nsa virus moneypak

[magnolia245]

 

[Fiery]

Hi and welcome to MalwareTips!

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:

• Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
• Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
• Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
• Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
• The absence of symptoms does not mean your PC is fully disinfected.
• If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
• Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>
Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
O4 - Startup: C:\Documents and Settings\CPW\Start Menu\Programs\Startup\rlc1a8zlc.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)
[2013/10/29 15:54:39 | 000,139,264 | ---- | C] (Sekizenkan Company) -- C:\Documents and Settings\All Users\Application Data\clz8a1clr.dss
[2013/10/30 17:29:37 | 095,025,368 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rlc1a8zlc.bxx
[2013/10/30 17:29:15 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rlc1a8zlc.fvv
[2013/10/29 15:56:50 | 000,000,399 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rlc1a8zlc.reg
[2013/10/29 15:54:39 | 000,139,264 | ---- | M] (Sekizenkan Company) -- C:\Documents and Settings\All Users\Application Data\clz8a1clr.dss
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMPFC5A2B2
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP1B5B4F1

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool(For Vista or Windows 7, right-click and select Run as Administrator to start)
• Click Scan then Clean
• Please post the content of that logfile with your next reply.
• You can find the logfile at C:\AdwCleaner\Adwcleaner[S0].txt

Download & SAVE to your Desktop RogueKiller or from here

• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select Run as Administrator to start
• Wait until Prescan has finished, then click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• Click delete and wait until it saids deleting finished
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
  Exit/Close RogueKiller+

 

[magnolia245]

Hi and welcome to MalwareTips!

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:

• Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
• Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
• Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
• Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
• The absence of symptoms does not mean your PC is fully disinfected.
• If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
• Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>
Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
O4 - Startup: C:\Documents and Settings\CPW\Start Menu\Programs\Startup\rlc1a8zlc.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)
[2013/10/29 15:54:39 | 000,139,264 | ---- | C] (Sekizenkan Company) -- C:\Documents and Settings\All Users\Application Data\clz8a1clr.dss
[2013/10/30 17:29:37 | 095,025,368 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rlc1a8zlc.bxx
[2013/10/30 17:29:15 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rlc1a8zlc.fvv
[2013/10/29 15:56:50 | 000,000,399 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rlc1a8zlc.reg
[2013/10/29 15:54:39 | 000,139,264 | ---- | M] (Sekizenkan Company) -- C:\Documents and Settings\All Users\Application Data\clz8a1clr.dss
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMPFC5A2B2
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP1B5B4F1

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool(For Vista or Windows 7, right-click and select Run as Administrator to start)
• Click Scan then Clean
• Please post the content of that logfile with your next reply.
• You can find the logfile at C:\AdwCleaner\Adwcleaner[S0].txt

Download & SAVE to your Desktop RogueKiller or from here

• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select Run as Administrator to start
• Wait until Prescan has finished, then click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• Click delete and wait until it saids deleting finished
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
  Exit/Close RogueKiller+

# AdwCleaner v3.010 - Report created 31/10/2013 at 10:47:14
# Updated 20/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : CPW - PETER
# Running from : C:\Documents and Settings\CPW\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : Application Updater

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
Folder Deleted : C:\Documents and Settings\All Users\Application Data\ParetoLogic
Folder Deleted : C:\Documents and Settings\All Users\Application Data\PC Optimizer Pro
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Premium
Folder Deleted : C:\Documents and Settings\All Users\Application Data\SpeedyPC Software
Folder Deleted : C:\Program Files\Application Updater
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\IObit Apps Toolbar
Folder Deleted : C:\Program Files\registry mechanic
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Program Files\Common Files\ParetoLogic
Folder Deleted : C:\Program Files\Common Files\spigot
Folder Deleted : C:\Documents and Settings\CPW\Local Settings\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\CPW\Local Settings\Application Data\AVG Security Toolbar
Folder Deleted : C:\Documents and Settings\CPW\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Documents and Settings\CPW\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\CPW\Application Data\DriverCure
Folder Deleted : C:\Documents and Settings\CPW\Application Data\registry mechanic
Folder Deleted : C:\Documents and Settings\CPW\Application Data\Search Settings
Folder Deleted : C:\Documents and Settings\CPW\Application Data\SpeedyPC Software
Folder Deleted : C:\Documents and Settings\CPW\Application Data\Mozilla\Firefox\Profiles\mknq500a.default\ConduitCommon
Folder Deleted : C:\Documents and Settings\CPW\Application Data\Mozilla\Firefox\Profiles\mknq500a.default\Extensions\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}
[!] Folder Deleted : C:\Documents and Settings\CPW\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
File Deleted : C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\e136b25o.default\.autoreg
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Documents and Settings\CPW\Application Data\Mozilla\Firefox\Profiles\mknq500a.default\user.js
File Deleted : C:\WINDOWS\Tasks\paretologic registration3.job
File Deleted : C:\WINDOWS\Tasks\paretologic update version3.job

