ShortcutTarget: Shortcut to tn.lnk -> C:\tn.cmd ()
Startup: C:\Documents and Settings\TCiarlone\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Documents and Settings\TCiarlone\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: AutoCAD Digital Signatures Icon Overlay Handler -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\WINDOWS\system32\AcSignIcon.dll (Autodesk, Inc.)
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\TCiarlone\Application Data\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\TCiarlone\Application Data\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\TCiarlone\Application Data\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\TCiarlone\Application Data\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xF4CF8702745FCD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {00134F72-5284-44F7-95A8-52A619F70751} https://10.195.0.120:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} https://10.195.0.120:4343/officescan/console/html/root/AtxEnc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1338171088699
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\TCiarlone\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-05-27]

Chrome:
=======
CHR HomePage: Default ->
CHR DefaultSearchKeyword: Default -> 2E7F2B32FAD232A0FBDD9161CB4F041F941CFAFA7A50F01606A841507F333C6B
CHR DefaultSearchProvider: Default -> F284D36CEE764A45AC1FFEB3AF9F6BF64CFC81EEDBB330A280689C3C1188AE6B
CHR DefaultSearchURL: Default -> 4A124B959F3E22E5EAFEE2587B7AE9513D0AD021D2D84BB975E90E36DC732659
CHR CustomProfile: C:\Documents and Settings\TCiarlone\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Documents and Settings\TCiarlone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-12-23]
CHR Extension: (Google Drive) - C:\Documents and Settings\TCiarlone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-12-23]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\TCiarlone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-12]
CHR Extension: (YouTube) - C:\Documents and Settings\TCiarlone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-12-23]
CHR Extension: (Google Search) - C:\Documents and Settings\TCiarlone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-12-23]
CHR Extension: (Google Wallet) - C:\Documents and Settings\TCiarlone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-23]
CHR Extension: (Gmail) - C:\Documents and Settings\TCiarlone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-12-23]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Canon imagePROGRAF Status Monitor; C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwisam.exe [688912 2009-10-09] (CANON INC)
R2 Credential Vault Host Control Service; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [826272 2011-01-26] (Broadcom Corporation)
R2 Credential Vault Host Storage; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [32160 2011-01-26] (Broadcom Corporation)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-08-11] (Oracle Corporation)
R2 LMIRescue_db390dbf-90ce-4baa-9385-fdca157846a9; C:\Documents and Settings\TCiarlone\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe [3079488 2014-09-22] (LogMeIn, Inc.)
R2 Lotus Notes Diagnostics; C:\Program Files\IBM\Lotus\Notes\nsd.exe [3315080 2008-12-06] (IBM)
S3 Lotus Notes Single Logon; C:\Program Files\IBM\Lotus\Notes\nslsvice.exe [31624 2008-12-06] (IBM Corp)
R2 ntrtscan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [1385768 2010-02-02] (Trend Micro Inc.)
R2 O2FLASH; C:\WINDOWS\system32\DRIVERS\o2flash.exe [72296 2010-02-10] (O2Micro International)
R2 S24EventMonitor; C:\Program Files\Intel\WiFi\bin\S24EvMon.exe [915728 2011-01-12] (Intel® Corporation)
R2 STacSV; C:\Program Files\IDT\WDM\stacsv.exe [274514 2011-01-25] (IDT, Inc.)
S3 stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [73728 2006-09-14] (MicroVision Development, Inc.) [File not signed]
R2 SWGVCSvc; C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe [227352 2009-03-05] (SonicWALL, Inc.)
R3 TMBMServer; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [345616 2012-03-19] (Trend Micro Inc.)
R2 tmlisten; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [1337488 2010-02-02] (Trend Micro Inc.)
R3 TmProxy; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [689416 2010-01-07] (Trend Micro Inc.)
R2 uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [1737200 2010-11-28] (UltraVNC)
R2 WLANKEEPER; C:\Program Files\Intel\WiFi\bin\WLKeeper.exe [375056 2011-01-12] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 Acceler; C:\WINDOWS\System32\DRIVERS\accelern.sys [44144 2011-07-22] (ST Microelectronics)
R3 AESTAud; C:\WINDOWS\System32\drivers\AESTAud.sys [113664 2009-04-21] (Andrea Electronics Corporation)
R3 BTDriver; C:\WINDOWS\System32\DRIVERS\btport.sys [37160 2012-05-27] (Broadcom Corporation.)
R3 BTKRNL; C:\WINDOWS\System32\DRIVERS\btkrnl.sys [933416 2012-05-27] (Broadcom Corporation.)
R3 BTWDNDIS; C:\WINDOWS\System32\DRIVERS\btwdndis.sys [118440 2012-05-27] (Broadcom Corporation.)
R3 BTWUSB; C:\WINDOWS\System32\Drivers\btwusb.sys [51752 2012-05-27] (Broadcom Corporation.)
R3 cvusbdrv; C:\WINDOWS\System32\Drivers\cvusbdrv.sys [33832 2010-08-24] (Broadcom Corporation)
R3 DNE; C:\WINDOWS\System32\DRIVERS\dne2000.sys [131984 2008-11-16] (Deterministic Networks, Inc.)
R3 e1cexpress; C:\WINDOWS\System32\DRIVERS\e1c5132.sys [193704 2011-07-20] (Intel Corporation)
R3 mv2; C:\WINDOWS\System32\DRIVERS\mv2.sys [11496 2012-05-28] (UVNC BVBA)
R3 NETwNx32; C:\WINDOWS\System32\DRIVERS\NETwNx32.sys [7391744 2011-01-04] (Intel Corporation)
R3 nusb3hub; C:\WINDOWS\System32\DRIVERS\nusb3hub.sys [62208 2010-11-19] (Renesas Electronics Corporation)
R3 nusb3xhc; C:\WINDOWS\System32\DRIVERS\nusb3xhc.sys [141568 2010-11-19] (Renesas Electronics Corporation)
R3 NVHDA; C:\WINDOWS\System32\drivers\nvhda32.sys [119528 2011-05-10] (NVIDIA Corporation)
R3 O2MDRRDR; C:\WINDOWS\System32\DRIVERS\O2MDRxp.sys [61728 2011-01-04] (O2Micro )
R3 O2SDJRDR; C:\WINDOWS\System32\DRIVERS\o2sdjxp.sys [63976 2011-03-23] (O2Micro )
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [36528 2006-07-24] (Sonic Solutions) [File not signed]
R3 radpms; C:\WINDOWS\System32\DRIVERS\radpms.sys [13408 2013-12-11] (LogMeIn, Inc.)
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [13952 2010-05-19] (Intel Corporation) [File not signed]
R0 stdcfltn; C:\WINDOWS\System32\DRIVERS\stdcfltn.sys [17904 2011-07-15] (ST Microelectronics)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1660547 2011-01-25] (IDT, Inc.)
R1 SWIPsec; C:\WINDOWS\system32\Drivers\SWIPsec.sys [87064 2009-03-05] (SonicWALL, Inc.)
S3 SWVNIC; C:\WINDOWS\System32\DRIVERS\swvnic.sys [21016 2009-03-04] (SonicWALL, Inc.)
R2 tmactmon; C:\WINDOWS\system32\drivers\tmactmon.sys [71440 2012-03-19] (Trend Micro Inc.)
R2 tmcomm; C:\WINDOWS\system32\drivers\tmcomm.sys [177424 2012-03-19] (Trend Micro Inc.)
R2 tmevtmgr; C:\WINDOWS\system32\drivers\tmevtmgr.sys [61200 2012-03-19] (Trend Micro Inc.)
R2 TmFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys [263968 2013-08-14] (Trend Micro Inc.)
R2 TmPreFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys [36128 2013-08-14] (Trend Micro Inc.)
R1 tmtdi; C:\WINDOWS\System32\DRIVERS\tmtdi.sys [90256 2010-01-07] (Trend Micro Inc.)
R2 VSApiNt; C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys [1517600 2013-08-14] (Trend Micro Inc.)
U0 xgmqntnj; C:\WINDOWS\System32\drivers\ltplw.sys [52440 2014-09-22] (Malwarebytes Corporation)
S0 cerc6; No ImagePath
U2 CertPropSvc; No ImagePath
S4 IntelIde; No ImagePath
S4 LMIRfsClientNP; No ImagePath
S3 rcvpn; system32\DRIVERS\rcvpn.sys [X]
U1 WS2IFSL; No ImagePath
U3 mbr; \??\C:\DOCUME~1\TCIARL~1\LOCALS~1\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-23 07:56 - 2014-09-23 07:56 - 00000000 ____D () C:\FRST
2014-09-22 15:52 - 2014-09-22 15:52 - 00052440 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\ltplw.sys
2014-09-22 15:25 - 2014-09-22 15:25 - 00022934 _____ () C:\Documents and Settings\TCiarlone\Desktop\attach.txt
2014-09-22 15:25 - 2014-09-22 15:25 - 00016583 _____ () C:\Documents and Settings\TCiarlone\Desktop\dds.txt
2014-09-22 15:07 - 2014-09-22 15:07 - 00052440 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\gkpo.sys
2014-09-22 14:20 - 2014-09-22 14:20 - 00000000 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat~
2014-09-22 13:43 - 2014-09-22 15:07 - 00000000 ____D () C:\Documents and Settings\TEMP
2014-09-22 13:43 - 2014-09-22 13:43 - 00000020 ___SH () C:\Documents and Settings\TEMP\ntuser.ini
2014-09-22 09:26 - 2014-09-22 15:07 - 00000000 ____D () C:\Documents and Settings\TEMP.BELVEDERE
2014-09-22 09:26 - 2014-09-22 09:26 - 00000020 ___SH () C:\Documents and Settings\TEMP.BELVEDERE\ntuser.ini
2014-09-19 09:07 - 2014-09-19 09:07 - 00000063 ____H () C:\Documents and Settings\TCiarlone\Desktop\NY SHOWROOM FLOOR PLAN RE-ARRANGE 6.12.2014.dwl
2014-09-18 17:53 - 2014-09-18 17:53 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Desktop\Interlocks
2014-09-18 17:29 - 2014-09-18 17:29 - 00000215 ____H () C:\Documents and Settings\TCiarlone\Desktop\Interlocks 09182014 drawings.dwl2
2014-09-18 17:29 - 2014-09-18 17:29 - 00000065 ____H () C:\Documents and Settings\TCiarlone\Desktop\Interlocks 09182014 drawings.dwl
2014-09-18 15:19 - 2014-09-18 17:31 - 05201952 _____ () C:\Documents and Settings\TCiarlone\Desktop\Interlocks 09182014 drawings.dwg
2014-09-18 11:17 - 2014-09-18 11:17 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Application Data\smkits
2014-09-18 10:21 - 2014-09-18 10:30 - 00000129 _____ () C:\tn.cmd
2014-09-18 08:02 - 2014-09-22 14:21 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-09-18 07:58 - 2014-09-18 10:16 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Desktop\mbar
2014-09-17 14:05 - 2014-09-17 14:05 - 00000000 ____D () C:\Program Files\ESET
2014-09-17 13:45 - 2014-09-22 15:14 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Temp
2014-09-17 13:45 - 2014-09-17 13:45 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Temp
2014-09-17 13:44 - 2014-09-22 14:20 - 00000000 ____R () C:\avenger.txt
2014-09-17 11:17 - 2014-09-17 11:17 - 00000113 _____ () C:\Documents and Settings\TCiarlone\Desktop\TN.txt
2014-09-17 10:50 - 2014-09-17 10:50 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\NoVirusThanks
2014-09-17 09:11 - 2014-09-17 09:11 - 00001031 _____ () C:\Documents and Settings\TCiarlone\Desktop\JRT.txt
2014-09-17 09:03 - 2014-09-17 09:03 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-09-17 08:52 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\WINDOWS\system32\sqlite3.dll
2014-09-17 08:49 - 2014-09-17 08:52 - 00000000 ____D () C:\AdwCleaner
2014-09-17 08:45 - 2014-09-17 14:06 - 00003796 _____ () C:\Documents and Settings\TCiarlone\Desktop\Rkill.txt
2014-09-15 12:04 - 2014-09-15 12:06 - 00000000 ____D () C:\WINDOWS\pss
2014-09-12 21:54 - 2014-09-12 21:54 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Local Settings\Application Data\GHISLER
2014-09-12 21:46 - 2014-09-12 21:46 - 00000000 ____D () C:\totalcmd
2014-09-12 21:46 - 2014-09-12 21:46 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Application Data\GHISLER
2014-09-12 21:46 - 2014-09-12 21:46 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Total Commander
2014-09-12 21:46 - 2014-04-30 07:51 - 00000545 _____ () C:\WINDOWS\UC.PIF
2014-09-12 21:46 - 2014-04-30 07:51 - 00000545 _____ () C:\WINDOWS\RAR.PIF
2014-09-12 21:46 - 2014-04-30 07:51 - 00000545 _____ () C:\WINDOWS\PKZIP.PIF
2014-09-12 21:46 - 2014-04-30 07:51 - 00000545 _____ () C:\WINDOWS\PKUNZIP.PIF
2014-09-12 21:46 - 2014-04-30 07:51 - 00000545 _____ () C:\WINDOWS\LHA.PIF
2014-09-12 21:46 - 2014-04-30 07:51 - 00000545 _____ () C:\WINDOWS\ARJ.PIF
2014-09-12 14:57 - 2014-09-22 15:30 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-09-12 14:56 - 2014-09-18 08:37 - 00054232 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-09-12 14:56 - 2014-09-12 14:56 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-12 14:56 - 2014-09-12 14:56 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-12 14:56 - 2014-09-12 14:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-09-12 14:56 - 2014-05-12 06:25 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-09-12 14:29 - 2014-09-22 15:20 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Local Settings\Application Data\LogMeIn Rescue Applet
2014-09-08 09:05 - 2014-09-12 14:35 - 00000178 ___SH () C:\Documents and Settings\aschiro\ntuser.ini
2014-09-08 09:05 - 2014-09-08 09:32 - 00000000 ____D () C:\Documents and Settings\aschiro
2014-09-08 09:05 - 2012-05-27 22:31 - 00000000 ____D () C:\Documents and Settings\aschiro\Application Data\Intel
2014-09-08 09:05 - 2012-05-02 21:17 - 00001599 _____ () C:\Documents and Settings\aschiro\Start Menu\Programs\Remote Assistance.lnk
2014-09-08 09:05 - 2012-05-02 21:17 - 00000792 _____ () C:\Documents and Settings\aschiro\Start Menu\Programs\Windows Media Player.lnk
2014-09-08 09:05 - 2012-05-02 21:17 - 00000000 ___RD () C:\Documents and Settings\aschiro\Start Menu\Programs\Accessories
2014-09-07 13:18 - 2014-09-07 13:17 - 00106496 _____ () C:\WINDOWS\Minidump\Mini090714-01.dmp
2014-09-02 09:24 - 2014-09-11 02:11 - 00181272 _____ () C:\WINDOWS\RegBootClean.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-23 07:57 - 2012-06-05 08:31 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Local Settings\Temp
2014-09-23 07:57 - 2012-05-27 23:14 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-09-23 07:56 - 2014-09-23 07:56 - 00000000 ____D () C:\FRST
2014-09-23 07:42 - 2014-04-09 11:58 - 00000522 _____ () C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1722381446-1352620852-1844936127-1705.job
2014-09-23 07:34 - 2014-04-25 14:44 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\LogMeIn
2014-09-23 07:29 - 2014-05-09 02:18 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA1cf6b56e875f3fc.job
2014-09-23 04:00 - 2012-05-02 21:16 - 01534905 _____ () C:\WINDOWS\WindowsUpdate.log
2014-09-23 02:29 - 2012-05-02 21:26 - 00032520 _____ () C:\WINDOWS\SchedLgU.Txt
2014-09-22 21:54 - 2012-05-27 22:20 - 00173247 _____ () C:\WINDOWS\system32\nvModes.001
2014-09-22 15:52 - 2014-09-22 15:52 - 00052440 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\ltplw.sys
2014-09-22 15:52 - 2012-05-02 16:01 - 00000000 ____D () C:\WINDOWS\pchealth
2014-09-22 15:30 - 2014-09-12 14:57 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-09-22 15:26 - 2012-05-27 23:34 - 05308416 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-09-22 15:25 - 2014-09-22 15:25 - 00022934 _____ () C:\Documents and Settings\TCiarlone\Desktop\attach.txt
2014-09-22 15:25 - 2014-09-22 15:25 - 00016583 _____ () C:\Documents and Settings\TCiarlone\Desktop\dds.txt
2014-09-22 15:20 - 2014-09-12 14:29 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Local Settings\Application Data\LogMeIn Rescue Applet
2014-09-22 15:20 - 2013-01-24 09:33 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Application Data\Dropbox
2014-09-22 15:20 - 2012-05-02 16:09 - 00618434 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-09-22 15:17 - 2008-04-14 07:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-09-22 15:16 - 2014-05-09 02:18 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore1cf6b56e85e1c78.job
2014-09-22 15:16 - 2014-03-31 09:15 - 00000230 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-09-22 15:15 - 2014-04-25 14:44 - 00000744 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn Client.lnk
2014-09-22 15:15 - 2014-04-25 14:44 - 00000728 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn Control Panel.lnk
2014-09-22 15:14 - 2014-09-17 13:45 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Temp
2014-09-22 15:14 - 2012-05-02 16:10 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-09-22 15:14 - 2012-05-02 16:10 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-09-22 15:14 - 2012-05-02 16:08 - 01161147 _____ () C:\WINDOWS\setupapi.log
2014-09-22 15:13 - 2012-06-05 08:31 - 00000178 ___SH () C:\Documents and Settings\TCiarlone\ntuser.ini
2014-09-22 15:13 - 2012-05-02 21:26 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-09-22 15:12 - 2012-05-02 16:07 - 00000211 ___SH () C:\boot.ini
2014-09-22 15:07 - 2014-09-22 15:07 - 00052440 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\gkpo.sys
2014-09-22 15:07 - 2014-09-22 13:43 - 00000000 ____D () C:\Documents and Settings\TEMP
2014-09-22 15:07 - 2014-09-22 09:26 - 00000000 ____D () C:\Documents and Settings\TEMP.BELVEDERE
2014-09-22 14:21 - 2014-09-18 08:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-09-22 14:20 - 2014-09-22 14:20 - 00000000 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat~
2014-09-22 14:20 - 2014-09-17 13:44 - 00000000 ____R () C:\avenger.txt
2014-09-22 13:58 - 2012-06-04 19:58 - 00000136 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2014-09-22 13:43 - 2014-09-22 13:43 - 00000020 ___SH () C:\Documents and Settings\TEMP\ntuser.ini
2014-09-22 12:44 - 2012-05-02 16:01 - 00000000 ____D () C:\WINDOWS\security
2014-09-22 09:26 - 2014-09-22 09:26 - 00000020 ___SH () C:\Documents and Settings\TEMP.BELVEDERE\ntuser.ini
2014-09-19 09:07 - 2014-09-19 09:07 - 00000063 ____H () C:\Documents and Settings\TCiarlone\Desktop\NY SHOWROOM FLOOR PLAN RE-ARRANGE 6.12.2014.dwl
2014-09-18 18:04 - 2012-05-28 16:54 - 00017236 _____ () C:\WINDOWS\cfgall.ini
2014-09-18 17:53 - 2014-09-18 17:53 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Desktop\Interlocks
2014-09-18 17:31 - 2014-09-18 15:19 - 05201952 _____ () C:\Documents and Settings\TCiarlone\Desktop\Interlocks 09182014 drawings.dwg
2014-09-18 17:29 - 2014-09-18 17:29 - 00000215 ____H () C:\Documents and Settings\TCiarlone\Desktop\Interlocks 09182014 drawings.dwl2
2014-09-18 17:29 - 2014-09-18 17:29 - 00000065 ____H () C:\Documents and Settings\TCiarlone\Desktop\Interlocks 09182014 drawings.dwl
2014-09-18 17:28 - 2012-06-06 10:15 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Local Settings\Application Data\CutePDF Writer
2014-09-18 14:38 - 2012-05-28 13:01 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-09-18 14:38 - 2012-05-28 13:01 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-09-18 14:38 - 2012-05-27 22:20 - 00173247 _____ () C:\WINDOWS\system32\nvModes.dat
2014-09-18 11:17 - 2014-09-18 11:17 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Application Data\smkits
2014-09-18 10:30 - 2014-09-18 10:21 - 00000129 _____ () C:\tn.cmd
2014-09-18 10:16 - 2014-09-18 07:58 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Desktop\mbar
2014-09-18 08:37 - 2014-09-12 14:56 - 00054232 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-09-18 07:40 - 2012-05-02 16:08 - 00170023 _____ () C:\WINDOWS\setupact.log
2014-09-17 23:44 - 2012-05-02 21:15 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-09-17 14:06 - 2014-09-17 08:45 - 00003796 _____ () C:\Documents and Settings\TCiarlone\Desktop\Rkill.txt
2014-09-17 14:05 - 2014-09-17 14:05 - 00000000 ____D () C:\Program Files\ESET
2014-09-17 13:45 - 2014-09-17 13:45 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Temp
2014-09-17 11:17 - 2014-09-17 11:17 - 00000113 _____ () C:\Documents and Settings\TCiarlone\Desktop\TN.txt
2014-09-17 11:09 - 2013-05-10 05:01 - 00002401 _____ () C:\WINDOWS\TMFilter.log
2014-09-17 10:50 - 2014-09-17 10:50 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\NoVirusThanks
2014-09-17 09:11 - 2014-09-17 09:11 - 00001031 _____ () C:\Documents and Settings\TCiarlone\Desktop\JRT.txt
2014-09-17 09:03 - 2014-09-17 09:03 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-09-17 08:52 - 2014-09-17 08:49 - 00000000 ____D () C:\AdwCleaner
2014-09-17 08:41 - 2014-08-22 09:07 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-09-15 18:37 - 2008-04-14 07:00 - 00000654 _____ () C:\WINDOWS\win.ini
2014-09-15 18:37 - 2008-04-14 07:00 - 00000227 _____ () C:\WINDOWS\system.ini
2014-09-15 12:06 - 2014-09-15 12:04 - 00000000 ____D () C:\WINDOWS\pss
2014-09-12 21:54 - 2014-09-12 21:54 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Local Settings\Application Data\GHISLER
2014-09-12 21:46 - 2014-09-12 21:46 - 00000000 ____D () C:\totalcmd
2014-09-12 21:46 - 2014-09-12 21:46 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Application Data\GHISLER
2014-09-12 21:46 - 2014-09-12 21:46 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Total Commander
2014-09-12 14:56 - 2014-09-12 14:56 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-12 14:56 - 2014-09-12 14:56 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-12 14:56 - 2014-09-12 14:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-09-12 14:35 - 2014-09-08 09:05 - 00000178 ___SH () C:\Documents and Settings\aschiro\ntuser.ini
2014-09-12 11:35 - 2013-12-23 12:40 - 00001822 _____ () C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2014-09-11 14:58 - 2012-06-05 08:31 - 00000000 ____D () C:\Documents and Settings\TCiarlone
2014-09-11 02:28 - 2013-08-14 02:11 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-09-11 02:11 - 2014-09-02 09:24 - 00181272 _____ () C:\WINDOWS\RegBootClean.exe
2014-09-11 02:01 - 2012-05-27 21:59 - 98758480 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-09-09 03:40 - 2012-05-02 21:15 - 00000000 ____D () C:\WINDOWS\system32\Macromed
2014-09-08 14:00 - 2014-03-31 09:15 - 00000224 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-09-08 09:32 - 2014-09-08 09:05 - 00000000 ____D () C:\Documents and Settings\aschiro
2014-09-07 13:18 - 2012-06-04 20:02 - 00000000 __SHD () C:\WINDOWS\CSC
2014-09-07 13:18 - 2012-05-28 13:43 - 00000000 ____D () C:\WINDOWS\Minidump
2014-09-07 13:17 - 2014-09-07 13:18 - 00106496 _____ () C:\WINDOWS\Minidump\Mini090714-01.dmp

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

 

 

Addition.txt and RogueKiller report are attached.

 

Thanks,

Tom

Malwarebytes forum.zip

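Added example, not part of the thread and not a feature of FRST: a small Python triage script that parses lines in the FRST "One Month Modified Files and Folders" format and flags the entries a helper would look at first. The sample input is copied from the log posted above; the three heuristics and the root-directory allow-list are my own assumptions. The "Bamital & volsnap Check" in the log verifies Authenticode signatures on the live system; this script only reuses the signer FRST already recorded in parentheses.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# One FRST file listing line:
#   <timestamp> - <timestamp> - <size> <attrs> (<signer>) <path>
# In the "One Month Created" section the first timestamp is the creation
# time and the second the last-write time; in the "One Month Modified"
# section the order is reversed (the first column is the section's sort key).
LINE_RE = re.compile(
    r"^(?P<ts_a>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ts_b>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[A-Z_]{5}) \((?P<signer>[^)]*)\) (?P<path>.+)$"
)

# Extensions that can execute or script and for which a missing signer matters.
EXEC_EXT = {".exe", ".dll", ".sys", ".cmd", ".bat", ".com", ".scr", ".pif"}

# Files that legitimately live in the root of an XP system drive
# (assumption: a minimal allow-list, extend it for your environment).
ROOT_ALLOWLIST = {"boot.ini", "ntldr", "ntdetect.com", "pagefile.sys",
                  "hiberfil.sys", "io.sys", "msdos.sys", "config.sys",
                  "autoexec.bat"}

# Constructed sample input: lines copied from the "One Month Modified Files
# and Folders" listing of the FRST log posted above.
SAMPLE_LOG = r"""
2014-09-23 07:57 - 2012-06-05 08:31 - 00000000 ____D () C:\Documents and Settings\TCiarlone\Local Settings\Temp
2014-09-22 15:52 - 2014-09-22 15:52 - 00052440 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\ltplw.sys
2014-09-22 15:12 - 2012-05-02 16:07 - 00000211 ___SH () C:\boot.ini
2014-09-22 14:20 - 2014-09-17 13:44 - 00000000 ____R () C:\avenger.txt
2014-09-18 10:30 - 2014-09-18 10:21 - 00000129 _____ () C:\tn.cmd
2014-09-11 02:11 - 2014-09-02 09:24 - 00181272 _____ () C:\WINDOWS\RegBootClean.exe
2014-09-11 02:01 - 2012-05-27 21:59 - 98758480 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
"""


@dataclass
class Entry:
    ts_a: str
    ts_b: str
    size: int
    attrs: set          # letters from the 5-char flag field, e.g. {"S", "H"}
    signer: str         # empty when FRST recorded no digital signature
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_frst(text: str) -> List[Entry]:
    """Parse FRST listing lines; section headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            ts_a=m["ts_a"], ts_b=m["ts_b"], size=int(m["size"]),
            attrs=set(m["attrs"].replace("_", "")),
            signer=m["signer"].strip(), path=m["path"].strip(),
        ))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries worth a closer look."""
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        name = ntpath.basename(e.path)
        ext = ntpath.splitext(name)[1].lower()
        parent = ntpath.dirname(e.path)
        lower = e.path.lower()

        # 1. Loose files in the drive root (C:\avenger.txt and C:\tn.cmd above).
        if re.fullmatch(r"[A-Za-z]:\\", parent) and name.lower() not in ROOT_ALLOWLIST:
            findings.append((e.path, "file written to drive root"))

        # 2. Executable under %SystemRoot% with no signer recorded by FRST
        #    (C:\WINDOWS\RegBootClean.exe above; MRT.exe is signed and passes).
        if ext in EXEC_EXT and not e.signer and lower.startswith("c:\\windows\\"):
            findings.append((e.path, "unsigned executable under %SystemRoot%"))

        # 3. Executables dropped into Temp or Application Data trees, where
        #    commodity droppers usually land. No such line in the sample.
        if ext in EXEC_EXT and ("\\temp\\" in lower or "\\application data\\" in lower):
            findings.append((e.path, "executable in a user-writable profile folder"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_frst(SAMPLE_LOG)):
        print(f"{reason:45s} {path}")
```

Run against the sample it reports avenger.txt and tn.cmd for sitting in the drive root and RegBootClean.exe as an unsigned executable under C:\WINDOWS; boot.ini is allow-listed and the signed Malwarebytes and Microsoft binaries pass. Flags are a starting point for a human review, not a verdict: a zero-byte text file in the root is exactly how the disk-filling avenger.txt from the first post looks at the moment FRST ran.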

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

 

Next,

 

Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link

When the update completes select > Settings > Detection and Protection > Enable Scan for rootkits, and under Non-Malware Protection set both PUP and PUM to Treat detections as malware.

 

 

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

 

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

 

 

In most cases, a restart will be required.

 

 

Wait for the prompt to restart the computer to appear, then click on Yes.

 

 

Once completed, click on History > Application Logs, find your scan log and open it, then click on the "Copy to Clipboard" button and post the results in your next reply.

 

Let me see those logs in your next reply, also give an update on any remaining issues or concerns...

 

Kevin....

Fixlist.txt


MB scan log, empty YAY!!!!!!

Kevin, thank you so much, so far the computer has been great. How does one protect himself from this nasty Poweliks infection? What do you recommend? TrendMicro was no help at all!!! What AV do you recommend?

And how do I thank you for helping me remove this malware?

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/23/2014
Scan Time: 11:05:28 AM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.23.07
Rootkit Database: v2014.09.19.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: TCiarlone

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 395450
Time Elapsed: 21 min, 7 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running; it can take several hours, so please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7/8 users, right-click on the IE shortcut and run as admin.

 

(To run ESET Online Scanner in a browser other than Internet Explorer, you'll need to download the ESET Smart Installer during the process)

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add-on to be installed
Click Start
Make sure that the option "Remove found threats"  is UNticked
Click on Advanced Settings, ensure the following options are checked:
 
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
 
Select "Change" next to Current scan targets A new window will open, select any extra drives, Flash drives etc as required.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply.

 

Regarding security, I use Windows own Firewall, Microsoft Security Essentials and Malwarebytes Premium.

 

Kevin.....


This is what ESET found:

 

C:\AdwCleaner\Quarantine\C\Documents and Settings\All Users\Application Data\apn\APN-Stub\W3IV6-G\APNIC.7z.vir Win32/Bundled.Toolbar.Ask.B potentially unsafe application
C:\WINDOWS\Installer\164c2627.msi a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
 


Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

 

http://oldtimer.geekstogo.com/OTM.exe.

http://www.itxassociates.com/OT-Tools/OTM.com

http://www.itxassociates.com/OT-Tools/OTM.exe 

 

Double-click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, and the Desktop will disappear; this will be put back on completion.... If your security alerts to OTM, either accept the alert or turn off security until OTM completes...


Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure you start with and include the colon before Files:

    :Files
    C:\WINDOWS\Installer\164c2627.msi
    G\APNIC.7z.vir
    :Commands
    [EmptyTemp]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red btnmoveit.png button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

If the machine reboots, the Results log can be found here:

 

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

 

Where mmddyyyy_hhmmss is the date of the tool run.

 

Next,

 

To clean up run the following:

 

Download "Delfix by Xplode" and save it to your desktop.

 

Or use the following if first link is down:

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 


    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry backup with ERUNT; the backup will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that backup folder if you consider it not needed...

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Let me know if we are ok to close out....

 

Regards,

 

Kevin


Kevin, thank you, the computer is much better now. Below you will find the OTM log.

DelFix removed a bunch of stuff.

 

All processes killed
========== FILES ==========
C:\WINDOWS\Installer\164c2627.msi moved successfully.
File/Folder G\APNIC.7z.vir not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Administrator.USBEDO01
 
User: All Users
 
User: aschiro
 
User: Default User
 
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: TCiarlone
->Temp folder emptied: 4492234 bytes
->Temporary Internet Files folder emptied: 12140678 bytes
->Google Chrome cache emptied: 7084884 bytes
->Flash cache emptied: 0 bytes
 
User: TEMP
 
User: TEMP.BELVEDERE
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 80986 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 513 bytes
 
Total Files Cleaned = 25.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 09242014_134901

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\BtwEventTrace_5_6_0_6600.etl scheduled to be moved on reboot.

Registry entries deleted on Reboot...

