Internet Security Pro/ madefender.exe

Inactive
By jephph
May 9, 2014
  1. Hey guys. I've got a laptop here that's been infected. I looked up the specific virus removal, and they all have you run a program to try to remove the infection. The problem is that I can't run any of the programs, no matter how they're masked. I've tried all of the MBAM Chameleon files, and all of the RKIll extensions as well. The only thing I can run on the computer is text files. I tried renaming some of the programs to text files, but that didn't work either. I've tried it all in safe mode as well. Nothing runs. I noticed that most of the instructions for removing Internet Security virus are from 2013. Maybe this is a new version of the virus..? Any help would be much appreciated.
  2. Broni

    Broni Malware Annihilator Posts: 46,341   +252

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================

    What Windows version is it?
  3. jephph

    jephph Newcomer, in training Topic Starter Posts: 77

    Windows 7. Not sure exact version because comp properties won't open.
  4. Broni

    Broni Malware Annihilator Posts: 46,341   +252

    NOTE 1. Use another working computer to download Farbar Recovery Scan Tool. Use USB flash drive to transfer it from good computer to the bad one.
    NOTE 2. Install Panda USB Vaccine, or BitDefender's USB Immunizer on GOOD computer to protect it from any infected USB device.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter
      Note:
      Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  5. jephph

    jephph Newcomer, in training Topic Starter Posts: 77

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-05-2014
    Ran by Alicia (administrator) on ALICIA-HP on 10-05-2014 13:15:26
    Running from C:\Users\Alicia\Desktop
    Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
    Internet Explorer Version 11
    Boot Mode: Normal

    The only official download link for FRST:
    Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
    Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
    Download link from any site other than Bleeping Computer is unpermitted or outdated.
    See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgrsa.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
    (Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
    ( ) C:\Windows\System32\lxdxcoms.exe
    (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    (Intel Corporation) C:\Windows\System32\igfxtray.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe


    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2480936 2010-12-20] (Synaptics Incorporated)
    HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6602856 2011-01-11] (Realtek Semiconductor)
    HKLM\...\Run: [HPWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-07-21] (Hewlett-Packard Company)
    HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [37960 2013-05-10] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-11-02] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [421736 2011-12-08] (Apple Inc.)
    HKLM-x32\...\Run: [HPOSD] => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [577408 2012-02-15] (Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [103768 2009-09-13] (Citrix Systems, Inc.)
    HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
    HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [2552856 2014-04-21] ()
    HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2014\avgui.exe [4971024 2014-03-19] (AVG Technologies CZ, s.r.o.)
    HKLM\...\RunOnce: [NCPluginUpdater] - "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" Update [21720 2014-04-22] (Hewlett-Packard)
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKU\.DEFAULT\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_12_0_0_77_ActiveX.exe -update activex
    HKU\S-1-5-21-1005116257-878886063-1618395364-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [17351304 2011-10-13] (Skype Technologies S.A.)
    HKU\S-1-5-21-1005116257-878886063-1618395364-1001\...\Run: [AVG-Secure-Search-Update_0913a] => C:\Users\Alicia\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 8723bb1e3a6147d3a1aafd3fcc0676f4-934d5dc3d8dc8e769db1ba664331484d722e8777 --CMPID 0913a
    HKU\S-1-5-21-1005116257-878886063-1618395364-1001\...\MountPoints2: {43ac5068-5432-11e2-959b-2c768ae29f07} - G:\MotorolaDeviceManagerSetup.exe -a
    HKU\S-1-5-21-1005116257-878886063-1618395364-1001\...\MountPoints2: {aec6d3b1-4fa5-11e2-941b-2c768ae29f07} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\TL-Bootstrap.exe
    HKU\S-1-5-21-1005116257-878886063-1618395364-1001\...\MountPoints2: {b285fc39-4d00-11e2-ba06-2c768ae29f07} - F:\MotorolaDeviceManagerSetup.exe -a

    ==================== Internet (Whitelisted) ====================

    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT/1
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=CPNTDF
    SearchScopes: HKLM - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPNTDF
    SearchScopes: HKLM - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
    SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
    SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=CPNTDF
    SearchScopes: HKLM-x32 - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPNTDF
    SearchScopes: HKLM-x32 - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
    SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
    SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=CPNTDF
    SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
    SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={s...e=W3i_DS,136,0_0,Search,20120205,17118,0,18,0
    SearchScopes: HKCU - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
    SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
    BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
    BHO-x32: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    BHO-x32: RewardsArcadeSuite - {B6EF6C45-5E8D-4c3b-B580-A5073261A381} - C:\Program Files (x86)\RewardsArcadeSuite\RewardsArcadeSuite.dll (215 Apps)
    BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
    BHO-x32: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
    Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File
    Handler-x32: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll No File
    Handler-x32: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll No File
    Handler-x32: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll No File
    Handler-x32: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll No File
    Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    Handler-x32: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll No File
    Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\3.0.0\ViProtocol.dll (AVG Secure Search)
    Tcpip\Parameters: [DhcpNameServer] 192.168.254.254

    FireFox:
    ========
    FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF Plugin: @microsoft.com/GENUINE - disabled No File
    FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\3.0.0\\npsitesafety.dll No File
    FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
    FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 - C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\4\NP_wtapp.dll ()
    FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF HKLM-x32\...\Firefox\Extensions: [crossriderapp1950@crossrider.com] - C:\Users\Alicia\AppData\Local\RewardsArcadeSuite\1950\Firefox
    FF Extension: RewardsArcade Suite - C:\Users\Alicia\AppData\Local\RewardsArcadeSuite\1950\Firefox [2012-02-02]

    Chrome:
    =======
    CHR HomePage: hxxp://mysearch.avg.com?cid={FEBF0440-BDCE-4CC4-9F8D-0C621736013E}&mid=8723bb1e3a6147d3a1aafd3fcc0676f4-934d5dc3d8dc8e769db1ba664331484d722e8777&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2014-04-21 10:05:25&v=3.0.0.2&pid=wtu&sg=&sap=hp
    CHR StartupUrls: "hxxp://mysearch.avg.com?cid={FEBF0440-BDCE-4CC4-9F8D-0C621736013E}&mid=8723bb1e3a6147d3a1aafd3fcc0676f4-934d5dc3d8dc8e769db1ba664331484d722e8777&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2014-04-21 10:05:25&v=3.0.0.2&pid=wtu&sg=&sap=hp"
    CHR DefaultSearchKeyword: mysearch.avg.com
    CHR DefaultSearchURL: http://mysearch.avg.com/search?cid=...ng=en&ds=AVG&coid=avgtbavg&pr=fr&d=2014-04-21 10:05:25&v=3.0.0.2&pid=wtu&sg=&sap=dsp&q={searchTerms}
    CHR Extension: (Google Docs) - C:\Users\Alicia\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-01-28]
    CHR Extension: (RewardsArcade Suite) - C:\Users\Alicia\AppData\Local\Google\Chrome\User Data\Default\Extensions\ielefkgbofdpglioecfjcbikholflklb [2013-02-06]
    CHR Extension: (Google Wallet) - C:\Users\Alicia\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-05]
    CHR HKLM-x32\...\Chrome\Extension: [ielefkgbofdpglioecfjcbikholflklb] - C:\Users\Alicia\AppData\Local\RewardsArcadeSuite\1950\Chrome\rewardsarcade-suite.crx [2011-12-22]

    ==================== Services (Whitelisted) =================

    S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3782672 2014-02-23] (AVG Technologies CZ, s.r.o.)
    S2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-24] (AVG Technologies CZ, s.r.o.)
    R2 lxdx_device; C:\Windows\system32\lxdxcoms.exe [1039872 2009-10-16] ( )
    S2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [116632 2012-07-17] ()
    S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
    S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
    S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)
    S2 vToolbarUpdater3.0.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\3.0.0\ToolbarUpdater.exe [1801240 2014-04-21] (AVG Secure Search)
    S3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [X]

    ==================== Drivers (Whitelisted) ====================

    R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-03-27] (AVG Technologies CZ, s.r.o.)
    R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [237336 2014-04-18] (AVG Technologies CZ, s.r.o.)
    R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [192792 2014-03-27] (AVG Technologies CZ, s.r.o.)
    R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [236824 2014-03-27] (AVG Technologies CZ, s.r.o.)
    R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [324376 2014-03-27] (AVG Technologies CZ, s.r.o.)
    R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [130840 2014-03-31] (AVG Technologies CZ, s.r.o.)
    R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [32536 2014-03-27] (AVG Technologies CZ, s.r.o.)
    R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-03-31] (AVG Technologies CZ, s.r.o.)
    R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50464 2014-04-21] (AVG Technologies)
    S3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [X]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2014-05-10 13:15 - 2014-05-10 13:16 - 00016734 _____ () C:\Users\Alicia\Desktop\FRST.txt
    2014-05-10 13:15 - 2014-05-10 13:15 - 00000000 ____D () C:\Users\Alicia\Desktop\FRST-OlderVersion
    2014-05-10 13:14 - 2014-05-10 13:15 - 02065408 _____ (Farbar) C:\Users\Alicia\Desktop\FRST64.exe
    2014-05-09 20:18 - 2014-05-10 13:15 - 00000000 ____D () C:\FRST
    2014-05-09 10:15 - 2014-05-09 10:13 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Alicia\Desktop\rkill.rtf.com
    2014-05-09 10:15 - 2014-05-09 10:12 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Alicia\Desktop\rkill (1).exe
    2014-05-09 09:57 - 2014-05-09 09:58 - 00000000 ____D () C:\Users\Alicia\Desktop\Pics
    2014-05-09 09:57 - 2014-05-09 09:51 - 49566984 _____ (GridinSoft LLC) C:\Users\Alicia\Desktop\gtk-2.2.2.9-setup.exe
    2014-05-09 09:57 - 2014-05-09 09:47 - 04164448 _____ (Kaspersky Lab ZAO) C:\Users\Alicia\Desktop\tdsskiller (3).exe
    2014-05-09 09:57 - 2014-05-09 09:47 - 00015648 _____ (GridinSoft LLC. All rights reserved.) C:\Users\Alicia\Desktop\madefender.exe.exe
    2014-05-09 09:36 - 2014-05-09 09:47 - 00000000 ____D () C:\Users\Alicia\Desktop\mbam-chameleon-1.62.1.1000
    2014-05-03 11:52 - 2014-05-09 09:59 - 00110553 _____ () C:\Windows\WindowsUpdate.log
    2014-05-03 11:49 - 2014-05-10 13:13 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2014-05-03 11:49 - 2014-05-03 11:49 - 00001112 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
    2014-04-21 10:05 - 2014-04-22 06:13 - 00000000 ____D () C:\ProgramData\AVG Security Toolbar
    2014-04-21 10:05 - 2014-04-22 06:09 - 00000000 ____D () C:\Users\Alicia\AppData\Local\AVG Web TuneUp
    2014-04-21 10:05 - 2014-04-21 10:03 - 00050464 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx64.sys
    2014-04-21 10:04 - 2014-04-21 10:05 - 00000000 ____D () C:\ProgramData\AVG Web TuneUp
    2014-04-21 10:04 - 2014-04-21 10:04 - 00000000 ____D () C:\ProgramData\AVG Secure Search
    2014-04-21 10:04 - 2014-04-21 10:04 - 00000000 ____D () C:\Program Files (x86)\AVG Web TuneUp
    2014-04-18 15:01 - 2014-04-18 15:01 - 00237336 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsdrivera.sys
    2014-04-11 08:55 - 2014-03-30 21:16 - 23134208 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
    2014-04-11 08:55 - 2014-03-30 21:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
    2014-04-11 08:55 - 2014-03-04 05:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
    2014-04-11 08:55 - 2014-03-04 05:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
    2014-04-11 08:55 - 2014-03-04 05:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
    2014-04-11 08:55 - 2014-03-04 05:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
    2014-04-11 08:55 - 2014-02-03 22:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys
    2014-04-11 08:55 - 2014-02-03 22:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
    2014-04-11 08:55 - 2014-02-03 22:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Diskdump.sys
    2014-04-11 08:55 - 2014-02-03 22:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\iologmsg.dll
    2014-04-11 08:55 - 2013-12-24 09:42 - 01162240 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
    2014-04-11 08:53 - 2014-01-23 22:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
    2014-04-10 08:08 - 2014-04-10 08:28 - 00000000 ____D () C:\Users\Alicia\Desktop\alicia's phone

    ==================== One Month Modified Files and Folders =======

    2014-05-10 17:12 - 2012-01-14 16:15 - 00000000 ____D () C:\Users\Alicia
    2014-05-10 13:16 - 2014-05-10 13:15 - 00016734 _____ () C:\Users\Alicia\Desktop\FRST.txt
    2014-05-10 13:15 - 2014-05-10 13:15 - 00000000 ____D () C:\Users\Alicia\Desktop\FRST-OlderVersion
    2014-05-10 13:15 - 2014-05-10 13:14 - 02065408 _____ (Farbar) C:\Users\Alicia\Desktop\FRST64.exe
    2014-05-10 13:15 - 2014-05-09 20:18 - 00000000 ____D () C:\FRST
    2014-05-10 13:13 - 2014-05-03 11:49 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2014-05-10 13:13 - 2009-07-14 00:51 - 00084048 _____ () C:\Windows\setupact.log
    2014-05-09 13:32 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\registration
    2014-05-09 10:13 - 2014-05-09 10:15 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Alicia\Desktop\rkill.rtf.com
    2014-05-09 10:12 - 2014-05-09 10:15 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Alicia\Desktop\rkill (1).exe
    2014-05-09 09:59 - 2014-05-03 11:52 - 00110553 _____ () C:\Windows\WindowsUpdate.log
    2014-05-09 09:58 - 2014-05-09 09:57 - 00000000 ____D () C:\Users\Alicia\Desktop\Pics
    2014-05-09 09:51 - 2014-05-09 09:57 - 49566984 _____ (GridinSoft LLC) C:\Users\Alicia\Desktop\gtk-2.2.2.9-setup.exe
    2014-05-09 09:47 - 2014-05-09 09:57 - 04164448 _____ (Kaspersky Lab ZAO) C:\Users\Alicia\Desktop\tdsskiller (3).exe
    2014-05-09 09:47 - 2014-05-09 09:57 - 00015648 _____ (GridinSoft LLC. All rights reserved.) C:\Users\Alicia\Desktop\madefender.exe.exe
    2014-05-09 09:47 - 2014-05-09 09:36 - 00000000 ____D () C:\Users\Alicia\Desktop\mbam-chameleon-1.62.1.1000
    2014-05-09 09:42 - 2009-07-14 00:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2014-05-09 09:42 - 2009-07-14 00:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2014-05-09 09:41 - 2009-07-14 01:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
    2014-05-03 11:57 - 2012-01-14 13:21 - 00003934 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{406271A2-5C4F-4B73-A93B-115D35C5CAA7}
    2014-05-03 11:49 - 2014-05-03 11:49 - 00001112 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
    2014-04-30 13:02 - 2011-04-09 17:03 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
    2014-04-29 17:13 - 2013-08-13 17:50 - 00000000 ____D () C:\ProgramData\MFAData
    2014-04-29 17:09 - 2010-11-20 23:47 - 00360316 _____ () C:\Windows\PFRO.log
    2014-04-28 16:06 - 2012-04-01 09:03 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2014-04-26 10:19 - 2014-02-19 17:49 - 00003192 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForAlicia
    2014-04-22 06:13 - 2014-04-21 10:05 - 00000000 ____D () C:\ProgramData\AVG Security Toolbar
    2014-04-22 06:10 - 2012-01-24 19:35 - 00000000 ____D () C:\Users\Alicia\AppData\Roaming\Skype
    2014-04-22 06:09 - 2014-04-21 10:05 - 00000000 ____D () C:\Users\Alicia\AppData\Local\AVG Web TuneUp
    2014-04-21 10:05 - 2014-04-21 10:04 - 00000000 ____D () C:\ProgramData\AVG Web TuneUp
    2014-04-21 10:04 - 2014-04-21 10:04 - 00000000 ____D () C:\ProgramData\AVG Secure Search
    2014-04-21 10:04 - 2014-04-21 10:04 - 00000000 ____D () C:\Program Files (x86)\AVG Web TuneUp
    2014-04-21 10:03 - 2014-04-21 10:05 - 00050464 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx64.sys
    2014-04-18 15:01 - 2014-04-18 15:01 - 00237336 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsdrivera.sys
    2014-04-13 18:34 - 2012-01-30 15:58 - 00000000 _____ () C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
    2014-04-12 19:17 - 2014-04-02 17:39 - 00000000 ____D () C:\Windows\system32\MpEngineStore
    2014-04-12 18:59 - 2013-08-13 19:43 - 00000000 ____D () C:\Windows\system32\MRT
    2014-04-12 18:46 - 2013-08-13 19:43 - 90655440 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
    2014-04-11 12:18 - 2011-04-09 17:13 - 00000000 ____D () C:\ProgramData\RoxioNow
    2014-04-10 08:28 - 2014-04-10 08:08 - 00000000 ____D () C:\Users\Alicia\Desktop\alicia's phone

    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


    LastRegBack: 2014-02-21 06:51

    ==================== End Of Log ============================
  6. Broni

    Broni Malware Annihilator Posts: 46,341   +252

    I don't actually see anything malicious on your computer.

    What does actually happen when you try to run programs?
  7. jephph

    jephph Newcomer, in training Topic Starter Posts: 77

    I'll double click, or right click->run as admin, and they will either do nothing, or the UAC will pop up, and I'll say yes, and then nothing happens. Sometimes, I'll see the little loading circle for a fraction of a second after I double click, or right after I say yes to UAC, but then nothing.
  8. Broni

    Broni Malware Annihilator Posts: 46,341   +252

    Did you try system restore to some date before it happened?
  9. jephph

    jephph Newcomer, in training Topic Starter Posts: 77

    None available.
  10. Broni

    Broni Malware Annihilator Posts: 46,341   +252

    See if you can run this...

    Download Windows Repair (All in One) from this site

    Install the program then run it.

    NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
    NOTE 2. Disable your antivirus program before running Windows Repair.


    Go to Step 3 and click on Check button next to 1. See If Check Disk Is Needed.
    If the tool says that Check Disk is needed, click on the Do It button next to 2. Check Disk.
    In that case make sure you restart the computer.

    Once the above is done go to Step 4 and allow it to run System File Check by clicking on Do It button:

    Go to Step 5 and under "System Restore" click on Create button:

    Go to Start Repairs tab and click Start button.

    Leave all checkmarks as they are.
    NOTE for Windows 8 users. Reset Registry Permissions is NOT checked by design.

    Click on Start button.

    Post Windows Repair log which is located in the following folder:
    64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
    32-bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs
  11. jephph

    jephph Newcomer, in training Topic Starter Posts: 77

    Also won't run.
  12. Broni

    Broni Malware Annihilator Posts: 46,341   +252

  13. jephph

    jephph Newcomer, in training Topic Starter Posts: 77

    For anyone else who may have this issue, the resolution involved using Farbar Recovery Scan Tool to move kernel32.dll back to where it was removed from (probably by a virus).
  14. Broni

    Broni Malware Annihilator Posts: 46,341   +252

    Where exactly did you move it?
    FRST shows it here:
    C:\Windows\system32\kernel32.dll
    It looks like a right location.
  15. jephph

    jephph Newcomer, in training Topic Starter Posts: 77

    It wasn't me, another guy helped me out. It was moved to C:\Windows\SysWOW64\kernel32.dll
    EDIT: I should say "copied", not "moved".
  16. Broni

    Broni Malware Annihilator Posts: 46,341   +252

    Interesting...thanks :)
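The resolution posted above turns on a detail of 64-bit Windows worth checking explicitly: System32 holds the native 64-bit kernel32.dll, and SysWOW64 holds the 32-bit copy that every 32-bit process loads. If the SysWOW64 copy is missing, 32-bit executables fail during process initialization while 64-bit ones (the native Notepad, for example) keep working, which is consistent with the symptoms described in this thread, though the thread does not establish what removed the file. Copying the 64-bit DLL from System32 into SysWOW64 would not produce a working 32-bit copy, so the check a practitioner wants is not only "is the file there" but "is it the right architecture". The block below is an added example, not code from the thread or from FRST: it reads the COFF Machine field from the PE header of both copies and reports a verdict per directory. It assumes an x64 install (the FRST log says X64); `check_kernel32_layout`, `fake_pe` and the `EXPECTED` table are this example's own names, and `fake_pe` builds a constructed minimal header so the logic can be exercised off the box. Run the on-disk check from a 64-bit process: under WOW64 file-system redirection a 32-bit Python or cmd.exe sees System32 as SysWOW64 and would compare the same file with itself.

```python
import struct
from pathlib import Path
from typing import Dict, Optional

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

# Architecture each directory must hold on 64-bit Windows (this example's own table).
EXPECTED: Dict[str, int] = {
    "System32": IMAGE_FILE_MACHINE_AMD64,  # native 64-bit DLLs
    "SysWOW64": IMAGE_FILE_MACHINE_I386,   # 32-bit DLLs loaded by WOW64 processes
}


def pe_machine(image: bytes) -> Optional[int]:
    """Return the COFF Machine field of a PE image, or None if it is not a PE file."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    # Need the 4-byte "PE\0\0" signature plus the 2-byte Machine field.
    if e_lfanew + 6 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", image, e_lfanew + 4)
    return machine


def check_kernel32_layout(images: Dict[str, Optional[bytes]]) -> Dict[str, str]:
    """images maps directory name -> file bytes (None when the file is missing).
    Returns a verdict per directory: ok / missing / not a PE image / wrong architecture."""
    verdicts: Dict[str, str] = {}
    for subdir, expected in EXPECTED.items():
        data = images.get(subdir)
        if data is None:
            verdicts[subdir] = "missing"
            continue
        machine = pe_machine(data)
        if machine is None:
            verdicts[subdir] = "not a PE image"
        elif machine != expected:
            verdicts[subdir] = f"wrong architecture (machine=0x{machine:x}, expected 0x{expected:x})"
        else:
            verdicts[subdir] = "ok"
    return verdicts


def read_kernel32_images(windir: str = r"C:\Windows") -> Dict[str, Optional[bytes]]:
    """Read the headers of both kernel32.dll copies. Call from a 64-bit process:
    under WOW64 redirection a 32-bit process is shown SysWOW64 when it opens System32."""
    out: Dict[str, Optional[bytes]] = {}
    for subdir in EXPECTED:
        p = Path(windir) / subdir / "kernel32.dll"
        if p.is_file():
            with p.open("rb") as f:
                out[subdir] = f.read(4096)  # headers only; enough for the Machine field
        else:
            out[subdir] = None
    return out


def fake_pe(machine: int) -> bytes:
    """Constructed minimal PE header (DOS stub + signature + 20-byte COFF header) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the stub
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + coff


if __name__ == "__main__":
    for subdir, verdict in check_kernel32_layout(read_kernel32_images()).items():
        print(f"{subdir}\\kernel32.dll: {verdict}")
```

A "wrong architecture" verdict for SysWOW64 is exactly the state a System32-to-SysWOW64 copy would leave behind; a "missing" verdict is the state the thread describes. In either case the 32-bit file has to come from a known-good source for the same Windows build (another machine, installation media, or `sfc /scannow` once a 64-bit command prompt can be reached), and anything that was deleting system DLLs should be hunted down before trusting the machine again.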

