Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91699 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

leftover malware / virus on this machine? [Solved]


  • This topic is locked This topic is locked
28 replies to this topic

#16 1695814

1695814

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 25 January 2014 - 01:36 PM

Here's the JRT log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.0 (01.07.2014:1)
OS: Windows Vista ™ Business x86
Ran by Kristianna on Sat 01/25/2014 at  9:27:15.38
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\Kristianna\AppData\Roaming\mozilla\firefox\profiles\swwh6nj9.default\minidumps [10 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 01/25/2014 at  9:30:34.18
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


    Advertisements

Register to Remove


#17 1695814

1695814

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 25 January 2014 - 01:45 PM

...and here is the OTL log:

 

OTL logfile created on: 1/25/2014 1:37:35 PM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Kristianna\Desktop
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.99 Gb Total Physical Memory | 1.05 Gb Available Physical Memory | 52.82% Memory free
4.21 Gb Paging File | 2.93 Gb Available in Paging File | 69.52% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 8.74 Gb Free Space | 11.73% Space Free | Partition Type: NTFS
Drive D: | 5.30 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 930.86 Gb Total Space | 416.13 Gb Free Space | 44.70% Space Free | Partition Type: NTFS
Drive F: | 442.98 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
 
Computer Name: KMKW | User Name: Kristianna | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Windows\System32\rpcnetp.exe ()
PRC - C:\Users\Kristianna\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\HP\HP Officejet 6700\Bin\ScanToPCActivationApp.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\HP\HP Officejet 6700\Bin\HPNetworkCommunicator.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\BOINC\boincmgr.exe (World Community Grid)
PRC - C:\Program Files\BOINC\boinctray.exe (Space Sciences Laboratory)
PRC - C:\Program Files\BOINC\boinc.exe (World Community Grid)
PRC - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe (Western Digital)
PRC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)
PRC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe (WDC)
PRC - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe (Memeo)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Users\Kristianna\AppData\Roaming\Mozilla\Firefox\Profiles\swwh6nj9.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\f453ecc6bb7fc8d52d61247676944623\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\73d9bc894522543b561a0342dac87c06\System.Windows.Forms.ni.dll ()
MOD - C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\c0cc4069b1d17f3f7e9d9ec857d797d4\Microsoft.VisualBasic.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\e77e7cdf3072d5a658832b8863ff439e\System.Management.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\5974034f0f53755b11bde4c9698261cb\System.ServiceProcess.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\59eba2680c01c33b2b3f5385979e32c6\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b167ef6967ad27503c6ac6aabcef1aff\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\09f5b3f7a363b742a73937e818595597\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\c0df7e124d8d5e2821fd7d3921d404f7\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\1eff630f4194c74287d1dd4a859693f7\System.Data.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\d7153acb7b6ccb5a6a886d6f0ab732b1\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\6a938df70a8b7996a3890b4f34c83906\mscorlib.ni.dll ()
MOD - C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl ()
MOD - C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl ()
MOD - C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll ()
MOD - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\Memeo.API.dll ()
MOD - C:\Program Files\BOINC\zlib1.dll ()
MOD - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\sqlite3.dll ()
MOD - C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll ()
 
 
========== Services (SafeList) ==========
 
SRV - (SDWSCService) -- C:\Program Files\Spybot File not found
SRV - (SDUpdateService) -- C:\Program Files\Spybot File not found
SRV - (SDScannerService) -- C:\Program Files\Spybot File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (NisSrv) -- c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (Microsoft SharePoint Workspace Audit Service) -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE (Microsoft Corporation)
SRV - (WDDMService) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe (WDC)
SRV - (WDSmartWareBackgroundService) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe (Memeo)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV - (WDC_SAM) -- C:\Windows\System32\drivers\wdcsam.sys (Western Digital Technologies)
DRV - (NETw5v32) -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (e1express) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (WSDPrintDevice) -- C:\Windows\System32\drivers\WSDPrint.sys (Microsoft Corporation)
DRV - (NETw3v32) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (GTIPCI21) -- C:\Windows\System32\drivers\gtipci21.sys (Texas Instruments)
DRV - (tifm21) -- C:\Windows\System32\drivers\tifm21.sys (Texas Instruments)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 90 56 A9 C6 9B 05 CF 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{C486C653-55EF-4064-8FA1-861A14BCF2CE}: "URL" = https://www.google.c...q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8080
 
