24 replies to this topic

[Lytnup]

Are you still with me?

Sorry man...I was out of town and when I came back to finish this I ran into some problems.

 

Eset took 3 hours to run.

Mbam finished but crashed at the end.  I turned off the computer and waited till today to see if it would work.  It did, so I ran the Mbam again.  I have attached two (2) of those logs - the older one was the one generated right before the crash, the second was run tonight.

 

 OTL(after fix).Txt   77.94KB   239 downloads

 

 threats found.txt   9.01KB   340 downloads

 

 

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.11.06.03

 

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 10.0.9200.16721

Chuck :: CHUCK-PC [administrator]

 

Protection: Enabled

 

11/6/2013 6:04:40 AM

mbam-log-2013-11-06 (06-04-40).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 251818

Time elapsed: 7 minute(s), 42 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 15

C:\Users\Chuck\Downloads\BestCodecsPack (1).exe (Adware.InstallBrain) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\BestCodecsPack (2).exe (Adware.InstallBrain) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\BestCodecsPack (3).exe (Adware.InstallBrain) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\BestCodecsPack (4).exe (Adware.InstallBrain) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\BestCodecsPack.exe (Adware.InstallBrain) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\converterlite_d793189.exe (PUP.Optional.InstallIQ.A) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\ffdshow_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\KingsoftOfficeSetup (1).exe (PUP.Optional.Installcore) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\RegCleanPro.exe (PUP.Optional.InstallCore) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\setup (1).exe (PUP.Optional.OutBrowse) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\setup (2).exe (PUP.Optional.OutBrowse) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\setup (3).exe (PUP.Optional.OutBrowse) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\setup (4).exe (PUP.Optional.OutBrowse) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\setup (5).exe (PUP.Optional.OutBrowse) -> Quarantined and deleted successfully.

C:\Users\Chuck\Downloads\setup (6).exe (PUP.Optional.OutBrowse) -> Quarantined and deleted successfully.

 

(end)

 

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.11.06.03

 

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 10.0.9200.16721

Chuck :: CHUCK-PC [administrator]

 

Protection: Disabled

 

11/7/2013 7:37:54 PM

mbam-log-2013-11-07 (19-37-54).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 251752

Time elapsed: 9 minute(s), 17 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 2

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.Optional.FunWebProducts.A) -> Quarantined and deleted successfully.

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

 

 

Hope this helps.

 

Chuck

Lytnup

[Conspire]

Hi Chuck,

Apparently MBAM wasn't updated when you ran it previously and it missed some of the threats.

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  

  :Files
  C:\Program Files (x86)\Uninstall Information\ib_uninst_342\uninstall.exe
  C:\Program Files (x86)\Uninstall Information\ib_uninst_343\uninstall.exe
  C:\Program Files (x86)\Uninstall Information\ib_uninst_454\uninstall.exe
  C:\Program Files (x86)\Uninstall Information\ib_uninst_518\uninstall.exe
  C:\Program Files (x86)\Uninstall Information\ib_uninst_519\uninstall.exe
  C:\Users\Chuck\Downloads\BestCodecsPack (1).exe
  C:\Users\Chuck\Downloads\BestCodecsPack (2).exe
  C:\Users\Chuck\Downloads\BestCodecsPack (3).exe
  C:\Users\Chuck\Downloads\BestCodecsPack (4).exe
  C:\Users\Chuck\Downloads\BestCodecsPack.exe
  C:\Users\Chuck\Downloads\RegCleanPro.exe
  C:\Users\Chuck\Downloads\setup (1).exe
  C:\Users\Chuck\Downloads\setup (2).exe
  C:\Users\Chuck\Downloads\setup (3).exe
  C:\Users\Chuck\Downloads\setup (4).exe
  C:\Users\Chuck\Downloads\setup (5).exe
  C:\Users\Chuck\Downloads\setup (6).exe
  C:\Users\Chuck\Downloads\setup.exe
  C:\Users\Chuck\Downloads\uplayermediaplayer-setup.exe
  C:\Windows.old\Program Files (x86)\Zynga\tbZyn1.dll
  C:\Windows.old\Program Files (x86)\Zynga\tbZyng.dll
  
  :Commands
  [EMPTYTEMP]
  [CREATERESTOREPOINT]
  

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Then post Fix OTL log as well as a new OTL log by rerunning it after reboot without custom scans script.

