|
#1
July 28th, 2012, 09:22 PM
|
|||
|
|||
|
Need help Trojan!
Recently my computer started to act funny. Frequently while on the internet another tab would open up with some random website (usually an AD or something). Also when I would enter a URL or try and click on a link I sometimes get redirected to a random AD page. My AVG is also going crazy spamming me throughout the day with "Threat detected c:\windows]system32\services.exe threat name Trojan horse patched_c.LYT" But I can only ignore the threat. I've also had another one pop up that was c:\windows\GAC\desktop.ini if I recall currectly. I've searched all over the internet as well as running malwarebytes scans, avg, and a spybot snd. And I can not get rid of this problem. I'd really rather not have to reformat if I can at all help it. Any and all advice/help would be greatly appreciated.
|
|
#2
July 29th, 2012, 02:22 AM
|
||||
|
||||
|
Welcome to CTH demonized03,
Let's take a look. Right off see if you can access Safe Mode, where the malware is less active. At startup tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that will appear. If the system is Vista/Windows7, when running any of the scan files we use, be sure to right click the file, then select "Run as administrator" to start the scan/tool. And To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types" To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed. ------- Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please. ----------- Click here and download the installer for Gmer to your desktop, then click that file to run Gmer. Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please. ----------- Download aswMBR ( 511KB ) to your desktop.
A lot, but comprehensive, and will make sure we get a good view of everything.
|
|
#3
July 29th, 2012, 03:58 AM
|
|||
|
|||
|
Alright here are the results
OTL Log OTL logfile created on: 7/28/2012 8:42:46 PM - Run 1 OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\Jesse\Downloads Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 7.0.6002.18005) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 2.00 Gb Total Physical Memory | 1.51 Gb Available Physical Memory | 75.57% Memory free 4.22 Gb Paging File | 3.89 Gb Available in Paging File | 92.06% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 465.76 Gb Total Space | 298.83 Gb Free Space | 64.16% Space Free | Partition Type: NTFS Computer Name: JESSE-PC | User Name: Jesse | Logged in as Administrator. Boot Mode: SafeMode with Networking | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012/07/28 20:41:58 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Users\Jesse\Downloads\OTL.exe PRC - [2012/07/26 11:17:19 | 001,147,488 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe PRC - [2012/07/19 06:17:17 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe ========== Modules (No Company Name) ========== MOD - [2012/07/26 11:17:21 | 000,132,704 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\12.1.5\SiteSafety.dll MOD - [2012/07/26 11:17:19 | 001,147,488 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe MOD - [2012/07/19 06:17:16 | 002,003,424 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll MOD - [2012/06/05 11:16:37 | 008,797,856 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_2_20 2_235.dll MOD - [2012/05/15 02:21:26 | 000,368,448 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\3D Vision\Nv3DVStreaming.dll MOD - [2011/11/10 22:43:26 | 000,138,072 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\ASCv5ExtMenu.dll MOD - [2011/05/29 00:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll MOD - [2009/04/11 01:28:22 | 000,223,232 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll ========== Win32 Services (SafeList) ========== SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SBSDWSCService) SRV - File not found [Auto | Stopped] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater) SRV - [2012/07/26 11:17:21 | 000,830,048 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\12.1.5\ToolbarUpdater.exe -- (vToolbarUpdater12.1.5) SRV - [2012/07/19 06:17:16 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012/07/04 17:25:54 | 005,160,568 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent) SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012/06/07 19:12:14 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2012/05/26 12:04:52 | 000,913,792 | ---- | M] (IObit) [Auto | Stopped] -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe -- (AdvancedSystemCareService5) SRV - [2012/05/15 05:26:00 | 001,262,400 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService) SRV - [2012/05/15 02:21:40 | 000,382,272 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service) SRV - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd) SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\LogMeIn\x86\RaInfo.sys -- (LMIInfo) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp) DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive) DRV - [2012/07/26 11:17:22 | 000,027,496 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp) DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector) DRV - [2012/05/15 05:26:00 | 011,354,944 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm) DRV - [2012/04/19 04:50:26 | 000,024,896 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\avgidshx.sys -- (AVGIDSHX) DRV - [2012/03/19 05:17:28 | 000,301,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix) DRV - [2012/02/22 05:25:32 | 000,235,216 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86) DRV - [2012/01/31 04:46:50 | 000,031,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86) DRV - [2011/12/23 13:32:14 | 000,041,040 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86) DRV - [2011/12/23 13:32:08 | 000,017,232 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\avgidsshimx.sys -- (AVGIDSShim) DRV - [2011/12/23 13:32:06 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\avgidsfilterx.sys -- (AVGIDSFilter) DRV - [2011/12/23 13:32:00 | 000,139,856 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\avgidsdriverx.sys -- (AVGIDSDriver) DRV - [2011/09/26 18:16:14 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP) DRV - [2011/09/16 15:10:50 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver) DRV - [2008/01/18 23:25:05 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) DRV - [2006/11/02 02:41:53 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?ilc=8 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=8 IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source? } IE - HKU\.DEFAULT\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.) IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\.DEFAULT\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source? } IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVer sion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.) IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source? } IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Inter net Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-276229734-987665581-411863102-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://isearch.avg.com/?cid={A60FA511-AF30-48CF-BE5C-FB4D5AB46B91}&mid=3b402030b34647d0a6c1d1509765c248-b84832f815a7183093e8ec19e687298260e85691&lang=en&d s=gm011&pr=sa&d=2012-04-02 22:20:25&v=10.2.0.3&sap=hp IE - HKU\S-1-5-21-276229734-987665581-411863102-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.yahoo.com/?ilc=8 IE - HKU\S-1-5-21-276229734-987665581-411863102-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-276229734-987665581-411863102-1000\..\URLSearchHook: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files\IObit Toolbar\IE\6.1\iobitToolbarIE.dll (Spigot, Inc.) IE - HKU\S-1-5-21-276229734-987665581-411863102-1000\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.) IE - HKU\S-1-5-21-276229734-987665581-411863102-1000\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233} IE - HKU\S-1-5-21-276229734-987665581-411863102-1000\..\SearchScopes\{0169E633-8781-F882-9BC7-7B014AE4DE4E}: "URL" = http://www.bing.com/search?q={searchTerms}&pc=Z206&form=ZGAIDF&install _date=20111006&iesrc={referrer:source} IE - HKU\S-1-5-21-276229734-987665581-411863102-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source? } IE - HKU\S-1-5-21-276229734-987665581-411863102-1000\..\SearchScopes\{55F8F84B-48D7-4D41-B8A4-B9D996597F52}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=685749&p={searchTerms} IE - HKU\S-1-5-21-276229734-987665581-411863102-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = https://isearch.avg.com/search?cid={4D98A4F6-91AE-48A3-982E-2B2AE5421B93}&mid=3b402030b34647d0a6c1d1509765c248-b84832f815a7183093e8ec19e687298260e85691&lang=en&d s=AVG&pr=fr&d=2012-07-26 11:17:24&v=12.1.0.21&sap=dsp&q={searchTerms} IE - HKU\S-1-5-21-276229734-987665581-411863102-1000\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search" FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=mkg030&p=" FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=685749&ilc=12" FF - prefs.js..browser.startup.homepage: "www.yahoo.com" FF - prefs.js..keyword.URL: "https://isearch.avg.com/search?cid=%7B8301409a-dc9e-42d5-b949-9371d6bf8a48%7D&mid=3b402030b34647d0a6c1d1509765c2 48-b84832f815a7183093e8ec19e687298260e85691&ds=AVG&v= 12.1.0.21&lang=en&pr=fr&d=2012-07-26%2011%3A17%3A24&sap=ku&q=" FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_20 2_235.dll () FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\12.1.5\\npsitesafety.dl l () FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks) FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extens ions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\ [2012/07/26 11:16:30 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extens ions\\avg@toolbar: C:\ProgramData\AVG Secure Search\12.1.0.21\ [2012/07/26 11:17:30 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/19 06:17:17 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/05 11:50:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jesse\AppData\Roaming\Mozilla\Extensions [2012/07/25 09:35:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jesse\AppData\Roaming\Mozilla\Firefox\Pro files\67nqkw65.default\extensions [2012/05/18 22:23:19 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Jesse\AppData\Roaming\Mozilla\Firefox\Pro files\67nqkw65.