========== FireFox ==========
 
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledAddons: support%40lastpass.com:3.0.12
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:26.0
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 26.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 26.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2013/08/08 07:06:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kristianna\AppData\Roaming\Mozilla\Extensions
[2013/12/22 13:26:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kristianna\AppData\Roaming\Mozilla\Firefox\Profiles\swwh6nj9.default\extensions
[2013/11/29 14:00:11 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\Kristianna\AppData\Roaming\Mozilla\Firefox\Profiles\swwh6nj9.default\extensions\support@lastpass.com
[2014/01/21 19:55:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2014/01/21 19:55:23 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2014/01/21 19:29:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\updated\browser\extensions
[2014/01/21 19:30:22 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\updated\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: http://www.google.com
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\31.0.1650.63\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\31.0.1650.63\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\31.0.1650.63\pdf.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: Google Docs = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: Google Drive = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: avast! Online Security = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki\9.0.2011.70_0\
CHR - Extension: LastPass = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd\3.0.19_0\
CHR - Extension: Google Wallet = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.0_0\
CHR - Extension: Gmail = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2006/09/18 15:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (LastPass Vault) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [boincmgr] C:\Program Files\BOINC\boincmgr.exe (World Community Grid)
O4 - HKLM..\Run: [boinctray] C:\Program Files\BOINC\boinctray.exe (Space Sciences Laboratory)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SDTray] C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [EADM] C:\Program Files\Origin\Origin.exe (Electronic Arts)
O4 - HKCU..\Run: [HP Officejet 6700 (NET)] C:\Program Files\HP\HP Officejet 6700\Bin\ScanToPCActivationApp.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Users\Kristianna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: LastPass - file://C:\Users\Kristianna\AppData\LocalLow\LastPass\context.html?cmd=lastpass File not found
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\Kristianna\AppData\LocalLow\LastPass\context.html?cmd=fillforms File not found
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
O9 - Extra 'Tools' menuitem : LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.2.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3EEF5C47-3339-48E5-94EC-65F7AB7F1E82}: DhcpNameServer = 192.168.0.1 205.171.2.25
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) -  File not found
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) -  File not found
O24 - Desktop WallPaper: C:\Users\Kristianna\Pictures\Airplane in a Thunderstorm.jpg
O24 - Desktop BackupWallPaper: C:\Users\Kristianna\Pictures\Airplane in a Thunderstorm.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/09/16 01:07:13 | 000,054,544 | R--- | M] (Electronic Arts) - D:\Autorun.exe -- [ UDF ]
O32 - AutoRun File - [2011/09/15 22:58:13 | 000,000,049 | R--- | M] () - D:\Autorun.inf -- [ UDF ]
O32 - AutoRun File - [2010/01/28 14:00:27 | 000,000,088 | ---- | M] () - F:\autorun.inf -- [ UDF ]
O33 - MountPoints2\{3c31c24d-fffb-11e2-bb2a-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{3c31c24d-fffb-11e2-bb2a-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Autorun.exe -- [2011/09/16 01:07:13 | 000,054,544 | R--- | M] (Electronic Arts)
O33 - MountPoints2\{6a4e5ea5-8303-11e3-8514-00e0b8cc5e72}\Shell - "" = AutoRun
O33 - MountPoints2\{6a4e5ea5-8303-11e3-8514-00e0b8cc5e72}\Shell\AutoRun\command - "" = F:\WD SmartWare.exe -- [2010/01/21 18:13:40 | 003,330,848 | ---- | M] (Western Digital)
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (sdnclean.exe)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/01/25 09:27:03 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/01/25 09:24:17 | 001,037,068 | ---- | C] (Thisisu) -- C:\Users\Kristianna\Desktop\JRT.exe
[2014/01/23 20:05:35 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/01/22 19:57:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2014/01/22 19:54:48 | 000,074,456 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamchameleon.sys
[2014/01/22 19:54:29 | 000,000,000 | ---D | C] -- C:\Users\Kristianna\Desktop\mbar
[2014/01/21 21:01:19 | 000,000,000 | ---D | C] -- C:\ProgramData\WD_SmartWareCommon
[2014/01/21 21:00:41 | 000,000,000 | ---D | C] -- C:\Users\Kristianna\AppData\Local\Western_Digital
[2014/01/21 20:57:07 | 000,000,000 | ---D | C] -- C:\Users\Kristianna\AppData\Roaming\Western Digital
[2014/01/21 20:54:48 | 000,000,000 | ---D | C] -- C:\Program Files\Western Digital
[2014/01/21 20:54:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WD SmartWare
[2014/01/21 20:25:28 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2014/01/21 20:21:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Western Digital
[2014/01/21 20:20:39 | 000,000,000 | ---D | C] -- C:\Users\Kristianna\AppData\Local\Western Digital
[2014/01/21 20:11:18 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Kristianna\Desktop\OTL.exe
[2014/01/21 20:11:09 | 012,582,688 | ---- | C] (Malwarebytes Corp.) -- C:\Users\Kristianna\Desktop\mbar-1.07.0.1008.exe
[2014/01/20 09:02:04 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Kristianna\Desktop\HiJackThis.exe
