41 replies to this topic

[Sarit]

Okay. I had no idea StopZilla was on here.  I went to go uninstall it per your instructions but it's not listed as a program that is installed.  

 

lol I forgot I had that on there.  That was for a project and I just forgot to delete it.

 

So, I looked where you said about the combofix file and it's not there.  Also, i did some research and apparently the files under that one directory are from Windows PC Defender.  This is a program I have never installed, so I'm assuming it was already on the system when I got the computer.  And again, it is not listed in the list for programs that can be uninstalled under control panel.

 

Fixlog Report

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:12-06-2014 02

Ran by rac at 2014-06-14 12:35:53 Run:1

Running from C:\Users\rac\Desktop

Boot Mode: Normal

 

==============================================

 

Content of fixlist:

*****************

SearchScopes: HKLM - DefaultScope {41396b1b-447e-473b-a34b-bb583136c7fc} URL =

SearchScopes: HKLM - {7BCFC7A9-435C-46D7-917E-81F1A6B16947} URL = http://www.google.co...ge={startPage};

SearchScopes: HKCU - DefaultScope {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =

SearchScopes: HKCU - {105E99FF-8B9A-4492-B155-06194B9056D2} URL = http://search-gala.c...q={searchTerms}

SearchScopes: HKCU - {7BCFC7A9-435C-46D7-917E-81F1A6B16947} URL = http://search-gala.c...q={searchTerms}

SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo....p={searchTerms}

Toolbar: HKLM - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File

Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File

Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File

FF SearchEngineOrder.1: Ask.com

FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\safeguard-secure-search.xml

FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml

FF Extension: BetterLinks - C:\Users\rac\AppData\Roaming\Mozilla\Firefox\Profiles\q8bpoqvj.default\Extensions\smartlinks@getsmartlinks.com [2036-09-02]

S2 xsewmzvga; \??\C:\Windows\system32\drivers\epwxtgux.sys [X]

2036-05-16 21:35 - 2036-05-16 21:35 - 00000432 _____ () C:\Windows\system32\Drivers\kgpfr2.cfg

2036-05-16 17:27 - 2036-05-16 21:36 - 00009640 _____ () C:\Windows\system32\Drivers\kgpcpy.cfg

2036-05-15 12:34 - 2036-05-15 12:34 - 00000000 _____ () C:\Windows\system32\REN9A6C.tmp

2036-05-15 12:34 - 2036-05-15 12:34 - 00000000 _____ () C:\Windows\system32\REN9A4C.tmp

2036-05-15 12:34 - 2036-05-15 12:34 - 00000000 _____ () C:\Windows\system32\REN9A3B.tmp

2036-05-15 10:20 - 2036-05-10 18:30 - 00000110 _____ () C:\Windows\system32\Drivers\etc\hosts.bak

2036-05-06 20:33 - 2036-05-10 18:20 - 00010756 ___SH () C:\Users\rac\AppData\Local\t0m8ctog368483w04675vl7l06dw6i5r6krf

2036-05-06 20:33 - 2036-05-10 18:20 - 00010756 ___SH () C:\ProgramData\t0m8ctog368483w04675vl7l06dw6i5r6krf

C:\Windows\system32\drivers\epwxtgux.sys

C:\Windows\system32\Drivers\kgpfr2.cfg

C:\Windows\system32\Drivers\kgpcpy.cfg

C:\Windows\system32\REN9A6C.tmp

C:\Windows\system32\REN9A4C.tmp

C:\Windows\system32\REN9A3B.tmp

C:\Windows\system32\Drivers\etc\hosts.bak

C:\Users\rac\AppData\Local\t0m8ctog368483w04675vl7l06dw6i5r6krf

C:\ProgramData\t0m8ctog368483w04675vl7l06dw6i5r6krf

C:\Users\rac\protect.dll

HKU\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Classes\.exe: exefile =>  <===== ATTENTION!

HKU\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Classes\exefile:  <===== ATTENTION!

*****************

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.

'HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7BCFC7A9-435C-46D7-917E-81F1A6B16947}' => Key deleted successfully.

'HKCR\Wow6432Node\CLSID\{7BCFC7A9-435C-46D7-917E-81F1A6B16947}'=> Key not found.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.

'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}' => Key deleted successfully.

'HKCR\Wow6432Node\CLSID\{105E99FF-8B9A-4492-B155-06194B9056D2}'=> Key not found.