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2012/06/09 01:16:25 | 000,000,000 | ---D | M] (Evernote Web Clipper) -- C:\Users\Jesse\AppData\Roaming\Mozilla\Firefox\Pro files\67nqkw65.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800} [2011/10/05 11:50:21 | 000,000,000 | ---D | M] (Shareaholic) -- C:\Users\Jesse\AppData\Roaming\Mozilla\Firefox\Pro files\67nqkw65.default\extensions\firefox-extension@shareaholic.com [2012/07/19 06:17:20 | 000,000,000 | ---D | M] (Zotero) -- C:\Users\Jesse\AppData\Roaming\Mozilla\Firefox\Pro files\67nqkw65.default\extensions\zotero@chnm.gmu. edu [2011/10/05 11:50:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jesse\AppData\Roaming\Mozilla\Firefox\Pro files\67nqkw65.default\extensions\firefox-extension@shareaholic.com\chrome [2011/10/05 11:50:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jesse\AppData\Roaming\Mozilla\Firefox\Pro files\67nqkw65.default\extensions\firefox-extension@shareaholic.com\defaults [2011/10/06 14:42:26 | 000,001,945 | ---- | M] () -- C:\Users\Jesse\AppData\Roaming\Mozilla\Firefox\Pro files\67nqkw65.default\searchplugins\bing-zugo.xml [2012/05/04 10:10:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2011/10/05 11:50:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions [2011/10/05 11:50:05 | 000,000,000 | ---D | M] ("StumbleUpon") -- C:\Program Files\Mozilla Firefox\distribution\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696} [2011/10/05 11:50:02 | 000,000,000 | ---D | M] (Evernote Web Clipper) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800} [2011/10/05 11:50:07 | 000,000,000 | ---D | M] (Shareaholic) -- C:\Program Files\Mozilla Firefox\distribution\extensions\firefox-extension@shareaholic.com [2011/10/05 11:50:07 | 000,000,000 | ---D | M] (Zotero) -- C:\Program Files\Mozilla Firefox\distribution\extensions\zotero@chnm.gmu.ed u [2011/10/05 11:50:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions\firefox-extension@shareaholic.com\chrome [2011/10/05 11:50:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions\firefox-extension@shareaholic.com\defaults [2012/07/26 11:16:30 | 000,000,000 | ---D | M] (AVG Do Not Track) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX\DONOTTRACK [2012/07/23 23:42:16 | 000,000,000 | ---D | M] (IObit Toolbar) -- C:\PROGRAM FILES\IOBIT TOOLBAR\FF [2012/07/26 11:17:30 | 000,000,000 | ---D | M] (AVG Security Toolbar) -- C:\PROGRAMDATA\AVG SECURE SEARCH\12.1.0.21 [2012/07/19 06:17:17 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012/07/26 11:17:19 | 000,003,750 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml [2012/01/09 16:50:30 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2011/10/06 14:33:18 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml.old [2012/01/09 16:50:30 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml ========== Chrome ========== O1 HOSTS File: ([2012/07/25 09:35:34 | 000,443,818 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O1 - Hosts: 127.0.0.1 www.007guard.com O1 - Hosts: 127.0.0.1 007guard.com O1 - Hosts: 127.0.0.1 008i.com O1 - Hosts: 127.0.0.1 www.008k.com O1 - Hosts: 127.0.0.1 008k.com O1 - Hosts: 127.0.0.1 www.00hq.com O1 - Hosts: 127.0.0.1 00hq.com O1 - Hosts: 127.0.0.1 010402.com O1 - Hosts: 127.0.0.1 www.032439.com O1 - Hosts: 127.0.0.1 032439.com O1 - Hosts: 127.0.0.1 www.0scan.com O1 - Hosts: 127.0.0.1 0scan.com O1 - Hosts: 127.0.0.1 www.1000gratisproben.com O1 - Hosts: 127.0.0.1 1000gratisproben.com O1 - Hosts: 127.0.0.1 1001namen.com O1 - Hosts: 127.0.0.1 www.1001namen.com O1 - Hosts: 127.0.0.1 100888290cs.com O1 - Hosts: 127.0.0.1 www.100888290cs.com O1 - Hosts: 127.0.0.1 www.100sexlinks.com O1 - Hosts: 127.0.0.1 100sexlinks.com O1 - Hosts: 127.0.0.1 www.10sek.com O1 - Hosts: 127.0.0.1 10sek.com O1 - Hosts: 127.0.0.1 www.1-2005-search.com O1 - Hosts: 15246 more lines... O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.) O2 - BHO: (IObit Toolbar) - {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files\IObit Toolbar\IE\6.1\iobitToolbarIE.dll (Spigot, Inc.) O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - No CLSID value found. O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll () O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInsta nce.dll (Yahoo! Inc) O3 - HKLM\..\Toolbar: (IObit Toolbar) - {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files\IObit Toolbar\IE\6.1\iobitToolbarIE.dll (Spigot, Inc.) O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll () O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.) O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found. O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found. O3 - HKU\S-1-5-21-276229734-987665581-411863102-1000\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found. O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [mifpsh] C:\Users\Jesse\AppData\Roaming\mifpsh.dll (Crytek) O4 - HKLM..\Run: [SearchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" File not found O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe () O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKU\S-1-5-21-276229734-987665581-411863102-1000..\Run: [Advanced SystemCare 5] C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe (IObit) O4 - HKU\S-1-5-21-276229734-987665581-411863102-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\pol icies\System: EnableLUA = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\pol icies\System: SoftwareSASGeneration = 3 O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.) O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\System32\winrnr.dll File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\System32\winrnr.dll File not found O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_31) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.168.12 97.64.183.165 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfac es\{0DC994CA-C14F-4056-B981-AA6BBC8632BE}: DhcpNameServer = 97.64.168.12 97.64.183.165 O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\12.1.5\ViProtocol.dll () O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2012/07/28 14:53:15 | 000,000,000 | ---D | C] -- C:\Users\Jesse\AppData\Roaming\Yvozt [2012/07/28 14:53:15 | 000,000,000 | ---D | C] -- C:\Users\Jesse\AppData\Roaming\Efomul [2012/07/28 14:53:15 | 000,000,000 | ---D | C] -- C:\Users\Jesse\AppData\Roaming\Baywti [2012/07/26 22:09:36 | 000,132,608 | ---- | C] (Crytek) -- C:\Users\Jesse\AppData\Roaming\mifpsh.dll [2012/07/26 11:18:49 | 000,000,000 | ---D | C] -- C:\Users\Jesse\AppData\Roaming\AVG2012 [2012/07/26 11:17:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG [2012/07/26 11:17:29 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG Secure Search [2012/07/26 11:17:22 | 000,027,496 | ---- | C] (AVG Technologies) -- C:\Windows\System32\drivers\avgtpx86.sys [2012/07/26 11:17:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVG Secure Search [2012/07/26 11:17:19 | 000,000,000 | ---D | C] -- C:\Program Files\AVG Secure Search [2012/07/26 11:16:08 | 000,000,000 | -H-D | C] -- C:\$AVG [2012/07/26 11:16:08 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2012 [2012/07/26 11:16:08 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\AVG [2012/07/25 10:24:19 | 000,000,000 | ---D | C] -- C:\Users\Jesse\Desktop\tdss [2012/07/24 23:14:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012/07/24 23:14:00 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012/07/24 23:14:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012/07/23 23:42:12 | 000,000,000 | ---D | C] -- C:\Program Files\IObit Toolbar [2012/07/22 19:22:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation [2012/07/22 19:18:19 | 019,607,872 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvoglv32.dll [2012/07/22 19:18:19 | 011,354,944 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvlddmkm.sys [2012/07/22 19:18:19 | 002,524,992 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvid.dll [2012/07/22 19:18:18 | 017,551,680 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcompiler.dll [2012/07/22 19:18:18 | 005,982,528 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuda.dll [2012/07/22 19:18:18 | 002,445,120 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvenc.dll [2012/07/10 16:49:51 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ncrypt.dll [2012/07/10 16:49:22 | 002,047,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys [2012/07/02 22:40:18 | 000,000,000 | -HSD | C] -- C:\Config.Msi ========== Files - Modified Within 30 Days ========== [2012/07/28 20:39:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012/07/28 20:36:31 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2012/07/28 20:36:31 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2012/07/28 19:42:34 | 000,000,873 | ---- | M] () -- C:\Users\Public\Desktop\World of Warcraft.lnk [2012/07/28 18:23:06 | 102,391,247 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm [2012/07/28 15:00:33 | 000,002,377 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk [2012/07/26 22:09:23 | 000,132,608 | ---- | M] (Crytek) -- C:\Users\Jesse\AppData\Roaming\mifpsh.dll [2012/07/26 11:17:32 | 000,000,842 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2012.lnk [2012/07/26 11:17:22 | 000,027,496 | ---- | M] (AVG Technologies) -- C:\Windows\System32\drivers\avgtpx86.sys [2012/07/25 15:50:27 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS [2012/07/25 15:50:27 | 000,000,000 | RHS- | M] () -- C:\IO.SYS [2012/07/25 15:44:24 | 000,000,804 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk [2012/07/25 09:35:34 | 000,443,818 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts [2012/07/25 09:33:18 | 000,001,385 | ---- | M] () -- C:\Windows\wininit.ini [2012/07/24 23:14:01 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk [2012/07/17 10:43:21 | 000,230,896 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2012/07/10 16:49:51 | 000,204,288 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ncrypt.dll [2012/07/10 16:49:22 | 002,047,488 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys ========== Files Created - No Company Name ========== [2012/07/28 18:23:06 | 102,391,247 | ---- | C] () -- C:\Windows\System32\drivers\AVG\incavi.avm [2012/07/26 11:17:32 | 000,000,842 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2012.lnk [2012/07/26 10:54:45 | 000,232,960 | ---- | C] () -- C:\Windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\U\00000008.