[2014/01/11 21:52:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
[2014/01/11 21:52:21 | 000,018,968 | ---- | C] (Safer Networking Limited) -- C:\Windows\System32\sdnclean.exe
[2014/01/11 21:52:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2014/01/11 21:51:47 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2014/01/11 10:55:48 | 000,104,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2013/08/08 19:43:24 | 011,019,776 | ---- | C] (LastPass) -- C:\Program Files\Common Files\lpuninstall.exe
[1 C:\Users\Kristianna\Documents\*.tmp files -> C:\Users\Kristianna\Documents\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2014/01/25 13:18:11 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2014/01/25 13:18:11 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2014/01/25 12:53:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/01/25 12:53:00 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/01/25 12:52:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/01/25 09:24:26 | 001,037,068 | ---- | M] (Thisisu) -- C:\Users\Kristianna\Desktop\JRT.exe
[2014/01/25 09:18:40 | 000,000,644 | ---- | M] () -- C:\Windows\tasks\Check for updates (Spybot - Search & Destroy).job
[2014/01/25 09:18:13 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.dll
[2014/01/25 09:18:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/01/25 09:18:02 | 2137,448,448 | -HS- | M] () -- C:\hiberfil.sys
[2014/01/25 09:17:58 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.exe
[2014/01/23 20:03:51 | 001,236,282 | ---- | M] () -- C:\Users\Kristianna\Desktop\AdwCleaner.exe
[2014/01/22 19:57:46 | 000,104,664 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2014/01/22 19:54:48 | 000,074,456 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamchameleon.sys
[2014/01/22 19:49:20 | 000,000,616 | ---- | M] () -- C:\Windows\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2014/01/21 20:55:47 | 000,001,242 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WDSmartWare.lnk
[2014/01/21 20:55:46 | 000,001,181 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WDDMStatus.lnk
[2014/01/21 20:46:31 | 000,039,418 | ---- | M] () -- C:\Users\Kristianna\Documents\cc_20140121_204616.reg
[2014/01/21 20:25:34 | 000,000,764 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2014/01/21 20:24:21 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/01/21 20:24:21 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/01/21 20:12:41 | 012,582,688 | ---- | M] (Malwarebytes Corp.) -- C:\Users\Kristianna\Desktop\mbar-1.07.0.1008.exe
[2014/01/21 20:11:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kristianna\Desktop\OTL.exe
[2014/01/21 20:10:56 | 000,987,425 | ---- | M] () -- C:\Users\Kristianna\Desktop\SecurityCheck.exe
[2014/01/21 19:55:40 | 000,000,830 | ---- | M] () -- C:\Users\Kristianna\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2014/01/21 19:55:40 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2014/01/20 09:02:10 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Kristianna\Desktop\HiJackThis.exe
[2014/01/19 01:32:23 | 000,231,584 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2014/01/12 20:29:43 | 000,000,446 | ---- | M] () -- C:\Windows\tasks\Scan the system (Spybot - Search & Destroy).job
[2014/01/12 18:05:33 | 000,043,008 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\agremove.exe
[2014/01/11 21:52:33 | 000,001,918 | ---- | M] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[1 C:\Users\Kristianna\Documents\*.tmp files -> C:\Users\Kristianna\Documents\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2014/01/23 20:03:37 | 001,236,282 | ---- | C] () -- C:\Users\Kristianna\Desktop\AdwCleaner.exe
[2014/01/21 20:55:47 | 000,001,242 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WDSmartWare.lnk
[2014/01/21 20:55:46 | 000,001,181 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WDDMStatus.lnk
[2014/01/21 20:46:24 | 000,039,418 | ---- | C] () -- C:\Users\Kristianna\Documents\cc_20140121_204616.reg
[2014/01/21 20:25:34 | 000,000,764 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2014/01/21 20:10:43 | 000,987,425 | ---- | C] () -- C:\Users\Kristianna\Desktop\SecurityCheck.exe
[2014/01/12 20:58:50 | 2137,448,448 | -HS- | C] () -- C:\hiberfil.sys
[2014/01/11 21:53:32 | 000,000,446 | ---- | C] () -- C:\Windows\tasks\Scan the system (Spybot - Search & Destroy).job
[2014/01/11 21:53:29 | 000,000,616 | ---- | C] () -- C:\Windows\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2014/01/11 21:53:26 | 000,000,644 | ---- | C] () -- C:\Windows\tasks\Check for updates (Spybot - Search & Destroy).job
[2014/01/11 21:52:33 | 000,001,930 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2014/01/11 21:52:33 | 000,001,918 | ---- | C] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2014/01/11 07:39:10 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.exe
[2013/12/24 12:00:53 | 000,003,584 | ---- | C] () -- C:\Users\Kristianna\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/12/21 18:00:16 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.dll
[2013/08/28 20:42:06 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
[2013/08/10 17:34:29 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2013/08/10 17:34:29 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2013/08/10 17:33:38 | 000,643,072 | ---- | C] () -- C:\Windows\System32\autochk.exe
[2013/08/10 17:32:43 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2013/08/08 19:25:05 | 000,000,175 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys.sum
[2013/08/08 19:25:05 | 000,000,175 | ---- | C] () -- C:\Windows\System32\drivers\aswSP.sys.sum
[2013/08/08 19:25:05 | 000,000,175 | ---- | C] () -- C:\Windows\System32\drivers\aswSnx.sys.sum
[2013/08/08 08:15:28 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2013/08/08 06:47:54 | 000,000,680 | ---- | C] () -- C:\Users\Kristianna\AppData\Local\d3d9caps.dat
 