[Lytnup]

Conspire,

 

All processes killed

========== FILES ==========

C:\Program Files (x86)\Uninstall Information\ib_uninst_342\uninstall.exe moved successfully.

C:\Program Files (x86)\Uninstall Information\ib_uninst_343\uninstall.exe moved successfully.

C:\Program Files (x86)\Uninstall Information\ib_uninst_454\uninstall.exe moved successfully.

File\Folder C:\Program Files (x86)\Uninstall not found.

File\Folder Information\ib_uninst_518\uninstall.exe not found.

C:\Program Files (x86)\Uninstall Information\ib_uninst_519\uninstall.exe moved successfully.

File\Folder C:\Users\Chuck\Downloads\BestCodecsPack (1).exe not found.

File\Folder C:\Users\Chuck\Downloads\BestCodecsPack (2).exe not found.

File\Folder C:\Users\Chuck\Downloads\BestCodecsPack (3).exe not found.

File\Folder C:\Users\Chuck\Downloads\BestCodecsPack (4).exe not found.

File\Folder C:\Users\Chuck\Downloads\BestCodecsPack.exe not found.

File\Folder C:\Users\Chuck\Downloads\RegCleanPro.exe not found.

File\Folder C:\Users\Chuck\Downloads\setup (1).exe not found.

File\Folder C:\Users\Chuck\Downloads\setup (2).exe not found.

File\Folder C:\Users\Chuck\Downloads\setup (3).exe not found.

File\Folder C:\Users\Chuck\Downloads\setup (4).exe not found.

File\Folder C:\Users\Chuck\Downloads\setup (5).exe not found.

File\Folder C:\Users\Chuck\Downloads\setup (6).exe not found.

C:\Users\Chuck\Downloads\setup.exe moved successfully.

C:\Users\Chuck\Downloads\uplayermediaplayer-setup.exe moved successfully.

C:\Windows.old\Program Files (x86)\Zynga\tbZyn1.dll moved successfully.

C:\Windows.old\Program Files (x86)\Zynga\tbZyng.dll moved successfully.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: All Users

 

User: Chuck

->Temp folder emptied: 1348036 bytes

->Temporary Internet Files folder emptied: 938763 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

->Google Chrome cache emptied: 280625053 bytes

->Apple Safari cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

 

User: Default

->Temp folder emptied: 0 bytes

 

Clean OTL

 

OTL logfile created on: 11/7/2013 10:34:51 PM - Run 4

OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Chuck\Downloads

64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 9.10.9200.16721)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

 

1.87 Gb Total Physical Memory | 0.19 Gb Available Physical Memory | 10.11% Memory free

3.75 Gb Paging File | 1.46 Gb Available in Paging File | 38.95% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 297.99 Gb Total Space | 196.25 Gb Free Space | 65.86% Space Free | Partition Type: NTFS

Drive D: | 438.49 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive E: | 100.00 Mb Total Space | 70.31 Mb Free Space | 70.31% Space Free | Partition Type: NTFS

 

Computer Name: CHUCK-PC | User Name: Chuck | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 

========== Processes (SafeList) ==========

 

PRC - C:\Users\Chuck\Downloads\OTL.exe (OldTimer Tools)

PRC - C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler.exe (Google Inc.)

PRC - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)

PRC - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)

PRC - C:\Program Files (x86)\AVG\AVG2014\avgui.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe ()

PRC - C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)

PRC - C:\Program Files (x86)\SpeedBit Video Accelerator\VideoAcceleratorService.exe (SpeedBit Ltd.)

PRC - C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)

PRC - C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe ()

PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)

PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)

PRC - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

 

 

========== Modules (No Company Name) ==========

 

MOD - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\ppgooglenaclpluginchrome.dll ()

MOD - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\pdf.dll ()

MOD - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\libglesv2.dll ()

MOD - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\libegl.dll ()

MOD - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\ffmpegsumo.dll ()

MOD - C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe ()

MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll ()

MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll ()

MOD - C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll ()

 

 

========== Services (SafeList) ==========

 

SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV:64bit: - (NisSrv) -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)

SRV:64bit: - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)

SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

SRV - (LMIMaint) -- C:\Program Files (x86)\LogMeIn\x64\ramaint.exe (LogMeIn, Inc.)