@ [2012/07/26 10:54:45 | 000,002,048 | ---- | C] () -- C:\Windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\U\00000004.@ [2012/07/25 15:50:27 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS [2012/07/25 15:50:27 | 000,000,000 | RHS- | C] () -- C:\IO.SYS [2012/07/25 09:33:10 | 000,001,385 | ---- | C] () -- C:\Windows\wininit.ini [2012/07/24 23:14:01 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk [2012/07/23 13:10:32 | 000,092,160 | ---- | C] () -- C:\Windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\U\80000032.@ [2012/07/23 13:10:32 | 000,000,804 | ---- | C] () -- C:\Windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\L\00000004.@ [2012/07/23 13:10:31 | 000,013,312 | ---- | C] () -- C:\Windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\U\80000000.@ [2012/07/23 13:10:31 | 000,001,632 | ---- | C] () -- C:\Windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\U\000000cb.@ [2012/05/15 02:21:50 | 000,423,744 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe [2012/05/02 22:26:28 | 002,260,492 | ---- | C] () -- C:\Users\Jesse\AppData\Roaming\RSBot.db [2012/04/05 16:51:07 | 000,000,045 | ---- | C] () -- C:\Users\Jesse\jagex_cl_runescape_LIVE1.dat [2012/04/01 15:50:11 | 000,000,044 | ---- | C] () -- C:\Users\Jesse\jagex_cl_runescape_LIVE.dat [2012/04/01 15:50:11 | 000,000,024 | ---- | C] () -- C:\Users\Jesse\random.dat [2012/01/13 01:42:44 | 000,004,608 | ---- | C] () -- C:\Users\Jesse\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012/01/10 18:24:53 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\@ [2012/01/10 18:24:53 | 000,002,048 | -HS- | C] () -- C:\Users\Jesse\AppData\Local\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\@ [2011/12/15 01:59:29 | 000,000,173 | ---- | C] () -- C:\Users\Jesse\AppData\Local\rahistory.xml [2011/11/08 12:19:05 | 000,000,617 | ---- | C] () -- C:\Windows\eReg.dat [2011/10/19 03:21:46 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.b in [2011/10/18 12:42:41 | 000,090,480 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat [2011/10/18 04:44:22 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll [2011/10/18 04:44:22 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin [2011/10/05 13:35:43 | 000,000,680 | ---- | C] () -- C:\Users\Jesse\AppData\Local\d3d9caps.dat [2011/10/05 12:11:25 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini < End of report >
|
|
#4
July 29th, 2012, 03:58 AM
|
|||
|
|||
|
OTL Extras
OTL Extras logfile created on: 7/28/2012 8:42:46 PM - Run 1 OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\Jesse\Downloads Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 7.0.6002.18005) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 2.00 Gb Total Physical Memory | 1.51 Gb Available Physical Memory | 75.57% Memory free 4.22 Gb Paging File | 3.89 Gb Available in Paging File | 92.06% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 465.76 Gb Total Space | 298.83 Gb Free Space | 64.16% Space Free | Partition Type: NTFS Computer Name: JESSE-PC | User Name: Jesse | Logged in as Administrator. Boot Mode: SafeMode with Networking | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) .html [@ = ChromeHTML] -- Reg Error: Key error. File not found .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l [HKEY_USERS\S-1-5-21-276229734-987665581-411863102-1000\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htmlfile [edit] -- Reg Error: Key error. htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" http [open] -- Reg Error: Value error. https [open] -- Reg Error: Value error. inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found ========== System Restore Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows NT\SystemRestore] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SharedAccess\Parameters\FirewallPolicy\Standard Profile] ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SharedAccess\Parameters\FirewallPolicy\Standard Profile\AuthorizedApplications\List] ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall] "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer "{17504ED4-DB08-40A8-81C2-27D8C01581DA}" = Windows Live Remote Service Resources "{19A4A990-5343-4FF7-B3B5-6F046C091EDF}" = Windows Live Remote Client "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions "{227E8782-B2F4-4E97-B0EE-49DE9CC1C0C0}" = Windows Live Remote Service "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31 "{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections "{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{464B3406-A4D0-4914-910F-7CA4380DCC13}" = Windows Live Remote Client Resources "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion "{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack "{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE "{6D12EC75-E7D3-4EAD-AB10-E1F3AFF94AA6}" = AVG 2012 "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{759142E8-25B0-42AE-B408-4215065D3F4B}" = Windows Live Family Safety "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client "{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core "{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT "{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail "{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh "{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common "{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer "{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer "{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter "{B143D835-EBAF-4A39-8B31-1868FF4166C1}" = AVG 2012 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 301.42 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 301.42 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 301.42 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller Driver 301.42 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.12.0213 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.8.15 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{BCF16F16-AC0E-4ABE-A9EF-412CF484BA51}" = Windows Live Family Safety "{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant "{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform "{DA909E62-3B45-4BA1-8B58-FCAEBA4BCEC9}" = NVIDIA PhysX "{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources "{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10 "{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger "{ED0B44B6-D76F-4671-8F87-26C9FAC584CB}" = IObit Toolbar v6.1 "{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10 "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU] "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Advanced SystemCare 5_is1" = Advanced SystemCare 5 "AVG" = AVG 2012 "CCleaner" = CCleaner "Diablo III" = Diablo III "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Mozilla Firefox 14.0.1 (x86 en-US)" = Mozilla Firefox 14.0.1 (x86 en-US) "MozillaMaintenanceService" = Mozilla Maintenance Service "NVIDIA StereoUSB Driver" = NVIDIA 3D Vision Controller Driver "NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver "StarCraft II" = StarCraft II "WinLiveSuite" = Windows Live Essentials "WinRAR archiver" = WinRAR 4.01 (32-bit) "World of Warcraft" = World of Warcraft "World of Warcraft Beta" = World of Warcraft Beta "Yahoo! Companion" = Yahoo! Toolbar "Yahoo! Messenger" = Yahoo! Messenger "Yahoo! Software Update" = Yahoo! Software Update ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 7/26/2012 12:18:15 PM | Computer Name = Jesse-PC | Source = SideBySide | ID = 16842830 Description = Activation context generation failed for "C:\Program Files\Windows Live\Messenger\msnmsgr.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba 71c2.manifest. Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edead a.manifest. Error - 7/28/2012 3:59:13 PM | Computer Name = Jesse-PC | Source = SideBySide | ID = 16842830 Description = Activation context generation failed for "C:\Program Files\Windows Live\Messenger\msnmsgr.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba 71c2.manifest. Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edead a.manifest. Error - 7/28/2012 3:59:13 PM | Computer Name = Jesse-PC | Source = SideBySide | ID = 16842830 Description = Activation context generation failed for "C:\Program Files\Windows Live\Messenger\msnmsgr.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba 71c2.manifest. Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edead a.manifest. Error - 7/28/2012 3:59:16 PM | Computer Name = Jesse-PC | Source = SideBySide | ID = 16842830 Description = Activation context generation failed for "C:\Program Files\Windows Live\Messenger\msnmsgr.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba 71c2.manifest. Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edead a.manifest. Error - 7/28/2012 3:59:16 PM | Computer Name = Jesse-PC | Source = SideBySide | ID = 16842830 Description = Activation context generation failed for "C:\Program Files\Windows Live\Messenger\msnmsgr.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba 71c2.manifest. Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edead a.manifest. Error - 7/28/2012 3:59:16 PM | Computer Name = Jesse-PC | Source = SideBySide | ID = 16842830 Description = Activation context generation failed for "C:\Program Files\Windows Live\Messenger\msnmsgr.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba 71c2.manifest. Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edead a.manifest. Error - 7/28/2012 9:39:47 PM | Computer Name = Jesse-PC | Source = SideBySide | ID = 16842830 Description = Activation context generation failed for "C:\Program Files\Windows Live\Messenger\msnmsgr.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba 71c2.manifest. Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edead a.manifest. Error - 7/28/2012 9:39:47 PM | Computer Name = Jesse-PC | Source = SideBySide | ID = 16842830 Description = Activation context generation failed for "C:\Program Files\Windows Live\Messenger\msnmsgr.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba 71c2.manifest. Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edead a.manifest. Error - 7/28/2012 9:39:48 PM | Computer Name = Jesse-PC | Source = EventSystem | ID = 4609 Description = Error - 7/28/2012 9:39:49 PM | Computer Name = Jesse-PC | Source = SideBySide | ID = 16842830 Description = Activation context generation failed for "C:\Program Files\Windows Live\Messenger\msnmsgr.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba 71c2.manifest. Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.vc90.crt _1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edead a.manifest. [ System Events ] Error - 10/24/2011 7:12:34 PM | Computer Name = Jesse-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20 Description = < End of report >
|
|
#5
July 29th, 2012, 04:02 AM
|
|||
|
|||
|
I'm unable to post the GMER results because it exceeds the character limit. Here is the aswMBR logs
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software Run date: 2012-07-28 21:26:59 ----------------------------- 21:26:59.766 OS Version: Windows 6.0.6002 Service Pack 2 21:26:59.766 Number of processors: 2 586 0xF06 21:26:59.766 ComputerName: JESSE-PC UserName: Jesse 21:27:01.828 Initialize success 21:28:18.846 AVAST engine defs: 12072801 21:28:34.217 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2 21:28:34.220 Disk 0 Vendor: WDC_WD50 15.0 Size: 476940MB BusType: 3 21:28:34.403 Disk 0 MBR read successfully 21:28:34.405 Disk 0 MBR scan 21:28:34.409 Disk 0 Windows VISTA default MBR code 21:28:34.491 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476938 MB offset 2048 21:28:34.602 Disk 0 scanning sectors +976771072 21:28:34.890 Disk 0 scanning C:\Windows\system32\drivers 21:29:26.794 Service scanning 21:29:42.904 Modules scanning 21:30:23.740 Disk 0 trace - called modules: 21:30:23.788 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastorv.sys hal.dll ndis.sys e1e6032.sys tcpip.sys NETIO.SYS tdx.sys afd.sys TDI.SYS 21:30:23.818 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8525fac8] 21:30:23.823 3 CLASSPNP.SYS[87f9f8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0x851d7030] 21:30:25.078 AVAST engine scan C:\Windows 21:33:09.688 AVAST engine scan C:\Windows\system32 21:40:01.312 File: C:\Windows\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk] 21:40:58.954 AVAST engine scan C:\Windows\system32\drivers 21:41:18.193 AVAST engine scan C:\Users\Jesse 21:44:54.556 AVAST engine scan C:\ProgramData 21:49:39.640 Scan finished successfully 21:49:52.422 Disk 0 MBR has been saved successfully to "C:\Users\Jesse\Downloads\MBR.dat" 21:49:52.428 The log file has been saved successfully to "C:\Users\Jesse\Downloads\aswMBR.txt"
|
|
#6
July 29th, 2012, 04:44 AM
|
|||
|
|||
|
GMER Logs part 1 of 2
GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-07-28 21:22:36 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2 WDC_WD50 rev.15.0 Running: vqbo4ksj.exe; Driver: C:\Users\Jesse\AppData\Local\Temp\ugloypoc.sys ---- User code sections - GMER 1.0.15 ---- ? C:\Windows\system32\services.exe[632] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: mswsock.dllunknown module: MSWSOCK.dll .text C:\Windows\System32\svchost.exe[1768] ole32.dll!CoCreateInstance 76A59F3E 5 Bytes JMP 00CC000A .text C:\Windows\System32\svchost.exe[1768] USER32.dll!GetCursorPos 76CA0B88 5 Bytes JMP 00CD000A .text C:\Windows\System32\svchost.exe[1768] USER32.dll!DialogBoxIndirectParamAorW 76CB2EB6 5 Bytes JMP 00CE000A ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] 51EC8B55 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] 8B565351 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] FF560875 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] 6651A415 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 85D88B00 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] C2840FDB IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] 57000000 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 0068406A IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] FF000010 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 006A5073 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 506415FF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] F88B0066 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] 85FC7D89 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 9E840FFF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 8B000000 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] A4F3544B IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 1443B70F IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] 0653B70F IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] 1818448D IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] 8B0CC083 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] 08758B08 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] 03FC7D8B IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 8BF903F1 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] C083FC48 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] A4F34A28 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] 758BE975 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] 9C3D8BFC IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey] 2B006651 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 458D0875 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 056A50F8 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] [75FF016A] C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] 85D7FFFC IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] EB2574C0 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] 04488B1D IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 56F84D29 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 8B08508D IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] FC450300 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] 52F8C183 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 5051E9D1 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNumberOfSetBitsUlongPtr] 519815FF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] 7D830066 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] DD7500F8 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] 50F8458D IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] 016A016A IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] FFFC75FF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 74C085D7 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] 0C488D20 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] C085018B IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] F18B1774 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 03FC4D8B IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 15FF50C1 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] [0066506C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] 8B14C683 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] [75C08506] C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] FC458BEB IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] C95B5E5F IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] 560004C2 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] 8210BF57 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 8B570066 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] 6815FFF1 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 6A006650 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] 3C83580F IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] 66822885 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 09740000 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] 8548C88B IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] EBEF75C9 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 85348907 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] [00668228] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 6015FF57 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 5F006650 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 5756C35E IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 668210BF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] F18B5700 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] 506815FF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] 0F6A0066 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 85343958 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] [00668228] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] C88B0974 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] [75C98548] C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8308EBF0 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] 82288524 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 57000066 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] 506015FF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] 5E5F0066 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 800068C3 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] 006A0000 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 5C15FF51 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 50006650 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] 519415FF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 55C30066 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] 5351EC8B IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] 35FF5756