========== ZeroAccess Check ==========
 
[2006/11/02 06:54:18 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 00:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 00:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >
 



#18 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 26 January 2014 - 01:26 AM

Hi 1695814,

you can run chkdsk like paws suggested in your other topic:
Link
Graduate of the WTT Classroom
Cheers,
Jo

#19 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 26 January 2014 - 01:04 PM

Hi 1695814,

1. Please RUN HijackThis.

HijackThis includes a backup and restoral procedure in the event that you erroneously remove an entry that is actually legitimate. If you have configured HijackThis properly and placed it in a permanent folder of its own, you should be able to restore entries that were previously deleted. If you had HijackThis running from a temporary directory, then the restoral procedure will not work. Prior to using fixing anything with HijackThis make sure the configuration setting "Make backups before fixing items" is checked. HijackThis will then make a backup of any entries that you fix in a directory called "backups" that resides in the same location as Hijackthis.exe. Start HijackThis, click on "Config", and then the "Backup" button to view a listing of all the items that were fixed previously with the option of restoring them. Once you restore an item that is listed, the entries will show up again upon scanning with HijackThis.

  • Click the SCAN button to produce a log.
  • Place a check mark beside each one of the following items, if still present:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080
    
  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button.
    Close the HijackThis window.
Now check, if you can use the internet, send + receive emails.
If you have problems, the Fix HijackThis did, can be restored.



***


2. Run OTL again.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • don't check the boxes beside LOP Check and Purity Check this time.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open a notepad window OTL.Txt.
  • Please copy (Edit->Select All, Edit->Copy) the content of the file and post it with your next reply.

***


Graduate of the WTT Classroom
Cheers,
Jo

#20 1695814

1695814

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 26 January 2014 - 04:32 PM

I followed your instructions for HJT, removing that proxy server.  Everything seems to be working fine.

 

Here is the OTL log:

OTL logfile created on: 1/26/2014 4:23:20 PM - Run 3
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Kristianna\Desktop
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.99 Gb Total Physical Memory | 1.21 Gb Available Physical Memory | 60.79% Memory free
4.21 Gb Paging File | 3.00 Gb Available in Paging File | 71.16% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 7.70 Gb Free Space | 10.33% Space Free | Partition Type: NTFS
Drive D: | 5.30 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
 
Computer Name: KMKW | User Name: Kristianna | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Windows\System32\rpcnetp.exe ()
PRC - C:\Users\Kristianna\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\crashreporter.exe (Mozilla Foundation)
PRC - c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\HP\HP Officejet 6700\Bin\ScanToPCActivationApp.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\HP\HP Officejet 6700\Bin\HPNetworkCommunicator.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\BOINC\boincmgr.exe (World Community Grid)
PRC - C:\Program Files\BOINC\boinctray.exe (Space Sciences Laboratory)
PRC - C:\Program Files\BOINC\boinc.exe (World Community Grid)
PRC - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe (Western Digital)
PRC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)
PRC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe (WDC)
PRC - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe (Memeo)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\f453ecc6bb7fc8d52d61247676944623\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\73d9bc894522543b561a0342dac87c06\System.Windows.Forms.ni.dll ()
MOD - C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\c0cc4069b1d17f3f7e9d9ec857d797d4\Microsoft.VisualBasic.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\e77e7cdf3072d5a658832b8863ff439e\System.Management.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\5974034f0f53755b11bde4c9698261cb\System.ServiceProcess.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\59eba2680c01c33b2b3f5385979e32c6\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b167ef6967ad27503c6ac6aabcef1aff\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\09f5b3f7a363b742a73937e818595597\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\c0df7e124d8d5e2821fd7d3921d404f7\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\1eff630f4194c74287d1dd4a859693f7\System.Data.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\d7153acb7b6ccb5a6a886d6f0ab732b1\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\6a938df70a8b7996a3890b4f34c83906\mscorlib.ni.dll ()
MOD - C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl ()
MOD - C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl ()
MOD - C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll ()
MOD - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\Memeo.API.dll ()
MOD - C:\Program Files\BOINC\zlib1.dll ()
MOD - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\sqlite3.dll ()
MOD - C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll ()
 