'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7BCFC7A9-435C-46D7-917E-81F1A6B16947}' => Key deleted successfully.

'HKCR\Wow6432Node\CLSID\{7BCFC7A9-435C-46D7-917E-81F1A6B16947}'=> Key not found.

'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}' => Key deleted successfully.

'HKCR\Wow6432Node\CLSID\{DECA3892-BA8F-44b8-A993-A466AD694AE4}'=> Key not found.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{95B7759C-8C7F-4BF1-B163-73684A933233} => value deleted successfully.

'HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}'=> Key not found.

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => value deleted successfully.

'HKCR\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}'=> Key not found.

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => value deleted successfully.

'HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}'=> Key not found.

Firefox SearchEngineOrder.1 deleted successfully.

C:\Program Files\mozilla firefox\searchplugins\safeguard-secure-search.xml => Moved successfully.

C:\Program Files\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml => Moved successfully.

C:\Users\rac\AppData\Roaming\Mozilla\Firefox\Profiles\q8bpoqvj.default\Extensions\smartlinks@getsmartlinks.com => Moved successfully.

xsewmzvga => Service deleted successfully.

C:\Windows\system32\Drivers\kgpfr2.cfg => Moved successfully.

C:\Windows\system32\Drivers\kgpcpy.cfg => Moved successfully.

C:\Windows\system32\REN9A6C.tmp => Moved successfully.

C:\Windows\system32\REN9A4C.tmp => Moved successfully.

C:\Windows\system32\REN9A3B.tmp => Moved successfully.

C:\Windows\system32\Drivers\etc\hosts.bak => Moved successfully.

C:\Users\rac\AppData\Local\t0m8ctog368483w04675vl7l06dw6i5r6krf => Moved successfully.

C:\ProgramData\t0m8ctog368483w04675vl7l06dw6i5r6krf => Moved successfully.

"C:\Windows\system32\drivers\epwxtgux.sys" => File/Directory not found.

"C:\Windows\system32\Drivers\kgpfr2.cfg" => File/Directory not found.

"C:\Windows\system32\Drivers\kgpcpy.cfg" => File/Directory not found.

"C:\Windows\system32\REN9A6C.tmp" => File/Directory not found.

"C:\Windows\system32\REN9A4C.tmp" => File/Directory not found.

"C:\Windows\system32\REN9A3B.tmp" => File/Directory not found.

"C:\Windows\system32\Drivers\etc\hosts.bak" => File/Directory not found.

"C:\Users\rac\AppData\Local\t0m8ctog368483w04675vl7l06dw6i5r6krf" => File/Directory not found.

"C:\ProgramData\t0m8ctog368483w04675vl7l06dw6i5r6krf" => File/Directory not found.

C:\Users\rac\protect.dll => Moved successfully.

'HKU\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Classes\exefile' => Key deleted successfully.

'HKU\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Classes\.exe' => Key deleted successfully.

'HKU\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Classes\exefile'=> Key not found.

 

==== End of Fixlog ====

[Satchfan]

Uninstall Combofix

Follow these steps to uninstall Combofix

• click START then RUN
• now type Combofix /uninstall in the runbox and click OK.

Note the space between the X and the /, it needs to be there.

• please follow the prompts to uninstall Combofix.
• once it's finished uninstalling itself you will receive a message saying Combofix was uninstalled successfully.

===================================================

Please re-run aswMBR according to the previous instructions and send me the resulting log.

Satchfan
 

 

[Sarit]

Okay.  Combofix uninstalled.

 

New report:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software

Run date: 2014-06-14 17:56:48

-----------------------------

17:56:48.763    OS Version: Windows 6.0.6002 Service Pack 2

17:56:48.764    Number of processors: 1 586 0x1601

17:56:48.766    ComputerName: TOMOHISA  UserName: rac

17:56:50.059    Initialize success

18:09:17.085    AVAST engine defs: 14061401

18:10:31.513    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

18:10:31.529    Disk 0 Vendor: TOSHIBA_MK8037GSX DL230M Size: 76319MB BusType: 3

18:10:31.976    Disk 0 MBR read successfully

18:10:32.035    Disk 0 MBR scan

18:10:32.216    Disk 0 Windows VISTA default MBR code

18:10:32.247    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         1500 MB offset 2048

18:10:32.301    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        69266 MB offset 3074048