|
|
#7
July 29th, 2012, 04:45 AM
|
|||
|
|||
|
GMER Logs part 2 of 2
IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] [00668268] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 519015FF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] 8D590066 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] E8400044 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserThread] 000031BC IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] [75FFFC8B] C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] FC7D8908 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 826835FF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] 60680066 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] 57006668 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 518C15FF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] DB330066 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] 3910C483 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] 6E7D085D IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] FFF63357 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] 66505815 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 85F88B00 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 8D3774FF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] 6A500845 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] FF575602 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExitUserThread] 66518815 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] 7CC08500 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] FF556A25 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] 15FFFC75 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] [00665184] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] C9335959 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 08896657 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] FFFE1FE8 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] 85D88BFF IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] 8B0774DB IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] F72B0875 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] FF57F303 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] 66505415 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 74F68500 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] FC4D8B53 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] 668100BA IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] 85D6FF00 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] 684575C0 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] 00008000 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] 15FF5350 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] [0066505C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] 5D3936EB IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] BB31740C IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] [00668210] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 6815FF53 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] BE006650 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] [00668264] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] C085068B IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 4D8B0774 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] FFD78B08 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] 83C68BD0 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] 283D04EE IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] [75006682] C:\Windows\system32\CRYPT32.dll (Crypto API32/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] 15FF53E7 IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgBreakPoint] [00665060] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 5FF0658D IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] C2C95B5E IAT C:\Windows\system32\services.exe[632] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] 8B550008 ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) ---- Files - GMER 1.0.15 ---- File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\27CMJE6A\beacon[1].js 1900 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\27CMJE6A\AdDisplayTrackerServlet[11].htm 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\27CMJE6A\ri[1].gif 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\27CMJE6A\ri[2].gif 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\27CMJE6A\freq[5].htm 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\27CMJE6A\de[4].htm 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\blueprintacademy[1] 8789 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\150_275360-0[1].jpg 5616 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\75_1482524[1].gif 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\95072c2a-817c-485c-9b4e-6dcfe49e176e_regina-glasses-facebook[1].jpg 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\d7fa7868-945d-47af-bfcc-0a10ddd29ff1_kcg_pic_b[1].jpg 1882 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\b01c78b6-6eaf-447d-a8f0-bae391583770_judy1321businesscard_(2)[1].jpg 1746 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\405dfd04056fcba1eb429b3 6166a43c5[1].swf 41560 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\black_trans_bg[1].png 113 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\reese-witherspoon-022812-%20(2)[1].jpg 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\reese-witherspoon-022812-%20(5)[1].jpg 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\freq[11].htm 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\T89CACHCC3XCATJS686CAP4 1MN3CAZEPNX9CA4L00FXCA7V57OOCADBMFISCACIPTQZCAN83I 27CA8H5DJICAUWISAPCA4WPE45CAJ324MYCA2RKOF0CAEPK4VC CA342T4A.htm 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\35BWD6X0\JLJCAQYS6DQCA28NCSWCADV YRO6CA0K8YTECAWZMILMCACP1JUJCA9XWYEACARB6P1KCAKJRH 5VCAO8QCM3CAPXBRBGCAAGRFYWCAUE68ERCAX20PVWCARACU32 CAO3VDRD.txt 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G1BXUWC\et.htm 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G1BXUWC\default[4].htm 3931 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G1BXUWC\fpiCAYHOY2H.htm 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G1BXUWC\freqCAJONXTE.htm 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\G75A29UR\1049525132[2].gif 42 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\G75A29UR\fpiCAXVLFHR.htm 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\G75A29UR\distressed[1].jpg 13395 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\G75A29UR\26425_t_c_t_c_clickpayz _com[4].htm 155 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\G75A29UR\glamadapt_srv[1].htm 3208 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\G75A29UR\GUKCA6YD3OQCAWNLAWYCA8J NS11CA1029PXCAAI2SPPCA253X08CAD311MPCA46DUJ6CALBA0 UVCA22TVQ6CAXO6XMMCAB1HJNVCA7E8I5VCAR89CD7CA6DRKU2 CA82EG36.htm 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\G75A29UR\passport[1].jpg 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\G75A29UR\data[1].gif 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\S1FG1VJR\a[3].htm 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\YATHR33S\quant[1].js 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\YATHR33S\1049525132[2].gif 0 bytes File C:\Windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\YATHR33S\fpiCA99H2EQ.htm 0 bytes File C:\Windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\53XWAY33.txt 4103 bytes File C:\Windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\DKHFDJLB.txt 1848 bytes File C:\Windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\RJ1LI0DP.txt 287 bytes File C:\Windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\BOBOPP4N.txt 581 bytes File C:\Windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\BX62G2ZY.txt 5831 bytes File C:\Windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\3KG3WY9C.txt 469 bytes ---- EOF - GMER 1.0.15 ----
|
|
#8
July 29th, 2012, 11:00 PM
|
||||
|
||||
|
ZAccess bootkit/rootkit showing here. Tough one, as it "hooks" your net access and shows you what it wants.
Go to Start - Control Panel - Programs - Programs and Features/Uninstall, then click on each of the following programs, if they show there, and click "Uninstall/Change". Advanced SystemCare- Problem causing Iobit program. Does little, and can cause system damage. Spybot - Search & Destroy - Your choice, but can cause issues, and not known to be of any real benefit. It's TeaTimer function can interfere with normal operations. --------- Be sure to continue to temporarily disable any protective software when running the scan tools we use here. Download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt. If you do not have web access after running ComboFix, reboot, and run it again.
|
|
#9
July 30th, 2012, 01:07 AM
|
|||
|
|||
|
Alright I removed those 2 programs, and I got the combofix, I wasn't sure If I was supposed to run it in safe mode or not so I just did. I started the scan the first time and it did a few things and then it rebooted my pc. I restarted it up in safe mode again and retried. Here are the logs.