SRV - (LMIGuardianSvc) -- C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe (LogMeIn, Inc.)

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)

SRV - (AVGIDSAgent) -- C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe (AVG Technologies CZ, s.r.o.)

SRV - (avgwd) -- C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)

SRV - (VideoAcceleratorService) -- C:\Program Files (x86)\SpeedBit Video Accelerator\VideoAcceleratorService.exe (SpeedBit Ltd.)

SRV - (RealNetworks Downloader Resolver Service) -- C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe ()

SRV - (LogMeIn) -- C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe (LogMeIn, Inc.)

SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)

SRV - (HPSLPSVC) -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL (Hewlett-Packard Co.)

SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (YahooAUService) -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

 

 

========== Driver Services (SafeList) ==========

 

DRV:64bit: - (LMIRfsClientNP) -- C:\Windows\SysNative\LMIRfsClientNP.dll (LogMeIn, Inc.)

DRV:64bit: - (avgtp) -- C:\Windows\SysNative\drivers\avgtpx64.sys (AVG Technologies)

DRV:64bit: - (Avgdiska) -- C:\Windows\SysNative\drivers\avgdiska.sys (AVG Technologies CZ, s.r.o.)

DRV:64bit: - (Avgrkx64) -- C:\Windows\SysNative\drivers\avgrkx64.sys (AVG Technologies CZ, s.r.o.)

DRV:64bit: - (Avgldx64) -- C:\Windows\SysNative\drivers\avgldx64.sys (AVG Technologies CZ, s.r.o.)

DRV:64bit: - (Avgloga) -- C:\Windows\SysNative\drivers\avgloga.sys (AVG Technologies CZ, s.r.o.)

DRV:64bit: - (AVGIDSHA) -- C:\Windows\SysNative\drivers\avgidsha.sys (AVG Technologies CZ, s.r.o.)

DRV:64bit: - (AVGIDSDriver) -- C:\Windows\SysNative\drivers\avgidsdrivera.sys (AVG Technologies CZ, s.r.o.)

DRV:64bit: - (Avgmfx64) -- C:\Windows\SysNative\drivers\avgmfx64.sys (AVG Technologies CZ, s.r.o.)

DRV:64bit: - (Avgtdia) -- C:\Windows\SysNative\drivers\avgtdia.sys (AVG Technologies CZ, s.r.o.)

DRV:64bit: - (LMIRfsDriver) -- C:\Windows\SysNative\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)

DRV:64bit: - (lmimirr) -- C:\Windows\SysNative\drivers\lmimirr.sys (LogMeIn, Inc.)

DRV:64bit: - (USBAAPL64) -- C:\Windows\SysNative\drivers\usbaapl64.sys (Apple, Inc.)

DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)

DRV:64bit: - (ssadmdm) -- C:\Windows\SysNative\drivers\ssadmdm.sys (MCCI Corporation)

DRV:64bit: - (ssadbus) -- C:\Windows\SysNative\drivers\ssadbus.sys (MCCI Corporation)

DRV:64bit: - (androidusb) -- C:\Windows\SysNative\drivers\ssadadb.sys (Google Inc)

DRV:64bit: - (ssadmdfl) -- C:\Windows\SysNative\drivers\ssadmdfl.sys (MCCI Corporation)

DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)

DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)

DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)

DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)

DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)

DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)

DRV:64bit: - (Point64) -- C:\Windows\SysNative\drivers\point64.sys (Microsoft Corporation)

DRV:64bit: - (dc3d) -- C:\Windows\SysNative\drivers\dc3d.sys (Microsoft Corporation)

DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)

DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)

DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)

DRV:64bit: - (NVENETFD) -- C:\Windows\SysNative\drivers\nvm62x64.sys (NVIDIA Corporation)

DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)

DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)

DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)

DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)

DRV:64bit: - (LVUSBS64) -- C:\Windows\SysNative\drivers\LVUSBS64.sys (Logitech Inc.)

