Possible Malware/Spyware infection possibly incompatible with current

  • This topic is locked



New Member
  • Member
  • 6 posts
Hi. I believe that, through my searching for a VSTi plugin for music recording (I'm an avid musician), I may have stumbled upon a malware infection in Firefox. However, unlike most infections, like search engine redirects or a complete takeover, the browser just crashes on start-up. That makes me think that I may actually have a virus that's incompatible with my version of Firefox (16.0), or not designed to run on an x64 version of Windows 7.

My symptoms are generally not that severe, but it makes me curious, and I'd like to know what's causing it. Here are the steps I've taken.

-Reinstalled Firefox
-Ran MSE multiple times
-Process checked with HijackThis
-Removed all Firefox registry entries before reinstall, so it's like it never was installed before.

I'd like your guys' help if that's possible. I'm pretty intuitive when it comes to computer stuff, but this is throwing me. Usually I can find an infected or respawning temp directory, or find a corrupt/unwanted BHO, but I'm not finding anything. Firefox is just crashing non-stop. I'll post a HijackThis or OTL log if you need or want one. I'll also run MBAM to check for anything, but I won't run a fix just yet.





Trusted Helper
  • Malware Removal
  • 7,268 posts
Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I need to get some reports to get a base to start from so I need you to run these programs first.


  • Please download DeFogger to your desktop.
    • Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine; if it does, click OK
Do not re-enable these drivers until otherwise instructed.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-Download DDS-

  • Please download DDS from one of the links below and save it to your desktop:
    Download DDS and save it to your desktop
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

-Information and logs-

In your next post I need the following:
  • both reports from DDS
  • report from Security Check
  • let me know of any problems you may have had





New Member
  • Topic Starter
  • Member
  • 6 posts
Thanks for the help Gringo!

First up, Security Check -

Results of screen317's Security Check version 0.99.53
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Firewall Disabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
JavaFX 2.1.1
Java 7 Update 7
Java version out of Date!
Adobe Flash Player 11.3.300.265 Flash Player out of Date!
Mozilla Firefox (16.0.1)
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

Now, the DDS logs.


DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by Razz at 23:44:13 on 2012-10-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3558.1615 [GMT -7:00]
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Program Files (x86)\Launch Manager\LMutilps32.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe
C:\Dolby PCEE4\pcee4.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Program Files\ComicRack\ComicRack.exe
C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
C:\Program Files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe
C:\Windows\system32\svchost.exe --HiddenServiceDir "C:\Users\Razz\AppData\Roaming\tor\hidden_service" --HiddenServicePort "55080"
C:\Windows\system32\svchost.exe (null)
C:\Windows\system32\svchost.exe ext "C:\Users\Razz\AppData\Roaming\Yfki\ywty.exe"
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\EgisTec IPS\PMMUpdate.exe
C:\Program Files\EgisTec IPS\EgisUpdate.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k defragsvc
============== Pseudo HJT Report ===============
uStart Page = hxxp://acer.msn.com
uDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
mDefault_Page_URL = hxxp://acer.msn.com
uProxyOverride = <local>
mWinlogon: Userinit = userinit.exe
BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\AMD\SteadyVideo\SteadyVideo.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Spotify Web Helper] "C:\Users\Razz\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRun: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
uRun: [Google Update] "C:\Users\Razz\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Akamai NetSession Interface] "C:\Users\Razz\AppData\Local\Akamai\netsession_win.exe"
uRun: [{9336C397-5CBF-5CE4-D9F7-BFBB95A88110}] C:\Users\Razz\AppData\Roaming\Yfki\ywty.exe
mRun: [BackupManagerTray] "C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Dolby Advanced Audio v2] "C:\Dolby PCEE4\pcee4.exe" -autostart
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [ArcadeMovieService] "C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe"
mRun: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
TCP: NameServer =
TCP: Interfaces\{5B284EF4-03CD-4E46-A1ED-C28EB609E65C} : DHCPNameServer =
TCP: Interfaces\{8C4B8EDF-262F-47D3-9A66-0099E1C401C8} : DHCPNameServer =
TCP: Interfaces\{8C4B8EDF-262F-47D3-9A66-0099E1C401C8}\14E64627F69646455647865627 : DHCPNameServer =
TCP: Interfaces\{8C4B8EDF-262F-47D3-9A66-0099E1C401C8}\4556E676F694E6475627E65647E223330363 : DHCPNameServer =
TCP: Interfaces\{8C4B8EDF-262F-47D3-9A66-0099E1C401C8}\4556E676F694E6475627E65647E223431353 : DHCPNameServer =
TCP: Interfaces\{8C4B8EDF-262F-47D3-9A66-0099E1C401C8}\6596277696E6D4F62696C65602D4966496232303030214739302355636572756 : DHCPNameServer =
TCP: Interfaces\{8C4B8EDF-262F-47D3-9A66-0099E1C401C8}\74C41644F435 : DHCPNameServer =
TCP: Interfaces\{8C4B8EDF-262F-47D3-9A66-0099E1C401C8}\C696E6B6379737 : DHCPNameServer =
TCP: Interfaces\{CF925227-409A-486E-A644-E2252D9B9551} : DHCPNameServer =
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg pku2u livessp
x64-mStart Page = hxxp://acer.msn.com
x64-mDefault_Page_URL = hxxp://acer.msn.com
x64-BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg_Dolby] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [Power Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
================= FIREFOX ===================
FF - ProfilePath - C:\Users\Razz\AppData\Roaming\Mozilla\Firefox\Profiles\wrlql4dj.default\
FF - plugin: C:\Users\Razz\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Razz\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
============= SERVICES / DRIVERS ===============
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2012-5-14 79488]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2012-5-14 40064]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-7-24 283200]
R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\System32\drivers\mwlPSDFilter.sys [2012-5-14 22648]
R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\System32\drivers\mwlPSDNserv.sys [2012-5-14 20520]
R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\System32\drivers\mwlPSDVDisk.sys [2012-5-14 62776]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-5-14 204288]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2012-5-14 352336]
R2 ePowerSvc;ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2012-5-14 872552]
R2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2011-5-29 36456]
R2 Live Updater Service;Live Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2011-11-2 255376]
R2 NIHardwareService;NIHardwareService;C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [2011-12-5 5739008]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 128456]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [2011-4-23 256832]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2012-5-14 10207232]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2012-5-14 317952]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-14 114704]
R3 b57xdbd;Broadcom xD Picture Bus Driver Service;C:\Windows\System32\drivers\b57xdbd.sys [2011-1-20 67624]
R3 b57xdmp;Broadcom xD Picture vstorp client drv;C:\Windows\System32\drivers\b57xdmp.sys [2011-1-20 19496]
R3 bScsiMSa;bScsiMSa;C:\Windows\System32\drivers\bScsiMSa.sys [2011-4-12 51240]
R3 bScsiSDa;bScsiSDa;C:\Windows\System32\drivers\bScsiSDa.sys [2011-1-13 85544]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2011-2-14 412712]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);C:\Windows\System32\drivers\tap0901t.sys [2012-9-4 31232]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2012-5-14 53376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-9-10 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-7-23 257224]
S3 EgisTec Ticket Service;EgisTec Ticket Service;C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2011-6-21 173424]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-10-22 115168]
S3 NWUSBCDFIL64;Novatel Wireless Installation CD;C:\Windows\System32\drivers\NwUsbCdFil64.sys [2009-4-7 25600]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\Windows\System32\drivers\nwusbser2.sys [2009-2-23 213376]
S3 StMp3Recx64;Player Recovery Device Control Driver;C:\Windows\System32\drivers\StMp3Recx64.sys [2007-1-12 26112]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 TunngleService;TunngleService;C:\Program Files (x86)\Tunngle\TnglCtrl.exe [2012-9-4 738152]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-7-24 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
=============== Created Last 30 ================
2012-10-23 06:42:59 9291768 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{67A9A93C-8CF4-487E-BD3B-DB8AB96B9DEC}\mpengine.dll
2012-10-22 23:19:09 388096 ----a-r- C:\Users\Razz\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-10-22 23:19:08 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-10-22 12:17:02 -------- d-----w- C:\Users\Razz\AppData\Roaming\cYo
2012-10-22 12:17:02 -------- d-----w- C:\Users\Razz\AppData\Local\cYo
2012-10-22 12:14:08 -------- d-----w- C:\Program Files\ComicRack
2012-10-22 07:57:27 -------- d-----w- C:\Users\Razz\AppData\Roaming\Yfki
2012-10-22 07:57:27 -------- d-----w- C:\Users\Razz\AppData\Roaming\Raav
2012-10-22 07:57:24 -------- d-----w- C:\Users\Razz\AppData\Roaming\tor
2012-10-22 06:00:50 9291768 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-21 09:07:15 -------- d-----w- C:\Users\Razz\AppData\Local\SKIDROW
2012-10-21 09:05:01 -------- d-----w- C:\Program Files (x86)\NAMCO BANDAI Games
2012-10-19 21:50:09 972192 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A4256662-D822-48D6-814F-07A4C76F04FE}\gapaengine.dll
2012-10-19 17:47:11 -------- d-----w- C:\Users\Razz\AppData\Roaming\Ubisoft
2012-10-19 09:12:51 -------- d-----w- C:\Users\Razz\AppData\Local\Newshosting
2012-10-19 09:12:50 -------- d-----w- C:\Users\Razz\AppData\Local\CrashRpt
2012-10-19 09:12:45 -------- d-----w- C:\ProgramData\Caphyon
2012-10-19 09:04:25 -------- d-----w- C:\Users\Razz\AppData\Roaming\Newshosting
2012-10-17 09:26:24 -------- d-----w- C:\Program Files (x86)\The Walking Dead
2012-10-13 05:29:22 -------- d-----w- C:\Users\Razz\AppData\Local\FFsplit
2012-10-13 05:26:09 -------- d-----w- C:\Program Files (x86)\FFsplit
2012-10-13 05:20:30 -------- d-----w- C:\Users\Razz\AppData\Local\SplitMediaLabs
2012-10-13 05:18:10 -------- d-----w- C:\ProgramData\SplitMediaLabs
2012-10-13 05:18:10 -------- d-----w- C:\Program Files (x86)\SplitMediaLabs
2012-10-13 05:17:09 -------- d-----w- C:\Users\Razz\AppData\Roaming\SplitMediaLabs
2012-10-13 03:22:13 -------- d-----w- C:\ProgramData\RELOADED
2012-10-13 02:53:01 -------- d-----w- C:\Program Files (x86)\Bethesda Softworks
2012-10-11 19:08:07 -------- d-----w- C:\Users\Razz\AppData\Local\sabnzbd
2012-10-11 19:04:58 -------- d-----w- C:\Program Files (x86)\SABnzbd
2012-10-11 03:50:36 -------- d-----w- C:\Program Files (x86)\StarCraft
2012-10-10 07:18:39 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-10-10 07:18:39 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2012-10-10 07:18:39 1159680 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-10-10 07:18:38 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-10-10 07:18:38 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-10-10 07:18:38 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-10-10 07:18:26 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-10-06 07:19:29 -------- d-----w- C:\ProgramData\.mono
2012-10-06 07:19:25 -------- d-----w- C:\Users\Razz\AppData\Roaming\.mono
2012-10-06 07:17:31 -------- d-----w- C:\Users\Razz\AppData\Roaming\Pokémon Trading Card Game Online
2012-10-06 02:43:56 -------- d-----w- C:\Users\Razz\AppData\Roaming\Rovio
2012-10-06 02:42:31 -------- d-----w- C:\Program Files (x86)\Rovio
2012-10-02 10:12:26 972192 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-09-28 09:54:15 -------- d-----w- C:\Users\Razz\AppData\Roaming\Mimo
2012-09-27 04:34:39 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-26 02:18:27 -------- d-----w- C:\Users\Razz\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-09-26 02:18:19 -------- d-----w- C:\Program Files (x86)\Adobe Download Assistant
2012-09-25 20:17:17 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
2012-09-24 23:57:59 -------- d-----w- C:\Users\Razz\AppData\Local\{BC40CE9E-F6BF-4EF9-A302-EE507A12B382}
2012-09-24 23:57:59 -------- d-----w- C:\Users\Razz\AppData\Local\{30D22333-912B-4403-9832-DDDAE205962B}
==================== Find3M ====================
2012-10-07 05:22:11 16 ----a-w- C:\Users\Razz\AppData\Roaming\msregsvv.dll
2012-09-27 04:34:28 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-09-27 04:34:28 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-09-21 21:03:49 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-21 21:03:49 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-09-08 10:22:19 1700352 ----a-w- C:\Windows\SysWow64\gdiplus.dll
2012-08-31 05:03:48 228768 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2012-08-31 05:03:48 128456 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll
2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-08-23 03:58:44 112640 ----a-w- C:\Windows\SysWow64\ff_vfw.dll
2012-08-23 03:56:40 47616 ----a-w- C:\Windows\SysWow64\ff_acm.acm
2012-08-22 18:12:50 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-08-20 18:48:43 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-08-20 18:48:35 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2012-08-20 18:46:22 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-08-20 17:37:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-08-20 15:38:21 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-08-20 15:38:20 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-08-20 15:33:28 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-08-11 00:56:03 715776 ----a-w- C:\Windows\System32\kerberos.dll
2012-08-10 23:56:14 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll
2012-08-02 17:58:52 574464 ----a-w- C:\Windows\System32\d3d10level9.dll
2012-08-02 16:57:20 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2012-07-25 22:51:44 42440 ----a-w- C:\Windows\SysWow64\xfcodec.dll
2012-07-25 22:51:44 28104 ----a-w- C:\Windows\System32\xfcodec64.dll
============= FINISH: 23:44:42.67 ===============



DDS (Ver_2012-10-19.01)
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 7/23/2012 8:30:19 PM
System Uptime: 10/22/2012 8:45:14 PM (3 hours ago)
Motherboard: Acer | | Aspire 5560
Processor: AMD A6-3420M APU with Radeon™ HD Graphics | Socket FS1 | 1500/100mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 450 GiB total, 190.481 GiB free.
D: is CDROM ()
F: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP85: 10/22/2012 4:18:42 PM - Installed HiJackThis
==== Installed Programs ======================
7-Zip 9.20 (x64 edition)
Acer Backup Manager
Acer Crystal Eye Webcam
Acer ePower Management
Acer eRecovery Management
Acer Games
Acer Registration
Acer ScreenSaver
Acer Updater
Adobe AIR
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Agatha Christie - Death on the Nile
Akamai NetSession Interface
AMD Catalyst Install Manager
AMD Media Foundation Decoders
AMD Steady Video Plug-In
AMD VISION Engine Control Center
Amnesia - The Dark Descent
AmpliTube 3 version 3.8.0
Apple Application Support
Apple Software Update
Assassin's Creed
Assassin's Creed II
Backup Manager V3
Bad Piggies
Bejeweled 2 Deluxe
Broadcom Card Reader Driver Installer
Broadcom Gigabit NetLink Controller
Build-a-lot 4 - Power Source
Castle Crashers
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chronicles of Albian
Chuzzle Deluxe
clear.fi Client
ComicRack v0.9.156
Cradle of Rome 2
DAEMON Tools Lite
Dolby Advanced Audio v2
Dora's World Adventure
Dual-Core Optimizer
DVD Flick
Evernote v. 4.5.1
FATE: The Cursed King
ffdshow v1.2.4486 [2012-08-25]
FFsplit version Alpha
Final Drive: Nitro
FL Studio 10
Galerie de photos Windows Live
Google Chrome
Google Talk Plugin
Governor of Poker 2 Premium Edition
Guitar Pro 5.2
Guitar Pro 6
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
I Am Alive
Identity Card
IK Multimedia Authorization Manager version 1.0.5
IL Download Manager
Java 7 Update 7
Java Auto Updater
JavaFX 2.1.1
Jewel Match 3
Junk Mail filter update
Launch Manager
League of Legends
Lexicon Alpha Driver
Media Go
Media Go Video Playback Engine
Media Manager for WALKMAN 1.2
Mesh Runtime
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mobile Broadband Generic Drivers
Mozilla Firefox 16.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT Redists
Mystery of Mortlake Mansion
MyWinLocker 4
MyWinLocker Suite
Native Instruments Controller Editor
Native Instruments Guitar Rig 5
Native Instruments Service Center
NTI Media Maker 9
Pando Media Booster
Plants vs. Zombies - Game of the Year
Pokémon Trading Card Game Online
Polar Bowler
Polar Golfer
Rayman Origins
Realtek High Definition Audio Driver
REAPER (x64)
Resident Evil: Operation Raccoon City
Ridge Racer Unbounded
RocketDock 1.3.5
SABnzbd 0.7.4
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Skype™ 5.11
StarCraft II
Super Meat Boy
Super Street Fighter IV: Arcade Edition
Synaptics Pointing Device Driver
System Requirements Lab CYRI
Team Fortress 2
The Binding of Isaac
The KMPlayer (remove only)
The Walking Dead © 3 version 1
Tunngle beta
Ubisoft Game Launcher
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update Installer for WildTangent Games App
Vegas Pro 11.0
Virtual Villagers 5 - New Believers
VLC media player 2.0.3
Welcome Center
WildTangent Games App (Acer Games)
Windows Live
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
Xfire (remove only)
Zuma's Revenge
==== Event Viewer Messages From Past Week ========
10/22/2012 3:50:52 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
10/22/2012 1:56:57 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147629622 Name: Worm:Win32/Rebhip.A ID: 2147629622 Severity: Severe Category: Worm Path: containerfile:_C:\Users\Razz\Downloads\htd-re4.iso;file:_C:\Users\Razz\AppData\Roaming\Microsoft\Windows\Recent\htd-re4.iso.lnk;file:_C:\Users\Razz\Downloads\htd-re4.iso->install.exe->(WExtract)->1.exe;file:_C:\Users\Razz\Downloads\htd-re4.iso->launcher.exe->(WExtract)->1.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: HomosaurusRex\Razz Process Name: Unknown Action: Remove Action Status: No additional actions required Error Code: 0x800700df Error description: The file size exceeds the limit allowed and cannot be saved. Signature Version: AV:, AS:, NIS: Engine Version: AM: 1.1.8904.0, NIS: 2.1.8600.0
10/20/2012 8:53:17 PM, Error: Tcpip [4199] - The system detected an address conflict for IP address with the system having network hardware address 00-0A-E4-40-85-6D. Network operations on this system may be disrupted as a result.
10/15/2012 11:02:26 AM, Error: Tcpip [4199] - The system detected an address conflict for IP address with the system having network hardware address D8-6B-F7-C3-84-FC. Network operations on this system may be disrupted as a result.
==== End Of File ===========================

Just a quick note -
That "worm" alert from MSE was a false positive from something else I was installing off a disc copy I had made the day prior. And the conflicting network address is from my router resetting while other users and I were connected. My IPA that was assigned to my computer was given to someone else before my computer requested a new one.
  • 0



    Trusted Helper

  • Malware Removal
  • 7,268 posts

These are the programs I would like you to run next; if you have any problems with one of them, just skip it and run the next one.


  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

  • 0



    Trusted Helper

  • Malware Removal
  • 7,268 posts

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will then ask you to remove our tools.

  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Sorry. Been busy with work, I'll post the logs in a moment, going to run the utilities now.
  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
# AdwCleaner v2.005 - Logfile created 10/25/2012 at 22:56:20
# Updated 14/10/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# Boot Mode : Normal
# Running from : C:\Users\Razz\Downloads\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\Users\Razz\AppData\Local\Software

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.1 (en-US)

Profile name : default
File : C:\Users\Razz\AppData\Roaming\Mozilla\Firefox\Profiles\wrlql4dj.default\prefs.js

C:\Users\Razz\AppData\Roaming\Mozilla\Firefox\Profiles\wrlql4dj.default\user.js ... Deleted !

[OK] File is clean.

-\\ Google Chrome v22.0.1229.94

File : C:\Users\Razz\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.


AdwCleaner[S1].txt - [1542 octets] - [25/10/2012 22:56:20]

########## EOF - C:\AdwCleaner[S1].txt - [1602 octets] ##########

RogueKiller V8.2.0 [10/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Razz [Admin rights]
Mode : Remove -- Date : 10/25/2012 23:00:22

¤¤¤ Bad processes : 3 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : {9336C397-5CBF-5CE4-D9F7-BFBB95A88110} (C:\Users\Razz\AppData\Roaming\Yfki\ywty.exe) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK5059GSXP SATA Disk Device +++++
--- User ---
[MBR] 83fdc831d3c9a14f1071710967bf3191
[BSP] 0b84e17d70472873924ebec7a5885277 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 16500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 33794048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 33998848 | Size: 460338 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Edited by NickRazzie, 26 October 2012 - 12:02 AM.

  • 0
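A small triage helper for the RogueKiller report format shown above, added here as an example and not part of this thread or of RogueKiller itself: it parses the `[TAGS] key : name (data) -> action` registry lines and flags Run-key entries whose executable lives under a user's AppData folder, as the `Yfki\ywty.exe` entry in the log does. The sample report is constructed from lines in this post plus one benign `MSC` entry that is assumed, not taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the RogueKiller report in this thread;
# the final MSC line is an added benign entry, not from the thread.
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : {9336C397-5CBF-5CE4-D9F7-BFBB95A88110} (C:\Users\Razz\AppData\Roaming\Yfki\ywty.exe) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[RUN] HKLM\[...]\Run : MSC (C:\Program Files\Microsoft Security Client\msseces.exe) -> FOUND
"""

# One registry line: [TAG][TAG] key : name (data) -> action
ENTRY_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+)\s+(?P<key>\S+)\s+:\s+(?P<name>\S+)\s+"
    r"\((?P<data>[^)]*)\)\s+->\s+(?P<action>.+?)\s*$"
)

@dataclass
class RegistryEntry:
    tags: List[str]   # e.g. ["RUN", "SUSP PATH"]
    key: str          # hive plus abbreviated key path
    name: str         # value name; a GUID is typical for malware autoruns
    data: str         # a path for Run entries, a flag value otherwise
    action: str       # FOUND, DELETED, REPLACED (0), ...

def parse_entries(report: str) -> List[RegistryEntry]:
    # Only registry-entry lines match; process, MBR and hosts lines are skipped.
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            tags = re.findall(r"\[([^\]]+)\]", m.group("tags"))
            entries.append(RegistryEntry(tags, m.group("key"), m.group("name"),
                                         m.group("data"), m.group("action")))
    return entries

def is_user_writable_autorun(entry: RegistryEntry) -> bool:
    # Legitimate autoruns normally point into Program Files or Windows; a Run
    # value launching an .exe from a user's AppData tree is the low-privilege
    # persistence pattern seen in this thread's log.
    data = entry.data.lower()
    return "RUN" in entry.tags and "\\appdata\\" in data and data.endswith(".exe")

def suspicious_autoruns(report: str) -> List[RegistryEntry]:
    return [e for e in parse_entries(report) if is_user_writable_autorun(e)]

if __name__ == "__main__":
    for e in suspicious_autoruns(SAMPLE_REPORT):
        print(f"{e.key} {e.name} -> {e.data} [{e.action}]")
```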



    Trusted Helper

  • Malware Removal
  • 7,268 posts

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I tested Firefox and it seems to be running fine. Is the combofix step necessary?
  • 0



    Trusted Helper

  • Malware Removal
  • 7,268 posts
I think it would be a good idea, just to make sure it comes back clean.

  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Okay then. Will run it before work and post the results in the morning, thanks!
  • 0




    Trusted Helper

  • Malware Removal
  • 7,268 posts

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will then ask you to remove our tools.

  • 0



    Trusted Helper

  • Malware Removal
  • 7,268 posts

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

  • 0



    Trusted Helper

  • Malware Removal
  • 7,268 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