ComboFix 12-07-29.02 - Jesse 07/29/2012 18:54:25.1.2 - x86 NETWORK Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1402 [GMT -5:00] Running from: c:\users\Jesse\Downloads\ComboFix.exe AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0} SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\Jesse\AppData\Roaming\mifpsh.dll c:\users\Jesse\AppData\Roaming\Mozilla\Firefox\Pro files\67nqkw65.default\searchplugins\bing-zugo.xml c:\users\Jesse\AppData\Roaming\RSBot.db c:\windows\assembly\GAC\Desktop.ini c:\windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\@ c:\windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\L\00000004.@ c:\windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\L\201d3dde c:\windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\U\00000004.@ c:\windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\U\00000008.@ c:\windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\U\000000cb.@ c:\windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\U\80000000.@ c:\windows\Installer\{d0cb33e8-8af7-0fc4-4d0f-adf804436b9a}\U\80000032.@ c:\windows\system32\Cache c:\windows\system32\Cache\272512937d9e61a4.fb c:\windows\system32\Cache\287204568329e189.fb c:\windows\system32\Cache\28bc8f716fd76a47.fb c:\windows\system32\Cache\2c53092c95605355.fb c:\windows\system32\Cache\31a0997e9a5b5eb3.fb c:\windows\system32\Cache\32c84fe32bb74d60.fb c:\windows\system32\Cache\3917078cb68ec657.fb c:\windows\system32\Cache\590ba23ce359fd0c.fb c:\windows\system32\Cache\610289e025a3ee9a.fb c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb c:\windows\system32\Cache\6d03dad1035885d3.fb c:\windows\system32\Cache\8767c2be19c1127c.fb c:\windows\system32\Cache\a8556537add6dfc5.fb c:\windows\system32\Cache\ad10a52aff5e038d.fb c:\windows\system32\Cache\c1fa887b03019701.fb c:\windows\system32\Cache\c4d28dca2e7648be.fb c:\windows\system32\Cache\d201ef9910cd39de.fb c:\windows\system32\Cache\d2e94710a5708128.fb c:\windows\system32\Cache\d79b9dfe81484ec4.fb c:\windows\system32\Cache\e0de16f883bea794.fb c:\windows\system32\Cache\e269ffd848f69e82.fb c:\windows\system32\Cache\f5f5888e879f0732.fb c:\windows\system32\Cache\f998975c9cc711ee.fb . Infected copy of c:\windows\system32\services.exe was found and disinfected Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy7_!Window s!System32!services.exe . . ((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-30 ))))))))))))))))))))))))))))))) . . 2012-07-28 19:53 . 2012-07-28 19:59 -------- d-----w- c:\users\Jesse\AppData\Roaming\Baywti 2012-07-28 19:53 . 2012-07-28 19:53 -------- d-----w- c:\users\Jesse\AppData\Roaming\Yvozt 2012-07-28 19:53 . 2012-07-28 19:53 -------- d-----w- c:\users\Jesse\AppData\Roaming\Efomul 2012-07-26 16:18 . 2012-07-26 16:18 -------- d-----w- c:\users\Jesse\AppData\Roaming\AVG2012 2012-07-26 16:17 . 2012-07-27 03:11 -------- d-----w- c:\programdata\AVG Secure Search 2012-07-26 16:17 . 2012-07-26 16:17 27496 ----a-w- c:\windows\system32\drivers\avgtpx86.sys 2012-07-26 16:17 . 2012-07-26 16:17 -------- d-----w- c:\program files\Common Files\AVG Secure Search 2012-07-26 16:17 . 2012-07-26 16:17 -------- d-----w- c:\program files\AVG Secure Search 2012-07-26 16:16 . 2012-07-29 23:09 -------- d-----w- c:\windows\system32\drivers\AVG 2012-07-26 16:16 . 2012-07-28 19:59 -------- d-----w- c:\programdata\AVG2012 2012-07-26 16:16 . 2012-07-26 16:16 -------- d-----w- C:\$AVG 2012-07-25 04:14 . 2012-07-25 04:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2012-07-25 04:14 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-07-24 04:42 . 2012-07-24 04:42 -------- d-----w- c:\program files\IObit Toolbar 2012-07-23 00:18 . 2012-05-15 10:26 2524992 ----a-w- c:\windows\system32\nvcuvid.dll 2012-07-23 00:18 . 2012-05-15 10:26 19607872 ----a-w- c:\windows\system32\nvoglv32.dll 2012-07-23 00:18 . 2012-05-15 10:26 11354944 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys 2012-07-23 00:18 . 2012-05-15 10:26 5982528 ----a-w- c:\windows\system32\nvcuda.dll 2012-07-23 00:18 . 2012-05-15 10:26 2445120 ----a-w- c:\windows\system32\nvcuvenc.dll 2012-07-23 00:18 . 2012-05-15 10:26 17551680 ----a-w- c:\windows\system32\nvcompiler.dll 2012-07-10 21:50 . 2012-07-10 21:50 1401856 ----a-w- c:\windows\system32\msxml6.dll 2012-07-10 21:50 . 2012-07-10 21:50 1248768 ----a-w- c:\windows\system32\msxml3.dll 2012-07-10 21:49 . 2012-07-10 21:49 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2012-07-10 21:49 . 2012-07-10 21:49 278528 ----a-w- c:\windows\system32\schannel.dll 2012-07-10 21:49 . 2012-07-10 21:49 204288 ----a-w- c:\windows\system32\ncrypt.dll 2012-07-10 21:49 . 2012-07-10 21:49 2047488 ----a-w- c:\windows\system32\win32k.sys 2012-07-10 21:48 . 2012-07-10 21:48 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2012-06-05 16:16 . 2012-04-24 18:19 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-06-05 16:16 . 2011-10-05 16:57 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-06-02 22:19 . 2012-06-21 10:22 53784 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-02 22:19 . 2012-06-21 10:22 45080 ----a-w- c:\windows\system32\wups2.dll 2012-06-02 22:19 . 2012-06-21 10:22 35864 ----a-w- c:\windows\system32\wups.dll 2012-06-02 22:19 . 2012-06-21 10:22 577048 ----a-w- c:\windows\system32\wuapi.dll 2012-06-02 22:19 . 2012-06-21 10:22 1933848 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-02 22:12 . 2012-06-21 10:22 2422272 ----a-w- c:\windows\system32\wucltux.dll 2012-06-02 22:12 . 2012-06-21 10:22 88576 ----a-w- c:\windows\system32\wudriver.dll 2012-06-02 20:19 . 2012-06-21 10:21 171904 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-02 20:12 . 2012-06-21 10:21 33792 ----a-w- c:\windows\system32\wuapp.exe 2012-05-24 15:48 . 2011-12-17 17:16 21888 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe 2012-05-15 22:04 . 2012-06-14 02:14 834048 ----a-w- c:\windows\system32\wininet.dll 2012-05-15 10:26 . 2012-05-14 21:54 61248 ----a-w- c:\windows\system32\OpenCL.dll 2012-05-15 10:26 . 2011-10-05 18:24 8105280 ----a-w- c:\windows\system32\nvwgf2um.dll 2012-05-15 10:26 . 2011-10-05 18:24 883008 ----a-w- c:\windows\system32\nvgenco32.dll 2012-05-15 10:26 . 2011-10-05 18:24 2368832 ----a-w- c:\windows\system32\nvapi.dll 2012-05-15 10:26 . 2011-10-05 18:24 15322432 ----a-w- c:\windows\system32\nvd3dum.dll 2012-05-15 10:26 . 2011-10-05 18:24 1000768 ----a-w- c:\windows\system32\nvdispco32.dll 2012-05-15 09:28 . 2011-10-05 18:25 645440 ----a-w- c:\windows\system32\nvvsvc.exe 2012-05-15 09:28 . 2011-10-05 18:25 62272 ----a-w- c:\windows\system32\nvshext.dll 2012-05-15 09:28 . 2011-10-05 18:25 108352 ----a-w- c:\windows\system32\nvmctray.dll 2012-05-15 09:28 . 2011-10-05 18:25 3931456 ----a-w- c:\windows\system32\nvcpl.dll 2012-05-15 09:27 . 2011-10-05 18:25 2759488 ----a-w- c:\windows\system32\nvsvc.dll 2012-05-15 07:21 . 2012-05-15 07:21 423744 ----a-w- c:\windows\system32\nvStreaming.exe 2012-05-01 14:03 . 2012-06-14 02:12 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-07-19 11:17 . 2011-10-05 16:50 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2012-01-12 1517368] . [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}] [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1] [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}] [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin] . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}] 2012-07-26 16:17 2086496 ----a-w- c:\program files\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll" [2012-07-26 2086496] . [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}] [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1] [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920] "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008] "vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-07-26 1147488] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "SoftwareSASGeneration"= 3 (0x3) . [HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)] 2011-08-22 08:18 6276408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] 2011-05-13 22:03 4283256 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster] 2011-10-05 17:07 3077528 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache . . ------- Supplementary Scan ------- . uStart Page = hxxp://isearch.avg.com/?cid={A60FA511-AF30-48CF-BE5C-FB4D5AB46B91}&mid=3b402030b34647d0a6c1d1509765c248-b84832f815a7183093e8ec19e687298260e85691&lang=en&d s=gm011&pr=sa&d=2012-04-02 22:20&v=10.2.0.3&sap=hp mStart Page = hxxp://www.yahoo.com/?ilc=8 TCP: DhcpNameServer = 97.64.168.12 97.64.183.165 Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\12.1.5\ViProtocol.dll FF - ProfilePath - c:\users\Jesse\AppData\Roaming\Mozilla\Firefox\Pro files\67nqkw65.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p= FF - prefs.js: browser.startup.homepage - www.yahoo.com FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid=%7B8301409a-dc9e-42d5-b949-9371d6bf8a48%7D&mid=3b402030b34647d0a6c1d1509765c2 48-b84832f815a7183093e8ec19e687298260e85691&ds=AVG&v= 12.1.0.21&lang=en&pr=fr&d=2012-07-26%2011%3A17%3A24&sap=ku&q= FF - user.js: yahoo.ytff.general.dontshowhpoffer - true . - - - - ORPHANS REMOVED - - - - . WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file) HKLM-Run-SearchSettings - c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe HKLM-Run-mifpsh - c:\users\Jesse\AppData\Roaming\mifpsh.dll MSConfigStartUp-Advanced SystemCare 5 - c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe MSConfigStartUp-SearchSettings - c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe MSConfigStartUp-StartNowToolbarHelper - c:\program files\StartNow Toolbar\ToolbarHelper.exe . . . ************************************************** ************************ . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-07-29 19:02 Windows 6.0.6002 Service Pack 2 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************** ************************ . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . Completion time: 2012-07-29 19:04:54 ComboFix-quarantined-files.txt 2012-07-30 00:04 . Pre-Run: 327,346,622,464 bytes free Post-Run: 327,257,546,752 bytes free . - - End Of File - - B2EE75ED619368148C2252D8C8B68F99
|
|
#11
July 31st, 2012, 01:52 AM
|
|||
|
|||
|
In safe mode or does it matter at this point?
|
|
#12
July 31st, 2012, 02:21 AM
|
|||
|
|||
|
ComboFix Log #2
ComboFix 12-07-30.01 - Jesse 07/30/2012 20:10:22.2.2 - x86 NETWORK Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1550 [GMT -5:00] Running from: c:\users\Jesse\Downloads\ComboFix.exe AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0} SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point . . ((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-31 ))))))))))))))))))))))))))))))) . . 2012-07-31 01:18 . 2012-07-31 01:18 -------- d-----w- c:\users\Jesse\AppData\Local\temp 2012-07-31 01:18 . 2012-07-31 01:18 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\L ocal\temp 2012-07-31 01:18 . 2012-07-31 01:18 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp 2012-07-31 01:18 . 2012-07-31 01:18 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-07-28 19:53 . 2012-07-28 19:59 -------- d-----w- c:\users\Jesse\AppData\Roaming\Baywti 2012-07-28 19:53 . 2012-07-28 19:53 -------- d-----w- c:\users\Jesse\AppData\Roaming\Yvozt 2012-07-28 19:53 . 2012-07-28 19:53 -------- d-----w- c:\users\Jesse\AppData\Roaming\Efomul 2012-07-26 16:18 . 2012-07-26 16:18 -------- d-----w- c:\users\Jesse\AppData\Roaming\AVG2012 2012-07-26 16:17 . 2012-07-27 03:11 -------- d-----w- c:\programdata\AVG Secure Search 2012-07-26 16:17 . 2012-07-26 16:17 27496 ----a-w- c:\windows\system32\drivers\avgtpx86.sys 2012-07-26 16:17 . 2012-07-26 16:17 -------- d-----w- c:\program files\Common Files\AVG Secure Search 2012-07-26 16:17 . 2012-07-26 16:17 -------- d-----w- c:\program files\AVG Secure Search 2012-07-26 16:16 . 2012-07-31 00:08 -------- d-----w- c:\windows\system32\drivers\AVG 2012-07-26 16:16 . 2012-07-28 19:59 -------- d-----w- c:\programdata\AVG2012 2012-07-26 16:16 . 2012-07-26 16:16 -------- d-----w- C:\$AVG 2012-07-25 04:14 . 2012-07-25 04:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2012-07-25 04:14 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-07-23 00:18 . 2012-05-15 10:26 2524992 ----a-w- c:\windows\system32\nvcuvid.dll 2012-07-23 00:18 . 2012-05-15 10:26 19607872 ----a-w- c:\windows\system32\nvoglv32.dll 2012-07-23 00:18 . 2012-05-15 10:26 11354944 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys 2012-07-23 00:18 . 2012-05-15 10:26 5982528 ----a-w- c:\windows\system32\nvcuda.dll 2012-07-23 00:18 . 2012-05-15 10:26 2445120 ----a-w- c:\windows\system32\nvcuvenc.dll 2012-07-23 00:18 . 2012-05-15 10:26 17551680 ----a-w- c:\windows\system32\nvcompiler.dll 2012-07-10 21:50 . 2012-07-10 21:50 1401856 ----a-w- c:\windows\system32\msxml6.dll 2012-07-10 21:50 . 2012-07-10 21:50 1248768 ----a-w- c:\windows\system32\msxml3.dll 2012-07-10 21:49 . 2012-07-10 21:49 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2012-07-10 21:49 . 2012-07-10 21:49 278528 ----a-w- c:\windows\system32\schannel.dll 2012-07-10 21:49 . 2012-07-10 21:49 204288 ----a-w- c:\windows\system32\ncrypt.dll 2012-07-10 21:49 . 2012-07-10 21:49 2047488 ----a-w- c:\windows\system32\win32k.sys 2012-07-10 21:48 . 2012-07-10 21:48 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2012-06-05 16:16 . 2012-04-24 18:19 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-06-05 16:16 . 2011-10-05 16:57 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-06-02 22:19 . 2012-06-21 10:22 53784 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-02 22:19 . 2012-06-21 10:22 45080 ----a-w- c:\windows\system32\wups2.dll 2012-06-02 22:19 . 2012-06-21 10:22 35864 ----a-w- c:\windows\system32\wups.dll 2012-06-02 22:19 . 2012-06-21 10:22 577048 ----a-w- c:\windows\system32\wuapi.dll 2012-06-02 22:19 . 2012-06-21 10:22 1933848 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-02 22:12 . 2012-06-21 10:22 2422272 ----a-w- c:\windows\system32\wucltux.dll 2012-06-02 22:12 . 2012-06-21 10:22 88576 ----a-w- c:\windows\system32\wudriver.dll 2012-06-02 20:19 . 2012-06-21 10:21 171904 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-02 20:12 . 2012-06-21 10:21 33792 ----a-w- c:\windows\system32\wuapp.exe 2012-05-24 15:48 . 2011-12-17 17:16 21888 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe 2012-05-15 22:04 . 2012-06-14 02:14 834048 ----a-w- c:\windows\system32\wininet.dll 2012-05-15 10:26 . 2012-05-14 21:54 61248 ----a-w- c:\windows\system32\OpenCL.dll 2012-05-15 10:26 . 2011-10-05 18:24 8105280 ----a-w- c:\windows\system32\nvwgf2um.dll 2012-05-15 10:26 . 2011-10-05 18:24 883008 ----a-w- c:\windows\system32\nvgenco32.dll 2012-05-15 10:26 . 2011-10-05 18:24 2368832 ----a-w- c:\windows\system32\nvapi.dll 2012-05-15 10:26 . 2011-10-05 18:24 15322432 ----a-w- c:\windows\system32\nvd3dum.dll 2012-05-15 10:26 . 2011-10-05 18:24 1000768 ----a-w- c:\windows\system32\nvdispco32.dll 2012-05-15 09:28 . 2011-10-05 18:25 645440 ----a-w- c:\windows\system32\nvvsvc.exe 2012-05-15 09:28 . 2011-10-05 18:25 62272 ----a-w- c:\windows\system32\nvshext.dll 2012-05-15 09:28 . 2011-10-05 18:25 108352 ----a-w- c:\windows\system32\nvmctray.dll 2012-05-15 09:28 . 2011-10-05 18:25 3931456 ----a-w- c:\windows\system32\nvcpl.dll 2012-05-15 09:27 . 2011-10-05 18:25 2759488 ----a-w- c:\windows\system32\nvsvc.dll 2012-05-15 07:21 . 2012-05-15 07:21 423744 ----a-w- c:\windows\system32\nvStreaming.exe 2012-07-19 11:17 . 2011-10-05 16:50 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2012-01-12 1517368] . [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}] [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1] [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}] [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin] . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}] 2012-07-26 16:17 2086496 ----a-w- c:\program files\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll" [2012-07-26 2086496] . [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}] [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1] [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696] "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008] "vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-07-26 1147488] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce] "GrpConv"="grpconv -o" [X] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "SoftwareSASGeneration"= 3 (0x3) . [HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)] 2011-08-22 08:18 6276408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] 2011-05-13 22:03 4283256 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster] 2011-10-05 17:07 3077528 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe . --- Other Services/Drivers In Memory --- . *NewlyCreated* - ECACHE . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache . . ------- Supplementary Scan ------- . uStart Page = hxxp://isearch.avg.com/?cid={A60FA511-AF30-48CF-BE5C-FB4D5AB46B91}&mid=3b402030b34647d0a6c1d1509765c248-b84832f815a7183093e8ec19e687298260e85691&lang=en&d s=gm011&pr=sa&d=2012-04-02 22:20&v=10.2.0.3&sap=hp mStart Page = hxxp://www.yahoo.com/?ilc=8 TCP: DhcpNameServer = 97.64.168.12 97.64.183.165 Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\12.1.5\ViProtocol.dll FF - ProfilePath - c:\users\Jesse\AppData\Roaming\Mozilla\Firefox\Pro files\67nqkw65.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p= FF - prefs.js: browser.startup.homepage - www.yahoo.com FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid=%7B8301409a-dc9e-42d5-b949-9371d6bf8a48%7D&mid=3b402030b34647d0a6c1d1509765c2 48-b84832f815a7183093e8ec19e687298260e85691&ds=AVG&v= 12.1.0.21&lang=en&pr=fr&d=2012-07-26%2011%3A17%3A24&sap=ku&q= FF - user.js: yahoo.ytff.general.dontshowhpoffer - true . - - - - ORPHANS REMOVED - - - - . HKLM-RunOnce-<NO NAME> - (no file) . . . ************************************************** ************************ . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-07-30 20:18 Windows 6.0.6002 Service Pack 2 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************** ************************ . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . Completion time: 2012-07-30 20:19:49 ComboFix-quarantined-files.txt 2012-07-31 01:19 ComboFix2.txt 2012-07-30 00:04 . Pre-Run: 323,175,276,544 bytes free Post-Run: 323,092,365,312 bytes free . - - End Of File - - A9598F15DEFBFBF909973D31B969A5B6
|
|
#13
July 31st, 2012, 02:50 AM
|
|||
|
|||
|
GMER Scan #2
GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-07-30 20:49:50 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2 WDC_WD50 rev.15.0 Running: vqbo4ksj.exe; Driver: C:\Users\Jesse\AppData\Local\Temp\ugloypoc.sys ---- Kernel code sections - GMER 1.0.15 ---- ? C:\Users\Jesse\AppData\Local\Temp\catchme.sys The system cannot find the file specified. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[1684] ntdll.dll!LdrLoadDll 774C9378 5 Bytes JMP 6E99B52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[1684] kernel32.dll!LockResource + C 770D6B0B 7 Bytes JMP 6EC4B6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[1684] kernel32.dll!VirtualAllocEx + 54 770DAF70 7 Bytes JMP 6EC4B6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[1684] USER32.dll!GetWindowInfo 75D1428E 5 Bytes JMP 6EB22BD4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[1684] GDI32.dll!SetStretchBltMode + 256 7614745C 7 Bytes JMP 6EC4B653 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) ---- EOF - GMER 1.0.15 ----
|
|
#14
July 31st, 2012, 03:08 AM
|
||||
|
||||
|
That made a serious dent in what Gmer was picking up, so very good progress.
Before we go further, AVG has installed it's search hijacker toolbar there (one reason I cannot support supposed security programs like it). Here were the steps to disable that, if still current. Firefox still shows as a little bit busier than usual. In Firefox, go to Help - Restart with Add-ons Disabled. In that "Firefox Safe Mode" display that opens, place checks next to the following, then click "Make changes and restart". Reset toolbars and controls Reset all user preferences to Firefox defaults Restore default search engines You can change those later to whatever you prefer, but for now, too many search hijackers have altered things there. Reboot, then run and post a new Gmer scan log please. ------------- Be sure to continue to temporarily disable any protective software when running the scan tools we use here. Open and update Malwarebytes. * If an update is found, it will download and install the latest version. * Once the program has loaded, select "Perform quick scan", then click Scan. * The scan may take some time to finish,so please be patient. * When the scan is complete, click OK, then Show Results to view the results. * Make sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. * The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes. * Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then. --------------- Disable your antivirus program and click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file to run the scanner. If you accept the Terms of Use, check the box and click Start. It will take a couple minutes for the scanner to get ready. When the Computer scan settings display shows, check the following boxes: Remove found threats Scan unwanted applications Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives). Then click the Advanced option, the place a check next to the following (if it is not already checked): Enable Anti-Stealth technology Click Start. This scan may take a while, so please be patient. If infection is found, at the end of the scan click "List of found threats". In that display, at the bottom, select the option to save the results as a text file, and save that to your desktop. Post that back here please. Post that log and the Malwarebytes log please.
|
|
#15
July 31st, 2012, 03:24 AM
|
|||
|
|||
|
I was unable to find whatever avg thing you were talking about. Not sure what redirect page you were referring to.
|
 |
| Bookmarks |
«
Previous Topic
|
Next Topic
»
| Topic Tools | |
|
|
All times are GMT +1. The time now is 03:01 AM.