DRV:64bit: - (PID_PEPI) -- C:\Windows\SysNative\drivers\LV302V64.SYS (Logitech Inc.)

DRV:64bit: - (LVRS64) -- C:\Windows\SysNative\drivers\lvrs64.sys (Logitech Inc.)

DRV:64bit: - (lvpepf64) -- C:\Windows\SysNative\drivers\lv302a64.sys (Logitech Inc.)

DRV - (LMIInfo) -- C:\Program Files (x86)\LogMeIn\x64\rainfo.sys (LogMeIn, Inc.)

DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)

 

 

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

 

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKLM\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - SOFTWARE\Classes\CLSID\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\InprocServer32 File not found

IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT2438727

IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.sof...q={searchTerms}

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A0 D9 98 2A 8D B3 CB 01  [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = E0 73 7F 01 CE 92 DB 49 93 44 82 6E 48 3E BC 6F  [binary data]

IE - HKCU\..\URLSearchHook:  - No CLSID value found

IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll (Yahoo! Inc.)

IE - HKCU\..\SearchScopes,DefaultScope = 

IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC

IE - HKCU\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo....ms}&fr=chr-tyc8

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 

 

========== FireFox ==========

 

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.12\\npsitesafety.dll File not found

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.10.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.10.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=16.0.0.282: c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.3.0: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.3.0: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprndlpepperflashvideoshim;version=1.3.0: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=16.0.0.282: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)

FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Chuck\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)

 

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/01/15 19:39:36 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\17.0.1.12 [2013/10/02 05:01:17 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{34712C68-7391-4c47-94F3-8F88D49AD632}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ [2013/02/03 13:54:23 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013/02/03 13:54:23 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/01/15 19:39:36 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\games@acandy.com: C:\Users\Chuck\AppData\Local\ArcadeCandy\games@acandy.com

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\module@com.arcadesafari.firefox: C:\Users\Chuck\AppData\Local\Arcadesafari\module@com.arcadesafari.firefox [2013/02/10 14:29:30 | 000,000,000 | ---D | M]

 

[2012/03/22 16:44:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chuck\AppData\Roaming\Mozilla\Extensions

[2013/11/02 07:02:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\ddlo8ag6.default\extensions

[2012/03/22 16:44:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions

[2012/03/12 23:38:32 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

[2012/03/12 23:38:32 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

 

========== Chrome  ==========

 

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},

CHR - homepage: http://search.babylo...00000306721c308

CHR - Extension: ShopAtHome.com extension = C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlmebkoiahbppacaicbgncnjhbpdfkcc\7.1.0.16_0\

CHR - Extension: ShopAtHome.com extension = C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlmebkoiahbppacaicbgncnjhbpdfkcc\7.1.0.16_1\

CHR - Extension: RealDownloader = C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji\1.3.0_1\

CHR - Extension: Google Wallet = C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0\

 

O1 HOSTS File: ([2013/11/01 07:59:57 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O1 - Hosts: 127.0.0.1       localhost

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll (Yahoo! Inc.)

O2 - BHO: (no name) - {1036AD63-AEAC-460B-9060-C96005D4DC86} - No CLSID value found.

O2 - BHO: (RealNetworks Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)

O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files (x86)\Zynga\tbZyng.dll File not found

O2 - BHO: (AVG SafeGuard toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\17.0.1.12\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)

O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)

O3 - HKLM\..\Toolbar: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files (x86)\Zynga\tbZyng.dll File not found

O3 - HKLM\..\Toolbar: (AVG SafeGuard toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\17.0.1.12\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)

O3 - HKLM\..\Toolbar: (no name) - {98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found.

O3 - HKLM\..\Toolbar: (no name) - {C80BDEB2-8735-44C6-BD55-A1CCD555667A} - No CLSID value found.

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll (Yahoo! Inc.)

O4:64bit: - HKLM..\Run: [IntelliPoint] c:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)

O4:64bit: - HKLM..\Run: [LogMeIn GUI] C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe (LogMeIn, Inc.)