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\driverscanner
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar
Key Deleted : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.fh_hookeventsink
Key Deleted : HKLM\SOFTWARE\Classes\toolband.fh_hookeventsink.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem
Key Deleted : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_dialogeventshandler
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_dialogeventshandler.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_launcher
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_launcher.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_printmanager
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_printmanager.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_printdialogcallback
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_printdialogcallback.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.tbtoolband
Key Deleted : HKLM\SOFTWARE\Classes\toolband.tbtoolband.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.useroptions
Key Deleted : HKLM\SOFTWARE\Classes\toolband.useroptions.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{03EB0E9C-7A91-4381-A220-9B52B641CDB1}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{327C2873-E90D-4C37-AA9D-10AC9BABA46C}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{03EB0E9C-7A91-4381-A220-9B52B641CDB1}]
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKCU\Software\pc optimizer pro
Key Deleted : HKCU\Software\Search Settings
Key Deleted : HKCU\Software\SpeedyPC Software
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings
Key Deleted : HKLM\Software\Application Updater
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\ParetoLogic
Key Deleted : HKLM\Software\pc optimizer pro
Key Deleted : HKLM\Software\Search Settings
Key Deleted : HKLM\Software\SpeedyPC Software
Key Deleted : HKLM\Software\Uniblue\DriverScanner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v3.6.13 (en-US)

[ File : C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\e136b25o.default\prefs.js ]


[ File : C:\Documents and Settings\CPW\Application Data\Mozilla\Firefox\Profiles\mknq500a.default\prefs.js ]