18:10:32.345    Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS         5552 MB offset 144930816

18:10:32.394    Disk 0 scanning sectors +156301312

18:10:32.730    Disk 0 scanning C:\Windows\system32\drivers

18:10:56.016    Service scanning

18:11:59.379    Modules scanning

18:12:48.594    Disk 0 trace - called modules:

18:13:32.951    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys tcpip.sys NETIO.SYS ndis.sys athr.sys dxgkrnl.sys igdkmd32.sys 

18:13:34.742    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x849f4208]

18:13:34.786    3 CLASSPNP.SYS[865ab8b3] -> nt!IofCallDriver -> [0x83a411e0]

18:13:34.852    5 acpi.sys[826536bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x83a4a528]

18:13:42.842    AVAST engine scan C:\Windows

18:13:49.066    AVAST engine scan C:\Windows\system32

18:14:14.529    File: C:\Windows\system32\cooper.mine  **INFECTED** Win32:Fraudo [Trj]

18:22:43.943    AVAST engine scan C:\Windows\system32\drivers

18:23:16.067    AVAST engine scan C:\Users\rac

18:25:49.397    File: C:\Users\rac\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\rac\AppData\Local\Microsoft\Windows\TEMPOR~1\VIRTUA~1\C\Users\rac\protect.dll  **INFECTED** Win32:Malware-gen

18:37:36.674    File: C:\Users\rac\Downloads\FileZilla_3.7.4.1_win32-setup.exe  **INFECTED** Win32:Adware-gen [Adw]

18:40:38.421    AVAST engine scan C:\ProgramData

18:51:51.982    Scan finished successfully

19:08:06.092    Disk 0 MBR has been saved successfully to "C:\Users\rac\Desktop\MBR.dat"

19:08:06.120    The log file has been saved successfully to "C:\Users\rac\Desktop\aswMBR1.txt"

[Satchfan]

Please delete the directory C:\ProgramData\e135217

 

===============================================
 

Clear all your temporary files

Download ATF Cleaner

• double-click ATF-Cleaner.exe (on your desktop) to run the program.
• under Main choose: Select All
• click the Empty Selected button.

If you use Firefox browser

• click Firefox at the top and choose: Select All
• click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• click Opera at the top and choose: Select All
• click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu

NOTE: The last update came out before Chrome and the developer of ATF Cleaner hasn't updated it to deal with Chrome yet.

Google Chrome includes its own “Clear Browsing Data” tool that performs the same functions as ATF Cleaner. It clears browsing history, download history, empties Chrome’s cache, deletes cookies and removes all saved autofill entries and passwords.

You can toggle each of these options and select the date range of data you want to remove.

• open Google Chrome
• click on the Customize icon , at the top right
• choose Tools, Clear Browsing Data.

===============================================

Download Malwarebytes-Anti-Malware

Click here (at the top of the page, click on "Download Current Version")
 

• double-click mbam-setup.exe and follow the prompts to install the program – (Note: Vista & Windows 7 users, please right-click and select “Run as Administrator”)
• at the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware. and Launch Malwarebytes' Anti-Malware, then click Finish..
• if an update is found, it will download and install the latest version.
• once the program has loaded, select Perform quick scan, then click Scan.
• when the scan is complete, click OK, then Show Results to view the results.
• be sure that everything is checked, and click Remove Selected.
• when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
• the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Satchfan

 

[Sarit]

Whoa two pages lol.

 

Okay.  Deleted that folder in the Program Data folder.  While doing so, I noticed there are a lot of program folders in there that I don't use (Napster for example).  Should I delete those too?

 

It generated two logs.  One called mbabm and one called protection.  I'll include both just in case.

 

Mbam Report

 