 
========== Services (SafeList) ==========
 
SRV - (SDWSCService) -- C:\Program Files\Spybot File not found
SRV - (SDUpdateService) -- C:\Program Files\Spybot File not found
SRV - (SDScannerService) -- C:\Program Files\Spybot File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (NisSrv) -- c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (Microsoft SharePoint Workspace Audit Service) -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE (Microsoft Corporation)
SRV - (WDDMService) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe (WDC)
SRV - (WDSmartWareBackgroundService) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe (Memeo)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV - (WDC_SAM) -- C:\Windows\System32\drivers\wdcsam.sys (Western Digital Technologies)
DRV - (NETw5v32) -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (e1express) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (WSDPrintDevice) -- C:\Windows\System32\drivers\WSDPrint.sys (Microsoft Corporation)
DRV - (NETw3v32) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (GTIPCI21) -- C:\Windows\System32\drivers\gtipci21.sys (Texas Instruments)
DRV - (tifm21) -- C:\Windows\System32\drivers\tifm21.sys (Texas Instruments)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 90 56 A9 C6 9B 05 CF 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{C486C653-55EF-4064-8FA1-861A14BCF2CE}: "URL" = https://www.google.c...q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
 
========== FireFox ==========
 
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledAddons: support%40lastpass.com:3.0.12
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:26.0
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 26.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 26.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2013/08/08 07:06:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kristianna\AppData\Roaming\Mozilla\Extensions
[2013/12/22 13:26:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kristianna\AppData\Roaming\Mozilla\Firefox\Profiles\swwh6nj9.default\extensions
[2013/11/29 14:00:11 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\Kristianna\AppData\Roaming\Mozilla\Firefox\Profiles\swwh6nj9.default\extensions\support@lastpass.com
[2014/01/21 19:55:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2014/01/21 19:55:23 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2014/01/21 19:29:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\updated\browser\extensions
[2014/01/21 19:30:22 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\updated\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: http://www.google.com
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\31.0.1650.63\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\31.0.1650.63\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\31.0.1650.63\pdf.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: Google Docs = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: Google Drive = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: avast! Online Security = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki\9.0.2011.70_0\
CHR - Extension: LastPass = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd\3.0.19_0\
CHR - Extension: Google Wallet = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.0_0\
CHR - Extension: Gmail = C:\Users\Kristianna\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2006/09/18 15:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (LastPass Vault) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [boincmgr] C:\Program Files\BOINC\boincmgr.exe (World Community Grid)
O4 - HKLM..\Run: [boinctray] C:\Program Files\BOINC\boinctray.exe (Space Sciences Laboratory)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SDTray] C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [EADM] C:\Program Files\Origin\Origin.exe (Electronic Arts)
O4 - HKCU..\Run: [HP Officejet 6700 (NET)] C:\Program Files\HP\HP Officejet 6700\Bin\ScanToPCActivationApp.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Users\Kristianna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: LastPass - file://C:\Users\Kristianna\AppData\LocalLow\LastPass\context.html?cmd=lastpass File not found
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\Kristianna\AppData\LocalLow\LastPass\context.html?cmd=fillforms File not found
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