Line Deleted : user_pref("CT3196716..clientLogIsEnabled", false);
Line Deleted : user_pref("CT3196716..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");
Line Deleted : user_pref("CT3196716..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/RegisterToolbarUninstallation");
Line Deleted : user_pref("CT3196716.ALLOW_SHOWING_HIDDEN_TOOLBAR", false);
Line Deleted : user_pref("CT3196716.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Line Deleted : user_pref("CT3196716.AppTrackingLastCheckTime", "Tue Aug 28 2012 08:25:23 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.BrowserCompStateIsOpen_129774122767598898", true);
Line Deleted : user_pref("CT3196716.BrowserCompStateIsOpen_3263554499264134319", true);
Line Deleted : user_pref("CT3196716.BrowserCompStateIsOpen_4711547172607932304", true);
Line Deleted : user_pref("CT3196716.CT3196716", "CT3196716");
Line Deleted : user_pref("CT3196716.CurrentServerDate", "19-9-2012");
Line Deleted : user_pref("CT3196716.DSInstall", false);
Line Deleted : user_pref("CT3196716.DialogsAlignMode", "LTR");
Line Deleted : user_pref("CT3196716.DialogsGetterLastCheckTime", "Wed Sep 19 2012 11:26:43 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.DownloadReferralCookieData", "");
Line Deleted : user_pref("CT3196716.EMailNotifierPollDate", "Wed Sep 19 2012 14:09:59 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.ExternalComponentPollDate129755756828511878", "Wed Sep 19 2012 11:26:41 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.ExternalComponentPollDate129757581393447276", "Wed Sep 19 2012 11:26:41 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.ExternalComponentPollDate129844886196746599", "Wed Aug 15 2012 16:15:29 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.ExternalComponentPollDate129844886197059098", "Wed Aug 15 2012 16:15:29 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.FirstServerDate", "11-7-2012");
Line Deleted : user_pref("CT3196716.FirstTime", true);
Line Deleted : user_pref("CT3196716.FirstTimeFF3", true);
Line Deleted : user_pref("CT3196716.FirstTimeHiddenVer", true);
Line Deleted : user_pref("CT3196716.FixPageNotFoundErrors", true);
Line Deleted : user_pref("CT3196716.GroupingServerCheckInterval", 1440);
Line Deleted : user_pref("CT3196716.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Line Deleted : user_pref("CT3196716.HPInstall", false);
Line Deleted : user_pref("CT3196716.HasUserGlobalKeys", true);
Line Deleted : user_pref("CT3196716.HomePageProtectorEnabled", false);
Line Deleted : user_pref("CT3196716.HomepageBeforeUnload", "resource:/browserconfig.properties");
Line Deleted : user_pref("CT3196716.Initialize", true);
Line Deleted : user_pref("CT3196716.InitializeCommonPrefs", true);
Line Deleted : user_pref("CT3196716.InstallationAndCookieDataSentCount", 3);
Line Deleted : user_pref("CT3196716.InstallationType", "Unknown");
Line Deleted : user_pref("CT3196716.InstalledDate", "Tue Jul 10 2012 17:37:06 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.InvalidateCache", false);
Line Deleted : user_pref("CT3196716.IsAlertDBUpdated", true);
Line Deleted : user_pref("CT3196716.IsGrouping", false);
Line Deleted : user_pref("CT3196716.IsInitSetupIni", true);
Line Deleted : user_pref("CT3196716.IsMulticommunity", false);
Line Deleted : user_pref("CT3196716.IsOpenThankYouPage", true);
Line Deleted : user_pref("CT3196716.IsOpenUninstallPage", true);
Line Deleted : user_pref("CT3196716.IsProtectorsInit", true);
Line Deleted : user_pref("CT3196716.LanguagePackLastCheckTime", "Wed Sep 19 2012 11:26:43 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.LanguagePackReloadIntervalMM", 1440);
Line Deleted : user_pref("CT3196716.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx");
Line Deleted : user_pref("CT3196716.LastLogin_3.13.0.6", "Wed Sep 19 2012 11:26:43 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.LatestVersion", "3.13.0.6");
Line Deleted : user_pref("CT3196716.Locale", "en");
Line Deleted : user_pref("CT3196716.MCDetectTooltipHeight", "83");
Line Deleted : user_pref("CT3196716.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Line Deleted : user_pref("CT3196716.MCDetectTooltipWidth", "295");
Line Deleted : user_pref("CT3196716.MyStuffEnabledAtInstallation", true);
Line Deleted : user_pref("CT3196716.OriginalFirstVersion", "3.13.0.6");
Line Deleted : user_pref("CT3196716.RadioIsPodcast", false);
Line Deleted : user_pref("CT3196716.RadioLastCheckTime", "Wed Sep 19 2012 11:26:45 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.RadioLastUpdateIPServer", "3");
Line Deleted : user_pref("CT3196716.RadioLastUpdateServer", "3");
Line Deleted : user_pref("CT3196716.RadioMediaID", "9962");
Line Deleted : user_pref("CT3196716.RadioMediaType", "Media Player");
Line Deleted : user_pref("CT3196716.RadioMenuSelectedID", "EBRadioMenu_CT31967169962");
Line Deleted : user_pref("CT3196716.RadioShrinkedFromSetup", false);
Line Deleted : user_pref("CT3196716.RadioStationName", "California%20Rock");
Line Deleted : user_pref("CT3196716.RadioStationURL", "hxxp://feedlive.net/california.asx");
Line Deleted : user_pref("CT3196716.SearchCaption", "WiseConvert Customized Web Search");
Line Deleted : user_pref("CT3196716.SearchEngineBeforeUnload", "Yahoo");
Line Deleted : user_pref("CT3196716.SearchFromAddressBarIsInit", true);
Line Deleted : user_pref("CT3196716.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3230028&SearchSource=2&q=");
Line Deleted : user_pref("CT3196716.SearchInNewTabEnabled", true);
Line Deleted : user_pref("CT3196716.SearchInNewTabIntervalMM", 1440);
Line Deleted : user_pref("CT3196716.SearchInNewTabLastCheckTime", "Wed Sep 19 2012 11:26:41 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_TOOLBAR_ID");
Line Deleted : user_pref("CT3196716.SearchProtectorEnabled", false);
Line Deleted : user_pref("CT3196716.SearchProtectorToolbarDisabled", false);
Line Deleted : user_pref("CT3196716.SendProtectorDataViaLogin", true);
Line Deleted : user_pref("CT3196716.ServiceMapLastCheckTime", "Wed Sep 19 2012 11:26:41 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.SettingsLastCheckTime", "Wed Sep 19 2012 14:09:57 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.SettingsLastUpdate", "1347263642");
Line Deleted : user_pref("CT3196716.TBHomePageUrl", "hxxp://search.conduit.com/?ctid=CT3230028&SearchSource=13");
Line Deleted : user_pref("CT3196716.ThirdPartyComponentsInterval", 504);
Line Deleted : user_pref("CT3196716.ThirdPartyComponentsLastCheck", "Thu Sep 06 2012 19:04:51 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.ThirdPartyComponentsLastUpdate", "1331805997");
Line Deleted : user_pref("CT3196716.ToolbarShrinkedFromSetup", false);
Line Deleted : user_pref("CT3196716.TrusteLinkUrl", "hxxp://trust.conduit.com/CT3196716");
Line Deleted : user_pref("CT3196716.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,client.conduit-storage.com,OurToolbar.com,CommunityToolbars.com,ForumToolbar.com,MyBlogToolbar.com,MyCity[...]
Line Deleted : user_pref("CT3196716.UserID", "UN29353480679681254");
Line Deleted : user_pref("CT3196716.ValidationData_Toolbar", 2);
Line Deleted : user_pref("CT3196716.WeatherNetwork", "");
Line Deleted : user_pref("CT3196716.WeatherPollDate", "Wed Sep 19 2012 14:10:08 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.WeatherUnit", "F");
Line Deleted : user_pref("CT3196716.alertChannelId", "1613210");
Line Deleted : user_pref("CT3196716.backendstorage.cb_experience_000", "37");
Line Deleted : user_pref("CT3196716.backendstorage.cb_firstuse0100", "31");
Line Deleted : user_pref("CT3196716.backendstorage.cb_user_id_000", "43423730373538353234343739355F46697265666F78");
Line Deleted : user_pref("CT3196716.backendstorage.cbcountry_001", "5553");
Line Deleted : user_pref("CT3196716.backendstorage.cbfirsttime", "576564204A756C20313120323031322030393A35313A343220474D542D3034303020284561737465726E204461796C696768742054696D6529");
