
Program Can't Start Because %hs is missing.


#1 FYATroll (New Member, 8 posts)
So, I've got this gem. This comes after I had contracted malware, specifically the TR/Atraps.gen2 thing. My Avira noticed it, I ran a full scan, it found bad files, I quarantined and rebooted as instructed by avira. It was then that this started. Can't boot in safe mode, the system recovery tool doesn't fix anything, and system restore doesn't work (currently using Windows 7 64). The standard fix associated with AVG does not work, as I've used the recovery prompt and located the registry and it is the correct one. So, any ideas out there? Any sort of program I should save to a flash and try to run through the prompt via the recovery console?

Also, and sadly, I didn't copy the report from the full Avira scan, which I'm sure would help. Also, it is important to note that after contracting the malware I restarted my comp multiple times with no hiccup. It was only after running the full Avira scan and rebooting as instructed that I encountered a problem. So my best (and that's not very good) guess is that Avira deleted something that didn't need to be deleted.

#2 Amlak (Member 1K, 1,470 posts)
Welcome to GTG. I'll be helping you out with your malware problem, but please keep in mind that my subsequent responses may be delayed as I'm still a trainee and need to have an expert approve all of my fixes before they are submitted here.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#3 FYATroll (Topic Starter, New Member, 8 posts)
Thanks a ton man. Here is frst.txt pasted.

Scan result of Farbar Recovery Scan Tool Version: 19-05-2012
Ran by SYSTEM at 22-05-2012 11:11:56
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8067616 2009-08-18] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [166424 2009-10-07] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [390168 2009-10-07] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [408600 2009-10-07] (Intel Corporation)
HKLM-x32\...\Run: [RunAIShell] C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe [225280 2009-08-19] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-09-23] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2010-12-13] (Apple Inc.)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [273544 2011-05-04] (RealNetworks, Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [343168 2011-12-05] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [348624 2012-05-01] (Avira Operations GmbH & Co. KG)
HKU\Owner\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4240760 2010-09-22] (Microsoft Corporation)
HKU\Owner\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1242448 2012-02-06] (Valve Corporation)
HKU\Owner\...\Run: [igndlm.exe] C:\Program Files (x86)\Download Manager\DLM.exe /windowsstart /startifwork [1103216 2009-10-27] (IGN Entertainment)
HKU\Owner\...\Run: [ATT-SST] C:\Program Files (x86)\ATT-SST\McciBrowser.exe -AppKey=ATT-SST -URL=file://C:\Program Files (x86)\ATT-SST\OCB\08d40af2-12dd-46f7-9cbe-44052b2120c7\Start.htm?VendorID=ATT-SST,isHidden=false,ConnectivityRequired=true,flowId=HOMEPAGE,FlowParams= [x]
HKU\Owner\...\Run: [Weather] C:\Program Files (x86)\AWS\WeatherBug\Weather.exe 1 [x]
HKU\Owner\...\Run: [Media Finder] "C:\Program Files (x86)\Media Finder\MF.exe" /opentotray [x]
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1082440 2012-04-04] (Malwarebytes Corporation)
Winlogon\Notify\DfLogon: LogonDll.dll [X]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
SubSystems: [Windows] ATTENTION! ====> ZeroAccess

==================== Services (Whitelisted) ======

2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [86224 2012-05-01] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [110032 2012-05-01] (Avira Operations GmbH & Co. KG)
2 Device Handle Service; C:\Windows\SysWOW64\AsHookDevice.exe [196608 2009-08-19] (ASUSTeK Computer Inc.)
2 enum1394; C:\Windows\System32\svchost.exe -k netsvcs [27136 2009-07-13] (Microsoft Corporation)
2 enum1394; C:\Windows\SysWow64\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)
2 McciCMService; "C:\Program Files (x86)\Common Files\Motive\McciCMService.exe" [319488 2011-03-24] (Alcatel-Lucent)
2 McciCMService64; "C:\Program Files\Common Files\Motive\McciCMService.exe" [517632 2011-03-24] (Alcatel-Lucent)
3 ose64; "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [174440 2010-01-09] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

2 ASInsHelp; \??\C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
1 AsIO; C:\Windows\SysWow64\Drivers\AsIO.sys [13440 2009-08-03] ()
1 AsUpIO; C:\Windows\SysWow64\Drivers\AsUpIO.sys [13368 2009-07-06] ()
2 avgntflt; C:\Windows\System32\Drivers\avgntflt.sys [98848 2012-04-24] (Avira GmbH)
1 avipbb; C:\Windows\System32\Drivers\avipbb.sys [132832 2012-04-27] (Avira GmbH)
1 avkmgr; C:\Windows\System32\Drivers\avkmgr.sys [27760 2012-05-02] (Avira GmbH)
3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [7749408 2009-10-07] (Intel Corporation)
3 Linksys_adapter_H; C:\Windows\System32\DRIVERS\AE1200w764.sys [1254464 2011-03-29] (Broadcom Corporation)
3 MREMP50; \??\C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [21248 2010-07-27] (Printing Communications Assoc., Inc. (PCAUSA))
3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [43008 2010-07-27] (Printing Communications Assoc., Inc. (PCAUSA))
3 MRESP50; \??\C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [20096 2010-07-27] (Printing Communications Assoc., Inc. (PCAUSA))
3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [40960 2010-07-27] (Printing Communications Assoc., Inc. (PCAUSA))
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
3 netr28ux; C:\Windows\System32\Drivers\netr28ux.sys [867328 2009-06-10] (Ralink Technology Corp.)
2 RtNdPt60; C:\Windows\System32\Drivers\RtNdPt60.sys [26624 2007-12-11] (Windows ® Codename Longhorn DDK provider)
3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam60.sys [43008 2008-10-24] (Realtek Corporation)
3 RTVLANPT; C:\Windows\System32\DRIVERS\RtVlan60.sys [24064 2007-12-03] (Windows ® Codename Longhorn DDK provider)
3 TEAM; C:\Windows\System32\DRIVERS\RtTeam60.sys [43008 2008-10-24] (Realtek Corporation)
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
3 tmlwf; [x]
3 tmwfp; [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: bthpan
NETSVC: enum1394

============ One Month Created Files and Folders ==============

2012-05-22 11:11 - 2012-05-22 11:12 - 0000000 ____D C:\FRST
2012-05-21 16:58 - 2012-05-21 16:58 - 0148346 ____A C:\Windows\ntbtlog.txt
2012-05-21 15:28 - 2012-05-21 15:28 - 0000000 ____D C:\avrescue
2012-05-21 13:21 - 2012-05-21 13:21 - 0000000 ____D C:\Users\Owner\AppData\Local\{84812F46-D083-4F38-8899-79390883158F}
2012-05-21 13:10 - 2012-05-21 20:10 - 0000000 ____D C:\Windows\pss
2012-05-21 13:04 - 2012-05-21 13:04 - 0000000 ____D C:\Users\Owner\AppData\Local\{5CCA1A2F-3204-4108-A00F-C2F4524A1C88}
2012-05-21 13:00 - 2012-05-21 13:00 - 0000000 ____D C:\Users\Owner\AppData\Local\{8920F540-600C-4CDD-860C-FB7F14321C44}
2012-05-21 12:53 - 2012-05-21 12:53 - 0000000 ____D C:\Users\Owner\AppData\Local\{B2D34393-2D24-4D3E-A201-8794F80CE7E7}
2012-05-21 12:30 - 2012-05-21 12:30 - 0000000 ____D C:\Users\Owner\AppData\Local\{5CC2ABBA-F011-4579-8365-C3EFD6C2FA4F}
2012-05-21 12:22 - 2012-05-21 20:10 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-05-21 12:22 - 2012-05-21 12:22 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Owner\Downloads\mbam-setup-1.61.0.1400.exe
2012-05-21 12:22 - 2012-05-21 12:22 - 0001117 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-21 12:22 - 2012-05-21 12:22 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Malwarebytes
2012-05-21 12:22 - 2012-05-21 12:22 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-05-21 12:22 - 2012-05-21 12:22 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-05-21 12:22 - 2012-04-04 11:56 - 0024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-05-21 12:14 - 2012-05-21 12:14 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Avira
2012-05-21 12:10 - 2012-05-21 12:10 - 0001998 ____A C:\Users\Public\Desktop\Avira Control Center.lnk
2012-05-21 12:10 - 2012-05-21 12:10 - 0000000 ____D C:\Users\Owner\AppData\Local\{86495266-5DB3-44C0-8665-46206B260ACB}
2012-05-21 12:10 - 2012-05-21 12:10 - 0000000 ____D C:\Users\All Users\Avira
2012-05-21 12:10 - 2012-05-21 12:10 - 0000000 ____D C:\ProgramData\Avira
2012-05-21 12:10 - 2012-05-21 12:10 - 0000000 ____D C:\Program Files (x86)\Avira
2012-05-21 12:10 - 2012-05-02 11:24 - 0027760 ____A (Avira GmbH) C:\Windows\System32\Drivers\avkmgr.sys
2012-05-21 12:10 - 2012-04-27 06:20 - 0132832 ____A (Avira GmbH) C:\Windows\System32\Drivers\avipbb.sys
2012-05-21 12:10 - 2012-04-24 20:32 - 0098848 ____A (Avira GmbH) C:\Windows\System32\Drivers\avgntflt.sys
2012-05-21 12:01 - 2012-05-21 12:01 - 0013833 ____A C:\Users\Owner\Documents\THISTHISTHIS.docx
2012-05-20 21:29 - 2012-05-20 21:30 - 99218336 ____A C:\Users\Owner\Downloads\avira_free_antivirus_en.exe
2012-05-20 21:18 - 2012-05-20 21:19 - 0000000 ____D C:\Users\Owner\AppData\Local\{7FB5B1E3-4E3B-4347-987C-06BB03FB24EE}
2012-05-20 19:55 - 2012-05-21 13:12 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-20 19:54 - 2012-05-20 19:54 - 0000000 ____D C:\Windows\system64
2012-05-19 00:18 - 2012-05-19 00:18 - 0000000 ____D C:\Program Files (x86)\Graboid
2012-05-18 23:59 - 2012-05-18 23:59 - 1863680 ____A (Microsoft Corporation) C:\Windows\System32\ExplorerFrame.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 1837568 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 1540608 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 1495040 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 1170944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 1133568 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 1074176 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0982912 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2012-05-18 23:59 - 2012-05-18 23:59 - 0902656 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0739840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0662528 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0470016 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0442880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0320512 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0283648 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0265088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2012-05-18 23:59 - 2012-05-18 23:59 - 0229888 ____A (Microsoft Corporation) C:\Windows\System32\XpsRasterService.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0218624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0197120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0135168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsRasterService.dll
2012-05-18 23:58 - 2012-05-18 23:59 - 0002152 ____A C:\Windows\IE9_main.log
2012-05-18 23:58 - 2012-05-18 23:58 - 0543024 ____A (Microsoft Corporation) C:\Users\Owner\Downloads\IE9-Windows7-x64-enu.exe
2012-05-14 14:34 - 2012-05-14 23:37 - 0000000 ____D C:\Program Files (x86)\Diablo III
2012-05-14 14:34 - 2012-05-14 14:36 - 0001197 ____A C:\Users\Public\Desktop\Diablo III.lnk
2012-05-14 14:33 - 2012-05-14 14:33 - 32288896 ____A (Blizzard Entertainment) C:\Users\Owner\Downloads\Diablo-III-Setup-enUS.exe
2012-05-01 20:51 - 2012-05-02 19:48 - 0034308 ____A C:\Users\Owner\Documents\PROP 2 OUTLINE.docx
2012-04-27 11:43 - 2012-04-28 20:18 - 0021085 ____A C:\Users\Owner\Documents\CIV PRO OUTLINE.docx
2012-04-26 08:42 - 2012-04-26 08:42 - 0012885 ____A C:\Users\Owner\Documents\DRAFT SHEET.docx
2012-04-26 08:37 - 2012-04-26 08:37 - 0000000 ____D C:\Users\Owner\AppData\Local\{819D4644-9551-4B65-B177-89009C7E10D9}
2012-04-25 22:43 - 2012-05-04 12:57 - 0026305 ____A C:\Users\Owner\Documents\CON LAW OUTLINE.docx
2012-04-24 20:15 - 2012-05-10 07:43 - 0017051 ____A C:\Users\Owner\Documents\Products Liability Outline.docx
2012-04-23 14:17 - 2012-05-07 15:19 - 0023559 ____A C:\Users\Owner\Documents\CONTRACTS OUTLINE II.docx

============ 3 Months Modified Files and Folders =============

2012-05-21 20:54 - 2010-01-14 12:03 - 2090115072 __ASH C:\hiberfil.sys
2012-05-21 20:10 - 2012-05-21 13:10 - 0000000 ____D C:\Windows\pss
2012-05-21 20:10 - 2012-05-21 12:22 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-05-21 20:10 - 2012-04-10 16:15 - 0000000 ____D C:\Windows\System32\Macromed
2012-05-21 20:10 - 2010-09-25 08:31 - 0000000 ____D C:\Program Files (x86)\Steam
2012-05-21 20:10 - 2010-09-02 14:01 - 0000000 ____D C:\users\Owner
2012-05-21 20:10 - 2009-11-13 09:03 - 0000000 ____D C:\Windows\SysWOW64\Macromed
2012-05-21 20:10 - 2009-07-13 23:44 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-05-21 20:10 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2012-05-21 20:10 - 2009-07-13 19:18 - 0000000 __SHD C:\$Recycle.Bin
2012-05-21 16:58 - 2012-05-21 16:58 - 0148346 ____A C:\Windows\ntbtlog.txt
2012-05-21 15:28 - 2012-05-21 15:28 - 0000000 ____D C:\avrescue
2012-05-21 15:28 - 2010-01-14 12:14 - 1281568 ____A C:\Windows\WindowsUpdate.log
2012-05-21 15:01 - 2011-01-27 17:15 - 0000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-05-21 13:27 - 2009-07-13 21:13 - 0713888 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-21 13:27 - 2009-07-13 20:45 - 0009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-21 13:27 - 2009-07-13 20:45 - 0009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-21 13:21 - 2012-05-21 13:21 - 0000000 ____D C:\Users\Owner\AppData\Local\{84812F46-D083-4F38-8899-79390883158F}
2012-05-21 13:20 - 2011-01-27 17:15 - 0000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-05-21 13:20 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-05-21 13:20 - 2009-07-13 20:51 - 0052583 ____A C:\Windows\setupact.log
2012-05-21 13:12 - 2012-05-20 19:55 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-21 13:04 - 2012-05-21 13:04 - 0000000 ____D C:\Users\Owner\AppData\Local\{5CCA1A2F-3204-4108-A00F-C2F4524A1C88}
2012-05-21 13:00 - 2012-05-21 13:00 - 0000000 ____D C:\Users\Owner\AppData\Local\{8920F540-600C-4CDD-860C-FB7F14321C44}
2012-05-21 12:53 - 2012-05-21 12:53 - 0000000 ____D C:\Users\Owner\AppData\Local\{B2D34393-2D24-4D3E-A201-8794F80CE7E7}
2012-05-21 12:30 - 2012-05-21 12:30 - 0000000 ____D C:\Users\Owner\AppData\Local\{5CC2ABBA-F011-4579-8365-C3EFD6C2FA4F}
2012-05-21 12:29 - 2010-01-14 12:03 - 0155266 ____A C:\Windows\PFRO.log
2012-05-21 12:22 - 2012-05-21 12:22 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Owner\Downloads\mbam-setup-1.61.0.1400.exe
2012-05-21 12:22 - 2012-05-21 12:22 - 0001117 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-21 12:22 - 2012-05-21 12:22 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Malwarebytes
2012-05-21 12:22 - 2012-05-21 12:22 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-05-21 12:22 - 2012-05-21 12:22 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-05-21 12:14 - 2012-05-21 12:14 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Avira
2012-05-21 12:10 - 2012-05-21 12:10 - 0001998 ____A C:\Users\Public\Desktop\Avira Control Center.lnk
2012-05-21 12:10 - 2012-05-21 12:10 - 0000000 ____D C:\Users\Owner\AppData\Local\{86495266-5DB3-44C0-8665-46206B260ACB}
2012-05-21 12:10 - 2012-05-21 12:10 - 0000000 ____D C:\Users\All Users\Avira
2012-05-21 12:10 - 2012-05-21 12:10 - 0000000 ____D C:\ProgramData\Avira
2012-05-21 12:10 - 2012-05-21 12:10 - 0000000 ____D C:\Program Files (x86)\Avira
2012-05-21 12:01 - 2012-05-21 12:01 - 0013833 ____A C:\Users\Owner\Documents\THISTHISTHIS.docx
2012-05-20 21:30 - 2012-05-20 21:29 - 99218336 ____A C:\Users\Owner\Downloads\avira_free_antivirus_en.exe
2012-05-20 21:19 - 2012-05-20 21:18 - 0000000 ____D C:\Users\Owner\AppData\Local\{7FB5B1E3-4E3B-4347-987C-06BB03FB24EE}
2012-05-20 19:54 - 2012-05-20 19:54 - 0000000 ____D C:\Windows\system64
2012-05-20 19:54 - 2012-04-10 16:15 - 0419488 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-05-20 19:54 - 2011-06-15 12:57 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-05-19 00:18 - 2012-05-19 00:18 - 0000000 ____D C:\Program Files (x86)\Graboid
2012-05-18 23:59 - 2012-05-18 23:59 - 1863680 ____A (Microsoft Corporation) C:\Windows\System32\ExplorerFrame.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 1837568 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 1540608 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 1495040 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 1170944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 1133568 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 1074176 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0982912 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2012-05-18 23:59 - 2012-05-18 23:59 - 0902656 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0739840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0662528 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0470016 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0442880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0320512 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0283648 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0265088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2012-05-18 23:59 - 2012-05-18 23:59 - 0229888 ____A (Microsoft Corporation) C:\Windows\System32\XpsRasterService.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0218624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0197120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2012-05-18 23:59 - 2012-05-18 23:59 - 0135168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsRasterService.dll
2012-05-18 23:59 - 2012-05-18 23:58 - 0002152 ____A C:\Windows\IE9_main.log
2012-05-18 23:58 - 2012-05-18 23:58 - 0543024 ____A (Microsoft Corporation) C:\Users\Owner\Downloads\IE9-Windows7-x64-enu.exe
2012-05-14 23:37 - 2012-05-14 14:34 - 0000000 ____D C:\Program Files (x86)\Diablo III
2012-05-14 14:36 - 2012-05-14 14:34 - 0001197 ____A C:\Users\Public\Desktop\Diablo III.lnk
2012-05-14 14:33 - 2012-05-14 14:33 - 32288896 ____A (Blizzard Entertainment) C:\Users\Owner\Downloads\Diablo-III-Setup-enUS.exe
2012-05-10 07:43 - 2012-04-24 20:15 - 0017051 ____A C:\Users\Owner\Documents\Products Liability Outline.docx
2012-05-07 15:19 - 2012-04-23 14:17 - 0023559 ____A C:\Users\Owner\Documents\CONTRACTS OUTLINE II.docx
2012-05-04 12:57 - 2012-04-25 22:43 - 0026305 ____A C:\Users\Owner\Documents\CON LAW OUTLINE.docx
2012-05-02 19:48 - 2012-05-01 20:51 - 0034308 ____A C:\Users\Owner\Documents\PROP 2 OUTLINE.docx
2012-05-02 11:24 - 2012-05-21 12:10 - 0027760 ____A (Avira GmbH) C:\Windows\System32\Drivers\avkmgr.sys
2012-04-28 20:18 - 2012-04-27 11:43 - 0021085 ____A C:\Users\Owner\Documents\CIV PRO OUTLINE.docx
2012-04-27 06:20 - 2012-05-21 12:10 - 0132832 ____A (Avira GmbH) C:\Windows\System32\Drivers\avipbb.sys
2012-04-26 08:42 - 2012-04-26 08:42 - 0012885 ____A C:\Users\Owner\Documents\DRAFT SHEET.docx
2012-04-26 08:37 - 2012-04-26 08:37 - 0000000 ____D C:\Users\Owner\AppData\Local\{819D4644-9551-4B65-B177-89009C7E10D9}
2012-04-24 20:32 - 2012-05-21 12:10 - 0098848 ____A (Avira GmbH) C:\Windows\System32\Drivers\avgntflt.sys
2012-04-21 08:20 - 2012-04-21 08:20 - 0000000 ____D C:\Program Files (x86)\Apple Software Update
2012-04-20 10:39 - 2011-07-26 18:15 - 0000000 ____D C:\Users\Owner\riotsGamesLogs
2012-04-20 10:32 - 2012-04-20 10:32 - 0000000 ____D C:\Users\Owner\Documents\Diablo III
2012-04-20 10:32 - 2012-04-20 10:32 - 0000000 ____D C:\Users\All Users\Blizzard Entertainment
2012-04-20 10:32 - 2012-04-20 10:32 - 0000000 ____D C:\ProgramData\Blizzard Entertainment
2012-04-20 10:32 - 2012-04-20 08:14 - 0000000 ____D C:\Program Files (x86)\Diablo III Beta
2012-04-20 08:14 - 2012-04-20 08:14 - 0001267 ____A C:\Users\Public\Desktop\Diablo III Beta.lnk
2012-04-20 08:13 - 2012-04-20 08:13 - 46104904 ____A (Blizzard Entertainment) C:\Users\Owner\Downloads\Diablo-III-Beta-enUS-Setup.exe
2012-04-20 08:13 - 2012-04-20 08:13 - 0000000 ____D C:\Users\All Users\Battle.net
2012-04-20 08:13 - 2012-04-20 08:13 - 0000000 ____D C:\ProgramData\Battle.net
2012-04-19 21:22 - 2012-04-14 22:59 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Skype
2012-04-19 17:52 - 2012-04-19 17:52 - 0000000 ____D C:\Users\Owner\AppData\Local\{D104F501-3C68-4914-9B3C-A5F0BD193E48}
2012-04-18 12:34 - 2012-02-18 10:50 - 0000000 ____D C:\Users\Owner\AppData\Roaming\Media Finder
2012-04-18 12:32 - 2012-04-18 12:32 - 0000000 ____D C:\Users\Owner\Desktop\Download
2012-04-16 10:42 - 2012-04-16 10:41 - 0000000 ____D C:\Users\Owner\AppData\Local\{98A7EF39-A8AC-49B1-AC73-DFF52F7F9A09}
2012-04-15 11:14 - 2012-04-15 11:12 - 0013557 ____A C:\Users\Owner\Documents\Liquidated damages.docx
2012-04-14 22:59 - 2012-04-14 22:59 - 0002515 ____A C:\Users\Public\Desktop\Skype.lnk
2012-04-14 22:59 - 2012-04-14 22:59 - 0000000 ___RD C:\Program Files (x86)\Skype
2012-04-14 22:58 - 2012-04-14 22:58 - 0944264 ____A (Skype Technologies S.A.) C:\Users\Owner\Downloads\SkypeSetup.exe
2012-04-14 22:58 - 2012-04-14 22:58 - 0000000 ____D C:\Users\All Users\Skype
2012-04-14 22:58 - 2012-04-14 22:58 - 0000000 ____D C:\ProgramData\Skype
2012-04-11 10:32 - 2012-04-11 10:31 - 5408666 ____A C:\Users\Owner\Downloads\Draft_Sheet 1.bmp
2012-04-05 14:09 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-04-04 11:56 - 2012-05-21 12:22 - 0024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-30 14:21 - 2012-03-30 14:21 - 0012676 ____A C:\Users\Owner\Documents\Food stamps.docx
2012-03-29 16:03 - 2012-03-29 16:03 - 0031744 ____A C:\Users\Owner\Downloads\FBA Extern Scholarship Application 2012-13.DOC
2012-03-29 15:34 - 2012-03-29 15:34 - 3888389 ____A C:\Users\Owner\Downloads\Stepping Up To the Podium with Confidence.pdf
2012-03-29 11:37 - 2012-03-28 21:16 - 0019224 ____A C:\Users\Owner\Documents\Essay on ACA coercion argument.docx
2012-03-28 11:47 - 2012-03-28 11:47 - 0000000 ____D C:\Users\Owner\AppData\Local\{D1A3A808-367D-479A-B9E5-FF604BC45E15}
2012-03-28 10:28 - 2011-01-11 14:33 - 0019291 ____A C:\Users\Owner\Documents\Work Resume..docx
2012-03-27 13:03 - 2012-03-27 13:03 - 0240128 ____A C:\Users\Owner\Downloads\Externship Explanation & Application.revised.doc
2012-03-22 00:15 - 2012-03-22 00:15 - 0000219 ____A C:\Users\Owner\Desktop\Dota 2.url
2012-03-21 12:40 - 2012-03-21 12:40 - 0000000 ____D C:\Users\Owner\AppData\Local\{12C650D4-8281-4A43-AABC-B1BD505FD239}
2012-03-18 17:56 - 2012-03-18 17:56 - 0000000 ____D C:\Users\Owner\AppData\Local\{3237DDF8-3B8F-482D-BD55-5B77C8688798}
2012-03-16 07:23 - 2012-03-16 07:22 - 0000000 ____D C:\Users\Owner\AppData\Local\{1321A84A-2183-478B-8739-3B00EE4A134A}
2012-03-15 21:13 - 2012-03-14 18:53 - 0041443 ____A C:\Users\Owner\Documents\SUM JUDG.docx
2012-03-15 20:46 - 2012-02-29 21:04 - 0030993 ____A C:\Users\Owner\Documents\MEMO AGAINST.docx
2012-03-15 19:10 - 2012-03-15 19:10 - 0013972 ____A C:\Users\Owner\Documents\MSJ Motion.docx
2012-03-14 19:22 - 2012-03-14 19:22 - 0050176 ____A C:\Users\Owner\Documents\MSJ Deposition Transcript Meecham B3 (numbered).doc
2012-03-14 18:36 - 2012-03-14 18:36 - 0076800 ____A C:\Users\Owner\Documents\MSJ Deposition Transcript McClellan B3 (numbered).doc
2012-03-14 14:50 - 2012-03-14 14:50 - 0027136 ____A C:\Users\Owner\Documents\Prima Facie Case Handout.doc
2012-03-11 09:50 - 2012-03-11 09:49 - 0000000 ____D C:\Users\Owner\AppData\Local\{F6DDE75F-2C04-4DBA-96E6-FB54D1DD8071}
2012-03-08 20:52 - 2012-03-08 19:53 - 0000000 ____D C:\Users\Owner\AppData\Local\PAYDAY
2012-03-08 19:52 - 2010-01-14 12:23 - 0068288 ____A C:\Windows\DirectX.log
2012-03-08 19:51 - 2010-09-04 14:37 - 0000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2012-03-07 14:10 - 2012-03-07 14:10 - 0014808 ____A C:\Users\Owner\Downloads\McCreedy.docx
2012-03-07 08:21 - 2012-03-07 08:21 - 0013876 ____A C:\Users\Owner\Documents\Richard McCreedy Outline.docx
2012-03-05 15:35 - 2012-03-05 15:35 - 62256420 ____A C:\Users\Owner\Downloads\bestcm.mov
2012-03-03 08:41 - 2012-03-03 08:41 - 0000000 ____D C:\Users\Owner\AppData\Local\{83DDB61D-5D3F-4BE8-988C-C06C8E189803}
2012-02-26 20:51 - 2012-02-26 20:50 - 0013329 ____A C:\Users\Owner\Downloads\Contingency_Clause.docx
2012-02-26 19:57 - 2012-02-26 19:57 - 0000000 ____D C:\Users\Owner\AppData\Local\{793A3E77-0C16-44FD-A983-8EE879277CD2}


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 8119.05 MB
Available physical RAM: 7374.01 MB
Total Pagefile: 8117.2 MB
Available Pagefile: 7353.18 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: (WIN7) (Fixed) (Total:372.61 GB) (Free:244.95 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:550.9 GB) (Free:550.79 GB) NTFS
4 Drive f: (USB20FD) (Removable) (Total:7.53 GB) (Free:2.45 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 7728 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 8 GB 31 KB
Partition 2 Primary 372 GB 8 GB
Partition 3 Primary 550 GB 380 GB

======================================================================================================

Disk: 0
Partition 1
Type : 1B
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C WIN7 NTFS Partition 372 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D DATA NTFS Partition 550 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7727 MB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F USB20FD FAT32 Removable 7727 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-05-19 01:32

======================= End Of Log ==========================

#4 FYATroll (New Member, Topic Starter)
Any ideas yet, my man? I can see the ZeroAccess listed, which looks like a trojan.

#5 Amlak (Member 1K)
Yes, it's a ZeroAccess 64 variant. What happened is that Avira removed a malicious file without fixing a certain hijacked value in the Registry. That is why your system refuses to boot.

I'm currently waiting for my next proposed fix to be approved by an expert, so until then, we'll have to wait.

#6 FYATroll (New Member, Topic Starter)
Yeah, I didn't see anyone else out there with a complaint like this relating to Avira. I'd also like to say that I had run Malwarebytes and it found some bad files as well. So I'm not totally sure whether it was Avira or Malwarebytes that caused the problem.

#7 Amlak (Member 1K)
Hey, FYATroll. Here's what I'd like you to do next:

  • Open Notepad (Start => All Programs => Accessories => Notepad). Copy the entire contents of the code box below: highlight the contents of the box, right-click on it and select Copy.
  • Right-click in the open Notepad window and select Paste.
  • Save it on the flash drive as fixlist.txt

SubSystems: [Windows] ATTENTION! ====> ZeroAccess
2012-05-20 19:54 - 2012-05-20 19:54 - 0000000 ____D C:\Windows\system64

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt). Please make sure you post it in your next reply.

Now restart your computer and see if it boots into Windows successfully now. Fingers crossed.

#8 FYATroll (New Member, Topic Starter)
Brilliance my friend. It booted.

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 19-05-2012
Ran by SYSTEM at 2012-05-23 04:22:41 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
C:\Windows\system64 moved successfully.

==== End of Fixlog ====
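The FRST fixlist in post #7 and the Fixlog above show the actual repair: the `Session Manager\SubSystems\Windows` value was restored and the rogue `C:\Windows\system64` directory moved. What that value does is tell csrss which ServerDll modules to load at boot; when the AV deletes a DLL that a hijacked entry points at but leaves the entry in place, the next boot fails with the unfilled `%hs is missing` message (`%hs` is the printf-style placeholder for the DLL name that could not be resolved). The script below is an added example, not code from the thread, from Amlak or from FRST. It parses a SubSystems\Windows value, flags any ServerDll that is not one of the stock Windows 7 modules (basesrv, winsrv, sxssrv) and, optionally, any ServerDll whose file is not present. The stock value is the Windows 7 default; the hijacked sample is constructed, and the rogue module name `consrv` in it is an assumption (the thread never names the dropped DLL).

```python
"""Audit the csrss SubSystems\\Windows value for a hijacked ServerDll entry.

Added example; not from the thread or from FRST.  The "stock" value is the
Windows 7 default.  The "hijacked" value is constructed for the demo; the
rogue module name 'consrv' is assumed, the thread does not name the DLL.
"""
import re
import sys

# ServerDll modules a stock Windows 7 csrss is configured to load.
KNOWN_GOOD_SERVERDLLS = {"basesrv", "winsrv", "sxssrv"}

# ServerDll=<module>[:<init function>],<index>
SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)")

# Default Windows 7 value (REG_EXPAND_SZ, shown unexpanded).
STOCK_WIN7_VALUE = (
    "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)

# Constructed hijacked value: the console ServerDll entry has been re-pointed
# at an attacker-supplied module ('consrv' is an assumed name, see above).
HIJACKED_VALUE = STOCK_WIN7_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)


def parse_serverdlls(value):
    """Return [(module, init_function_or_None, index), ...] in value order."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in SERVERDLL_RE.finditer(value)]


def audit_subsystems_value(value, present_dlls=None):
    """Return a list of findings; an empty list means the value looks stock.

    present_dlls: optional set of lower-case module names that actually exist
    as <name>.dll in system32.  When given, a ServerDll with no file is
    reported: that is exactly the state that produces '%hs is missing'.
    """
    findings = []
    entries = parse_serverdlls(value)
    if not entries:
        findings.append("no ServerDll entries parsed (value truncated or malformed)")
    for module, func, idx in entries:
        mod = module.lower()
        if mod not in KNOWN_GOOD_SERVERDLLS:
            findings.append(f"unexpected ServerDll '{module}' (init {func}, index {idx})")
        if present_dlls is not None and mod not in present_dlls:
            findings.append(f"ServerDll '{module}' has no matching {module}.dll in system32")
    if not value.lower().startswith("%systemroot%\\system32\\csrss.exe"):
        findings.append("value does not start with %SystemRoot%\\system32\\csrss.exe")
    return findings


def read_live_value():
    """Read the value from the running system's hive (Windows only), else None."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems",
    )
    value, _ = winreg.QueryValueEx(key, "Windows")
    return value


if __name__ == "__main__":
    # Simulate "the AV removed the dropped DLL": only the stock modules exist.
    on_disk = {"basesrv", "winsrv", "sxssrv"}
    for label, val in (("stock", STOCK_WIN7_VALUE), ("hijacked", HIJACKED_VALUE)):
        print(label, audit_subsystems_value(val, on_disk) or "OK")
    live = read_live_value()
    if live is not None:
        print("live", audit_subsystems_value(live) or "OK")
```

The script reads the live hive only. From the System Recovery Options command prompt, where this user was working, the offline hive has to be loaded first (`reg load HKLM\offline D:\Windows\System32\config\SYSTEM`, then `reg query "HKLM\offline\ControlSet001\Control\Session Manager\SubSystems" /v Windows`), which is what FRST does for you when it reports `SubSystems: [Windows] ATTENTION!`. Restoring the stock value is the fix; deleting the flagged entry alone is not enough if the attacker also left a directory such as `system64` behind.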

#9 Amlak (Member 1K)
Hey, FYATroll. That's good news indeed. But we're not done yet. Please do the following:

Step 1

Download aswMBR.exe (1.8 MB) to your desktop.
Double-click aswMBR.exe to run it, then click the "Scan" button to start the scan.

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.

Step 2

  • Open Malwarebytes' Anti-Malware.
  • Select the Update tab.
  • Click Check for Updates.
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on the Scan button.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Make sure all items are checked and click on Remove Selected.
  • If asked to restart the computer, please do so immediately.
  • Post the contents of the resultant log in your next reply. You can access the log in the Logs tab.

Step 3

Download OTL to your Desktop
  • Double-click on the OTL icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

    msconfig
    safebootminimal
    safebootnetwork
    activex
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\*.*
    %systemroot%\Tasks\*.job
    
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs


#10 FYATroll (New Member, Topic Starter)
Ok, so here are the aswMBR logs and the OTL logs. Didn't save Malware because it didn't find anything.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-23 14:10:22
-----------------------------
14:10:22.650 OS Version: Windows x64 6.1.7600
14:10:22.650 Number of processors: 4 586 0x2502
14:10:22.650 ComputerName: AR74SB2GKZ UserName: Owner
14:10:25.677 Initialize success
14:10:33.851 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:10:33.851 Disk 0 Vendor: ST31000528AS CC44 Size: 953869MB BusType: 3
14:10:33.867 Disk 0 MBR read successfully
14:10:33.867 Disk 0 MBR scan
14:10:33.867 Disk 0 unknown MBR code
14:10:33.882 Disk 0 Partition 1 00 1B Hidd FAT32 NTFS 8197 MB offset 63
14:10:33.882 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 381551 MB offset 16787925
14:10:33.898 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 564118 MB offset 798205590
14:10:33.913 Disk 0 scanning C:\Windows\system32\drivers
14:10:39.498 Service scanning
14:10:47.517 Modules scanning
14:10:47.517 Disk 0 trace - called modules:
14:10:47.532 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
14:10:47.532 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007cea060]
14:10:48.031 3 CLASSPNP.SYS[fffff880018f743f] -> nt!IofCallDriver -> [0xfffffa8007abc520]
14:10:48.031 5 ACPI.sys[fffff88000e0b781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007aa6060]
14:10:48.031 Scan finished successfully
14:11:08.046 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Desktop\MBR.dat"
14:11:08.046 The log file has been saved successfully to "C:\Users\Owner\Desktop\aswMBR.txt"

Attached Files

  • Attached File  OTL.Txt   109.83KB   300 downloads
  • Attached File  Extras.Txt   80.65KB   282 downloads


#11 Amlak (Member 1K)
Hey, FYATroll.

Please keep in mind that what caused this issue is a backdoor infection. Please read the following carefully:

Note: You have a backdoor infection.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and has been killed for now, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:


How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall



Let me know what you wish to do. If you wish not to do a format and reinstall, please continue reading this post to do the following:

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

#12 FYATroll (New Member, Topic Starter)
And here is the combofix.txt

ComboFix 12-05-25.03 - Owner 05/25/2012 13:36:57.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8119.6784 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\dfinstall.log
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\security\Database\tmp.edb
c:\windows\system32\dds_trash_log.cmd
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\pthreadVC.dll
c:\windows\SysWow64\WanPacket.dll
c:\windows\SysWow64\wpcap.dll
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-25 to 2012-05-25 )))))))))))))))))))))))))))))))
.
.
2012-05-24 05:32 . 2012-05-24 05:32 -------- d-----w- c:\users\Owner\AppData\Roaming\LolClient2
2012-05-22 19:11 . 2012-05-22 19:12 -------- d-----w- C:\FRST
2012-05-21 20:22 . 2012-05-21 20:22 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2012-05-21 20:22 . 2012-05-21 20:22 -------- d-----w- c:\programdata\Malwarebytes
2012-05-21 20:22 . 2012-05-22 04:10 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-21 20:22 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-21 20:14 . 2012-05-21 20:14 -------- d-----w- c:\users\Owner\AppData\Roaming\Avira
2012-05-21 20:10 . 2012-05-02 19:24 27760 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-05-21 20:10 . 2012-04-27 14:20 132832 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-05-21 20:10 . 2012-04-25 04:32 98848 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-21 20:10 . 2012-05-21 20:10 -------- d-----w- c:\programdata\Avira
2012-05-21 20:10 . 2012-05-21 20:10 -------- d-----w- c:\program files (x86)\Avira
2012-05-19 08:18 . 2012-05-19 08:18 -------- d-----w- c:\program files (x86)\Graboid
2012-05-14 22:34 . 2012-05-15 07:37 -------- d-----w- c:\program files (x86)\Diablo III
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-21 03:54 . 2012-04-11 00:15 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-21 03:54 . 2011-06-15 20:57 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-02-07 1242448]
"igndlm.exe"="c:\program files (x86)\Download Manager\DLM.exe" [2009-10-27 1103216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RunAIShell"="c:\program files (x86)\ASUS\AI Manager\AsShellApplication.exe" [2009-08-20 225280]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-12-14 421160]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2011-05-05 273544]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-12-06 343168]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-05-02 348624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-28 136176]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-04-05 158856]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-28 136176]
R3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [x]
R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.0);c:\windows\system32\DRIVERS\RtVlan60.sys [x]
R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-05-02 86224]
S2 Device Handle Service;Device Handle Service;c:\windows\SysWOW64\AsHookDevice.exe [2009-08-20 196608]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2011-03-24 517632]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\DRIVERS\AE1200w764.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-28 01:15]
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-28 01:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}]
2011-12-07 22:28 414720 ----a-w- c:\users\Owner\AppData\Roaming\Media Finder\Extensions\IEPlugin64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-08-18 8067616]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-08 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-08 390168]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-08 408600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
bthpan
enum1394
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Download with &Media Finder - c:\program files (x86)\Media Finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: $talisma_url$
Trusted Zone: case.edu\law
Trusted Zone: freetoolsassociation.com\activegs
Trusted Zone: law.edu\case
Trusted Zone: redstate.com\www
TCP: DhcpNameServer = 192.168.1.1
DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-ATT-SST - c:\program files (x86)\ATT-SST\McciBrowser.exe
Wow6432Node-HKCU-Run-Weather - c:\program files (x86)\AWS\WeatherBug\Weather.exe
Wow6432Node-HKCU-Run-Media Finder - c:\program files (x86)\Media Finder\MF.exe
Toolbar-Locked - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-{8BCAFB73-49AE-4AC4-00A1-70E4EC38BD4E} - c:\program files (x86)\Electronic Arts\The Lord of the Rings
AddRemove-Rise of the Witch King Unofficial Patch 2.02 - c:\program files (x86)\Electronic Arts\The Lord of the Rings
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1610665126-3064120472-4280316559-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1610665126-3064120472-4280316559-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\Motive\McciCMService.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2012-05-25 13:48:31 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-25 17:48
.
Pre-Run: 254,711,283,712 bytes free
Post-Run: 255,402,254,336 bytes free
.
- - End Of File - - CE939C98F8D7DD9C04559C61EC34B00C

#13 Amlak (Member 1K)
Hi, FYATroll. How's your computer going?

Let's do a short OTL fix.

Open OTL and paste in the following:

:OTL
IE - HKU\.DEFAULT\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=RGxdm112YYUS&ptnrS=RGxdm112YYUS&ptb=A_1vf4BJ_Sfrwai_0RGtrA&ind=2012013014&n=77ece1d6&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-18\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=RGxdm112YYUS&ptnrS=RGxdm112YYUS&ptb=A_1vf4BJ_Sfrwai_0RGtrA&ind=2012013014&n=77ece1d6&psa=&st=sb&searchfor={searchTerms}

:COMMANDS
[EMPTYTEMP]

Then click on Run Fix and paste the content of the resultant log (after it restarts).

#14 FYATroll (New Member, Topic Starter)
Here's the log

========== OTL ==========
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56256A51-B582-467e-B8D4-7786EDA79AE0}\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56256A51-B582-467e-B8D4-7786EDA79AE0}\ not found.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.43.1 log created on 05262012_235847

#15 Amlak (Member 1K)
Your Adobe Reader is out of date. It needs to be updated to the latest version as older versions tend to have security holes that malware can exploit. Uninstall the current version of Adobe Reader that you have on your system and download (then install) the latest one from here.

Next, do the following:

Run ESET Online Scan

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Vista / 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

Please go here, then click on: [image]

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the following instructions work with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use, then click on: [image]
  • When prompted allow Add-On/Active X to install.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