O9 - Extra 'Tools' menuitem : LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.2.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3EEF5C47-3339-48E5-94EC-65F7AB7F1E82}: DhcpNameServer = 192.168.0.1 205.171.2.25
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) -  File not found
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) -  File not found
O24 - Desktop WallPaper: C:\Users\Kristianna\Pictures\Airplane in a Thunderstorm.jpg
O24 - Desktop BackupWallPaper: C:\Users\Kristianna\Pictures\Airplane in a Thunderstorm.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/09/16 01:07:13 | 000,054,544 | R--- | M] (Electronic Arts) - D:\Autorun.exe -- [ UDF ]
O32 - AutoRun File - [2011/09/15 22:58:13 | 000,000,049 | R--- | M] () - D:\Autorun.inf -- [ UDF ]
O33 - MountPoints2\{3c31c24d-fffb-11e2-bb2a-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{3c31c24d-fffb-11e2-bb2a-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Autorun.exe -- [2011/09/16 01:07:13 | 000,054,544 | R--- | M] (Electronic Arts)
O33 - MountPoints2\{6a4e5ea5-8303-11e3-8514-00e0b8cc5e72}\Shell - "" = AutoRun
O33 - MountPoints2\{6a4e5ea5-8303-11e3-8514-00e0b8cc5e72}\Shell\AutoRun\command - "" = "F:\WD SmartWare.exe" autoplay=true
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (sdnclean.exe)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/01/26 16:13:18 | 000,000,000 | ---D | C] -- C:\Users\Kristianna\Desktop\backups
[2014/01/25 09:27:03 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/01/25 09:24:17 | 001,037,068 | ---- | C] (Thisisu) -- C:\Users\Kristianna\Desktop\JRT.exe
[2014/01/23 20:05:35 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/01/22 19:57:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2014/01/22 19:54:48 | 000,074,456 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamchameleon.sys
[2014/01/22 19:54:29 | 000,000,000 | ---D | C] -- C:\Users\Kristianna\Desktop\mbar
[2014/01/21 21:01:19 | 000,000,000 | ---D | C] -- C:\ProgramData\WD_SmartWareCommon
[2014/01/21 21:00:41 | 000,000,000 | ---D | C] -- C:\Users\Kristianna\AppData\Local\Western_Digital
[2014/01/21 20:57:07 | 000,000,000 | ---D | C] -- C:\Users\Kristianna\AppData\Roaming\Western Digital
[2014/01/21 20:54:48 | 000,000,000 | ---D | C] -- C:\Program Files\Western Digital
[2014/01/21 20:54:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WD SmartWare
[2014/01/21 20:25:28 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2014/01/21 20:21:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Western Digital
[2014/01/21 20:20:39 | 000,000,000 | ---D | C] -- C:\Users\Kristianna\AppData\Local\Western Digital
[2014/01/21 20:11:18 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Kristianna\Desktop\OTL.exe
[2014/01/21 20:11:09 | 012,582,688 | ---- | C] (Malwarebytes Corp.) -- C:\Users\Kristianna\Desktop\mbar-1.07.0.1008.exe
[2014/01/20 09:02:04 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Kristianna\Desktop\HiJackThis.exe
[2014/01/11 21:52:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
[2014/01/11 21:52:21 | 000,018,968 | ---- | C] (Safer Networking Limited) -- C:\Windows\System32\sdnclean.exe
[2014/01/11 21:52:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2014/01/11 21:51:47 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2014/01/11 10:55:48 | 000,104,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2013/08/08 19:43:24 | 011,019,776 | ---- | C] (LastPass) -- C:\Program Files\Common Files\lpuninstall.exe
[1 C:\Users\Kristianna\Documents\*.tmp files -> C:\Users\Kristianna\Documents\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2014/01/26 15:53:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/01/26 15:52:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/01/26 15:18:14 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2014/01/26 15:18:14 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2014/01/26 12:53:00 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/01/25 09:24:26 | 001,037,068 | ---- | M] (Thisisu) -- C:\Users\Kristianna\Desktop\JRT.exe
[2014/01/25 09:18:40 | 000,000,644 | ---- | M] () -- C:\Windows\tasks\Check for updates (Spybot - Search & Destroy).job
[2014/01/25 09:18:13 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.dll
[2014/01/25 09:18:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/01/25 09:18:02 | 2137,448,448 | -HS- | M] () -- C:\hiberfil.sys
[2014/01/25 09:17:58 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.exe