Line Deleted : user_pref("CT3196716.backendstorage.event_data", "253542253544");
Line Deleted : user_pref("CT3196716.backendstorage.fired_events", "");
Line Deleted : user_pref("CT3196716.backendstorage.key_date", "3139");
Line Deleted : user_pref("CT3196716.backendstorage.shoppingapp.gk.exipres", "4D6F6E2053657020323420323031322031313A32363A343720474D542D3034303020284561737465726E204461796C696768742054696D6529");
Line Deleted : user_pref("CT3196716.backendstorage.shoppingapp.gk.geolocation", "756E6974656420737461746573");
Line Deleted : user_pref("CT3196716.backendstorage.url_history0001", "687474703A2F2F7777772E6D63616665652E636F6D2F617070732F667265652D746F6F6C732F7465726D736F667573652E617370783F75726C3D2F75732F646F776E6C6F6164732F6[...]
Line Deleted : user_pref("CT3196716.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.conduit.com;apps.conduit.com;services.apps.conduit.com\",\"AppsDetectionUrlPattern\":\"hxxp://appdown[...]
Line Deleted : user_pref("CT3196716.globalFirstTimeInfoLastCheckTime", "Thu Sep 13 2012 09:31:11 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.homepageProtectorEnableByLogin", true);
Line Deleted : user_pref("CT3196716.initDone", true);
Line Deleted : user_pref("CT3196716.isAppTrackingManagerOn", false);
Line Deleted : user_pref("CT3196716.isFirstRadioInstallation", false);
Line Deleted : user_pref("CT3196716.isRevertToBase", true);
Line Deleted : user_pref("CT3196716.myStuffEnabled", true);
Line Deleted : user_pref("CT3196716.myStuffPublihserMinWidth", 400);
Line Deleted : user_pref("CT3196716.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOrigin=29&ctid=EB_TOOLBAR_ID&octid=EB_ORIGINAL_CTID");
Line Deleted : user_pref("CT3196716.myStuffServiceIntervalMM", 1440);
Line Deleted : user_pref("CT3196716.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?ComponentId=EB_MY_STUFF_INSTANCE_GUID&lut=EB_MY_STUFF_LUT");
Line Deleted : user_pref("CT3196716.navigateToUrlOnSearch", false);
Line Deleted : user_pref("CT3196716.oldAppsList", "129844886193934115,129844886196434100,111,129844886196746599,129844886197059098,1000082,1000234,1000034,129876925791481060,129844886198309094,129844886198621593,326[...]
Line Deleted : user_pref("CT3196716.revertSettingsEnabled", false);
Line Deleted : user_pref("CT3196716.searchProtectorDialogDelayInSec", 10);
Line Deleted : user_pref("CT3196716.searchProtectorEnableByLogin", true);
Line Deleted : user_pref("CT3196716.testingCtid", "CT3230028");
Line Deleted : user_pref("CT3196716.toolbarAppMetaDataLastCheckTime", "Wed Sep 19 2012 11:26:43 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.toolbarContextMenuLastCheckTime", "Thu Sep 06 2012 19:04:53 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3196716.usagesFlag", 2);
Line Deleted : user_pref("CT3230028.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,client.conduit-storage.com,OurToolbar.com,CommunityToolbars.com,ForumToolbar.com,MyBlogToolbar.com,MyCity[...]
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/CT3196716/CT3196716", "\"169cafff13ecdda0aec439f00cc2fa352\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/CT3230028/CT3230028", "\"62be2d848ed0d730914f237e4e6afdf42\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1667895/1660359/US", "\"0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT3196716", "\"1340259244\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT3230028", "\"1340015020\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&locale=en", "G9mW7heT/8xIX1frcduu0A==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&locale=en", "mfQ70fvlD2zuBxSBj8rQqA==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&locale=en", "k9un27OkAvkwB2ZmvXxTnA==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&locale=en", "4BgM4MhF/sOgPsDNmIs3Yw==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\"8076e3ce381dcd1:151f\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.13.0.6", "\"0e0a4327275cd1:151f\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT3196716", "\"f1c77625c0e9bd1c80a2fd6901845fa9\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT3230028", "\"c912886ea3ba021d3a9ef2d6ad700899\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en", "\"9df6571d7c57f86c70978aa18a1ecbea\"");
Line Deleted : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Documents and Settings\\CPW\\Application Data\\Mozilla\\Firefox\\Profiles\\mknq500a.default\\conduitCommon\\modules\\3.13.0.6");
Line Deleted : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.13.0.6");
Line Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=380920&p=");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT3196716");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT3196716");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList4", "CT3196716");
Line Deleted : user_pref("CommunityToolbar.facebook.settingsLastCheckTime", "Wed Aug 15 2012 16:18:02 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CommunityToolbar.globalUserId", "4d531829-12e4-4cd2-9bf5-31e570ffd67e");
Line Deleted : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
Line Deleted : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
Line Deleted : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Sat Sep 15 2012 22:16:08 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.alertEnabled", false);
Line Deleted : user_pref("CommunityToolbar.notifications.alertInfoInterval", 60);
Line Deleted : user_pref("CommunityToolbar.notifications.alertInfoLastCheckTime", "Tue Jul 10 2012 17:37:08 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.clientsServerUrl", "hxxp://alert.client.conduit.com");
Line Deleted : user_pref("CommunityToolbar.notifications.locale", "en");
Line Deleted : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440);
Line Deleted : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Wed Sep 19 2012 11:26:46 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1313487611");
Line Deleted : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20);
Line Deleted : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com");
Line Deleted : user_pref("CommunityToolbar.notifications.showTrayIcon", false);
Line Deleted : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300);
Line Deleted : user_pref("CommunityToolbar.notifications.userId", "73fe9205-dd08-49f1-9a0a-a02d3855f78f");
Line Deleted : user_pref("CommunityToolbar.originalHomepage", "resource:/browserconfig.properties");
Line Deleted : user_pref("CommunityToolbar.originalSearchEngine", "Yahoo");
Line Deleted : user_pref("avg.install.installDirPath", "C:\\Documents and Settings\\All Users\\Application Data\\AVG Secure Search\\12.2.5.32");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.homepage", "hxxp://home.mywebsearch.com/index.jhtml?ptb=95C09887-79DF-44BE-BDD6-8C36FB028B40&n=77ee10fb&ptnrS=XPman000");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.installation.installDate", "2012090619");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.installation.partnerId", "XPman000");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.installation.partnerSubId", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.installation.success", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.installation.toolbarId", "95C09887-79DF-44BE-BDD6-8C36FB028B40");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.lastActivePing", "1348068398454");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.options.defaultSearch", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.options.homePageEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.options.keywordEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.options.tabEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.searchHistory", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._64Members_.weather.location", "29201");
Line Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "televisionfanatic@mindspark.com");