<?xml version="1.0" encoding="UTF-16" ?>

<mbam-log>

<header>

<date>2014/06/15 08:52:19 -0400</date>

<logfile>mbam-log-2014-06-15 (08-52-00).xml</logfile>

<isadmin>yes</isadmin>

</header>

<engine>

<version>2.00.2.1012</version>

<malware-database>v2014.03.04.09</malware-database>

<rootkit-database>v2014.02.20.01</rootkit-database>

<license>trial</license>

<file-protection>enabled</file-protection>

<web-protection>enabled</web-protection>

<self-protection>disabled</self-protection>

</engine>

<system>

<osversion>Windows Vista Service Pack 2</osversion>

<arch>x86</arch>

<username>rac</username>

<filesys>NTFS</filesys>

</system>

<summary>

<type>threat</type>

<result>completed</result>

<objects>243759</objects>

<time>2542</time>

<processes>0</processes>

<modules>0</modules>

<keys>10</keys>

<values>4</values>

<datas>2</datas>

<folders>3</folders>

<files>9</files>

<sectors>0</sectors>

</summary>

<options>

<memory>enabled</memory>

<startup>enabled</startup>

<filesystem>enabled</filesystem>

<archives>enabled</archives>

<rootkits>disabled</rootkits>

<deeprootkit>disabled</deeprootkit>

<heuristics>enabled</heuristics>

<pup>enabled</pup>

<pum>enabled</pum>

</options>

<items>

<key><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>68e120dfaad0e84eb2a257057092c13f</hash></key>

<key><path>HKU\S-1-5-21-2030314185-2794812908-1279502003-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>68e120dfaad0e84eb2a257057092c13f</hash></key>

<key><path>HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>68e120dfaad0e84eb2a257057092c13f</hash></key>

<key><path>HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>68e120dfaad0e84eb2a257057092c13f</hash></key>

<key><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>c4857a859fdb1b1be589ce8ee41ecc34</hash></key>

<key><path>HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>c4857a859fdb1b1be589ce8ee41ecc34</hash></key>

<key><path>HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}</path><vendor>Backdoor.Bot</vendor><action>success</action><hash>c4857a859fdb1b1be589ce8ee41ecc34</hash></key>

<key><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{78919608-B066-4B5A-B248-38E12A783E05}</path><vendor>Adware.ArcadeWeb</vendor><action>success</action><hash>7fca7e8137436bcb1b37cb87f40e1de3</hash></key>

<key><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{FE6F06FB-0FC0-4499-828F-EE48088F504F}</path><vendor>PUP.Optional.MyScrapNook.A</vendor><action>success</action><hash>b79220dfed8dac8af76e423309f9b64a</hash></key>

<key><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\AvScan</path><vendor>Trojan.FakeAlert</vendor><action>success</action><hash>9cad5aa572083600a409ca37db2816ea</hash></key>

<value><path>HKU\S-1-5-21-2030314185-2794812908-1279502003-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS\{b3b5c47e-61f7-4d81-af06-461fc86686ce}</path><valuename></valuename><vendor>PUP.Optional.MyScrapNook.A</vendor><action>success</action><valuedata></valuedata><hash>58f1996685f58fa70957c3b27c8601ff</hash></value>

<value><path>HKU\S-1-5-21-2030314185-2794812908-1279502003-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS</path><valuename>{B3B5C47E-61F7-4D81-AF06-461FC86686CE}</valuename><vendor>PUP.Optional.MyScrapNook.A</vendor><action>success</action><valuedata></valuedata><hash>58f1996685f58fa70957c3b27c8601ff</hash></value>

<value><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NETWORK</path><valuename>UID</valuename><vendor>Malware.Trace</vendor><action>success</action><valuedata>RAC-PC_099F4867</valuedata><hash>77d2956a3e3c95a1a8f10a0e29daa858</hash></value>

<value><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>autochk</valuename><vendor>Trojan.Agent</vendor><action>success</action><valuedata>rundll32.exe C:\Windows\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16</valuedata><hash>c2875ba47802af871dfd0ff7778cf50b</hash></value>

<data><path>HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES</path><valuename>URL</valuename><vendor>Hijack.SearchPage</vendor><action>replaced</action><valuedata>http://search-gala.c...8</hash></data>

<data><path>HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES</path><valuename>URL</valuename><vendor>Hijack.SearchPage</vendor><action>replaced</action><valuedata>http://search-gala.c...3</hash></data>

<folder><path>C:\ProgramData\14617524</path><vendor>Rogue.Multiple</vendor><action>success</action><hash>0b3e3ec11169270f60793e384db5847c</hash></folder>

<folder><path>C:\ProgramData\94627516</path><vendor>Rogue.Multiple</vendor><action>success</action><hash>84c5af50176366d06c6de88e35cd748c</hash></folder>

<folder><path>C:\Windows\System32\lowsec</path><vendor>Stolen.data</vendor><action>success</action><hash>9aaf44bb4139e3536980552c49b924dc</hash></folder>