[2014/01/23 20:03:51 | 001,236,282 | ---- | M] () -- C:\Users\Kristianna\Desktop\AdwCleaner.exe
[2014/01/22 19:57:46 | 000,104,664 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2014/01/22 19:54:48 | 000,074,456 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamchameleon.sys
[2014/01/22 19:49:20 | 000,000,616 | ---- | M] () -- C:\Windows\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2014/01/21 20:55:47 | 000,001,242 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WDSmartWare.lnk
[2014/01/21 20:55:46 | 000,001,181 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WDDMStatus.lnk
[2014/01/21 20:46:31 | 000,039,418 | ---- | M] () -- C:\Users\Kristianna\Documents\cc_20140121_204616.reg
[2014/01/21 20:25:34 | 000,000,764 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2014/01/21 20:24:21 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/01/21 20:24:21 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/01/21 20:12:41 | 012,582,688 | ---- | M] (Malwarebytes Corp.) -- C:\Users\Kristianna\Desktop\mbar-1.07.0.1008.exe
[2014/01/21 20:11:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kristianna\Desktop\OTL.exe
[2014/01/21 20:10:56 | 000,987,425 | ---- | M] () -- C:\Users\Kristianna\Desktop\SecurityCheck.exe
[2014/01/21 19:55:40 | 000,000,830 | ---- | M] () -- C:\Users\Kristianna\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2014/01/21 19:55:40 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2014/01/20 09:02:10 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Kristianna\Desktop\HiJackThis.exe
[2014/01/19 01:32:23 | 000,231,584 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2014/01/12 20:29:43 | 000,000,446 | ---- | M] () -- C:\Windows\tasks\Scan the system (Spybot - Search & Destroy).job
[2014/01/12 18:05:33 | 000,043,008 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\agremove.exe
[2014/01/11 21:52:33 | 000,001,918 | ---- | M] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[1 C:\Users\Kristianna\Documents\*.tmp files -> C:\Users\Kristianna\Documents\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2014/01/23 20:03:37 | 001,236,282 | ---- | C] () -- C:\Users\Kristianna\Desktop\AdwCleaner.exe
[2014/01/21 20:55:47 | 000,001,242 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WDSmartWare.lnk
[2014/01/21 20:55:46 | 000,001,181 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WDDMStatus.lnk
[2014/01/21 20:46:24 | 000,039,418 | ---- | C] () -- C:\Users\Kristianna\Documents\cc_20140121_204616.reg
[2014/01/21 20:25:34 | 000,000,764 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2014/01/21 20:10:43 | 000,987,425 | ---- | C] () -- C:\Users\Kristianna\Desktop\SecurityCheck.exe
[2014/01/12 20:58:50 | 2137,448,448 | -HS- | C] () -- C:\hiberfil.sys
[2014/01/11 21:53:32 | 000,000,446 | ---- | C] () -- C:\Windows\tasks\Scan the system (Spybot - Search & Destroy).job
[2014/01/11 21:53:29 | 000,000,616 | ---- | C] () -- C:\Windows\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2014/01/11 21:53:26 | 000,000,644 | ---- | C] () -- C:\Windows\tasks\Check for updates (Spybot - Search & Destroy).job
[2014/01/11 21:52:33 | 000,001,930 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2014/01/11 21:52:33 | 000,001,918 | ---- | C] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2014/01/11 07:39:10 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.exe
[2013/12/24 12:00:53 | 000,003,584 | ---- | C] () -- C:\Users\Kristianna\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/12/21 18:00:16 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.dll
[2013/08/28 20:42:06 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
[2013/08/10 17:34:29 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2013/08/10 17:34:29 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2013/08/10 17:33:38 | 000,643,072 | ---- | C] () -- C:\Windows\System32\autochk.exe
[2013/08/10 17:32:43 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2013/08/08 19:25:05 | 000,000,175 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys.sum
[2013/08/08 19:25:05 | 000,000,175 | ---- | C] () -- C:\Windows\System32\drivers\aswSP.sys.sum
[2013/08/08 19:25:05 | 000,000,175 | ---- | C] () -- C:\Windows\System32\drivers\aswSnx.sys.sum
[2013/08/08 08:15:28 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2013/08/08 06:47:54 | 000,000,680 | ---- | C] () -- C:\Users\Kristianna\AppData\Local\d3d9caps.dat
 