-\\ Google Chrome v30.0.1599.101

[ File : C:\Documents and Settings\CPW\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [29982 octets] - [31/10/2013 10:45:36]
AdwCleaner[S0].txt - [30588 octets] - [31/10/2013 10:47:14]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [30649 octets] ##########

RogueKiller V8.7.6 [Oct 28 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : CPW [Admin rights]
Mode : Remove -- Date : 10/31/2013 11:00:05
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\WINDOWS\TEMP\{2B2F280E-8104-4AF7-A3C6-16BB0F04852A}.exe - --uninstall=1 [x] -> DELETED

¤¤¤ Startup Entries : 2 ¤¤¤
[LocalService][SUSP UNIC] Maxtor EasyManage?.lnk : C:\Documents and Settings\LocalService\Start Menu\Programs\Startup\Maxtor EasyManage?.lnk [x] ->
[NetworkService][SUSP UNIC] Maxtor EasyManage?.lnk : C:\Documents and Settings\NetworkService\Start Menu\Programs\Startup\Maxtor EasyManage?.lnk [x] ->

¤¤¤ Web browsers : 1 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] U : C:\Documents and Settings\CPW\Local Settings\Application Data\{44d0e339-4172-5a4e-c336-07a0b263fef5}\U [-] --> DELETED
[ZeroAccess][Folder] L : C:\Documents and Settings\CPW\Local Settings\Application Data\{44d0e339-4172-5a4e-c336-07a0b263fef5}\L [-] --> DELETED

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[122] : NtOpenProcess @ 0x80574BC1 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xA8605A24)
[Address] SSDT[128] : NtOpenThread @ 0x80590CFC -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xA8605B70)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) FUJITSU MHV2040AH +++++
--- User ---
[MBR] ad361b15c0b8a11de893a4095f42e8ea
[BSP] 43a93dad14f188a51be236d04433a179 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38146 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_10312013_110005.txt >>
RKreport[0]_S_10312013_105901.txt



Thanks for your help.

 

[Fiery]

Hi,

Did you run the OTL script? If so, please post that log, it should in C:\_OTL\MovedFiles

Also, did you run malwarebytes anti-rootkit?