O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [AVG_UI] C:\Program Files (x86)\AVG\AVG2014\avgui.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [vProt] C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe ()

O4 - HKCU..\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe (Apple Inc.)

O4 - HKCU..\Run: [Facebook Update] C:\Users\Chuck\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)

O4 - Startup: C:\Users\Chuck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8:64bit: - Extra context menu item: Open with WordPerfect - c:\Program Files (x86)\Corel\WordPerfect Office X6\Programs\WPLauncher.hta File not found

O8 - Extra context menu item: Open with WordPerfect - c:\Program Files (x86)\Corel\WordPerfect Office X6\Programs\WPLauncher.hta File not found

O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files (x86)\SpeedBit Video Accelerator\SBLSP.dll (SpeedBit)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files (x86)\SpeedBit Video Accelerator\SBLSP.dll (SpeedBit)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files (x86)\SpeedBit Video Accelerator\SBLSP.dll (SpeedBit)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files (x86)\SpeedBit Video Accelerator\SBLSP.dll (SpeedBit)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files (x86)\SpeedBit Video Accelerator\SBLSP.dll (SpeedBit)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files (x86)\SpeedBit Video Accelerator\SBLSP.dll (SpeedBit)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files (x86)\SpeedBit Video Accelerator\SBLSP.dll (SpeedBit)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files (x86)\SpeedBit Video Accelerator\SBLSP.dll (SpeedBit)

O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files (x86)\SpeedBit Video Accelerator\SBLSP.dll (SpeedBit)

O13 - gopher Prefix: missing

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll (Installation Support)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.250.0.12

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C4738B20-4F64-4786-8651-8E1176449D3B}: DhcpNameServer = 192.168.1.1 71.250.0.12

O18:64bit: - Protocol\Handler\ipp - No CLSID value found

O18:64bit: - Protocol\Handler\ipp\0x00000001 - No CLSID value found

O18:64bit: - Protocol\Handler\linkscanner - No CLSID value found

O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found

O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found

O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found

O18:64bit: - Protocol\Handler\viprotocol - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\linkscanner - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.0.12\ViProtocol.dll File not found

O20 - AppInit_DLLs: (c:\progra~3\bprote~1\21419~1.7\protec~1.dll) -  File not found

O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [1995/12/03 20:00:00 | 000,000,053 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O35 - HKCU\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

 

========== Files/Folders - Created Within 30 Days ==========

 

[2013/11/06 06:03:08 | 000,000,000 | ---D | C] -- C:\Users\Chuck\AppData\Roaming\Malwarebytes

[2013/11/06 06:02:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2013/11/06 06:02:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2013/11/06 06:02:55 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

[2013/11/06 06:02:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware

[2013/11/06 06:00:56 | 000,000,000 | ---D | C] -- C:\Users\Chuck\AppData\Local\Programs

[2013/11/05 19:06:26 | 000,000,000 | ---D | C] -- C:\_OTL

[2013/11/05 06:27:04 | 000,000,000 | ---D | C] -- C:\Users\Chuck\Desktop\(26 unread) - temco20@verizon.net - Verizon Yahoo Mail_files

[2013/11/02 07:23:03 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT

[2013/11/01 14:00:45 | 000,000,000 | ---D | C] -- C:\AdwCleaner

[2013/11/01 08:03:35 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2013/11/01 07:47:42 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2013/11/01 07:47:42 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2013/11/01 07:47:42 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2013/11/01 07:47:11 | 000,000,000 | ---D | C] -- C:\Qoobox

[2013/10/31 12:47:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite

[2013/10/31 12:47:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities

[2013/10/30 21:03:35 | 000,000,000 | ---D | C] -- C:\Users\Chuck\Desktop\Virus Files

[2013/10/19 10:43:42 | 000,000,000 | ---D | C] -- C:\Users\Chuck\AppData\Local\Kingsoft

[2013/10/19 10:42:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kingsoft Office

[2013/10/19 10:41:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Kingsoft

[2013/10/19 10:41:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Kingsoft

[2013/10/19 10:41:10 | 000,000,000 | ---D | C] -- C:\Users\Chuck\AppData\Roaming\Kingsoft

