dds.scr causes pc lockup


ron40

Ron
Thread Starter
Joined
Jul 6, 2004
Messages
323
I received 4 emails that looked like they came from my brother. Each contained an internet link. I foolishly clicked on the first one, and it contained a stupid ad for a ridiculous product, which immediately made me suspicious. I should have been more alert, but these got by me. I downloaded HijackThis, scanned, and saved the log file. When I ran dds.scr, the message "two logs shall be created etc." stared at me for about 15 min with nothing seeming to happen. I tried to cancel the program with Ctrl-Alt-Del, which only caused the screen to lock up. I had to hit the power switch to reboot. I tried several times to run the program, with the same result each time.
I hope this is something simple.

Ron Kappes
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
Post the log from HJT if you have it; also run the following and post that log:

Download RogueKiller from here http://tigzy.geekstogo.com/Tools/RogueKiller.exe or here http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe and save directly to your Desktop.

  • Quit all running programs.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> Run as administrator; for XP simply run RogueKiller.exe.
  • Wait until Prescan has finished...
  • The following EULA will appear; please select Accept.
  • Ensure MBR scan, Check faked and AntiRootkit are checked.
  • Select Scan.
  • When the scan completes select Report, then copy and paste that to your reply.
  • The log should be found in RKreport[?].txt on your Desktop.
  • Exit/Close RogueKiller.

Kevin
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
What operating system do you have: Windows 7, Vista or XP?
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
Download Farbar Recovery Scan Tool on a clean PC (if possible) and save to a flash drive (memory stick). Use whichever of the following is applicable to your system (32 or 64 bit).

Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ <--- 64 bit version Save to USB flash drive

Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ <--- 32 bit version Save to USB Flash drive

Plug the flashdrive into the infected PC.

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 

ron40

Ron
Thread Starter
Joined
Jul 6, 2004
Messages
323
Hi Kevin:
My wife & I are leaving in an hour & coming back tomorrow (Monday) afternoon. I will use my laptop at that time to download the file & put it on a flash drive & continue this.
Thanks for your patience
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
That's OK, just post back anytime you're ready.
 

ron40

Ron
Thread Starter
Joined
Jul 6, 2004
Messages
323
Here is the scan result. I'm using my laptop to send this. My infected PC is asking from the "Farbar Recovery Scan Tool" if I want to shut down or restart. Should I shut it down or wait for your instruction to "fix" or something else?


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-12-2012 (ATTENTION: FRST version is 7 days old)
Ran by SYSTEM at 07-01-2013 19:14:56
Running from G:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [] [x]
HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [997320 2012-11-17] ()
HKLM\...\Run: [ROC_ROC_JULY_P1] "C:\Program Files\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 [1022048 2012-08-29] ()
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM\...\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized [1466760 2012-06-04] (Garmin)
HKLM\...\Run: [Essential Fax Print Controller] "C:\Program Files\EssentialFax\essfaxcontrol.exe" [94208 2009-09-01] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
HKU\Ron Kappes\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
HKU\Ron Kappes\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-04-20] (Google Inc.)
HKU\Ron Kappes\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [x]
HKU\Ron Kappes\...\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [109336 2013-01-03] (Siber Systems)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ===================

2 AcfXAudioService; C:\Windows\system32\ACFXAU32.dll [410624 2009-04-28] (Conexant Systems, Inc.)
2 AcrSch2Svc; "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" [821048 2012-06-28] (Acronis)
2 AdobeActiveFileMonitor7.0; C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [169312 2008-09-16] (Adobe Systems Incorporated)
2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3459024 2012-07-13] (Acronis)
3 BrYNSvc; "C:\Program Files\Browny02\BrYNSvc.exe" [245760 2010-01-25] (Brother Industries, Ltd.)
2 N360; "C:\Program Files\Norton 360\Engine\6.4.0.9\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton 360\Engine\6.4.0.9\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
2 syncagentsrv; "C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe" [5915352 2012-06-28] (Acronis)
2 vToolbarUpdater13.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-11-17] ()
2 PSI_SVC_2; "c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [x]

==================== Drivers (Whitelisted) ====================

3 61883; C:\Windows\System32\DRIVERS\61883.sys [46976 2009-07-13] (Microsoft Corporation)
3 acfva; C:\Windows\System32\DRIVERS\ACFVA32.sys [87424 2009-09-02] (Conexant Systems Inc.)
3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [121080 2012-03-26] (SlySoft, Inc.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [26984 2012-11-17] (AVG Technologies)
1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\BASHDefs\20121130.005\BHDrvx86.sys [995488 2012-10-23] (Symantec Corporation)
1 ccSet_N360; C:\Windows\system32\drivers\N360\0604000.009\ccSetx86.sys [132768 2012-06-06] (Symantec Corporation)
3 cpudrv; \??\C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2009-12-18] ()
3 dgcfltr; C:\Windows\System32\DRIVERS\ACFDCP32.sys [28928 2009-04-28] (Conexant Systems, Inc.)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-11] (Symantec Corporation)
1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [31088 2010-12-16] (Elaborate Bytes AG)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-11-22] (Symantec Corporation)
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\IPSDefs\20130104.001\IDSvix86.sys [386720 2012-11-15] (Symantec Corporation)
2 mdmxsdk; C:\Windows\System32\DRIVERS\ACFSDK32.sys [12672 2007-03-15] (Conexant)
3 NAL; \??\C:\Windows\system32\Drivers\iqvw32.sys [30880 2009-06-23] (Intel Corporation )
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\VirusDefs\20130105.017\NAVENG.SYS [92704 2012-12-05] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\VirusDefs\20130105.017\NAVEX15.SYS [1601184 2012-12-05] (Symantec Corporation)
3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [734208 2009-05-25] (Ralink Technology Corp.)
3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [21520 2010-07-21] (Microsoft Corporation)
3 PalmUSBD; C:\Windows\System32\drivers\PalmUSBD.sys [16640 2007-12-04] (PalmSource, Inc.)
3 rcmirror; C:\Windows\System32\DRIVERS\rcmirror.sys [3200 2010-01-18] (Windows (R) Win 7 DDK provider)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [697328 2010-10-07] (Duplex Secure Ltd.)
1 SRTSP; C:\Windows\System32\Drivers\N360\0604000.009\SRTSP.SYS [574112 2012-07-05] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360\0604000.009\SRTSPX.SYS [32928 2012-07-05] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360\0604000.009\SYMDS.SYS [340088 2012-03-28] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360\0604000.009\SYMEFA.SYS [924320 2012-05-21] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [141944 2012-05-28] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360\0604000.009\Ironx86.SYS [149624 2012-03-28] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\N360\0604000.009\SYMNETS.SYS [318584 2012-03-28] (Symantec Corporation)
0 tdrpman; C:\Windows\System32\DRIVERS\tdrpman.sys [775232 2012-07-13] (Acronis)
3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [13056 2011-02-14] (LG Electronics Inc.)
3 UsbDiag; C:\Windows\System32\DRIVERS\lgusbdiag.sys [20864 2011-02-14] (LG Electronics Inc.)
3 UsbFltr; C:\Windows\System32\Drivers\UsbFltr.sys [9600 2007-04-09] (Waytech Development, Inc.)
3 USBModem; C:\Windows\System32\DRIVERS\lgusbmodem.sys [25216 2011-02-14] (LG Electronics Inc.)
0 vididr; C:\Windows\System32\DRIVERS\vididr.sys [126880 2012-07-13] (Acronis)
0 vidsflt67; C:\Windows\System32\DRIVERS\vsflt67.sys [86496 2012-07-13] (Acronis)
2 XAudio; C:\Windows\System32\DRIVERS\ACFXAU32.sys [8704 2009-04-28] (Conexant Systems, Inc.)
3 IntcAzAudAddService; C:\Windows\System32\drivers\RTKVHDA.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-01-07 19:14 - 2013-01-07 19:14 - 00000000 ____D C:\FRST
2013-01-05 14:58 - 2013-01-05 14:57 - 00688992 ____R (Swearware) C:\Users\Ron Kappes\Desktop\dds.scr
2013-01-05 14:50 - 2013-01-05 19:26 - 00015876 ____A C:\Users\Ron Kappes\Desktop\hijackthis.log
2013-01-05 14:49 - 2013-01-05 14:38 - 00388608 ____A (Trend Micro Inc.) C:\Users\Ron Kappes\Desktop\HijackThis.exe
2012-12-21 12:47 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-21 12:47 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-17 14:46 - 2012-12-17 14:46 - 00000000 ____D C:\Users\All Users\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-17 14:46 - 2012-12-17 14:46 - 00000000 ____D C:\Program Files\iPod
2012-12-12 17:24 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-12-12 17:24 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-12-12 17:24 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-12-12 17:24 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-12-12 17:24 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-12-12 17:24 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-12-12 17:24 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-12-12 17:24 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-12-12 17:24 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-12-12 17:24 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-12-12 17:24 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-12-12 17:24 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-12-12 17:24 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-12-12 17:24 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-12-12 17:24 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-12-12 17:24 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-12-12 09:50 - 2012-11-21 18:56 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-12-12 09:50 - 2012-11-01 21:11 - 00376832 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll
2012-12-12 09:50 - 2012-10-04 08:47 - 00169984 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-12-12 09:50 - 2012-10-04 08:43 - 00868352 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-12-12 09:50 - 2012-10-04 08:43 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 06:57 - 00271360 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-12-12 09:50 - 2012-10-04 06:41 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 06:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 06:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-12-12 09:50 - 2012-10-04 06:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-12-12 09:49 - 2012-11-08 20:42 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-12-09 15:47 - 2012-12-09 15:47 - 00249544 ___AH C:\Windows\System32\mlfcache.dat
2012-12-08 15:04 - 2012-12-08 15:04 - 00001970 ____A C:\Users\Ron Kappes\Desktop\FF PROFILE.lnk

==================== One Month Modified Files and Folders ========

2013-01-06 10:53 - 2010-04-14 23:00 - 01850225 ____A C:\Windows\WindowsUpdate.log
2013-01-06 10:52 - 2010-04-14 10:51 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-06 10:52 - 2010-04-14 10:51 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-06 10:37 - 2012-04-05 06:12 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-06 07:53 - 2006-04-25 11:21 - 00000000 ____D C:\DOWNLOAD
2013-01-06 07:15 - 2009-07-13 20:34 - 00014288 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-06 07:15 - 2009-07-13 20:34 - 00014288 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-06 07:08 - 2010-04-15 05:52 - 00000000 ____D C:\Users\All Users\NVIDIA
2013-01-06 07:08 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-06 07:08 - 2009-07-13 20:39 - 00198944 ____A C:\Windows\setupact.log
2013-01-05 21:04 - 2010-04-14 23:27 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-05 19:26 - 2013-01-05 14:50 - 00015876 ____A C:\Users\Ron Kappes\Desktop\hijackthis.log
2013-01-05 15:09 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-01-05 14:57 - 2013-01-05 14:58 - 00688992 ____R (Swearware) C:\Users\Ron Kappes\Desktop\dds.scr
2013-01-05 14:38 - 2013-01-05 14:49 - 00388608 ____A (Trend Micro Inc.) C:\Users\Ron Kappes\Desktop\HijackThis.exe
2013-01-05 13:17 - 2010-04-14 10:46 - 00169536 ____A C:\Windows\PFRO.log
2013-01-05 12:36 - 2012-04-24 18:00 - 00000000 _RSHD C:\acroldr
2012-12-29 17:11 - 2010-06-01 16:05 - 00000000 ____D C:\Users\All Users\DVD Shrink
2012-12-26 22:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2012-12-25 13:43 - 2012-06-23 19:48 - 00000054 ____A C:\GG.txt
2012-12-22 16:53 - 2011-12-14 09:11 - 00000000 ____D C:\Users\Ron Kappes\AppData\Roaming\Skype
2012-12-22 11:49 - 2010-05-02 20:09 - 00000000 ____D C:\Users\Ron Kappes\AppData\Local\CrashDumps
2012-12-21 14:13 - 2009-07-13 20:33 - 00487872 ____A C:\Windows\System32\FNTCACHE.DAT
2012-12-21 10:43 - 2010-04-14 08:31 - 00000000 ____D C:\users\Ron Kappes
2012-12-19 09:19 - 2012-11-20 18:18 - 00000000 ___SD C:\Users\Ron Kappes\Google Drive
2012-12-17 14:47 - 2012-09-18 07:16 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-12-17 14:46 - 2012-12-17 14:46 - 00000000 ____D C:\Users\All Users\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-17 14:46 - 2012-12-17 14:46 - 00000000 ____D C:\Program Files\iPod
2012-12-17 14:46 - 2010-05-07 09:47 - 00000000 ____D C:\Program Files\iTunes
2012-12-17 14:46 - 2010-04-20 12:14 - 00000000 ____D C:\Program Files\Common Files\Apple
2012-12-16 06:13 - 2012-12-21 12:47 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-16 06:13 - 2012-12-21 12:47 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-14 08:25 - 2010-12-30 11:16 - 00000000 ____D C:\Users\Ron Kappes\AppData\Roaming\DVD Flick
2012-12-13 14:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2012-12-12 17:24 - 2010-04-14 09:42 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-12-12 17:21 - 2010-04-14 13:34 - 65087872 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-12-11 20:37 - 2012-04-05 06:12 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-12-11 20:37 - 2011-05-24 15:43 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-12-09 15:47 - 2012-12-09 15:47 - 00249544 ___AH C:\Windows\System32\mlfcache.dat
2012-12-08 15:04 - 2012-12-08 15:04 - 00001970 ____A C:\Users\Ron Kappes\Desktop\FF PROFILE.lnk


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-20 13:13:17
Restore point made on: 2012-12-21 12:47:07
Restore point made on: 2012-12-28 14:03:17
Restore point made on: 2013-01-05 11:35:51

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 4022.43 MB
Available physical RAM: 3477.22 MB
Total Pagefile: 4020.71 MB
Available Pagefile: 3494.84 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.3 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:465.76 GB) (Free:254.72 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (2TB Disk) (Fixed) (Total:1862.89 GB) (Free:1181.66 GB) NTFS
3 Drive e: () (Fixed) (Total:465.76 GB) (Free:261.69 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (GRMCHPFRER_EN_DVD) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF
5 Drive g: (ZIP DRIVE) (Removable) (Total:14.93 GB) (Free:11.77 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 1863 GB 0 B *
Disk 2 Online 465 GB 0 B
Disk 3 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 465 GB 1024 KB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 465 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Reserved 128 MB 17 KB
Partition 2 Primary 1862 GB 129 MB

=========================================================

Disk: 1
Partition 1
Type : e3c9e316-0b5c-4db8-817d-f92df00215ae
Hidden : Yes
Required: No
Attrib : 0000000000000000

There is no volume associated with this partition.

=========================================================

Disk: 1
Partition 2
Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden : No
Required: No
Attrib : 0X0000000000000004

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D 2TB Disk NTFS Partition 1862 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 465 GB 1024 KB

=========================================================

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E NTFS Partition 465 GB Healthy

=========================================================

Partitions of Disk 3:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 16 KB

=========================================================

Disk: 3
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G ZIP DRIVE FAT32 Removable 14 GB Healthy

=========================================================

Last Boot: 2013-01-03 23:12

==================== End Of Log ============================
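Kevin reads the FRST log above by eye in his next reply. The script below is an added example, not part of the thread and not FRST's own code: it parses the Run entries from the "Registry (Whitelisted)" section exactly as FRST prints them and applies the checks a responder makes first on autoruns: values whose target file is gone (FRST's `[x]`), values with no company name in the file's version info (the empty `()` on vProt, ROC_ROC_JULY_P1 and the fax controller), unquoted image paths that contain spaces (the Garmin updater), and images living under user-writable folders. The field layout the regexes assume, the flag names and the user-writable heuristic are this example's own assumptions derived from the lines on this page, not from FRST documentation; the sample input is copied verbatim from Ron's log.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input for this example: the Run entries copied verbatim from the
# "Registry (Whitelisted)" section of the FRST log posted above.
FRST_RUN_LINES = r"""
HKLM\...\Run: [] [x]
HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [997320 2012-11-17] ()
HKLM\...\Run: [ROC_ROC_JULY_P1] "C:\Program Files\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 [1022048 2012-08-29] ()
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM\...\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized [1466760 2012-06-04] (Garmin)
HKLM\...\Run: [Essential Fax Print Controller] "C:\Program Files\EssentialFax\essfaxcontrol.exe" [94208 2009-09-01] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
HKU\Ron Kappes\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
HKU\Ron Kappes\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-04-20] (Google Inc.)
HKU\Ron Kappes\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [x]
HKU\Ron Kappes\...\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [109336 2013-01-03] (Siber Systems)
"""

# Assumed layout of an FRST Run line: <hive>\...\Run: [<value name>] <command> [<size> <date>] (<company>)
# or, when the target file does not exist, <hive>\...\Run: [<value name>] <command> [x]
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<rest>.*)$")
TAIL_RE = re.compile(r"^(?P<cmd>.*?) ?\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$")
# Image path: a quoted path, or an unquoted path up to the first executable extension
# (FRST prints unquoted paths with their spaces intact, as the Garmin entry shows).
IMAGE_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.*?\.(?:exe|scr|com|bat|cmd|dll)))', re.I)


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    image: Optional[str]
    size: Optional[int]          # None when FRST reported [x] (file missing)
    date: Optional[str]
    publisher: Optional[str]     # CompanyName from the file's version info; '' when absent
    flags: list = field(default_factory=list)


def parse_frst_run(text: str) -> list:
    """Parse FRST Run lines into RunEntry objects; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        hive, name, rest = m.group("hive", "name", "rest")
        if rest.endswith("[x]"):
            cmd, size, date, publisher = rest[:-3].strip(), None, None, None
        else:
            t = TAIL_RE.match(rest)
            if not t:
                continue
            cmd = t.group("cmd")
            size, date, publisher = int(t.group("size")), t.group("date"), t.group("publisher")
        im = IMAGE_RE.match(cmd)
        image = (im.group("quoted") or im.group("bare")) if im else None
        entries.append(RunEntry(hive, name, cmd, image, size, date, publisher))
    return entries


def triage(entries: list) -> list:
    """Assign review flags to every entry (idempotent) and return only the flagged ones."""
    for e in entries:
        flags = []
        if not e.name:
            flags.append("empty-name")
        if e.size is None:
            flags.append("file-missing")        # dead autorun: leftover, or a removed payload
        elif not e.publisher:
            flags.append("no-publisher")        # no CompanyName in version info; verify by hand
        if e.image:
            if not e.command.startswith('"') and " " in e.image:
                # Unquoted search path: a file named C:\Program.exe would be tried first.
                flags.append("unquoted-path-with-spaces")
            if re.search(r"\\(?:users|temp)\\", e.image, re.I):
                flags.append("user-writable-path")   # heuristic: binaries that run from profile/temp dirs
        e.flags = flags
    return [e for e in entries if e.flags]


def report(entries: list) -> str:
    """One line per flagged autorun, ready to paste into a reply."""
    return "\n".join(
        f"{e.hive}\\Run [{e.name or '<no name>'}] -> {e.image or '<no file>'}: {', '.join(e.flags)}"
        for e in triage(entries)
    )


if __name__ == "__main__":
    print(report(parse_frst_run(FRST_RUN_LINES)))
```

Flagged entries are review candidates, not verdicts: the three entries with no company name belong to AVG Secure Search and a fax utility, the kind of bundled toolbar software the AdwCleaner log later in the thread lists, while the Garmin entry is only an unquoted-path hygiene issue and the two `[x]` values are dead pointers. Run on Ron's 14 lines the script reports 6 entries and leaves the signed Adobe, Apple, Google, Microsoft and Siber Systems values alone.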
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
Thanks for the log; I do not see anything obvious to cause concern. OK, run the following:

Download AdwCleaner by Xplode from http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Next,

1. Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/
2. Unzip the file to a convenient location (the Desktop is recommended).
3. Open the folder where the contents were unzipped to run mbar.exe.
4. Double-click on the mbar.exe file; you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run, and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it.
5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen. (If there is no rootkit warning you will go from step 4 to 6.)
6. The following window opens; select Next.
7. The following window opens; select Update.
8. When the update completes, select Next.
9. In the following window ensure "Targets" are ticked. Then select "Scan".
10. If an infection is found, the "Cleanup" button to remove threats will be available and a list of infected files will be shown.
11. Do not select the "Cleanup" button; select the "Exit" button. There will be a warning.
12. Select "Yes" to close down the program. If NO infections were found you will see a "no malware found" window instead.
13. Select "Exit" to close down.
14. Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log (the date and time of the scan will also be shown)

Post those two logs in your reply.


Next,

Download Security Check by screen317 from either of the following:
http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me see those logs in your next reply.

Kevin
 

ron40

Ron
Thread Starter
Joined
Jul 6, 2004
Messages
323
Hi Kevin:
I did this after a "normal" start of my desktop. If I was supposed to do it in safe or clean mode, let me know & I'll repeat it.
Ron




# AdwCleaner v2.105 - Logfile created 01/08/2013 at 11:26:01
# Updated 08/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Ron Kappes - RONKAPPES-PC
# Boot Mode : Normal
# Running from : C:\DOWNLOAD\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Found : C:\Users\Ron Kappes\AppData\Roaming\Mozilla\Firefox\Profiles\o7swtwcx.default\searchplugins\safesearch.xml
Folder Found : C:\Program Files\Astroburn Toolbar
Folder Found : C:\Program Files\AVG Secure Search
Folder Found : C:\Program Files\Common Files\AVG Secure Search
Folder Found : C:\Program Files\Conduit
Folder Found : C:\Program Files\DAEMON Tools Toolbar
Folder Found : C:\Program Files\Softonic_English_FF
Folder Found : C:\ProgramData\AVG Secure Search
Folder Found : C:\Users\Ron Kappes\AppData\Local\AVG Secure Search
Folder Found : C:\Users\Ron Kappes\AppData\Local\Conduit
Folder Found : C:\Users\Ron Kappes\AppData\LocalLow\AVG Secure Search
Folder Found : C:\Users\Ron Kappes\AppData\LocalLow\boost_interprocess
Folder Found : C:\Users\Ron Kappes\AppData\LocalLow\Conduit
Folder Found : C:\Users\Ron Kappes\AppData\LocalLow\PriceGong
Folder Found : C:\Users\Ron Kappes\AppData\LocalLow\Softonic_English_FF

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\AppDataLow\Software\Softonic_English_FF
Key Found : HKCU\Software\AppDataLow\Toolbar
Key Found : HKCU\Software\AVG Secure Search
Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{5F970FDE-702B-4EF9-920C-5F2848A5AF26}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FFA0793E-3980-4BE4-8234-048FA665F700}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{23225757-5F06-46F9-A057-DBB93A89DCE4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFA0793E-3980-4BE4-8234-048FA665F700}
Key Found : HKCU\Software\Zugo
Key Found : HKLM\SOFTWARE\14919ea49a8f3b4aa3cf1058d9a64cec
Key Found : HKLM\Software\AVG Secure Search
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{23225757-5F06-46F9-A057-DBB93A89DCE4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FFA0793E-3980-4BE4-8234-048FA665F700}
Key Found : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj
Key Found : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2207613
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{187D7866-BA18-4F9C-B36A-515665D3820F}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{49D66F04-F404-43C7-80D2-81156F81DB1E}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFA0793E-3980-4BE4-8234-048FA665F700}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{23225757-5F06-46F9-A057-DBB93A89DCE4}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Softonic_English_FF Toolbar
Key Found : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Found : HKLM\Software\Softonic_English_FF
Key Found : HKU\S-1-5-21-850064655-2486408983-3711719723-1000\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Found : HKU\S-1-5-21-850064655-2486408983-3711719723-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5F970FDE-702B-4EF9-920C-5F2848A5AF26}
Key Found : HKU\S-1-5-21-850064655-2486408983-3711719723-1000\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKU\S-1-5-21-850064655-2486408983-3711719723-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}
Key Found : HKU\S-1-5-21-850064655-2486408983-3711719723-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKU\S-1-5-21-850064655-2486408983-3711719723-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{FFA0793E-3980-4BE4-8234-048FA665F700}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{FFA0793E-3980-4BE4-8234-048FA665F700}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{FFA0793E-3980-4BE4-8234-048FA665F700}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{FFA0793E-3980-4BE4-8234-048FA665F700}]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [[email protected]]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page Restore] = hxxp://www.ask.com/?o=14597&l=dis

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Users\Ron Kappes\AppData\Roaming\Mozilla\Firefox\Profiles\o7swtwcx.default\prefs.js

Found : user_pref("avg.install.installDirPath", "C:\\ProgramData\\AVG Secure Search\\FireFoxExt\\13.2.0.5");
Found : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Found : user_pref("keyword.URL", "hxxps://isearch.avg.com/search?cid={6A0B3C86-12F4-4C82-AEEC-E82628892C96}&[...]

-\\ Google Chrome v23.0.1271.97

File : C:\Users\Ron Kappes\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [10770 octets] - [08/01/2013 10:45:24]
AdwCleaner[R2].txt - [10831 octets] - [08/01/2013 10:54:39]
AdwCleaner[R3].txt - [10745 octets] - [08/01/2013 11:26:01]

########## EOF - C:\AdwCleaner[R3].txt - [10806 octets] ##########


Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org

Database version: v2013.01.08.11

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Ron Kappes :: RONKAPPES-PC [administrator]

1/8/2013 11:45:17 AM
mbar-log-2013-01-08 (11-45-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 31898
Time elapsed: 11 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1

x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_31

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
CPU speed: 3.200000 GHz
Memory total: 3479625728, free: 1694859264

Performing system, memory and registry scan...
Done!
Scan finished
=======================================

Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java(TM) 6 Update 31
Java version out of Date!
Adobe Flash Player 11.5.502.135
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (17.0.1)
Mozilla Thunderbird (17.0.)
Google Chrome 23.0.1271.95
Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 
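To make an AdwCleaner report like the one posted above easier to triage, here is an added Python parser (not AdwCleaner's code or anything from the thread): it reads the `Found` lines, groups them by product family using a keyword list assumed from the names in that log, cross-references the CLSIDs that also appear as IE BHO, toolbar or search-hook entries, and flags a `# Option [Search]` run as one that removed nothing. The SAMPLE inside is a constructed excerpt in the same format, not the full report.

```python
"""Triage an AdwCleaner v2-style report such as the one posted above.

Added example for this thread; not AdwCleaner's code or anything from
the posts. SAMPLE is a constructed excerpt in the posted log's format,
and FAMILIES is an assumed keyword list built from the names it contains."""
import re
from collections import defaultdict

# Product families keyed by keywords seen in the posted log (assumption).
FAMILIES = {
    "Conduit": ("conduit", "toolbar.ct", "smartbar"),
    "AVG Secure Search": ("avg secure search", "avg-secure-search",
                          "isearch.avg.com"),
    "Softonic": ("softonic",),
    "PriceGong": ("pricegong",),
    "Babylon": ("babylon",),
}

# Registry locations that make a CLSID an Internet Explorer extension.
BROWSER_ROLES = {"Browser Helper Objects", "WebBrowser", "Toolbar",
                 "URLSearchHooks", "SearchScopes"}

ITEM_RE = re.compile(r"^(File|Folder|Key|Value) Found : (.+?)\s*$")
PREF_RE = re.compile(r'^Found : user_pref\("([^"]+)", "(.*)"\);?$')
OPTION_RE = re.compile(r"^# Option \[(\w+)\]")
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

# Constructed excerpt (a few entries) in the format of the report above.
SAMPLE = r"""
# Option [Search]
File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Found : C:\Program Files\Conduit
Folder Found : C:\Users\user\AppData\LocalLow\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\Softonic_English_FF
Key Found : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFA0793E-3980-4BE4-8234-048FA665F700}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{FFA0793E-3980-4BE4-8234-048FA665F700}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{FFA0793E-3980-4BE4-8234-048FA665F700}]
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32
Found : user_pref("browser.search.defaultenginename", "AVG Secure Search");
"""


def classify(text):
    """Return the product family whose keyword appears in text."""
    low = text.lower()
    for family, needles in FAMILIES.items():
        if any(n in low for n in needles):
            return family
    return "unclassified"


def _role(path, guid):
    """Registry location the GUID sits under, e.g. 'WebBrowser' or 'CLSID'."""
    head = path[: path.find(guid)].rstrip(" [\\")
    return head.rsplit("\\", 1)[-1]


def parse_report(text):
    """Parse option, found items, Firefox prefs, families and GUID roles."""
    report = {"option": None, "items": [], "prefs": [],
              "by_family": defaultdict(list), "guid_roles": defaultdict(set)}
    for raw in text.splitlines():
        line = raw.strip()
        m = OPTION_RE.match(line)
        if m:
            report["option"] = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m:
            kind, path = m.groups()
            fam = classify(path)
            report["items"].append((kind, path, fam))
            report["by_family"][fam].append(path)
            for g in GUID_RE.findall(path):
                report["guid_roles"][g.upper()].add(_role(path, g))
            continue
        m = PREF_RE.match(line)
        if m:
            name, value = m.groups()
            fam = classify(name + " " + value)
            report["prefs"].append((name, value, fam))
            report["by_family"][fam].append(name)
    return report


def family_counts(report):
    return {fam: len(v) for fam, v in report["by_family"].items()}


def browser_extension_guids(report):
    """GUIDs registered as an IE BHO, toolbar, search hook or search scope."""
    return {g: sorted(roles) for g, roles in report["guid_roles"].items()
            if roles & BROWSER_ROLES}


def nothing_removed(report):
    """True for a Search-only run: every finding listed is still present."""
    return report["option"] == "Search"


if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    print(rep["option"], family_counts(rep), browser_extension_guids(rep))
```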

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
It would seem that you ran "Search" in AdwCleaner; I asked that you use the "Delete" function. Can you run AdwCleaner again, this time only select the Delete tab, follow the prompts and post that log.

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted)

Post the log in next reply please...

Kevin
 

ron40

Ron
Thread Starter
Joined
Jul 6, 2004
Messages
323
I'm writing this from my laptop (the uninfected PC). I ran adware like you said but I have problems with ComboFix. The blue screen hangs with the message: "Scanning for infected files. This typically doesn't take more than 10 min...etc." Of note: the HDD light goes out at this point, meaning the HDD is turned off. I don't hear any writing in there. So I'm looking at a blue screen but nothing is happening. It feels like there is an evil spirit in there that's doing this (just kidding). Everything is locked up. If I try to shut down it doesn't respond; I have to cut the power to shut down (which I just did).
Do you want the adware log? It's on the other pc. If so I'll send it when I restart it.
Eagerly waiting for your reply.

Ron
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
OK, if there are still issues we'll have to try another way; see if you can create and run the following:

You have access to another PC to create the Windows Defender Offline tool; I give the instructions to load it onto a USB flash drive.

Download the tool from here :- http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.
You will have to select the correct version for your system, either 32 or 64 bit



Double click the downloaded file to run the tool; Windows 7 or Vista users right click and select "Run as Administrator"

Read the instructions in the new window and select "Next"



In the new window accept the agreement:



In the new window select your USB Flash Drive, then select "Next"



In the new window ensure your flash drive is selected; if not, click on "Refresh", then select "Next"



In the new window accept the formatting alert by selecting "Next"



Files will be Downloaded:



Files will be processed and created



Flash drive will be formatted and prepared



Files will be added to the Flash Drive and the tool will be created.



The procedure is finished and the Tool created, click on "Finish" to complete.



Plug the USB into the sick PC and boot up. If it does not boot from the flash drive, change the boot options as required: use F12 as it boots and change the options...
As it boots you`ll see files being loaded and the windows splash screen, eventually the tool will run a "Quick Scan" follow the prompts and deal with what it finds.
When complete do a full scan, deal with what it finds.
When finished, remove the USB stick then press the Esc key to boot into regular windows.
Navigate to the following file:
"C:\windows\windows defender offline\support\mssWrapper.log" Open with notepad and copy and paste it into a reply.
 