
Malware is blank white screen with audio playing that is unintelligibl


#31 JSntgRvr (Global Moderator, 10,958 posts)
Especially if they are hidden (rootkits).

  • Download RogueKiller (by tigzy) on the desktop
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan. Once finished, click on Report

Please post the contents of the RKreport.txt in your next Reply.

#32 jtroop (Member, Topic Starter, 70 posts)
I ran the same OTL that you had me do yesterday because I think I forgot to turn off MSE when I ran it. It is showing an infected file this time. I'll be doing the RogueKiller next.



ComboFix 13-06-07.03 - dianne 06/07/2013 21:44:28.4.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.1243 [GMT -4:00]
Running from: c:\users\dianne\Desktop\MyPoppy.exe
Command switches used :: c:\users\dianne\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll"
"c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
"c:\users\All Users\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll"
"c:\users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\netlogon.dll . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2013-05-08 to 2013-06-08 )))))))))))))))))))))))))))))))
.
.
2013-06-08 18:26 . 2013-06-08 18:26 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-06-08 18:26 . 2013-06-08 18:26 -------- d-----w- c:\users\RA Media Server\AppData\Local\temp
2013-06-08 18:26 . 2013-06-08 18:26 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-06-08 18:26 . 2013-06-08 18:26 -------- d-----w- c:\users\Dianeslife\AppData\Local\temp
2013-06-08 18:26 . 2013-06-08 18:26 -------- d-----w- c:\users\Dianeslife.dianne-PC\AppData\Local\temp
2013-06-08 18:26 . 2013-06-08 18:26 -------- d-----w- c:\users\Dianeslife.dianne-PC.000\AppData\Local\temp
2013-06-08 18:26 . 2013-06-08 18:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-08 01:04 . 2013-06-08 01:04 -------- d-----w- C:\_OTL
2013-06-07 22:23 . 2013-06-07 22:23 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4A993FE5-58CD-40DE-AD60-1C49E3DA7F20}\offreg.dll
2013-06-07 21:37 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4A993FE5-58CD-40DE-AD60-1C49E3DA7F20}\mpengine.dll
2013-06-07 16:14 . 2013-06-07 19:26 -------- d-----w- C:\MyPoppy
2013-06-06 21:53 . 2013-06-06 21:53 -------- d-----w- c:\program files (x86)\ESET
2013-06-06 21:24 . 2013-06-06 21:24 -------- d-----w- c:\users\Dianeslife.dianne-PC.000\AppData\Roaming\AVG2013
2013-06-06 21:24 . 2013-06-06 21:26 -------- d-----w- c:\users\Dianeslife.dianne-PC.000\AppData\Local\Avg2013
2013-06-05 22:48 . 2013-06-05 22:48 -------- d-----w- c:\users\dianne\AppData\Roaming\AVG2013
2013-06-05 22:46 . 2013-06-05 22:46 -------- d-----w- c:\program files (x86)\AVG Secure Search
2013-06-05 22:43 . 2013-06-07 01:09 -------- d-----w- C:\$AVG
2013-06-05 22:43 . 2013-06-07 01:10 -------- d-----w- c:\programdata\AVG2013
2013-06-05 22:38 . 2013-06-05 23:16 -------- d-----w- c:\users\dianne\AppData\Local\Avg2013
2013-06-05 22:23 . 2013-06-05 22:23 -------- d-----w- c:\users\dianne\AppData\Local\AVG Secure Search
2013-06-05 22:09 . 2013-06-05 22:09 -------- d-----w- c:\program files (x86)\Roblox
2013-05-31 15:36 . 2013-05-31 15:36 -------- d-----w- c:\windows\Sun
2013-05-27 08:20 . 2013-06-07 20:08 -------- d-----w- c:\users\dianne\AppData\Local\Tuguu SL
2013-05-25 07:31 . 2013-05-25 07:32 -------- d-----w- c:\program files (x86)\Iminent
2013-05-25 07:28 . 2013-05-25 07:28 -------- d-----w- c:\program files\Uninstaller
2013-05-25 07:24 . 2013-06-07 20:09 -------- d-----w- c:\program files (x86)\Vafmusic2
2013-05-25 07:23 . 2013-05-25 07:23 -------- d-----w- c:\users\dianne\AppData\Roaming\Uniblue
2013-05-25 07:23 . 2013-05-25 07:23 -------- d-----w- c:\program files (x86)\Uniblue
2013-05-25 07:22 . 2013-06-07 00:36 -------- d-----w- c:\program files (x86)\SingAlong
2013-05-25 07:22 . 2013-05-25 07:22 -------- d-----w- c:\users\dianne\AppData\Local\DownloadTerms
2013-05-23 08:34 . 2013-05-25 07:26 -------- d-----w- c:\users\dianne\AppData\Local\Systweak
2013-05-23 02:46 . 2013-05-23 02:46 -------- d-----w- c:\users\dianne\AppData\Local\IAC
2013-05-15 06:31 . 2013-06-07 20:10 -------- d-----w- c:\users\dianne\AppData\Roaming\ShopAtHome
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-05 22:17 . 2013-03-11 17:12 45856 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2013-05-05 22:05 . 2013-05-05 22:06 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-05-05 22:05 . 2013-05-05 22:06 866720 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-05-05 22:05 . 2010-12-16 00:16 788896 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-05-05 21:36 . 2013-05-01 17:35 17818624 ----a-w- c:\windows\system32\mshtml.dll
2013-05-05 21:16 . 2013-05-01 17:35 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-05 20:16 . 2013-05-05 20:16 4700 ----a-w- c:\windows\DeleteOnReboot.bat
2013-05-05 19:12 . 2013-05-01 17:35 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2013-05-02 15:29 . 2011-10-28 15:44 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-05-01 17:43 . 2006-11-02 12:35 75016696 ----a-w- c:\windows\system32\mrt.exe
2013-04-30 22:45 . 2012-11-30 05:50 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-30 22:45 . 2011-10-18 17:07 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-16 20:38 . 2013-04-16 20:38 49872 ----a-w- c:\windows\system32\drivers\circbogd.sys
2013-04-15 14:17 . 2013-04-30 22:14 901496 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-13 03:34 . 2013-04-30 22:14 47104 ----a-w- c:\windows\system32\cdd.dll
2013-04-09 01:55 . 2013-04-30 22:14 2774016 ----a-w- c:\windows\system32\win32k.sys
2013-04-05 01:19 . 2013-05-01 17:47 10926080 ----a-w- c:\windows\system32\ieframe.dll
2013-04-05 01:08 . 2013-05-01 17:47 2312704 ----a-w- c:\windows\system32\jscript9.dll
2013-04-05 01:01 . 2013-05-01 17:47 1346560 ----a-w- c:\windows\system32\urlmon.dll
2013-04-05 01:00 . 2013-05-01 17:47 1392128 ----a-w- c:\windows\system32\wininet.dll
2013-04-05 00:59 . 2013-05-01 17:47 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-05 00:58 . 2013-05-01 17:47 237056 ----a-w- c:\windows\system32\url.dll
2013-04-05 00:57 . 2013-05-01 17:47 85504 ----a-w- c:\windows\system32\jsproxy.dll
2013-04-05 00:56 . 2013-05-01 17:47 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2013-04-05 00:55 . 2013-05-01 17:47 816640 ----a-w- c:\windows\system32\jscript.dll
2013-04-05 00:55 . 2013-05-01 17:47 599040 ----a-w- c:\windows\system32\vbscript.dll
2013-04-05 00:54 . 2013-05-01 17:47 729088 ----a-w- c:\windows\system32\msfeeds.dll
2013-04-05 00:54 . 2013-05-01 17:47 2147840 ----a-w- c:\windows\system32\iertutil.dll
2013-04-05 00:51 . 2013-05-01 17:47 96768 ----a-w- c:\windows\system32\mshtmled.dll
2013-04-05 00:46 . 2013-05-01 17:47 248320 ----a-w- c:\windows\system32\ieui.dll
2013-04-04 22:11 . 2013-05-01 17:47 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2013-04-04 22:02 . 2013-05-01 17:47 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-04-04 22:02 . 2013-05-01 17:47 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2013-04-04 21:58 . 2013-05-01 17:47 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-04-04 21:57 . 2013-05-01 17:47 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-04-04 18:50 . 2013-05-05 20:33 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-11 13:33 . 2013-04-10 00:28 4691304 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn3\yt.dll" [2013-05-01 1500952]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{1AD61D5B-58A3-4592-9B34-DC84688FF805}]
2010-09-28 22:13 107328 ----a-w- c:\program files (x86)\PDF Suite 2010\PDFIEHelper.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-06-05 22:46 1991344 ----a-w- c:\program files (x86)\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll" [2013-06-05 1991344]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-05-03 5622512]
"Driver Pro"="c:\program files (x86)\Driver Pro\DPLauncher.exe" [2012-10-30 340512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2013-06-05 1226928]
.
c:\users\Dianeslife.dianne-PC.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSr64.exe;c:\windows\SYSNATIVE\AERTSr64.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGTP
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-30 22:45]
.
2013-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 02:02]
.
2013-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 02:02]
.
2013-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1424625615-964005803-1290662544-1000Core.job
- c:\users\dianne\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-17 16:22]
.
2013-06-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1424625615-964005803-1290662544-1000UA.job
- c:\users\dianne\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-17 16:22]
.
2013-06-08 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files (x86)\Realtek\RTNICDiag\RTNICDiag.exe [2009-08-12 11:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 182784]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://xfinity.comcast.net/?cid=insDate11132012
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\15.2.0\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2013-06-08 14:31:33
ComboFix-quarantined-files.txt 2013-06-08 18:31
ComboFix2.txt 2013-06-07 19:26
ComboFix3.txt 2013-06-06 02:51
.
Pre-Run: 570,264,158,208 bytes free
Post-Run: 570,176,864,256 bytes free
.
- - End Of File - - 966584254255032643A9F6F5F23DF18D
#33 jtroop (Member, Topic Starter, 70 posts)
Here is the RogueKiller report; the ads are still running.

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : dianne [Admin rights]
Mode : Scan -- Date : 06/08/2013 14:40:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[TASK][SUSP PATH] Updater19962.exe : C:\Users\dianne\AppData\Local\Updater19962\Updater19962.exe /extensionid=19962 /extensionname="Supreme Savings" /chromeid=ihkeoookbpemkdccdccdmacnidhooohk [x] -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3750528AS ATA Device +++++
--- User ---
[MBR] 9470dcb923b63ce257492ffbc056bd4b
[BSP] 5114e3fd9951cb2acb33983720a9f917 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31569920 | Size: 699988 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 442d87d39801ad1ec8b5d22afaaa20e1
[BSP] 1568ce5951cbde12db3fde761c3636b2 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31569920 | Size: 699988 Mo

Finished : << RKreport[1]_S_06082013_02d1440.txt >>
RKreport[1]_S_06082013_02d1440.txt

Edited by jtroop, 08 June 2013 - 01:05 PM.

#34 JSntgRvr (Global Moderator, 10,958 posts)
Run OTL as follows:
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start.
  • Under the Custom Scan box paste this in



    /md5start
    netlogon.dll
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
  • Please post the contents of the OTL.txt file and attach the Extras.Txt, if any, in your next reply.

#35 jtroop (Member, Topic Starter, 70 posts)
When I went to the desktop to run OTL, I noticed there are 6 RK reports. Are you aware of this? Running OTL now.

#36 jtroop (Member, Topic Starter, 70 posts)

Run OTL as follows:

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start.
  • Under the Custom Scan box paste this in



    /md5start
    netlogon.dll
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
  • Please post the contents of the OTL.txt file and attach the Extras.Txt, if any, in your next reply.


OTL report:

OTL logfile created on: 6/8/2013 3:44:58 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\dianne\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.97 Gb Total Physical Memory | 0.11 Gb Available Physical Memory | 2.80% Memory free
8.13 Gb Paging File | 1.75 Gb Available in Paging File | 21.53% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 683.58 Gb Total Space | 530.23 Gb Free Space | 77.57% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 0.02 Gb Free Space | 0.12% Space Free | Partition Type: NTFS
Drive E: | 48.38 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: DIANNE-PC | User Name: dianne | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/06/05 18:46:33 | 001,226,928 | ---- | M] (AVG Secure Search) -- C:\Program Files (x86)\AVG Secure Search\vprot.exe
PRC - [2013/06/05 18:17:00 | 001,015,984 | ---- | M] (AVG Secure Search) -- C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
PRC - [2013/05/04 18:45:55 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\dianne\Desktop\OTL.exe
PRC - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/11/22 11:29:16 | 003,290,304 | ---- | M] (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2010/09/28 18:13:24 | 000,791,360 | ---- | M] (Interactive Brands Inc.) -- C:\Program Files (x86)\PDF Suite 2010\ConversionService.exe
PRC - [2009/05/21 08:59:14 | 001,025,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\Dell Support Center\gs_agent\dsc.exe
PRC - [2009/05/21 08:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
PRC - [2009/05/21 08:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/04/13 09:48:12 | 000,828,656 | ---- | M] (Dell Inc.) -- c:\Program Files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
PRC - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2007/09/14 14:35:04 | 005,730,304 | ---- | M] () -- C:\Program Files (x86)\Common Files\Dell\MySQL\bin\mysqld.exe


========== Modules (No Company Name) ==========

MOD - [2013/06/05 18:17:03 | 000,158,384 | ---- | M] () -- C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\15.2.0\SiteSafety.dll
MOD - [2013/05/29 01:27:38 | 000,393,168 | ---- | M] () -- C:\Users\dianne\AppData\Local\Google\Chrome\Application\27.0.1453.110\ppgooglenaclpluginchrome.dll
MOD - [2013/05/29 01:27:35 | 004,051,408 | ---- | M] () -- C:\Users\dianne\AppData\Local\Google\Chrome\Application\27.0.1453.110\pdf.dll
MOD - [2013/05/29 01:26:36 | 001,597,392 | ---- | M] () -- C:\Users\dianne\AppData\Local\Google\Chrome\Application\27.0.1453.110\ffmpegsumo.dll
MOD - [2013/01/09 04:31:11 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b757806657fa5db2b1ed1a89b026b463\System.Xml.ni.dll
MOD - [2013/01/09 04:30:09 | 007,977,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\cc149d08e75f8c53cd28ac926b38c370\System.ni.dll
MOD - [2013/01/09 04:30:05 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\2227d1559f87943255069398608d5c56\mscorlib.ni.dll


========== Services (SafeList) ==========

SRV:64bit: - [2012/07/11 14:54:58 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore64.exe -- (!SASCORE)
SRV:64bit: - [2011/04/27 16:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2011/04/27 16:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/09 19:48:34 | 001,044,648 | ---- | M] ( ) [Disabled | Stopped] -- C:\Windows\SysNative\dldtcoms.exe -- (dldt_device)
SRV:64bit: - [2009/07/09 19:48:28 | 000,033,448 | ---- | M] () [Disabled | Stopped] -- C:\Windows\SysNative\spool\DRIVERS\x64\3\\dldtserv.exe -- (dldtCATSCustConnectService)
SRV:64bit: - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV:64bit: - [2008/07/18 08:42:16 | 000,086,016 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\AERTSr64.exe -- (AERTFilters)
SRV:64bit: - [2008/01/20 22:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2013/06/05 18:17:00 | 001,015,984 | ---- | M] (AVG Secure Search) [Auto | Running] -- C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe -- (vToolbarUpdater15.2.0)
SRV - [2013/04/30 18:45:18 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/11/22 11:29:16 | 003,290,304 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2012/07/13 14:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2010/09/28 18:13:24 | 000,791,360 | ---- | M] (Interactive Brands Inc.) [Auto | Running] -- C:\Program Files (x86)\PDF Suite 2010\ConversionService.exe -- (PDF Suite 2010 Service)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/24 16:42:56 | 000,386,424 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
SRV - [2009/08/11 23:25:12 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/07/09 19:48:28 | 000,033,448 | ---- | M] () [Disabled | Stopped] -- C:\Windows\system32\spool\DRIVERS\x64\3\\dldtserv.exe -- (dldtCATSCustConnectService)
SRV - [2009/05/21 08:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter)
SRV - [2009/04/17 10:17:02 | 000,636,144 | ---- | M] (SoftThinks) [Disabled | Stopped] -- C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe -- (SftService)
SRV - [2009/04/13 09:48:12 | 000,828,656 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe -- (hnmsvc)
SRV - [2009/04/13 09:48:10 | 000,189,680 | ---- | M] (SingleClick Systems) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Dell\Remote Access File Sync Service\dsl_fs_sync.exe -- (dsl-fs-sync)
SRV - [2009/03/30 00:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/11/03 19:15:32 | 000,242,424 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/02/25 12:38:12 | 000,595,184 | ---- | M] ( ) [Disabled | Stopped] -- C:\Windows\SysWOW64\dldtcoms.exe -- (dldt_device)
SRV - [2007/09/21 14:26:34 | 000,015,872 | ---- | M] (Apache Software Foundation) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Dell\apache\bin\httpd.exe -- (Apache2.2)
SRV - [2007/09/14 14:35:04 | 005,730,304 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Common Files\Dell\MySQL\bin\mysqld.exe -- (dsl-db)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2013/06/05 18:17:03 | 000,045,856 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtpx64.sys -- (avgtp)
DRV:64bit: - [2013/04/04 14:50:32 | 000,025,928 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012/02/29 09:52:46 | 000,016,384 | ---- | M] (Microsoft Corporation) [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/07/22 12:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2011/07/12 17:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2011/04/27 14:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2010/09/22 23:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2010/08/25 19:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/09/30 20:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2009/02/23 05:47:04 | 000,126,464 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV:64bit: - [2008/07/21 07:18:30 | 000,026,624 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\RtNdPt60.sys -- (RtNdPt60)
DRV:64bit: - [2008/07/15 08:14:10 | 000,395,288 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\iastor.sys -- (iaStor)
DRV:64bit: - [2008/07/10 07:28:50 | 000,170,496 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2008/06/18 17:48:54 | 000,029,184 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\packet.sys -- (Packet)
DRV:64bit: - [2008/01/20 22:46:55 | 000,317,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys -- (e1express)
DRV:64bit: - [2007/11/14 03:00:00 | 000,053,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2007/04/03 10:30:14 | 001,418,112 | ---- | M] (Philips Semiconductors GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\Ph3xIB64.sys -- (Ph3xIB64)
DRV:64bit: - [2006/11/02 03:48:50 | 002,488,320 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\atikmdag.sys -- (R300)
DRV - [2008/06/17 12:01:06 | 000,022,016 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\Windows\SysWOW64\drivers\packet.sys -- (Packet)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{acbd5593-e5ee-4c15-b48f-1823ce819dec}: "URL" = http://search.mywebs...r={searchTerms}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://xfinity.comca...insDate11132012
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: - No CLSID value found
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {E65EABE4-E694-4222-8333-E9ABBE5AB189}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{180780f0-b348-4b44-8210-94a8f3ee15b2}: "URL" = http://search.comcas...q={searchTerms}
IE - HKCU\..\SearchScopes\{1DC242E9-1AB7-4413-8EE9-8A0005BCEC7C}: "URL" = http://search.avg.co...}&iy=b&ychte=us
IE - HKCU\..\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}: "URL" = http://search.alot.c...n=2.5.15000.521
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...1I7ADFA_enUS361
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.c...sa&d=2013-06-05 18:46:55&v=15.2.0.5&pid=avg&sg=&sap=dsp&q={searchTerms}
IE - HKCU\..\SearchScopes\{acbd5593-e5ee-4c15-b48f-1823ce819dec}: "URL" = http://search.mywebs...r={searchTerms}
IE - HKCU\..\SearchScopes\{B2CF385E-4E62-4BDA-A734-DBE9B5C2EB30}: "URL" = http://search.condui...q={searchTerms}
IE - HKCU\..\SearchScopes\{C34CE811-7235-4423-B317-2940DF564B8E}: "URL" = http://ws.infospace....r?_iceUrl=true user_id=%userid&tool_id=60231&qkw={searchTerms}
IE - HKCU\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo....p={searchTerms}
IE - HKCU\..\SearchScopes\{E65EABE4-E694-4222-8333-E9ABBE5AB189}: "URL" = http://search.condui...3829527319&UM=2
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\15.2.0\\npsitesafety.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\npEpicPlayDisplayHost: C:\Program Files (x86)\EpicPlay\npEpicHost.dll ( )
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\dianne\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\dianne\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)

64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}: C:\PROGRAM FILES\UPDATER BY SWEETPACKS\FIREFOX

[2011/02/27 23:36:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\dianne\AppData\Roaming\Mozilla\Extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\dianne\AppData\Local\Google\Chrome\Application\27.0.1453.110\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\dianne\AppData\Local\Google\Chrome\Application\27.0.1453.110\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\dianne\AppData\Local\Google\Chrome\Application\27.0.1453.110\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: EpicPlay NPAPI Display Host (Enabled) = C:\Program Files (x86)\EpicPlay\npEpicHost.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
CHR - plugin: MindSpark Toolbar Platform Plugin Stub (Enabled) = C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\NP5mStub.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Roblox Launcher Plugin (Enabled) = C:\Users\dianne\AppData\Local\Roblox\Versions\version-09a201d8e5f247c7\\NPRobloxProxy.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: Skype Click to Call = C:\Users\dianne\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\6.4.0.11328_0\
CHR - Extension: Skype Click to Call = C:\Users\dianne\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\6.4.0.11328_0\

O1 - HOSTS file present but inaccessible!
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (PDF Suite Helper) - {1AD61D5B-58A3-4592-9B34-DC84688FF805} - C:\Program Files (x86)\PDF Suite 2010\PDFIEHelper.dll (Interactive Brands Inc.)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll (AVG Secure Search)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (PDF Suite Toolbar) - {261F6A8B-7AAF-4BF5-8552-6610F4D67819} - C:\Program Files (x86)\PDF Suite 2010\PDFIEPlugin.dll (Interactive Brands Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll (AVG Secure Search)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [WPCUMI] C:\Windows\SysNative\WpcUmi.exe (Microsoft Corporation)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [vProt] C:\Program Files (x86)\AVG Secure Search\vprot.exe (AVG Secure Search)
O4 - HKCU..\Run: [Driver Pro] C:\Program Files (x86)\Driver Pro\DPLauncher.exe (PC Utilities Pro)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O9:64bit: - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000019 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.21.2)
O16 - DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_21)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.76.76 75.75.75.75
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9592D7CB-CDCE-4358-BC20-5FC63CC64C0D}: DhcpNameServer = 75.75.76.76 75.75.75.75
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Handler\viprotocol - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\15.2.0\ViProtocol.dll (AVG Secure Search)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\1600x1200_blue.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\1600x1200_blue.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/03 12:46:04 | 000,000,101 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/08 15:03:13 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/06/08 14:38:26 | 000,000,000 | ---D | C] -- C:\Users\dianne\Desktop\RK_Quarantine
[2013/06/07 21:29:50 | 000,000,000 | ---D | C] -- C:\MyPoppy9426M
[2013/06/07 21:04:08 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/06/07 16:26:34 | 000,263,584 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2013/06/07 16:26:34 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2013/06/07 16:26:33 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2013/06/07 12:14:27 | 000,000,000 | ---D | C] -- C:\MyPoppy
[2013/06/06 21:08:17 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2013/06/06 17:53:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2013/06/05 22:08:39 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/06/05 22:08:39 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/06/05 22:08:39 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/06/05 21:52:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/06/05 21:51:43 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/06/05 21:49:04 | 005,078,746 | R--- | C] (Swearware) -- C:\Users\dianne\Desktop\MyPoppy.exe
[2013/06/05 18:48:48 | 000,000,000 | ---D | C] -- C:\Users\dianne\AppData\Roaming\AVG2013
[2013/06/05 18:46:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG Secure Search
[2013/06/05 18:43:57 | 000,000,000 | ---D | C] -- C:\$AVG
[2013/06/05 18:43:56 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2013
[2013/06/05 18:38:00 | 000,000,000 | ---D | C] -- C:\Users\dianne\AppData\Local\Avg2013
[2013/06/05 18:23:08 | 000,000,000 | ---D | C] -- C:\Users\dianne\AppData\Local\AVG Secure Search
[2013/06/05 18:09:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Roblox
[2013/05/31 11:36:31 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2013/05/27 04:20:49 | 000,000,000 | ---D | C] -- C:\Users\dianne\AppData\Local\Tuguu SL
[2013/05/25 03:31:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Iminent
[2013/05/25 03:28:28 | 000,000,000 | ---D | C] -- C:\Program Files\Uninstaller
[2013/05/25 03:24:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Vafmusic2
[2013/05/25 03:23:17 | 000,000,000 | ---D | C] -- C:\Users\dianne\AppData\Roaming\Uniblue
[2013/05/25 03:23:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Uniblue
[2013/05/25 03:22:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SingAlong
[2013/05/25 03:22:45 | 000,000,000 | ---D | C] -- C:\Users\dianne\AppData\Local\DownloadTerms
[2013/05/23 04:34:59 | 000,000,000 | ---D | C] -- C:\Users\dianne\AppData\Local\Systweak
[2013/05/22 22:46:18 | 000,000,000 | ---D | C] -- C:\Users\dianne\AppData\Local\IAC
[2013/05/15 02:31:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShopAtHome.com Toolbar
[2013/05/15 02:31:11 | 000,000,000 | ---D | C] -- C:\Users\dianne\AppData\Roaming\ShopAtHome
[2009/08/19 09:41:49 | 008,653,312 | ---- | C] (Dell, Inc. ) -- C:\Users\dianne\AppData\Roaming\DataSafeDotNet.exe

========== Files - Modified Within 30 Days ==========

[2013/06/08 15:45:34 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/08 15:40:04 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/06/08 15:39:41 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1424625615-964005803-1290662544-1000UA.job
[2013/06/08 15:02:49 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/06/08 15:02:49 | 000,000,288 | ---- | M] () -- C:\Windows\tasks\RtlNICDiagVistaStart.job
[2013/06/08 15:02:48 | 000,003,744 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/06/08 15:02:48 | 000,003,744 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/06/08 15:02:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/06/08 15:01:55 | 635,361,307 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013/06/08 14:37:28 | 000,791,040 | ---- | M] () -- C:\Users\dianne\Desktop\RogueKillerX64.exe
[2013/06/07 21:16:06 | 000,272,616 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/06/07 21:10:26 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2013/06/07 18:32:01 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1424625615-964005803-1290662544-1000Core.job
[2013/06/07 12:13:03 | 005,078,746 | R--- | M] (Swearware) -- C:\Users\dianne\Desktop\MyPoppy.exe
[2013/06/06 17:43:19 | 000,001,810 | ---- | M] () -- C:\Users\dianne\Desktop\Microsoft Security Essentials.lnk
[2013/06/06 17:36:22 | 000,002,090 | ---- | M] () -- C:\Users\dianne\Desktop\Google Chrome.lnk
[2013/06/05 18:17:03 | 000,045,856 | ---- | M] (AVG Technologies) -- C:\Windows\SysNative\drivers\avgtpx64.sys

========== Files Created - No Company Name ==========

[2013/06/08 15:01:55 | 635,361,307 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2013/06/08 14:37:25 | 000,791,040 | ---- | C] () -- C:\Users\dianne\Desktop\RogueKillerX64.exe
[2013/06/07 21:15:46 | 000,272,616 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/06/06 17:43:19 | 000,001,810 | ---- | C] () -- C:\Users\dianne\Desktop\Microsoft Security Essentials.lnk
[2013/06/05 22:08:39 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/06/05 22:08:39 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/06/05 22:08:39 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/06/05 22:08:39 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/06/05 22:08:39 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/04 14:19:52 | 000,000,632 | RHS- | C] () -- C:\Users\dianne\ntuser.pol
[2011/10/28 11:58:25 | 000,754,664 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/08/25 18:01:22 | 002,052,096 | ---- | C] () -- C:\Users\dianne\s-1-5-21-1424625615-964005803-1290662544-1000.rrr
[2010/07/25 16:25:20 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/10/04 20:39:28 | 000,005,632 | ---- | C] () -- C:\Users\dianne\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/14 20:58:57 | 000,007,728 | ---- | C] () -- C:\Users\dianne\AppData\Local\d3d9caps.dat

========== ZeroAccess Check ==========

[2006/11/02 11:30:40 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 13:59:03 | 012,899,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/04/11 03:11:14 | 000,891,392 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\SysWow64\wbem\fastprox.dll -- [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2008/01/20 22:50:58 | 000,513,024 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\SysWow64\wbem\wbemess.dll

========== Custom Scans ==========

< MD5 for: NETLOGON.DLL >
[2008/01/20 22:51:03 | 000,716,800 | ---- | M] (Microsoft Corporation) MD5=5D0A4891F8CD0E9E64FF57A6A34044F5 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_59d652c6f057598d\netlogon.dll
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\erdnt\cache86\netlogon.dll
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SysWOW64\netlogon.dll
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_6616762521d9e6d4\netlogon.dll
[2009/04/11 03:11:16 | 000,717,312 | ---- | M] (Microsoft Corporation) MD5=A3F1B171702CA04744EE514243B45BFB -- C:\Windows\erdnt\cache64\netlogon.dll
[2009/04/11 03:11:16 | 000,717,312 | ---- | M] (Microsoft Corporation) MD5=A3F1B171702CA04744EE514243B45BFB -- C:\Windows\SysNative\netlogon.dll
[2009/04/11 03:11:16 | 000,717,312 | ---- | M] (Microsoft Corporation) MD5=A3F1B171702CA04744EE514243B45BFB -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_5bc1cbd2ed7924d9\netlogon.dll
[2008/01/20 22:48:28 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_642afd1924b81b88\netlogon.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:5D432CE3

< End of report >

#37
JSntgRvr
Global Moderator, 10,958 posts

When I went to the desktop to run OTL, I noticed there are 6 RK reports. Are you aware of this? Running OTL now.

Can you post them all to take a look?

The netlogon.dll does not appear to be infected. I must say it may be a false positive in Combofix.


Download the enclosed file: fixlist.txt (98 bytes).

Save it next to FRST, overwriting the existing one.

Run FRST as you did before, except that this time around click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

#38
jtroop
Topic Starter, Member, 70 posts

I've been wondering: when Malwarebytes real-time protection is on, it is blocking the malware from accessing websites such as 46.249.61.87. When I run these different scans, should I turn off Malwarebytes protection or allow it to block the malware? I am going to turn it off for this next FRST fixlist. Please advise on this. Okay, here are the six RK reports:

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : dianne [Admin rights]
Mode : Scan -- Date : 06/08/2013 14:40:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[TASK][SUSP PATH] Updater19962.exe : C:\Users\dianne\AppData\Local\Updater19962\Updater19962.exe /extensionid=19962 /extensionname="Supreme Savings" /chromeid=ihkeoookbpemkdccdccdmacnidhooohk [x] -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3750528AS ATA Device +++++
--- User ---
[MBR] 9470dcb923b63ce257492ffbc056bd4b
[BSP] 5114e3fd9951cb2acb33983720a9f917 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31569920 | Size: 699988 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 442d87d39801ad1ec8b5d22afaaa20e1
[BSP] 1568ce5951cbde12db3fde761c3636b2 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31569920 | Size: 699988 Mo

Finished : << RKreport[1]_S_06082013_02d1440.txt >>
RKreport[1]_S_06082013_02d1440.txt



#2

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : dianne [Admin rights]
Mode : Remove -- Date : 06/08/2013 14:44:09
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[TASK][SUSP PATH] Updater19962.exe : C:\Users\dianne\AppData\Local\Updater19962\Updater19962.exe /extensionid=19962 /extensionname="Supreme Savings" /chromeid=ihkeoookbpemkdccdccdmacnidhooohk [x] -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3750528AS ATA Device +++++
--- User ---
[MBR] 9470dcb923b63ce257492ffbc056bd4b
[BSP] 5114e3fd9951cb2acb33983720a9f917 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31569920 | Size: 699988 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 442d87d39801ad1ec8b5d22afaaa20e1
[BSP] 1568ce5951cbde12db3fde761c3636b2 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31569920 | Size: 699988 Mo

Finished : << RKreport[2]_D_06082013_02d1444.txt >>
RKreport[1]_S_06082013_02d1440.txt ; RKreport[2]_D_06082013_02d1444.txt



#3

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : dianne [Admin rights]
Mode : Scan -- Date : 06/08/2013 14:45:57
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3750528AS ATA Device +++++
--- User ---
[MBR] 9470dcb923b63ce257492ffbc056bd4b
[BSP] 5114e3fd9951cb2acb33983720a9f917 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31569920 | Size: 699988 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 442d87d39801ad1ec8b5d22afaaa20e1
[BSP] 1568ce5951cbde12db3fde761c3636b2 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31569920 | Size: 699988 Mo

Finished : << RKreport[3]_S_06082013_02d1445.txt >>
RKreport[1]_S_06082013_02d1440.txt ; RKreport[2]_D_06082013_02d1444.txt ; RKreport[3]_S_06082013_02d1445.txt



#4

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : dianne [Admin rights]
Mode : DNSFix -- Date : 06/08/2013 14:48:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT

Finished : << RKreport[4]_DN_06082013_02d1448.txt >>
RKreport[1]_S_06082013_02d1440.txt ; RKreport[2]_D_06082013_02d1444.txt ; RKreport[3]_S_06082013_02d1445.txt ; RKreport[4]_DN_06082013_02d1448.txt


#5

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : dianne [Admin rights]
Mode : ProxyFix -- Date : 06/08/2013 14:48:59
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT

Finished : << RKreport[5]_PR_06082013_02d1448.txt >>
RKreport[1]_S_06082013_02d1440.txt ; RKreport[2]_D_06082013_02d1444.txt ; RKreport[3]_S_06082013_02d1445.txt ; RKreport[4]_DN_06082013_02d1448.txt ; RKreport[5]_PR_06082013_02d1448.txt



#6

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : dianne [Admin rights]
Mode : HOSTSFix -- Date : 06/08/2013 14:49:02
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ Reset HOSTS: ¤¤¤


Finished : << RKreport[6]_H_06082013_02d1449.txt >>
RKreport[1]_S_06082013_02d1440.txt ; RKreport[2]_D_06082013_02d1444.txt ; RKreport[3]_S_06082013_02d1445.txt ; RKreport[4]_DN_06082013_02d1448.txt ; RKreport[5]_PR_06082013_02d1448.txt ;
RKreport[6]_H_06082013_02d1449.txt

Edited by jtroop, 09 June 2013 - 08:10 AM.

  • 0

#39
jtroop (Member, Topic Starter, 70 posts)
FRST fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-06-2013
Ran by dianne at 2013-06-09 10:13:24 Run:3
Running from F:\
Boot Mode: Normal
==============================================

"C:\Windows\SysNative\drivers\etc\Hosts" => Not found.C:\Windows\SysNative\drivers\etc\Hosts => File/Directory not found.

==== End of Fixlog ====
  • 0

#40
JSntgRvr (Global Moderator, 10,958 posts)
RogueKiller was run that number of times and a few entries were fixed. I don't believe the action was harmful. Remove RogueKiller.

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [EMPTYJAVA]
    [REBOOT]

  • Return to OTL, right click in the "Custom Scans/Fixes" window and choose Paste.
  • Click the red Run Fix button.
  • The computer will restart
  • A report will be produced and saved in the C:\_OTL\MovedFiles folder. Open that report and post its contents in a reply.

  • 0

#41
jtroop (Member, Topic Starter, 70 posts)

RogueKiller was run that number of times and a few entries were fixed. I don't believe the action was harmful. Remove RogueKiller.

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [EMPTYJAVA]
    [REBOOT]

  • Return to OTL, right click in the "Custom Scans/Fixes" window and choose Paste.
  • Click the red Run Fix button.
  • The computer will restart
  • A report will be produced and saved in the C:\_OTL\MovedFiles folder. Open that report and post its contents in a reply.


I am going to try this again. It has been hung up on "resetting HOSTS file do not interrupt" since yesterday afternoon. FYI... I did notice that when I started the scan, a message appeared saying it couldn't access something. If it does it again, I'll note what the file is.
  • 0

#42
jtroop (Member, Topic Starter, 70 posts)
Well, when I exited out of OTL, this log popped up. It appears to be the moved files report, as it is located in the C:\_OTL\MovedFiles folder, although the machine never rebooted. I will reboot now and let you know if the malware is gone.

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\fla1F74.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\temp\fla28CE.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\temp\fla3C84.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\temp\fla4630.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\temp\fla9DF9.tmp scheduled to be moved on reboot.
C:\Windows\temp\ppcrlui_50416_2 moved successfully.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OV0Y8EBZ\dot[1].gif scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MT4AAB06\content_622_1_bq[1].mp4 scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MT4AAB06\Halo%204%20Forge%20Mode%20-%20Serious%20Building%20Techniques[1].flv scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1V0FC50E\content_379_1_bq[1].mp4 scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0

#43
jtroop (Member, Topic Starter, 70 posts)
Malwarebytes is still indicating that it is blocking access to the websites. If I were to turn off the real time protection, the ads would start playing again.
  • 0

#44
jtroop (Member, Topic Starter, 70 posts)
Okay, running OTL Run Fix again. The message I posted about in post 41 is: "Cannot open file C:\Windows\System32\drivers\etc\Hosts." I just looked at the file and was tempted to delete it myself, but figured I'd better wait until you look at this.

Also, a Windows message just popped up indicating: "Adobe Flash Player update service 11.7r700 stopped working and was closed. A problem caused the application to stop working correctly."

Edited by jtroop, 10 June 2013 - 07:47 AM.

  • 0

#45
JSntgRvr (Global Moderator, 10,958 posts)
Something is intervening with the HOSTS file and producing .mp4 files in the temp folder. Let's increase the number of days of changes in the computer that are listed.

Run OTL as follows:
  • Double-click the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • OTL should now start. Change the following settings:
    • Under File Scans, change File age to 90
  • Under the Custom Scan box, paste this in:

    /md5start
    HOSTS
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of the OTL.txt file and attach the Extras.Txt, if any, in your next reply.

  • 0
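The OTL step above hashes the HOSTS file, and the RogueKiller reports earlier show its content as `ÿþ1`, which is how an ANSI reader displays a file that begins with the bytes FF FE (a UTF-16 LE byte-order mark). The Python below is an added example, not code from the thread or from OTL or RogueKiller: it reads a hosts file's raw bytes, detects such a BOM, decodes accordingly, hashes the raw bytes, and lists every mapping that points anywhere other than loopback; the sample bytes, the 203.0.113.10 address and the update.example name are constructed.

```python
import codecs
import hashlib
from typing import Dict, List, Tuple

# Addresses a hosts file may legitimately map names to (local or black-holed).
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample, not a file from the thread: the same FF FE prefix that
# RogueKiller printed as "ÿþ1", then UTF-16 LE text with one localhost line
# and one constructed redirect (TEST-NET address, .example name).
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + (
    "127.0.0.1 localhost\r\n"
    "# constructed entry\r\n"
    "203.0.113.10 update.example   # sends the name to an outside host\r\n"
).encode("utf-16-le")

def detect_encoding(raw: bytes) -> str:
    """Name the encoding implied by a byte-order mark; BOM-less files count as ascii."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le"
    if raw.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be"
    if raw.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    return "ascii"

def parse_hosts(raw: bytes) -> Dict[str, object]:
    """Decode a hosts file, list every mapping and flag the non-loopback ones."""
    enc = detect_encoding(raw)
    # A BOM-prefixed file decodes to a leading U+FEFF; drop it before parsing.
    text = raw.decode(enc, errors="replace").lstrip("\ufeff")
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()  # comments run from '#' to end of line
        if not body:
            continue
        fields = body.split()                 # one address, then one or more names
        for name in fields[1:]:
            entries.append((fields[0], name))
    return {
        "encoding": enc,
        "md5": hashlib.md5(raw).hexdigest(),  # hash of the raw bytes on disk
        "entries": entries,
        "redirects": [e for e in entries if e[0] not in LOOPBACK],
    }

if __name__ == "__main__":
    for ip, name in parse_hosts(SAMPLE_UTF16)["redirects"]:
        print(f"REDIRECT {name} -> {ip}")
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` in binary mode and pass the bytes to `parse_hosts`; a non-ascii encoding or any entry in `redirects` is what to look at first.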