 

[magnolia245]

Hi,

Did you run the OTL script? If so, please post that log, it should in C:\_OTL\MovedFiles

Also, did you run malwarebytes anti-rootkit?

yes to both, see below.
========== OTL ==========
C:\Documents and Settings\CPW\Start Menu\Programs\Startup\rlc1a8zlc.lnk moved successfully.
File move failed. X:\I386\SYSTEM32\RUNDLL32.EXE scheduled to be moved on reboot.
C:\Documents and Settings\All Users\Application Data\clz8a1clr.dss moved successfully.
C:\Documents and Settings\All Users\Application Data\rlc1a8zlc.bxx moved successfully.
C:\Documents and Settings\All Users\Application Data\rlc1a8zlc.fvv moved successfully.
C:\Documents and Settings\All Users\Application Data\rlc1a8zlc.reg moved successfully.
File C:\Documents and Settings\All Users\Application Data\clz8a1clr.dss not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMPFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP1B5B4F1 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 20827649 bytes
->Temporary Internet Files folder emptied: 98881 bytes

User: All Users

User: CPW
->Temp folder emptied: 18630288 bytes
->Temporary Internet Files folder emptied: 821005 bytes
->Java cache emptied: 9936 bytes
->FireFox cache emptied: 75664681 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1273 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56468 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 5509272615 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 3350564 bytes
->Flash cache emptied: 37416 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2566570 bytes
%systemroot%\System32 .tmp files removed: 7741440 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 91098 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 511886018 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

Total Files Cleaned = 5,866.00 mb


OTLPE by OldTimer - Version 3.1.48.0 log created on 10312013_101651

Files\Folders moved on Reboot...
File\Folder X:\I386\SYSTEM32\RUNDLL32.EXE not found!

Registry entries deleted on Reboot...

mbar logs below,
Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org

Database version: v2013.10.31.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CPW :: PETER [administrator]

10/31/2013 09:44:03
mbar-log-2013-10-31 (09-44-03).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 221225
Time elapsed: 26 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 6
c:\windows\$ntuninstallkb48221$\1265104698 (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\l (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\u (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\690749675 (Backdoor.0Access) -> Delete on reboot.
C:\WINDOWS\Installer\{44d0e339-4172-5a4e-c336-07a0b263fef5}\L (Backdoor.0Access) -> Delete on reboot.
C:\WINDOWS\Installer\{44d0e339-4172-5a4e-c336-07a0b263fef5}\U (Backdoor.0Access) -> Delete on reboot.

Files Detected: 17
C:\Documents and Settings\CPW\Local Settings\Application Data\{44d0e339-4172-5a4e-c336-07a0b263fef5}\@ (Backdoor.0Access) -> Delete on reboot.
C:\WINDOWS\Installer\{44d0e339-4172-5a4e-c336-07a0b263fef5}\@ (Backdoor.0Access) -> Delete on reboot.
C:\WINDOWS\Installer\{44d0e339-4172-5a4e-c336-07a0b263fef5}\L\00000004.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\l\akygdmgo (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\u\00000001.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\u\00000002.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\u\00000004.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\u\80000000.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\u\80000004.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\u\80000032.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\bckfg.tmp (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\cfg.ini (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\desktop.ini (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\keywords (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb48221$\1265104698\kwrd.dll (Backdoor.0Access) -> Delete on reboot.
C:\WINDOWS\Installer\{44d0e339-4172-5a4e-c336-07a0b263fef5}\L\201d3dde (Backdoor.0Access) -> Delete on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org

Database version: v2013.10.31.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
CPW :: PETER [administrator]

10/31/2013 10:22:16
mbar-log-2013-10-31 (10-22-16).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 221253
Time elapsed: 17 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

mbar system log

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_22

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.729000 GHz
Memory total: 1601552384, free: 660017152

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_22

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.729000 GHz
Memory total: 1601552384, free: 966295552

