
Possible malware: Where to start [Solved]


  • This topic is locked

#16
Janis
Member, Topic Starter, 333 posts
ADW log

# AdwCleaner v3.016 - Report created 03/01/2014 at 16:01:12
# Updated 23/12/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : USER 1 - WORK-A021E901D4
# Running from : C:\Documents and Settings\USER 1\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v

[ File : C:\Documents and Settings\USER 1\Application Data\Mozilla\Firefox\Profiles\uzh1s7d0.default\prefs.js ]


[ File : C:\Documents and Settings\USER2\Application Data\Mozilla\Firefox\Profiles\ma4r5rri.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [8672 octets] - [02/01/2014 14:23:55]
AdwCleaner[R1].txt - [839 octets] - [03/01/2014 16:01:12]
AdwCleaner[S0].txt - [8816 octets] - [02/01/2014 14:48:16]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [958 octets] ##########

#17
Janis
Member, Topic Starter, 333 posts
The JRT Log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.9 (01.01.2014:1)
OS: Microsoft Windows XP x86
Ran by USER 1 on Fri 01/03/2014 at 16:07:44.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\domaiq uninstaller
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{044BB46F-EDF0-4D58-947F-554AF9851950}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CBE9E7E6-1E29-48F3-9153-C70CD7A4C2FC}



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 01/03/2014 at 16:19:51.87
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#18
Janis
Member, Topic Starter, 333 posts
This is the last log. The computer no longer has the unwanted ads. I can't determine if the need to use reload (F5) frequently for websites is the computer or our third-rate internet provider. I could not get into geekstogo.com last evening at all, just received error messages. Today it seems to access with no problems.

Is there a tutorial for cleaning a PC, i.e. getting rid of temp files, cache, etc., with just one program? I use Mozilla, not IE. Would clean disk under System Tools do the work for me?

#19
pystryker
Trusted Helper, Malware Removal, 3,912 posts

AdwCleaner[R0].txt - [8672 octets] - [02/01/2014 14:23:55]
AdwCleaner[R1].txt - [839 octets] - [03/01/2014 16:01:12]
AdwCleaner[S0].txt - [8816 octets] - [02/01/2014 14:48:16]


Hi :)

You have run AdwCleaner multiple times; please only run the tools once unless otherwise requested. I need to see the logs entitled:

AdwCleaner[R1].txt
AdwCleaner[S0].txt


Please post these 2 logs so I can take a look at what was removed. :thumbsup:


This is the last log. The computer no longer has the unwanted ads. I can't determine if the need to use reload (F5) frequently for websites is the computer or our third-rate internet provider. I could not get into geekstogo.com last evening at all, just received error messages. Today it seems to access with no problems.


I'm glad to hear the ads are not showing up anymore, but stay with me, we still have some work to do to finish cleaning your machine. No worries there about getting into GeeksToGo last night. The site was down so our admins could do some database maintenance. It was down for everyone. :)



Is there a tutorial for cleaning a PC, i.e. getting rid of temp files, cache, etc., with just one program? I use Mozilla, not IE. Would clean disk under System Tools do the work for me?


These are things that we will cover once we are done cleaning your machine. We do have some programs for getting rid of temp files and the like, but we still have a ways to go before we get to that point.

#20
pystryker
Trusted Helper, Malware Removal, 3,912 posts

This is the last log.


Hi, please read the Things I need to see in your next post at the bottom of Post #14. We need to run an OTL Quick Scan on your machine. Please post it along with the 2 AdwCleaner logs. :thumbsup:

#21
Janis
Member, Topic Starter, 333 posts
I tried to send all requested. Could you please advise what didn't come through using my regular email? Our connection is iffy right now so I may have some delay in getting back to you.

#22
pystryker
Trusted Helper, Malware Removal, 3,912 posts

I tried to send all requested. Could you please advise what didn't come through using my regular email? Our connection is iffy right now so I may have some delay in getting back to you.


I have to keep all correspondence in this thread for my teacher's observations. :) No worries though, I'll stay with you as long as it takes to get your machine cleaned, spotty connections, delays and all. :) :thumbsup:

Let's do this, I'll post the instructions for the OTL Quick Scan, and instructions for finding the AdwCleaner logs.


Step 1: OTL Quick Scan

  • Start OTL and this time click the Quick Scan button
  • OTL will scan your system and produce one log when finished.
  • Please post that log in your next reply.


Step 2: Location of AdwCleaner Logs

You can find the adwcleaner logs in this location: C:\adwcleaner

Please post the following 2 logs:


AdwCleaner[R1].txt
AdwCleaner[S0].txt


Things I need to see in your next post:

OTL Quick Scan Log

AdwCleaner[R1].txt Log

AdwCleaner[S0].txt Log


#23
Janis
Member, Topic Starter, 333 posts
Under ADW I found a log listed as ADW2 but not 1. Do I need to rerun ADW to get the first log?
ADW R2
# AdwCleaner v3.016 - Report created 04/01/2014 at 07:30:44
# Updated 23/12/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : USER 1 - WORK-A021E901D4
# Running from : C:\Documents and Settings\USER 1\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v

[ File : C:\Documents and Settings\USER 1\Application Data\Mozilla\Firefox\Profiles\uzh1s7d0.default\prefs.js ]


[ File : C:\Documents and Settings\USER2\Application Data\Mozilla\Firefox\Profiles\ma4r5rri.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [8672 octets] - [02/01/2014 14:23:55]
AdwCleaner[R1].txt - [1037 octets] - [03/01/2014 16:01:12]
AdwCleaner[R2].txt - [899 octets] - [04/01/2014 07:30:44]
AdwCleaner[S0].txt - [8816 octets] - [02/01/2014 14:48:16]

########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [1018 octets] ##########

Also, I could not find a quick scan log. I reran the quick scan with the following log:

OTL logfile created on: 1/4/2014 7:35:51 AM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\USER 1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.35 Gb Available Physical Memory | 78.50% Memory free
4.34 Gb Paging File | 3.69 Gb Available in Paging File | 85.02% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 22.46 Gb Total Space | 8.32 Gb Free Space | 37.05% Space Free | Partition Type: NTFS
Drive D: | 210.42 Gb Total Space | 209.77 Gb Free Space | 99.69% Space Free | Partition Type: NTFS
Drive E: | 7.23 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 339.58 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: WORK-A021E901D4 | User Name: USER 1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014/01/01 18:45:34 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\USER 1\Desktop\OTL.exe
PRC - [2013/12/05 20:52:21 | 000,223,112 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.3.22.3\GoogleCrashHandler.exe
PRC - [2013/10/16 00:30:02 | 005,175,856 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgidsagent.exe
PRC - [2013/04/04 13:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2013/04/04 13:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2013/04/04 13:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2013/02/27 16:38:44 | 001,259,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2012/11/27 09:21:31 | 000,916,960 | ---- | M] (Mozilla Corporation) -- D:\firefox.exe
PRC - [2012/11/19 17:25:32 | 002,598,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2012/11/08 03:51:06 | 000,768,632 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2012/03/19 04:18:12 | 000,979,840 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2012/02/14 03:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2012/02/14 03:52:38 | 000,338,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2009/11/06 10:58:38 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/10/31 09:51:52 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
PRC - [2005/03/22 16:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2001/09/10 06:19:06 | 000,045,108 | ---- | M] (ScanSoft, Inc.) -- D:\Paperport\pptd40nt.exe


========== Modules (No Company Name) ==========

MOD - [2012/11/27 09:21:30 | 002,400,224 | ---- | M] () -- D:\mozjs.dll
MOD - [2012/10/04 17:50:36 | 000,088,688 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll
MOD - [2005/05/03 06:38:42 | 000,064,512 | R--- | M] () -- C:\WINDOWS\system32\P17.dll
MOD - [2001/09/10 01:05:30 | 000,006,144 | ---- | M] () -- D:\Paperport\BliceCtr.dll

#24
pystryker
Trusted Helper, Malware Removal, 3,912 posts
Hi :)

The OTL log you posted is only a portion of the log, it has been cut off. As for the AdwCleaner log, let's put that on hold for the moment. :) Let's run a brand new OTL Quick scan log. :thumbsup:

Please follow the instructions below.


  • Start OTL and this time click the Quick Scan button
  • OTL will scan your system and produce one log when finished.
  • Please post that log in your next reply.



Things I need to see in your next post:

OTL Quick Scan Log


#25
Janis
Member, Topic Starter, 333 posts
OTL logfile created on: 1/4/2014 6:53:58 PM - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\USER 1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.27 Gb Available Physical Memory | 75.75% Memory free
4.34 Gb Paging File | 3.76 Gb Available in Paging File | 86.71% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 22.46 Gb Total Space | 8.33 Gb Free Space | 37.10% Space Free | Partition Type: NTFS
Drive D: | 210.42 Gb Total Space | 209.77 Gb Free Space | 99.69% Space Free | Partition Type: NTFS
Drive E: | 7.23 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 982.72 Mb Total Space | 844.27 Mb Free Space | 85.91% Space Free | Partition Type: FAT

Computer Name: WORK-A021E901D4 | User Name: USER 1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014/01/01 18:45:34 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\USER 1\Desktop\OTL.exe
PRC - [2013/12/05 20:52:21 | 000,223,112 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.3.22.3\GoogleCrashHandler.exe
PRC - [2013/10/16 00:30:02 | 005,175,856 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgidsagent.exe
PRC - [2013/04/04 13:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2013/04/04 13:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2013/04/04 13:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2013/02/27 16:38:44 | 001,259,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2012/11/19 17:25:32 | 002,598,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2012/11/08 03:51:06 | 000,768,632 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2012/03/19 04:18:12 | 000,979,840 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2012/02/14 03:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2012/02/14 03:52:38 | 000,338,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2009/11/06 10:58:38 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/10/31 09:51:52 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
PRC - [2005/03/22 16:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2001/09/10 06:19:06 | 000,045,108 | ---- | M] (ScanSoft, Inc.) -- D:\Paperport\pptd40nt.exe
PRC - [2001/03/07 09:11:12 | 010,577,312 | R--- | M] (Microsoft Corporation) -- D:\MSOFFICE\Office10\WINWORD.EXE


========== Modules (No Company Name) ==========

MOD - [2012/10/04 17:50:36 | 000,088,688 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll
MOD - [2005/05/03 06:38:42 | 000,064,512 | R--- | M] () -- C:\WINDOWS\system32\P17.dll
MOD - [2001/09/10 01:05:30 | 000,006,144 | ---- | M] () -- D:\Paperport\BliceCtr.dll


========== Services (SafeList) ==========

SRV - [2013/12/11 08:05:42 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/10/16 00:30:02 | 005,175,856 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2013/04/04 13:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013/04/04 13:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/02/14 03:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2009/11/06 10:58:38 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\motodrv.sys -- (MotDev)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- system32\drivers\hlnfd.sys -- (hlnfd)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013/08/25 10:30:48 | 000,013,120 | ---- | M] () [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2013/04/11 02:18:40 | 000,302,368 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2013/04/04 13:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/12/10 03:28:36 | 000,142,176 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgidsdriverx.sys -- (AVGIDSDriver)
DRV - [2012/11/08 03:49:26 | 000,250,080 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2012/04/19 03:50:26 | 000,024,896 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\avgidshx.sys -- (AVGIDSHX)
DRV - [2012/01/31 03:46:50 | 000,031,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/12/23 12:32:14 | 000,041,040 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/12/23 12:32:08 | 000,017,232 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgidsshimx.sys -- (AVGIDSShim)
DRV - [2011/12/23 12:32:06 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgidsfilterx.sys -- (AVGIDSFilter)
DRV - [2009/12/02 11:20:54 | 000,122,504 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EuDisk.sys -- (EuDisk)
DRV - [2009/03/25 01:29:52 | 000,130,432 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2007/06/18 19:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2005/11/16 14:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/07/07 03:14:30 | 001,389,056 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\P17.sys -- (P17)
DRV - [2005/05/13 17:27:56 | 000,028,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbccid.sys -- (USBCCID)
DRV - [2005/01/10 05:15:30 | 000,106,496 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2005/01/10 05:15:24 | 000,138,752 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139)
DRV - [2004/08/03 22:31:20 | 000,036,224 | ---- | M] (ADMtek Incorporated.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\an983.sys -- (AN983)
DRV - [2003/11/17 15:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 15:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 15:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

========== FireFox ==========

FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.order.2: ""
FF - prefs.js..browser.search.param.yahoo-fr: "w3i&type=W3i_DS,157,0_0,Search,20120938,6902,0,29,0"
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledAddons: %7BF53C93F1-07D5-430c-86D4-C9531B27DFAF%7D:12.0.0.2189
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0
FF - prefs.js..extensions.enabledItems: [email protected]:0.4
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20120515
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:12.0.0.2191
FF - prefs.js..extensions.enabledItems: avg@toolbar:12.2.5.32
FF - prefs.js..extensions.netassistant.keyword.url: "http://click.w3i.com...94&searchterm="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2013/01/30 09:44:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\ [2012/07/26 13:25:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/03/07 14:55:46 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011/11/09 21:51:21 | 000,000,000 | ---D | M]

[2011/11/09 21:42:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\USER 1\Application Data\Mozilla\Extensions
[2012/06/22 20:49:51 | 000,001,703 | ---- | M] () -- C:\Documents and Settings\USER 1\Application Data\Mozilla\Firefox\Profiles\uzh1s7d0.default\searchplugins\goodsearch.xml
[2012/07/26 13:25:41 | 000,000,000 | ---D | M] (AVG Do Not Track) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX\DONOTTRACK

O1 HOSTS File: ([2012/06/22 12:12:02 | 000,442,832 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 15216 more lines...
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {41525333-0076-A76A-76A7-7A786E7484D7} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [IndexSearch] D:\Paperport\IndexSearch.exe ()
O4 - HKLM..\Run: [P17Helper] C:\WINDOWS\System32\P17.dll ()
O4 - HKLM..\Run: [PaperPort PTD] D:\Paperport\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = D:\MSOFFICE\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{402C9A1F-B9F1-495E-9ECF-6C283E4C3EB5}: DhcpNameServer = 10.0.0.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{62DD19D0-612D-4839-AEB3-0B562FBE31AE}: NameServer = 8.26.56.26,156.154.70.22
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BD94B5BF-5D35-4B2A-9525-624D15CF3255}: DhcpNameServer = 10.0.0.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{ECE096E0-3330-45D1-BCAF-CECDF9E33ED9}: NameServer = 8.26.56.26,156.154.70.22
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/24 23:43:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2014/01/03 16:07:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2014/01/03 16:07:08 | 001,036,305 | ---- | C] (Thisisu) -- C:\Documents and Settings\USER 1\Desktop\JRT.exe
[2014/01/02 14:23:44 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/01/02 09:07:14 | 000,000,000 | ---D | C] -- C:\_OTL
[2014/01/01 19:40:16 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\USER 1\Recent
[2014/01/01 18:48:36 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\USER 1\Desktop\OTL.exe
[2013/12/15 18:04:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2014/01/04 19:03:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2014/01/04 18:57:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2014/01/04 18:50:25 | 147,899,931 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2014/01/04 18:49:36 | 000,210,735 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2014/01/04 18:22:37 | 000,002,271 | ---- | M] () -- C:\Documents and Settings\USER 1\Desktop\Microsoft Word (2).lnk
[2014/01/04 14:48:14 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2014/01/04 14:48:01 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\ROC_JAN2013_TB_rmv.job
[2014/01/04 14:47:58 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2014/01/04 14:47:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2014/01/04 12:42:53 | 000,009,764 | ---- | M] () -- C:\Documents and Settings\USER 1\My Documents\cake.pdf
[2014/01/03 17:45:49 | 000,000,059 | ---- | M] () -- C:\WINDOWS\BS.INI
[2014/01/03 16:07:12 | 001,036,305 | ---- | M] (Thisisu) -- C:\Documents and Settings\USER 1\Desktop\JRT.exe
[2014/01/02 14:01:44 | 000,001,680 | ---- | M] () -- C:\Documents and Settings\USER 1\Desktop\Mozilla Thunderbird (2).lnk
[2014/01/02 09:06:06 | 001,233,962 | ---- | M] () -- C:\Documents and Settings\USER 1\Desktop\adwcleaner.exe
[2014/01/01 18:45:34 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\USER 1\Desktop\OTL.exe
[2013/12/15 18:04:52 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2013/12/11 08:16:13 | 000,139,648 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2014/01/04 12:42:52 | 000,009,764 | ---- | C] () -- C:\Documents and Settings\USER 1\My Documents\cake.pdf
[2014/01/02 14:01:44 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\USER 1\Desktop\Mozilla Thunderbird (2).lnk
[2014/01/02 09:06:06 | 001,233,962 | ---- | C] () -- C:\Documents and Settings\USER 1\Desktop\adwcleaner.exe
[2013/12/15 18:04:52 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2013/11/02 14:33:35 | 000,026,900 | ---- | C] () -- C:\Documents and Settings\USER 1\Local Settings\Application Data\dt.dat
[2013/09/03 17:51:06 | 000,005,627 | R--- | C] () -- C:\WINDOWS\System32\Ludap17.ini
[2013/09/03 17:51:06 | 000,000,039 | R--- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2013/09/02 19:34:46 | 000,013,120 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2013/08/13 19:50:15 | 000,000,884 | RHS- | C] () -- C:\Documents and Settings\USER 1\ntuser.pol
[2013/02/08 04:03:08 | 002,816,504 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2012/12/08 12:51:18 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2012/09/23 18:54:04 | 000,008,399 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2012/09/21 14:21:43 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2012/09/13 17:52:11 | 000,059,392 | R--- | C] () -- C:\WINDOWS\System32\streamhlp.dll
[2012/09/05 17:12:53 | 000,000,059 | ---- | C] () -- C:\WINDOWS\BS.INI
[2012/08/25 14:31:26 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2012/08/25 14:31:26 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2012/08/25 14:31:24 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\cdTextCtl.dll
[2012/08/25 14:23:01 | 000,178,688 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2012/07/22 15:20:58 | 000,000,767 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2012/06/18 12:03:50 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012/03/07 14:51:48 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

========== ZeroAccess Check ==========

[2011/11/30 22:26:07 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/09/27 08:38:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2013/01/28 10:15:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG January 2013 Campaign
[2011/12/27 14:26:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2012/06/28 19:29:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2011/12/27 16:21:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2012/07/09 11:24:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2012/06/21 20:14:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2012/07/24 07:55:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2011/10/31 17:56:28 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/11/19 19:29:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CPA_VA
[2013/11/14 11:29:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/11/23 21:50:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/06/22 21:25:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\1st Free Solitaire
[2013/12/31 19:03:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Amazon
[2013/06/15 19:35:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Audacity
[2012/07/01 09:40:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Auslogics
[2011/12/27 16:52:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\AVG2012
[2012/07/09 11:24:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Canneverbe Limited
[2012/07/24 07:55:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Canon
[2012/07/03 22:30:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Element Software
[2011/11/09 21:51:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Foxit
[2012/09/04 19:53:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Foxit Software
[2012/08/22 14:35:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Motorola
[2012/08/22 14:36:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Motorola Mobility
[2012/07/23 18:12:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Opera
[2012/11/05 16:29:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\OverDrive
[2012/06/28 19:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Pegasus Mail
[2013/01/11 15:45:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\SanDisk
[2012/09/12 17:55:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Silver Creek Entertainment
[2013/06/15 09:47:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\Thunderbird
[2012/09/13 18:39:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER 1\Application Data\TrojanHunter

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >
  • 0
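The OTL sections in the post above are raw tool output with no explanation in the thread: each file entry carries a timestamp, a size, four attribute flags (R/H/S/D), a C or M marker for created versus modified time, the company name read from the file's version resource (empty parentheses or none at all when it is blank), and the path; the Alternate Data Streams line names a host object, the stream name after the last colon, and the stream size. The following Python triage parser is an added example, not part of the original post and not OTL's own code; the line shapes are inferred from the entries shown above, so other OTL sections may use formats it does not know. The sample lines are taken from the log above except the `example_helper.dll` entry and its company name, which are constructed placeholders, and the rules are heuristics to prioritise review, not verdicts.

```python
"""Triage helper for OTL-style log entries (added example, not OTL's code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# [2014/01/03 16:07:08 | 001,036,305 | ---- | C] (Thisisu) -- C:\...\JRT.exe
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)
# @Alternate Data Stream - 100 bytes -> C:\...\TEMP:5C321E34
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+?)\s*$")

CODE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")
SYSTEM_PREFIXES = ("c:\\windows\\",)   # assumption: a default XP install on C:


@dataclass
class FileEntry:
    timestamp: datetime
    size: int
    attrs: str               # four flags, e.g. "RHS-": Read-only, Hidden, System, Directory
    kind: str                # "C" = created-time entry, "M" = modified-time entry
    company: Optional[str]   # version-resource company name; None when blank
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.endswith("D")

    @property
    def is_code(self) -> bool:
        return self.path.lower().endswith(CODE_EXTENSIONS)

    @property
    def in_system_dir(self) -> bool:
        return self.path.lower().startswith(SYSTEM_PREFIXES)


def parse_file_entry(line: str) -> Optional[FileEntry]:
    """Parse one bracketed file/folder entry; return None for any other line."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    return FileEntry(
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        kind=m.group("kind"),
        company=m.group("company") or None,   # "()" and no parentheses both mean blank
        path=m.group("path"),
    )


def parse_ads_entry(line: str) -> Optional[Tuple[str, str, int]]:
    """Parse an '@Alternate Data Stream' line into (host path, stream name, bytes)."""
    m = ADS_RE.match(line.strip())
    if not m:
        return None
    host, stream = m.group("target").rsplit(":", 1)   # stream name follows the last colon
    return host, stream, int(m.group("size"))


def triage(lines: List[str], report_time: datetime, recent_days: int = 30) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs worth a closer look, in log order.

    A blank company name only means the version resource is empty; it is a weak
    signal, so every hit here still needs a hash lookup or signature check.
    """
    flagged: List[Tuple[str, str]] = []
    window = report_time - timedelta(days=recent_days)
    for line in lines:
        ads = parse_ads_entry(line)
        if ads:
            host, stream, size = ads
            flagged.append((host, f"alternate data stream '{stream}' ({size} bytes)"))
            continue
        entry = parse_file_entry(line)
        if entry is None or entry.is_dir or not entry.is_code:
            continue
        if entry.company is None:
            flagged.append((entry.path, "executable code with no company name"))
        if entry.in_system_dir and entry.timestamp >= window:
            flagged.append((entry.path, f"code in Windows dir touched within {recent_days} days"))
    return flagged


# Sample input: lines from the log above plus one constructed placeholder entry.
SAMPLE_LINES = [
    "[2014/01/03 16:07:42 | 000,000,000 | ---D | C] -- C:\\WINDOWS\\ERUNT",
    "[2014/01/03 16:07:08 | 001,036,305 | ---- | C] (Thisisu) -- C:\\Documents and Settings\\USER 1\\Desktop\\JRT.exe",
    "[2013/09/02 19:34:46 | 000,013,120 | ---- | C] () -- C:\\WINDOWS\\System32\\drivers\\StarOpen.sys",
    "[2014/01/02 09:06:06 | 001,233,962 | ---- | C] () -- C:\\Documents and Settings\\USER 1\\Desktop\\adwcleaner.exe",
    "[2014/01/04 12:42:52 | 000,009,764 | ---- | C] () -- C:\\Documents and Settings\\USER 1\\My Documents\\cake.pdf",
    "[2013/12/11 08:16:13 | 000,139,648 | ---- | M] () -- C:\\WINDOWS\\System32\\FNTCACHE.DAT",
    "[2014/01/01 03:12:00 | 000,045,056 | -H-- | C] (Example Co) -- C:\\WINDOWS\\System32\\example_helper.dll",  # constructed
    "@Alternate Data Stream - 100 bytes -> C:\\Documents and Settings\\All Users\\Application Data\\TEMP:5C321E34",
    "========== Purity Check ==========",
]
REPORT_TIME = datetime(2014, 1, 4, 19, 3, 0)   # latest timestamp seen in the log above


def demo() -> List[Tuple[str, str]]:
    return triage(SAMPLE_LINES, REPORT_TIME)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

Run against the sample, it flags the driver and the cleaner executable for a blank company name, the constructed DLL for being recent code under the Windows directory, and the hidden stream on the TEMP folder; the JRT executable (company name present, user profile path), the PDF and the font cache are left alone.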



#26
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts
Hi, thank you for the log. We're looking good! Let's run a sweep for remnants and check for any out of date programs on your machine. :)

Please disable your antivirus for the duration of my instructions. Don't forget to re-enable them after you have completed the steps.

Step 1: Scan with Malwarebytes


I see you have Malwarebytes' Anti-Malware installed.

  • Please open the program.
  • Click on the Update tab then click Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, check the following settings:
    • On the Settings tab, Scanner Settings, leave the default boxes checked but change the drop-down boxes to Show in results list and check for removal.
  • On the Scanner tab, check Perform quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.



Step 2: ESET Online Virus Scan

Please note: You can use Internet Explorer or Firefox for this step.

If you use Firefox, you will be prompted to download esetsmartinstaller_enu.exe. Please do so, then double click it to install it.

Please click on this link and then click the ESET Online Scanner bar.

  • Select the option YES, I accept the Terms of Use then click on Start
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
  • Now click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • Now click on Finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Step 3: SecurityCheck Scan


Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Things I need to see in your next post:

  • ESET Scan Log
  • MBAM Log
  • SecurityCheck Log

  • 0

#27
Janis

Janis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 333 posts
I don't find a log for the online scanner, but the finish page lists no threats found.

The rest:
Results of screen317's Security Check version 0.99.78
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Please wait while WMIC is being installed.d
i
s
p
l
a
y
N
a
m
e
ECHO is off.
A
V
G
ECHO is off.
A
n
t
i
V
i
r
u
s
ECHO is off.
F
r
e
ECHO is off.
E
d
i
t
i
o
n
ECHO is off.
2
0
1
2
ECHO is off.
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
SpywareBlaster 4.6
Malwarebytes Anti-Malware version 1.75.0.1300
Adobe Flash Player 11.9.900.170
Mozilla Thunderbird (2.0.0 Thunderbird out of Date!
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````


Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.17.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
USER 1 :: WORK-A021E901D4 [administrator]

Protection: Enabled

7/17/2012 8:18:06 AM
mbam-log-2012-07-17 (08-18-06).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240156
Time elapsed: 19 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



I believe the machine is clean now and would like to keep it that way. What adware program(s) are recommended?
  • 0

#28
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts

I believe the machine is clean now and would like to keep it that way. What adware program(s) are recommended?


Thank you for the logs. :) We still have some cleanup procedures to do regarding the tools we installed on your machine, and I will have some information for you about keeping your machine clean as well. :thumbsup:
  • 0

#29
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts
Hello :)

Great news, your logs are CLEAN! :thumbsup: :) We still have a few things we need to address namely:


  • I need to remove the tools we installed on your machine.
  • We also have some programs on your machine that need updating to help protect you in the future.
  • I also have some information for you on how to reduce your chances of infection.


Step 1: Thunderbird Update


Mozilla Thunderbird is out of date, please click here to update it.


Keeping your software updated

Another weapon against malicious programs and viruses is to keep other programs updated. There are several programs out there that can check for out of date programs on your computer. One is Filehippo. You can run this on a weekly or monthly basis to check your programs for updates, and then it will provide a link for you to download them.


Download Filehippo Updatechecker


Step 2: Remove old infected restore points and create a new clean one.


We're going to delete your old system restore points and create a new clean one. We do this so if you need to do a system restore, you will have a clean starting point.


Create New System Restore Point


To set up a restore point, follow these steps:

  • Close any programs that are open.
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. The System Restore Wizard opens.
  • Click Create a restore point, and then click Next.
  • In the Restore point description box, type a description for the restore point. Use a description that is easy to understand. If you are creating a restore point before you install specific software or hardware, you could use that information in the description.

Note: The date and time are automatically added to your restore point. Therefore, you do not have to use them in your description.

  • To finish creating this restore point, click the Create button. The System Restore Wizard notifies you when the restore point is created.
  • When you are finished, click the Close button.


Remove Old System Restore Point

To do this:

Click Start > All Programs > Accessories > System Tools > Disk Cleanup

Now launch this utility and click the More Options tab. Under it, click System Restore, and then click Clean Up.

A message will pop up: Are you sure you want to delete all but the most recent restore point?

Click Yes, then OK. Finally, another message will pop up: Are you sure you want to perform these actions? Click Yes.



Step 3: Tool Removal


  • You can delete Junkware Removal Tool from your desktop.
  • Start AdwCleaner and click the Uninstall button. It will remove the quarantined files and uninstall itself.
  • Start OTL and click the Cleanup button. OTL will delete its quarantined files and then uninstall itself.
  • You can uninstall ESET Online Scanner at this time.
  • I'd recommend keeping Malwarebytes Anti-Malware installed as it is an excellent defense against malware. Make sure to update it and run it at least once a week.


Step 4: Tips, Information, and Warning about CryptoLocker


  • Watch what you open in your emails. If you get an email from an unknown source with any attached files, do not open it.
  • Be careful of the websites you visit.
  • When installing new programs, don't be "click happy" and click through the screens. Many programs come with adware in them and are set to install it by default. Several programs require that you uncheck or select No to prevent the installation. Take your time and read each screen as you go. :)
  • To help protect yourself while on the web, I recommend you read How did I get infected in the first place?


A warning about CryptoLocker

CryptoLocker is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

Please download and install CryptoPrevent to lock your machine down from this infection.




Are there any further issues I can assist you with?
  • 0

#30
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts
Hi :)

I just wanted to make sure everything went ok before we close this thread as solved. :)
  • 0