<file><path>C:\Users\rac\Downloads\Watermark_Software_6.3_Portable.rar_downloader.exe</path><vendor>PUP.Optional.YourFileDownloader</vendor><action>success</action><hash>4603728d62187cba1fca7bf0e31d29d7</hash></file>

<file><path>C:\Users\rac\Downloads\AIM_Install.exe</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>cc7d21de9dddb87e15d13021e222659b</hash></file>

<file><path>C:\Windows\System32\cooper.mine</path><vendor>Trojan.FakeAlert</vendor><action>success</action><hash>b396bc433d3d2e080806fbe332d0f010</hash></file>

<file><path>C:\Windows\System32\drivers\str.sys</path><vendor>Rootkit.Agent</vendor><action>success</action><hash>1e2ba659255592a4c1be934d5fa39967</hash></file>

<file><path>C:\ProgramData\14617524\14617524.glu</path><vendor>Rogue.Multiple</vendor><action>success</action><hash>0b3e3ec11169270f60793e384db5847c</hash></file>

<file><path>C:\ProgramData\14617524\pc14617524cnf</path><vendor>Rogue.Multiple</vendor><action>success</action><hash>0b3e3ec11169270f60793e384db5847c</hash></file>

<file><path>C:\ProgramData\14617524\pc14617524ins</path><vendor>Rogue.Multiple</vendor><action>success</action><hash>0b3e3ec11169270f60793e384db5847c</hash></file>

<file><path>C:\Windows\System32\lowsec\local.ds</path><vendor>Stolen.data</vendor><action>success</action><hash>9aaf44bb4139e3536980552c49b924dc</hash></file>

<file><path>C:\Windows\System32\lowsec\user.ds</path><vendor>Stolen.data</vendor><action>success</action><hash>9aaf44bb4139e3536980552c49b924dc</hash></file>

</items>

</mbam-log>

 

 

 

Protection Report

 

<?xml version="1.0" encoding="UTF-8" ?>

<logs>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T08:47:31.609000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="9a5e7e2f-bd78-4837-87ff-593a519f5e12" result="Starting" subtype="Malware Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T08:47:31.945000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="e629d0f1-0b55-4ff8-89c4-6fe571e03ea6" result="Started" subtype="Malware Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T08:47:32.079000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="251376b9-731e-4a21-9176-9592ca0fb40e" result="Starting" subtype="Malicious Website Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T08:48:59.114000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="72c61ce3-b920-4be6-816a-a3608332130b" result="Started" subtype="Malicious Website Protection"></record>

   <record severity="debug" LoggingEventType="1" datetime="2014-06-15T09:16:19.122000-04:00" source="Scheduler" type="Update" username="SYSTEM" systemname="TOMOHISA" fromVersion="2014.2.20.1" last_modified_tag="5df0f4a5-263b-4a82-a8bf-bf9c3e088e98" name="Rootkit Database" toVersion="2014.6.2.1"></record>

   <record severity="debug" LoggingEventType="1" datetime="2014-06-15T09:16:33.590000-04:00" source="Scheduler" type="Update" username="SYSTEM" systemname="TOMOHISA" fromVersion="2014.3.4.9" last_modified_tag="f300dfd0-b28b-4c98-ac7b-704a81d2b7e0" name="Malware Database" toVersion="2014.6.15.2"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T09:16:35.336000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="1af52d14-df75-4303-97fb-8780e629f21a" result="Starting" subtype="Refresh"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T09:16:35.364000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="7ac52e88-d9ed-48a4-9df3-ad9d4abbee0c" result="Stopping" subtype="Malicious Website Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T09:16:41.092000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="2f1c8475-e00c-4b51-8651-3ec5bf98819d" result="Stopped" subtype="Malicious Website Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T09:20:36.960000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="050f9fdd-143e-4c8b-8366-1587fbbbf67b" result="Success" subtype="Refresh"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T09:20:45.979000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="9c818bd1-ba1b-4feb-8d22-01a23e1a782b" result="Starting" subtype="Malicious Website Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T09:23:27.537000-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="e8042dc6-2e62-4f04-8852-d318630db256" result="Started" subtype="Malicious Website Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:38:05.448193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="2603a32c-099e-481f-8ad8-a44f12ff3841" result="Starting" subtype="Malware Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:38:06.555793-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="c29314f8-abd1-4635-9dd8-7179291e5320" result="Started" subtype="Malware Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:38:07.117393-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="3c9a508b-0d2b-455f-9b7b-2a76668dd451" result="Starting" subtype="Malicious Website Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:39:51.918193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="af401dc4-2146-48a2-8ab0-9c5fa704deb0" result="Started" subtype="Malicious Website Protection"></record>

