
dds.scr causes pc lockup

Discussion in 'Virus & Other Malware Removal' started by ron40, Jan 5, 2013.

  1. ron40

    ron40 Thread Starter

    Joined:
    Jul 6, 2004
    Messages:
    313
    First Name:
    Ron
    I received 4 emails that looked like they came from my brother. Each contained an internet link. I foolishly clicked on the first one & it contained a stupid ad for a ridiculous product, which immediately made me suspicious. I should have been more alert, but these got by me. I downloaded HijackThis, scanned & saved the log file. When I ran dds.scr the message "two logs shall be created etc" stared at me for about 15 min with nothing seeming to happen. I tried to cancel the prog with ctrl-alt-del, which only caused the screen to lock up. I had to hit the power switch to reboot. I tried several times to run the prog with the same result each time.
    I hope this is something simple.

    Ron Kappes
     
  2. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Post the log from HJT if you have it, also run the following and post that log:

    Download RogueKiller from here http://tigzy.geekstogo.com/Tools/RogueKiller.exe or here http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe and save it directly to your Desktop.

    • Quit all running programs
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista/Seven, right-click -> Run as administrator; for XP simply run RogueKiller.exe
    • Wait until Prescan has finished...
    • The following EULA will appear, please select accept

    • Ensure MBR scan, Check faked and AntiRootkit are checked
    • Select Scan

    • When the scan completes select Report, copy and paste that to your reply.

    • The log should be found in RKreport[?].txt on your Desktop
    • Exit/Close RogueKiller

    Kevin
     
  3. ron40

    ron40 Thread Starter

  4. ron40

    ron40 Thread Starter

    I just looked at the screen shot & it's very unclear. Here is a cropped version. FYI: The download section (blue shaded) has "Failed--geekstop.com" on the 2nd line. The Norton warning on the lower right says: GqMvQ13_.exe.part is not safe and has been removed

    http://img20.imageshack.us/img20/5041/screencapturehs.jpg
     
  5. kevinf80

    kevinf80 Malware Specialist

    What operating system do you have: Windows 7, Vista or XP?
     
  6. ron40

    ron40 Thread Starter

    Windows 7 home premium
     
  7. kevinf80

    kevinf80 Malware Specialist

    Download Farbar Recovery Scan Tool on a clean PC (if possible) and save it to a flash drive (memory stick). Use whichever of the following is applicable to your system (32 or 64 bit).

    Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ (64-bit version) and save it to the USB flash drive.

    Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ (32-bit version) and save it to the USB flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options. I give two methods; use whichever is convenient for you.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select Your Country as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select Your Country as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  8. ron40

    ron40 Thread Starter

    Hi Kevin:
    My wife & I are leaving in an hour & coming back tomorrow (Monday) afternoon. I will use my laptop at that time to download the file & put it on a flash drive & continue this.
    Thanks for your patience
     
  9. kevinf80

    kevinf80 Malware Specialist

    That's OK, just post back anytime you're ready... (y)
     
  10. ron40

    ron40 Thread Starter

    Here is the scan result. I'm using my laptop to send this. My infected pc is asking from the "Farbar Recovery Scan Tool" if I want to shutdown or restart. Should I shut it down or wait for your instruction to "fix" or something else?


    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-12-2012 (ATTENTION: FRST version is 7 days old)
    Ran by SYSTEM at 07-01-2013 19:14:56
    Running from G:\
    Windows 7 Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet002

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [] [x]
    HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [997320 2012-11-17] ()
    HKLM\...\Run: [ROC_ROC_JULY_P1] "C:\Program Files\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 [1022048 2012-08-29] ()
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
    HKLM\...\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized [1466760 2012-06-04] (Garmin)
    HKLM\...\Run: [Essential Fax Print Controller] "C:\Program Files\EssentialFax\essfaxcontrol.exe" [94208 2009-09-01] ()
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
    HKU\Ron Kappes\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
    HKU\Ron Kappes\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-04-20] (Google Inc.)
    HKU\Ron Kappes\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [x]
    HKU\Ron Kappes\...\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [109336 2013-01-03] (Siber Systems)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    ==================== Services (Whitelisted) ===================

    2 AcfXAudioService; C:\Windows\system32\ACFXAU32.dll [410624 2009-04-28] (Conexant Systems, Inc.)
    2 AcrSch2Svc; "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" [821048 2012-06-28] (Acronis)
    2 AdobeActiveFileMonitor7.0; C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [169312 2008-09-16] (Adobe Systems Incorporated)
    2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3459024 2012-07-13] (Acronis)
    3 BrYNSvc; "C:\Program Files\Browny02\BrYNSvc.exe" [245760 2010-01-25] (Brother Industries, Ltd.)
    2 N360; "C:\Program Files\Norton 360\Engine\6.4.0.9\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton 360\Engine\6.4.0.9\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
    2 syncagentsrv; "C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe" [5915352 2012-06-28] (Acronis)
    2 vToolbarUpdater13.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-11-17] ()
    2 PSI_SVC_2; "c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [x]

    ==================== Drivers (Whitelisted) ====================

    3 61883; C:\Windows\System32\DRIVERS\61883.sys [46976 2009-07-13] (Microsoft Corporation)
    3 acfva; C:\Windows\System32\DRIVERS\ACFVA32.sys [87424 2009-09-02] (Conexant Systems Inc.)
    3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [121080 2012-03-26] (SlySoft, Inc.)
    1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [26984 2012-11-17] (AVG Technologies)
    1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\BASHDefs\20121130.005\BHDrvx86.sys [995488 2012-10-23] (Symantec Corporation)
    1 ccSet_N360; C:\Windows\system32\drivers\N360\0604000.009\ccSetx86.sys [132768 2012-06-06] (Symantec Corporation)
    3 cpudrv; \??\C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2009-12-18] ()
    3 dgcfltr; C:\Windows\System32\DRIVERS\ACFDCP32.sys [28928 2009-04-28] (Conexant Systems, Inc.)
    1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-11] (Symantec Corporation)
    1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [31088 2010-12-16] (Elaborate Bytes AG)
    3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-11-22] (Symantec Corporation)
    1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\IPSDefs\20130104.001\IDSvix86.sys [386720 2012-11-15] (Symantec Corporation)
    2 mdmxsdk; C:\Windows\System32\DRIVERS\ACFSDK32.sys [12672 2007-03-15] (Conexant)
    3 NAL; \??\C:\Windows\system32\Drivers\iqvw32.sys [30880 2009-06-23] (Intel Corporation )
    3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\VirusDefs\20130105.017\NAVENG.SYS [92704 2012-12-05] (Symantec Corporation)
    3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\VirusDefs\20130105.017\NAVEX15.SYS [1601184 2012-12-05] (Symantec Corporation)
    3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [734208 2009-05-25] (Ralink Technology Corp.)
    3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [21520 2010-07-21] (Microsoft Corporation)
    3 PalmUSBD; C:\Windows\System32\drivers\PalmUSBD.sys [16640 2007-12-04] (PalmSource, Inc.)
    3 rcmirror; C:\Windows\System32\DRIVERS\rcmirror.sys [3200 2010-01-18] (Windows (R) Win 7 DDK provider)
    0 sptd; C:\Windows\System32\Drivers\sptd.sys [697328 2010-10-07] (Duplex Secure Ltd.)
    1 SRTSP; C:\Windows\System32\Drivers\N360\0604000.009\SRTSP.SYS [574112 2012-07-05] (Symantec Corporation)
    1 SRTSPX; C:\Windows\system32\drivers\N360\0604000.009\SRTSPX.SYS [32928 2012-07-05] (Symantec Corporation)
    0 SymDS; C:\Windows\System32\drivers\N360\0604000.009\SYMDS.SYS [340088 2012-03-28] (Symantec Corporation)
    0 SymEFA; C:\Windows\System32\drivers\N360\0604000.009\SYMEFA.SYS [924320 2012-05-21] (Symantec Corporation)
    3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [141944 2012-05-28] (Symantec Corporation)
    1 SymIRON; C:\Windows\system32\drivers\N360\0604000.009\Ironx86.SYS [149624 2012-03-28] (Symantec Corporation)
    1 SymNetS; C:\Windows\System32\Drivers\N360\0604000.009\SYMNETS.SYS [318584 2012-03-28] (Symantec Corporation)
    0 tdrpman; C:\Windows\System32\DRIVERS\tdrpman.sys [775232 2012-07-13] (Acronis)
    3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [13056 2011-02-14] (LG Electronics Inc.)
    3 UsbDiag; C:\Windows\System32\DRIVERS\lgusbdiag.sys [20864 2011-02-14] (LG Electronics Inc.)
    3 UsbFltr; C:\Windows\System32\Drivers\UsbFltr.sys [9600 2007-04-09] (Waytech Development, Inc.)
    3 USBModem; C:\Windows\System32\DRIVERS\lgusbmodem.sys [25216 2011-02-14] (LG Electronics Inc.)
    0 vididr; C:\Windows\System32\DRIVERS\vididr.sys [126880 2012-07-13] (Acronis)
    0 vidsflt67; C:\Windows\System32\DRIVERS\vsflt67.sys [86496 2012-07-13] (Acronis)
    2 XAudio; C:\Windows\System32\DRIVERS\ACFXAU32.sys [8704 2009-04-28] (Conexant Systems, Inc.)
    3 IntcAzAudAddService; C:\Windows\System32\drivers\RTKVHDA.sys [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-01-07 19:14 - 2013-01-07 19:14 - 00000000 ____D C:\FRST
    2013-01-05 14:58 - 2013-01-05 14:57 - 00688992 ____R (Swearware) C:\Users\Ron Kappes\Desktop\dds.scr
    2013-01-05 14:50 - 2013-01-05 19:26 - 00015876 ____A C:\Users\Ron Kappes\Desktop\hijackthis.log
    2013-01-05 14:49 - 2013-01-05 14:38 - 00388608 ____A (Trend Micro Inc.) C:\Users\Ron Kappes\Desktop\HijackThis.exe
    2012-12-21 12:47 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
    2012-12-21 12:47 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
    2012-12-17 14:46 - 2012-12-17 14:46 - 00000000 ____D C:\Users\All Users\188F1432-103A-4ffb-80F1-36B633C5C9E1
    2012-12-17 14:46 - 2012-12-17 14:46 - 00000000 ____D C:\Program Files\iPod
    2012-12-12 17:24 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-12-12 17:24 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-12-12 17:24 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-12-12 17:24 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-12-12 17:24 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-12-12 17:24 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-12-12 17:24 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-12-12 17:24 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-12-12 17:24 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-12-12 17:24 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-12-12 17:24 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2012-12-12 17:24 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-12-12 17:24 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-12-12 17:24 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-12-12 17:24 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-12-12 17:24 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-12-12 09:50 - 2012-11-21 18:56 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-12-12 09:50 - 2012-11-01 21:11 - 00376832 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll
    2012-12-12 09:50 - 2012-10-04 08:47 - 00169984 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
    2012-12-12 09:50 - 2012-10-04 08:43 - 00868352 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
    2012-12-12 09:50 - 2012-10-04 08:43 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 06:57 - 00271360 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
    2012-12-12 09:50 - 2012-10-04 06:41 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 06:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 06:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
    2012-12-12 09:50 - 2012-10-04 06:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
    2012-12-12 09:49 - 2012-11-08 20:42 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
    2012-12-09 15:47 - 2012-12-09 15:47 - 00249544 ___AH C:\Windows\System32\mlfcache.dat
    2012-12-08 15:04 - 2012-12-08 15:04 - 00001970 ____A C:\Users\Ron Kappes\Desktop\FF PROFILE.lnk

    ==================== One Month Modified Files and Folders ========

    2013-01-06 10:53 - 2010-04-14 23:00 - 01850225 ____A C:\Windows\WindowsUpdate.log
    2013-01-06 10:52 - 2010-04-14 10:51 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-01-06 10:52 - 2010-04-14 10:51 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-01-06 10:37 - 2012-04-05 06:12 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-01-06 07:53 - 2006-04-25 11:21 - 00000000 ____D C:\DOWNLOAD
    2013-01-06 07:15 - 2009-07-13 20:34 - 00014288 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-01-06 07:15 - 2009-07-13 20:34 - 00014288 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-01-06 07:08 - 2010-04-15 05:52 - 00000000 ____D C:\Users\All Users\NVIDIA
    2013-01-06 07:08 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-01-06 07:08 - 2009-07-13 20:39 - 00198944 ____A C:\Windows\setupact.log
    2013-01-05 21:04 - 2010-04-14 23:27 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-01-05 19:26 - 2013-01-05 14:50 - 00015876 ____A C:\Users\Ron Kappes\Desktop\hijackthis.log
    2013-01-05 15:09 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
    2013-01-05 14:57 - 2013-01-05 14:58 - 00688992 ____R (Swearware) C:\Users\Ron Kappes\Desktop\dds.scr
    2013-01-05 14:38 - 2013-01-05 14:49 - 00388608 ____A (Trend Micro Inc.) C:\Users\Ron Kappes\Desktop\HijackThis.exe
    2013-01-05 13:17 - 2010-04-14 10:46 - 00169536 ____A C:\Windows\PFRO.log
    2013-01-05 12:36 - 2012-04-24 18:00 - 00000000 _RSHD C:\acroldr
    2012-12-29 17:11 - 2010-06-01 16:05 - 00000000 ____D C:\Users\All Users\DVD Shrink
    2012-12-26 22:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
    2012-12-25 13:43 - 2012-06-23 19:48 - 00000054 ____A C:\GG.txt
    2012-12-22 16:53 - 2011-12-14 09:11 - 00000000 ____D C:\Users\Ron Kappes\AppData\Roaming\Skype
    2012-12-22 11:49 - 2010-05-02 20:09 - 00000000 ____D C:\Users\Ron Kappes\AppData\Local\CrashDumps
    2012-12-21 14:13 - 2009-07-13 20:33 - 00487872 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-12-21 10:43 - 2010-04-14 08:31 - 00000000 ____D C:\users\Ron Kappes
    2012-12-19 09:19 - 2012-11-20 18:18 - 00000000 ___SD C:\Users\Ron Kappes\Google Drive
    2012-12-17 14:47 - 2012-09-18 07:16 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-12-17 14:46 - 2012-12-17 14:46 - 00000000 ____D C:\Users\All Users\188F1432-103A-4ffb-80F1-36B633C5C9E1
    2012-12-17 14:46 - 2012-12-17 14:46 - 00000000 ____D C:\Program Files\iPod
    2012-12-17 14:46 - 2010-05-07 09:47 - 00000000 ____D C:\Program Files\iTunes
    2012-12-17 14:46 - 2010-04-20 12:14 - 00000000 ____D C:\Program Files\Common Files\Apple
    2012-12-16 06:13 - 2012-12-21 12:47 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
    2012-12-16 06:13 - 2012-12-21 12:47 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
    2012-12-14 08:25 - 2010-12-30 11:16 - 00000000 ____D C:\Users\Ron Kappes\AppData\Roaming\DVD Flick
    2012-12-13 14:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
    2012-12-12 17:24 - 2010-04-14 09:42 - 00000000 ____D C:\Users\All Users\Microsoft Help
    2012-12-12 17:21 - 2010-04-14 13:34 - 65087872 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-12-11 20:37 - 2012-04-05 06:12 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-12-11 20:37 - 2011-05-24 15:43 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-12-09 15:47 - 2012-12-09 15:47 - 00249544 ___AH C:\Windows\System32\mlfcache.dat
    2012-12-08 15:04 - 2012-12-08 15:04 - 00001970 ____A C:\Users\Ron Kappes\Desktop\FF PROFILE.lnk


    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-12-20 13:13:17
    Restore point made on: 2012-12-21 12:47:07
    Restore point made on: 2012-12-28 14:03:17
    Restore point made on: 2013-01-05 11:35:51

    ==================== Memory info ===========================

    Percentage of memory in use: 13%
    Total physical RAM: 4022.43 MB
    Available physical RAM: 3477.22 MB
    Total Pagefile: 4020.71 MB
    Available Pagefile: 3494.84 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1962.3 MB

    ==================== Partitions =============================

    1 Drive c: () (Fixed) (Total:465.76 GB) (Free:254.72 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (2TB Disk) (Fixed) (Total:1862.89 GB) (Free:1181.66 GB) NTFS
    3 Drive e: () (Fixed) (Total:465.76 GB) (Free:261.69 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: (GRMCHPFRER_EN_DVD) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF
    5 Drive g: (ZIP DRIVE) (Removable) (Total:14.93 GB) (Free:11.77 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 0 B
    Disk 1 Online 1863 GB 0 B *
    Disk 2 Online 465 GB 0 B
    Disk 3 Online 14 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 465 GB 1024 KB

    =========================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 465 GB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Reserved 128 MB 17 KB
    Partition 2 Primary 1862 GB 129 MB

    =========================================================

    Disk: 1
    Partition 1
    Type : e3c9e316-0b5c-4db8-817d-f92df00215ae
    Hidden : Yes
    Required: No
    Attrib : 0000000000000000

    There is no volume associated with this partition.

    =========================================================

    Disk: 1
    Partition 2
    Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Hidden : No
    Required: No
    Attrib : 0X0000000000000004

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D 2TB Disk NTFS Partition 1862 GB Healthy

    =========================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 465 GB 1024 KB

    =========================================================

    Disk: 2
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E NTFS Partition 465 GB Healthy

    =========================================================

    Partitions of Disk 3:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 14 GB 16 KB

    =========================================================

    Disk: 3
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G ZIP DRIVE FAT32 Removable 14 GB Healthy

    =========================================================

    Last Boot: 2013-01-03 23:12

    ==================== End Of Log ============================
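As an added example (not code from the thread, from FRST or from its author), here is a small Python triage helper that parses the Run, Services and Drivers lines in the format the log above uses and flags what a responder would check first: entries FRST marks `[x]` (file missing), binaries with an empty publisher `()`, and boot/system-start drivers loaded from outside C:\Windows. `Entry`, `parse_frst` and `triage` are this example's own names; the sample lines are copied from the log above.

```python
"""FRST log triage helper (added example; not FRST's or the thread's code).
Entry, parse_frst and triage are this example's own names."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [] [x]
HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [997320 2012-11-17] ()
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKU\Ron Kappes\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [x]
==================== Services (Whitelisted) ===================
2 PSI_SVC_2; "c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [x]
==================== Drivers (Whitelisted) ====================
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [26984 2012-11-17] (AVG Technologies)
1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\BASHDefs\20121130.005\BHDrvx86.sys [995488 2012-10-23] (Symantec Corporation)
3 cpudrv; \??\C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2009-12-18] ()
0 sptd; C:\Windows\System32\Drivers\sptd.sys [697328 2010-10-07] (Duplex Secure Ltd.)
"""

@dataclass
class Entry:
    kind: str             # "run", "service" or "driver"
    name: str             # Run value name, service name or driver name
    path: Optional[str]   # image path; None when FRST printed only [x]
    publisher: str        # "" when FRST printed "()" (no company in version info)
    start: Optional[int]  # service/driver start type: 0 boot, 1 system, 2 auto, 3 demand
    missing: bool         # FRST's [x] marker: the referenced file does not exist

SECTION = re.compile(r"^=+ (.+?) =+$")
RUN = re.compile(r"^(HK\w+\\.*?\\Run): \[(.*?)\] (.*)$")
SVC = re.compile(r"^(\d) (\S+); (.*)$")
META = re.compile(r"^(.*) \[(\d+) (\d{4}-\d{2}-\d{2})\] \((.*)\)$")
IMAGE = re.compile(r"^(.*?\.(?:exe|dll|sys|cpl))(.*)$", re.IGNORECASE)
NT_PREFIX = "\\??\\"  # object-manager prefix FRST keeps on some driver ImagePaths
WINDOWS_DIR = "c:\\windows\\"

def _split_tail(tail: str) -> Tuple[Optional[str], str, bool]:
    """Split the text after the entry name into (path, publisher, missing)."""
    tail = tail.strip()
    if tail.endswith("[x]"):
        head, publisher, missing = tail[:-3].strip(), "", True
    else:
        m = META.match(tail)
        if not m:
            return None, "", False  # unrecognised line shape; skip quietly
        head, publisher, missing = m.group(1).strip(), m.group(4).strip(), False
    if head.startswith('"'):
        path = head[1:].split('"', 1)[0]  # quoted path, arguments follow
    else:
        img = IMAGE.match(head)           # unquoted path: cut before arguments
        path = img.group(1) if img else head
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return (path or None), publisher, missing

def parse_frst(text: str) -> List[Entry]:
    """One Entry per Run/Service/Driver line; all other sections are ignored."""
    entries: List[Entry] = []
    kind: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION.match(line)
        if sec:
            title = sec.group(1).lower()
            kind = ("run" if "registry" in title else "service" if "services" in title
                    else "driver" if "drivers" in title else None)
            continue
        if not line or kind is None:
            continue
        m = RUN.match(line) if kind == "run" else SVC.match(line)
        if m:
            path, pub, missing = _split_tail(m.group(3))
            start = None if kind == "run" else int(m.group(1))
            entries.append(Entry(kind, m.group(2), path, pub, start, missing))
    return entries

def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(label, reason) pairs a responder would look at first. These are review
    prompts, not verdicts: the signed Symantec definition driver under
    ProgramData (BHDrvx86 in the sample) trips the location rule and is noise."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        label = f"{e.kind}:{e.name or '<blank>'}"
        if e.missing:
            findings.append((label, "autorun points at a file that no longer exists ([x])"))
            continue
        if e.publisher == "":
            findings.append((label, "no publisher in version info ()"))
        if (e.kind == "driver" and e.start in (0, 1) and e.path
                and not e.path.lower().startswith(WINDOWS_DIR)):
            findings.append((label, "boot/system-start driver loaded from outside C:\\Windows"))
    return findings

if __name__ == "__main__":
    for label, reason in triage(parse_frst(SAMPLE_LOG)):
        print(f"{label:24} {reason}")
```

Feed it the full FRST.txt instead of SAMPLE_LOG and the Memory, Partitions and file-listing sections are skipped automatically, since only the three section titles above are mapped to an entry kind.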
     
  11. kevinf80

    kevinf80 Malware Specialist

    Thanks for the log; I do not see anything obvious to cause concern. OK, run the following:

    Download AdwCleaner by Xplode from http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner onto your Desktop.

    • Please close all open programs and internet browsers.
    • Double click on Adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

    Next,

    1. Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/
    2. Unzip the File to a convenient location. (Recommend the Desktop)
    3. Open the folder where the contents were unzipped to run mbar.exe


    4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:


    5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

    6. The following image opens, select Next.

    7. The following image opens, select Update

    8. When the Update completes, select Next

    9. In the following window ensure "Targets" are ticked. Then select "Scan"

    10. If any infections are found, the "Cleanup" button to remove threats will be available. The infected files will be listed like the following example:

    11. Do not select the "Clean up" button; select the "Exit" button. There will be a warning as follows:

    12. Select "Yes" to close down the program. If NO infections were found you will see the following image:

    13. Select "Exit" to close down.
    14. Copy and paste the following two logs from the mbar folder:

    System - log
    Mbar - log (the date and time of the scan will also be shown)

    Post those two logs in your reply.


    Next,

    Download Security Check by screen317 from either of the following:
    http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users: right click and select "Run as Administrator") and follow the onscreen instructions inside the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Let me see those logs in your next reply.

    Kevin
     
  12. ron40

    ron40 Thread Starter

    Joined:
    Jul 6, 2004
    Messages:
    313
    First Name:
    Ron
    Hi Kevin:
    I did this after a "normal" start of my desktop. If I was supposed to do it in safe or clean mode, let me know & I'll repeat it.
    Ron




    # AdwCleaner v2.105 - Logfile created 01/08/2013 at 11:26:01
    # Updated 08/01/2013 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
    # User : Ron Kappes - RONKAPPES-PC
    # Boot Mode : Normal
    # Running from : C:\DOWNLOAD\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
    File Found : C:\Users\Ron Kappes\AppData\Roaming\Mozilla\Firefox\Profiles\o7swtwcx.default\searchplugins\safesearch.xml
    Folder Found : C:\Program Files\Astroburn Toolbar
    Folder Found : C:\Program Files\AVG Secure Search
    Folder Found : C:\Program Files\Common Files\AVG Secure Search
    Folder Found : C:\Program Files\Conduit
    Folder Found : C:\Program Files\DAEMON Tools Toolbar
    Folder Found : C:\Program Files\Softonic_English_FF
    Folder Found : C:\ProgramData\AVG Secure Search
    Folder Found : C:\Users\Ron Kappes\AppData\Local\AVG Secure Search
    Folder Found : C:\Users\Ron Kappes\AppData\Local\Conduit
    Folder Found : C:\Users\Ron Kappes\AppData\LocalLow\AVG Secure Search
    Folder Found : C:\Users\Ron Kappes\AppData\LocalLow\boost_interprocess
    Folder Found : C:\Users\Ron Kappes\AppData\LocalLow\Conduit
    Folder Found : C:\Users\Ron Kappes\AppData\LocalLow\PriceGong
    Folder Found : C:\Users\Ron Kappes\AppData\LocalLow\Softonic_English_FF

    ***** [Registry] *****

    Key Found : HKCU\Software\AppDataLow\Software\Conduit
    Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
    Key Found : HKCU\Software\AppDataLow\Software\PriceGong
    Key Found : HKCU\Software\AppDataLow\Software\SmartBar
    Key Found : HKCU\Software\AppDataLow\Software\Softonic_English_FF
    Key Found : HKCU\Software\AppDataLow\Toolbar
    Key Found : HKCU\Software\AVG Secure Search
    Key Found : HKCU\Software\IGearSettings
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{5F970FDE-702B-4EF9-920C-5F2848A5AF26}
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FFA0793E-3980-4BE4-8234-048FA665F700}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{23225757-5F06-46F9-A057-DBB93A89DCE4}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFA0793E-3980-4BE4-8234-048FA665F700}
    Key Found : HKCU\Software\Zugo
    Key Found : HKLM\SOFTWARE\14919ea49a8f3b4aa3cf1058d9a64cec
    Key Found : HKLM\Software\AVG Secure Search
    Key Found : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
    Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
    Key Found : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
    Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
    Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
    Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
    Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{23225757-5F06-46F9-A057-DBB93A89DCE4}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{FFA0793E-3980-4BE4-8234-048FA665F700}
    Key Found : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj
    Key Found : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj.1
    Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
    Key Found : HKLM\SOFTWARE\Classes\Prod.cap
    Key Found : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
    Key Found : HKLM\SOFTWARE\Classes\S
    Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
    Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
    Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2207613
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
    Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
    Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
    Key Found : HKLM\Software\Conduit
    Key Found : HKLM\Software\Freeze.com
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{187D7866-BA18-4F9C-B36A-515665D3820F}
    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{49D66F04-F404-43C7-80D2-81156F81DB1E}
    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFA0793E-3980-4BE4-8234-048FA665F700}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{23225757-5F06-46F9-A057-DBB93A89DCE4}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Softonic_English_FF Toolbar
    Key Found : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
    Key Found : HKLM\Software\Softonic_English_FF
    Key Found : HKU\S-1-5-21-850064655-2486408983-3711719723-1000\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Found : HKU\S-1-5-21-850064655-2486408983-3711719723-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5F970FDE-702B-4EF9-920C-5F2848A5AF26}
    Key Found : HKU\S-1-5-21-850064655-2486408983-3711719723-1000\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Found : HKU\S-1-5-21-850064655-2486408983-3711719723-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}
    Key Found : HKU\S-1-5-21-850064655-2486408983-3711719723-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
    Key Found : HKU\S-1-5-21-850064655-2486408983-3711719723-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]
    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{FFA0793E-3980-4BE4-8234-048FA665F700}]
    Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{FFA0793E-3980-4BE4-8234-048FA665F700}]
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{FFA0793E-3980-4BE4-8234-048FA665F700}]
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{FFA0793E-3980-4BE4-8234-048FA665F700}]
    Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [[email protected]]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16457

    [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page Restore] = hxxp://www.ask.com/?o=14597&l=dis

    -\\ Mozilla Firefox v17.0.1 (en-US)

    File : C:\Users\Ron Kappes\AppData\Roaming\Mozilla\Firefox\Profiles\o7swtwcx.default\prefs.js

    Found : user_pref("avg.install.installDirPath", "C:\\ProgramData\\AVG Secure Search\\FireFoxExt\\13.2.0.5");
    Found : user_pref("browser.search.defaultenginename", "AVG Secure Search");
    Found : user_pref("keyword.URL", "hxxps://isearch.avg.com/search?cid={6A0B3C86-12F4-4C82-AEEC-E82628892C96}&[...]

    -\\ Google Chrome v23.0.1271.97

    File : C:\Users\Ron Kappes\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [10770 octets] - [08/01/2013 10:45:24]
    AdwCleaner[R2].txt - [10831 octets] - [08/01/2013 10:54:39]
    AdwCleaner[R3].txt - [10745 octets] - [08/01/2013 11:26:01]

    ########## EOF - C:\AdwCleaner[R3].txt - [10806 octets] ##########


    Malwarebytes Anti-Rootkit 1.01.0.1011
    www.malwarebytes.org

    Database version: v2013.01.08.11

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Ron Kappes :: RONKAPPES-PC [administrator]

    1/8/2013 11:45:17 AM
    mbar-log-2013-01-08 (11-45-17).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 31898
    Time elapsed: 11 minute(s), 56 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1

    x86

    Account is Administrative

    Internet Explorer version: 9.0.8112.16421

    Java version: 1.6.0_31

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 3.200000 GHz
    Memory total: 3479625728, free: 1694859264

    ------------ Kernel report ------------
    01/08/2013 11:32:12
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntkrnlpa.exe
    \SystemRoot\system32\halmacpi.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\BOOTVID.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\System32\Drivers\spbe.sys
    \SystemRoot\System32\Drivers\WMILIB.SYS
    \SystemRoot\System32\Drivers\SCSIPORT.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\system32\DRIVERS\vsflt67.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\drivers\pciide.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\N360\0604000.009\SYMDS.SYS
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\system32\drivers\N360\0604000.009\SYMEFA.SYS
    \SystemRoot\System32\Drivers\PxHelp20.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\DRIVERS\vididr.sys
    \SystemRoot\system32\DRIVERS\timntr.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\system32\DRIVERS\tdrpman.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\system32\DRIVERS\snapman.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\system32\DRIVERS\fltsrv.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\drivers\N360\0604000.009\ccSetx86.sys
    \SystemRoot\System32\Drivers\N360\0604000.009\SRTSP.SYS
    \SystemRoot\system32\drivers\N360\0604000.009\Ironx86.SYS
    \SystemRoot\system32\drivers\N360\0604000.009\SRTSPX.SYS
    \??\C:\Windows\system32\Drivers\SYMEVENT.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \??\C:\Windows\system32\drivers\avgtpx86.sys
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\System32\Drivers\tosrfcom.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\System32\Drivers\N360\0604000.009\SYMNETS.SYS
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\Drivers\ElbyCDIO.sys
    \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\BASHDefs\20121130.005\BHDrvx86.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    \SystemRoot\System32\Drivers\nvBridge.kmd
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\e1k6232.sys
    \SystemRoot\system32\drivers\usbehci.sys
    \SystemRoot\system32\drivers\USBPORT.SYS
    \SystemRoot\system32\drivers\HDAudBus.sys
    \SystemRoot\system32\drivers\1394ohci.sys
    \SystemRoot\System32\Drivers\AnyDVD.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\System32\Drivers\aoqdu3hk.SYS
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\VClone.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\tosporte.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\HdAudio.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\dc3d.sys
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\NuidFltr.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\point32.sys
    \SystemRoot\system32\DRIVERS\usbser.sys
    \SystemRoot\system32\drivers\modem.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\netr28u.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\DRIVERS\vwifimp.sys
    \SystemRoot\system32\DRIVERS\ACFSDK32.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\system32\drivers\regi.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\system32\DRIVERS\ACFXAU32.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\DRIVERS\afcdp.sys
    \SystemRoot\system32\DRIVERS\umpass.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\VirusDefs\20130107.023\NAVEX15.SYS
    \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\VirusDefs\20130107.023\NAVENG.SYS
    \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\IPSDefs\20130105.001\IDSvix86.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Program Files\DAEMON Tools Lite\Engine.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk2\DR2
    Upper Device Object: 0xffffffff87c711f8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-2\
    Lower Device Object: 0xffffffff87ac2030
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    DriverEntry returned 0x0
    Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR1
    Upper Device Object: 0xffffffff87c6f030
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-1\
    Lower Device Object: 0xffffffff87ac0908
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff87c6c030
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
    Lower Device Object: 0xffffffff86dbe908
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    Downloaded database version: v2013.01.08.11
    Downloaded database version: v2013.01.04.01
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff87c6c030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff87c6cd10, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff87c6c030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff87c6bb50, DeviceName: Unknown, DriverName: \Driver\vidsflt67\
    DevicePointer: 0xffffffff87acc918, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xffffffff86dbe908, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xffffffff8e46d5b0, 0xffffffff87c6c030, 0xffffffff8a855ac8
    Lower DeviceData: 0xffffffffdbb66750, 0xffffffff86dbe908, 0xffffffff8a295308
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\Windows\system32\drivers...
    File user open failed: C:\Windows\system32\drivers\sptd.sys (0x00000020)
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 2B533857

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 976771072
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xffffffff87c6f030, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff87c6fd10, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff87c6f030, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff87c6eb08, DeviceName: Unknown, DriverName: \Driver\vidsflt67\
    DevicePointer: 0xffffffff87ac1408, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xffffffff87ac0908, DeviceName: \Device\Ide\IdeDeviceP1T0L0-1\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xffffffff8b82d998, 0xffffffff87c6f030, 0xffffffff8b019568
    Lower DeviceData: 0xffffffff8b9cb520, 0xffffffff87ac0908, 0xffffffff8a28d818
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    This drive is a GPT Drive.
    MBR Signature: 55AA
    Disk Signature: 3B952B1B

    GPT Protective MBR Partition information:

    Partition 0 type is Other (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1 Numsec = 3907029167

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    GPT Partition information:

    GptHeader Signature 4546492050415254
    GptHeader Revision 65536 Size 92 CRC 2953826610
    GptHeader CurrentLba = 1 BackupLba 3907029167
    GptHeader FirstUsableLba 34 LastUsableLba 3907029134
    GptHeader Guid cc45f166-959c-4811-9d95-318eeae6f26
    GptHeader 128 Partitions starting at LBA 2
    GptHeader Partition entry size = 128

    Backup GptHeader Signature 4546492050415254
    Backup GptHeader Revision 65536 Size 92 CRC 2953826610
    Backup GptHeader CurrentLba = 3907029167 BackupLba 1
    Backup GptHeader FirstUsableLba 34 LastUsableLba 3907029134
    Backup GptHeader Guid cc45f166-959c-4811-9d95-318eeae6f26
    Backup GptHeader 128 Partitions starting at LBA 3907029135
    Backup GptHeader Partition entry size = 128
    Partition 0 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID 198b9937-b804-4a9a-b89f-d8893727710
    FirstLBA 34 Last LBA 262177
    Attributes 0
    Partition Name

    Partition 1 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID e485f454-39f6-4d29-9e3d-2aab4fe6aba1
    FirstLBA 264192 Last LBA 3907028991
    Attributes 4
    Partition Name

    Disk Size: 2000398934016 bytes
    Sector size: 512 bytes

    Physical Sector Size: 512
    Drive: 2, DevicePointer: 0xffffffff87c711f8, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff87c72020, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff87c711f8, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff87c71ea0, DeviceName: Unknown, DriverName: \Driver\vidsflt67\
    DevicePointer: 0xffffffff87abff08, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xffffffff87ac2030, DeviceName: \Device\Ide\IdeDeviceP2T0L0-2\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xffffffffe5393998, 0xffffffff87c711f8, 0xffffffff8af63ac8
    Lower DeviceData: 0xffffffffe52d0aa0, 0xffffffff87ac2030, 0xffffffff88433788
    Drive 2
    Scanning MBR on drive 2...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 29DD1809

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 976771072
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Done!
    Performing system, memory and registry scan...
    Done!
    Scan finished
    =======================================

    Results of screen317's Security Check version 0.99.56
    Windows 7 Service Pack 1 x86 (UAC is disabled!)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Disabled!
    Norton 360
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Java(TM) 6 Update 31
    Java version out of Date!
    Adobe Flash Player 11.5.502.135
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox (17.0.1)
    Mozilla Thunderbird (17.0.)
    Google Chrome 23.0.1271.95
    Google Chrome 23.0.1271.97
    ````````Process Check: objlist.exe by Laurent````````
    Norton ccSvcHst.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 1%
    ````````````````````End of Log``````````````````````
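The "Inspecting partition table" section of the RogueKiller log above is a decode of the 64-byte partition table at the end of the boot sector. The script below is an added example (not from the thread, and not RogueKiller's code) that decodes a 512-byte MBR the same way and adds the sanity checks a bootkit hunt wants: exactly one active entry, no entry running past the disk, no overlapping entries, and a hash of the 440-byte boot code to compare against a known-good copy. The sample sector is constructed from the values printed in the log (disk signature 29DD1809, one active NTFS partition at LBA 2048 with 976771072 sectors on a 500107862016-byte disk); its boot code is filler, not a dump of the poster's disk. The PART_TYPES table and the TAMPERED_MBR sample are assumptions made for the example.

```python
"""Decode and sanity-check a classic MBR, as RogueKiller's "Inspecting
partition table" step does.  Added example: not from the thread and not
RogueKiller's code.  The sample sector is constructed from the log's values;
its boot code is filler, not a real dump."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440       # offsets 0..439: boot code, the bytes a bootkit patches
DISK_SIG_OFF = 0x1B8     # 4-byte Windows disk signature, little-endian
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55 0xAA boot signature
ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sectors

# Labels in the log's style. Assumption: a small subset of the standard
# partition type IDs, enough for a typical Windows disk.
PART_TYPES = {0x00: ("Empty", None), 0x05: ("Extended", None),
              0x07: ("Primary", "NTFS"), 0x0B: ("Primary", "FAT32"),
              0x0C: ("Primary", "FAT32"), 0x0F: ("Extended", None),
              0x27: ("Hidden", "NTFS"), 0xEE: ("GPT protective", None)}


def build_mbr(disk_sig, entries, bootcode=b"\x90" * BOOTCODE_LEN):
    """Assemble a 512-byte MBR from (status, type, lba, numsec) tuples."""
    sector = bytearray(SECTOR)
    sector[:BOOTCODE_LEN] = bootcode[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\0")
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba, nsec) in enumerate(entries):
        # CHS fields stay zero; Windows and modern loaders use the LBA fields.
        struct.pack_into(ENTRY, sector, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, nsec)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector, disk_size):
    """Decode the table and collect findings a bootkit check cares about."""
    if len(sector) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    boot_sig = sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2].hex().upper()
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, nsec = struct.unpack_from(
            ENTRY, sector, PART_TABLE_OFF + 16 * i)
        label, fs = PART_TYPES.get(ptype, ("Unknown", None))
        parts.append({"index": i, "type": ptype, "label": label, "fs": fs,
                      "active": status == 0x80, "lba": lba, "numsec": nsec})
    findings = []
    if boot_sig != "55AA":
        findings.append("boot signature is %s, not 55AA" % boot_sig)
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions, expected exactly 1" % len(active))
    total = disk_size // SECTOR
    used = [p for p in parts if p["type"] != 0]
    for p in parts:
        if p["type"] == 0 and (p["lba"] or p["numsec"]):
            findings.append("partition %d is type 0 but has LBA/size set" % p["index"])
    for p in used:
        if p["lba"] + p["numsec"] > total:
            findings.append("partition %d ends past the disk (%d > %d sectors)"
                            % (p["index"], p["lba"] + p["numsec"], total))
    for a in used:
        for b in used:
            if (a["index"] < b["index"] and a["lba"] < b["lba"] + b["numsec"]
                    and b["lba"] < a["lba"] + a["numsec"]):
                findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return {"boot_sig": boot_sig, "disk_sig": "%08X" % disk_sig,
            # Compare against a known-good hash from a clean install of the
            # same OS: a bootkit lives in these 440 bytes, not in the table.
            "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
            "partitions": parts, "findings": findings}


def report(info):
    """Render the result in the log's wording, one string per line."""
    lines = ["MBR Signature: " + info["boot_sig"], "Disk Signature: " + info["disk_sig"]]
    for p in info["partitions"]:
        lines.append("Partition %d type is %s (0x%X)" % (p["index"], p["label"], p["type"]))
        lines.append("Partition is %s." % ("ACTIVE" if p["active"] else "NOT ACTIVE"))
        lines.append("Partition starts at LBA: %d Numsec = %d" % (p["lba"], p["numsec"]))
        if p["fs"]:
            lines.append("Partition file system is " + p["fs"])
    return lines + ["WARNING: " + f for f in info["findings"]]


DISK_SIZE = 500107862016
# Constructed to match the log: one active NTFS partition, three empty slots.
CLEAN_MBR = build_mbr(0x29DD1809, [(0x80, 0x07, 2048, 976771072)])
# Constructed tampered table (assumption, not from the log): a hidden second
# entry, also flagged active, that runs past the end of the disk.
TAMPERED_MBR = build_mbr(0x29DD1809, [(0x80, 0x07, 2048, 976771072),
                                      (0x80, 0x27, 976773120, 1000000)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print("-- %s --\n%s" % (name, "\n".join(report(parse_mbr(mbr, DISK_SIZE)))))
```

Run it as is to see the clean table rendered in the log's wording followed by the tampered one with its warnings. On a real machine the sector comes from reading the first 512 bytes of the physical disk (\\.\PhysicalDrive0 on Windows) as administrator; the partition table alone does not reveal a bootkit, which is why the boot-code hash is reported for comparison with a trusted copy.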
     
  13. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    It would seem that you ran "Search" in AdwCleaner; I asked that you use the "Delete" function. Can you run AdwCleaner again, this time only select the Delete tab, follow the prompts and post that log.

    Next,

    Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    • Ensure that Combofix is saved directly to the Desktop <--- Very important
    • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
    • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
    • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

    Post the log in next reply please...

    Kevin
     
  14. ron40

    ron40 Thread Starter

    Joined:
    Jul 6, 2004
    Messages:
    313
    First Name:
    Ron
    I'm writing this from my laptop (the uninfected PC). I ran adware like you said but I have probs with Combofix. The blue screen hangs with the message: "Scanning for infected files. This typically doesn't take more than 10 min...etc." Of note: the HDD light goes out at this point, meaning the HDD is turned off. I don't hear any writing in there. So I'm looking at a blue screen but nothing is happening. It feels like there is an evil spirit in there that's doing this (just kidding). Everything is locked up. If I try to shut down it doesn't respond; I have to cut the power to shut down (which I just did).
    Do you want the adware log? It's on the other pc. If so I'll send it when I restart it.
    Eagerly waiting for your reply.

    Ron
     
  15. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    OK, if there are still issues we'll have to try another way. See if you can create and run the following:

    You have access to another PC to create the Windows Defender Offline Tool; I give the instructions to load it to a USB flash drive.

    Download the tool from here :- http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.
    You will have to select the correct version for your system, either 32 or 64 bit.

    Double click the downloaded file to run the tool; Windows 7 or Vista users right click and select "Run as Administrator".

    Read the instructions in the new window and select "Next".

    In the new window accept the agreement.

    In the new window select your USB Flash Drive, then select "Next".

    In the new window ensure your Flash drive is selected; if not, click on "Refresh", then select "Next".

    In the new window accept the formatting alert by selecting "Next".

    Files will be downloaded.

    Files will be processed and created.

    The Flash drive will be formatted and prepared.

    Files will be added to the Flash Drive and the tool will be created.

    The procedure is finished and the Tool created; click on "Finish" to complete.

    Plug the USB into the sick PC and boot up. If it does not boot from the flash drive, change the boot options as required: use F12 as it boots and change the options...
    As it boots you'll see files being loaded and the Windows splash screen; eventually the tool will run a "Quick Scan". Follow the prompts and deal with what it finds.
    When complete do a full scan, and deal with what it finds.
    When finished, remove the USB stick, then press the Esc key to boot into regular Windows.
    Navigate to the following file:
    "C:\windows\windows defender offline\support\mssWrapper.log" Open with Notepad and copy and paste it into a reply.
     
Short URL to this thread: https://techguy.org/1083934