========== ZeroAccess Check ==========
 
[2006/11/02 06:54:18 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 00:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 00:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >
 



#21 1695814

1695814

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 26 January 2014 - 07:41 PM

I just ran chkdsk, too.  I wasn't able to make note of any of the messages there, however, but the overall vibe I got was things worked out well.


Edited by 1695814, 26 January 2014 - 08:12 PM.


#22 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 27 January 2014 - 10:33 AM

Hi 1695814,

1. Java
1.1 Uninstall old Java versions (if present):
  • Please go to Start > Control Panel > Programs and Features .
  • Locate all Java Updates
  • Uninstall them all.
1.2 Install latest Java 7 update. Click this link and click on the Free JAVA Download.

1.3 Find here instructions how to clear the java cache.
Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
Under Temporary Internet Files, click the Delete Files button.
There are options in the window to clear the cache - Leave ALL Checked
  • Applications and Applets
  • Trace and log files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel.

 

***


2. Malwarebytes' Anti-Malware
Download the free version of Malwarebytes' Anti-Malware and save it to your desktop.
Double-click mbam-setup****.exe and follow the prompts to install the program.
Note to Vista | Windows 7/8 users, please right-click and select Run as Administrator.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware.
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
Note 1: The log can also be found via the Logs tab when Malwarebytes' Anti-Malware is started.
Note 2: If you receive a notice that some of the items couldn't be removed and they have been added to the delete on reboot list, please reboot.


***


3. ESET Online Scanner

Connect any existing external hard drives and / or other removable media.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as MyEsetScan. Alternatively, look for report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
  • Push the Back button.
  • Select Uninstall application on close check box and push esetFinish.png

***


How the computer is running now?
Graduate of the WTT Classroom
Cheers,
Jo

#23 1695814

1695814

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 28 January 2014 - 07:08 AM

I updated Java, ran MBAM (No malicious items detected), & ran ESET (no threat found).

 

As far as I can tell, the computer is running fine now.

 

Here's the MBAM log:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.28.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Kristianna :: KMKW [administrator]

1/27/2014 10:57:53 PM
mbam-log-2014-01-27 (22-57-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195592
Time elapsed: 9 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 


Edited by 1695814, 28 January 2014 - 07:09 AM.


#24 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 28 January 2014 - 12:51 PM

Hi 1695814,
  • Update Internet Explorer to v11
Vista | Windows 7/8 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems.



***


Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    
    :Commands
    [purity]
    [emptytemp]
    


    NOTICE: This script was written specifically for this user, for use on that particular machine.
    Running this on another machine may cause damage to your operating system.
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post Fix OTL log as well as a new OTL log by rerunning it after reboot without custom scans script.

***


Graduate of the WTT Classroom
Cheers,
Jo

#25 1695814

1695814

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 28 January 2014 - 08:45 PM

my understanding is that everything after IE9 requires Windows 7 or later.  However, this is a Vista machine.  (My profile may refer to a Win 7 machine, but that's a different computer.)

 

Here is the OTL message:

 

All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Kristianna
->Temp folder emptied: 1115169640 bytes
->Temporary Internet Files folder emptied: 28637248 bytes
->Java cache emptied: 1 bytes
->FireFox cache emptied: 386130491 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1090 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 188566 bytes
RecycleBin emptied: 11206040 bytes
 
Total Files Cleaned = 1,470.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 01282014_202550

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 


Edited by 1695814, 28 January 2014 - 08:47 PM.

    Advertisements

Register to Remove


#26 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 29 January 2014 - 08:13 AM

Hi 1695814,

well done. :)

It Appears That Your Pc Is Now Clean!
 

***


Clean up:

Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.

***


Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Files
    C:\Users\Kristianna\Desktop\mbar
    C:\Users\Kristianna\Desktop\mbar-1.07.0.1008.exe
    C:\Users\Kristianna\Desktop\JRT.exe
    C:\Users\Kristianna\Desktop\SecurityCheck.exe
    
    :Commands
    [emptytemp]
    [clearallrestorepoints]
    
  • Close all other programs apart from OTL as this step may require a reboot
  • Then click the Run Fix button at the top
  • Let the program run unhindered.
  • Say Yes to the prompt and then allow the program to reboot your computer.

***


Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

***


Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.


***


Here are some Preventive tips to reduce the potential for spyware infection in the future:

1. Browse more secure2. Enable Protected Mode in Internet Explorer. This helps Windows Vista, 7 / 8 users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
  • Open Internet Explorer
  • Click on Tools > Internet Options
  • Press Security tab
  • Select Internet zone then place check next to Enable Protected Mode if not already done
  • Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
  • Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Make sure you keep your Windows OS current.
  • Windows XP users can visit Windows update regularly to download and install any critical updates and service packs.
  • Windows Vista / 7 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane).
4. Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P filesharing as an important chanel to spread their wares.
5. Use only one anti-virus software and keep it up-to-date.

6. Firewall
Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

7. Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

8. Use Strong passwords!

9. Email attachments
Do not open any unknown email attachments, which you received without asking for it!


Extra note:
Keep your Browser, Java, pdf Reader and Adobe Flash Up to Date.
Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
Graduate of the WTT Classroom
Cheers,
Jo

#27 1695814

1695814

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 29 January 2014 - 09:42 PM

Thank you, Jo*, for all of your help.

 

Tausend Dank,

###



#28 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 30 January 2014 - 07:59 AM

You are very welcome, 1695814.
Glad we could help.
Graduate of the WTT Classroom
Cheers,
Jo

#29 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 31 January 2014 - 11:00 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.
Graduate of the WTT Classroom
Cheers,
Jo

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users