Kazy3653 (B), Trojan prorat, W7 erratic & software unresponsive

Chigwells

Chigwells

Level 4
Thread author
Jan 16, 2012
185
Hi All!

Well I've had Bitdefender IS2013 a couple of months now, and am not happy with it. Will be going back to Comodo firewall plus most likely Avira or maybe Avast or Comodo AV when I get my machine clean again.

Symptoms are: software and system freezing frequently. Frequent message from Emsisoft AM that it has quarantined Kazy3653 (B), screenshot 1, followed by a similar announcement by Bitdefender. Only occassionally Emsi requires a restart to remove infection. However, no indication of any new infections in the quarantine though, only in the logs. CORRECTION, I just went to look again in the quarantine to see if it had changed, and it has! Now its showing 9 2013 infections, up until two days ago it was only showing 2012 infections, plus just one in 2013. See screenshot 2 of quarantine. To make this clear, over the past two weeks when I was getting regular messages from Emsi that it had removed infections, there were no such infections listed in the quarantine. Now all of a sudden there are a number, all pretty much at the same date and time too.

Sometimes Bitdefender quarantined infections, sometimes not, screenshots 3 & 4

Had a go at fixing the infection myself since first notification of the infection: ran SAS, MBAM, MBAR, Hitman Pro all in normal mode, all clean. Note: SAS did find Trojan prorat back in March, see screenshot 5. Ran it a second time and it came up clean.
Attempted to run Kaspersky rescue CD following Jack's guide, but after updating the database was showing as CORRUPTED, so I didn't run it.

Then yesterday I followed Jack's 'Malware Removal Guide'. In safe mode with networking I checked for 'no proxy', ran the exe-fix.bat file, ran TDSSKiller at default, then again with all the tick boxes ticked in the 'change parameters'section. Both times came up with nothing. Ran RKill, then full scan in MBAM. MBAM also found nothing.
Reading through Fiery's post Malware Removal Guide for Windows I decided to check my hosts file, it came up a bit strange, showing only the one line (as Fiery indicates for XP), not the two lines he describes, screenshot 6.

There has also been ongoing strange behaviour, that I'm not sure whether is down to malware or not: I can't set a System Restore point (screenshot 7), Bitdefender changed its settings (AntiVirus Control turned itself off), can't open VAIO Care (Sony own maintenance software). In Windows Media Player, I stream to my stereo system. Every time I want to do this, I have to open services.msc in Admin, and start up 'Windows Media Player Network Sharing Services', which always re-sets itself to 'Disabled', regardless of whether I set it to 'Started-manual', or 'Started-automatic'. As an example of how my system is running, I just opened Services.msc to remind myself of the name of said Service. Services.msc took about 15 seconds to open, and then it was (not responding) for about 20 seconds.

I recently discovered and installed CCleaner Enhancer, but as I wasn't sure if it was deleting my settings, I've uninstalled it.I hope this all makes sense, I have tried to be as concise as possible.

Included two scans OTL and aswMBR

Many thanks in advance, Chig

p.s. OTL only delivered one file, OTL.txt, no sign of Extras.txt

OTL logfile created on: 08/05/2013 13:59:21 - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Me&My\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

7.67 Gb Total Physical Memory | 4.74 Gb Available Physical Memory | 61.85% Memory free
7.67 Gb Paging File | 4.92 Gb Available in Paging File | 64.19% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 452.51 Gb Total Space | 109.88 Gb Free Space | 24.28% Space Free | Partition Type: NTFS

Computer Name: ARCHIE-VAIO | User Name: Ronnie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Me&My\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\uTorrent\utorrent.exe (BitTorrent Inc.)
PRC - C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe (Emsisoft GmbH)
PRC - C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe (Emsisoft GmbH)
PRC - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\Monitor.exe (IObit)
PRC - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCAvSvc.exe (IOBit)
PRC - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCSvc.exe (IObit)
PRC - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCTray.exe (IObit)
PRC - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe (Kaspersky Lab ZAO)
PRC - C:\Program Files (x86)\Secunia\PSI\psia.exe (Secunia)
PRC - C:\Program Files (x86)\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe (Secunia)
PRC - C:\Program Files\Sony\VAIO Care\VCService.exe (Sony Corporation)
PRC - C:\Program Files\Sony\VAIO Care\listener.exe (Sony of America Corporation)
PRC - C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe (Sony Corporation)
PRC - C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe (Sony Corporation)
PRC - C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe (ArcSoft, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\cb562e2e4f74ae607f1186f6ec50cec7\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\f7cb3ae5de64f8cbde3ccc57c780743a\IAStorUtil.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cf827fe7bc99d9bcf0ba3621054ef527\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll ()
MOD - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\madexcept_.bpl ()
MOD - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\maddisAsm_.bpl ()
MOD - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\madbasic_.bpl ()
MOD - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\webres.dll ()


========== Services (SafeList) ==========

SRV:64bit: - (VSSERV) -- C:\Program Files\Bitdefender\Bitdefender 2013\vsserv.exe (Bitdefender)
SRV:64bit: - (BdDesktopParental) -- C:\Program Files\Bitdefender\Bitdefender 2013\bdparentalservice.exe (Bitdefender)
SRV:64bit: - (UPDATESRV) -- C:\Program Files\Bitdefender\Bitdefender 2013\updatesrv.exe (Bitdefender)
SRV:64bit: - (btwdins) -- c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe (Broadcom Corporation.)
SRV:64bit: - (SbieSvc) -- C:\Program Files\Sandboxie\SbieSvc.exe (SANDBOXIE L.T.D)
SRV:64bit: - (VUAgent) -- C:\Program Files\Sony\VAIO Update\VUAgent.exe (Sony Corporation)
SRV:64bit: - (CGVPNCliSrvc) -- C:\Program Files\CyberGhost VPN\CGVPNCliService.exe (mobile concepts GmbH)
SRV:64bit: - (VCService) -- C:\Program Files\Sony\VAIO Care\VCService.exe (Sony Corporation)
SRV:64bit: - (SampleCollector) -- C:\Program Files\Sony\VAIO Care\VCPerfService.exe (Sony Corporation)
SRV:64bit: - (VAIO Power Management) -- C:\Program Files\Sony\VAIO Power Management\SPMService.exe (Sony Corporation)
SRV:64bit: - (VSNService) -- C:\Program Files\Sony\VAIO Smart Network\VSNService.exe (Sony Corporation)
SRV:64bit: - (EvtEng) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
SRV:64bit: - (RegSrvc) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (a2AntiMalware) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe (Emsisoft GmbH)
SRV - (ASCAntivirusSrv) -- C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCAvSvc.exe (IOBit)
SRV - (AdvancedSystemCareService6) -- C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCSvc.exe (IObit)
SRV - (KSS) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe (Kaspersky Lab ZAO)
SRV - (FLEXnet Licensing Service) -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (Secunia PSI Agent) -- C:\Program Files (x86)\Secunia\PSI\psia.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files (x86)\Secunia\PSI\sua.exe (Secunia)
SRV - (WAS) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (W3SVC) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (AppHostSvc) -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll (Microsoft Corporation)
SRV - (VAIO Event Service) -- C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe (Sony Corporation)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (ACDaemon) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (IAStorDataMgrSvc) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (uCamMonitor) -- C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe (ArcSoft, Inc.)


========== Driver Services (SafeList) ==========

DRV:64bit: - (btwampfl) -- C:\Windows\SysNative\drivers\btwampfl.sys (Broadcom Corporation.)
DRV:64bit: - (btwavdt) -- C:\Windows\SysNative\drivers\btwavdt.sys (Broadcom Corporation.)
DRV:64bit: - (btwaudio) -- C:\Windows\SysNative\drivers\btwaudio.sys (Broadcom Corporation.)
DRV:64bit: - (btwl2cap) -- C:\Windows\SysNative\drivers\btwl2cap.sys (Broadcom Corporation.)
DRV:64bit: - (btwrchid) -- C:\Windows\SysNative\drivers\btwrchid.sys (Broadcom Corporation.)
DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys (Duplex Secure Ltd.)
DRV:64bit: - (BdfNdisf) -- c:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfndisf6.sys (BitDefender LLC)
DRV:64bit: - (avc3) -- C:\Windows\SysNative\drivers\avc3.sys (BitDefender)
DRV:64bit: - (avckf) -- C:\Windows\SysNative\drivers\avckf.sys (BitDefender)
DRV:64bit: - (gzflt) -- C:\Windows\SysNative\drivers\gzflt.sys (BitDefender LLC)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (IntcDAud) -- C:\Windows\SysNative\drivers\IntcDAud.sys (Intel(R) Corporation)
DRV:64bit: - (SbieDrv) -- C:\Program Files\Sandboxie\SbieDrv.sys (SANDBOXIE L.T.D)
DRV:64bit: - (BDSandBox) -- C:\Windows\SysNative\drivers\bdsandbox.sys (BitDefender SRL)
DRV:64bit: - (avchv) -- C:\Windows\SysNative\drivers\avchv.sys (BitDefender)
DRV:64bit: - (trufos) -- C:\Windows\SysNative\drivers\trufos.sys (BitDefender S.R.L.)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (tap0901) -- C:\Windows\SysNative\drivers\tap0901.sys (The OpenVPN Project)
DRV:64bit: - (bdfwfpf) -- C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys (BitDefender LLC)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (SmartDefragDriver) -- C:\Windows\SysNative\drivers\SmartDefragDriver.sys ()
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation)
DRV:64bit: - (PSI) -- C:\Windows\SysNative\drivers\psi_mf.sys (Secunia)
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (risdsnpe) -- C:\Windows\SysNative\drivers\risdsne64.sys (REDC)
DRV:64bit: - (rimspci) -- C:\Windows\SysNative\drivers\rimssne64.sys (REDC)
DRV:64bit: - (ApfiltrService) -- C:\Windows\SysNative\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV:64bit: - (yukonw7) -- C:\Windows\SysNative\drivers\yk62x64.sys (Marvell)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (NETw5s64) -- C:\Windows\SysNative\drivers\NETw5s64.sys (Intel Corporation)
DRV:64bit: - (Impcd) -- C:\Windows\SysNative\drivers\Impcd.sys (Intel Corporation)
DRV:64bit: - (HECIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (SFEP) -- C:\Windows\SysNative\drivers\SFEP.sys (Sony Corporation)
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (ArcSoftKsUFilter) -- C:\Windows\SysNative\drivers\ArcSoftKsUFilter.sys (ArcSoft, Inc.)
DRV:64bit: - (Spyder2) -- C:\Windows\SysNative\drivers\Spyder2.sys ()
DRV - (A2DDA) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys (Emsisoft GmbH)
DRV - (a2util) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys (Emsisoft GmbH)
DRV - (RapportIaso) -- c:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\46125\RapportIaso64.sys (Trusteer Ltd.)
DRV - (a2acc) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys (Emsisoft GmbH)
DRV - (a2injectiondriver) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys (Emsisoft GmbH)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=SVEE&bmod=SVEE
IE - HKCU\..\SearchScopes\{12B77033-590F-4F5D-BAC5-A76B77E74392}: "URL" = http://rover.ebay.com/rover/1/710-42480-16445-15/4?satitle={searchTerms}
IE - HKCU\..\SearchScopes\{B0A2A07B-3FEB-40B6-AE45-CDA8F0EA58F2}: "URL" = http://uk.shopping.com/?linkin_id=8056359
IE - HKCU\..\SearchScopes\{C7F913F1-9FF8-4CF2-9926-F7310FCC61C3}: "URL" = http://services.zinio.com/search?s={searchTerms}&rf=sonyslices
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_169.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@bullguard.com/onlinescanner: C:\Program Files (x86)\BullGuard Ltd\BullGuard Online Scanner\npbgscanner.dll (BullGuard Ltd.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@IObit.com/np_Asc_Plugin: C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\BrowerProtect\np_Asc_plugin.dll (IObit)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\bdThunderbird@bitdefender.com: C:\PROGRAM FILES\BITDEFENDER\BITDEFENDER 2013\BDTBEXT [2013/02/21 23:08:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\bdThunderbird@bitdefender.com: C:\Program Files\Bitdefender\Bitdefender 2013\bdtbext [2013/02/21 23:08:53 | 000,000,000 | ---D | M]

[2013/03/10 14:49:36 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ronnie\AppData\Roaming\Mozilla\Extensions
[2004/06/09 17:03:02 | 000,832,728 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\plugins\NPSWF32.dll

O1 HOSTS File: ([2013/04/13 02:32:21 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2 - BHO: (Evernote extension) - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
O2 - BHO: (Advanced SystemCare Browser Protection) - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\BrowerProtect\ASCPlugin_Protection.dll (IObit)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (&NetWorx Desk Band) - {FEEA54B4-D80F-41C7-87B9-DC08E6D3255F} - C:\Program Files\NetWorx\deskband.dll (SoftPerfect Research)
O4:64bit: - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4:64bit: - HKLM..\Run: [Bdagent] C:\Program Files\Bitdefender\Bitdefender 2013\bdagent.exe (Bitdefender)
O4:64bit: - HKLM..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe (The Eraser Project)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [NetWorx] C:\Program Files\NetWorx\networx.exe (SoftPerfect Research)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [emsisoft anti-malware] c:\program files (x86)\emsisoft anti-malware\a2guard.exe (Emsisoft GmbH)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
O4 - HKCU..\Run: [Advanced SystemCare Ultimate] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCTray.exe (IObit)
O4 - HKCU..\Run: [KSS] C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe (Kaspersky Lab ZAO)
O4 - HKLM..\RunOnce: [C9B06280-BE2C-463B-B204-5AC8818AD0F1] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [MRUBlaster] C:\Program Files (x86)\MRU-Blaster\indexcleaner.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Clip selection - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3 File not found
O8:64bit: - Extra context menu item: Clip this page - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1 File not found
O8:64bit: - Extra context menu item: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0 File not found
O8:64bit: - Extra context menu item: New Note - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html ()
O8 - Extra context menu item: Clip selection - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3 File not found
O8 - Extra context menu item: Clip this page - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1 File not found
O8 - Extra context menu item: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0 File not found
O8 - Extra context menu item: New Note - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html ()
O9 - Extra Button: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html ()
O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html ()
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{423D4F55-13A2-4D2E-BBDA-A1774A136043}: DhcpNameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8D3A558A-88D0-4D83-9C70-BB9C89B1021E}: NameServer = 208.67.222.222,208.67.220.220
O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (SmartDefragBootTime.exe)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/05/07 19:14:06 | 010,285,040 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Ronnie\Desktop\mbam-setup-1.75.0.1300.exe
[2013/05/07 19:10:14 | 001,752,992 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Ronnie\Desktop\iExplore(1).exe
[2013/05/07 18:59:42 | 002,237,968 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Ronnie\Desktop\iexplore.exe
[2013/05/07 18:57:31 | 000,457,632 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Ronnie\Desktop\FixExec.exe
[2013/05/06 03:35:28 | 000,000,000 | ---D | C] -- C:\Users\Ronnie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Kaspersky Security Scan
[2013/05/06 03:34:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2013/05/06 03:34:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Kaspersky Lab
[2013/05/05 14:00:56 | 000,000,000 | ---D | C] -- C:\Users\Ronnie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bluetooth Devices
[2013/05/05 14:00:49 | 000,000,000 | ---D | C] -- C:\Users\Ronnie\Documents\Bluetooth Exchange Folder
[2013/05/05 14:00:45 | 000,000,000 | ---D | C] -- C:\Users\Ronnie\AppData\Local\Broadcom
[2013/05/05 13:55:08 | 000,210,984 | ---- | C] (Broadcom Corporation.) -- C:\Windows\SysNative\drivers\btwavdt.sys
[2013/05/05 13:55:08 | 000,184,144 | ---- | C] (Broadcom Corporation.) -- C:\Windows\SysNative\drivers\btwaudio.sys
[2013/05/05 13:55:08 | 000,039,976 | ---- | C] (Broadcom Corporation.) -- C:\Windows\SysNative\drivers\btwl2cap.sys
[2013/05/05 13:55:08 | 000,021,544 | ---- | C] (Broadcom Corporation.) -- C:\Windows\SysNative\drivers\btwrchid.sys
[2013/05/05 13:36:26 | 012,593,024 | ---- | C] (Broadcom Corporation.) -- C:\Users\Ronnie\Desktop\SetupBtwDownloadSE.exe
[2013/05/02 22:06:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Alcohol Soft
[2013/05/02 20:46:26 | 000,000,000 | ---D | C] -- C:\Users\Ronnie\AppData\Roaming\uTorrent
[2013/05/02 20:40:33 | 000,564,824 | ---- | C] (Duplex Secure Ltd.) -- C:\Windows\SysNative\drivers\sptd.sys
[2013/05/02 20:08:29 | 000,000,000 | ---D | C] -- C:\Temp
[2013/05/02 19:59:52 | 000,000,000 | ---D | C] -- C:\Program Files\KernSafe
[2013/05/01 19:50:51 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/05/01 19:32:35 | 005,064,153 | R--- | C] (Swearware) -- C:\Users\Ronnie\Desktop\uninstall.exe
[2013/05/01 19:23:10 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2013/05/01 12:24:12 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\AnaSome
[2013/05/01 12:17:05 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\JJ The Man
[2013/04/29 14:29:42 | 000,000,000 | ---D | C] -- C:\Users\Ronnie\AppData\Roaming\PFStaticIP
[2013/04/27 19:10:09 | 000,000,000 | ---D | C] -- C:\ProgramData\DVD Shrink
[2013/04/27 19:01:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVD Shrink
[2013/04/27 19:01:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DVD Shrink
[2013/04/27 17:34:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2013/04/27 12:46:59 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\DVDTOOLs
[2013/04/27 11:07:33 | 000,000,000 | ---D | C] -- C:\Users\Ronnie\Bluetooth Exchange Folder
[2013/04/27 06:53:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BullGuard Ltd
[2013/04/26 21:57:43 | 000,718,840 | ---- | C] (BitDefender) -- C:\Windows\SysNative\drivers\avc3.sys
[2013/04/23 08:08:34 | 000,000,000 | R--D | C] -- C:\Sandbox
[2013/04/23 07:12:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2013/04/20 12:01:17 | 000,000,000 | ---D | C] -- C:\Windows\XSxS
[2013/04/13 16:24:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sandboxie
[2013/04/13 02:37:45 | 000,000,000 | ---D | C] -- C:\Users\Ronnie\AppData\Local\temp
[2013/04/13 02:20:33 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/04/13 02:20:33 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/04/13 02:20:33 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/04/13 02:15:08 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/04/13 02:14:32 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/04/11 23:36:32 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\OneNote Notebooks
[2013/04/11 01:24:18 | 000,000,000 | ---D | C] -- C:\ProgramData\bdch
[2013/04/11 01:03:31 | 000,181,064 | ---- | C] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2013/04/11 00:56:16 | 000,000,000 | ---D | C] -- C:\RegBackup
[2013/04/11 00:53:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Tweaking.com
[2013/04/11 00:50:08 | 000,000,000 | ---D | C] -- C:\Users\Ronnie\AppData\Roaming\Returnil
[2013/04/11 00:17:29 | 000,000,000 | ---D | C] -- C:\Users\Ronnie\AppData\Local\Programs
[2013/04/10 22:53:46 | 000,000,000 | ---D | C] -- C:\Users\Ronnie\AppData\Roaming\EAST Technologies
[2013/04/10 22:53:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Logs
[2013/04/10 22:53:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Licenses
[2013/04/10 22:53:09 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2013/04/10 22:53:09 | 000,000,000 | ---D | C] -- C:\Users\Ronnie\Documents\DbgLogs
[2013/04/10 22:51:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\East-Tec Eraser 2012
[2013/04/10 22:51:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\East-Tec Eraser 2012
[2013/04/10 20:29:37 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Zoolz
[2013/04/10 00:45:10 | 005,550,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2013/04/10 00:45:09 | 003,913,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2013/04/10 00:45:08 | 003,968,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2013/04/10 00:45:07 | 000,112,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\smss.exe
[2013/04/10 00:45:07 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
[2013/04/10 00:45:06 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\apisetschema.dll
[2013/04/10 00:41:01 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013/04/10 00:41:01 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013/04/10 00:41:01 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013/04/10 00:41:00 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013/04/10 00:41:00 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013/04/10 00:40:58 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013/04/10 00:40:57 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013/04/10 00:40:57 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013/04/10 00:40:57 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013/04/10 00:40:57 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013/04/10 00:40:57 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013/04/10 00:40:55 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013/04/10 00:40:55 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013/04/10 00:40:54 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013/04/10 00:40:54 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/05/08 13:56:25 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/05/08 13:51:04 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/05/08 13:49:43 | 000,000,193 | ---- | M] () -- C:\Windows\WORDPAD.INI
[2013/05/08 12:59:05 | 000,008,778 | ---- | M] () -- C:\Windows\Sandboxie.ini
[2013/05/08 12:55:56 | 000,014,144 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/05/08 12:55:56 | 000,014,144 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/05/08 12:47:02 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/05/08 12:44:28 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/05/07 19:14:21 | 010,285,040 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Ronnie\Desktop\mbam-setup-1.75.0.1300.exe
[2013/05/07 19:10:20 | 001,752,992 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Ronnie\Desktop\iExplore(1).exe
[2013/05/07 18:59:45 | 002,237,968 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Ronnie\Desktop\iexplore.exe
[2013/05/07 18:57:31 | 000,457,632 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Ronnie\Desktop\FixExec.exe
[2013/05/07 17:26:31 | 000,441,936 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/05/07 04:43:27 | 000,007,604 | ---- | M] () -- C:\Users\Ronnie\AppData\Local\Resmon.ResmonCfg
[2013/05/06 23:29:25 | 000,830,578 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/05/06 23:29:25 | 000,702,408 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/05/06 23:29:25 | 000,138,666 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/05/06 03:35:20 | 000,001,077 | ---- | M] () -- C:\Users\Ronnie\Desktop\Kaspersky Security Scan.lnk
[2013/05/05 13:56:43 | 000,000,834 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
[2013/05/05 13:52:46 | 000,598,808 | ---- | M] (Broadcom Corporation.) -- C:\Windows\SysNative\drivers\btwampfl.sys
[2013/05/05 13:52:45 | 000,210,984 | ---- | M] (Broadcom Corporation.) -- C:\Windows\SysNative\drivers\btwavdt.sys
[2013/05/05 13:52:45 | 000,184,144 | ---- | M] (Broadcom Corporation.) -- C:\Windows\SysNative\drivers\btwaudio.sys
[2013/05/05 13:52:45 | 000,039,976 | ---- | M] (Broadcom Corporation.) -- C:\Windows\SysNative\drivers\btwl2cap.sys
[2013/05/05 13:52:44 | 000,021,544 | ---- | M] (Broadcom Corporation.) -- C:\Windows\SysNative\drivers\btwrchid.sys
[2013/05/05 13:37:56 | 012,593,024 | ---- | M] (Broadcom Corporation.) -- C:\Users\Ronnie\Desktop\SetupBtwDownloadSE.exe
[2013/05/04 01:42:27 | 000,000,124 | ---- | M] () -- C:\Users\Ronnie\Documents\ax_files.xml
[2013/05/02 20:40:33 | 000,564,824 | ---- | M] (Duplex Secure Ltd.) -- C:\Windows\SysNative\drivers\sptd.sys
[2013/05/02 11:56:06 | 000,000,990 | ---- | M] () -- C:\Users\Ronnie\Desktop\Shortcutz.lnk
[2013/05/01 19:47:31 | 005,064,153 | R--- | M] (Swearware) -- C:\Users\Ronnie\Desktop\uninstall.exe
[2013/05/01 12:02:08 | 000,327,767 | ---- | M] () -- C:\Users\Public\Documents\HMDX-JAM-English-full.pdf
[2013/05/01 12:01:31 | 000,220,844 | ---- | M] () -- C:\Users\Public\Documents\HMDX-JAM-English.pdf
[2013/04/29 14:54:33 | 000,001,680 | ---- | M] () -- C:\Users\Ronnie\Desktop\SpaceSniffer.lnk
[2013/04/29 14:54:10 | 000,001,224 | ---- | M] () -- C:\Users\Ronnie\Desktop\Paint.lnk
[2013/04/29 14:54:05 | 000,001,754 | ---- | M] () -- C:\Users\Ronnie\Desktop\opera.lnk
[2013/04/29 14:53:28 | 000,001,711 | ---- | M] () -- C:\Users\Ronnie\Desktop\FirefoxNoBank.lnk
[2013/04/29 14:53:07 | 000,001,730 | ---- | M] () -- C:\Users\Ronnie\Desktop\Everything.lnk
[2013/04/29 14:52:46 | 000,001,638 | ---- | M] () -- C:\Users\Ronnie\Desktop\My Hacked network.rtf.lnk
[2013/04/26 21:57:43 | 000,718,840 | ---- | M] (BitDefender) -- C:\Windows\SysNative\drivers\avc3.sys
[2013/04/26 21:57:27 | 000,593,144 | ---- | M] (BitDefender) -- C:\Windows\SysNative\drivers\avckf.sys
[2013/04/24 19:39:08 | 000,000,432 | ---- | M] () -- C:\Users\Public\Documents\My Hacked network.rtf
[2013/04/22 21:07:48 | 000,001,360 | ---- | M] () -- C:\Users\Public\Documents\Bitdefender uninstall.rtf
[2013/04/13 02:32:21 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2013/04/11 09:09:30 | 000,002,096 | ---- | M] () -- C:\Users\Ronnie\Desktop\Switch User.lnk
[2013/04/11 01:20:33 | 000,001,177 | ---- | M] () -- C:\temp218.bat
[2013/04/11 01:20:30 | 000,181,064 | ---- | M] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2013/04/11 00:57:16 | 000,000,207 | ---- | M] () -- C:\Windows\tweaking.com-regbackup-ARCHIE-VAIO-Microsoft-Windows-7-Home-Premium-(64-bit).dat
[2013/04/10 23:14:34 | 000,001,296 | ---- | M] () -- C:\Users\Public\Documents\east-tec Eraser 2012.rtf
[2013/04/10 21:06:49 | 000,691,592 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013/04/10 21:06:49 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013/04/10 00:41:01 | 000,729,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013/04/10 00:41:01 | 000,248,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013/04/10 00:41:01 | 000,176,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013/04/10 00:41:00 | 000,096,768 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013/04/10 00:41:00 | 000,073,216 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013/04/10 00:40:58 | 000,173,056 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013/04/10 00:40:58 | 000,142,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013/04/10 00:40:57 | 002,312,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013/04/10 00:40:57 | 000,816,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013/04/10 00:40:57 | 000,717,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013/04/10 00:40:57 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013/04/10 00:40:55 | 001,494,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013/04/10 00:40:55 | 001,427,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013/04/10 00:40:54 | 000,237,056 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013/04/10 00:40:54 | 000,231,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/05/07 17:25:38 | 000,441,936 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/05/06 03:35:28 | 000,001,077 | ---- | C] () -- C:\Users\Ronnie\Desktop\Kaspersky Security Scan.lnk
[2013/05/05 13:56:43 | 000,001,121 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bluetooth Problem Report.lnk
[2013/05/05 13:54:54 | 000,000,834 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
[2013/05/03 00:48:55 | 000,000,124 | ---- | C] () -- C:\Users\Ronnie\Documents\ax_files.xml
[2013/05/02 11:55:45 | 000,000,990 | ---- | C] () -- C:\Users\Ronnie\Desktop\Shortcutz.lnk
[2013/05/01 12:02:08 | 000,327,767 | ---- | C] () -- C:\Users\Public\Documents\HMDX-JAM-English-full.pdf
[2013/05/01 12:01:31 | 000,220,844 | ---- | C] () -- C:\Users\Public\Documents\HMDX-JAM-English.pdf
[2013/04/29 14:54:33 | 000,001,680 | ---- | C] () -- C:\Users\Ronnie\Desktop\SpaceSniffer.lnk
[2013/04/29 14:54:10 | 000,001,224 | ---- | C] () -- C:\Users\Ronnie\Desktop\Paint.lnk
[2013/04/29 14:54:05 | 000,001,754 | ---- | C] () -- C:\Users\Ronnie\Desktop\opera.lnk
[2013/04/29 14:53:28 | 000,001,711 | ---- | C] () -- C:\Users\Ronnie\Desktop\FirefoxNoBank.lnk
[2013/04/29 14:53:07 | 000,001,730 | ---- | C] () -- C:\Users\Ronnie\Desktop\Everything.lnk
[2013/04/29 14:52:46 | 000,001,638 | ---- | C] () -- C:\Users\Ronnie\Desktop\My Hacked network.rtf.lnk
[2013/04/24 19:37:24 | 000,000,432 | ---- | C] () -- C:\Users\Public\Documents\My Hacked network.rtf
[2013/04/22 21:07:48 | 000,001,360 | ---- | C] () -- C:\Users\Public\Documents\Bitdefender uninstall.rtf
[2013/04/13 11:10:17 | 000,000,193 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2013/04/13 02:20:33 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/04/13 02:20:33 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/04/13 02:20:33 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/04/13 02:20:33 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/04/13 02:20:33 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/04/11 09:02:57 | 000,002,096 | ---- | C] () -- C:\Users\Ronnie\Desktop\Switch User.lnk
[2013/04/11 01:20:33 | 000,001,177 | ---- | C] () -- C:\temp218.bat
[2013/04/11 00:57:16 | 000,000,207 | ---- | C] () -- C:\Windows\tweaking.com-regbackup-ARCHIE-VAIO-Microsoft-Windows-7-Home-Premium-(64-bit).dat
[2013/04/10 22:48:48 | 000,001,296 | ---- | C] () -- C:\Users\Public\Documents\east-tec Eraser 2012.rtf
[2013/04/02 22:58:16 | 000,007,604 | ---- | C] () -- C:\Users\Ronnie\AppData\Local\Resmon.ResmonCfg
[2013/01/07 18:04:33 | 000,234,544 | ---- | C] () -- C:\Windows\RegBootClean64.exe
[2012/12/27 07:17:12 | 000,867,020 | ---- | C] () -- C:\Windows\SysWow64\igkrng575.bin
[2012/12/27 07:17:06 | 000,105,608 | ---- | C] () -- C:\Windows\SysWow64\igfcg575m.bin
[2012/12/27 07:17:04 | 013,913,600 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll
[2012/12/27 07:17:04 | 000,128,204 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng575.bin
[2012/05/16 21:48:42 | 000,008,778 | ---- | C] () -- C:\Windows\Sandboxie.ini
[2012/04/14 10:42:10 | 000,816,490 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/09/05 08:19:56 | 000,000,176 | ---- | C] () -- C:\Windows\explorer.exe.config

========== ZeroAccess Check ==========

[2009/07/14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2012/08/21 14:11:31 | 000,857,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\SysWow64\wbem\fastprox.dll -- [2012/08/21 14:37:44 | 000,636,928 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2012/08/21 14:08:38 | 000,453,120 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2013/03/10 14:07:31 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\addpcs
[2013/03/10 13:26:15 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\Bitdefender
[2013/03/29 00:59:08 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\Canneverbe Limited
[2013/04/10 22:53:46 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\EAST Technologies
[2012/12/19 17:21:53 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\EurekaLog
[2013/03/16 14:32:07 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\GlarySoft
[2013/03/10 13:44:18 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\IObit
[2013/03/10 14:39:36 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\Opera
[2013/04/29 14:29:46 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\PFStaticIP
[2013/03/10 13:44:30 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\Process Hacker 2
[2013/03/10 14:50:27 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\QuickScan
[2013/04/11 00:50:10 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\Returnil
[2013/05/02 20:46:26 | 000,000,000 | ---D | M] -- C:\Users\Ronnie\AppData\Roaming\uTorrent

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 185 bytes -> C:\ProgramData\TEMP:C97C8631

< End of report >


aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-05-08 14:31:18
-----------------------------
14:31:18.451 OS Version: Windows x64 6.1.7601 Service Pack 1
14:31:18.451 Number of processors: 4 586 0x2505
14:31:18.451 ComputerName: ARCHIE-VAIO UserName: Ronnie
14:31:25.861 Initialize success
14:34:10.749 AVAST engine defs: 13050800
14:35:34.931 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:35:34.931 Disk 0 Vendor: Size: 476940MB BusType: 0
14:35:36.273 Disk 0 MBR read successfully
14:35:36.273 Disk 0 MBR scan
14:35:36.445 Disk 0 Windows 7 default MBR code
14:35:36.507 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13468 MB offset 2048
14:35:36.663 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 27584512
14:35:36.819 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 463370 MB offset 27789312
14:35:38.067 Disk 0 scanning C:\Windows\system32\drivers
14:36:33.603 Service scanning
14:36:45.334 Service BdfNdisf c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys **LOCKED** 5
14:36:45.522 Service bdfwfpf C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys **LOCKED** 5
14:37:41.650 Modules scanning
14:37:42.165 Disk 0 trace - called modules:
14:37:42.196 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys sptd.sys hal.dll
14:37:42.196 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80094ed060]
14:37:42.212 3 CLASSPNP.SYS[fffff880017ae43f] -> nt!IofCallDriver -> [0xfffffa8007428d10]
14:37:42.212 5 ACPI.sys[fffff880011947a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800742b050]
14:37:45.223 AVAST engine scan C:\Windows
14:38:03.444 AVAST engine scan C:\Windows\system32
14:45:57.654 AVAST engine scan C:\Windows\system32\drivers
14:46:36.761 AVAST engine scan C:\Users\Ronnie
14:49:10.359 AVAST engine scan C:\ProgramData
14:52:15.906 Scan finished successfully
14:52:51.989 Disk 0 MBR has been saved successfully to "C:\Users\Me&My\Desktop\MBR.dat"
14:52:52.145 The log file has been saved successfully to "C:\Users\Me&My\Desktop\aswMBR.txt"
 

Attachments

  • screenshot 1 emsisoft kazy.png
    screenshot 1 emsisoft kazy.png
    10.2 KB · Views: 107
  • screenshot 2 Emsi quarantine.png
    screenshot 2 Emsi quarantine.png
    173.3 KB · Views: 116
  • screenshot 3 BD virus free.png
    screenshot 3 BD virus free.png
    30.2 KB · Views: 114
  • screenshot 4 BD not virus free.png
    screenshot 4 BD not virus free.png
    48.7 KB · Views: 103
  • screenshot 5- Trojan prorat 14.March 2013.png
    screenshot 5- Trojan prorat 14.March 2013.png
    107 KB · Views: 130
  • screenshot 6 hosts file.png
    screenshot 6 hosts file.png
    41.4 KB · Views: 113
  • screenshot 7 sys restore fail 11.4.2013.png
    screenshot 7 sys restore fail 11.4.2013.png
    72.2 KB · Views: 125
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
<hr />


STEP 1: Run the below OTL fix
<ol><li>Start <>OTL.exe</></li>
<li>Copy/paste the following text written <>inside of the code box</> into the <>Custom Scans/Fixes</> box located at the bottom of OTL
Code: 
:OTL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{423D4F55-13A2-4D2E-BBDA-A1774A136043}: DhcpNameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8D3A558A-88D0-4D83-9C70-BB9C89B1021E}: NameServer = 208.67.222.222,208.67.220.220
[2013/04/11 01:20:33 | 000,001,177 | ---- | M] () -- C:\temp218.bat
@Alternate Data Stream - 185 bytes -> C:\ProgramData\TEMP:C97C8631

:commands
[emptytemp]
[reboot]
<>NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system</></li>
<li>Then click the <>Run Fix</> button at the top</li>
<li>Let the program run unhindered, reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>

<hr />
STEP 2: Run a scan with Junkware Removal Tool

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply


STEP 3: Run a scan with AdwCleaner

<ol><li>Download AdwCleaner from the below link.
<><a href="http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner" target="_blank">ADWCLEANER DOWNLAOD LINK</a></> (This link will automatically download Security Check on your computer)</li>

<li>Close all open programs and internet browsers.</li>
<li>Double click on <>adwcleaner.exe</> to run the tool.</li>
<li>Click on <>Delete</>,then confirm each time with <>Ok</>.</li>
<li>Your computer will be rebooted automatically. A text file will open after the restart.</li>
<li>Please post the contents of that logfile with your next reply.</li>
<li>You can find the logfile at <>C:\AdwCleaner[S1].txt</> as well.</li>
</ol>
<hr/>
 
Last edited by a moderator:
Chigwells

Chigwells

Level 4
Thread author
Jan 16, 2012
185
Hey Kuttus, thanks for your time.

Here's the logs you asked for. The OTL log was in folder _OTL > moved files.

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{423D4F55-13A2-4D2E-BBDA-A1774A136043}\\DhcpNameServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8D3A558A-88D0-4D83-9C70-BB9C89B1021E}\\NameServer| /E : value set successfully!
C:\temp218.bat moved successfully.
ADS C:\ProgramData\TEMP:C97C8631 deleted successfully.
File ptytemp] not found.
File boot] not found.

OTL by OldTimer - Version 3.2.69.0 log created on 05082013_204740

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

-----------------------------------------------------------------
JRT.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Home Premium x64
Ran by Ronnie on 08/05/2013 at 21:06:05.57
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\partner"
Successfully deleted: [Folder] "C:\Program Files (x86)\conduit"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 08/05/2013 at 21:16:18.34
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Awdcleaner

# AdwCleaner v2.300 - Logfile created 05/08/2013 at 21:24:33
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Ronnie - ARCHIE-VAIO
# Boot Mode : Normal
# Running from : C:\Users\Me&My\AppData\Local\temp\WPDNSE\{00000008-0001-0001-0000-000000000000}\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Users\Ronnie\Desktop\Zynga

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Opera v12.15.1748.0

File : C:\Users\Imagine\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

File : C:\Users\Blanket\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

File : C:\Users\Me&My\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

File : C:\Users\Ronnie\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1216 octets] - [08/05/2013 21:24:33]

########## EOF - \AdwCleaner[S1].txt - [1276 octets] ##########
 
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)


Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trail, click decline
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

 
Chigwells

Chigwells

Level 4
Thread author
Jan 16, 2012
185
Hey again Kuttus,

Here's the results of the scans as you asked.

I downloaded, updated, and ran as Administrator mbar

It came up clean, I didn't reboot.

I reconnected to internet, opened Firefox again and downloaded your second link and installed mbam. Ran update. Following instructions I disconnected from internet and temporarily shut down Bitdefender firewall and AV, although I forgot to shut down Emsi AM. Selected and performed quick scan.

It also came up clean.

I would like to add a couple of points:

1. Last night after I completed your first post I got one Emsi infection message (my first post screenshot 1). Today after I booted up (before I ran your second post scans) I got the infection message one more time.

2. In your first post in 'STEP 1: Run the below OTL fix', there are a couple of IP addresses mentioned: 208.67.222.222,208.67.220.220. These are the two addresses I had to type in when I set up my home Internet connection to go through OpenDNS. Please see screenshot of their website info.

Attached logs: mbar-log.txt, system-log.txt, mbam-log-date (time).txt

Cheers, Chig.
===================================================


Malwarebytes Anti-Rootkit BETA 1.05.0.1001
www.malwarebytes.org

Database version: v2013.05.09.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Ronnie :: ARCHIE-VAIO [administrator]

09/05/2013 18:37:23
mbar-log-2013-05-09 (18-37-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 31021
Time elapsed: 39 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
==============================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.527000 GHz
Memory total: 8235618304, free: 5477761024

------------ Kernel report ------------
05/09/2013 17:56:56
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\sptd.sys
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\avc3.sys
\SystemRoot\system32\DRIVERS\gzflt.sys
\SystemRoot\system32\DRIVERS\trufos.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\SmartDefragDriver.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\??\C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\??\c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys
\??\C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\blbdrive.sys
\??\C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys
\??\C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\NETw5s64.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\drivers\sdbus.sys
\SystemRoot\system32\drivers\rimssne64.sys
\SystemRoot\system32\drivers\risdsne64.sys
\SystemRoot\system32\DRIVERS\yk62x64.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\Apfiltr.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\SFEP.sys
\SystemRoot\system32\DRIVERS\Impcd.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\drivers\CmBatt.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\tap0901.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\avchv.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\ArcSoftKsUFilter.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\avckf.sys
\??\C:\Program Files\Sandboxie\SbieDrv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\qwavedrv.sys
\SystemRoot\system32\DRIVERS\psi_mf.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80094e8060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa800744b050
Lower Device Driver Name: \Driver\iaStor\
Driver name found: iaStor
Initialization returned 0x0
Load Function returned 0x0
Downloaded database version: v2013.05.09.05
Downloaded database version: v2013.05.07.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80094e8060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80094e8b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80094e8060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800740a260, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa800744b050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xfffff8a00bfab580, 0xfffffa80094e8060, 0xfffffa8006d27790
Lower DeviceData: 0xfffff8a004d0a530, 0xfffffa800744b050, 0xfffffa80094832b0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1B42C395

Partition information:

Partition 0 type is Other (0x27)
Partition is NOT ACTIVE.
Partition starts at LBA: 2048 Numsec = 27582464

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 27584512 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 27789312 Numsec = 948981760

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================


Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.09.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Ronnie :: ARCHIE-VAIO [administrator]

09/05/2013 18:50:17
mbam-log-2013-05-09 (18-50-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 322996
Time elapsed: 9 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
=============================================
 

Attachments

  • openDNS.png
    openDNS.png
    49 KB · Views: 102
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Till now everything seems to be good only........ Lets try this one also.


STEP 1: Run a scan with ESET Online Scanner
<ol>
<li>Download ESET Online Scanner utility from the below link
<><a title="External link" href="http://download.eset.com/special/eos/esetsmartinstaller_enu.exe" rel="nofollow">ESET ONLINE SCANNER DOWNLOAD LINK</a></> <em>(This link will automatically download ESET Online Scanner on your computer.)</em></li>
<li>Double click on the Eset installer program (esetsmartinstaller_enu.exe).</li>
<li>Check <>Yes, I accept the Terms of Use</></li>
<li>Click the <>Start</> button.</li>
<li>Check <>Scan archives</></li>
<li>Push the <>Start</> button.</li>
<li>ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.</li>
<li>When the scan completes, push <>List of found threats</></li>
<li>Push <>Export to Text file </> and save the file to your desktop using a unique name, such as <>ESET Scan</>. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.</li>
<li>Push the <>back</> button.</li>
<li>Push <>Finish</></li>
</ol>
<hr />
 
Last edited by a moderator:
Chigwells

Chigwells

Level 4
Thread author
Jan 16, 2012
185
Hi again Kuttus,

Sorry I've been away from my desk. Am starting scans now and will be uploading results within 24 hours.

Btw, have had 5 more of screenshot 1 Kazy notifications from Emsi. And actually just now a notification from BD only, first time that has happened.

Regards, Chig,
 
Chigwells

Chigwells

Level 4
Thread author
Jan 16, 2012
185
Hey Kattus,

Well I'm thoroughly confused and out of my depth, something seems really wrong here, I'll be as precise as I can.

I followed your instruction and ran Eset. As you said, it didn't find anything so there is no report. I left it scanning last night, and when I got up this morning it was only at 84%. Just got in this pm and all finished, no infection found. It took over nine hours to complete the scan on my 450MB hard drive. Thing is, all my desktop icons had changed themselves to super large, screenshot 1. When I right-clicked on the desktop > view, to put them back to 'small', I noticed they were set to medium, not large as I was expecting. So their setting had been changed from small to medium, but their size had gone from small to massive.

[attachment=4417]

Next thing was, I got an infection notification from BD straight away, screenshot 2. So that was the second time from BD only, (mostly its been Emsi first followed by BD a couple of seconds later, or not at all. Sometimes only Emsi notified me).

[attachment=4418]

Then I noticed that the Emsi icon had the download arrow on its icon, even though it wasn't updating. So I went into the Windows orb and opened Emsi AM from the program menu, right-clicked as administrator. As it opened I noticed it hadn't updated for 14 hours, even though my machine has been on all night, normally it updates hourly. So that is maybe why it hadn't registered any infections the last couple of times, as it was stuck or bugged and infected or something.

Next, when I opened my browser in Sandboxie to write this reply I noticed it still had the settings from yesterday before I deleted the sandbox. It should have been a fresh start with a single home page tab. Yesterday I deleted the entire old sandbox system, so today it should have been brand new. So because of this I opened CCleaner to once again give it a clean out. But CCleaner froze and the whole system froze, I had to press the start button to shut it down. When I rebooted it was running really slow so I went to reboot again, but it got stuck shutting down and after a good five minutes of shutting down I pressed the start button again to kill it.

So all this has happened in the past hour since I got in. I should say that there have been three or four notifications from both Emsi first followed by BD of infections, screenshot 3.

[attachment=4419]

So I think what stands out the most is that the scans are coming up clean but the infection notices continue as well. The only difference I noticed was after the OTL script, JTL, adwcleaner work at the beginning here, things seemed quieter for a bit.

Lastly I want to say that I am definitely going back to Comodo firewall after all this lot. Just had yet another Kazy alert from Emsi and then BD!

Thanks for all your support Kuttus,
 

Attachments

  • 1 Kazy Eset large icons.png
    1 Kazy Eset large icons.png
    966.2 KB · Views: 130
  • 2 BD Kazy after Eset.png
    2 BD Kazy after Eset.png
    38.6 KB · Views: 114
  • 3 Emsi BD kazy.png
    3 Emsi BD kazy.png
    725.5 KB · Views: 116
Chigwells

Chigwells

Level 4
Thread author
Jan 16, 2012
185
Hey Kuttus,

Apology time! i was reading through http://malwaretips.com/Thread-comp-acting-odd, And I suddenly had a thought, is it maybe Emsi and BD in conflict, cause Emsi always shows the infection as being in bitdefender/desktop/quarantine.

As no AV is finding anything. So I've checked through and deleted the 200+ items in BD quarantine. Upon reboot everything appears calm!

I should have consulted you first though.

Chig :sad:
 
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi,

I think it is making some conflicts between Emsi and BD. I recommend to use any one of them.

STEP 1: Download and Run Windows Repair (all in one)

Download Windows Repair (all in one)

  • Install the program then run it.
  • Go to step 2 and allow it to run Disc check by clicking Do It
  • Go to step 3 and allow it to run SFC
  • Go to start repairs tab select advanced mode and click start.
  •  Check the box next to "Restart/Shutdown system when finished" and ensure the following is checked along with the default checks
    1. Reset File Permissions
    2. Register System Files
    3. Repair WMI
    4. Remove Policies Set By Infections
    5. Remove Temp Files
  •   Then click Start.
 
Chigwells

Chigwells

Level 4
Thread author
Jan 16, 2012
185
Hi again Kuttus,

Following your directions I turned off BD defences, turned off Emsi defences, installed and ran Windows Repair (all in one), it wanted me to set a system restore and reg backup before Step 4, happily the software was able to do this without a hitch.

Restarted, and system is good. Firefox stalled a couple of times as I opened it to do this reply.

Not a single notification of any infection since I deleted the entire BD quarantine.

Does this mean, do you think, I am now free of any malware? If the answer is no, or maybe, I wish to run more scans.

If the answer is yes, I would like to uninstall BD and I am going to download and install Comodo IS free. folowing Chiron's install guide and tweaks.

Also, yesterday in our 'give aways' section, I downloaded Zemana Anti Logger, I will install this when you say I am clear.

Btw sorry, Since I followed your first set of instructions, OTL, jtl, adwcleaner, I've not had wireless internet, only with ethernet cable. Any suggestions there, if not no problem I can fix that later myself., the internet connection still works for my other devices.

Thanks for your support, chig.
 
Chigwells

Chigwells

Level 4
Thread author
Jan 16, 2012
185
Hi again,

I went into control panel to check Windows firewall status, after running that all-in-one program, glad I did as Window firewall was ALSO turned on, so I had that and BD firewall running.

Hopefully that is why Firefox stalled, great program but I don't want two firewalls runing together, I'll send the developer a mail about this.

Update: posted on Tweaking.com forum.
 
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay... I recommend to use only one Antivirus and Firewall program.... You can remove all other once...

There is no need to run another scans. All seems to be good only........
 
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Youp. All the logs seems good only........

Please work on your computer like you do normally and check if you are facing any other issues now......
 
Chigwells

Chigwells

Level 4
Thread author
Jan 16, 2012
185
Grand stuff! I'll let you know how the machine performs over the next days.

Thanks Kuttus for great help and support, Chig.
 
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
You are most welcome. It is my pleasure to assist you at any time......

Double click on OTL to run it
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.



Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one

For Vista
Create a restore point
Delete all but the most recent restore point

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link



Keep your system updated
  • Keeping your programs (especially Adobe and Java products) updated is essential. Update Checker will notify you if any of your programs require an update.
  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
  • Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here

I also recommend you to switch your antivirus program to a better one. Here are some suggestions:

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.


Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
  • KeyScramber - Encrypts your keystrokes to protect you against keyloggers that steals personal & banking information
  • AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
  • NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
  • Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.

Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask :)

<hr />
What's next?
  1. Bulild up your malware defenses by starting a new thread in Security Configuration Wizard forum.
  2. Learn how to avoid malware by reading this article <a href="http://malwaretips.com/blogs/how-to-easily-avoid-pc-infections/">How to easily avoid malware</a>
  3. Be an active member in the MalwareTips community! :)



My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
 
Chigwells

Chigwells

Level 4
Thread author
Jan 16, 2012
185
Hi Kuttus,

As I mentioned in a previous post, I still can't get my wireless connection back. It dropped after I ran the OTL, adwcleaner, JRT. After I followed your firsrt step, I couldn't connect over wireless. Ethernet no problem. Also, my other devices, Android tablet, still connects. I didn't mention it then cause it wasn't a priority, but now my machine is running sweet again I need to get it seen to.

So it's something on my laptop. I've tried everything I can think of. If you don't have any suggestions I'll start up a thread somewhere else.

cheers, Chig. :( :shy: :dance3:
 

Similar threads

K
  • Locked
PowerShell/MaleficAms Powershell Infection Please Help
Replies
2
Views
2,501
Windows Malware Removal Help & Support
nasdaq
nasdaq
F
    • Like
  • Locked
Service Host: Network List Service...Virus?
Replies
11
Views
2,355
Windows Malware Removal Help & Support
nasdaq
nasdaq
J
  • Locked
I need help with a Malware Spanish logs
Replies
2
Views
2,282
Windows Malware Removal Help & Support
nasdaq
nasdaq

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top