Could not load protection driver
Downloaded database version: v2013.10.31.03
Downloaded database version: v2013.10.11.02
=======================================
Initializing...
------------ Kernel report ------------
10/31/2013 09:43:50
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\System32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
compbatt.sys
\WINDOWS\System32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
pcmcia.sys
MountMgr.sys
ftdisk.sys
ACPIEC.sys
\WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
DRVMCDB.SYS
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
avgrkx86.sys
avglogx.sys
avgmfx86.sys
avgidshx.sys
\SystemRoot\System32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\ialmnt5.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\b57xp32.sys
\SystemRoot\System32\DRIVERS\usbuhci.sys
\SystemRoot\System32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\System32\DRIVERS\w29n51.sys
\SystemRoot\system32\drivers\tifm21.sys
\SystemRoot\System32\DRIVERS\sdbus.sys
\SystemRoot\system32\DRIVERS\gtipci21.sys
\SystemRoot\system32\DRIVERS\SMCLIB.SYS
\SystemRoot\system32\drivers\ac97intc.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\smserial.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\System32\DRIVERS\serial.sys
\SystemRoot\System32\DRIVERS\serenum.sys
\SystemRoot\System32\DRIVERS\smcirda.sys
\SystemRoot\System32\DRIVERS\irenum.sys
\SystemRoot\System32\DRIVERS\parport.sys
\SystemRoot\System32\DRIVERS\IFXTPM.SYS
\SystemRoot\System32\DRIVERS\i8042prt.sys
\SystemRoot\System32\DRIVERS\HpqKbFiltr.sys
\SystemRoot\System32\DRIVERS\WDFLDR.SYS
\SystemRoot\System32\DRIVERS\Wdf01000.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\SynTP.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\System32\DRIVERS\cdrom.sys
\SystemRoot\System32\DRIVERS\CmBatt.sys
\SystemRoot\System32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\btkrnl.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\rasirda.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\psched.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\System32\DRIVERS\termdd.sys
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\DLACDBHM.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\Drivers\DLARTL_M.SYS
\??\C:\WINDOWS\system32\drivers\avgtpx86.sys
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\System32\DRIVERS\ipsec.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\avgtdix.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\avgldx86.sys
\SystemRoot\system32\DRIVERS\avgidsshimx.sys
\SystemRoot\system32\DRIVERS\avgidsdriverx.sys
\SystemRoot\system32\DRIVERS\avgdiskx.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\Drivers\DRVNDDM.SYS
\SystemRoot\System32\DLA\DLADResM.SYS
\SystemRoot\System32\DLA\DLAIFS_M.SYS
\SystemRoot\System32\DLA\DLAOPIOM.SYS
\SystemRoot\System32\DLA\DLAPoolM.SYS
\SystemRoot\System32\DLA\DLABMFSM.SYS
\SystemRoot\System32\DLA\DLABOIOM.SYS
\SystemRoot\System32\DLA\DLAUDFAM.SYS
\SystemRoot\System32\DLA\DLAUDF_M.SYS
\SystemRoot\System32\DRIVERS\irda.sys
\SystemRoot\System32\DRIVERS\ndisuio.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\Drivers\StarOpen.SYS
\??\C:\Program Files\Broadcom\MgmtAgent\BASFND.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8a67dab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-4\
Lower Device Object: 0xffffffff8a68a940
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8a67dab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a655b70, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a67dab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a67f9e8, DeviceName: \Device\00000087\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8a68a940, DeviceName: \Device\Ide\IdeDeviceP0T0L0-4\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D8CCD8CC

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 78124977
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 40007761920 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-78120160-78140160)...
Done!
Read File: File "c:\documents and settings\all users\application data\avg2014\chjw\42f0708bf0708747.dat:45f2fa6c-73a2-4652-b580-f537be8ba932" is sparse (flags = 32768)
Infected: C:\Documents and Settings\CPW\Local Settings\Application Data\{44d0e339-4172-5a4e-c336-07a0b263fef5}\@ --> [Backdoor.0Access]
Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Avg2014\log\avgcore.log.1" is compressed (flags = 1)
Infected: C:\WINDOWS\Installer\{44d0e339-4172-5a4e-c336-07a0b263fef5}\@ --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{44d0e339-4172-5a4e-c336-07a0b263fef5}\L\00000004.@ --> [Backdoor.0Access]
Read File: File "c:\windows\$ntuninstallkb48221$\1265104698\@" is compressed (flags = 1)
Read File: File "c:\windows\$ntuninstallkb48221$\1265104698\bckfg.tmp" is compressed (flags = 1)
Read File: File "c:\windows\$ntuninstallkb48221$\1265104698\cfg.ini" is compressed (flags = 1)
Read File: File "c:\windows\$ntuninstallkb48221$\1265104698\desktop.ini" is compressed (flags = 1)
Read File: File "c:\windows\$ntuninstallkb48221$\1265104698\kwrd.dll" is compressed (flags = 1)
Read File: File "c:\windows\$ntuninstallkb48221$\1265104698\l\akygdmgo" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb48221$\1265104698\l\akygdmgo --> [Backdoor.0Access]
Read File: File "c:\windows\$ntuninstallkb48221$\1265104698\u\00000001.@" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb48221$\1265104698\u\00000001.@ --> [Backdoor.0Access]
Read File: File "c:\windows\$ntuninstallkb48221$\1265104698\u\00000002.@" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb48221$\1265104698\u\00000002.@ --> [Backdoor.0Access]
Read File: File "c:\windows\$ntuninstallkb48221$\1265104698\u\00000004.@" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb48221$\1265104698\u\00000004.@ --> [Backdoor.0Access]
Read File: File "c:\windows\$ntuninstallkb48221$\1265104698\u\80000000.@" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb48221$\1265104698\u\80000000.@ --> [Backdoor.0Access]
Read File: File "c:\windows\$ntuninstallkb48221$\1265104698\u\80000004.@" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb48221$\1265104698\u\80000004.@ --> [Backdoor.0Access]
Read File: File "c:\windows\$ntuninstallkb48221$\1265104698\u\80000032.@" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb48221$\1265104698\u\80000032.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb48221$\1265104698 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb48221$\1265104698\@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb48221$\1265104698\bckfg.tmp --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb48221$\1265104698\cfg.ini --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb48221$\1265104698\desktop.ini --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb48221$\1265104698\keywords --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb48221$\1265104698\kwrd.dll --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb48221$\1265104698\l --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb48221$\1265104698\u --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb48221$\690749675 --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{44d0e339-4172-5a4e-c336-07a0b263fef5}\L --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{44d0e339-4172-5a4e-c336-07a0b263fef5}\L\201d3dde --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{44d0e339-4172-5a4e-c336-07a0b263fef5}\U --> [Backdoor.0Access]
Scan finished
Creating System Restore point...
Cleaning up...
Executing an action fixdamage.exe...
Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_63_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_22