   <record severity="debug" LoggingEventType="1" datetime="2014-06-15T14:57:23.629193-04:00" source="Scheduler" type="Update" username="SYSTEM" systemname="TOMOHISA" fromVersion="2014.6.15.2" last_modified_tag="7c624d1b-3d2e-4bbc-85b7-fb2eba53bef9" name="Malware Database" toVersion="2014.6.15.5"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:57:25.455193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="8b13490d-1b2c-418a-9bea-50deecff3216" result="Starting" subtype="Refresh"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:57:25.478193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="73ab7352-bd3e-4cce-aa8f-0f12fc45b70c" result="Stopping" subtype="Malicious Website Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:57:28.633193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="d340c8ff-4f25-4138-b3a0-1ab75a10b93c" result="Stopped" subtype="Malicious Website Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:58:34.759193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="b422d597-d0c6-44ff-a89e-a803da352f79" result="Success" subtype="Refresh"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:58:36.315193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="9062ec9b-5d14-4a7b-8337-d8f3a42c0da9" result="Starting" subtype="Malicious Website Protection"></record>

   <record severity="debug" LoggingEventType="2" datetime="2014-06-15T14:59:27.678193-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="TOMOHISA" last_modified_tag="ab4dca67-984a-4196-b625-3dd6079c1c9c" result="Started" subtype="Malicious Website Protection"></record>

</logs>

 

[Satchfan]

The logs you sent were not what I wanted,

The log I’m looking for will be located here:

C:\Users\rac\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs

If you have a problem locating it, let me know.

Satchfan

[Sarit]

I looked and there is no folder under Malwarebytes under that location.  In the program, under History, those two files are the only ones listed.  They are in xml format and not txt, so maybe that's why they look so weird.  And it didn't delete the files, it just quarantined them.  I just selected them all for deletion but no new log was generated when I deleted them.  Should I try running another scan?

[Satchfan]

Yes please and post the Mbam.txt file.

[Sarit]

Okay!  Apparently they changed it.  It doesn't save the file automatically, you have to export it as a txt file.  I managed to get both logs for each scan I did.

 

#1

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 6/15/2014

Scan Time: 8:52:19 AM

Logfile: mbam1.txt

Administrator: Yes

 

Version: 2.00.2.1012

Malware Database: v2014.03.04.09

Rootkit Database: v2014.02.20.01

License: Trial

Malware Protection: Enabled

Malicious Website Protection: Enabled

Self-protection: Disabled

 

OS: Windows Vista Service Pack 2

CPU: x86

File System: NTFS

User: rac

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 243759

Time Elapsed: 42 min, 22 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Disabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 10

Backdoor.Bot, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}, Quarantined, [68e120dfaad0e84eb2a257057092c13f], 

Backdoor.Bot, HKU\S-1-5-21-2030314185-2794812908-1279502003-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}, Quarantined, [68e120dfaad0e84eb2a257057092c13f], 

Backdoor.Bot, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}, Quarantined, [68e120dfaad0e84eb2a257057092c13f], 

Backdoor.Bot, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{19127AD2-394B-70F5-C650-B97867BAA1F7}, Quarantined, [68e120dfaad0e84eb2a257057092c13f], 

Backdoor.Bot, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}, Quarantined, [c4857a859fdb1b1be589ce8ee41ecc34], 

Backdoor.Bot, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}, Quarantined, [c4857a859fdb1b1be589ce8ee41ecc34], 

Backdoor.Bot, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}, Quarantined, [c4857a859fdb1b1be589ce8ee41ecc34], 

Adware.ArcadeWeb, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{78919608-B066-4B5A-B248-38E12A783E05}, Quarantined, [7fca7e8137436bcb1b37cb87f40e1de3], 

PUP.Optional.MyScrapNook.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{FE6F06FB-0FC0-4499-828F-EE48088F504F}, Quarantined, [b79220dfed8dac8af76e423309f9b64a], 

Trojan.FakeAlert, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\AvScan, Quarantined, [9cad5aa572083600a409ca37db2816ea], 

