
Read instructions -- but cannot access antivirus sites for step 1

Discussion in 'Virus and Malware Removal' started by Phil Ancell, Sep 30, 2012.

  1. Phil Ancell Newcomer, in training Posts: 21

    Hi guys

    Have read your fab instructions and compliment you on the work that you do.

    My university student daughter came home with her PC, a Windows Vista PC on which I had previously installed MSE as the antivirus and malware protector. This was working fine when I last looked at it a few months ago, and I had downloaded all the latest important updates from Microsoft.

    This weekend when she brought it home, however, I noticed not only that MSE was not present, but also that I couldn't access any of the mentioned antivirus sites nor Microsoft.com to remediate.

    I have read through the 5 steps you have provided, but I am not ready to go to step 2 until I can actually get an antivirus program operating, as you have suggested in Step 1.

    I saved all her important data to a new USB stick, noting that I cannot put it into any other PC in case it has a virus.

    If you could please advise what I should do re both the data and remediating the PC.

    Regards,
    Phil
  2. Broni Malware Annihilator Posts: 39,313   +175

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================

    Skip step 1 and complete as many steps as you can.
  3. Phil Ancell Newcomer, in training Posts: 21

    Thanks Broni.
    I got through Steps 2 and 3 ok, but when I got to Step 4 to download DDS, I got "404. That's an error. The requested URL /sUBs/DDS.scr was not found on this server." for both links.
    I noticed download.bleeping.computer.com/sUBs/dds.com as one of the attempted links for the DDS.com link, and when trying DDS.pif, it went to forospyware.com/sUBS/ then changed to infospyware.com/utiles/dds - the site was in Spanish and gave a 404 message when I tried to download. If those mean anything to you.

    Anyway, here are the results to date:

    Step 1 - ignored as instructed

    Step 2 - Ran Malwarebytes as instructed and here is the log:
    Malwarebytes Anti-Malware (Trial) 1.65.0.1400
    www.malwarebytes.org
    Database version: v2012.09.30.06
    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 8.0.6001.19088
    Alison :: ALISON-PC [administrator]
    Protection: Enabled
    1/10/2012 9:36:16 AM
    mbam-log-2012-10-01 (09-36-16).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 201905
    Time elapsed: 7 minute(s), 22 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 1
    C:\ProgramData\Windows\msdr.dll (Trojan.Sinowal) -> Delete on reboot.
    Registry Keys Detected: 2
    HKCR\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} (Trojan.Sinowal) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
    Registry Values Detected: 1
    HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Alison\AppData\Local\{27785302-92ce-583f-e9a2-93c72cea99d8}\n. -> Quarantined and deleted successfully.
    Registry Data Items Detected: 2
    HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
    HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-3856432456-3556964881-2861625783-1003\$2778530292ce583fe9a293c72cea99d8\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 7
    C:\ProgramData\Windows\msdr.dll (Trojan.Sinowal) -> Quarantined and deleted successfully.
    C:\$Recycle.Bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\n (Trojan.0Access) -> Delete on reboot.
    C:\$Recycle.Bin\S-1-5-21-3856432456-3556964881-2861625783-1003\$2778530292ce583fe9a293c72cea99d8\n (Trojan.0Access) -> Delete on reboot.
    C:\Users\Alison\AppData\Local\Temp\~!#7B1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\Alison\AppData\Local\Temp\~!#89CC.tmp (Trojan.Lameshield) -> Quarantined and deleted successfully.
    C:\Users\Alison\AppData\Local\Temp\390A.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\Users\Alison\Local Settings\Application Data\ekmljjdxfr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    (end)
    I then rebooted as instructed, and proceeded with Step 3.

    Step 3
    On running GMER.exe, I got a message: "GMER Load Driver ("C:\Users\Alison\Appdata\Local\Temp\fgliqpoc.sys") error 0xC000010E. An instance of the service is already running."

    I pressed ok, and it proceeded to run anyway quickly scanning, and I was able to save a GMER.log file. On opening the file, it was empty.

    I then proceeded to look to see if I could find my Anti virus, and re-enable the firewall in Control Panel, but got an error message "Due to an unidentified problem Windows cannot display Windows Firewall Settings."

    Would be grateful if you could continue with your assistance.
    Many thanks, Phil
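The Malwarebytes log pasted above is easier to reason about when parsed. This is an added example (not code from the thread or from Malwarebytes) that reads the 1.65 log format, counts detections per family, lists the objects still scheduled for "Delete on reboot" (i.e. not yet removed until the machine has restarted), pulls out the COM InProcServer32 entries the scanner repaired, and cross-checks each section's declared count against the lines actually present, which catches a truncated paste. The embedded excerpt is constructed from the detection lines quoted in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the Malwarebytes Anti-Malware 1.65 log quoted in the
# thread: the detection lines are the ones posted above, header lines trimmed.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.65.0.1400
Scan type: Quick scan
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 1
C:\ProgramData\Windows\msdr.dll (Trojan.Sinowal) -> Delete on reboot.
Registry Keys Detected: 2
HKCR\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} (Trojan.Sinowal) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Alison\AppData\Local\{27785302-92ce-583f-e9a2-93c72cea99d8}\n. -> Quarantined and deleted successfully.
Registry Data Items Detected: 2
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-3856432456-3556964881-2861625783-1003\$2778530292ce583fe9a293c72cea99d8\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 7
C:\ProgramData\Windows\msdr.dll (Trojan.Sinowal) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-18\$2778530292ce583fe9a293c72cea99d8\n (Trojan.0Access) -> Delete on reboot.
C:\$Recycle.Bin\S-1-5-21-3856432456-3556964881-2861625783-1003\$2778530292ce583fe9a293c72cea99d8\n (Trojan.0Access) -> Delete on reboot.
C:\Users\Alison\AppData\Local\Temp\~!#7B1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alison\AppData\Local\Temp\~!#89CC.tmp (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Users\Alison\AppData\Local\Temp\390A.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\Alison\Local Settings\Application Data\ekmljjdxfr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
(end)
"""

# "<Section> Detected: <n>" opens each block of the log.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<target> (<family>) -> <rest>." ; <rest> may carry "Data: ..." or
# "Bad: (...) Good: (...)" before a final " -> <action>".
DETECT_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)\.$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.+)\) Good: \((?P<good>.+)\)$")


@dataclass
class Detection:
    section: str      # log section, e.g. "Files" or "Registry Data Items"
    target: str       # file path or registry key that was flagged
    family: str       # Malwarebytes detection name, e.g. Trojan.0Access
    action: str       # what the scanner did, e.g. "Delete on reboot"
    detail: str = ""  # "Data: ..." or "Bad: (...) Good: (...)" when present

    @property
    def pending(self) -> bool:
        """True when removal was deferred to the next reboot (object was in use)."""
        return self.action.lower().startswith("delete on reboot")


def parse_mbam_log(text: str):
    """Return (detections, declared) where declared maps section -> count stated in the log."""
    detections, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            declared[section] = int(m["count"])
            continue
        m = DETECT_RE.match(line)
        if m and section is not None:
            # The action is always the last " -> " segment; anything before it is detail.
            detail, _, action = m["rest"].rpartition(" -> ")
            detections.append(Detection(section, m["target"], m["family"], action, detail))
    return detections, declared


def family_counts(detections):
    return Counter(d.family for d in detections)


def pending_reboot(detections):
    """Targets the scanner could not remove while Windows was running."""
    return [d.target for d in detections if d.pending]


def repaired_hijacks(detections):
    """(key, bad path, legitimate DLL) for InProcServer32 values the scanner pointed back."""
    out = []
    for d in detections:
        m = BAD_GOOD_RE.match(d.detail)
        if m:
            out.append((d.target, m["bad"], m["good"]))
    return out


def count_mismatches(detections, declared):
    """Sections whose declared count differs from the lines present (truncated or edited paste)."""
    seen = Counter(d.section for d in detections)
    return {s: (n, seen.get(s, 0)) for s, n in declared.items() if seen.get(s, 0) != n}


if __name__ == "__main__":
    dets, declared = parse_mbam_log(SAMPLE_LOG)
    for fam, n in family_counts(dets).most_common():
        print(f"{n:2d}  {fam}")
    print("still pending reboot:", *pending_reboot(dets), sep="\n  ")
    print("count mismatches:", count_mismatches(dets, declared) or "none")
```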
  4. Broni Malware Annihilator Posts: 39,313   +175

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
  5. Phil Ancell Newcomer, in training Posts: 21

    Hi Broni

    Apologies, but on clicking on the 32-Bit Farbar Recovery Scan Tool link, it went to bleepingcomputer.com, said it was downloading the Farbar Tool, but then produced the 404 message:
    404.
    That’s an error.
    The requested URL /dl/37a3e74b2d15a41cf9f592e75c10b140/5069082c/windows/security/security-utilities/f/farbar-recovery-scan-tool/32/FRST.exe was not found on this server.
    That’s all we know.

    Cheers, Phil
  6. Broni Malware Annihilator Posts: 39,313   +175

  7. Phil Ancell Newcomer, in training Posts: 21

    Hi Broni.
    Yes I was able to download the FRST.exe from that site onto a USB Stick.

    The next step you have prescribed, I'm getting a bit anxious - I should be able to get into the advanced boot options via F8, but I do not have a Windows Vista Installation Disc. Is this going to be a problem?
    It is a Toshiba Satellite L300, and I thought it was supposed to have a restore partition - but the boot options are F2 for CMOS and F12 for Boot menu, which simply lists the sources for boot, i.e. HDD, Floppy Drive, USB Memory, CD/DVD.

    Should I just go ahead and do the F8 option you stated regardless, or am I going to run into trouble?

    Sorry!

    Phil
  8. Broni Malware Annihilator Posts: 39,313   +175

    Go ahead with F8 and let me know if you find described options.
    If not we'll use different way.
  9. Phil Ancell Newcomer, in training Posts: 21

    Ok, I went ahead with F8 and selected the Repair your computer option.

    It then went into a screen saying, "Windows is loading files" - but it just sat there, no disk activity or any movement along the white bar at the bottom. I waited about 5 mins - should I have waited longer?
  10. Broni Malware Annihilator Posts: 39,313   +175

  11. Phil Ancell Newcomer, in training Posts: 21

    Ok, I followed the instructions there, downloaded the recdisk.exe, modified the permissions to Administrators full control on the old file in the System32 directory, successfully renamed it, copied the new file there, ran it from within that system32, and it prompted me to insert a disk - when I pressed ok, I got an Error Message:
    "The system cannot find the specified file. (0x80070002)"
  12. Phil Ancell Newcomer, in training Posts: 21

    Broni I do have original disks of Windows XP Professional for my home PC - I am assuming this cannot be used on a Vista PC to run the Frst.exe tool in a DOS window?
  13. Phil Ancell Newcomer, in training Posts: 21

    Hi Broni
    I know you must be rolling your eyes by now, and I apologise wholeheartedly for that. Thanks so much for your attention so far.

    I managed to download DDS.com onto another clean computer, and saved to DVD - do you want me to run Steps 2 - 4 again on the virus affected PC?

    I guess if this is looking like a lost cause, let me know, as my strategy is this:

    1. my prime concern is to get my daughter's data off the computer onto another so that she can continue her studies. I have copied all her valuable data to a USB stick, and labelled it "Virus", with enough to know that this USB will now most likely contain a trojan/rootkit virus. Can it be cleaned or made safe to put into another PC? Her data is mainly jpg's (she is a makeup artist), word docs, ppt's and .pub files. If not, can these files be uploaded to Skydrive for example, and transferred to another PC?

    2. obviously I would like to recover the affected PC as well, and if that means buying a new OS, then so be it - but I assume the PC needs to be made safe before doing that.

    If you could give me your thoughts, I'd greatly appreciate that. Once again apologies for this - I have tried to instill in my daughter the need to apply patches and keep the anti virus up to date - but I guess we often only learn after a disaster.

    Cheers,
    Phil
  14. Broni Malware Annihilator Posts: 39,313   +175

    Well, we still have a couple of tools we can use.

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
  15. Phil Ancell Newcomer, in training Posts: 21

    Hi Broni
    Thanks so much for your attention to this - I'm back at work now :-( so there will be some delays (I'm in Adelaide and won't be able to try till I get home tonight in about 9 hrs) between replies, so apologise for that.

    Just so that I have this right - to create the Bootable CD with OTLPEN.exe, does this need to be done on the infected Vista PC? or can this be created on my clean PC, (which is W7), to then use on the Vista PC?
    Also, when I do copy the OTL.txt file to a USB drive, can I copy this to the likely infected USB or do I need to insert a clean one?
    Just want to ensure I'm doing the right thing.

    Cheers,
    Phil
  16. Broni Malware Annihilator Posts: 39,313   +175

  17. Phil Ancell Newcomer, in training Posts: 21

    Ok - just one more quick question before I get into trouble at work here - the likely infected USB that I have with my daughter's .docx, jpg's .pubs, .ppt's - will that be ok to transfer to the clean PC if I use the Panda USB Vaccine on the clean PC? or is that too risky?

    Cheers,
    Phil
  18. Broni Malware Annihilator Posts: 39,313   +175

    You have to scan all those files with updated AV program right after inserting that stick into clean computer.
    If nothing found you can transfer files.
  19. Phil Ancell Newcomer, in training Posts: 21

    Hi Broni

    I managed to do the above and produce the OTL.txt report displayed below.

    Just for info, with the instructions, when I double-clicked on OTLE icon, it executed and displayed a dialog asking for drive to browse. I selected C: - it gave error messages saying System was not W2000 or later, but finally when I selected C:\windows, the scanner program loaded.
    When it prompted however, it did not ask if I wished to load the remote registry, only asked do you wish to load remote user profile(s) which I responded yes ensuring all remaining profiles option was checked.

    Anyhow, here is the report:
    OTL logfile created on: 10/2/2012 8:32:50 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Windows Vista (TM) Home Premium Service Pack 1 (Version = 6.0.6001) - Type = System
    Internet Explorer (Version = 8.0.6001.19088)
    Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 86.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 104.33 Gb Total Space | 46.82 Gb Free Space | 44.88% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2012/09/07 03:34:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012/09/07 03:34:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
    SRV - [2012/05/10 00:46:50 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/03/14 08:27:33 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2011/06/13 07:39:22 | 000,267,568 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Microsoft Fix it Center\Matsvc.exe -- (MatSvc)
    SRV - [2008/04/06 18:47:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2008/01/21 02:24:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto] -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
    SRV - [2008/01/17 01:57:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
    SRV - [2007/12/25 17:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
    SRV - [2007/12/03 02:33:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
    SRV - [2007/11/21 21:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
    SRV - [2007/10/29 10:05:40 | 000,937,984 | ---- | M] (Atheros Communications, Inc.) [On_Demand] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
    SRV - [2006/10/05 00:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
    SRV - [2006/08/23 02:09:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
    DRV - File not found [Kernel | System] -- -- (mimyzlbo)
    DRV - File not found [Kernel | System] -- -- (khztokbd)
    DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
    DRV - File not found [Kernel | System] -- -- (ikvbbhiq)
    DRV - File not found [Kernel | System] -- -- (gglvftzk)
    DRV - [2012/09/07 03:34:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2010/06/22 18:51:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
    DRV - [2009/05/10 19:34:34 | 000,036,608 | ---- | M] () [Kernel | On_Demand] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
    DRV - [2009/04/27 18:14:56 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
    DRV - [2009/04/27 18:14:54 | 000,105,344 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
    DRV - [2009/04/27 18:14:42 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
    DRV - [2009/04/27 18:14:34 | 000,009,728 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\Windows\System32\drivers\massfilter.sys -- (massfilter)
    DRV - [2008/07/28 14:35:04 | 000,919,552 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\athr.sys -- (athr)
    DRV - [2008/01/21 01:12:24 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\tos_sps32.sys -- (tos_sps32)
    DRV - [2007/11/08 23:30:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
    DRV - [2007/09/17 01:23:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
    DRV - [2007/08/31 03:13:32 | 000,020,352 | ---- | M] (Atheros Communications, Inc.) [Kernel | System] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
    DRV - [2006/11/28 03:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2006/11/20 18:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
    DRV - [2006/10/18 15:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\URLSearchHook: {3bbd3c14-4c16-4989-8366-95bc9179779d} - C:\Program Files\FLV_Runner\prxtbFLV_.dll (Conduit Ltd.)


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Alison_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\Alison_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\Alison_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Alison_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local




    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
    FF - prefs.js..browser.search.defaultthis.engineName: "MakeMeBabies 2.0 Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3027459&SearchSource=3&q={searchTerms}"
    FF - prefs.js..browser.search.selectedEngine: "MakeMeBabies 2.0 Customized Web Search"
    FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3027459&SearchSource=13"
    FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1410
    FF - prefs.js..keyword.URL: "http://search.avg.com/?d=4d609352&I=23&tp=ab&nt=1&q="


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/10 00:46:50 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/09 19:41:28 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{9E2C191D-C57A-11E1-8270-B8AC6F996F26}: C:\Users\Alison\AppData\Local\{9E2C191D-C57A-11E1-8270-B8AC6F996F26}\ [2012/07/03 21:50:24 | 000,000,000 | ---D | M]

    [2009/07/17 21:29:57 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Alison\AppData\Roaming\Mozilla\Extensions
    [2012/09/28 08:38:52 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Alison\AppData\Roaming\Mozilla\Firefox\Profiles\a12r84fu.default\extensions
    [2012/08/27 04:07:32 | 000,000,000 | ---D | M] (MakeMeBabies 2.0 Community Toolbar) -- C:\Users\Alison\AppData\Roaming\Mozilla\Firefox\Profiles\a12r84fu.default\extensions\{d4330680-c0ae-4226-8a21-0afe2fd1ac24}
    [2012/04/05 00:05:34 | 000,000,935 | ---- | M] () -- C:\Users\Alison\AppData\Roaming\Mozilla\Firefox\Profiles\a12r84fu.default\searchplugins\conduit.xml
    [2011/11/13 06:31:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    File not found (No name found) --
    [2012/07/03 21:50:24 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\USERS\ALISON\APPDATA\LOCAL\{9E2C191D-C57A-11E1-8270-B8AC6F996F26}
    () (No name found) -- C:\USERS\ALISON\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\A12R84FU.DEFAULT\EXTENSIONS\{C45C406E-AB73-11D8-BE73-000A95BE3B12}.XPI
    [2012/05/10 00:46:48 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2012/05/10 00:46:41 | 000,001,525 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2012/03/24 04:49:35 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/05/10 00:46:41 | 000,000,935 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2012/05/10 00:46:41 | 000,001,166 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2012/05/10 00:46:50 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
    [2012/05/10 00:46:41 | 000,001,121 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (FLV Runner Toolbar) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - C:\Program Files\FLV_Runner\prxtbFLV_.dll (Conduit Ltd.)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
    O3 - HKLM\..\Toolbar: (FLV Runner Toolbar) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - C:\Program Files\FLV_Runner\prxtbFLV_.dll (Conduit Ltd.)
    O3 - HKU\Alison_ON_C\..\Toolbar\WebBrowser: (FLV Runner Toolbar) - {3BBD3C14-4C16-4989-8366-95BC9179779D} - C:\Program Files\FLV_Runner\prxtbFLV_.dll (Conduit Ltd.)
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [autodetect] C:\Windows\System32\SupportAppXL\AutoDect.exe ()
    O4 - HKLM..\Run: [NDSTray.exe] File not found
    O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
    O4 - HKU\Alison_ON_C..\Run: [Waafloete] C:\Users\Alison\AppData\Roaming\Ossa\vyod.exe ()
    O4 - HKU\LocalService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O4 - HKU\NetworkService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\Windows\System32\cmd.exe (Microsoft Corporation)
    O4 - Startup: C:\Users\Alison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = File not found
    O4 - Startup: C:\Users\Alison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sidebar.lnk = File not found
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\Alison_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\Alison_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Alison_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1
    O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 203.12.160.35 203.12.160.36
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper:
    O24 - Desktop BackupWallPaper:
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O33 - MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\Shell - "" = AutoRun
    O33 - MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\runMe.htm
    O33 - MountPoints2\{4537bbab-d24a-11dd-80e7-001e3354005b}\Shell - "" = AutoRun
    O33 - MountPoints2\{4537bbab-d24a-11dd-80e7-001e3354005b}\Shell\AutoRun\command - "" = D:\DPFMate.exe
    O33 - MountPoints2\{d659fae0-bc98-11df-abb6-9df7a1e37b3f}\Shell - "" = AutoRun
    O33 - MountPoints2\{d659fae0-bc98-11df-abb6-9df7a1e37b3f}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
    O33 - MountPoints2\{dc6de24a-9e94-11dd-88df-a75e1266564d}\Shell\AutoRun\command - "" = D:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
    O33 - MountPoints2\{dc6de24a-9e94-11dd-88df-a75e1266564d}\Shell\open\command - "" = D:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/10/01 03:48:39 | 000,905,740 | ---- | C] (Farbar) -- C:\Users\Alison\Desktop\FRST.exe
    [2012/10/01 03:48:39 | 000,607,260 | ---- | C] (Swearware) -- C:\Users\Alison\Desktop\dds.com
    [2012/10/01 03:48:31 | 010,524,080 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Alison\Desktop\mbam-setup-1.65.0.1400.exe
    [2012/10/01 03:48:04 | 000,000,000 | ---D | C] -- C:\Users\Alison\Desktop\Attempt1
    [2012/09/30 20:05:09 | 000,000,000 | ---D | C] -- C:\Users\Alison\AppData\Roaming\Malwarebytes
    [2012/09/30 20:04:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/09/30 20:04:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/09/30 20:04:43 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/09/30 20:04:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/09/28 05:31:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
    [2012/09/28 05:30:24 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
    [2012/09/28 05:30:18 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
    [2012/09/28 05:23:18 | 000,000,000 | -HSD | C] -- C:\Config.Msi
    [2012/09/28 02:57:11 | 000,000,000 | ---D | C] -- C:\ProgramData\HP Photo Creations
    [2012/09/28 02:57:11 | 000,000,000 | ---D | C] -- C:\Program Files\HP Photo Creations
    [2012/09/28 02:56:01 | 000,000,000 | ---D | C] -- C:\Users\Alison\AppData\Roaming\HpUpdate
    [2012/09/28 02:55:46 | 000,544,616 | ---- | C] (Hewlett-Packard Co.) -- C:\Windows\System32\HPDiscoPMA611.dll
    [2012/09/28 02:55:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
    [2012/09/28 02:53:23 | 000,000,000 | ---D | C] -- C:\ProgramData\HP
    [2012/09/28 02:52:57 | 000,000,000 | ---D | C] -- C:\Program Files\HP
    [2012/09/28 02:52:06 | 000,000,000 | ---D | C] -- C:\Users\Alison\AppData\Local\HP
    [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/10/01 07:46:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/10/01 07:41:32 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{F286256D-BAC5-40C4-B58B-2459DA730926}.job
    [2012/10/01 07:32:33 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/10/01 07:32:33 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/10/01 07:31:01 | 000,000,258 | ---- | M] () -- C:\Windows\tasks\HP Photo Creations Messager.job
    [2012/10/01 03:34:51 | 000,905,740 | ---- | M] (Farbar) -- C:\Users\Alison\Desktop\FRST.exe
    [2012/10/01 03:32:37 | 000,607,260 | ---- | M] (Swearware) -- C:\Users\Alison\Desktop\dds.com
    [2012/10/01 03:31:40 | 000,302,592 | ---- | M] () -- C:\Users\Alison\Desktop\Gmerrbhhj6er.exe
    [2012/10/01 03:30:40 | 010,524,080 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Alison\Desktop\mbam-setup-1.65.0.1400.exe
    [2012/10/01 01:39:14 | 000,600,770 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/10/01 01:39:14 | 000,106,244 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/10/01 01:32:24 | 2136,969,216 | -HS- | M] () -- C:\hiberfil.sys
    [2012/10/01 00:26:40 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\recdisc.exe
    [2012/10/01 00:19:24 | 000,117,168 | ---- | M] () -- C:\Users\Alison\Desktop\recdisc_x86.zip
    [2012/09/30 21:47:31 | 000,002,311 | ---- | M] () -- C:\Users\Alison\Desktop\[Active] - Read Instructions - but cannot access antivirus sites for Step 1 - TechSpot Forums#post-1236488#post-1236488.url
    [2012/09/30 20:04:45 | 000,000,951 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/09/30 20:04:45 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/09/29 02:25:07 | 000,173,056 | ---- | M] () -- C:\Users\Alison\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/09/28 22:22:53 | 000,002,305 | ---- | M] () -- C:\Users\Alison\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
    [2012/09/28 21:51:03 | 000,002,651 | ---- | M] () -- C:\Users\Alison\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk
    [2012/09/28 05:31:47 | 000,001,709 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
    [2012/09/28 05:31:47 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
    [2012/09/28 05:24:33 | 000,001,854 | ---- | M] () -- C:\Users\Public\Desktop\Safari.lnk
    [2012/09/28 05:24:33 | 000,001,854 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Safari.lnk
    [2012/09/28 02:57:19 | 000,001,833 | ---- | M] () -- C:\Users\Public\Desktop\HP Photo Creations.lnk
    [2012/09/28 02:57:19 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
    [2012/09/28 02:55:45 | 000,002,160 | ---- | M] () -- C:\Users\Public\Desktop\HP Photosmart 7510 series.lnk
    [2012/09/28 02:55:45 | 000,001,128 | ---- | M] () -- C:\Users\Public\Desktop\Shop for Supplies - HP Photosmart 7510 series.lnk
    [2012/09/28 02:55:44 | 000,001,795 | ---- | M] () -- C:\Users\Public\Desktop\HP ePrintCenter - HP Photosmart 7510 series.lnk
    [2012/09/28 02:52:47 | 000,000,057 | ---- | M] () -- C:\ProgramData\Ament.ini
    [2012/09/16 07:00:07 | 000,000,374 | ---- | M] () -- C:\Users\Alison\Desktop\Media Makeup Character Assignment.pdf - Shortcut.lnk
    [2012/09/10 21:38:36 | 001,063,607 | ---- | M] () -- C:\Users\Alison\Documents\Slim-Down-Meal-Plan.pdf
    [2012/09/07 03:34:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/10/01 03:48:28 | 000,302,592 | ---- | C] () -- C:\Users\Alison\Desktop\Gmerrbhhj6er.exe
    [2012/10/01 00:18:59 | 000,117,168 | ---- | C] () -- C:\Users\Alison\Desktop\recdisc_x86.zip
    [2012/09/30 21:47:31 | 000,002,311 | ---- | C] () -- C:\Users\Alison\Desktop\[Active] - Read Instructions - but cannot access antivirus sites for Step 1 - TechSpot Forums#post-1236488#post-1236488.url
    [2012/09/30 20:04:45 | 000,000,951 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/09/28 05:31:47 | 000,001,709 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
    [2012/09/28 02:57:19 | 000,001,833 | ---- | C] () -- C:\Users\Public\Desktop\HP Photo Creations.lnk
    [2012/09/28 02:57:16 | 000,000,258 | ---- | C] () -- C:\Windows\tasks\HP Photo Creations Messager.job
    [2012/09/28 02:55:45 | 000,002,160 | ---- | C] () -- C:\Users\Public\Desktop\HP Photosmart 7510 series.lnk
    [2012/09/28 02:55:45 | 000,001,128 | ---- | C] () -- C:\Users\Public\Desktop\Shop for Supplies - HP Photosmart 7510 series.lnk
    [2012/09/28 02:55:44 | 000,001,795 | ---- | C] () -- C:\Users\Public\Desktop\HP ePrintCenter - HP Photosmart 7510 series.lnk
    [2012/09/28 02:52:47 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
    [2012/09/16 07:00:07 | 000,000,374 | ---- | C] () -- C:\Users\Alison\Desktop\Media Makeup Character Assignment.pdf - Shortcut.lnk
    [2012/09/10 21:38:36 | 001,063,607 | ---- | C] () -- C:\Users\Alison\Documents\Slim-Down-Meal-Plan.pdf
    [2012/06/05 02:07:34 | 000,000,041 | ---- | C] () -- C:\Users\Alison\AppData\Roaming\FEE514.dat
    [2012/04/02 02:14:17 | 000,000,256 | -H-- | C] () -- C:\ProgramData\HUp5kSreidwXln
    [2011/11/12 22:19:42 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2011/11/12 22:19:42 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2010/06/28 07:45:51 | 000,000,014 | ---- | C] () -- C:\Windows\System32\systeminfo.dll
    [2009/12/27 05:24:53 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
    [2009/12/27 05:24:53 | 000,036,608 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
    [2009/12/02 18:57:30 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
    [2009/01/22 20:44:33 | 000,303,104 | ---- | C] () -- C:\Windows\System32\FXStudioDLL.dll
    [2009/01/22 20:44:24 | 000,131,072 | ---- | C] () -- C:\Windows\System32\RapBoxDSP.dll
    [2009/01/22 20:44:23 | 000,126,976 | ---- | C] () -- C:\Windows\System32\NewWaveAnzeige.dll
    [2009/01/22 20:44:23 | 000,045,056 | ---- | C] () -- C:\Windows\System32\fader.dll
    [2009/01/22 20:44:20 | 000,235,532 | ---- | C] () -- C:\Windows\System32\loadimage.dll
    [2009/01/22 20:44:20 | 000,081,920 | ---- | C] () -- C:\Windows\System32\eJ_Tool.dll
    [2009/01/22 20:44:10 | 000,307,200 | ---- | C] () -- C:\Windows\System32\fxstudio.dll
    [2009/01/22 20:44:10 | 000,075,976 | ---- | C] () -- C:\Windows\System32\Bassdec.dll
    [2009/01/22 20:44:10 | 000,032,768 | ---- | C] () -- C:\Windows\System32\WndRgn.dll
    [2009/01/22 20:44:05 | 000,360,448 | ---- | C] () -- C:\Windows\System32\pxd32d5.dll
    [2009/01/22 20:44:05 | 000,029,696 | ---- | C] () -- C:\Windows\System32\pthread.dll
    [2009/01/22 20:44:00 | 000,147,456 | ---- | C] () -- C:\Windows\System32\lttls13n.dll
    [2009/01/22 20:43:59 | 000,796,672 | ---- | C] () -- C:\Windows\System32\LTRTN13n.DLL
    [2009/01/22 20:43:44 | 000,708,608 | ---- | C] () -- C:\Windows\System32\ltcry13n.dll
    [2009/01/22 20:43:40 | 000,031,744 | ---- | C] () -- C:\Windows\System32\lfvec13n.dll
    [2009/01/22 20:43:35 | 000,118,784 | ---- | C] () -- C:\Windows\System32\lfkodak.dll
    [2009/01/22 20:43:31 | 000,338,944 | ---- | C] () -- C:\Windows\System32\lffpx7.dll
    [2008/10/21 07:19:35 | 000,024,206 | -H-- | C] () -- C:\Users\Alison\AppData\Roaming\UserTile.png
    [2008/10/21 07:10:43 | 000,173,056 | ---- | C] () -- C:\Users\Alison\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/10/18 00:26:42 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
    [2008/10/17 06:08:05 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
    [2008/10/17 06:08:05 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
    [2008/10/17 06:08:05 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
    [2008/10/17 06:08:05 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
    [2008/10/17 06:08:05 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
    [2008/10/17 06:08:05 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
    [2008/10/17 05:50:09 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
    [2008/10/17 05:50:09 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
    [2008/10/17 05:50:09 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
    [2008/10/17 05:50:09 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
    [2008/10/17 05:47:43 | 000,000,680 | -H-- | C] () -- C:\Users\Alison\AppData\Local\d3d9caps.dat
    [2008/02/11 20:10:35 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
    [2008/02/11 19:16:12 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
    [2008/02/11 19:05:13 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
    [2008/02/11 19:05:13 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
    [2008/02/11 19:05:13 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
    [2008/02/11 19:05:13 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
    [2007/10/25 02:56:10 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
    [2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 08:47:37 | 001,740,464 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 06:33:01 | 000,600,770 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 06:33:01 | 000,106,244 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

    ========== LOP Check ==========

    [2011/11/09 18:33:35 | 000,000,000 | -H-D | M] -- C:\Users\Alison\AppData\Roaming\AVG
    [2012/06/29 08:45:54 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Caguah
    [2012/10/01 01:34:26 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Dropbox
    [2012/06/27 07:56:41 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Gely
    [2012/04/02 02:28:55 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\GetRightToGo
    [2012/06/16 23:10:07 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Giyw
    [2012/07/15 21:03:22 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Heesyx
    [2012/07/03 21:49:13 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Idicw
    [2012/07/06 07:31:52 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Izefw
    [2010/12/26 00:45:21 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\LimeWire
    [2012/07/31 08:47:04 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Lite
    [2012/07/15 21:03:22 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Ossa
    [2009/12/28 19:47:42 | 000,000,000 | -H-D | M] -- C:\Users\Alison\AppData\Roaming\PC Suite
    [2012/07/08 00:01:00 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Qukun
    [2011/11/08 07:38:49 | 000,000,000 | -H-D | M] -- C:\Users\Alison\AppData\Roaming\Samsung
    [2008/10/24 07:51:57 | 000,000,000 | -H-D | M] -- C:\Users\Alison\AppData\Roaming\toshiba
    [2011/11/08 06:14:24 | 000,000,000 | -H-D | M] -- C:\Users\Alison\AppData\Roaming\Ulead Systems
    [2012/06/28 20:57:18 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Vacy
    [2012/10/01 07:36:06 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Yblys
    [2012/06/14 22:37:48 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Ysf
    [2012/09/28 05:31:39 | 000,000,000 | ---D | M] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
    [2011/11/16 06:58:46 | 000,000,000 | -H-D | M] -- C:\ProgramData\Aiseesoft Studio
    [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
    [2011/11/12 00:26:04 | 000,000,000 | -H-D | M] -- C:\ProgramData\AVG10
    [2011/11/09 19:22:20 | 000,000,000 | -H-D | M] -- C:\ProgramData\BlazeVideo
    [2011/02/20 00:05:01 | 000,000,000 | -H-D | M] -- C:\ProgramData\Common Files
    [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
    [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
    [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
    [2011/11/12 00:22:56 | 000,000,000 | -H-D | M] -- C:\ProgramData\MFAData
    [2009/12/28 19:47:44 | 000,000,000 | -H-D | M] -- C:\ProgramData\PC Suite
    [2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
    [2011/11/09 23:40:19 | 000,000,000 | ---D | M] -- C:\ProgramData\Temp
    [2006/11/02 09:02:04 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
    [2008/10/17 06:04:44 | 000,000,000 | -H-D | M] -- C:\ProgramData\Toshiba
    [2012/04/02 02:27:51 | 000,000,000 | ---D | M] -- C:\ProgramData\Ulead Systems
    [2012/09/30 20:14:56 | 000,000,000 | ---D | M] -- C:\ProgramData\Windows
    [2009/08/28 03:36:35 | 000,000,000 | -H-D | M] -- C:\ProgramData\WindowsSearch
    [2010/05/28 03:38:14 | 000,000,000 | ---D | M] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2011/11/09 17:54:53 | 000,000,000 | -H-D | M] -- C:\ProgramData\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
    [2012/10/01 01:13:52 | 000,032,540 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2012/10/01 07:41:32 | 000,000,424 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{F286256D-BAC5-40C4-B58B-2459DA730926}.job

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 22528 bytes -> C:\Windows\System32\autochk.exe:BAK
    @Alternate Data Stream - 131 bytes -> C:\ProgramData\Temp:0B4227B4
    < End of report >
  20. Broni Malware Annihilator Posts: 39,313   +175

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    DRV - File not found [Kernel | System] -- -- (mimyzlbo)
    DRV - File not found [Kernel | System] -- -- (khztokbd)
    DRV - File not found [Kernel | System] -- -- (ikvbbhiq)
    DRV - File not found [Kernel | System] -- -- (gglvftzk)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKU\Alison_ON_C..\Run: [Waafloete] C:\Users\Alison\AppData\Roaming\Ossa\vyod.exe ()
    O33 - MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\Shell - "" = AutoRun
    O33 - MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\runMe.htm
    O33 - MountPoints2\{4537bbab-d24a-11dd-80e7-001e3354005b}\Shell - "" = AutoRun
    O33 - MountPoints2\{4537bbab-d24a-11dd-80e7-001e3354005b}\Shell\AutoRun\command - "" = D:\DPFMate.exe
    O33 - MountPoints2\{d659fae0-bc98-11df-abb6-9df7a1e37b3f}\Shell - "" = AutoRun
    O33 - MountPoints2\{d659fae0-bc98-11df-abb6-9df7a1e37b3f}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
    O33 - MountPoints2\{dc6de24a-9e94-11dd-88df-a75e1266564d}\Shell\AutoRun\command - "" = D:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
    O33 - MountPoints2\{dc6de24a-9e94-11dd-88df-a75e1266564d}\Shell\open\command - "" = D:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
    [2012/04/02 02:14:17 | 000,000,256 | -H-- | C] () -- C:\ProgramData\HUp5kSreidwXln
    [2012/06/16 23:10:07 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Giyw
    [2012/07/15 21:03:22 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Heesyx
    [2012/07/03 21:49:13 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Idicw
    [2012/07/06 07:31:52 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Izefw
    [2012/06/28 20:57:18 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Vacy
    [2012/10/01 07:36:06 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Yblys
    [2012/06/14 22:37:48 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Ysf
    @Alternate Data Stream - 22528 bytes -> C:\Windows\System32\autochk.exe:BAK
    @Alternate Data Stream - 131 bytes -> C:\ProgramData\Temp:0B4227B4
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Remove the CD and shut down computer manually.
    • Attempt to reboot normally into Windows.

    =====================================

    See if you can do the following...

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ==================================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If restarting doesn't help use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done, Notepad will open with the rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
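    For readers following the triage behind the :OTL fix above: the entries Broni lifted out of the OTL report fall into a few recognisable shapes (DRV entries whose file is missing, a Run key launching an unsigned binary from AppData\Roaming, MountPoints2 autorun handlers, alternate data streams, and short random-looking AppData\Roaming folders from the LOP check). The script below is an added example written for this thread; it is not OTL's code, not part of the fix, and not something Broni posted. It parses lines in OTL's format and reports which ones match those shapes, so a defender reading a similar log can see why each line stands out. The regexes, severities, the tiny KNOWN_VENDORS allowlist and the "looks random" rule are all assumptions of this example; most sample lines are taken from the report in this thread, and the two benign control lines are constructed and marked as such. The random-folder rule only proposes candidates (it also flags Caguah, Gely, Ossa, Qukun and Lite from the LOP check), which is exactly the point at which an analyst, not a script, decides.

```python
"""Triage helper for OTL (OldTimer's List-It) report lines.

Added example for this thread; not OTL's code and not the posted fix. It
scores the kinds of entries the :OTL fix in this thread targets. Rules and
allowlist are assumptions of the example, not OTL features.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, category, evidence)

# Line shapes as they appear in OTL output (assumed from the report in this thread).
DRV_MISSING = re.compile(r"^DRV - File not found .*\((?P<svc>[^)]+)\)\s*$")
O4_RUN = re.compile(r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?) \((?P<company>[^)]*)\)\s*$")
O33_CMD = re.compile(r'^O33 - MountPoints2\\(?P<guid>\{[0-9a-f-]+\})\\Shell\\(?P<verb>\w+)\\command - "" = (?P<cmd>.+)$')
ADS = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
LOP_DIR = re.compile(r"^\[[^\]]+\] -- (?P<path>.+\\AppData\\Roaming\\(?P<name>[^\\]+))$")

# Assumed, deliberately tiny allowlist for the folder heuristic; a real one would be much larger.
KNOWN_VENDORS = {"Dropbox", "LimeWire", "Samsung", "Microsoft", "Malwarebytes", "Adobe", "Mozilla"}


def looks_random(name: str) -> bool:
    """Heuristic: one capitalised word of 3-7 letters, no digits or spaces, not a known vendor.
    This is the Gely/Giyw/Yblys pattern from the LOP check; it yields candidates, not verdicts."""
    return bool(re.fullmatch(r"[A-Z][a-z]{2,6}", name)) and name not in KNOWN_VENDORS


def triage_line(line: str) -> List[Finding]:
    """Return zero or more findings for a single OTL report line."""
    line = line.strip()
    out: List[Finding] = []
    if m := DRV_MISSING.match(line):
        # Driver service registered but its file is gone: leftover of something removed or hiding.
        out.append(("medium", "orphaned-driver", m["svc"]))
    elif line.startswith("O4 - ") and line.endswith("File not found"):
        out.append(("low", "orphaned-run-key", line))
    elif m := O4_RUN.match(line):
        # Autostart from the roaming profile with no publisher name is the classic dropper shape.
        if "\\AppData\\Roaming\\" in m["cmd"] and not m["company"].strip():
            out.append(("high", "run-key-appdata-unsigned", f"{m['name']} -> {m['cmd']}"))
    elif m := O33_CMD.match(line):
        # Per-device autorun handlers cached from removable media; worth removing wholesale.
        out.append(("medium", "mountpoints2-autorun", f"{m['guid']} {m['verb']}: {m['cmd']}"))
    elif m := ADS.match(line):
        out.append(("medium", "alternate-data-stream", m["path"]))
    elif m := LOP_DIR.match(line):
        if looks_random(m["name"]):
            out.append(("low", "random-roaming-dir", m["path"]))
    return out


def triage_report(text: str) -> List[Finding]:
    """Run triage_line over every line of a report and collect the findings in order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


# Sample input: lines copied from the OTL report in this thread, plus two constructed
# benign control lines (marked) so the rules can be seen not firing.
SAMPLE_OTL = r"""
DRV - File not found [Kernel | System] -- -- (mimyzlbo)
DRV - [2012/09/07 03:34:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
O4 - HKLM..\Run: [] File not found
O4 - HKU\Alison_ON_C..\Run: [Waafloete] C:\Users\Alison\AppData\Roaming\Ossa\vyod.exe ()
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O33 - MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\runMe.htm
O33 - MountPoints2\{262ac3aa-d4c5-11de-a9ba-001e3354005b}\Shell - "" = AutoRun
@Alternate Data Stream - 22528 bytes -> C:\Windows\System32\autochk.exe:BAK
[2012/07/15 21:03:22 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Heesyx
[2010/12/26 00:45:21 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\LimeWire
[2012/10/01 01:34:26 | 000,000,000 | ---D | M] -- C:\Users\Alison\AppData\Roaming\Dropbox
"""
# The second DRV line and the MSC Run line above are constructed controls, not from the report.

if __name__ == "__main__":
    for severity, category, evidence in triage_report(SAMPLE_OTL):
        print(f"[{severity:6}] {category:26} {evidence}")
```

    Run it as-is to see six findings from the sample; to use it on a saved OTL.txt, pass the file contents to triage_report. The "\Shell - "" = AutoRun" lines are intentionally ignored because the command lines beneath them carry the actual handler, which is what the fix removes.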