[2013/10/19 10:31:31 | 000,000,000 | ---D | C] -- C:\Users\Chuck\AppData\Roaming\1O1L1I1PtF1F1C1N

[2013/10/19 10:27:49 | 000,000,000 | ---D | C] -- C:\Users\Chuck\AppData\Local\avgchrome

[2013/10/19 10:15:12 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\appmgmt

[2013/10/19 10:12:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\File Association Manager

[2013/10/14 22:07:26 | 000,000,000 | ---D | C] -- C:\Users\Chuck\AppData\Roaming\AVG2014

[2013/10/14 22:02:39 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2014

[2013/10/14 21:28:10 | 000,000,000 | ---D | C] -- C:\Users\Chuck\AppData\Local\Avg2014

[2013/10/09 21:46:59 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll

[2013/10/09 21:46:58 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll

[2013/10/09 21:46:58 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll

[2013/10/09 21:46:57 | 000,136,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll

[2013/10/09 21:46:57 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll

[2013/10/09 21:46:57 | 000,089,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RegisterIEPKEYs.exe

[2013/10/09 21:46:57 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RegisterIEPKEYs.exe

[2013/10/09 21:46:57 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll

[2013/10/09 21:46:57 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe

[2013/10/09 21:46:57 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll

[2013/10/09 21:46:57 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll

[2013/10/09 21:46:55 | 000,855,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll

[2013/10/09 21:46:55 | 000,690,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll

[2013/10/09 21:46:55 | 000,603,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll

[2013/10/09 21:46:54 | 003,959,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll

[2013/10/09 21:42:03 | 000,000,000 | ---D | C] -- C:\52c475938af82c11600971

[2013/10/09 21:33:23 | 000,000,000 | ---D | C] -- C:\45e5ff06080eec68cdc8aec4d49a

[2013/10/09 04:57:18 | 000,633,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\comctl32.dll

[2013/10/09 04:57:15 | 000,368,128 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll

[2013/10/09 04:57:15 | 000,295,424 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll

[2013/10/09 04:57:15 | 000,100,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\fontsub.dll

[2013/10/09 04:57:15 | 000,070,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\fontsub.dll

[2013/10/09 04:57:15 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll

[2013/10/09 04:57:15 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\lpk.dll

[2013/10/09 04:57:15 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll

[2013/10/09 04:57:15 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dciman32.dll

[2013/10/09 04:57:11 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\hidclass.sys

[2013/10/09 04:57:11 | 000,032,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\hidparse.sys

[2013/10/09 04:57:08 | 000,102,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\davclnt.dll

[2013/10/09 04:56:56 | 005,549,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe

[2013/10/09 04:56:56 | 000,878,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\advapi32.dll

[2013/10/09 04:56:55 | 003,969,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe

[2013/10/09 04:56:54 | 003,914,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe

[2013/10/09 04:56:54 | 001,732,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntdll.dll

[2013/10/09 04:56:54 | 000,859,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\tdh.dll

[2013/10/09 04:56:54 | 000,619,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\tdh.dll

[2013/10/09 04:56:53 | 000,243,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll

[2013/10/09 04:56:48 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll

[2013/10/09 04:56:47 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe

[2013/10/09 04:56:47 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe

[2013/10/09 04:56:47 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll

[2013/10/09 04:56:47 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe

[2013/10/09 04:56:24 | 000,124,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\PresentationCFFRasterizerNative_v0300.dll

[2013/10/09 04:56:24 | 000,102,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll

[2013/10/09 04:56:19 | 000,461,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\scavengeui.dll

[2013/10/09 04:56:05 | 000,325,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\usbport.sys

[2013/10/09 04:56:05 | 000,007,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\usbd.sys

[6 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]

 

========== Files - Modified Within 30 Days ==========

 

[2013/11/07 22:38:07 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job

[2013/11/07 22:35:22 | 000,014,816 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2013/11/07 22:35:22 | 000,014,816 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2013/11/07 22:30:23 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2013/11/07 22:30:18 | 000,000,402 | ---- | M] () -- C:\Windows\tasks\Free File Viewer Update Checker.job

