Trojan:JS/BlacoleRef.T [Solved]


#1
estheblessed

Hi,

I recently discovered my btinternet email account was being hacked into. It seems they were trying to send email from my address to other email addresses. I have since changed my password on a non-infected machine.
I then got an alert from Microsoft Security Essentials telling me that it had found a virus - Trojan:JS/BlacoleRef.T.
This is when I disconnected the machine from the internet and began trying to fix it.

Please can you help me clean my machine ... many thanks:

OTL logfile created on: 11/01/2012 09:02:08 - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\JEZ\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.91 Gb Total Physical Memory | 2.32 Gb Available Physical Memory | 59.24% Memory free
7.83 Gb Paging File | 6.23 Gb Available in Paging File | 79.62% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 475.68 Gb Total Space | 418.81 Gb Free Space | 88.04% Space Free | Partition Type: NTFS
Drive E: | 443.33 Gb Total Space | 340.34 Gb Free Space | 76.77% Space Free | Partition Type: NTFS
Drive H: | 1009.72 Mb Total Space | 1009.14 Mb Free Space | 99.94% Space Free | Partition Type: FAT

Computer Name: JEZ-PC | User Name: JEZ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/11 09:00:18 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\JEZ\Desktop\OTL.exe
PRC - [2010/11/05 22:54:22 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2010/11/05 22:54:20 | 000,283,160 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
PRC - [2010/03/23 12:19:32 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/15 11:23:13 | 000,475,648 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\4ffea70edf9aa81cba6a5be8070d3dd9\IAStorUtil.ni.dll
MOD - [2011/10/15 11:23:13 | 000,014,336 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\6aef03034d33721bfbd588d9d7fffe60\IAStorCommon.ni.dll
MOD - [2011/10/14 22:26:48 | 000,771,584 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b2622080e047040fa044dd21a04ff10d\System.Runtime.Remoting.ni.dll
MOD - [2011/10/14 22:26:32 | 012,433,408 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6e592e424a204aafeadbe22b6b31b9db\System.Windows.Forms.ni.dll
MOD - [2011/10/14 22:26:28 | 001,587,200 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\3b2cfd85528a27eb71dc41d8067359a1\System.Drawing.ni.dll
MOD - [2011/10/14 22:26:26 | 000,025,600 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\31fce331fded94dd06627603f6fe4562\Accessibility.ni.dll
MOD - [2011/10/14 22:26:19 | 003,347,968 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\d7a64c28cf0c90e6c48af4f7d6f9ed41\WindowsBase.ni.dll
MOD - [2011/10/14 22:26:15 | 005,453,312 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\130ad4d9719e566ca933ac7158a04203\System.Xml.ni.dll
MOD - [2011/10/14 22:26:13 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d5bcbeb9475ef62189f605bcca1cec6\System.Configuration.ni.dll
MOD - [2011/10/14 22:26:12 | 007,963,648 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\abab08afa60a6f06bdde0fcc9649c379\System.ni.dll
MOD - [2011/10/14 22:26:09 | 011,490,304 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
MOD - [2011/03/16 23:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/10/20 14:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/04/27 16:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2011/04/27 16:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2010/09/22 17:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/07/14 01:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/01/06 21:04:18 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\599\g2aservice.exe -- (GoToAssist)
SRV - [2011/11/05 05:23:28 | 000,419,624 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/11/05 22:54:22 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel®
SRV - [2010/03/23 12:19:32 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/01/29 23:40:16 | 001,043,584 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2009/06/10 21:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/06/14 11:21:34 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/06/14 11:21:34 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/04/27 14:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2011/04/10 10:51:06 | 012,223,936 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2011/03/21 20:22:06 | 000,452,200 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/03/18 15:05:20 | 000,070,928 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ifP60x64.sys -- (IFCoEVB)
DRV:64bit: - [2011/03/18 15:05:18 | 000,349,968 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ifM60x64.sys -- (IFCoEMP)
DRV:64bit: - [2011/02/09 13:26:50 | 000,026,712 | ---- | M] (JMicron Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\johci.sys -- (johci)
DRV:64bit: - [2010/11/25 10:27:40 | 000,120,408 | ---- | M] (JMicron Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)
DRV:64bit: - [2010/11/21 03:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/21 03:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/21 03:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/11/05 22:45:48 | 000,438,808 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2010/10/29 15:11:42 | 000,250,984 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2010/10/01 10:35:06 | 000,302,120 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mv91xx.sys -- (mv91xx)
DRV:64bit: - [2010/10/01 10:34:40 | 000,023,080 | ---- | M] (Marvell Semiconductor Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mv91cons.sys -- (mv91cons)
DRV:64bit: - [2010/08/13 03:04:22 | 000,127,088 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vcrdrx64.sys -- (vcrdrx64)
DRV:64bit: - [2010/08/09 10:01:58 | 000,088,912 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\EUCR6SK.sys -- (EUCR)
DRV:64bit: - [2010/03/23 12:29:46 | 000,304,784 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV:64bit: - [2010/02/26 14:32:12 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
DRV:64bit: - [2010/02/11 11:01:20 | 000,026,776 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\xfiltx64.sys -- (xfiltx64)
DRV:64bit: - [2010/02/11 11:00:22 | 000,015,000 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\videX64.sys -- (videX64)
DRV:64bit: - [2010/02/08 07:32:00 | 000,014,992 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CVirtA64.sys -- (CVirtA)
DRV:64bit: - [2009/11/24 17:33:50 | 000,028,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvamacpi.sys -- (nvamacpi)
DRV:64bit: - [2009/11/16 06:45:26 | 000,042,192 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\qd262x64.sys -- (ioatdma2) Intel®
DRV:64bit: - [2009/11/16 06:45:22 | 000,040,144 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\qd162x64.sys -- (ioatdma1)
DRV:64bit: - [2009/11/16 06:27:44 | 000,046,792 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\ioatdma.sys -- (ioatdma) Intel®
DRV:64bit: - [2009/10/23 08:26:14 | 000,028,672 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AmUStor.sys -- (AmUStor)
DRV:64bit: - [2009/08/01 15:08:26 | 000,067,104 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sisagpx.sys -- (uagp35)
DRV:64bit: - [2009/08/01 15:08:26 | 000,067,104 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sisagpx.sys -- (SISAGP)
DRV:64bit: - [2009/07/14 01:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 01:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 01:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 20:34:41 | 000,057,344 | ---- | M] (Microsoft Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dc21x4vm.sys -- (dc21x4vm)
DRV:64bit: - [2009/06/10 20:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 20:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 20:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 20:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008/11/16 17:39:44 | 000,157,968 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dne64x.sys -- (DNE)
DRV:64bit: - [2008/11/12 09:00:00 | 000,059,392 | ---- | M] (ITE Tech. Inc. ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\itecir.sys -- (itecir)
DRV:64bit: - [2007/07/11 04:00:50 | 000,006,656 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hidshim.sys -- (hidshim)
DRV:64bit: - [2007/07/11 04:00:46 | 000,025,088 | ---- | M] (Winbond Electronics Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\winbondhidcir.sys -- (winbondhidcir)
DRV:64bit: - [2007/06/24 03:37:00 | 000,065,024 | ---- | M] (Winbond Electronics Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wbondir.sys -- (wbondir)
DRV:64bit: - [2007/03/28 04:50:18 | 000,046,592 | ---- | M] (Winbond Electronics Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\winbondcir.sys -- (winbondcir)
DRV:64bit: - [2005/03/29 00:30:38 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV - [2009/07/14 01:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKU\S-1-5-21-3914302624-1360635431-3408457340-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nmd.msn.com
IE - HKU\S-1-5-21-3914302624-1360635431-3408457340-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://nmd.msn.com
IE - HKU\S-1-5-21-3914302624-1360635431-3408457340-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"


FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\JEZ\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\JEZ\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/11/14 21:01:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2011/09/02 19:04:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JEZ\AppData\Roaming\Mozilla\Extensions
[2011/11/05 11:52:35 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JEZ\AppData\Roaming\Mozilla\Firefox\Profiles\ijgoc6n3.default\extensions
[2011/09/04 07:56:39 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Users\JEZ\AppData\Roaming\Mozilla\Firefox\Profiles\ijgoc6n3.default\extensions\[email protected]
[2011/09/02 19:04:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
() (No name found) -- C:\USERS\JEZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\IJGOC6N3.DEFAULT\EXTENSIONS\{C45C406E-AB73-11D8-BE73-000A95BE3B12}.XPI
() (No name found) -- C:\USERS\JEZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\IJGOC6N3.DEFAULT\EXTENSIONS\[email protected]
[2011/11/14 21:01:34 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/11/14 21:01:33 | 000,001,538 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/11/14 21:01:33 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011/11/14 21:01:33 | 000,000,947 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/11/14 21:01:33 | 000,001,180 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/11/14 21:01:33 | 000,001,135 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\JEZ\AppData\Local\Google\Chrome\Application\16.0.912.63\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\JEZ\AppData\Local\Google\Chrome\Application\16.0.912.63\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\JEZ\AppData\Local\Google\Chrome\Application\16.0.912.63\pdf.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Google Update (Enabled) = C:\Users\JEZ\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\JEZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.2_0\
CHR - Extension: Google Search = C:\Users\JEZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
CHR - Extension: Gmail = C:\Users\JEZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.4_0\

O1 HOSTS File: ([2011/09/05 17:50:35 | 000,001,794 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 adobe.activate.com
O1 - Hosts: 127.0.0.1 adobeereg.com
O1 - Hosts: 127.0.0.1 www.adobeereg.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 125.252.224.90
O1 - Hosts: 127.0.0.1 125.252.224.91
O1 - Hosts: 127.0.0.1 hl2rcv.adobe.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C50B204A-645F-43B4-B0E3-4E4621D82BD4}: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\599\G2AWinLogon_x64.dll) - C:\Program Files (x86)\Citrix\GoToAssist\599\g2awinlogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/11 09:02:00 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\JEZ\Desktop\OTL.exe
[2012/01/11 08:41:13 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{B0669AAB-7931-45A3-95F5-00A43A98C3C7}
[2012/01/11 08:38:08 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{54884FA4-F937-4B31-9DCC-8772E0EA9FB4}
[2012/01/11 08:34:33 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{33CB002D-7546-43BC-83EA-48E0BF224A19}
[2012/01/10 21:42:09 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{BD4296B0-3BBA-449D-9BB6-FE355FB3C1ED}
[2012/01/10 21:38:39 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{3C5D6693-CF07-43B5-BF67-2950783C8597}
[2012/01/10 21:25:55 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{73F49B99-13B9-44A0-AA0F-1044C06BFB72}
[2012/01/10 21:25:23 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{43EBBA3A-505C-4154-9A24-55789A1E7B68}
[2012/01/06 21:05:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Citrix
[2012/01/06 21:04:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Citrix
[2012/01/06 21:04:11 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\Citrix
[2012/01/06 21:03:46 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\Deployment
[2012/01/06 21:03:46 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\Apps
[2012/01/06 19:54:37 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{DBB998C0-8057-4724-98F3-D5C4ABD6B547}
[2012/01/06 19:54:27 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{A07F0308-CAEF-4254-9183-637B5D8AF93B}
[2012/01/05 22:38:13 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{3597AAFC-B915-482D-B4C3-54258017F14B}
[2012/01/05 22:38:03 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{B3D1F725-6DDB-418A-A0B9-E77D7201A0F3}
[2012/01/04 20:00:23 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{FA09404C-411C-47D2-99C3-8174567DE93F}
[2012/01/04 20:00:12 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{F924BE2B-29D9-4200-8CAF-D17D6AAD6989}
[2012/01/03 18:45:34 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{931086E3-D6FE-42BD-A273-F874ECD25117}
[2012/01/03 18:45:24 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{62688939-3710-4ED5-98C9-2A1AEA5C5984}
[2012/01/02 13:55:16 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{06EEDDEC-BB35-4A31-82AF-B5ABEF127646}
[2012/01/02 13:55:06 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{3975F66B-4431-4CEF-BB6F-48AF7AB023BD}
[2012/01/01 13:49:02 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{09C8B0BE-66E6-4731-A668-D276732A687F}
[2012/01/01 13:48:52 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{EFAEEA87-027C-49E2-ADC3-CFC510D48C5A}
[2012/01/01 01:03:29 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{D4E39340-497D-4AC4-8278-CFF5E1908058}
[2012/01/01 01:03:19 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{A21D805A-16DC-454D-A566-9D6DDA2D5CCC}
[2011/12/31 12:25:38 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{29EFEDB9-5220-42E2-A3F5-330D7D07EFB0}
[2011/12/30 11:57:00 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{D7E7C854-ED86-497D-BFD3-8A16BB4A52AA}
[2011/12/30 11:56:50 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{7D7B6721-05F3-4892-84EB-3FCED415213D}
[2011/12/29 21:14:15 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{3B4F9A7F-8C67-43B9-81A0-3D94DB3224AB}
[2011/12/29 21:14:05 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{A371C8F2-620F-4780-86EA-0293FDB63821}
[2011/12/28 21:12:22 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{24C01338-1EC3-4439-952B-8A3B795ED32F}
[2011/12/28 21:12:10 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{BE049017-A0C3-421E-A993-EA64E26E75B8}
[2011/12/28 19:17:26 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{38C0B08B-2A50-45A3-86BE-51EACF98D8BE}
[2011/12/28 12:40:48 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{3A0C79F1-DEE6-4AA6-A391-B9600FDB06DF}
[2011/12/26 11:55:13 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{2930F6A4-E811-4F0C-9197-DBDA6E5AC35C}
[2011/12/26 11:55:03 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{63651A93-B563-4E6A-864C-02AA39652F55}
[2011/12/25 21:32:24 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{96F424C3-D1CC-46CE-8E23-948382908F93}
[2011/12/25 21:32:14 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{66910462-0FC7-4508-93F8-31566AE23E21}
[2011/12/24 13:50:32 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{EA41A69E-5DF8-4A02-A047-318A97C40CE8}
[2011/12/24 13:50:22 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{588381AF-FB46-435C-9504-A05B41ADCCC1}
[2011/12/23 11:06:43 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{572F3FE8-5DD9-493A-A95C-7C47CA28C36C}
[2011/12/23 11:06:33 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{2A3EAD09-045C-437A-B911-9CBC61A10C3C}
[2011/12/22 23:06:09 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{D1A57B5E-F3B9-4207-A448-33CA722E7B7F}
[2011/12/22 23:06:00 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{5F414DFC-448F-4BF9-812B-74B2766DA0DF}
[2011/12/22 10:27:25 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{8A2876FF-20F4-4E1C-8393-EF74B00F9673}
[2011/12/22 10:27:15 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{3C4AC7FC-B1F9-486F-A749-7CCAFAC5B7B1}
[2011/12/20 18:22:39 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{243C6DF9-FE60-4ACE-8D95-55FF84D3290E}
[2011/12/20 18:22:28 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{33F537DC-2262-4E33-B11A-FF2B17C1B257}
[2011/12/19 21:58:05 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{E2B8FB82-95EA-443F-96A9-EAEE16FECA8F}
[2011/12/19 21:57:55 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{40162461-79BF-427D-9547-7FFBB416E05F}
[2011/12/18 21:37:41 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{4125149B-537E-4CD2-8F1A-F8D86C8938DD}
[2011/12/18 14:30:37 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{EDF7E1AF-BED4-4344-8AFA-271137388AE6}
[2011/12/18 11:39:35 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{F76BF960-A144-43EE-931C-BBB0E42828D6}
[2011/12/17 12:08:22 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{D72952C1-1987-4228-8716-67F4D76C07B4}
[2011/12/17 12:08:12 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{0EDF5DD8-8062-428A-A318-98BBB0446AB4}
[2011/12/16 18:15:30 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{07530D7E-250E-45FB-86C7-3CF2CA7880F6}
[2011/12/16 18:15:20 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{8FE4A4CF-9293-488E-B47D-F1F4FE2004D5}
[2011/12/15 21:05:54 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{483AB780-79A8-4B69-8445-29978ACABC41}
[2011/12/15 21:05:44 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{604CFE26-F661-49E0-AFC5-500825D168A3}
[2011/12/14 18:44:32 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{FDCA399E-D30B-4AA4-8834-9E7B6CF1EBD0}
[2011/12/14 18:44:22 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{0D288DB2-E0C4-4C0E-87C8-CFB1ACE70F91}
[2011/12/12 19:10:54 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{A4CCABE7-0132-45FB-9EFA-38D5AFB033D3}
[2011/12/12 19:10:44 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{DFB7EBBE-B97D-4B47-AD8F-C5EFA00F8CD5}

========== Files - Modified Within 30 Days ==========

[2012/01/11 09:00:18 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\JEZ\Desktop\OTL.exe
[2012/01/11 08:45:50 | 000,729,688 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2012/01/11 08:45:50 | 000,630,124 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2012/01/11 08:45:50 | 000,111,208 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2012/01/11 08:39:42 | 000,025,600 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/11 08:39:42 | 000,025,600 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/11 08:34:13 | 000,000,900 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-3914302624-1360635431-3408457340-1000UA.job
[2012/01/11 08:32:03 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/01/11 08:32:00 | 3152,510,976 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/10 21:34:00 | 000,000,848 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-3914302624-1360635431-3408457340-1000Core.job
[2012/01/06 21:04:10 | 000,103,784 | ---- | M] () -- C:\Users\JEZ\GoToAssistDownloadHelper.exe
[2012/01/02 16:14:37 | 000,012,793 | ---- | M] () -- C:\Users\JEZ\Desktop\mbam - Shortcut.lnk
[2011/12/22 20:04:28 | 000,001,456 | ---- | M] () -- C:\Users\JEZ\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/12/22 12:20:06 | 000,002,054 | -H-- | M] () -- C:\Users\JEZ\Documents\Default.rdp
[2011/12/19 21:47:51 | 000,002,397 | ---- | M] () -- C:\Users\JEZ\Desktop\Google Chrome.lnk
[2011/12/15 21:04:34 | 004,897,192 | ---- | M] () -- C:\windows\SysNative\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2012/01/06 21:04:09 | 000,103,784 | ---- | C] () -- C:\Users\JEZ\GoToAssistDownloadHelper.exe
[2012/01/02 16:14:37 | 000,012,793 | ---- | C] () -- C:\Users\JEZ\Desktop\mbam - Shortcut.lnk
[2011/09/26 21:36:40 | 000,173,373 | ---- | C] () -- C:\windows\hpoins46.dat
[2011/09/26 21:36:40 | 000,000,532 | ---- | C] () -- C:\windows\hpomdl46.dat
[2011/09/16 09:08:26 | 000,001,456 | ---- | C] () -- C:\Users\JEZ\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/05/26 13:06:08 | 000,722,382 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2011/05/23 10:46:08 | 000,361,808 | ---- | C] () -- C:\windows\EMCRI_E.dll
[2011/05/23 10:12:00 | 000,963,116 | ---- | C] () -- C:\windows\SysWow64\igkrng600.bin
[2011/05/23 10:11:58 | 000,218,304 | ---- | C] () -- C:\windows\SysWow64\igfcg600m.bin
[2011/05/23 10:11:57 | 000,056,832 | ---- | C] () -- C:\windows\SysWow64\igdde32.dll
[2011/05/23 10:11:56 | 000,145,804 | ---- | C] () -- C:\windows\SysWow64\igcompkrng600.bin
[2011/05/23 10:11:55 | 013,356,032 | ---- | C] () -- C:\windows\SysWow64\ig4icd32.dll
[2009/07/14 05:38:36 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat
[2009/07/14 02:35:51 | 000,000,741 | ---- | C] () -- C:\windows\SysWow64\NOISE.DAT
[2009/07/14 02:34:42 | 000,215,943 | ---- | C] () -- C:\windows\SysWow64\dssec.dat
[2009/07/14 00:10:29 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\windows\SysWow64\BWContextHandler.dll
[2009/07/13 21:03:59 | 000,364,544 | ---- | C] () -- C:\windows\SysWow64\msjetoledb40.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\windows\SysWow64\mlang.dat

========== LOP Check ==========

[2011/11/25 18:30:13 | 000,000,000 | ---D | M] -- C:\Users\Bella\AppData\Roaming\Windows Live Writer
[2011/12/28 19:17:42 | 000,000,000 | ---D | M] -- C:\Users\JEZ\AppData\Roaming\Azureus
[2012/01/06 20:41:22 | 000,000,000 | ---D | M] -- C:\Users\JEZ\AppData\Roaming\FileZilla
[2011/09/05 20:11:01 | 000,000,000 | ---D | M] -- C:\Users\JEZ\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2011/09/06 17:22:05 | 000,000,000 | ---D | M] -- C:\Users\JEZ\AppData\Roaming\Windows Live Writer
[2011/11/08 20:24:31 | 000,032,636 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
  • 0
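A way to see what a helper looks for when reading the OTL "Files Created" and "Files Modified" sections above, as an added example (this is my own triage script, not code from OTL, the thread, or its participants). It parses OTL's `[date | size | attrs | C/M] (company) -- path` lines and flags executables that carry no company name and are either in a user-writable location or were created/modified shortly before the report. The rules, the extension list and the location markers are my own heuristics; the sample lines are copied from the log above except for the final `update.exe` line, which is constructed for the demonstration. Note that the one real entry it flags, `GoToAssistDownloadHelper.exe`, is also the file ComboFix later lists under "Other Deletions" in this thread.

```python
"""Triage helper for OTL 'Files Created' / 'Files Modified' lines (added example)."""
import re
from datetime import datetime

# OTL line format: [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company) -- path
# Directory entries have no "(Company)" part, so that group is optional.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

# Heuristics (assumptions of this example, not OTL rules).
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\",
                 "\\temp\\", "\\windows\\tasks\\")
KNOWN_BENIGN = {"c:\\hiberfil.sys", "c:\\pagefile.sys"}  # Windows-owned, never have a company tag

# OTL log creation time from the report header in the post above.
REPORT_TIME = datetime(2012, 1, 11, 9, 2, 8)

# Sample lines: all from the log above except the last, which is constructed.
SAMPLE_OTL = r"""
[2012/01/11 09:00:18 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\JEZ\Desktop\OTL.exe
[2012/01/11 08:32:00 | 3152,510,976 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/06 21:04:09 | 000,103,784 | ---- | C] () -- C:\Users\JEZ\GoToAssistDownloadHelper.exe
[2012/01/02 16:14:37 | 000,012,793 | ---- | C] () -- C:\Users\JEZ\Desktop\mbam - Shortcut.lnk
[2011/05/23 10:46:08 | 000,361,808 | ---- | C] () -- C:\windows\EMCRI_E.dll
[2011/12/30 11:56:50 | 000,000,000 | ---D | C] -- C:\Users\JEZ\AppData\Local\{7D7B6721-05F3-4892-84EB-3FCED415213D}
[2012/01/09 23:15:02 | 000,071,680 | -H-- | C] () -- C:\Users\JEZ\AppData\Local\Temp\update.exe
"""


def parse_otl_line(line):
    """Parse one OTL file line into a dict, or return None if it is not one."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return {
        "when": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "size": int(m.group("size").replace(",", "")),
        "attrs": m.group("attrs"),            # letters seen in OTL logs: H hidden, S system, D directory
        "op": m.group("op"),                  # C = created, M = modified
        "company": (m.group("company") or "").strip(),
        "path": m.group("path").strip(),
    }


def triage_otl(text, report_time=REPORT_TIME, recent_days=30):
    """Return [(path, [reasons])] for executables with no company name that are
    also in a user-writable location or recent relative to the report time."""
    flagged = []
    for line in text.splitlines():
        e = parse_otl_line(line)
        if e is None or "D" in e["attrs"]:
            continue                          # skip non-matching lines and directories
        path_l = e["path"].lower()
        if not path_l.endswith(EXEC_EXT) or e["company"] or path_l in KNOWN_BENIGN:
            continue
        reasons = ["no company name"]
        if any(marker in path_l for marker in USER_WRITABLE):
            reasons.append("user-writable location")
        age = (report_time - e["when"]).days
        if 0 <= age <= recent_days:
            reasons.append("recent (%d days before report)" % age)
        if len(reasons) > 1:                  # company-less alone is too noisy; need a second signal
            flagged.append((e["path"], reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage_otl(SAMPLE_OTL):
        print(path, "->", "; ".join(reasons))
```

The "no company name" signal on its own is weak (OTL's own "Files Created - No Company Name" section shows plenty of legitimate Windows and driver files), so the script only reports it together with a second signal; a real review still ends with the helper looking each flagged file up by hand.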


#2
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
Hi, estheblessed! Welcome to GeeksToGo! My name is BlackOxide and I will be assisting you with your Malware/Security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note the following:
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply, unless I specifically need you to attach them.
  • Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for me to analyse and fix your PC in the long run.
  • I will always try and respond to replies as soon as possible, but please be patient as some logs require more time than others to fully analyse.
  • If you are not sure of anything along the way, just ask.

OK, let's start ;)



I have since changed my password on a non-infected machine.

:thumbsup:


Your OTL log looks good. Let's move on to some other scans...


1)
Download aswMBR.exe (1.8mb) to your desktop.

Double click aswMBR.exe to run it.

If it asks to download the Avast definitions, just click No.

Click the "Scan" button to start the scan.



On completion of the scan click save log, save it to your desktop and post it in your next reply.





2)
Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




3)
Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.




In your next reply
Please post the contents of...
aswMBR log
MBAM log
Security Check log

  • 0

#3
estheblessed

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi,

Firstly thanks for your time BlackOxide.

Just an update ... I have had my machine offline since I found out my email was hacked into and since then I have discovered that my FTP accounts were compromised and the sites were targeted with malicious javascript code. Since then I have changed FTP passwords (on a safe machine) and restored the sites back to how they were.

Anyway, after following your instructions the logs go as follows:

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-12 21:29:26
-----------------------------
21:29:26.517 OS Version: Windows x64 6.1.7601 Service Pack 1
21:29:26.517 Number of processors: 4 586 0x2A07
21:29:26.517 ComputerName: JEZ-PC UserName: JEZ
21:29:27.827 Initialize success
21:29:35.535 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:29:35.535 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 3
21:29:35.535 Disk 0 MBR read successfully
21:29:35.535 Disk 0 MBR scan
21:29:35.535 Disk 0 Windows 7 default MBR code
21:29:35.551 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 12800 MB offset 2048
21:29:35.551 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 487095 MB offset 26216448
21:29:35.566 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 453971 MB offset 1023787008
21:29:35.582 Service scanning
21:29:36.877 Service MpNWMon C:\windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
21:29:37.516 Modules scanning
21:29:37.516 Disk 0 trace - called modules:
21:29:37.563 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
21:29:37.563 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80065fb060]
21:29:37.563 3 CLASSPNP.SYS[fffff88000dc843f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004753050]
21:29:37.579 Scan finished successfully
21:30:06.408 Disk 0 MBR has been saved successfully to "C:\Users\JEZ\Desktop\MBR.dat"
21:30:06.423 The log file has been saved successfully to "C:\Users\JEZ\Desktop\aswMBR.txt"



Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.12.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
JEZ :: JEZ-PC [administrator]

12/01/2012 21:32:36
mbam-log-2012-01-12 (21-32-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 189563
Time elapsed: 1 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)





Results of screen317's Security Check version 0.99.30
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox 8.0. Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````




I shall await your next instructions.

Many thanks
  • 0

#4
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
Thanks for the update. So far so good on the logs. Let's continue our search to see if anything is still lurking...



1)
Let's get your Adobe Reader and Firefox updated to their latest versions:

Adobe Reader updates
  • Open Adobe Reader
  • Click Help on the menu at the top
  • Click Check for Updates
  • Allow any updates to be downloaded and installed


Update Firefox
  • Click Help at the top (or the orange Firefox button if it is visible), then About Firefox
  • It will automatically check for updates
  • Click the Apply Update button when it is visible
  • Firefox will now update itself to the latest version




2)
Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now



In your next reply
Please post the contents of...
ComboFix log
  • 0

#5
estheblessed

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi,

Computer is running fine but I am extremely paranoid about there still being something lurking on my machine. I'm just curious how they would have got my FTP details and (attempted) to hack my email?

Here is the combofix log anyway:

ComboFix 12-01-13.05 - JEZ 14/01/2012 11:27:05.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4009.2426 [GMT 0:00]
Running from: c:\users\JEZ\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\JEZ\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-14 to 2012-01-14 )))))))))))))))))))))))))))))))
.
.
2012-01-14 11:21 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{958E87AE-2A5D-4576-979F-C1EEE08B0288}\mpengine.dll
2012-01-14 11:18 . 2012-01-14 11:18 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-01-14 11:18 . 2012-01-14 11:18 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2012-01-14 11:18 . 2012-01-14 11:18 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2012-01-14 11:18 . 2012-01-14 11:18 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2012-01-06 21:05 . 2012-01-06 21:05 -------- d-----w- c:\program files (x86)\Citrix
2012-01-06 21:04 . 2012-01-06 21:04 -------- d-----w- c:\programdata\Citrix
2012-01-06 21:04 . 2012-01-06 21:04 -------- d-----w- c:\users\JEZ\AppData\Local\Citrix
2012-01-06 21:03 . 2012-01-06 21:04 -------- d-----w- c:\users\JEZ\AppData\Local\Deployment
2012-01-06 21:03 . 2012-01-06 21:03 -------- d-----w- c:\users\JEZ\AppData\Local\Apps
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 15:24 . 2011-10-25 19:45 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 04:52 . 2011-12-14 18:39 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 11:40 . 2011-09-02 19:10 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-05 05:32 . 2011-12-14 18:39 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 04:26 . 2011-12-14 18:39 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-11-04 01:53 . 2011-12-14 22:09 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-11-04 01:44 . 2011-12-14 22:09 1390080 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 01:44 . 2011-12-14 22:09 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 01:34 . 2011-12-14 22:09 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-11-03 22:47 . 2011-12-14 22:09 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-11-03 22:40 . 2011-12-14 22:09 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-11-03 22:39 . 2011-12-14 22:09 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2011-11-03 22:31 . 2011-12-14 22:09 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-10-26 05:21 . 2011-12-14 18:39 43520 ----a-w- c:\windows\system32\csrsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-05 283160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-05 13336]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [x]
R3 dc21x4vm;dc21x4vm;c:\windows\system32\DRIVERS\dc21x4vm.sys [x]
R3 EUCR;EUCR;c:\windows\system32\drivers\EUCR6SK.SYS [x]
R3 hidshim;Service for HID-KMDF Shim layer;c:\windows\system32\drivers\hidshim.sys [x]
R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM60x64.sys [x]
R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP60X64.sys [x]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [x]
R3 ioatdma1;ioatdma1;c:\windows\System32\Drivers\qd162x64.sys [x]
R3 ioatdma2;Intel® QuickData Technology device ver.2;c:\windows\System32\Drivers\qd262x64.sys [x]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [x]
R3 johci;JMicron 1394 Filter Driver;c:\windows\system32\drivers\johci.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-12-27 31124344]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 mv91cons;mv91cons;c:\windows\system32\drivers\mv91cons.sys [x]
R3 mv91xx;mv91xx;c:\windows\system32\drivers\mv91xx.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 nvamacpi;nvamacpi;c:\windows\system32\drivers\NVAMACPI.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 vcrdrx64;VIA MSP Card Reader Host Controller;c:\windows\system32\drivers\vcrdrx64.sys [x]
R3 videX64;videX64;c:\windows\system32\drivers\videX64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 wbondir;Winbond CIR Transceiver;c:\windows\system32\drivers\wbondir.sys [x]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [x]
R3 winbondhidcir;Winbond HID CIR Receiver;c:\windows\system32\drivers\winbondhidcir.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 ioatdma;Intel® QuickData Technology device;c:\windows\System32\Drivers\ioatdma.sys [x]
S0 xfiltx64;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfiltx64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3914302624-1360635431-3408457340-1000Core.job
- c:\users\JEZ\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-02 20:09]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3914302624-1360635431-3408457340-1000UA.job
- c:\users\JEZ\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-02 20:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-05-03 11842152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-13 168216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-13 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-13 416024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://nmd.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\JEZ\AppData\Roaming\Mozilla\Firefox\Profiles\ijgoc6n3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\0c\05\09\0c\1f\11?"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe
.
**************************************************************************
.
Completion time: 2012-01-14 11:33:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-14 11:33
.
Pre-Run: 453,602,070,528 bytes free
Post-Run: 453,229,461,504 bytes free
.
- - End Of File - - 7F69D0058A486214532F757695BE987F

Edited by estheblessed, 14 January 2012 - 05:49 AM.

  • 0

#6
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts

Computer is running fine but I am extremely paranoid about there still being something lurking on my machine. I'm just curious how they would have got my FTP details and (attempted) to hack my email?

It's tricky sometimes to find out how and when the details were obtained. There is a chance it could still be on your PC, or it could be an infection that has stolen your details and then been sent a command to remove itself. It could also have happened on another PC; do you access your FTP server or emails on another PC/Laptop?


I'd like to see what Kaspersky's Virus Removal Tool finds now. This will be a full scan of the PC so it may take a bit of time:


Kaspersky Virus Removal Tool

Click here to download the Kaspersky Virus Removal Tool.
  • Save it to your desktop.
  • Double click the setup file to run it.
  • Follow the onscreen prompts until it is installed
  • Click the Options button (the 'cog' icon), then make sure only the following are ticked:

  • System Memory
  • Hidden startup objects
  • Disk boot sectors
  • Local Disk (C:)
  • Also any other drives (Removable that you may have)


  • Then click on Actions on the left hand side
  • Click Select Action, then make sure both Disinfect and Delete if disinfection fails are ticked
  • Click on Automatic Scan
  • Now click the Start Scanning button, to run the scan
  • After the scan is complete, click the reports button ('Paper icon', next to the 'cog' icon) on the right hand side
  • Click Detected threats on the left
  • Now click the Save button, and save it as kaslog.txt to your Desktop
  • Please copy and paste the contents of kaslog.txt in your next reply.



In your next reply
Please post the contents of...
Kaspersky log
  • 0

#7
estheblessed

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi,

The scan took a long time! There were a few files that said password protected, looked like they were rar files? Also 4 threats detected, trojans in the firefox directory! Which suggests I got the viruses while browsing I guess?

It kept asking me what I wanted to do with them but I clicked skip and now on the reports screen next to the save button there is a disinfect button, should I disinfect?

To answer your earlier question ... no, this is the only machine where they could have got my ftp details, only I don't understand how? Unless filezilla keeps the passwords in a file somewhere?

Here are the threats:

Status: Detected (events: 4)
14/01/2012 15:06:38 Detected Trojan program Trojan-Downloader.JS.DarDuk.ei C:\Documents and Settings\JEZ\AppData\Local\Mozilla\Firefox\Profiles\ijgoc6n3.default\Cache\3\C5\F9658d01//ijgoc6n3 High
14/01/2012 15:47:07 Detected Trojan program Trojan-Downloader.JS.DarDuk.ei C:\Documents and Settings\JEZ\Local Settings\Mozilla\Firefox\Profiles\ijgoc6n3.default\Cache\3\C5\F9658d01//ijgoc6n3 High
14/01/2012 16:57:10 Detected Trojan program Trojan-Downloader.JS.DarDuk.ei C:\Users\JEZ\AppData\Local\Mozilla\Firefox\Profiles\ijgoc6n3.default\Cache\3\C5\F9658d01//ijgoc6n3 High
14/01/2012 17:49:06 Detected Trojan program Trojan-Downloader.JS.DarDuk.ei C:\Users\JEZ\Local Settings\Mozilla\Firefox\Profiles\ijgoc6n3.default\Cache\3\C5\F9658d01//ijgoc6n3 High
  • 0

#8
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts

There were a few files that said password protected, looked like they were rar files? Also 4 threats detected, trojans in the firefox directory! Which suggests I got the viruses while browsing I guess?

Most Anti Virus software will list password protected files due to them not being able to scan the contents as they will be locked. It doesn't necessarily mean it's bad, but if you don't know where the RAR files came from and you don't need them, I'd just remove them.

It looks like this could be where your malware originated from with these Trojan Downloaders in Firefox. We'll clear the Firefox Cache now to make sure they are gone. If you still have the Kaspersky Window open, by all means use the Disinfect or the Delete option :)



To answer your earlier question ... no, this is the only machine where they could have got my ftp details, only I don't understand how? Unless filezilla keeps the passwords in a file somewhere?

Yep unfortunately FileZilla still stores the passwords in plain text in an XML file, so it wouldn't have been hard to scan for the file and extract the password(s). It might be worth telling FileZilla to not store the password anymore, to be on the safe side.



Let's now remove the Firefox Cache to make sure these aren't still lingering:

Clear Firefox Cache
  • Click the orange Firefox button at the top left (or Tools at the top if it's visible)
  • Then click Options
  • Click Privacy along the top of this window
  • Click clear your recent history
  • Make sure the Time Range is set to Everything
  • Make sure just Cache is ticked
  • Click Clear Now to remove Firefox's Cache



Let's also remove other Temp files on your PC. Just run TFC to do this:

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean

  • 0
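The point made above, that FileZilla's Site Manager keeps passwords in an XML file where anything running as the user can read them, can be checked on your own machine. The following is an added example (my own script, not FileZilla's code or anything from this thread): it parses a sitemanager.xml, reports which saved sites have a recoverable password without ever printing the password, and writes out a scrubbed copy with the stored passwords removed. It assumes the element layout I know from FileZilla's sitemanager.xml (`<FileZilla3><Servers><Server>` with `<Host>`, `<User>`, `<Pass>` and `<Logontype>` children, where older builds wrote `<Pass>` as plain text and later builds as `<Pass encoding="base64">`, which is an encoding rather than encryption); the file path and the meaning of `Logontype` value 2 as "ask for password" are assumptions you should confirm against your own installation. The XML below is constructed for the example.

```python
"""Audit and scrub stored passwords in a FileZilla sitemanager.xml (added example)."""
import base64
import xml.etree.ElementTree as ET

# Assumed location on Windows: %APPDATA%\FileZilla\sitemanager.xml (check your install).
# Constructed sample covering the three cases: plain-text, base64-encoded, and no stored password.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>webmaster</User>
      <Pass>hunter2</Pass>
      <Logontype>1</Logontype>
      <Name>Plain-text site</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>Base64 site</Name>
    </Server>
    <Server>
      <Host>ftp.nopass.test</Host>
      <Port>21</Port>
      <User>anonymous</User>
      <Logontype>2</Logontype>
      <Name>Ask every time</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def audit_sitemanager(xml_text):
    """Return [(site name, host, user, password_stored)] for every <Server>.
    The password itself is never returned or printed."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        name = server.findtext("Name", "")
        host = server.findtext("Host", "")
        user = server.findtext("User", "")
        pass_el = server.find("Pass")
        stored = pass_el is not None and bool((pass_el.text or "").strip())
        if stored and pass_el.get("encoding") == "base64":
            # Demonstrate that base64 is trivially reversible; the result is discarded.
            base64.b64decode(pass_el.text.strip())
        findings.append((name, host, user, stored))
    return findings


def scrub_sitemanager(xml_text, ask_logontype="2"):
    """Return (scrubbed XML string, number of passwords removed).
    Every <Pass> is dropped and the entry switched to the 'ask for password'
    logon type (value assumed to be 2) so FileZilla prompts instead of failing."""
    root = ET.fromstring(xml_text)
    removed = 0
    for server in root.iter("Server"):
        for pass_el in server.findall("Pass"):   # findall returns a list, safe to remove while iterating
            server.remove(pass_el)
            removed += 1
            logon = server.find("Logontype")
            if logon is not None:
                logon.text = ask_logontype
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for name, host, user, stored in audit_sitemanager(SAMPLE_SITEMANAGER):
        print("%-16s %s@%s  stored password: %s" % (name, user, host, "YES" if stored else "no"))
    scrubbed, count = scrub_sitemanager(SAMPLE_SITEMANAGER)
    print("removed %d stored password(s)" % count)
```

Run it against your real file only after backing the file up, and remember that scrubbing the XML does nothing for a password that has already been copied off the machine; that is why the advice in this thread to change the FTP passwords from a clean machine comes first.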

#9
estheblessed

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks ...

It turns out the RAR files were nothing to worry about. So I went ahead and deleted those files and did as you said regarding clearing the cache in FF and using TFP.

Please advise on how to proceed.
  • 0

#10
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
:thumbsup:

Your logs look good now to be honest with you. The MBR is fine, no signs of any Rootkits and the only infections found were those Java exploit Trojan Downloaders. I believe you should be OK now, you did the right thing earlier in changing the passwords for your email and FTP on a clean machine. Just make sure your Microsoft Security Essentials is Enabled and Updated to its latest definitions. If you do have any other queries just let me know. Otherwise I'll post my cleanup steps which will remove some of the tools we have used and provide you with some tips on staying safe :)
  • 0

#11
estheblessed

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Excellent, I really appreciate your help.

Any advice on Filezilla password safety would be great. Also, Firefox safety too as I am normally pretty safe about what sites I visit but obviously something has got through?

#12 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)
No problem, you're welcome.

With FileZilla there doesn't seem to be a solution, other than to not let it store your details in its Site Manager and then, once you have finished your session, clear the history for Quickconnect. The trouble with that is, you would need to manually enter your details each time you want to connect to your FTP server. There may be another FTP client out there that manages saved passwords securely, but offhand I don't know of one. I don't use FTP much, but I have FileZilla on my machine and I'm not that familiar with any of the others. Shame the developer of a popular program doesn't include such a basic security feature :confused:


Best way to make Firefox secure in my opinion, is to have the latest version installed (which you have), and install the following Addons:

AdBlock Plus (Blocks a lot of unwanted Ads from displaying, or being accidentally clicked on)
KeyScrambler (Basically scrambles your typed keys within Firefox, so if any Keyloggers are present, they would just obtain random characters and not the keystrokes you typed)
NoScript (This one is very good but takes a bit of getting used to and is better suited to intermediate or advanced users. You manually Allow or Block scripts which run on web pages. If you don't Allow a malicious script, it simply cannot run. A good video introduction, recommended by the developer of the addon, can be found here.)

Have a play around with the addons and let me know how you get on.


I'll post my general cleanup steps below for you to run through, as we can remove most of the tools we have used in the cleanup :)



Good stuff, your logs now appear clean :cool:

Thank you for following the procedures, your system now appears free from Malware. It's now time to remove the programs we have used throughout this cleanup and make sure important programs are updated to their latest versions. This all helps in the fight against being reinfected.

Please make sure you follow the steps below, as they are highly recommended.

TFC and MBAM can be left on your PC, as they are useful to run every week or two.


========== CLEANUP ==========

Remove the Tools used in this cleanup

1)
Tools on the Desktop:
You can now safely remove aswMBR and Security Check from the Desktop (if present)

2)
Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

3)
Clear Old Restore Points
  • Run OTL, copy and paste the following into the Custom Scans/Fixes area at the bottom
    :Commands
    [CLEARALLRESTOREPOINTS]
  • Then Click Run Fix

4)
OTL Cleanup
  • Open OTL
  • Click the CleanUp button at the top, it will ask to reboot your PC, please allow it to do so



========== Anti Malware Protection ==========

Having a good Anti Virus program and an on-access Anti Malware program is great in the battle against malware and various other forms of infections. You should always make sure your Anti Virus is enabled and has the latest definitions downloaded (Anti Virus software will nearly always update its definitions automatically).

Here are some recommendations:

Free Anti Virus Protection...
If you haven't got an AntiVirus or are thinking of changing, my personal recommendations are Microsoft Security Essentials and Avast, both are free to use. Remember though, you can only have one Anti Virus installed at any one given time.

Paid Anti Virus Protection...
If you want a bit more than just an Anti Virus and would like extra features such as Firewall and Anti Spam, you will have to look at purchasing an Anti Virus product. A lot of people do use free AV software as these products use the same virus databases as the paid ones, but some people prefer to have the extra features and the help and support that the paid products tend to offer. If you are looking into purchasing one, my recommendations would be Kaspersky Internet Security or ESET Smart Security. There are however many different ones out there and it is wise to just download trial versions to see which ones suit you best, before actually buying.

MalwareBytes Anti-Malware
This is an excellent Anti-Malware product. It is recommended to periodically run a Quick Scan to keep your PC as clean as possible. Remember to check for updates before running a scan, so click the Update tab along the top, then click Check for Updates.



========== Updates ==========

Keeping your PC updated is vital in the battle against infections and exploits. This is where a lot of people fall down, as there are many infections which will exploit loopholes within Windows itself, Java and Adobe Reader. Keeping these updated is a very worthwhile habit to get into.

Windows Updates

Updates to your Operating System are vital in closing loopholes and fixing bugs which some infections exploit.
Here's how to check to see if you are missing any updates. Just click your version of Windows below, to see how to check...
Windows XP
Windows Vista
Windows 7

Java updates
  • Click the Start button
  • Click Control Panel
  • Double Click Java
    (If you don't see the Java icon - In XP, click Switch to Category View. In Vista, click Classic View. In Windows 7, click View By: in the top right and change it to Large Icons)
  • Click the Update tab
  • Click Update Now
  • Allow any updates to be downloaded and installed
Adobe Reader updates
  • Open Adobe Reader
  • Click Help on the menu at the top
  • Click Check for Updates
  • Allow any updates to be downloaded and installed



========== Key Tips ==========

- Never be tempted to download software you didn't ask for
If for example you see a "Free Registry Booster" or "Get rid of all your malware problems or blue screens by using this software", don't be tempted to click on them. The software is often useless, could actually be harmful to your PC and they are generally just out to get your money. If you didn't ask for the software, don't download it ;)

- Run regular scans
Set yourself a date, approximately every 2, 3 or 4 weeks, whereby you run a Full Scan with your Anti Virus and a scan with any Anti Malware/Spyware program you may have installed, like Malwarebytes' Anti Malware.


Have fun and stay safe online ;)
BlackOxide

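Two of the points in the post above, the warning that FileZilla saves FTP passwords insecurely and the advice to check that Java and Adobe Reader are current, can be turned into a quick self-check. The PowerShell script below is an added example for this thread; it is not code from the thread, from FileZilla or from Microsoft. It assumes (the thread does not say so) that FileZilla keeps its Site Manager entries in %APPDATA%\FileZilla\sitemanager.xml and its Quickconnect history in %APPDATA%\FileZilla\recentservers.xml, that each saved entry is a `<Server>` node carrying `<Host>`, `<User>` and, when the password was saved, a `<Pass>` node, and that a `<Pass>` with no `encoding` attribute holds the password as typed while `encoding="base64"` is only obfuscation. The XML fed to the first run is a constructed sample, not anyone's real file; the installed-program lookup reads the standard Uninstall registry keys, including the Wow6432Node copy that 32-bit installers use on 64-bit Windows.

```powershell
# Added example (not from the thread, FileZilla or Microsoft).
# Part 1 audits FileZilla's saved-site files for stored FTP passwords.
# Part 2 lists installed Java and Adobe Reader versions so you can see what
# needs updating, or whether Java is installed at all.
# Assumptions: file locations and <Server>/<Host>/<User>/<Pass> layout as
# described in the lead-in. Requires PowerShell 3.0 or later ([pscustomobject]).

function Get-FileZillaStoredCredential {
    param([xml]$Document, [string]$Source)
    foreach ($server in $Document.SelectNodes('//Server')) {
        $pass = $server.SelectSingleNode('Pass')
        if ($null -eq $pass) { continue }            # no password saved for this entry
        $encoding = $pass.GetAttribute('encoding')   # '' when the attribute is absent

        $recoverable = $null
        if (-not $encoding) {
            $recoverable = $pass.InnerText           # stored exactly as typed
        } elseif ($encoding -eq 'base64') {
            # base64 is not encryption: anyone who can read the file gets the password back
            $recoverable = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($pass.InnerText))
        }                                            # any other encoding: not trivially readable here

        [pscustomobject]@{
            Source      = $Source
            Host        = $server.Host
            User        = $server.User
            Encoding    = if ($encoding) { $encoding } else { 'none (plaintext)' }
            Recoverable = [bool]$recoverable         # $true: treat this password as exposed
        }
    }
}

function Get-InstalledProgramVersion {
    param([string[]]$NamePattern = @('Java*', 'Adobe Reader*'))
    # Both hives matter on 64-bit Windows: 32-bit installers register under Wow6432Node.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and @($NamePattern | Where-Object { $name -like $_ }).Count -gt 0
        } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

# Constructed sample in the Site Manager layout (not a real user's file): the first
# entry saved its password as typed, the second base64-obfuscated, the third not at all.
$sample = [xml]@'
<FileZilla3>
  <Servers>
    <Server><Host>ftp.example.com</Host><User>webmaster</User><Pass>hunter2</Pass></Server>
    <Server><Host>ftp.example.net</Host><User>deploy</User><Pass encoding="base64">aHVudGVyMg==</Pass></Server>
    <Server><Host>ftp.example.org</Host><User>anonymous</User></Server>
  </Servers>
</FileZilla3>
'@
Get-FileZillaStoredCredential -Document $sample -Source 'sample' | Format-Table -AutoSize

# Now the real files, if FileZilla has been used by this Windows account.
foreach ($file in 'sitemanager.xml', 'recentservers.xml') {
    $path = Join-Path $env:APPDATA "FileZilla\$file"
    if (Test-Path $path) {
        Get-FileZillaStoredCredential -Document ([xml](Get-Content $path)) -Source $file |
            Format-Table -AutoSize
    }
}

Get-InstalledProgramVersion | Format-Table -AutoSize
```

For the sample the first two entries come out with Recoverable = True and the third produces no row at all, which is exactly the situation the post describes: a saved Site Manager or Quickconnect entry is readable by any malware running as the user. Any Recoverable = True row from the real files means that FTP password should be treated as already known to the attacker and changed from a clean machine, as was done earlier in this thread. The second table shows what the Control Panel and Help menu steps in the post would update; if no Java row appears, Java is simply not installed, which matches the reply in post #14.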

#13 estheblessed (New Member, Topic Starter, 7 posts)
Many, many thanks!

I just had one question ... there wasn't a Java option in Control Panel?

#14 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)
That's fine, no need to worry about that then; not everybody has the Java Console installed. If it's not there, you don't need to update it :)

#15 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.