Infected... "sirefef" keeps returning

Discussion in 'Virus and Malware Removal' started by John Sharp, Nov 22, 2012.

  1. Broni Malware Annihilator Posts: 39,189   +175

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at the "killing processes..." step), run the fix from safe mode.

    ==============================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE. SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    3. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.

    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce any log.
  2. Broni Malware Annihilator Posts: 39,189   +175

    Still with me?
  3. Broni Malware Annihilator Posts: 39,189   +175

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.
  4. Broni Malware Annihilator Posts: 39,189   +175

    Reopened.
  5. John Sharp Newcomer, in training Posts: 23

    Thank you. I am sorry. Here are my logs.

    OTL
    All processes killed
    ========== OTL ==========
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: jah
    ->Temp folder emptied: 19763580 bytes
    ->Temporary Internet Files folder emptied: 199380275 bytes
    ->Java cache emptied: 17760 bytes
    ->FireFox cache emptied: 133554914 bytes
    ->Flash cache emptied: 88056 bytes

    User: JMS
    ->Temp folder emptied: 66784 bytes
    ->Temporary Internet Files folder emptied: 28831368 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 93385479 bytes
    ->Flash cache emptied: 694 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 211301 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
    RecycleBin emptied: 94690707 bytes

    Total Files Cleaned = 544.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: jah
    ->Java cache emptied: 0 bytes

    User: JMS
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: jah
    ->Flash cache emptied: 0 bytes

    User: JMS
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 12042012_185306

    Files\Folders moved on Reboot...
    C:\Users\jah\AppData\Local\Temp\13DC.tmp moved successfully.
    C:\Users\jah\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Users\jah\AppData\Local\Temp\~DF435FBE2422B32E4B.TMP not found!
    File\Folder C:\Users\jah\AppData\Local\Temp\~DF6AC7763C287A74A8.TMP not found!
    File\Folder C:\Users\jah\AppData\Local\Temp\~DF6F29F10DBCAAC0E2.TMP not found!
    File\Folder C:\Users\jah\AppData\Local\Temp\~DFA0168015862E40D6.TMP not found!
    File\Folder C:\Users\jah\AppData\Local\Temp\~DFA69E36B3C8996701.TMP not found!
    File\Folder C:\Users\jah\AppData\Local\Temp\~DFBD1169CB6E337804.TMP not found!
    File\Folder C:\Users\jah\AppData\Local\Temp\~DFC1A45638AFD1C570.TMP not found!
    File\Folder C:\Users\jah\AppData\Local\Temp\~DFE48C5F85AEE04A96.TMP not found!
    File\Folder C:\Users\jah\AppData\Local\Temp\~DFE4F81341B72B85C2.TMP not found!
    File\Folder C:\Users\jah\AppData\Local\Temp\~DFEA278AB93167C60B.TMP not found!
    File\Folder C:\Users\jah\AppData\Local\Temp\~DFEBB078BB67454A85.TMP not found!
    File\Folder C:\Users\jah\AppData\Local\Temp\~DFF856DB0ACFA0EBAF.TMP not found!
    C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZUTSVEPX\feed[1].css moved successfully.
    C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZUTSVEPX\feed[1].js moved successfully.
    File\Folder C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZUTSVEPX\jquery-ui.min[1].js not found!
    C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZUTSVEPX\smartmomdeals_com[1].htm moved successfully.
    C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZUTSVEPX\style_2.1.1[1].css moved successfully.
    C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B01IAKAG\inlinekeywords[1].js moved successfully.
    C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B01IAKAG\jquery-1.4.2.min[1].js moved successfully.
    C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B01IAKAG\pconfig[1].js moved successfully.
    C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B01IAKAG\script_2.1.1[1].js moved successfully.
    C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B01IAKAG\styles[1].css moved successfully.
    File\Folder C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A099X3PP\all[1].js not found!
    File\Folder C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A099X3PP\google_service[1].js not found!
    File move failed. C:\Windows\temp\sndappv2.log scheduled to be moved on reboot.
    C:\Windows\temp\~DF5181E2C023A22A4D.TMP moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...


    Security Check
    Results of screen317's Security Check version 0.99.56
    Windows 7 x64 (UAC is enabled)
    Out of date service pack!!
    Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.1.1000
    Java(TM) 6 Update 37
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player 11.4.402.287 Flash Player out of Date!
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox 16.0.2 Firefox out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````

    FSS
    Farbar Service Scanner Version: 04-12-2012
    Ran by jah (administrator) on 04-12-2012 at 19:07:29
    Running from "C:\Users\jah\Desktop"
    Windows 7 Home Premium (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is offline
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****

    Waiting on ESET... will post when complete...
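The FSS log above is read by eye in the thread: the helper looks for services whose start type differs from the default, for "Disabled Policy" sections that actually contain a registry value, and for file checks whose MD5 does not come back as legit. The following is an added example (not part of the thread and not code from Farbar's tool) that automates that read. The parser assumes the layout visible in the posted log (a `Name:` header line followed by a line of `=` characters); the sample log is constructed from lines quoted in the thread, plus one constructed `placeholder.dll` line so the file-check branch has something to flag.

```python
"""Triage a Farbar Service Scanner (FSS) style log the way a helper reads it.

Added example, not part of the forum thread or of the FSS tool. The section
layout (a 'Name:' line followed by a line of '=' characters) is an assumption
taken from the log posted in the thread, not FSS's documented format.
"""
import re

# Constructed sample, abridged from the FSS output posted in the thread.
# The 'placeholder.dll' line is constructed so the file-check branch fires.
SAMPLE_FSS_LOG = """\
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\\Windows\\System32\\nsisvc.dll => MD5 is legit
C:\\Windows\\System32\\drivers\\afd.sys => MD5 is legit
C:\\Windows\\System32\\placeholder.dll => MD5 does not match (constructed line)
"""

START_TYPE_RE = re.compile(
    r"The start type of (?P<svc>\S+) service is set to (?P<actual>\w+)\. "
    r"The default start type is (?P<default>\w+)\."
)
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<value>\d+)$')
FILE_RE = re.compile(r"^(?P<path>.+?) => (?P<verdict>.+)$")


def parse_sections(text):
    """Split the log into {section name: [content lines]}.

    A section starts at a line ending in ':' whose next line consists only
    of '=' characters; blank lines and the '=' underline are dropped.
    """
    sections = {}
    current = None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.endswith(":") and nxt.strip() and set(nxt.strip()) == {"="}:
            current = line[:-1]
            sections[current] = []
        elif current is not None and line.strip() and set(line.strip()) != {"="}:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (severity, message) findings a helper would want to see.

    warn  - a service start type that differs from its default
    warn  - a 'Disabled Policy' section that actually carries a non-zero value
    alert - a file-check line whose verdict is anything other than legit
    """
    findings = []
    for name, lines in parse_sections(text).items():
        for line in lines:
            m = START_TYPE_RE.search(line)
            if m and m["actual"] != m["default"]:
                findings.append(("warn", f"{m['svc']} start type is {m['actual']}, default {m['default']}"))
            m = POLICY_RE.match(line.strip())
            if m and name.endswith("Disabled Policy") and m["value"] != "0":
                findings.append(("warn", f"{name}: {m['name']}={m['value']}"))
            m = FILE_RE.match(line)
            if m and name == "File Check" and "legit" not in m["verdict"]:
                findings.append(("alert", f"{m['path']}: {m['verdict']}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_FSS_LOG):
        print(f"[{severity}] {message}")
```

On the posted log this reports exactly the two Defender findings the helper would note (WinDefend set to Demand instead of Auto, and the DisableAntiSpyware policy set to 1); both are consistent with a user deliberately turning Defender off after installing Microsoft Security Essentials, so they are worth a question rather than a fix on their own. The MD5 branch is the one that matters for the "sirefef" family named in the thread title, since those infections patch system files and FSS would then report the hash as not legit.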
  6. John Sharp Newcomer, in training Posts: 23

     
  7. John Sharp Newcomer, in training Posts: 23

    ESET found no files, but I am still getting occasional redirects...especially from google searches
  8. Broni Malware Annihilator Posts: 39,189   +175

    Which browser is affected?
    What about other browser(s)?
  9. John Sharp Newcomer, in training Posts: 23

    Firefox and IE... It happens prob 1 out of 10 clicks or so
  10. Broni Malware Annihilator Posts: 39,189   +175

    Let's start with IE.
    Open it, go to Tools > Internet options > Advanced tab and click on the "Reset" button.
    Restart IE, use it for a while and let me know how it goes.
  11. John Sharp Newcomer, in training Posts: 23

    Still getting re-directs...

    IE example: searching from google for "tire help", click on a link for goodyear, it directs to compare.us.com/xxxxxxxxxxxxx
  12. Broni Malware Annihilator Posts: 39,189   +175

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  13. John Sharp Newcomer, in training Posts: 23

    FRST

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-12-2012
    Ran by SYSTEM at 10-12-2012 10:00:11
    Running from E:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10144288 2010-04-13] (Realtek Semiconductor)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
    HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe" [82792 2012-11-26] (Sendori, Inc.)
    HKU\jah\...\Run: [Novatel Wireless] Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info [760320 2012-12-04] ()
    Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
    Tcpip\..\Interfaces\{00DB6E6E-F3AB-4C9D-8D23-EDB53E8402C6}: [NameServer]192.168.9.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Jungle Disk Desktop.lnk
    ShortcutTarget: Jungle Disk Desktop.lnk -> C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe (Jungle Disk, Inc.)
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\jah\Start Menu\Programs\Startup\PdaNet Desktop.lnk
    ShortcutTarget: PdaNet Desktop.lnk -> C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe ()

    ==================== Services (Whitelisted) ===================

    2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [118632 2012-11-26] (Sendori, Inc.)
    2 JungleDiskService; "C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe" --service [9761096 2011-05-17] (Jungle Disk, Inc.)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
    2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [14696 2012-11-26] (sendori)
    2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3569512 2012-11-26] (Sendori)

    ==================== Drivers (Whitelisted) =====================

    1 cbfs3; C:\Windows\System32\Drivers\cbfs3.sys [321424 2010-11-30] (EldoS Corporation)
    0 mbamchameleon; C:\Windows\System32\Drivers\mbamchameleon.sys [36680 2012-11-23] ()
    0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
    3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
    0 mbamswissarmy; C:\Windows\System32\drivers\mbamswissarmy.sys [x]
    3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-12-08 11:00 - 2011-10-04 04:22 - 00203320 ____A (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\ssudmdm.sys
    2012-12-08 11:00 - 2011-10-04 04:22 - 00095544 ____A (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\ssudbus.sys
    2012-12-08 10:59 - 2012-12-08 10:59 - 00000000 ____D C:\Program Files\SAMSUNG
    2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Samsung
    2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Application Data\Samsung
    2012-12-08 10:57 - 2012-12-08 10:58 - 00000000 ____D C:\Samsung Galaxy S3 QCom ToolKit
    2012-12-08 10:57 - 2012-12-08 10:57 - 00001651 ____A C:\Users\jah\Desktop\Samsung GS3 QCom ToolKit.lnk
    2012-12-08 10:26 - 2012-12-08 10:26 - 07444480 ____A C:\Users\jah\Desktop\recovery-clockwork-touch-6.0.1.2-d2spr.tar
    2012-12-08 10:25 - 2012-12-08 10:25 - 06410240 ____A C:\Users\jah\Desktop\Sprint_Stock_Recovery.tar
    2012-12-08 09:45 - 2012-12-08 09:45 - 00000000 ____D C:\Users\jah\Desktop\Odin3-v1.85
    2012-12-08 09:42 - 2012-12-08 09:42 - 01461029 ____A (Farbar) C:\Users\jah\Desktop\FRST64(1).exe
    2012-12-07 14:09 - 2012-12-07 14:09 - 00683568 ____A C:\Windows\Minidump\120712-18876-01.dmp
    2012-12-06 18:06 - 2012-12-06 18:07 - 00000030 ____A C:\Users\jah\Desktop\New Text Document.txt
    2012-12-06 14:06 - 2012-12-06 14:07 - 00683568 ____A C:\Windows\Minidump\120612-17799-01.dmp
    2012-12-04 18:15 - 2012-12-04 18:15 - 00000000 ____D C:\Program Files (x86)\ESET
    2012-12-04 18:14 - 2012-12-04 18:14 - 02322184 ____A (ESET) C:\Users\jah\Downloads\esetsmartinstaller_enu.exe
    2012-12-04 18:02 - 2012-12-04 18:02 - 00448512 ____A (OldTimer Tools) C:\Users\jah\Desktop\TFC.exe
    2012-12-04 18:01 - 2012-12-04 18:02 - 00696153 ____A (Farbar) C:\Users\jah\Desktop\FSS.exe
    2012-12-04 18:01 - 2012-12-04 18:01 - 00856731 ____A C:\Users\jah\Desktop\SecurityCheck.exe
    2012-12-04 17:53 - 2012-12-04 17:53 - 00000000 ____D C:\_OTL
    2012-12-04 17:51 - 2012-12-04 17:52 - 00602112 ____A (OldTimer Tools) C:\Users\jah\Desktop\OTL.exe
    2012-11-27 14:54 - 2012-12-04 17:58 - 00000000 ____D C:\Users\jah\Local Settings\Novatel Wireless
    2012-11-27 14:54 - 2012-12-04 17:58 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Novatel Wireless
    2012-11-27 14:54 - 2012-12-04 17:58 - 00000000 ____D C:\Users\jah\AppData\Local\Novatel Wireless
    2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\PDF Architect
    2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\Application Data\PDF Architect
    2012-11-26 19:36 - 2012-11-26 19:36 - 00069384 ____A C:\Users\JMS\Downloads\TS010169559.dotx
    2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\Application Data\PDF Architect
    2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\AppData\Roaming\PDF Architect
    2012-11-26 19:28 - 2012-11-29 21:05 - 00000000 ____D C:\Users\All Users\Sendori
    2012-11-26 19:28 - 2012-11-29 21:05 - 00000000 ____D C:\Users\All Users\Application Data\Sendori
    2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\Application Data\APP_NAME_NON_STRING
    2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\AppData\Roaming\APP_NAME_NON_STRING
    2012-11-26 19:28 - 2012-11-26 13:12 - 00321384 ____A (Sendori) C:\Windows\SysWOW64\Sendori.dll
    2012-11-26 19:27 - 2012-11-29 21:06 - 00000000 ____D C:\Program Files (x86)\Sendori
    2012-11-26 19:27 - 2012-11-26 19:28 - 00000000 ____D C:\Program Files (x86)\PDFCreator
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\pdfforge
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\OpenCandy
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\pdfforge
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\OpenCandy
    2012-11-26 19:27 - 2012-10-28 17:32 - 00103936 ____A (pdfforge GbR) C:\Windows\System32\pdfcmon.dll
    2012-11-26 19:27 - 2012-05-05 09:54 - 01071088 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
    2012-11-26 19:27 - 2012-05-05 09:54 - 00662288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCT2.OCX
    2012-11-26 19:27 - 2012-05-05 09:54 - 00137000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSMAPI32.OCX
    2012-11-26 19:27 - 2012-05-05 09:54 - 00023552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSMPIDE.DLL
    2012-11-26 19:21 - 2012-11-26 19:21 - 00457048 ____A (pdfforge GbR ) C:\Users\JMS\Downloads\PDFCreatorWebSetup.exe
    2012-11-26 19:17 - 2012-11-26 20:04 - 00000000 ____D C:\Users\JMS\Application Data\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 20:04 - 00000000 ____D C:\Users\JMS\AppData\Roaming\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\AppData\Local\SoftGrid Client
    2012-11-23 18:09 - 2012-11-23 18:18 - 00000000 ____D C:\Qoobox
    2012-11-23 18:09 - 2012-11-23 18:16 - 00000000 ____D C:\Windows\erdnt
    2012-11-23 18:09 - 2011-06-26 00:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-11-23 18:09 - 2010-11-07 11:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-11-23 18:09 - 2009-04-19 22:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00098816 ____A C:\Windows\sed.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00080412 ____A C:\Windows\grep.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00068096 ____A C:\Windows\zip.exe
    2012-11-23 15:18 - 2012-11-23 15:18 - 00279088 ____A C:\Windows\Minidump\112312-19936-01.dmp
    2012-11-23 13:34 - 2012-11-23 13:34 - 00000317 ____A C:\Users\jah\Downloads\fixlist.txt
    2012-11-23 13:07 - 2012-11-23 13:07 - 01461039 ____A (Farbar) C:\Users\jah\Downloads\FRST64.exe
    2012-11-23 11:17 - 2012-11-23 11:17 - 00036680 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
    2012-11-22 23:15 - 2012-11-22 23:17 - 12961620 ____A C:\Users\jah\Downloads\mbar-1.01.0.1009.zip
    2012-11-22 19:02 - 2012-11-22 19:02 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-11-22 18:25 - 2012-11-22 18:45 - 13529576 ____A (Microsoft Corporation) C:\Users\jah\Downloads\mseinstall.exe
    2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\Application Data\Malwarebytes
    2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\AppData\Roaming\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-11-22 18:13 - 2012-09-29 18:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-11-22 18:05 - 2012-11-22 18:12 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\jah\Downloads\mbam-setup-1.65.1.1000.exe
    2012-11-15 10:26 - 2012-01-31 06:44 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe


    ==================== One Month Modified Files and Folders =======

    2012-12-10 08:57 - 2009-07-13 23:10 - 01199752 ____A C:\Windows\WindowsUpdate.log
    2012-12-10 08:56 - 2009-07-13 22:51 - 00030623 ____A C:\Windows\setupact.log
    2012-12-08 11:24 - 2009-07-13 22:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-12-08 11:24 - 2009-07-13 22:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-12-08 11:21 - 2009-07-13 23:13 - 00714754 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-12-08 11:17 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-12-08 10:59 - 2012-12-08 10:59 - 00000000 ____D C:\Program Files\SAMSUNG
    2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Samsung
    2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Application Data\Samsung
    2012-12-08 10:58 - 2012-12-08 10:57 - 00000000 ____D C:\Samsung Galaxy S3 QCom ToolKit
    2012-12-08 10:57 - 2012-12-08 10:57 - 00001651 ____A C:\Users\jah\Desktop\Samsung GS3 QCom ToolKit.lnk
    2012-12-08 10:26 - 2012-12-08 10:26 - 07444480 ____A C:\Users\jah\Desktop\recovery-clockwork-touch-6.0.1.2-d2spr.tar
    2012-12-08 10:25 - 2012-12-08 10:25 - 06410240 ____A C:\Users\jah\Desktop\Sprint_Stock_Recovery.tar
    2012-12-08 09:45 - 2012-12-08 09:45 - 00000000 ____D C:\Users\jah\Desktop\Odin3-v1.85
    2012-12-08 09:42 - 2012-12-08 09:42 - 01461029 ____A (Farbar) C:\Users\jah\Desktop\FRST64(1).exe
    2012-12-07 14:09 - 2012-12-07 14:09 - 00683568 ____A C:\Windows\Minidump\120712-18876-01.dmp
    2012-12-07 14:09 - 2012-09-08 22:42 - 00000000 ____D C:\Windows\Minidump
    2012-12-07 14:09 - 2012-09-08 22:41 - 374365794 ____A C:\Windows\MEMORY.DMP
    2012-12-06 19:11 - 2012-10-29 14:52 - 00000000 ____D C:\Users\jah\My Documents\Misc
    2012-12-06 19:11 - 2012-10-29 14:52 - 00000000 ____D C:\Users\jah\Documents\Misc
    2012-12-06 18:07 - 2012-12-06 18:06 - 00000030 ____A C:\Users\jah\Desktop\New Text Document.txt
    2012-12-06 14:07 - 2012-12-06 14:06 - 00683568 ____A C:\Windows\Minidump\120612-17799-01.dmp
    2012-12-05 09:28 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\Application Data\SoftGrid Client
    2012-12-05 09:28 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\AppData\Roaming\SoftGrid Client
    2012-12-04 18:15 - 2012-12-04 18:15 - 00000000 ____D C:\Program Files (x86)\ESET
    2012-12-04 18:14 - 2012-12-04 18:14 - 02322184 ____A (ESET) C:\Users\jah\Downloads\esetsmartinstaller_enu.exe
    2012-12-04 18:02 - 2012-12-04 18:02 - 00448512 ____A (OldTimer Tools) C:\Users\jah\Desktop\TFC.exe
    2012-12-04 18:02 - 2012-12-04 18:01 - 00696153 ____A (Farbar) C:\Users\jah\Desktop\FSS.exe
    2012-12-04 18:01 - 2012-12-04 18:01 - 00856731 ____A C:\Users\jah\Desktop\SecurityCheck.exe
    2012-12-04 17:58 - 2012-11-27 14:54 - 00000000 ____D C:\Users\jah\Local Settings\Novatel Wireless
    2012-12-04 17:58 - 2012-11-27 14:54 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Novatel Wireless
    2012-12-04 17:58 - 2012-11-27 14:54 - 00000000 ____D C:\Users\jah\AppData\Local\Novatel Wireless
    2012-12-04 17:53 - 2012-12-04 17:53 - 00000000 ____D C:\_OTL
    2012-12-04 17:52 - 2012-12-04 17:51 - 00602112 ____A (OldTimer Tools) C:\Users\jah\Desktop\OTL.exe
    2012-11-29 21:06 - 2012-11-26 19:27 - 00000000 ____D C:\Program Files (x86)\Sendori
    2012-11-29 21:05 - 2012-11-26 19:28 - 00000000 ____D C:\Users\All Users\Sendori
    2012-11-29 21:05 - 2012-11-26 19:28 - 00000000 ____D C:\Users\All Users\Application Data\Sendori
    2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\PDF Architect
    2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\Application Data\PDF Architect
    2012-11-27 09:30 - 2010-11-17 20:47 - 00010474 ____A C:\Windows\PFRO.log
    2012-11-26 20:04 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Application Data\SoftGrid Client
    2012-11-26 20:04 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\AppData\Roaming\SoftGrid Client
    2012-11-26 19:36 - 2012-11-26 19:36 - 00069384 ____A C:\Users\JMS\Downloads\TS010169559.dotx
    2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\Application Data\PDF Architect
    2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\AppData\Roaming\PDF Architect
    2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\Application Data\APP_NAME_NON_STRING
    2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\AppData\Roaming\APP_NAME_NON_STRING
    2012-11-26 19:28 - 2012-11-26 19:27 - 00000000 ____D C:\Program Files (x86)\PDFCreator
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\pdfforge
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\OpenCandy
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\pdfforge
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\OpenCandy
    2012-11-26 19:21 - 2012-11-26 19:21 - 00457048 ____A (pdfforge GbR ) C:\Users\JMS\Downloads\PDFCreatorWebSetup.exe
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\AppData\Local\SoftGrid Client
    2012-11-26 13:12 - 2012-11-26 19:28 - 00321384 ____A (Sendori) C:\Windows\SysWOW64\Sendori.dll
    2012-11-23 18:18 - 2012-11-23 18:09 - 00000000 ____D C:\Qoobox
    2012-11-23 18:18 - 2009-07-13 21:20 - 00000000 __RHD C:\users\Default
    2012-11-23 18:16 - 2012-11-23 18:09 - 00000000 ____D C:\Windows\erdnt
    2012-11-23 18:15 - 2009-07-13 20:34 - 00000215 ____A C:\Windows\system.ini
    2012-11-23 17:42 - 2012-11-03 11:46 - 00000000 ____D C:\Users\jah\Desktop\From Phone
    2012-11-23 15:18 - 2012-11-23 15:18 - 00279088 ____A C:\Windows\Minidump\112312-19936-01.dmp
    2012-11-23 13:34 - 2012-11-23 13:34 - 00000317 ____A C:\Users\jah\Downloads\fixlist.txt
    2012-11-23 13:07 - 2012-11-23 13:07 - 01461039 ____A (Farbar) C:\Users\jah\Downloads\FRST64.exe
    2012-11-23 11:17 - 2012-11-23 11:17 - 00036680 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
    2012-11-22 23:17 - 2012-11-22 23:15 - 12961620 ____A C:\Users\jah\Downloads\mbar-1.01.0.1009.zip
    2012-11-22 19:02 - 2012-11-22 19:02 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-11-22 18:45 - 2012-11-22 18:25 - 13529576 ____A (Microsoft Corporation) C:\Users\jah\Downloads\mseinstall.exe
    2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\Application Data\Malwarebytes
    2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\AppData\Roaming\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-11-22 18:12 - 2012-11-22 18:05 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\jah\Downloads\mbam-setup-1.65.1.1000.exe
    2012-11-15 09:05 - 2010-11-17 19:29 - 00000000 ____D C:\Program Files (x86)\Dell
    2012-11-13 18:51 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\NDF
    2012-11-13 18:40 - 2011-01-15 07:44 - 00000073 ____A C:\Windows\SysWOW64\ToasterLauncherLog.log
    2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\Local Settings\SoftThinks
    2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\SoftThinks
    2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\AppData\Local\SoftThinks
    2012-11-11 14:49 - 2012-11-06 17:22 - 00000000 ____D C:\Users\JMS\Application Data\JungleDisk
    2012-11-11 14:49 - 2012-11-06 17:22 - 00000000 ____D C:\Users\JMS\AppData\Roaming\JungleDisk

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\@
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\00000004.@
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\4cce1f70
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\55490ac4

    ==================== Known DLLs (Whitelisted) =================

    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-11-22 17:49:08
    Restore point made on: 2012-11-22 23:18:28
    Restore point made on: 2012-11-22 23:50:24
    Restore point made on: 2012-11-23 11:37:24
    Restore point made on: 2012-11-23 18:01:27
    Restore point made on: 2012-11-26 19:18:30
    Restore point made on: 2012-11-27 09:33:25
    Restore point made on: 2012-11-29 11:40:36
    Restore point made on: 2012-11-30 12:43:18
    Restore point made on: 2012-12-03 13:23:44
    Restore point made on: 2012-12-05 18:31:14
    Restore point made on: 2012-12-07 09:02:34

    ==================== Memory info ===========================

    Percentage of memory in use: 14%
    Total physical RAM: 3892.52 MB
    Available physical RAM: 3339.3 MB
    Total Pagefile: 3890.67 MB
    Available Pagefile: 3328.34 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB

    ==================== Partitions =============================

    1 Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:417.64 GB) NTFS
    3 Drive e: (XP-KOMKU) (Removable) (Total:3.73 GB) (Free:2.67 GB) FAT
    4 Drive f: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 Online 3821 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 101 MB 31 KB
    Partition 2 Primary 14 GB 101 MB
    Partition 3 Primary 451 GB 14 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 FAT Partition 101 MB Healthy Hidden

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 F RECOVERY NTFS Partition 14 GB Healthy

    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 451 GB Healthy

    =========================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3821 MB 31 KB

    ==================================================================================

    Disk: 2
    Partition 1
    Type : 0E
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 E XP-KOMKU FAT Removable 3821 MB Healthy

    =========================================================

    Last Boot: 2012-12-05 18:57

    ==================== End Of Log =============================
  14. Broni Malware Annihilator Posts: 39,189   +175

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    Restart normally and check for redirections.

  15. John Sharp Newcomer, in training Posts: 23

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-12-2012
    Ran by SYSTEM at 2012-12-11 16:38:33 Run:1
    Running from E:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b moved successfully.

    ==== End of Fixlog ====

    Still getting redirects from Google searches.
  16. Broni Malware Annihilator Posts: 39,189   +175

    Which browser?

    Create a new restore point before proceeding with the next step.
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ********************************************

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
  17. John Sharp Newcomer, in training Posts: 23

    Both Firefox and IE.

    I tried to download MBAR again, but the site seems to be down, and the MBAR that I downloaded previously says it is outdated and will not run.
  18. Broni Malware Annihilator Posts: 39,189   +175

  19. John Sharp Newcomer, in training Posts: 23

    Thanks. Not sure why; the Mbyte site loads but will not connect to the file. Anyway, here are the logs:
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7600 Windows 7 x64

    Account is Administrative

    Internet Explorer version: 8.0.7600.16385

    Java version: 1.6.0_37

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 4081606656, free: 2555224064

    Initializing...
    Done!
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 7F2837E

    Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 208782

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 208845 Numsec = 30720000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 30928845 Numsec = 945842275

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 217934C

    Partition information:

    Partition 0 type is Other (0xe)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 7827329
    Partition file system is FAT
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 4007624704 bytes
    Sector size: 512 bytes

    Done!
    Performing system, memory and registry scan...
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Novatel Wireless --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\Local Settings\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\Local Settings\Application Data\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Done!
    Scan finished
    Creating System Restore point...
    Scheduling clean up...
    Removal scheduling successful. System shutdown needed.
    System shutdown occurred
    =======================================

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7600 Windows 7 x64

    Account is Administrative

    Internet Explorer version: 8.0.7600.16385

    Java version: 1.6.0_37

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 4081606656, free: 2974633984

    Malwarebytes Anti-Rootkit 1.01.0.1011
    www.malwarebytes.org

    Database version: v2012.12.03.14

    Windows 7 x64 NTFS
    Internet Explorer 8.0.7600.16385
    jah :: JAH-PC [administrator]

    12/11/2012 6:11:15 PM
    mbar-log-2012-12-11 (18-11-15).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 26433
    Time elapsed: 12 minute(s), 2 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 8
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Novatel Wireless (Spyware.Password) -> Data: Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info -> Delete on reboot.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\Local Settings\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\Local Settings\Application Data\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.

    (end)
  20. Broni Malware Annihilator Posts: 39,189   +175

    It looks like you got reinfected at some point.

    Re-run ComboFix and post the new log.