 

Registry Values: 4

PUP.Optional.MyScrapNook.A, HKU\S-1-5-21-2030314185-2794812908-1279502003-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS\{b3b5c47e-61f7-4d81-af06-461fc86686ce}, Quarantined, [58f1996685f58fa70957c3b27c8601ff], 

PUP.Optional.MyScrapNook.A, HKU\S-1-5-21-2030314185-2794812908-1279502003-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS|{B3B5C47E-61F7-4D81-AF06-461FC86686CE}, Quarantined, [58f1996685f58fa70957c3b27c8601ff], 

Malware.Trace, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NETWORK|UID, RAC-PC_099F4867, Quarantined, [77d2956a3e3c95a1a8f10a0e29daa858]

Trojan.Agent, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|autochk, rundll32.exe C:\Windows\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16, Quarantined, [c2875ba47802af871dfd0ff7778cf50b]

 

Registry Data: 2

Hijack.SearchPage, HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES|URL, http://search-gala.c...om/?&uid=211&q={searchTerms}, Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}), Bad: (http://search-gala.com/?&uid=211&q={searchTerms}),Replaced,[0c3d42bd0d6d70c6d0eec36743c18878]

Hijack.SearchPage, HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES|URL, http://search-gala.c...om/?&uid=211&q={searchTerms}, Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}), Bad: (http://search-gala.com/?&uid=211&q={searchTerms}),Replaced,[65e43bc4afcb5cda5a6453d7e71d3dc3]

 

Folders: 3

Rogue.Multiple, C:\ProgramData\14617524, Quarantined, [0b3e3ec11169270f60793e384db5847c], 

Rogue.Multiple, C:\ProgramData\94627516, Quarantined, [84c5af50176366d06c6de88e35cd748c], 

Stolen.data, C:\Windows\System32\lowsec, Quarantined, [9aaf44bb4139e3536980552c49b924dc], 

 

Files: 9

PUP.Optional.YourFileDownloader, C:\Users\rac\Downloads\Watermark_Software_6.3_Portable.rar_downloader.exe, Quarantined, [4603728d62187cba1fca7bf0e31d29d7], 

PUP.Optional.OpenCandy, C:\Users\rac\Downloads\AIM_Install.exe, Quarantined, [cc7d21de9dddb87e15d13021e222659b], 

Trojan.FakeAlert, C:\Windows\System32\cooper.mine, Quarantined, [b396bc433d3d2e080806fbe332d0f010], 

Rootkit.Agent, C:\Windows\System32\drivers\str.sys, Quarantined, [1e2ba659255592a4c1be934d5fa39967], 

Rogue.Multiple, C:\ProgramData\14617524\14617524.glu, Quarantined, [0b3e3ec11169270f60793e384db5847c], 

Rogue.Multiple, C:\ProgramData\14617524\pc14617524cnf, Quarantined, [0b3e3ec11169270f60793e384db5847c], 

Rogue.Multiple, C:\ProgramData\14617524\pc14617524ins, Quarantined, [0b3e3ec11169270f60793e384db5847c], 

Stolen.data, C:\Windows\System32\lowsec\local.ds, Quarantined, [9aaf44bb4139e3536980552c49b924dc], 

Stolen.data, C:\Windows\System32\lowsec\user.ds, Quarantined, [9aaf44bb4139e3536980552c49b924dc], 

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

 

 

#2

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 6/15/2014

Scan Time: 5:54:54 PM

Logfile: mbam.txt

Administrator: Yes

 

Version: 2.00.2.1012

Malware Database: v2014.06.15.06

Rootkit Database: v2014.06.02.01

License: Trial

Malware Protection: Enabled

Malicious Website Protection: Enabled

Self-protection: Disabled

 

OS: Windows Vista Service Pack 2

CPU: x86

File System: NTFS

User: rac

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 280678

Time Elapsed: 45 min, 24 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Disabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 2

PUP.Optional.MindSpark.A, HKLM\SOFTWARE\OurBabyMaker_27, Quarantined, [05bda1d7691237ff691bf201ff04e41c], 

PUP.Optional.MindSpark.A, HKU\S-1-5-21-2030314185-2794812908-1279502003-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\OurBabyMaker_27, Quarantined, [ae14a1d7abd040f65b4c2e77fd050af6], 

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 1

PUP.Optional.InstalleRex, C:\Users\rac\Downloads\Watermark Software 6.3 Portable.rar.exe, Quarantined, [3c86f48436454ceaef59551ec938b64a], 

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

[Satchfan]

I’d like you to try ComboFix again.