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.729000 GHz
Memory total: 1601552384, free: 1032228864

=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_22

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.729000 GHz
Memory total: 1601552384, free: 973094912

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_22

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.729000 GHz
Memory total: 1601552384, free: 1013817344

Could not load protection driver
Downloaded database version: v2013.10.31.04
=======================================
Initializing...
------------ Kernel report ------------
10/31/2013 10:22:04
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\System32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
compbatt.sys
\WINDOWS\System32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
pcmcia.sys
MountMgr.sys
ftdisk.sys
ACPIEC.sys
\WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
DRVMCDB.SYS
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
avgrkx86.sys
avglogx.sys
avgmfx86.sys
avgidshx.sys
\SystemRoot\System32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\ialmnt5.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\b57xp32.sys
\SystemRoot\System32\DRIVERS\usbuhci.sys
\SystemRoot\System32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\System32\DRIVERS\w29n51.sys
\SystemRoot\system32\drivers\tifm21.sys
\SystemRoot\System32\DRIVERS\sdbus.sys
\SystemRoot\system32\DRIVERS\gtipci21.sys
\SystemRoot\system32\DRIVERS\SMCLIB.SYS
\SystemRoot\system32\drivers\ac97intc.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\smserial.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\System32\DRIVERS\serial.sys
\SystemRoot\System32\DRIVERS\serenum.sys
\SystemRoot\System32\DRIVERS\smcirda.sys
\SystemRoot\System32\DRIVERS\irenum.sys
\SystemRoot\System32\DRIVERS\parport.sys
\SystemRoot\System32\DRIVERS\IFXTPM.SYS
\SystemRoot\System32\DRIVERS\i8042prt.sys
\SystemRoot\System32\DRIVERS\HpqKbFiltr.sys
\SystemRoot\System32\DRIVERS\WDFLDR.SYS
\SystemRoot\System32\DRIVERS\Wdf01000.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\SynTP.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\System32\DRIVERS\cdrom.sys
\SystemRoot\System32\DRIVERS\CmBatt.sys
\SystemRoot\System32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\btkrnl.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\rasirda.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\psched.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\System32\DRIVERS\termdd.sys
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\DLACDBHM.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\Drivers\DLARTL_M.SYS
\??\C:\WINDOWS\system32\drivers\avgtpx86.sys
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\System32\DRIVERS\ipsec.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\avgtdix.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\DRIVERS\ipnat.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\avgldx86.sys
\SystemRoot\system32\DRIVERS\avgidsshimx.sys
\SystemRoot\system32\DRIVERS\avgidsdriverx.sys
\SystemRoot\system32\DRIVERS\avgdiskx.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\Drivers\DRVNDDM.SYS
\SystemRoot\System32\DLA\DLADResM.SYS
\SystemRoot\System32\DLA\DLAIFS_M.SYS
\SystemRoot\System32\DLA\DLAOPIOM.SYS
\SystemRoot\System32\DLA\DLAPoolM.SYS
\SystemRoot\System32\DLA\DLABMFSM.SYS
\SystemRoot\System32\DLA\DLABOIOM.SYS
\SystemRoot\System32\DLA\DLAUDFAM.SYS
\SystemRoot\System32\DLA\DLAUDF_M.SYS
\SystemRoot\System32\DRIVERS\irda.sys
\SystemRoot\System32\DRIVERS\ndisuio.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\Drivers\StarOpen.SYS
\??\C:\Program Files\Broadcom\MgmtAgent\BASFND.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8a63eab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-4\
Lower Device Object: 0xffffffff8a69a940
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8a63eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a68ab70, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a63eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a69c9e8, DeviceName: \Device\00000086\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8a69a940, DeviceName: \Device\Ide\IdeDeviceP0T0L0-4\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D8CCD8CC

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 78124977
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 40007761920 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-78120160-78140160)...
Done!
Read File: File "c:\documents and settings\all users\application data\avg2014\chjw\42f0708bf0708747.dat:45f2fa6c-73a2-4652-b580-f537be8ba932" is sparse (flags = 32768)
Scan finished
=======================================


Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_63_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_22

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.729000 GHz
Memory total: 1601552384, free: 1112489984

=======================================

Thanks again for your help.

 

[Fiery]

Hi,

It's looking better now, still need some work.

Download TDSSkiller from here

• Double-Click on TDSSKiller.exe to run the application
• When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
• After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  
  
• click Start scan .
  
• If a suspicious object is detected, the default action will be Skip, click on Continue. (If it saids TDL4/TDSS file system, select delete)
• If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt

Please download Malwarebytes' Anti-Malware from here to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• When it prompts you to try their 30-day trail, click decline
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt