Major crashes, anti-virus won't work, black screens, help! [So


This topic is locked
169 replies to this topic

#1 CoolCat
Silver Member, Authentic Member, 498 posts

Posted 29 May 2013 - 04:31 AM

Last night and this morning, I started having really bad computer problems. I've crashed over 10 times, had to re-install Chrome because my computer said it was not found, my anti-virus quit working for a while, then started to work, then the computer crashed again. I use Avira and I can't run it now.

Two of the shut-downs caused a black screen after reboot. I also just got the blue screen of death and then on boot-up got a Windows repair utility, which finally said the computer could not be fixed using that. I went ahead and shut down, rebooted and it came back ok. If I try to use Avira, I get shut down. Malwarebytes said it was a read-only program more than once and I get a runtime error, 303, every time I try to run that. It DID let me run HijackThis so I am sending the log.

The past few days, the computer has been logging in online using only the router instead of the cable box, and that router is an unsecured device. I have to go into the system tray icon and reset it to the named cable connection, and I am wondering if something didn't get in that way.

I have tried 5 times, at least, to run the new version of HiJackThis and it will not run!! I get a popup which I have included as a file, which I am sure you are familiar with. I have followed the instructions on it and am using Windows Vista, Home Edition. When I type in C:\Windows\System32\drivers\etc\hosts and hit enter in the run menu, I get a menu asking which program I want to use to open this, and all I am getting with that is a proxy server address 127.0.0.1 localhost

This will not let me run as administrator because it does not give me that option, no matter how many times I have tried and also rebooted and tried, again.

I am going to run SpyBot, just to see if it will even run! I have never had a mess such as this, before.
Help!!!!

Thank you so much!! :thumbup:



#2 OCD
SuperHelper, Malware Team, 5,574 posts

Posted 30 May 2013 - 03:24 PM

Hello CoolCat,

My name is OCD. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Copy and Paste logs directly into the reply window. DO NOT attach the logs unless specifically instructed to do so.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Please stay with this topic until I let you know that your system appears to be "All Clear"

Important: All tools MUST be run from the Desktop.

=========================

1. aswMBR

Download aswMBR.exe and save it to your desktop.
  • Windows XP : Double click on the icon to run it.
  • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

=========================

2. Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Windows XP : Double click on the icon to run it.
  • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

=========================

In your next post please provide the following:
  • aswMBR.txt
  • attach MBR.zip
  • FRST.txt
  • Addition.txt

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days
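As an added illustration of what a helper reads first in the aswMBR log requested in step 1 (example code written for this page, not part of the thread or of the aswMBR tool), here is a small parser that pulls the OS version, the partition table, the MBR status and any INFECTED hits out of the log and turns them into review notes. The sample log is constructed in aswMBR's output format with a placeholder user path.

```python
"""Triage helper for aswMBR scan logs.

Added example for this thread; it is not part of the forum posts or of the
aswMBR tool. It reads the plain-text log aswMBR writes (a timestamp followed
by a message) and pulls out what a malware-removal helper reads first: the
OS version, the partition table, whether aswMBR recognised the MBR code, and
any file the embedded AVAST engine flagged as **INFECTED**.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Timestamped lines look like "19:52:44.303 Disk 0 unknown MBR code".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
OS_RE = re.compile(r"^OS Version: (?P<os>.+)$")
MBR_UNKNOWN_RE = re.compile(r"^Disk (?P<disk>\d+) unknown MBR code$")
# "Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 146477 MB offset 25167872":
# boot flag (80 = active, also shown as "(A)"), type code, description, size, offset.
PARTITION_RE = re.compile(
    r"^Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<boot>[0-9A-F]{2})(?: \(A\))? "
    r"(?P<type>[0-9A-F]{2}) (?P<desc>.+?) (?P<size>\d+) MB offset (?P<offset>\d+)$"
)
INFECTED_RE = re.compile(r"^File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+)$")


@dataclass
class Partition:
    disk: int
    number: int
    active: bool
    type_code: str
    description: str
    size_mb: int
    offset: int


@dataclass
class Triage:
    os_version: str = ""
    partitions: list[Partition] = field(default_factory=list)
    unknown_mbr_disks: list[int] = field(default_factory=list)
    infected: list[tuple[str, str]] = field(default_factory=list)  # (path, detection)
    finished: bool = False


def parse_aswmbr_log(text: str) -> Triage:
    """Walk the log line by line and collect the findings a reviewer needs."""
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner and separator lines carry no timestamp
        msg = m.group(2)
        if (om := OS_RE.match(msg)):
            t.os_version = om["os"]
        elif (pm := PARTITION_RE.match(msg)):
            t.partitions.append(Partition(
                int(pm["disk"]), int(pm["num"]), pm["boot"] == "80",
                pm["type"], pm["desc"], int(pm["size"]), int(pm["offset"])))
        elif (um := MBR_UNKNOWN_RE.match(msg)):
            t.unknown_mbr_disks.append(int(um["disk"]))
        elif (im := INFECTED_RE.match(msg)):
            t.infected.append((im["path"], im["name"]))
        elif msg == "Scan finished successfully":
            t.finished = True
    return t


def triage_notes(t: Triage) -> list[str]:
    """Turn the parsed findings into the points worth raising in a reply."""
    notes = []
    if not t.finished:
        notes.append("scan did not report completion; log may be truncated")
    for d in t.unknown_mbr_disks:
        notes.append(f"disk {d}: MBR code not recognised; review the saved MBR.dat "
                     "before any fix (an OEM boot loader can also cause this)")
    for path, name in t.infected:
        notes.append(f"infected file: {path} ({name})")
    active = [p.number for p in t.partitions if p.active]
    if len(active) != 1:
        notes.append(f"{len(active)} active partitions, expected exactly one")
    return notes


# Constructed sample in aswMBR's log format (placeholder user path, not a real capture).
SAMPLE_LOG = r"""aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-05-30 19:46:53
-----------------------------
19:46:53.552 OS Version: Windows x64 6.0.6002 Service Pack 2
19:52:44.290 Disk 0 MBR read successfully
19:52:44.303 Disk 0 unknown MBR code
19:52:44.317 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12288 MB offset 2048
19:52:44.342 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 146477 MB offset 25167872
19:52:44.367 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 142848 MB offset 325152768
19:52:44.401 Disk 0 Partition 4 00 12 Compaq diag NTFS 3630 MB offset 617705472
20:05:43.855 File: C:\Users\EXAMPLE\Desktop\tool.scr **INFECTED** Win32:Malware-gen
20:16:26.851 Scan finished successfully
"""

if __name__ == "__main__":
    for note in triage_notes(parse_aswmbr_log(SAMPLE_LOG)):
        print("-", note)
```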


#3 CoolCat
Silver Member, Authentic Member, 498 posts

Posted 30 May 2013 - 07:45 PM

Thank you for getting back to me so quickly. Here are the logs and the attachment.

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-05-30 19:46:53
-----------------------------
19:46:53.552 OS Version: Windows x64 6.0.6002 Service Pack 2
19:46:53.553 Number of processors: 2 586 0x170A
19:46:53.554 ComputerName: ARWEN UserName:
19:46:55.030 Initialize success
19:51:18.070 AVAST engine defs: 13053001
19:52:44.163 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:52:44.167 Disk 0 Vendor: Hitachi_ FB4O Size: 305245MB BusType: 3
19:52:44.290 Disk 0 MBR read successfully
19:52:44.295 Disk 0 MBR scan
19:52:44.303 Disk 0 unknown MBR code
19:52:44.317 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12288 MB offset 2048
19:52:44.342 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 146477 MB offset 25167872
19:52:44.367 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 142848 MB offset 325152768
19:52:44.401 Disk 0 Partition 4 00 12 Compaq diag NTFS 3630 MB offset 617705472
19:52:44.557 Disk 0 scanning C:\Windows\system32\drivers
19:52:58.377 Service scanning
19:53:39.975 Modules scanning
19:53:39.976 Disk 0 trace - called modules:
19:53:40.009 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys iaStor.sys hal.dll
19:53:40.010 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006517790]
19:53:40.011 3 CLASSPNP.SYS[fffffa6000fc4c33] -> nt!IofCallDriver -> [0xfffffa800555f170]
19:53:40.011 5 acpi.sys[fffffa60008e3fde] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004be7050]
19:53:41.374 AVAST engine scan C:\Windows
19:53:56.750 AVAST engine scan C:\Windows\system32
19:58:18.213 AVAST engine scan C:\Windows\system32\drivers
19:58:36.811 AVAST engine scan C:\Users\Ratopia
20:05:43.855 File: C:\Users\Ratopia\Desktop\Antivirus\dds.scr **INFECTED** Win32:Malware-gen
20:08:58.769 AVAST engine scan C:\ProgramData
20:16:26.851 Scan finished successfully
20:30:32.978 Disk 0 MBR has been saved successfully to "C:\Users\Ratopia\Desktop\MBR.dat"
20:30:32.994 The log file has been saved successfully to "C:\Users\Ratopia\Desktop\aswMBR.txt"




Farbar Recovery log

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-05-2013 01
Ran by Ratopia (administrator) on 30-05-2013 20:36:55
Running from C:\Users\Ratopia\Desktop
Windows Vista ™ Home Premium Service Pack 2 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(AOL LLC) C:\Program Files (x86)\Common Files\AOL\ACS\AOLAcsd.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
() C:\Program Files (x86)\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
(Egis Incorporated) C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
() C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
() C:\Acer\Mobility Center\MobilityService.exe
(NewTech InfoSystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
() C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
() C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Conexant Systems, Inc.) C:\Windows\system32\DRIVERS\xaudio64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(Safer Networking Ltd.) D:\Spybot - Search & Destroy\SDWinSec.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Acer Inc.) C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
(Egis Incorporated) C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\eDSLoader.exe
(Realtek Semiconductor) C:\Windows\RAVCpl64.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
() C:\Windows\PLFSetI.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Google Inc.) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Acer Incorporated) C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe
() C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\QtZgAcer.EXE
(CyberLink Corp.) C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
(CyberLink) C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Intel Corporation) C:\Windows\system32\igfxext.exe
(AOL LLC) C:\Program Files (x86)\Common Files\aol\1242688622\ee\aolsoftware.exe
(Seagate LLC) C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe
(Egis inc.) C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSMSNLoader32.exe
(Realtek Semiconductor Corp.) C:\Users\Ratopia\AppData\Local\Temp\RtkBtMnt.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\SnippingTool.exe
(Microsoft Corporation) C:\Windows\SYSTEM32\WISPTIS.EXE

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [182808 2008-07-20] (Intel Corporation)
HKLM\...\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe [481792 2008-08-01] (Acer Inc.)
HKLM\...\Run: [eDataSecurity Loader] "C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\eDSloader.exe" [561200 2008-07-29] (Egis Incorporated)
HKLM\...\Run: [RtHDVCpl] RAVCpl64.exe [x]
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [PLFSetI] C:\Windows\PLFSetI.exe [200704 2007-10-23] ()
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1237288 2008-04-24] (Synaptics, Inc.)
HKCU\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2009-05-08] (Google Inc.)
HKCU\...\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe [x]
HKLM-x32\...\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe" [781824 2008-09-12] (Acer Incorporated)
HKLM-x32\...\Run: [BkupTray] "C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [28672 2008-04-26] ()
HKLM-x32\...\Run: [LManager] C:\PROGRA~2\LAUNCH~1\QtZgAcer.EXE [817672 2008-06-04] (Dritek System Inc.)
HKLM-x32\...\Run: [ArcadeDeluxeAgent] "C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [147456 2008-07-24] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [167936 2008-07-24] (CyberLink)
HKLM-x32\...\Run: [Acer Assist Launcher] "C:\Program Files (x86)\Acer\Acer Assist\launcher.exe" [1261568 2007-11-19] ()
HKLM-x32\...\Run: [Acer Product Registration] "C:\Program Files (x86)\Acer\Acer Registration\ACE1.exe" /startup [3387392 2007-11-26] (Leader Technologies)
HKLM-x32\...\Run: [HostManager] "C:\Program Files (x86)\Common Files\AOL\1242688622\ee\AOLSoftware.exe" [41824 2008-06-24] (AOL LLC)
HKLM-x32\...\Run: [MaxMenuMgr] "C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [185640 2009-09-26] (Seagate LLC)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [288080 2009-07-17] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [295072 2013-01-11] (RealNetworks, Inc.)
HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [345312 2013-05-20] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [PMBVolumeWatcher] "C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe" [688184 2012-02-15] (Sony Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-11] (Microsoft Corporation)
HKU\Default\...\RunOnce: [AcerScrSav] C:\Windows\Acer\run_NB.exe [24576 2007-08-21] ()
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-11] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [AcerScrSav] C:\Windows\Acer\run_NB.exe [24576 2007-08-21] ()
SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\System32\webcheck.dll (Microsoft Corporation)
SSODL-x32: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\SysWOW64\webcheck.dll (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-re...q={searchTerms}
SearchScopes: HKLM-x32 - {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = http://search.aol.co...e=tb50TB50CLie7
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-re...q={searchTerms}
SearchScopes: HKLM-x32 - {BE28C22E-F666-424d-B5FD-125C4AFEE34E} URL = http://search.myheri...q={searchTerms}
SearchScopes: HKCU - {36377DD7-B3EB-42f5-986F-680BAF59BA9D} URL = http://start.iplay.c...q={searchTerms}
SearchScopes: HKCU - {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = http://search.aol.co...e=tb50TB50CLie7
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-re...q={searchTerms}
SearchScopes: HKCU - {BE28C22E-F666-424d-B5FD-125C4AFEE34E} URL = http://search.myheri...q={searchTerms}
SearchScopes: HKCU - {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = http://toolbar.inbox...r...0647&lng=en
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\ActiveToolBand.dll (Egis)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll No File
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL LLC)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
Toolbar: HKLM - Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\eDStoolbar.dll (Egis Incorporated.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
PDF: HKLM-x32 {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcp...ols/pcmatic.cab
PDF: HKLM-x32 {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files (x86)\Yahoo!\Common\Yinsthelper20073151.dll
PDF: HKLM-x32 {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bit...m/qsax/qsax.cab
PDF: HKLM-x32 {94E5218F-9737-4FC2-8457-567B1FF23DC0} http://utilities.pcp...DiskMD3Ctrl.dll
PDF: HKLM-x32 {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} http://utilities.pcp...opAntiVirus.dll
PDF: HKLM-x32 {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg...l_v1-0-31-0.cab
PDF: HKLM-x32 {CB50428B-657F-47DF-9B32-671F82AA73F7} http://www.photodex.com/pxplay.cab
PDF: HKLM-x32 {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcp.../pcpitstop2.dll
Handler-x32: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files (x86)\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 97.64.183.164 97.64.209.37

FireFox:
========
FF ProfilePath: C:\Users\Ratopia\AppData\Roaming\Mozilla\Firefox\Profiles\yas9n9so.default
FF Homepage: hxxp://www.google.com/
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll ()
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF Plugin-x32: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF Plugin-x32: @divx.com/DivX Player Plugin,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.17.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.17.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 - C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 - C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin-x32: @oberon-media.com/ONCAdapter - C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll (Oberon-Media )
FF Plugin-x32: @photodex.com/PhotodexPresenter - C:\Program Files (x86)\Photodex Presenter\npPxPlay.dll ( )
FF Plugin-x32: @real.com/nppl3260;version=16.0.0.282 - c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=1.3.0 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=1.3.0 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=1.3.0 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=16.0.0.282 - c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin-x32: @realnetworks.com/npdlplugin;version=1 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @viewpoint.com/VMP - C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 - C:\Program Files (x86)\Yahoo!\Common\npyaxmpb.dll No File
FF Extension: GamePlayLabs Plugin - C:\Users\Ratopia\AppData\Roaming\Mozilla\Firefox\Profiles\yas9n9so.default\Extensions\plugin2@gameplaylabs.com
FF Extension: Microsoft .NET Framework Assistant - C:\Users\Ratopia\AppData\Roaming\Mozilla\Firefox\Profiles\yas9n9so.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: Savevid Toolbar - C:\Users\Ratopia\AppData\Roaming\Mozilla\Firefox\Profiles\yas9n9so.default\Extensions\{23cd218f-af09-443f-bbb1-adb89fd5986d}
FF Extension: Bitdefender QuickScan - C:\Users\Ratopia\AppData\Roaming\Mozilla\Firefox\Profiles\yas9n9so.default\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF Extension: No Name - C:\Users\Ratopia\AppData\Roaming\Mozilla\Firefox\Profiles\yas9n9so.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

Chrome:
=======
CHR HomePage: hxxp://www.google.com/
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (DivX Web Player) - C:\Program Files (x86)\Mozilla Firefox\plugins\npdivx32.dll (DivX,Inc.)
CHR Plugin: (DivX Player Netscape Plugin) - C:\Program Files (x86)\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll (DivX, Inc)
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files (x86)\Mozilla Firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (RealPlayer Download Plugin) - C:\Program Files (x86)\Mozilla Firefox\plugins\nprpplugin.dll (RealPlayer)
CHR Plugin: (Winamp Application Detector) - C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll (Nullsoft, Inc.)
CHR Plugin: (AlternaTIFF (QuickTime compatible)) - C:\Program Files (x86)\Mozilla Firefox\plugins\npzzatif.dll (Medical Informatics Engineering, Inc.)
CHR Plugin: (Microsoft\u00AE Windows Media Player Firefox Plugin) - C:\Users\Ratopia\AppData\Roaming\Mozilla\plugins\np-mswmp.dll (Microsoft Corporation)
CHR Plugin: (Oberon com adapter) - C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll (Oberon-Media )
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
CHR Plugin: (Java™ Platform SE 7 U17) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (Microsoft Office Live Plug-in for Firefox) - C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
CHR Plugin: (Photodex Presenter Plugin) - C:\Program Files (x86)\Photodex Presenter\npPxPlay.dll ( )
CHR Plugin: (MetaStream 3 Plugin) - C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (RealNetworks™ RealDownloader Chrome Background Extension Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
CHR Plugin: (RealNetworks™ RealDownloader HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealNetworks™ RealDownloader PepperFlashVideoShim Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealDownloader Plugin) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
CHR Plugin: (BrowserPlus (from Yahoo!) v2.9.8) - C:\Users\Ratopia\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)
CHR Plugin: (Windows Presentation Foundation) - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
CHR Plugin: (Java Deployment Toolkit 7.0.170.2) - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
CHR Extension: (Google Docs) - C:\Users\Ratopia\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\Ratopia\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\Ratopia\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\Ratopia\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Ratchet & Clank Future 2) - C:\Users\Ratopia\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejhfomhehcinmhgnlhdpghklkjgppdmn\3_0
CHR Extension: (AdBlock) - C:\Users\Ratopia\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.63_0
CHR Extension: (RealDownloader) - C:\Users\Ratopia\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji\1.3.0_0
CHR Extension: (Gmail) - C:\Users\Ratopia\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0

==================== Services (Whitelisted) =================

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [86752 2013-03-28] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [110816 2013-03-28] (Avira Operations GmbH & Co. KG)
R2 BUNAgentSvc; C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [16384 2008-03-03] (NewTech Infosystems, Inc.)
R2 CLHNService; C:\Program Files (x86)\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [81504 2008-01-16] ()
R2 eDataSecurity Service; C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe [500784 2008-07-29] (Egis Incorporated)
R2 ETService; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [24576 2008-08-19] ()
R2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe [132096 2007-12-06] ()
R2 NTISchedulerSvc; C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [131072 2008-04-26] ()
R2 PMBDeviceInfoProvider; C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [459832 2012-02-15] (Sony Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [38608 2012-11-29] ()
R2 RichVideo; C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe [272024 2007-01-08] ()
R2 SBSDWSCService; D:\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

==================== Drivers (Whitelisted) ====================

R2 int15; C:\Windows\SysWOW64\drivers\int15_64.sys [17952 2008-08-19] (Acer, Inc.)
R3 L1E; C:\Windows\System32\DRIVERS\L1E60x64.sys [57856 2009-08-05] (Atheros Communications, Inc.)
R0 PSDFilter; C:\Windows\System32\DRIVERS\psdfilter.sys [22064 2008-07-29] (Egis Incorporated)
R2 PSDNServ; C:\Windows\System32\DRIVERS\PSDNServ.sys [21040 2008-07-29] (Egis Incorporated)
R2 psdvdisk; C:\Windows\System32\DRIVERS\PSDVdisk.sys [60976 2008-07-29] (Egis Incorporated)
R3 winbondcir; C:\Windows\System32\DRIVERS\winbondcir.sys [46592 2007-03-28] (Winbond Electronics Corporation)
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\000.fcl [32240 2008-07-18] (Cyberlink Corp.)
R2 avgntflt; system32\DRIVERS\avgntflt.sys [x]
R1 avipbb; system32\DRIVERS\avipbb.sys [x]
R1 avkmgr; system32\DRIVERS\avkmgr.sys [x]
S1 Beep; No ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
U3 aswMBR; \??\C:\Users\Ratopia\AppData\Local\Temp\aswMBR.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-30 20:36 - 2013-05-30 20:36 - 00000000 ____D C:\FRST
2013-05-30 20:35 - 2013-05-30 20:35 - 01915980 ____A (Farbar) C:\Users\Ratopia\Desktop\FRST64.exe
2013-05-30 20:32 - 2013-05-30 20:32 - 00000568 ____A C:\Users\Ratopia\Desktop\MBR.zip
2013-05-30 20:30 - 2013-05-30 20:30 - 00002192 ____A C:\Users\Ratopia\Desktop\aswMBR.txt
2013-05-30 20:30 - 2013-05-30 20:30 - 00000512 ____A C:\Users\Ratopia\Desktop\MBR.dat
2013-05-30 20:01 - 2013-05-30 20:03 - 00000000 ____D C:\Users\Ratopia\Desktop\transmitter
2013-05-30 19:49 - 2013-05-30 19:50 - 00001676 ____A C:\Users\Ratopia\Desktop\whatthetech.txt
2013-05-30 19:42 - 2013-05-30 19:44 - 04745728 ____A (AVAST Software) C:\Users\Ratopia\Downloads\aswMBR (1).exe
2013-05-30 19:35 - 2013-05-30 19:37 - 04745728 ____A (AVAST Software) C:\Users\Ratopia\Desktop\aswMBR.exe
2013-05-30 17:49 - 2013-05-30 18:05 - 00000074 ____A C:\Users\Ratopia\Desktop\sprint2.txt
2013-05-29 05:29 - 2013-05-29 05:29 - 00000000 ____D C:\Users\Ratopia\AppData\Local\Adobe
2013-05-29 05:21 - 2013-05-29 05:21 - 00000158 ____A C:\Users\Ratopia\Desktop\hijackthis instructions.txt
2013-05-29 05:07 - 2013-05-29 05:07 - 00001265 ____A C:\Users\Ratopia\Desktop\coolcat.txt
2013-05-29 04:57 - 2013-05-29 04:57 - 01402880 ____A C:\Users\Ratopia\Downloads\HiJackThis.msi
2013-05-29 04:44 - 2013-05-29 05:17 - 00002563 ____A C:\Users\Ratopia\Desktop\HiJackThis.lnk
2013-05-29 04:43 - 2013-05-29 04:43 - 00812344 ____A (Trend Micro Inc.) C:\Users\Ratopia\Downloads\HJTInstall.exe
2013-05-29 03:11 - 2013-04-04 20:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-29 03:11 - 2013-04-04 20:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-29 03:11 - 2013-04-04 20:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-29 03:11 - 2013-04-04 19:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-05-29 03:11 - 2013-04-04 19:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-05-29 03:11 - 2013-04-04 19:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-29 03:11 - 2013-04-04 19:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-05-29 03:11 - 2013-04-04 19:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-29 03:11 - 2013-04-04 19:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-05-29 03:11 - 2013-04-04 19:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-29 03:11 - 2013-04-04 19:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-29 03:11 - 2013-04-04 19:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-05-29 03:11 - 2013-04-04 19:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-29 03:11 - 2013-04-04 17:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-29 03:11 - 2013-04-04 17:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-05-29 03:11 - 2013-04-04 17:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-29 03:11 - 2013-04-04 17:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-29 03:11 - 2013-04-04 17:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-05-29 03:11 - 2013-04-04 16:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-29 03:11 - 2013-04-04 16:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-29 03:11 - 2013-04-04 16:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-05-29 03:11 - 2013-04-04 16:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-05-29 03:11 - 2013-04-04 16:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-29 03:11 - 2013-04-04 16:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-29 03:11 - 2013-04-04 16:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-05-29 03:11 - 2013-04-04 16:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-05-29 03:10 - 2013-04-04 20:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-29 03:10 - 2013-04-04 17:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-29 03:01 - 2013-05-05 16:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-29 03:01 - 2013-05-05 16:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-29 03:01 - 2013-05-05 14:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-29 03:01 - 2013-05-05 14:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-29 00:57 - 2013-05-29 00:57 - 00002029 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-05-29 00:56 - 2013-05-29 00:56 - 00781800 ____A (Google Inc.) C:\Users\Ratopia\Desktop\ChromeSetup.exe
2013-05-29 00:50 - 2013-04-08 20:55 - 02774016 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-29 00:49 - 2013-04-15 09:17 - 00901496 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-29 00:49 - 2013-04-12 22:34 - 00047104 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-28 23:44 - 2013-05-30 19:20 - 00437780 ____A C:\Windows\WindowsUpdate.log
2013-05-28 19:34 - 2013-05-28 19:34 - 00000195 ____A C:\Users\Ratopia\Desktop\1st post.txt
2013-05-27 05:20 - 2013-05-27 11:10 - 00000000 ____D C:\Users\Ratopia\Desktop\Oxana
2013-05-26 07:35 - 2013-05-26 07:35 - 00000202 ____A C:\Users\Ratopia\Desktop\bald eagle behavior.txt
2013-05-22 02:33 - 2013-05-22 02:33 - 00000011 ____A C:\Users\Ratopia\Desktop\storm chasers.txt
2013-05-20 09:12 - 2013-05-20 09:12 - 00000369 ____A C:\Users\Ratopia\Desktop\HELLGATE - Shortcut.lnk
2013-05-20 09:10 - 2013-05-20 09:10 - 00000390 ____A C:\Users\Ratopia\Desktop\MADIS & ESTONIA - Shortcut.lnk
2013-05-19 00:08 - 2013-05-20 08:41 - 00000000 ___RD C:\Users\Ratopia\Desktop\Monty
2013-05-15 08:08 - 2013-05-15 08:08 - 00006836 ____A C:\Users\Ratopia\Desktop\raptor mating.txt
2013-05-13 06:57 - 2013-05-13 06:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware(108)
2013-05-13 01:26 - 2013-05-13 01:26 - 00000050 ____A C:\Users\Ratopia\Desktop\bengazi.txt
2013-05-06 07:35 - 2013-05-06 07:35 - 00000000 ____D C:\Users\Ratopia\Desktop\kathy freeze
2013-05-04 05:57 - 2013-05-04 05:57 - 00000582 ____A C:\Users\Ratopia\Desktop\fiends mafia.txt
2013-05-03 15:56 - 2013-05-03 15:57 - 00000032 ____A C:\Users\Ratopia\Desktop\sprint.txt
2013-04-30 16:01 - 2013-05-28 20:37 - 00000000 ____D C:\Users\Ratopia\Desktop\Outdoors Iowa

==================== One Month Modified Files and Folders =======

2013-05-30 20:36 - 2013-05-30 20:36 - 00000000 ____D C:\FRST
2013-05-30 20:35 - 2013-05-30 20:35 - 01915980 ____A (Farbar) C:\Users\Ratopia\Desktop\FRST64.exe
2013-05-30 20:32 - 2013-05-30 20:32 - 00000568 ____A C:\Users\Ratopia\Desktop\MBR.zip
2013-05-30 20:30 - 2013-05-30 20:30 - 00002192 ____A C:\Users\Ratopia\Desktop\aswMBR.txt
2013-05-30 20:30 - 2013-05-30 20:30 - 00000512 ____A C:\Users\Ratopia\Desktop\MBR.dat
2013-05-30 20:18 - 2012-08-16 19:09 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-30 20:03 - 2013-05-30 20:01 - 00000000 ____D C:\Users\Ratopia\Desktop\transmitter
2013-05-30 20:00 - 2010-07-15 14:46 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-30 19:50 - 2013-05-30 19:49 - 00001676 ____A C:\Users\Ratopia\Desktop\whatthetech.txt
2013-05-30 19:44 - 2013-05-30 19:42 - 04745728 ____A (AVAST Software) C:\Users\Ratopia\Downloads\aswMBR (1).exe
2013-05-30 19:37 - 2013-05-30 19:35 - 04745728 ____A (AVAST Software) C:\Users\Ratopia\Desktop\aswMBR.exe
2013-05-30 19:24 - 2006-11-02 07:46 - 00706816 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-30 19:22 - 2013-05-28 23:44 - 00437780 ____A C:\Windows\WindowsUpdate.log
2013-05-30 19:19 - 2008-12-18 02:18 - 01063528 ____A C:\Users\Public\eDSMSNLoader32.log
2013-05-30 19:17 - 2010-07-15 14:46 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-30 19:17 - 2009-08-15 16:14 - 00000434 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2013-05-30 19:17 - 2008-12-18 02:14 - 00000147 ____A C:\Windows\SysWOW64\agent.log
2013-05-30 19:17 - 2006-11-02 10:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-30 19:17 - 2006-11-02 10:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-30 19:16 - 2006-11-02 10:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-30 18:10 - 2006-11-02 10:42 - 00032532 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-30 18:05 - 2013-05-30 17:49 - 00000074 ____A C:\Users\Ratopia\Desktop\sprint2.txt
2013-05-30 08:45 - 2010-06-26 23:21 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-05-29 05:29 - 2013-05-29 05:29 - 00000000 ____D C:\Users\Ratopia\AppData\Local\Adobe
2013-05-29 05:21 - 2013-05-29 05:21 - 00000158 ____A C:\Users\Ratopia\Desktop\hijackthis instructions.txt
2013-05-29 05:17 - 2013-05-29 04:44 - 00002563 ____A C:\Users\Ratopia\Desktop\HiJackThis.lnk
2013-05-29 05:07 - 2013-05-29 05:07 - 00001265 ____A C:\Users\Ratopia\Desktop\coolcat.txt
2013-05-29 04:57 - 2013-05-29 04:57 - 01402880 ____A C:\Users\Ratopia\Downloads\HiJackThis.msi
2013-05-29 04:43 - 2013-05-29 04:43 - 00812344 ____A (Trend Micro Inc.) C:\Users\Ratopia\Downloads\HJTInstall.exe
2013-05-29 03:52 - 2006-11-02 10:21 - 00308168 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-29 03:05 - 2006-11-02 07:35 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-05-29 00:57 - 2013-05-29 00:57 - 00002029 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-05-29 00:57 - 2009-05-08 00:45 - 00000000 ____D C:\Program Files (x86)\Google
2013-05-29 00:56 - 2013-05-29 00:56 - 00781800 ____A (Google Inc.) C:\Users\Ratopia\Desktop\ChromeSetup.exe
2013-05-29 00:49 - 2009-05-08 00:57 - 00000000 ____D C:\Users\Ratopia\AppData\Local\Google
2013-05-29 00:28 - 2009-05-08 00:44 - 00000000 ____D C:\users\Ratopia
2013-05-29 00:27 - 2006-11-02 08:34 - 00000000 ____D C:\Windows\System32\Msdtc
2013-05-29 00:27 - 2006-11-02 07:33 - 77594624 ____A C:\Windows\System32\config\software_previous
2013-05-29 00:27 - 2006-11-02 07:33 - 52428800 ____A C:\Windows\System32\config\components_previous
2013-05-29 00:27 - 2006-11-02 07:33 - 27262976 ____A C:\Windows\System32\config\system_previous
2013-05-29 00:27 - 2006-11-02 07:33 - 00524288 ____A C:\Windows\System32\config\default_previous
2013-05-29 00:27 - 2006-11-02 07:33 - 00262144 ____A C:\Windows\System32\config\security_previous
2013-05-29 00:27 - 2006-11-02 07:33 - 00262144 ____A C:\Windows\System32\config\sam_previous
2013-05-29 00:17 - 2009-12-31 18:32 - 00000000 ____D C:\Windows\System32\spool
2013-05-29 00:17 - 2009-05-19 19:50 - 00000000 ____D C:\Users\Ratopia\AppData\Roaming\Winamp
2013-05-29 00:17 - 2006-11-02 08:33 - 00000000 __RSD C:\Windows\Media
2013-05-29 00:17 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\registration
2013-05-28 23:42 - 2010-06-12 04:39 - 00000680 ____A C:\Users\Ratopia\AppData\Local\d3d9caps.dat
2013-05-28 20:37 - 2013-04-30 16:01 - 00000000 ____D C:\Users\Ratopia\Desktop\Outdoors Iowa
2013-05-28 19:34 - 2013-05-28 19:34 - 00000195 ____A C:\Users\Ratopia\Desktop\1st post.txt
2013-05-27 11:10 - 2013-05-27 05:20 - 00000000 ____D C:\Users\Ratopia\Desktop\Oxana
2013-05-27 06:01 - 2013-04-24 08:43 - 00000000 ___RD C:\Users\Ratopia\Desktop\Pontu 2013
2013-05-26 21:57 - 2009-10-04 16:01 - 00000426 ____A C:\Users\Ratopia\AppData\Roaming\wklnhst.dat
2013-05-26 07:35 - 2013-05-26 07:35 - 00000202 ____A C:\Users\Ratopia\Desktop\bald eagle behavior.txt
2013-05-22 02:33 - 2013-05-22 02:33 - 00000011 ____A C:\Users\Ratopia\Desktop\storm chasers.txt
2013-05-20 13:18 - 2012-04-04 17:34 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-20 13:18 - 2011-05-15 18:58 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-20 09:12 - 2013-05-20 09:12 - 00000369 ____A C:\Users\Ratopia\Desktop\HELLGATE - Shortcut.lnk
2013-05-20 09:10 - 2013-05-20 09:10 - 00000390 ____A C:\Users\Ratopia\Desktop\MADIS & ESTONIA - Shortcut.lnk
2013-05-20 08:49 - 2013-03-13 16:38 - 00000000 ____D C:\Users\Ratopia\Desktop\NEW SONY CYBERSHOT PIX
2013-05-20 08:48 - 2013-01-28 23:42 - 00000000 ____D C:\Users\Ratopia\Desktop\LOT AUCTIONS
2013-05-20 08:41 - 2013-05-19 00:08 - 00000000 ___RD C:\Users\Ratopia\Desktop\Monty
2013-05-20 08:36 - 2012-07-20 15:09 - 00000000 ____D C:\ProgramData\Viewpoint
2013-05-20 08:36 - 2012-07-20 15:09 - 00000000 ____D C:\Program Files (x86)\Viewpoint
2013-05-20 08:36 - 2009-05-20 00:27 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-19 01:33 - 2013-01-17 06:08 - 00000322 ____A C:\Users\Ratopia\Desktop\WAR.txt
2013-05-17 08:00 - 2013-01-28 23:40 - 00000000 ____D C:\Users\Ratopia\Desktop\AUCTIONS
2013-05-16 08:31 - 2012-07-20 15:09 - 00000000 ____D C:\ProgramData\Viewpoint(176)
2013-05-15 21:41 - 2009-05-18 20:47 - 00000000 ___RD C:\Users\Ratopia\Desktop\Antivirus
2013-05-15 08:08 - 2013-05-15 08:08 - 00006836 ____A C:\Users\Ratopia\Desktop\raptor mating.txt
2013-05-13 06:57 - 2013-05-13 06:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware(108)
2013-05-13 01:26 - 2013-05-13 01:26 - 00000050 ____A C:\Users\Ratopia\Desktop\bengazi.txt
2013-05-06 07:35 - 2013-05-06 07:35 - 00000000 ____D C:\Users\Ratopia\Desktop\kathy freeze
2013-05-05 16:36 - 2013-05-29 03:01 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-05 16:16 - 2013-05-29 03:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-05 14:25 - 2013-05-29 03:01 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-05 14:12 - 2013-05-29 03:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-04 05:57 - 2013-05-04 05:57 - 00000582 ____A C:\Users\Ratopia\Desktop\fiends mafia.txt
2013-05-03 15:57 - 2013-05-03 15:56 - 00000032 ____A C:\Users\Ratopia\Desktop\sprint.txt
2013-05-02 06:33 - 2013-04-23 01:47 - 00005904 ____A C:\Users\Ratopia\Desktop\osprey behavior.txt
2013-04-30 15:52 - 2012-11-28 18:03 - 00000000 ____D C:\Users\Ratopia\Desktop\weird stuff in the woods

Other Malware:
===========
C:\Users\Ratopia\avg_free_stb_all_9_114_cnet.exe
C:\Users\Ratopia\install_flash_player.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


Last Boot: 2013-05-30 19:25

==================== End Of Log ============================

Addition.txt log

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 30-05-2013 01
Ran by Ratopia at 2013-05-30 20:38:47 Run:
Running from C:\Users\Ratopia\Desktop
Boot Mode: Normal
==========================================================


==================== Installed Programs =======================

Update for Microsoft Office 2007 (KB2508958)
AAC Decoder (Version: 7.1.0)
Acer Arcade Deluxe (Version: 2.0.5702)
Acer Assist
Acer Crystal Eye Webcam 2.0.8 (Version: 2.0.8)
Acer eAudio Management (Version: 3.0.3009)
Acer eDataSecurity Management (Version: 3.0.3065)
Acer Empowering Technology (Version: 3.0.3010)
Acer ePower Management (Version: 3.0.3014)
Acer eSettings Management (Version: 3.0.3007)
Acer GameZone Console 2.0.1.1
Acer GridVista (Version: 2.72.317)
Acer Mobility Center Plug-In (Version: 3.0.3000)
Acer Registration
Acer ScreenSaver (Version: 1.11.0701)
Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.1.377)
Activation Assistant for the 2007 Microsoft Office suites
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0)
Adobe AIR (Version: 2.0.2.12610)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.202)
Adobe Flash Player 11 Plugin (Version: 11.7.700.202)
Adobe Reader X (10.1.7) (Version: 10.1.7)
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
Apple Application Support (Version: 1.4.1)
Apple Software Update (Version: 2.1.1.116)
AT&T Yahoo! Internet Mail
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver (Version: 1.0.0.30)
AutoUpdate (Version: 1.1)
Avira Free Antivirus (Version: 13.0.0.3640)
Azada
Backspin Billiards
Bing Bar (Version: 7.0.609.0)
Bookworm Deluxe
Bricks of Egypt
CCleaner (remove only)
Chuzzle
CyberLink PowerDirector (Version: 6.5.3023e)
D3DX10 (Version: 15.4.2368.0902)
DivX Codec (Version: 6.8.5)
DivX Converter (Version: 7.1.0)
DivX Player (Version: 7.2.0)
DivX Plus DirectShow Filters
DivX Version Checker (Version: 7.1.0.2)
DivX Web Player (Version: 1.5.0)
Download Updater (AOL LLC)
Easy CD-DA Extractor 15 (Version: 15.2.5)
eSobi v2 (Version: 2.0.3.000201)
Flip Words 2
Google Chrome (Version: 27.0.1453.94)
Google Earth Plug-in (Version: 7.0.3.8542)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.4.3607.2246)
Google Update Helper (Version: 1.3.21.145)
H.264 Decoder (Version: 1.1.0)
HDAUDIO Soft Data Fax Modem with SmartCP (Version: 7.73.00.52)
HiJackThis (Version: 1.0.0)
HijackThis 2.0.2 (Version: 2.0.2)
Info Center 1.0.0.6 (Version: 1.0.0.6)
InstallIQ Updater (Version: 1.4.2.0)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java 7 Update 17 (Version: 7.0.170)
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 30 (64-bit) (Version: 6.0.300)
Java™ 6 Update 31 (Version: 6.0.310)
JavaFX 2.1.1 (Version: 2.1.1)
Jewel Quest Solitaire
Kick N Rush
Launch Manager
LightScribe 1.4.142.1 (Version: 1.4.142.1)
Mahjong Escape Ancient China
Mahjongg Artifacts
Malwarebytes Anti-Malware version 1.70.0.1100 (Version: 1.70.0.1100)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Default Manager (Version: 2.1.54.0)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office Live Add-in 1.5 (Version: 2.0.4024.1)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft UI Engine (Version: 4.0.0318.1)
Microsoft VC9 runtime libraries (Version: 1.0.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Works (Version: 08.05.0818)
MKV Splitter (Version: 1.0.1)
Mozilla Firefox 17.0.1 (x86 en-US) (Version: 17.0.1)
Mozilla Maintenance Service (Version: 17.0.1)
MSVCRT (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Mystery Case Files - Huntsville
Mystery Solitaire - Secret Island
NeoDownloader Lite 2.9.4
NTI Backup Now 5 (Version: 5.1.2.606)
NTI Backup Now Standard (Version: 5.1.2.606)
NTI Media Maker 8 (Version: 8.0.2.6329)
Photodex Presenter
PhotoNow! (Version: 1.1.4619)
PlayMemories Home (Version: 6.0.02.14151)
QuickTime (Version: 7.69.80.9)
RealDownloader (Version: 1.3.0)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0)
RealPlayer (Version: 16.0.0)
Realtek High Definition Audio Driver (Version: 6.0.1.5704)
Realtek USB 2.0 Card Reader (Version: )
RealUpgrade 1.1 (Version: 1.1.0)
Replay Media Catcher 3.02 (Version: 3.02)
Revo Uninstaller Pro 2.5.7 (Version: 2.5.7)
RTC Client API v1.2 (Version: 1.2.0000)
Seagate Manager Installer (Version: 2.01.0109)
Seagate Manager Installer (Version: 2.01.0600)
Segoe UI (Version: 15.4.2271.0615)
Spybot - Search & Destroy (Version: 1.6.2)
Synaptics Pointing Device Driver (Version: 11.1.4.0)
Uninstall AOL Emergency Connect Utility 1.0
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
V - The File Viewer
VC80CRTRedist - 8.0.50727.762 (Version: 1.0.0)
Viewpoint Media Player
Visual C++ 8.0 Runtime Setup Package (x64) (Version: 9.0.0.623)
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
Winamp (Version: 5.572 )
Winamp Detector Plug-in (Version: 1.0.0.1)
Winbond CIR Device Drivers (Version: 7.60.1012)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3508.1109)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3508.1109)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
Windows Mobile Device Updater Component (Version: 04.08.2345.00)
WinZip 12.1 (Version: 12.1.8519)
Yahoo! BrowserPlus 2.9.8
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Toolbar
Zuma Deluxe
Zune (Version: 04.08.2345.00)
Zune Language Pack (CHS) (Version: 04.08.2345.00)
Zune Language Pack (CHT) (Version: 04.08.2345.00)
Zune Language Pack (CSY) (Version: 04.08.2345.00)
Zune Language Pack (DAN) (Version: 04.08.2345.00)
Zune Language Pack (DEU) (Version: 04.08.2345.00)
Zune Language Pack (ELL) (Version: 04.08.2345.00)
Zune Language Pack (ESP) (Version: 04.08.2345.00)
Zune Language Pack (FIN) (Version: 04.08.2345.00)
Zune Language Pack (FRA) (Version: 04.08.2345.00)
Zune Language Pack (HUN) (Version: 04.08.2345.00)
Zune Language Pack (IND) (Version: 04.08.2345.00)
Zune Language Pack (ITA) (Version: 04.08.2345.00)
Zune Language Pack (JPN) (Version: 04.08.2345.00)
Zune Language Pack (KOR) (Version: 04.08.2345.00)
Zune Language Pack (MSL) (Version: 04.08.2345.00)
Zune Language Pack (NLD) (Version: 04.08.2345.00)
Zune Language Pack (NOR) (Version: 04.08.2345.00)
Zune Language Pack (PLK) (Version: 04.08.2345.00)
Zune Language Pack (PTB) (Version: 04.08.2345.00)
Zune Language Pack (PTG) (Version: 04.08.2345.00)
Zune Language Pack (RUS) (Version: 04.08.2345.00)
Zune Language Pack (SVE) (Version: 04.08.2345.00)

==================== Restore Points =========================

29-05-2013 09:57:39 Installed HiJackThis
30-05-2013 08:00:12 Windows Update

==================== Faulty Device Manager Devices =============

Name: Microsoft 6to4 Adapter
Description: Microsoft 6to4 Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver


==================== Event log errors: =========================

Application errors:
==================
Error: (05/30/2013 07:23:10 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\RATOPIA\APPDATA\LOCAL\MICROSOFT\WINDOWS\HISTORY\HISTORY.IE5\MSHIST012013053020130531> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (05/30/2013 07:17:09 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/30/2013 03:49:09 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/30/2013 00:56:44 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/29/2013 07:37:06 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/29/2013 05:15:31 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/29/2013 05:15:31 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/29/2013 05:12:26 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/29/2013 04:34:31 AM) (Source: MsiInstaller) (User: ARWEN)
Description: Product: Adobe Reader X (10.1.7) -- Error 1704.An installation for Microsoft .NET Framework 4 Client Profile is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?

Error: (05/29/2013 03:52:54 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (05/30/2013 07:17:29 PM) (Source: Service Control Manager) (User: )
Description: Beep

Error: (05/30/2013 03:49:31 PM) (Source: Service Control Manager) (User: )
Description: Beep

Error: (05/30/2013 00:57:13 AM) (Source: Service Control Manager) (User: )
Description: Beep

Error: (05/29/2013 05:11:34 PM) (Source: ipnathlp) (User: )
Description: The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Error: (05/29/2013 05:11:31 PM) (Source: ipnathlp) (User: )
Description: The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Error: (05/29/2013 05:11:26 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.104 for the Network Card with network address 0016EAA33014 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (05/29/2013 07:37:24 AM) (Source: Service Control Manager) (User: )
Description: Beep

Error: (05/29/2013 07:36:57 AM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.100 for the Network Card with network address 0016EAA33014 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Error: (05/29/2013 05:23:44 AM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.104 for the Network Card with network address 0016EAA33014 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (05/29/2013 05:12:52 AM) (Source: Service Control Manager) (User: )
Description: Beep


Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
Date: 2013-02-07 07:46:26.905
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SysHook.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-02-07 07:46:26.686
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SysHook.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-01-23 23:36:08.759
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SysHook.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-01-23 23:36:08.416
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SysHook.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-01-23 23:32:57.935
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SysHook.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-01-23 23:32:57.630
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SysHook.dll because the set of per-page image hashes could not be found on the system.

Date: 2012-09-09 11:40:11.999
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SysHook.dll because the set of per-page image hashes could not be found on the system.

Date: 2012-09-09 11:40:11.808
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SysHook.dll because the set of per-page image hashes could not be found on the system.

Date: 2012-09-04 07:33:19.900
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SysHook.dll because the set of per-page image hashes could not be found on the system.

Date: 2012-09-04 07:33:19.714
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SysHook.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 55%
Total physical RAM: 4023.93 MB
Available physical RAM: 1778.39 MB
Total Pagefile: 8249.15 MB
Available Pagefile: 5409.93 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: (ACER) (Fixed) (Total:143.04 GB) (Free:73.8 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:139.5 GB) (Free:98.08 GB) NTFS (Disk=0 Partition=3)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 50A5B170)
Partition 1: (Not Active) - (Size=12 GB) - (Type=27)
Partition 2: (Active) - (Size=143 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=140 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=4 GB) - (Type=12)

==================== End Of Log ============================

Attached Files

  • MBR.zip (568 bytes)


#4 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 30 May 2013 - 08:51 PM

Hi CoolCat,

1. Disable SpyBot's TeaTimer

  • Go to your desktop and double click on the "Spybot-S&D Start Center".
  • Now activate the "Experienced User Mode" at top by ticking the checkbox.
  • In the area "Settings & More Tools" please click on "Services".
  • Now start the "On-Access Monitor" by ticking the "Start" button.
  • Close the "Spybot - Search & Destroy Services" window.
=========================

2. RogueKiller

Download to your desktop RogueKiller (by tigzy)

Right click and select "Run as Administrator"
  • Quit all programs
  • Wait until Prescan has finished ...
  • Click on Scan, Do Not Fix Anything at this point.
  • Click the Report button, save the report to your desktop
=========================


3. ComboFix

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

=========================

In your next post please provide the following:

  • RKreport[1].txt
  • Combofix.txt

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.


#5 CoolCat

CoolCat

    Silver Member

  • Authentic Member
  • PipPipPip
  • 498 posts

Posted 30 May 2013 - 10:57 PM

Hi OCD, OK, I am confused here with SpyBot. I don't have it on my desktop for one thing - it's in a folder on the desktop. I can not find anything that says "Start Center" and I see nothing that says experienced user mode or a tick box. Not that I recognize from the following description. Help!!! :unsure:

1. Disable SpyBot's TeaTimer

  • Go to your desktop and double click on the "Spybot-S&D Start Center".
  • Now activate the "Experienced User Mode" at top by ticking the checkbox.
  • In the area "Settings & More Tools" please click on "Services".
  • Now start the "On-Access Monitor" by ticking the "Start" button.
  • Close the "Spybot - Search & Destroy Services" window.

#6 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 30 May 2013 - 11:01 PM

Hi CoolCat,

Let's just skip that step for now. We usually disable SpyBot's TeaTimer just in case it interferes with the removal of malware. If we run into issues we will address it then. Please continue with the next step. :D
OCD



#7 CoolCat

CoolCat

    Silver Member

  • Authentic Member
  • PipPipPip
  • 498 posts

Posted 31 May 2013 - 07:32 PM

OK, I just disabled SpyBot or its protection - not sure which. I also disabled Avira to run the tests. Please be advised, there is a version of Bitdefender in the computer that I have never run, yet I can't remove it and it shows up on reports. It is not running and never did but it's lying there, dormant, I suppose. :lol:

Here are the 2 logs. I did NOT tell combofix to fix anything, yet while the scan was running, it appears that it removed a rootkit and an ini file of some sort, I believe. I also saw there was a message, twice, saying

"Failed to get data for EnableLUA"
attempting to create a new system restore point.

Then later in the scan, again "Failed to get data for EnableLUA"

----------------------------------------------------

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...files/file/413-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Ratopia [Admin rights]
Mode : Scan -- Date : 05/31/2013 19:52:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> FOUND
[TASK][ROGUE ST] 4901 : wscript.exe C:\Users\Ratopia\AppData\Local\Temp\launchie.vbs //B -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS543232L9A300 +++++
--- User ---
[MBR] f12a4d9680d71f07e18a92d32e54e4db
[BSP] 547e854e45c483c9bbec9a48293d8fd8 : Acer MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12288 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 25167872 | Size: 146477 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 325152768 | Size: 142848 Mo
3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 617705472 | Size: 3630 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_05312013_02d1952.txt >>
RKreport[1]_S_05312013_02d1952.txt

---------------------------------------------

ComboFix 13-05-31.02 - Ratopia 05/31/2013 20:10:22.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4024.2613 [GMT -5:00]
Running from: c:\users\Ratopia\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Ratopia\AppData\Local\temp\RtkBtMnt.exe
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2013-05-01 to 2013-06-01 )))))))))))))))))))))))))))))))
.
.
2013-06-01 01:20 . 2013-06-01 01:20 -------- d-----w- c:\users\Ratopia\AppData\Local\temp
2013-06-01 01:20 . 2013-06-01 01:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-31 01:36 . 2013-05-31 01:36 -------- d-----w- C:\FRST
2013-05-29 10:29 . 2013-05-29 10:29 -------- d-----w- c:\users\Ratopia\AppData\Local\Adobe
2013-05-29 09:58 . 2013-05-29 09:58 388096 ----a-r- c:\users\Ratopia\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-05-29 08:10 . 2013-04-05 01:03 887808 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2013-05-29 08:10 . 2013-04-05 01:02 499200 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll
2013-05-29 08:10 . 2013-04-04 22:05 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
2013-05-29 08:10 . 2013-04-04 22:04 387584 ----a-w- c:\program files (x86)\Internet Explorer\jsdbgui.dll
2013-05-29 08:10 . 2013-04-05 01:19 10926080 ----a-w- c:\windows\system32\ieframe.dll
2013-05-29 08:01 . 2013-05-05 21:36 17818624 ----a-w- c:\windows\system32\mshtml.dll
2013-05-29 08:01 . 2013-05-05 21:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-29 08:01 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2013-05-29 05:50 . 2013-04-09 01:55 2774016 ----a-w- c:\windows\system32\win32k.sys
2013-05-29 05:49 . 2013-04-15 14:17 901496 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-29 05:49 . 2013-04-13 03:34 47104 ----a-w- c:\windows\system32\cdd.dll
2013-05-13 11:57 . 2013-05-13 11:57 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware(108)
2013-05-10 07:57 . 2013-05-10 07:57 187456 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2013-05-10 07:57 . 2013-05-10 07:57 187456 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-29 08:05 . 2006-11-02 12:35 75016696 ----a-w- c:\windows\system32\mrt.exe
2013-05-20 18:18 . 2012-04-04 22:34 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-20 18:18 . 2011-05-15 23:58 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-20 13:40 . 2010-06-24 16:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-03-28 06:23 . 2013-03-28 06:24 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-03-28 06:23 . 2013-03-28 06:24 130016 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-03-28 06:23 . 2013-03-28 06:24 100712 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-03-13 22:44 . 2013-03-13 22:45 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-13 22:44 . 2012-05-11 07:31 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-13 22:44 . 2010-06-28 21:17 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-11 13:33 . 2013-04-09 21:00 4691304 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-09 04:16 . 2013-04-09 21:00 85504 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-09 01:48 . 2013-04-09 21:00 75264 ----a-w- c:\windows\system32\smss.exe
2013-03-08 04:18 . 2013-04-09 21:00 451072 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 04:17 . 2013-04-09 21:00 2425344 ----a-w- c:\windows\system32\mstscax.dll
2013-03-08 03:52 . 2013-04-09 21:00 2067968 ----a-w- c:\windows\SysWow64\mstscax.dll
2013-03-03 19:13 . 2013-04-09 21:00 1513320 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 01:52 121392 ----a-w- c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-08 68856]
"SpybotSD TeaTimer"="d:\spybot - search & destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"eAudio"="c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe" [2008-09-12 781824]
"BkupTray"="c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"LManager"="c:\progra~2\LAUNCH~1\QtZgAcer.EXE" [2008-06-04 817672]
"ArcadeDeluxeAgent"="c:\program files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-07-24 147456]
"CLMLServer"="c:\program files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-07-24 167936]
"Acer Assist Launcher"="c:\program files (x86)\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acer Product Registration"="c:\program files (x86)\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"HostManager"="c:\program files (x86)\Common Files\AOL\1242688622\ee\AOLSoftware.exe" [2008-06-24 41824]
"MaxMenuMgr"="c:\program files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2013-01-11 295072]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-20 345312]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe" [2012-02-16 688184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-05-29 05:57 1165776 ----a-w- c:\program files (x86)\Google\Chrome\Application\27.0.1453.94\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 18:18]
.
2013-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-15 19:46]
.
2013-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-15 19:46]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 01:53 50736 ----a-w- c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-08-01 481792]
"eDataSecurity Loader"="c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x64\eDSloader.exe" [2008-07-30 561200]
"RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]
"Skytel"="Skytel.exe" [2008-09-18 1833504]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1237288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Ratopia\AppData\Roaming\Mozilla\Firefox\Profiles\yas9n9so.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - ExtSQL: !HIDDEN! 2009-07-10 22:09; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
Notify-igfxcui - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-RealPlayer 16.0 - c:\program files (x86)\real\realplayer\Update\r1puninst.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files (x86)\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@DACL=(02 0011)
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
@DACL=(02 0011)
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@DACL=(02 0011)
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@DACL=(02 0011)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2013-05-31 20:24:56
ComboFix-quarantined-files.txt 2013-06-01 01:24
ComboFix2.txt 2012-04-13 02:45
ComboFix3.txt 2012-01-30 23:58
ComboFix4.txt 2012-01-30 21:56
ComboFix5.txt 2013-06-01 01:07
.
Pre-Run: 77,329,481,728 bytes free
Post-Run: 77,094,821,888 bytes free
.
- - End Of File - - AFDBE09374667EDF86A59C08F3C20F84
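
The RogueKiller report above was pasted from a word-wrapped Notepad window, so several entries are split across lines and hard to match up. As an added example, not part of the original thread and not code from RogueKiller or its author, the following Python script reads a report in this format, re-joins the wrapped lines, and gives each registry hit a first-pass defender's classification: a scheduled task that runs a script host from a Temp directory, a policy value that restricts user tools, or a cosmetic desktop icon value. The report text embedded in it is a constructed sample built from the entries shown above; the join heuristic, the list of script hosts and the verdict wording are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a RogueKiller 8.x report fragment laid out like the one
# posted above, including the continuation lines that a word-wrapped Notepad
# window produces. The entry text itself is copied from the posted report.
SAMPLE_REPORT = r"""
RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
Mode : Scan -- Date : 05/31/2013 19:52:53

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[TASK][ROGUE ST] 0 : c:\program files (x86)\internet
explorer\iexplore.exe -> FOUND
[TASK][ROGUE ST] 4901 : wscript.exe
C:\Users\Ratopia\AppData\Local\Temp\launchie.vbs //B ->
FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System :
DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B
-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
"""

# One RogueKiller hit: leading [TAG][SUBTAG] groups, a detail, then "-> STATUS".
ENTRY = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s*(?P<rest>.*)$")
# Script interpreters that are commonly scheduled by malware (assumed list).
SCRIPT_HOST = re.compile(r"\b(?:wscript|cscript|mshta|powershell)\.exe\b", re.I)
# A per-user or system Temp directory inside a Windows path.
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\)?Temp\\", re.I)


@dataclass
class Entry:
    tags: list    # e.g. ["TASK", "ROGUE ST"]
    detail: str   # everything between the tags and "->"
    status: str   # FOUND, DELETED, ...


def unwrap(lines):
    """Re-join entries that a word-wrapped editor split across several lines.

    Heuristic (an assumption of this example): a line that does not start with
    '[' continues the previous entry; it is glued with a space unless the break
    fell at a hyphen, as happens inside GUIDs.
    """
    joined = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") or not joined:
            joined.append(line)
        elif joined[-1].endswith("-") or line.startswith("-"):
            joined[-1] += line
        else:
            joined[-1] += " " + line
    return joined


def parse_registry_entries(report: str) -> list:
    """Return the Entry objects listed under the 'Registry Entries' section."""
    section, in_section = [], False
    for line in report.splitlines():
        if line.startswith("¤¤¤"):          # every section header uses this marker
            in_section = "Registry Entries" in line
            continue
        if in_section:
            section.append(line)
    entries = []
    for line in unwrap(section):
        match = ENTRY.match(line)
        if not match:
            continue
        tags = re.findall(r"\[([^\]]+)\]", match.group("tags"))
        detail, sep, status = match.group("rest").rpartition(" -> ")
        if not sep:                          # no status arrow: keep the whole text
            detail, status = match.group("rest"), ""
        entries.append(Entry(tags, detail.strip(), status.strip()))
    return entries


def triage(entry: Entry) -> str:
    """First-pass defender classification of one hit (verdict wording assumed)."""
    kind = entry.tags[0] if entry.tags else ""
    if kind == "TASK":
        _, _, command = entry.detail.partition(" : ")   # "<id> : <command line>"
        if SCRIPT_HOST.search(command) and TEMP_DIR.search(command):
            return "script host launched from a Temp directory: persistence, remove"
        return "scheduled task: verify the target binary before removing"
    if kind == "HJPOL":
        return "policy value restricting user tools such as regedit: remove"
    if kind == "HJ DESK":
        return "desktop icon visibility value: cosmetic, leave unless instructed"
    return "unclassified: review manually"


def triage_report(report: str) -> list:
    """(status, verdict, detail) for every registry hit in the report."""
    return [(e.status, triage(e), e.detail) for e in parse_registry_entries(report)]


if __name__ == "__main__":
    for status, verdict, detail in triage_report(SAMPLE_REPORT):
        print(f"{status:8} {verdict}\n         {detail}")
```

Run it against a saved RKreport file by passing the file's contents to `triage_report`; the unwrapping step means a report saved with Word Wrap on still parses, which is the situation the thread runs into.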

#8 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 31 May 2013 - 10:05 PM

Hi CoolCat,

I did NOT tell combofix to fix anything, yet while the scan was running, it appears that it removed a rootkit and an ini file of some sort, I believe.

That's normal for ComboFix to remove items on the initial scan. :thumbup:

1. Remove Word Wrap in Notepad
  • Click the Windows “Start” button.
  • Enter “Notepad” into the search box and double-click the application from the list of search results that appears. The Notepad application opens.
  • Click “Format” from the main menu in Notepad to display the formatting drop-down menu. You will see a check mark next to the words “Word Wrap,” which indicates that the Word Wrap feature is currently inserting line endings into your Notepad files.
  • Click “Word Wrap” to remove line endings. The check mark that used to appear next to “Word Wrap” disappears, indicating that you have successfully disabled this feature and removed all line endings from your document.
=========================

2. Re-run RogueKiller

Right click and select "Run as Administrator"
  • Quit all programs
  • Wait until Prescan has finished ...
  • Click on Scan.
  • After the scan has completed click on the Registry tab
  • Place a check mark next to each of the following entries:

    • [TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> FOUND
    • [TASK][ROGUE ST] 4901 : wscript.exe C:\Users\Ratopia\AppData\Local\Temp\launchie.vbs //B -> FOUND
    • [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
    • [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    • [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
  • Remove the check mark from all other entries listed
  • Click the Delete button
  • Click the Report button, save the report to your desktop
=========================

3. ComboFix Script

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the code-box below into it:

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, please post the C:\ComboFix.txt for further review.

=========================

In your next post please provide the following:
  • RKreport[2].txt
  • ComboFix.txt
  • How is the computer running?

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.


#9 CoolCat
Posted 31 May 2013 - 10:11 PM

OK! :thumbup:

#10 CoolCat
Posted 31 May 2013 - 11:26 PM

OK, there was a bit of a problem.

I could not locate [HJPOL] HKLM\[...]\Wow6432Node\System :DisableRegistryTools (0) -> FOUND

I found other entries but the numbers were different and nothing apparently starting with wow. The window on the RK program is not wide enough for me to read the entire entry and there are other things in between [HJPOL] HKLM and the entries that are given for me to delete. These are blocking my view from being able to see the entire entry and the window will not expand.

I thought I had checked off the 4 entries I did find but once the scanner ran, it only deleted 3 of them, I believe.

Oh and at first, the computer would not connect to any websites such as Facebook or a streaming video site where I watch osprey on live cam. All I got was Page Not Found, then I rebooted and now it appears to be ok.

Here are the logs. Thank you!

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Ratopia [Admin rights]
Mode : Remove -- Date : 05/31/2013 23:33:01
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> DELETED
[TASK][ROGUE ST] 4901 : wscript.exe C:\Users\Ratopia\AppData\Local\Temp\launchie.vbs //B -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> NOT SELECTED
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS543232L9A300 +++++
--- User ---
[MBR] f12a4d9680d71f07e18a92d32e54e4db
[BSP] 547e854e45c483c9bbec9a48293d8fd8 : Acer MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12288 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 25167872 | Size: 146477 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 325152768 | Size: 142848 Mo
3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 617705472 | Size: 3630 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_D_05312013_02d2333.txt >>
RKreport[1]_S_05312013_02d1952.txt ; RKreport[2]_S_05312013_02d2320.txt ; RKreport[3]_D_05312013_02d2333.txt



---------------------------------------------------------------------------

ComboFix 13-05-31.02 - Ratopia 05/31/2013 23:39:54.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4024.2456 [GMT -5:00]
Running from: c:\users\Ratopia\Desktop\ComboFix.exe
Command switches used :: c:\users\Ratopia\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-05-01 to 2013-06-01 )))))))))))))))))))))))))))))))
.
.
2013-06-01 04:50 . 2013-06-01 04:50 -------- d-----w- c:\users\Ratopia\AppData\Local\temp
2013-06-01 04:50 . 2013-06-01 04:50 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-06-01 04:50 . 2013-06-01 04:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-31 01:36 . 2013-05-31 01:36 -------- d-----w- C:\FRST
2013-05-29 10:29 . 2013-05-29 10:29 -------- d-----w- c:\users\Ratopia\AppData\Local\Adobe
2013-05-29 09:58 . 2013-05-29 09:58 388096 ----a-r- c:\users\Ratopia\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-05-29 08:10 . 2013-04-05 01:03 887808 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2013-05-29 08:10 . 2013-04-05 01:02 499200 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll
2013-05-29 08:10 . 2013-04-04 22:05 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
2013-05-29 08:10 . 2013-04-04 22:04 387584 ----a-w- c:\program files (x86)\Internet Explorer\jsdbgui.dll
2013-05-29 08:10 . 2013-04-05 01:19 10926080 ----a-w- c:\windows\system32\ieframe.dll
2013-05-29 08:01 . 2013-05-05 21:36 17818624 ----a-w- c:\windows\system32\mshtml.dll
2013-05-29 08:01 . 2013-05-05 21:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-29 08:01 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2013-05-29 05:50 . 2013-04-09 01:55 2774016 ----a-w- c:\windows\system32\win32k.sys
2013-05-29 05:49 . 2013-04-15 14:17 901496 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-29 05:49 . 2013-04-13 03:34 47104 ----a-w- c:\windows\system32\cdd.dll
2013-05-13 11:57 . 2013-05-13 11:57 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware(108)
2013-05-10 07:57 . 2013-05-10 07:57 187456 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2013-05-10 07:57 . 2013-05-10 07:57 187456 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-29 08:05 . 2006-11-02 12:35 75016696 ----a-w- c:\windows\system32\mrt.exe
2013-05-20 18:18 . 2012-04-04 22:34 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-20 18:18 . 2011-05-15 23:58 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-20 13:40 . 2010-06-24 16:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-03-28 06:23 . 2013-03-28 06:24 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-03-28 06:23 . 2013-03-28 06:24 130016 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-03-28 06:23 . 2013-03-28 06:24 100712 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-03-13 22:44 . 2013-03-13 22:45 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-13 22:44 . 2012-05-11 07:31 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-13 22:44 . 2010-06-28 21:17 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-11 13:33 . 2013-04-09 21:00 4691304 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-09 04:16 . 2013-04-09 21:00 85504 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-09 01:48 . 2013-04-09 21:00 75264 ----a-w- c:\windows\system32\smss.exe
2013-03-08 04:18 . 2013-04-09 21:00 451072 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 04:17 . 2013-04-09 21:00 2425344 ----a-w- c:\windows\system32\mstscax.dll
2013-03-08 03:52 . 2013-04-09 21:00 2067968 ----a-w- c:\windows\SysWow64\mstscax.dll
2013-03-03 19:13 . 2013-04-09 21:00 1513320 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 01:52 121392 ----a-w- c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-08 68856]
"SpybotSD TeaTimer"="d:\spybot - search & destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"eAudio"="c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe" [2008-09-12 781824]
"BkupTray"="c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"LManager"="c:\progra~2\LAUNCH~1\QtZgAcer.EXE" [2008-06-04 817672]
"ArcadeDeluxeAgent"="c:\program files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-07-24 147456]
"CLMLServer"="c:\program files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-07-24 167936]
"Acer Assist Launcher"="c:\program files (x86)\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acer Product Registration"="c:\program files (x86)\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"HostManager"="c:\program files (x86)\Common Files\AOL\1242688622\ee\AOLSoftware.exe" [2008-06-24 41824]
"MaxMenuMgr"="c:\program files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2013-01-11 295072]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-20 345312]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe" [2012-02-16 688184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui]
[BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-05-29 05:57 1165776 ----a-w- c:\program files (x86)\Google\Chrome\Application\27.0.1453.94\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 18:18]
.
2013-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-15 19:46]
.
2013-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-15 19:46]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 01:53 50736 ----a-w- c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-08-01 481792]
"eDataSecurity Loader"="c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x64\eDSloader.exe" [2008-07-30 561200]
"RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]
"Skytel"="Skytel.exe" [2008-09-18 1833504]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1237288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Ratopia\AppData\Roaming\Mozilla\Firefox\Profiles\yas9n9so.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - ExtSQL: !HIDDEN! 2009-07-10 22:09; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-RealPlayer 16.0 - c:\program files (x86)\real\realplayer\Update\r1puninst.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files (x86)\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@DACL=(02 0011)
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
@DACL=(02 0011)
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@DACL=(02 0011)
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@DACL=(02 0011)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2013-05-31 23:53:53
ComboFix-quarantined-files.txt 2013-06-01 04:53
ComboFix2.txt 2013-06-01 01:24
ComboFix3.txt 2012-04-13 02:45
ComboFix4.txt 2012-01-30 23:58
ComboFix5.txt 2013-06-01 04:37
.
Pre-Run: 77,111,521,280 bytes free
Post-Run: 77,076,639,744 bytes free
.
- - End Of File - - D07513714F3279061094E4C4A90C47C9


#11 OCD (SuperHelper, Malware Team)
Posted 31 May 2013 - 11:47 PM

Hi CoolCat,

1. Re-run RogueKiller

Right click and select "Run as Administrator"
  • Quit all programs
  • Wait until Prescan has finished ...
  • Click on Scan. Do not fix anything at this point.
  • Click the Report button, save the report to your desktop
=========================

In your next post please provide the following:
  • RKreport.txt

OCD



#12 CoolCat
Posted 31 May 2013 - 11:52 PM

Ok, going to do that right now.

#13 CoolCat
Posted 01 June 2013 - 12:11 AM

Alright, had problems accessing the internet, again, and had to reboot, again. This is not normal for this computer.

Here is the next log.

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Ratopia [Admin rights]
Mode : Scan -- Date : 06/01/2013 00:55:06
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS543232L9A300 +++++
--- User ---
[MBR] f12a4d9680d71f07e18a92d32e54e4db
[BSP] 547e854e45c483c9bbec9a48293d8fd8 : Acer MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12288 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 25167872 | Size: 146477 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 325152768 | Size: 142848 Mo
3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 617705472 | Size: 3630 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4]_S_06012013_02d0055.txt >>
RKreport[1]_S_05312013_02d1952.txt ; RKreport[2]_S_05312013_02d2320.txt ; RKreport[3]_D_05312013_02d2333.txt ; RKreport[4]_S_06012013_02d0055.txt

#14 OCD
Posted 01 June 2013 - 12:30 AM

Hi CoolCat,

1. Re-run RogueKiller

Right click and select "Run as Administrator"
  • Quit all programs
  • Wait until Prescan has finished ...
  • Click on Scan.
  • After the scan has completed click on the Registry tab
  • Place a check mark next to each of the following entries:


    • [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
      [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND

  • If you cannot see the complete line to be selected, place the cursor on the line between "Key" and "Value" menu header.
  • Left click and drag the window to the right to expand the field.
  • Use the scroll bar at the bottom of the programs window to view the full path.

  • Remove the check mark from all other entries listed
  • Click the Delete button
  • Click the Report button, save the report to your desktop
=========================

2. Launch the Command Prompt as an Administrator.
  • Click on the Start menu, then select All Programs, and then Accessories.
  • You will now see a shortcut labeled Command Prompt.
  • Right-click on it and select Run as administrator as shown below.


When you select Run as administrator a User Account Control prompt will appear asking if you would like to allow the Command Prompt to be able to make changes on your computer.



Click on the Yes button and you will now be at the Elevated Command Prompt as shown below.


  • Type "ipconfig /flushdns" (without quotes), hit Enter
  • Close the Command Prompt
=========================

3. Malwarebytes' Anti-Malware

Locate Malwarebytes' Anti-Malware (it should be on your desktop).
If not, download it here
  • Right-click mbam-setup.exe, select "Run as Administrator" and follow the prompts to run the program.
  • Once the program has loaded, select the Update tab to get the latest updates before performing the scan.
  • Select Perform quick scan, then click Scan.

  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore, as shown in this sample, and click Remove Selected.

  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
=========================


4. OTL

Download OTL to your desktop.
  • Make sure all other windows are closed and to let it run uninterrupted.
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /rp /s
    %systemdrive%\$Recycle.Bin|@;true;true;true
    %USERPROFILE%\..|smtmp;true;true;true /FP
    %temp%\smtmp\*.* /s >
    BASESERVICES
    DRIVES
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
    • You may need two posts to fit them both in.
=========================

In your next post please provide the following:
  • RKreport.txt
  • MBAM log
  • OTL.txt
  • Do Not post the Extras.txt

I will review the logs later today.
OCD

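The RogueKiller steps in posts #8 and #14 above come down to three findings: the [HJPOL] DisableRegistryTools values in the native and Wow6432Node policy keys, the [TASK] entries (one of them a wscript.exe launch of a .vbs in the user's Temp folder with //B, which is batch mode with error dialogs suppressed, a common persistence pattern), and the HOSTS file. The following is an added example, not part of the thread and not code from RogueKiller, ComboFix, OTL or Malwarebytes: a read-only PowerShell triage that prints the same three things in full, so the Wow6432Node line that would not fit in RogueKiller's window can be read and confirmed before anything is deleted. It assumes an elevated 64-bit PowerShell (2.0 or later, since the machine is Vista) and the standard policy key locations; the task-filter pattern is my choice. Note that DisableRegistryTools = 1 is what actually blocks regedit; the logs in this thread show 0, so RogueKiller is flagging the presence of the value, not an enforced policy.

```powershell
# Added example (not from the thread or from any tool named in it).
# Run from an elevated 64-bit PowerShell. Everything below is read-only except
# Remove-RegistryToolsPolicy, which keeps -WhatIf until you remove it yourself.

# 1. [HJPOL] policy values. DisableRegistryTools = 1 blocks regedit; 0 does not.
#    Both the native and the Wow6432Node view are queried, plus the per-user key.
function Get-RegistryToolsPolicy {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) {
            New-Object PSObject -Property @{ Path = $path; DisableRegistryTools = 'key absent' }
            continue
        }
        # Get-ItemProperty -Name returns $null (no error) when the value is missing.
        $props = Get-ItemProperty -Path $path -Name DisableRegistryTools -ErrorAction SilentlyContinue
        $value = if ($props) { $props.DisableRegistryTools } else { 'not set' }
        New-Object PSObject -Property @{ Path = $path; DisableRegistryTools = $value }
    }
}

# Same effect as RogueKiller's Delete button for these entries. A DWORD comes
# back as [int], so only real values are touched. Drop -WhatIf once confirmed.
function Remove-RegistryToolsPolicy {
    foreach ($row in Get-RegistryToolsPolicy) {
        if ($row.DisableRegistryTools -is [int]) {
            Remove-ItemProperty -Path $row.Path -Name DisableRegistryTools -WhatIf
        }
    }
}

# 2. [TASK] entries. schtasks.exe is used because the ScheduledTasks module
#    does not exist on Vista. The pattern is an assumption for this example:
#    script hosts, anything under a Temp folder, and script file extensions.
function Get-SuspiciousTasks {
    param([string]$Pattern = 'wscript|cscript|\\Temp\\|\.vbs\b|\.js\b')
    schtasks.exe /query /fo CSV /v 2>$null |
        ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match $Pattern } |
        Select-Object TaskName, 'Task To Run', 'Run As User', 'Next Run Time'
}

# 3. HOSTS file, comments and blank lines stripped. "127.0.0.1 localhost" is the
#    default loopback mapping and not a proxy; a real site name pointed at
#    127.0.0.1 or at a foreign address is the kind of entry worth acting on.
function Get-HostsEntries {
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hostsPath |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        ForEach-Object {
            $parts = -split $_.Trim()
            $names = if ($parts.Count -gt 1) { $parts[1..($parts.Count - 1)] -join ' ' } else { '' }
            New-Object PSObject -Property @{ Address = $parts[0]; Names = $names }
        }
}

Get-RegistryToolsPolicy | Format-Table -AutoSize
Get-SuspiciousTasks     | Format-Table -AutoSize
Get-HostsEntries        | Format-Table -AutoSize
```

If the Wow6432Node value keeps reappearing in later scans after a delete, that is worth noting to the helper: either the delete never reached that view (what the logs in this thread suggest, since the user could not select the line) or something is re-creating it, and the scheduled-task listing is the first place to look for the latter.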


#15 CoolCat
Posted 01 June 2013 - 01:05 AM

Alright, the same thing happened. It did not delete one of the entries I had selected. The line also would not drag as directed or any other way and I tried multiple times. I will await your advice before I proceed with the other programs. Here is the log.

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Ratopia [Admin rights]
Mode : Remove -- Date : 06/01/2013 02:02:54
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> NOT SELECTED
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS543232L9A300 +++++
--- User ---
[MBR] f12a4d9680d71f07e18a92d32e54e4db
[BSP] 547e854e45c483c9bbec9a48293d8fd8 : Acer MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12288 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 25167872 | Size: 146477 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 325152768 | Size: 142848 Mo
3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 617705472 | Size: 3630 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_D_06012013_02d0202.txt >>
RKreport[1]_S_05312013_02d1952.txt ; RKreport[2]_S_06012013_02d0153.txt ; RKreport[3]_D_06012013_02d0202.txt

Edited by CoolCat, 01 June 2013 - 01:06 AM.