Download and run ComboFix

Download Combofix from either of the links below, and save it to your desktop.  

Link 1
Link 2

**Note:  It MUST be saved directly to your desktop. Choose save as and then make sure you choose Desktop

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link [url="http://forums.whatth...om/How_Disable_

If it still doesn’t work, try running it this way:

Click the Windows “Start” button, select Run, then copy/paste the following bolded text into the run box and click OK

"%userprofile%\desktop\combofix.exe" /killall

Satchfan

[Sarit]

Still doesn't work and I tried using that kill all command.  It still just starts to run and then freezes the computer so I have to pull out the battery and restart it.

[Satchfan]

Whatever is stopping ComboFix can’t be good but there may be another reason so we’ll look again.

Re-run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.

• for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
• when the pre-scan is finished, click on Scan
• click on Report and copy/paste the content in your next post

NOTE: DO NOT attempt to remove anything that the scan detects –everything that is reported is not necessarily bad

Satchfan

 

 

[Sarit]

Here's the new log:

 

RogueKiller V9.0.3.0 [Jun 17 2014] by Adlice Software

mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : http://www.adlice.co...es/roguekiller/

Blog : http://www.adlice.com

 

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User : rac [Admin rights]

Mode : Scan -- Date : 06/17/2014  18:27:12

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 14 ¤¤¤

[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 8.8.8.8 8.8.4.4 209.55.27.13  -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 8.8.8.8 8.8.4.4 209.55.27.13  -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 75.75.75.75 75.75.76.76  -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2F9A1A9-AF53-4C0C-97A1-3B90FDBF3E0C} | DhcpNameServer : 208.67.222.222 208.67.220.220 2.2.2.1  -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CEB31E6C-AD0D-4A3B-A5DB-6267DEAC5809} | DhcpNameServer : 8.8.8.8 8.8.4.4 209.55.27.13  -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B2F9A1A9-AF53-4C0C-97A1-3B90FDBF3E0C} | DhcpNameServer : 208.67.222.222 208.67.220.220 2.2.2.1  -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{CEB31E6C-AD0D-4A3B-A5DB-6267DEAC5809} | DhcpNameServer : 8.8.8.8 8.8.4.4 209.55.27.13  -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{B2F9A1A9-AF53-4C0C-97A1-3B90FDBF3E0C} | DhcpNameServer : 208.67.222.222 208.67.220.220 2.2.2.1  -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{CEB31E6C-AD0D-4A3B-A5DB-6267DEAC5809} | DhcpNameServer : 75.75.75.75 75.75.76.76  -> FOUND

[PUM.Policies] HKEY_USERS\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND

[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0  -> FOUND

[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-2030314185-2794812908-1279502003-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> FOUND

[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Files : 0 ¤¤¤

 

¤¤¤ HOSTS File : 2 ¤¤¤

[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

[C:\Windows\System32\drivers\etc\hosts] ::1 localhost

 

¤¤¤ Antirootkit : 0 ¤¤¤

 

¤¤¤ Web browsers : 1 ¤¤¤

[PUP][CHROME:Addon] Default : AVG Secure Search [ndibdjnfmopecpmkdieinmbadjfpblof] -> FOUND

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK8037GSX ATA Device +++++

--- User ---

[MBR] ef1cf80a887d5867eac45cb539ae2f71

[BSP] 359adfaa6652908a617e4c101297499c : HP MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB

1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 69266 MB

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 144930816 | Size: 5552 MB

User = LL1 ... OK

User = LL2 ... OK

 

 

============================================

RKreport_DEL_06112014_200156.log - RKreport_SCN_06112014_165654.log - RKreport_SCN_06112014_200111.log

[Satchfan]

Hi Sarit

 

I’d like you to try running ComboFix again.

 

 

Download and run ComboFix

Download Combofix from either of the links below. You must rename it to Com123.exe before saving it.

Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

• double click on ComboFix.exe & follow the prompts.
• when finished, it will produce a report: please post the C:\ComboFix.txt log in your reply.

Satchfan
 

[Sarit]

Tried shutting everything down and it didn't freeze the computer this time but the program itself froze and I had to manually restart the computer.