[2013/11/07 22:30:14 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\ContinueToSaveUpdaterTask{84A2E8B7-B46B-4050-B93A-5F893E706D55}.job

[2013/11/07 22:30:03 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2013/11/07 22:30:00 | 1508,761,600 | -HS- | M] () -- C:\hiberfil.sys

[2013/11/07 21:55:00 | 000,000,374 | ---- | M] () -- C:\Windows\tasks\WpsUpdateTask_Chuck.job

[2013/11/07 21:50:00 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2013/11/07 21:12:01 | 000,000,928 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2109932682-201200126-2622220936-1000UA.job

[2013/11/07 20:22:42 | 000,000,464 | ---- | M] () -- C:\Windows\tasks\Arcadesafari.job

[2013/11/07 18:12:00 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2109932682-201200126-2622220936-1000Core.job

[2013/11/07 04:49:56 | 000,749,358 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2013/11/07 04:49:56 | 000,639,172 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2013/11/07 04:49:56 | 000,113,508 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2013/11/06 06:02:57 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2013/11/05 06:27:04 | 000,393,059 | ---- | M] () -- C:\Users\Chuck\Desktop\(26 unread) - temco20@verizon.net - Verizon Yahoo Mail.htm

[2013/11/01 07:59:57 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts

[2013/10/31 12:47:25 | 000,001,134 | ---- | M] () -- C:\Users\Public\Desktop\Express Zip.lnk

[2013/10/25 04:49:02 | 000,107,368 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIRfsClientNP.dll

[2013/10/25 04:49:01 | 000,092,488 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIinit.dll

[2013/10/25 04:49:01 | 000,035,656 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIport.dll

[2013/10/24 20:58:09 | 000,000,164 | ---- | M] () -- C:\Windows\SysNative\cc_20131024_215801.reg

[2013/10/24 20:57:28 | 000,075,972 | ---- | M] () -- C:\Windows\SysNative\cc_20131024_215713.reg

[2013/10/20 09:27:48 | 000,332,960 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[2013/10/19 10:42:40 | 000,001,404 | ---- | M] () -- C:\Users\Public\Desktop\Kingsoft Writer.lnk

[2013/10/19 10:42:40 | 000,001,402 | ---- | M] () -- C:\Users\Public\Desktop\Kingsoft Presentation.lnk

[2013/10/19 10:42:40 | 000,001,383 | ---- | M] () -- C:\Users\Public\Desktop\Kingsoft Spreadsheets.lnk

[2013/10/19 10:27:25 | 000,001,165 | ---- | M] () -- C:\Users\Chuck\Desktop\Continue Kingsoft Office Free Download Installation.lnk

[2013/10/17 09:02:56 | 000,107,368 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIRfsClientNP.dll.000.bak

[2013/10/14 22:05:29 | 000,000,965 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2014.lnk

[2013/10/09 11:33:17 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe

[2013/10/09 11:33:17 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

[6 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]

 

========== Files Created - No Company Name ==========

 

[2013/11/06 06:02:57 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2013/11/05 06:27:03 | 000,393,059 | ---- | C] () -- C:\Users\Chuck\Desktop\(26 unread) - temco20@verizon.net - Verizon Yahoo Mail.htm

[2013/11/01 07:47:42 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2013/11/01 07:47:42 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2013/11/01 07:47:42 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2013/11/01 07:47:42 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2013/11/01 07:47:42 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2013/10/31 12:47:25 | 000,001,146 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Express Zip.lnk

[2013/10/31 12:47:25 | 000,001,134 | ---- | C] () -- C:\Users\Public\Desktop\Express Zip.lnk

[2013/10/24 20:58:03 | 000,000,164 | ---- | C] () -- C:\Windows\SysNative\cc_20131024_215801.reg

[2013/10/24 20:57:19 | 000,075,972 | ---- | C] () -- C:\Windows\SysNative\cc_20131024_215713.reg

[2013/10/19 10:42:41 | 000,000,374 | ---- | C] () -- C:\Windows\tasks\WpsUpdateTask_Chuck.job

[2013/10/19 10:42:40 | 000,001,404 | ---- | C] () -- C:\Users\Public\Desktop\Kingsoft Writer.lnk

[2013/10/19 10:42:40 | 000,001,402 | ---- | C] () -- C:\Users\Public\Desktop\Kingsoft Presentation.lnk

[2013/10/19 10:42:40 | 000,001,383 | ---- | C] () -- C:\Users\Public\Desktop\Kingsoft Spreadsheets.lnk

[2013/10/19 10:27:25 | 000,001,165 | ---- | C] () -- C:\Users\Chuck\Desktop\Continue Kingsoft Office Free Download Installation.lnk

[2013/10/14 22:05:28 | 000,000,965 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2014.lnk

[2013/05/20 19:29:16 | 000,135,280 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat

[2013/02/02 11:18:27 | 000,210,841 | ---- | C] () -- C:\Windows\hpoins21.dat.temp

[2013/02/02 11:18:27 | 000,005,474 | ---- | C] () -- C:\Windows\hpomdl21.dat.temp

[2013/01/12 16:56:01 | 000,000,207 | ---- | C] () -- C:\Windows\tweaking.com-regbackup-CHUCK-PC-Microsoft-Windows-7-Ultimate-(64-bit).dat

[2012/06/28 18:39:15 | 000,348,160 | ---- | C] () -- C:\Windows\SysWow64\cdga.dll

[2011/01/15 11:58:23 | 000,000,093 | ---- | C] () -- C:\Users\Chuck\AppData\Local\fusioncache.dat

 

========== ZeroAccess Check ==========

 

[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

 

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

 

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

 

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

 

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

 

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

"" = C:\Windows\SysNative\shell32.dll -- [2013/07/25 21:24:57 | 014,172,672 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

 

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shell32.dll -- [2013/07/25 20:55:59 | 012,872,704 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

 

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

 

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\SysWow64\wbem\fastprox.dll -- [2010/11/20 07:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

 

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

 

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

 

========== Alternate Data Streams ==========

 

@Alternate Data Stream - 195 bytes -> C:\ProgramData\TEMP:A3E39C6A

@Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:3A0561F3

@Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:0B4227B4

 

< End of report >

 

[Conspire]

Chuck,

Are there any crashes after the last one? Any new issues that you have encountered?

[Lytnup]

Seems ok...haven't noticed anything.

 

Chuck,

Lytnup

[Conspire]

Alright, you're good to go then!

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

===================================================

Thank you for your patience, and performing all of the procedures requested. I would also like to take this opportunity to apologize for any delay that may have occurred.

--------------------------------------------------------------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.


Passwords
It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them and consider a password keeper, to keep all your passwords safe.


SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles:

• • How Did I Get Infected In The First Place? by TonyKlein
  • How to Prevent Malware by miekiemoes
  • PC Safety and Security--What Do I Need?

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

• WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an add-on available for both Firefox and IE.

• SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here

• MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Download Host.zip and Save it to your Desktop.
  • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
  • Follow the prompts and click 'Finish'.
  • This will open the newly created hosts folder on your Desktop.
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  • Once updated you should see another prompt that the task was completed.

Follow this list and keep your antivirus program and antispyware programs updated and scan with them on a regular basis. By doing so, your potential for being infected again will reduce dramatically.

Hopefully this should take care of your problems! Good luck.

Do you have any questions or problems to ask? Please do not hesitate to do so.

**Please respond this one more time to ensure it is resolved and close this topic.

[Lytnup]

Conspire,

 

Thanks...again.

 

One more question.

 

Every now and then I get a pop up about Oracle "JustCheck".  Is this something to be concerned about?

 

Chuck

[Conspire]

Is it asking you to update Java?

 

One more thing, I forgot to include Combofix removal instructions. I am so sorry for being tardy and this is what I would like you to do.

 

Download ComboFix here and save to your desktop. Don't need to run it again.

 

Follow these steps to uninstall Combofix

• Click START then RUN
• Now copy/paste the code into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Combofix /Uninstall

[Conspire]

Thanks for your donation BTW

[Conspire]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.