malwarebytes not finding malware, issues with running scan and bluescreen

Gbaby614

New Member
Thread author
Verified
Jan 28, 2013
232
I searched an issue that I'm having with my PC, and found that you helped someone else who was having the same issue. I tried to run the Anti-Malwarebytes and Anti-rootkit and was kicked several times to bluescreen. I logged the last reason, which says the files to describe the problem are C:\WINDOWS\MINIDUMP\MINI012813-03, C:USERS\MICHELLE\APPDATA\LOCAL\TEMP\WER-58562-0.SYSDATA.XML, and C:\USERS\MICHELLE\APPDATA\LOCAL\TEMP\WER868D.TMP.VERSION.TXT.
I was following the instructions you gave another member on post /THREAD-CANNOT-RUN-SCAN-IN-MALWAREBYTES and got to the DL of ROGUEKILLER.EXE, and it has a few things in the scan and I really don't want to delete them until you advise me to do so. There are several files in the minidump, but I could not attach them per rules.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

My name is Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.




Download Farbar Recovery Scan Tool from the below link:
  • For x32 (x86) bit systems download Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a flash drive.
  • Plug the flash drive into the infected PC.
  • Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
      • Restart the computer.
      • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
      • Use the arrow keys to select the Repair your computer menu item.
      • Select US as the keyboard language settings, and then click Next.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.

    To enter System Recovery Options by using the Windows installation disc:
      • Insert the installation disc.
      • Restart your computer.
      • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
      • Click Repair your computer.
      • Select US as the keyboard language settings, and then click Next.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

    1. Select Command Prompt.
    2. In the command window type in notepad and press Enter.
    3. The notepad opens. Under the File menu select Open.
    4. Select "Computer" and find your flash drive letter, then close the notepad.
    5. In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
       Note: Replace the letter e with the drive letter of your flash drive.
    6. The tool will start to run.
    7. When the tool opens click Yes to the disclaimer.
    8. Press the Scan button.
    9. FRST will let you know when the scan is complete and has written FRST.txt to file. Close out this message, then type the following into the search box:
       services.exe
    10. Now press the Search button.
    11. When the search is complete, Search.txt will also be written to your USB.
    12. Type exit and reboot the computer normally.
    13. Please copy and paste both logs in your reply (FRST.txt and Search.txt).
 
Last edited by a moderator:
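Once FRST.txt is in hand, the first pass a helper makes over it by eye can be scripted. The following Python script is an added example, not part of this thread and not part of the FRST tool: it parses the Run-key and service/driver lines of an FRST log (the line format is the one FRST.txt uses, as seen in the log posted later in this thread) and flags entries whose file is missing (FRST marks these with [x]), that have no name, that carry no publisher, that run from AppData, Temp or ProgramData, or that reuse a core Windows binary name such as services.exe outside the Windows directory. The sample log lines, the rule names and the Entry class are constructed for the example; a flag is a prompt to look closer, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the FRST.txt format (modelled on the "Registry (Whitelisted)"
# and "Services (Whitelisted)" sections). These lines are made up for the example.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================

HKLM\...\Run: [IgfxTray] "C:\Windows\system32\igfxtray.exe" [153624 2008-08-25] (Intel Corporation)
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [887976 2011-08-23] (Ask)
HKU\Michelle\...\Run: [Java Update] "C:\Users\Michelle\AppData\Local\Temp\svchost.exe" /q [45056 2013-01-27] ()

==================== Services (Whitelisted) ===================

2 WRSVC; "C:\Program Files (x86)\Webroot\WRSA.exe" -service [733808 2012-12-19] (Webroot)
2 Norton Internet Security; "C:\Program Files (x86)\Norton Internet Security\Engine\ccSvcHst.exe" /s "Norton Internet Security" [x]
"""

# "HKLM-x32\...\Run: [Name] <file part>"   and   "2 SvcName; <file part>" (drivers use the same shape)
RUN_RE = re.compile(r"^(?P<hive>HK.*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
SVC_RE = re.compile(r"^(?P<start>[0-4]) (?P<name>[^;]+); (?P<rest>.*)$")
# <file part>: "quoted path" or unquoted path, optional arguments, [size date] (publisher)
FILE_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|sys|dll|cpl)))(?P<args>.*?)\s*'
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>[^)]*)\)$",
    re.IGNORECASE,
)
SYSTEM_NAMES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData)\\", re.IGNORECASE)


@dataclass
class Entry:
    source: str            # registry hive ("HKLM", "HKU\Michelle", ...) or "service"
    name: str
    path: str
    args: str
    size: Optional[int]
    date: Optional[str]
    publisher: str
    missing: bool          # True when FRST printed [x]: the referenced file does not exist


def _parse_file_part(rest: str) -> Tuple[str, str, Optional[int], Optional[str], str, bool]:
    rest = rest.strip()
    if rest.endswith("[x]"):
        # File absent: keep whatever path text precedes the marker, quotes stripped.
        body = rest[:-3].strip()
        path = body[1:body.find('"', 1)] if body.startswith('"') else body.split(" ")[0]
        return path, "", None, None, "", True
    m = FILE_RE.match(rest)
    if not m:
        return rest, "", None, None, "", False
    return (m.group("q") or m.group("u"), m.group("args").strip(),
            int(m.group("size")), m.group("date"), m.group("pub").strip(), False)


def parse_log(text: str) -> List[Entry]:
    """Return one Entry per Run-key or service/driver line; other lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        run, svc = RUN_RE.match(line.rstrip()), SVC_RE.match(line.rstrip())
        if run:
            source, name, rest = run.group("hive"), run.group("name"), run.group("rest")
        elif svc:
            source, name, rest = "service", svc.group("name"), svc.group("rest")
        else:
            continue
        entries.append(Entry(source, name, *_parse_file_part(rest)))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Apply the heuristics in a fixed order and return only entries that earned a flag."""
    flagged: List[Tuple[Entry, List[str]]] = []
    for e in entries:
        reasons: List[str] = []
        if e.missing:
            reasons.append("missing-file")           # orphaned value: confirm, then clean
        if e.source != "service" and e.name == "":
            reasons.append("unnamed")                # Run value with an empty name
        if not e.missing:
            if e.publisher == "":
                reasons.append("no-publisher")       # no version/company information at all
            if USER_WRITABLE_RE.search(e.path):
                reasons.append("user-writable-path") # autoruns from a user-writable folder
            basename = e.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if basename in SYSTEM_NAMES and "\\windows\\" not in e.path.lower():
                reasons.append("system-name-outside-windows")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.source:>12} [{entry.name}] {entry.path or '<missing>'} -> {', '.join(reasons)}")
```

Run it against a saved FRST.txt by passing the file contents to parse_log; on the constructed sample it reports the unnamed missing Run value, the Temp-resident svchost.exe with no publisher, and the Norton service whose binary is gone, and stays silent on the vendor entries.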

Gbaby614

New Member
Thread author
Verified
Jan 28, 2013
232
Fiery said:
Hi and welcome to MalwareTips! :)

I don't currently have a flash drive handy.. is it necessary?
 

Gbaby614

New Member
Thread author
Verified
Jan 28, 2013
232
Gbaby614 said:
Fiery said:
Hi and welcome to MalwareTips! :)

I don't currently have a flash drive handy.. is it necessary?



Will any memory stick work? I'm searching to see if there is room on one I have photos on.
 

Fiery

Level 1
Jan 11, 2011
2,007
If you can find a flash/memory drive, that would be best. The tool isn't too big, only 888 KB. You can transfer some of the photos to another computer to make room. It will only need one photo's worth of space.

If not, do the following:

Please do the following in safe mode. If you don't know how to access safe mode, follow the instructions here

Download and run RKill
Download mirror 1 - Download mirror 2 - Download mirror 3


  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run. If it does not run, try another download link from above.
    [Image: RKill command prompt]
  • When RKill has completed its task, it will generate a log. You can then proceed with the rest of the guide.
    [Image: RKill log]

WARNING: Do not reboot your computer after running RKill as the malware process will start again, preventing you from properly performing the next step.



Download OTL by Old Timer from here and save it to your Desktop. If you can't access the internet on your infected PC, download it on a clean PC, transfer it to your infected PC using a USB/flash drive.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Change Standard Registry to All
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.




  1. Download aswmbr.exe from the below link:
     aswMBR DOWNLOAD LINK (This link will automatically download aswMBR on your computer)
  2. Double click the aswMBR.exe to run it.
  3. Click the [Scan] button to start the scan.
     [Image: avast-mbr-1.png]
  4. On completion of the scan click [Save log], save it to your desktop and post it in your next reply.
     [Image: avast-mbr-2.png]
 

Gbaby614

New Member
Thread author
Verified
Jan 28, 2013
232
I was able to fit the program on a flash drive I had. I just hope I didn't make an error on the FRST.txt file, as at the end I typed exit in the search bar and couldn't stop it, but here are the logs:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-01-2013 02 (ATTENTION: FRST version is 7 days old)
Ran by SYSTEM at 28-01-2013 11:31:51
Running from G:\
Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [IgfxTray] "C:\Windows\system32\igfxtray.exe" [153624 2008-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe" [225816 2008-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] "C:\Windows\system32\igfxpers.exe" [199704 2008-08-25] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [1533736 2008-06-19] (Synaptics, Inc.)
HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [912688 2008-09-23] (Hewlett-Packard)
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [lxdumon.exe] "C:\Program Files (x86)\Lexmark 5600-6600 Series\lxdumon.exe" [676520 2008-09-10] ()
HKLM\...\Run: [lxduamon] "C:\Program Files (x86)\Lexmark 5600-6600 Series\lxduamon.exe" [16040 2008-09-10] ()
HKLM\...\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe [441344 2008-09-11] (IDT, Inc.)
HKLM-x32\...\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [1148200 2008-09-26] (CyberLink Corp.)
HKLM-x32\...\Run: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [1152296 2008-09-25] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [189736 2008-09-25] (CyberLink)
HKLM-x32\...\Run: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam" [210216 2008-06-13] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [210216 2008-06-13] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2008-09-26] (CyberLink Corp.)
HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [202032 2008-08-01] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [210216 2008-06-13] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0" [210216 2008-06-13] (CyberLink Corp.)
HKLM-x32\...\Run: [HP Health Check Scheduler] "c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [75008 2008-06-16] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] "C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [54840 2007-05-08] (Hewlett-Packard)
HKLM-x32\...\Run: [hpWirelessAssistant] "C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [887976 2011-08-23] (Ask)
HKLM-x32\...\Run: [WRSVC] "C:\Program Files (x86)\Webroot\WRSA.exe" -ul [733808 2012-12-19] (Webroot)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-09-30] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-09-30] (Hewlett-Packard)
HKU\Michelle\...\Run: [LightScribe Control Panel] "C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" -hidden [2363392 2008-06-09] (Hewlett-Packard Company)
HKU\Michelle\...\Run: [HPAdvisor] "C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" autorun=AUTORUN [972080 2008-09-30] (Hewlett-Packard)
HKU\Michelle\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet [5252408 2010-06-01] (Yahoo! Inc.)
HKU\Michelle\...\Run: [Facebook Update] "C:\Users\Michelle\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-11] (Facebook Inc.)
HKU\Michelle\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5629312 2012-11-01] (SUPERAntiSpyware.com)
HKU\Michelle\...\Policies\system: [DisableCMD] 0
HKU\Michelle\...\Policies\system: [NoDispAppearancePage] 0
HKU\Michelle\...\Policies\system: [NoDispBackgroundPage] 0
HKU\Michelle\...\Policies\system: [NoDispSettingsPage] 0
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-07-11] (SUPERAntiSpyware.com)
2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_bd5387da\AESTSr64.exe [89088 2008-06-27] (Andrea Electronics Corporation)
2 lxdu_device; C:\Windows\system32\lxducoms.exe -service [1040552 2008-05-23] ( )
2 lxdu_device; C:\Windows\SysWow64\lxducoms.exe -service [594600 2008-05-23] ( )
2 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365904 2008-09-23] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [241734 2008-06-29] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_bd5387da\STacSV64.exe [279040 2008-09-11] (IDT, Inc.)
2 WRSVC; "C:\Program Files (x86)\Webroot\WRSA.exe" -service [733808 2012-12-19] (Webroot)
2 Norton Internet Security; "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 [x]

==================== Drivers (Whitelisted) =====================

1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
0 WRkrn; C:\Windows\System32\Drivers\WRkrn.sys [111776 2012-12-19] (Webroot)
2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [27632 2008-09-26] (Cyberlink Corp.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\ENG64.SYS [x]
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\EX64.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
1 SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [x]
1 SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-01-28 07:04 - 2013-01-28 08:01 - 00004880 ____A C:\Users\Michelle\Desktop\instructions.txt
2013-01-28 07:03 - 2013-01-28 07:03 - 00000000 ____A C:\Users\Michelle\Desktop\New Text Document.txt
2013-01-28 07:00 - 2013-01-28 07:00 - 01464303 ____A (Farbar) C:\Users\Michelle\Downloads\FRST64.exe
2013-01-28 03:59 - 2013-01-28 04:00 - 00000000 ____D C:\Users\Michelle\Desktop\Shortcuts
2013-01-28 03:32 - 2013-01-28 03:32 - 00002124 ____A C:\Users\Michelle\Desktop\RKreport[1]_S_01282013_02d0632.txt
2013-01-28 03:31 - 2013-01-28 03:32 - 00000000 ____D C:\Users\Michelle\Desktop\RK_Quarantine
2013-01-28 03:30 - 2013-01-28 03:30 - 00768512 ____A C:\Users\Michelle\Downloads\RogueKiller.exe
2013-01-28 01:43 - 2013-01-28 01:43 - 00282008 ____A C:\Windows\Minidump\Mini012813-03.dmp
2013-01-28 00:12 - 2013-01-28 00:12 - 00282008 ____A C:\Windows\Minidump\Mini012813-02.dmp
2013-01-27 22:46 - 2013-01-27 22:46 - 00277824 ____A C:\Windows\Minidump\Mini012813-01.dmp
2013-01-27 14:27 - 2013-01-27 21:17 - 00002091 ____A C:\Users\Michelle\Desktop\popups to rid.txt
2013-01-26 23:03 - 2013-01-09 11:27 - 01356360 ____A (Malwarebytes Corporation) C:\Users\Michelle\Desktop\mbar.exe
2013-01-26 20:06 - 2013-01-26 20:06 - 00000529 ____A C:\Users\Michelle\Desktop\mbar-1.01.0.1016 - Shortcut.lnk
2013-01-26 19:23 - 2013-01-26 19:23 - 00000000 ____D C:\Users\Michelle\My Documents\mbar-1.01.0.1016
2013-01-26 19:23 - 2013-01-26 19:23 - 00000000 ____D C:\Users\Michelle\Documents\mbar-1.01.0.1016
2013-01-26 18:51 - 2013-01-26 18:51 - 00000000 ____D C:\Users\Michelle\Application Data\Malwarebytes
2013-01-26 18:51 - 2013-01-26 18:51 - 00000000 ____D C:\Users\Michelle\AppData\Roaming\Malwarebytes
2013-01-26 18:51 - 2013-01-26 18:51 - 00000000 ____D C:\Users\All Users\Malwarebytes
2013-01-26 18:51 - 2013-01-26 18:51 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2013-01-26 18:51 - 2013-01-26 18:51 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-26 18:51 - 2012-12-14 13:49 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-01-26 18:49 - 2013-01-26 18:49 - 10156424 ____A (Malwarebytes Corporation ) C:\Users\Michelle\Downloads\mbam-setup.exe
2013-01-26 16:29 - 2013-01-27 15:10 - 00000000 ____D C:\Users\Michelle\Application Data\QuickScan
2013-01-26 16:29 - 2013-01-27 15:10 - 00000000 ____D C:\Users\Michelle\AppData\Roaming\QuickScan
2013-01-25 10:30 - 2013-01-25 10:30 - 00000000 ____D C:\Users\Michelle\Application Data\SUPERAntiSpyware.com
2013-01-25 10:30 - 2013-01-25 10:30 - 00000000 ____D C:\Users\Michelle\AppData\Roaming\SUPERAntiSpyware.com
2013-01-25 10:29 - 2013-01-25 10:29 - 00001756 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-01-25 10:29 - 2013-01-25 10:29 - 00001756 ____A C:\Users\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-01-25 10:28 - 2013-01-25 10:30 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-01-25 10:28 - 2013-01-25 10:28 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2013-01-25 10:28 - 2013-01-25 10:28 - 00000000 ____D C:\Users\All Users\Application Data\SUPERAntiSpyware.com
2013-01-25 10:25 - 2013-01-25 10:25 - 23508968 ____A (SUPERAntiSpyware.com) C:\Users\Michelle\Downloads\SUPERAntiSpyware.exe
2013-01-25 10:08 - 2013-01-25 10:09 - 80047680 ____A (Microsoft Corporation) C:\Users\Michelle\Downloads\msert.exe
2013-01-24 20:29 - 2013-01-24 20:28 - 00859552 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-01-24 20:29 - 2013-01-24 20:28 - 00261024 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-01-24 20:29 - 2013-01-24 20:28 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-01-24 20:29 - 2013-01-24 20:28 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-01-24 20:29 - 2013-01-24 20:28 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-01-24 20:26 - 2013-01-24 20:27 - 31473568 ____A (Oracle Corporation) C:\Users\Michelle\Downloads\jre-7u11-windows-i586.exe
2013-01-23 21:20 - 2013-01-23 21:20 - 00733296 ____A (Webroot) C:\Users\Michelle\Downloads\wsainstall.exe
2013-01-23 21:07 - 2013-01-23 21:08 - 00275848 ____A (Webroot Software Inc (www.webroot.com)) C:\Users\Michelle\Downloads\CleanWDF.exe
2013-01-23 15:40 - 2013-01-23 15:40 - 00281952 ____A C:\Windows\Minidump\Mini012313-01.dmp
2013-01-23 09:42 - 2013-01-23 09:42 - 00004539 ____A C:\Users\Michelle\Desktop\webroot fix.txt
2013-01-18 17:51 - 2013-01-18 17:51 - 00282008 ____A C:\Windows\Minidump\Mini011813-01.dmp
2013-01-18 15:09 - 2013-01-18 15:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-01-09 06:05 - 2012-11-19 20:22 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2013-01-09 06:05 - 2012-11-19 20:21 - 00253952 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2013-01-09 06:04 - 2012-11-22 17:54 - 02770432 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-01-09 06:04 - 2012-11-02 02:47 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2013-01-09 06:04 - 2012-11-02 02:47 - 01794560 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2013-01-09 06:04 - 2012-11-02 02:19 - 01400832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2013-01-09 06:04 - 2012-11-02 02:19 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2013-01-09 06:02 - 2012-11-21 20:22 - 00456192 ____A (Microsoft Corporation) C:\Windows\System32\shlwapi.dll
2013-01-09 06:02 - 2012-11-21 19:54 - 00353280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shlwapi.dll
2013-01-02 18:12 - 2013-01-28 03:58 - 00000000 ____D C:\Users\Michelle\Desktop\various
2013-01-02 17:59 - 2013-01-02 17:59 - 00001637 ____A C:\Users\Michelle\Desktop\Paint.lnk
2013-01-02 17:40 - 2013-01-02 17:40 - 00000134 ____A C:\Users\Michelle\Desktop\Windows Defender - Shortcut.lnk
2013-01-02 17:37 - 2013-01-02 17:37 - 00000000 ____D C:\Users\Michelle\Local Settings\IsolatedStorage
2013-01-02 17:37 - 2013-01-02 17:37 - 00000000 ____D C:\Users\Michelle\Local Settings\Application Data\IsolatedStorage
2013-01-02 17:37 - 2013-01-02 17:37 - 00000000 ____D C:\Users\Michelle\AppData\Local\IsolatedStorage
2013-01-01 12:30 - 2013-01-24 19:49 - 00000732 ____A C:\Users\Michelle\Local Settings\d3d9caps64.dat
2013-01-01 12:30 - 2013-01-24 19:49 - 00000732 ____A C:\Users\Michelle\Local Settings\Application Data\d3d9caps64.dat
2013-01-01 12:30 - 2013-01-24 19:49 - 00000732 ____A C:\Users\Michelle\AppData\Local\d3d9caps64.dat
2012-12-30 14:24 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2012-12-30 14:24 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2012-12-30 14:23 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2012-12-30 14:23 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2012-12-30 14:23 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2012-12-30 14:23 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2012-12-30 14:23 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2012-12-30 14:23 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2012-12-30 14:23 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2012-12-30 14:23 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2012-12-30 14:23 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2012-12-30 14:23 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2012-12-30 14:23 - 2009-07-14 04:19 - 00020480 ____A (Microsoft Corporation) C:\Windows\System32\winusb.dll
2012-12-30 14:23 - 2009-07-14 04:12 - 00016896 ____A (Microsoft Corporation) C:\Windows\SysWOW64\winusb.dll
2012-12-30 13:54 - 2012-11-13 23:06 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-12-30 13:54 - 2012-11-13 22:32 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-12-30 13:54 - 2012-11-13 22:11 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-12-30 13:54 - 2012-11-13 22:04 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-12-30 13:54 - 2012-11-13 22:04 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-12-30 13:54 - 2012-11-13 22:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-12-30 13:54 - 2012-11-13 22:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-12-30 13:54 - 2012-11-13 21:59 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-12-30 13:54 - 2012-11-13 21:58 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-12-30 13:54 - 2012-11-13 21:57 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-12-30 13:54 - 2012-11-13 21:57 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-12-30 13:54 - 2012-11-13 21:55 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-12-30 13:54 - 2012-11-13 21:55 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-12-30 13:54 - 2012-11-13 21:53 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-12-30 13:54 - 2012-11-13 21:52 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-12-30 13:54 - 2012-11-13 21:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-12-30 13:54 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-12-30 13:54 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-12-30 13:54 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-12-30 13:54 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-12-30 13:54 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-12-30 13:54 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-12-30 13:54 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-12-30 13:54 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-12-30 13:54 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-12-30 13:54 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-12-30 13:54 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-12-30 13:54 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-12-30 13:54 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-12-30 13:54 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-12-30 13:54 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-12-30 13:54 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-12-30 13:41 - 2012-12-16 05:31 - 00048128 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-30 13:41 - 2012-12-16 05:12 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-30 13:41 - 2012-12-16 03:08 - 00368128 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-30 13:41 - 2012-12-16 02:50 - 00293376 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-30 13:04 - 2012-12-30 13:04 - 00049872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bmepmwfm.sys
2012-12-30 08:28 - 2012-12-30 13:07 - 00000866 ____A C:\Windows\SysWOW64\InstallUtil.InstallLog
2012-12-30 08:27 - 2012-12-30 08:27 - 00000000 ____D C:\Users\Michelle\Local Settings\visi_coupon
2012-12-30 08:27 - 2012-12-30 08:27 - 00000000 ____D C:\Users\Michelle\Local Settings\Application Data\visi_coupon
2012-12-30 08:27 - 2012-12-30 08:27 - 00000000 ____D C:\Users\Michelle\AppData\Local\visi_coupon
2012-12-30 02:06 - 2012-12-30 02:07 - 00277288 ____A C:\Windows\Minidump\Mini123012-01.dmp
2012-12-29 09:37 - 2012-12-30 13:03 - 00000000 ____D C:\Users\Michelle\Local Settings\Conduit
2012-12-29 09:37 - 2012-12-30 13:03 - 00000000 ____D C:\Users\Michelle\Local Settings\Application Data\Conduit
2012-12-29 09:37 - 2012-12-30 13:03 - 00000000 ____D C:\Users\Michelle\AppData\Local\Conduit


==================== One Month Modified Files and Folders =======

2013-01-28 11:17 - 2013-01-28 11:17 - 00000000 ____D C:\FRST
2013-01-28 08:01 - 2013-01-28 07:04 - 00004880 ____A C:\Users\Michelle\Desktop\instructions.txt
2013-01-28 08:01 - 2011-05-18 23:22 - 01845073 ____A C:\Windows\WindowsUpdate.log
2013-01-28 08:01 - 2006-11-02 07:42 - 00032656 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-01-28 08:01 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-28 08:01 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-28 08:01 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-28 07:51 - 2012-06-28 18:41 - 00000940 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3488472860-609737526-646370250-1000UA.job
2013-01-28 07:40 - 2011-07-29 13:15 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-28 07:03 - 2013-01-28 07:03 - 00000000 ____A C:\Users\Michelle\Desktop\New Text Document.txt
2013-01-28 07:02 - 2006-11-02 04:46 - 00703388 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-28 07:00 - 2013-01-28 07:00 - 01464303 ____A (Farbar) C:\Users\Michelle\Downloads\FRST64.exe
2013-01-28 06:56 - 2006-11-02 07:27 - 00125032 ____A C:\Windows\setupact.log
2013-01-28 04:00 - 2013-01-28 03:59 - 00000000 ____D C:\Users\Michelle\Desktop\Shortcuts
2013-01-28 03:58 - 2013-01-02 18:12 - 00000000 ____D C:\Users\Michelle\Desktop\various
2013-01-28 03:32 - 2013-01-28 03:32 - 00002124 ____A C:\Users\Michelle\Desktop\RKreport[1]_S_01282013_02d0632.txt
2013-01-28 03:32 - 2013-01-28 03:31 - 00000000 ____D C:\Users\Michelle\Desktop\RK_Quarantine
2013-01-28 03:30 - 2013-01-28 03:30 - 00768512 ____A C:\Users\Michelle\Downloads\RogueKiller.exe
2013-01-28 03:26 - 2011-12-09 15:24 - 00000000 ____D C:\Users\All Users\WRData
2013-01-28 03:26 - 2011-12-09 15:24 - 00000000 ____D C:\Users\All Users\Application Data\WRData
2013-01-28 03:23 - 2011-06-05 05:54 - 00000680 ____A C:\Users\Michelle\Local Settings\d3d9caps.dat
2013-01-28 03:23 - 2011-06-05 05:54 - 00000680 ____A C:\Users\Michelle\Local Settings\Application Data\d3d9caps.dat
2013-01-28 03:23 - 2011-06-05 05:54 - 00000680 ____A C:\Users\Michelle\AppData\Local\d3d9caps.dat
2013-01-28 03:22 - 2011-07-29 13:15 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-28 01:43 - 2013-01-28 01:43 - 00282008 ____A C:\Windows\Minidump\Mini012813-03.dmp
2013-01-28 01:43 - 2011-09-21 15:22 - 00000000 ____D C:\Windows\Minidump
2013-01-28 01:43 - 2011-09-21 15:20 - 803643669 ____A C:\Windows\MEMORY.DMP
2013-01-28 00:12 - 2013-01-28 00:12 - 00282008 ____A C:\Windows\Minidump\Mini012813-02.dmp
2013-01-27 22:46 - 2013-01-27 22:46 - 00277824 ____A C:\Windows\Minidump\Mini012813-01.dmp
2013-01-27 21:17 - 2013-01-27 14:27 - 00002091 ____A C:\Users\Michelle\Desktop\popups to rid.txt
2013-01-27 15:10 - 2013-01-26 16:29 - 00000000 ____D C:\Users\Michelle\Application Data\QuickScan
2013-01-27 15:10 - 2013-01-26 16:29 - 00000000 ____D C:\Users\Michelle\AppData\Roaming\QuickScan
2013-01-27 14:30 - 2011-05-19 03:49 - 00359860 ____A C:\Users\Michelle\My Documents\unicode.txt
2013-01-27 14:30 - 2011-05-19 03:49 - 00359860 ____A C:\Users\Michelle\Documents\unicode.txt
2013-01-27 13:51 - 2012-06-28 18:41 - 00000918 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3488472860-609737526-646370250-1000Core.job
2013-01-26 20:06 - 2013-01-26 20:06 - 00000529 ____A C:\Users\Michelle\Desktop\mbar-1.01.0.1016 - Shortcut.lnk
2013-01-26 19:23 - 2013-01-26 19:23 - 00000000 ____D C:\Users\Michelle\My Documents\mbar-1.01.0.1016
2013-01-26 19:23 - 2013-01-26 19:23 - 00000000 ____D C:\Users\Michelle\Documents\mbar-1.01.0.1016
2013-01-26 19:03 - 2008-01-20 19:26 - 00184774 ____A C:\Windows\PFRO.log
2013-01-26 18:51 - 2013-01-26 18:51 - 00000000 ____D C:\Users\Michelle\Application Data\Malwarebytes
2013-01-26 18:51 - 2013-01-26 18:51 - 00000000 ____D C:\Users\Michelle\AppData\Roaming\Malwarebytes
2013-01-26 18:51 - 2013-01-26 18:51 - 00000000 ____D C:\Users\All Users\Malwarebytes
2013-01-26 18:51 - 2013-01-26 18:51 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2013-01-26 18:51 - 2013-01-26 18:51 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-26 18:49 - 2013-01-26 18:49 - 10156424 ____A (Malwarebytes Corporation ) C:\Users\Michelle\Downloads\mbam-setup.exe
2013-01-26 16:32 - 2011-05-21 15:12 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2013-01-25 10:30 - 2013-01-25 10:30 - 00000000 ____D C:\Users\Michelle\Application Data\SUPERAntiSpyware.com
2013-01-25 10:30 - 2013-01-25 10:30 - 00000000 ____D C:\Users\Michelle\AppData\Roaming\SUPERAntiSpyware.com
2013-01-25 10:30 - 2013-01-25 10:28 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-01-25 10:29 - 2013-01-25 10:29 - 00001756 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-01-25 10:29 - 2013-01-25 10:29 - 00001756 ____A C:\Users\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-01-25 10:28 - 2013-01-25 10:28 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2013-01-25 10:28 - 2013-01-25 10:28 - 00000000 ____D C:\Users\All Users\Application Data\SUPERAntiSpyware.com
2013-01-25 10:25 - 2013-01-25 10:25 - 23508968 ____A (SUPERAntiSpyware.com) C:\Users\Michelle\Downloads\SUPERAntiSpyware.exe
2013-01-25 10:09 - 2013-01-25 10:08 - 80047680 ____A (Microsoft Corporation) C:\Users\Michelle\Downloads\msert.exe
2013-01-24 20:35 - 2008-10-24 00:04 - 00000000 ____D C:\Users\All Users\Application Data\Adobe
2013-01-24 20:35 - 2008-10-24 00:04 - 00000000 ____D C:\Users\All Users\Adobe
2013-01-24 20:28 - 2013-01-24 20:29 - 00859552 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-01-24 20:28 - 2013-01-24 20:29 - 00261024 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-01-24 20:28 - 2013-01-24 20:29 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-01-24 20:28 - 2013-01-24 20:29 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-01-24 20:28 - 2013-01-24 20:29 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-01-24 20:28 - 2011-07-09 07:02 - 00780192 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-01-24 20:28 - 2008-10-24 00:21 - 00000000 ____D C:\Program Files (x86)\Java
2013-01-24 20:27 - 2013-01-24 20:26 - 31473568 ____A (Oracle Corporation) C:\Users\Michelle\Downloads\jre-7u11-windows-i586.exe
2013-01-24 20:12 - 2012-06-21 10:20 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-01-24 20:12 - 2011-05-19 05:57 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-01-24 19:49 - 2013-01-01 12:30 - 00000732 ____A C:\Users\Michelle\Local Settings\d3d9caps64.dat
2013-01-24 19:49 - 2013-01-01 12:30 - 00000732 ____A C:\Users\Michelle\Local Settings\Application Data\d3d9caps64.dat
2013-01-24 19:49 - 2013-01-01 12:30 - 00000732 ____A C:\Users\Michelle\AppData\Local\d3d9caps64.dat
2013-01-23 21:20 - 2013-01-23 21:20 - 00733296 ____A (Webroot) C:\Users\Michelle\Downloads\wsainstall.exe
2013-01-23 21:19 - 2012-01-30 15:42 - 00000000 ____D C:\Program Files (x86)\Webroot
2013-01-23 21:08 - 2013-01-23 21:07 - 00275848 ____A (Webroot Software Inc (www.webroot.com)) C:\Users\Michelle\Downloads\CleanWDF.exe
2013-01-23 20:14 - 2006-11-02 07:21 - 00310712 ____A C:\Windows\System32\FNTCACHE.DAT
2013-01-23 19:16 - 2006-11-02 04:35 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-01-23 15:40 - 2013-01-23 15:40 - 00281952 ____A C:\Windows\Minidump\Mini012313-01.dmp
2013-01-23 09:42 - 2013-01-23 09:42 - 00004539 ____A C:\Users\Michelle\Desktop\webroot fix.txt
2013-01-18 17:51 - 2013-01-18 17:51 - 00282008 ____A C:\Windows\Minidump\Mini011813-01.dmp
2013-01-18 17:51 - 2012-06-03 13:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-01-18 15:09 - 2013-01-18 15:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-01-09 11:27 - 2013-01-26 23:03 - 01356360 ____A (Malwarebytes Corporation) C:\Users\Michelle\Desktop\mbar.exe
2013-01-02 17:59 - 2013-01-02 17:59 - 00001637 ____A C:\Users\Michelle\Desktop\Paint.lnk
2013-01-02 17:40 - 2013-01-02 17:40 - 00000134 ____A C:\Users\Michelle\Desktop\Windows Defender - Shortcut.lnk
2013-01-02 17:37 - 2013-01-02 17:37 - 00000000 ____D C:\Users\Michelle\Local Settings\IsolatedStorage
2013-01-02 17:37 - 2013-01-02 17:37 - 00000000 ____D C:\Users\Michelle\Local Settings\Application Data\IsolatedStorage
2013-01-02 17:37 - 2013-01-02 17:37 - 00000000 ____D C:\Users\Michelle\AppData\Local\IsolatedStorage
2013-01-02 07:45 - 2006-11-02 04:33 - 65798144 ____A C:\Windows\System32\config\software_previous
2013-01-02 07:45 - 2006-11-02 04:33 - 18874368 ____A C:\Windows\System32\config\system_previous
2013-01-02 07:44 - 2006-11-02 05:34 - 00000000 ____D C:\Windows\System32\spool
2013-01-02 07:44 - 2006-11-02 05:34 - 00000000 ____D C:\Windows\System32\Msdtc
2013-01-02 07:44 - 2006-11-02 05:33 - 00000000 __RSD C:\Windows\Media
2013-01-02 07:44 - 2006-11-02 05:33 - 00000000 ____D C:\Windows\rescache
2013-01-02 07:43 - 2011-05-19 01:50 - 00000000 ____D C:\Users\All Users\Yahoo! Companion
2013-01-02 07:43 - 2011-05-19 01:50 - 00000000 ____D C:\Users\All Users\Application Data\Yahoo! Companion
2013-01-02 07:43 - 2006-11-02 05:33 - 00000000 ____D C:\Windows\registration
2013-01-02 07:28 - 2006-11-02 04:33 - 62652416 ____A C:\Windows\System32\config\components_previous
2013-01-02 07:28 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\sam_previous
2013-01-02 04:47 - 2011-05-18 21:38 - 00000000 ____D C:\users\Michelle
2013-01-02 04:24 - 2012-12-06 11:39 - 00000000 ____D C:\Users\Michelle\Local Settings\Unity
2013-01-02 04:24 - 2012-12-06 11:39 - 00000000 ____D C:\Users\Michelle\Local Settings\Application Data\Unity
2013-01-02 04:24 - 2012-12-06 11:39 - 00000000 ____D C:\Users\Michelle\AppData\Local\Unity
2013-01-02 04:23 - 2008-10-23 23:28 - 00000000 ____D C:\Users\All Users\WildTangent
2013-01-02 04:23 - 2008-10-23 23:28 - 00000000 ____D C:\Users\All Users\Application Data\WildTangent
2013-01-02 04:23 - 2008-10-23 23:28 - 00000000 ____D C:\Program Files (x86)\HP Games
2012-12-30 13:07 - 2012-12-30 08:28 - 00000866 ____A C:\Windows\SysWOW64\InstallUtil.InstallLog
2012-12-30 13:04 - 2012-12-30 13:04 - 00049872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bmepmwfm.sys
2012-12-30 13:03 - 2012-12-29 09:37 - 00000000 ____D C:\Users\Michelle\Local Settings\Conduit
2012-12-30 13:03 - 2012-12-29 09:37 - 00000000 ____D C:\Users\Michelle\Local Settings\Application Data\Conduit
2012-12-30 13:03 - 2012-12-29 09:37 - 00000000 ____D C:\Users\Michelle\AppData\Local\Conduit
2012-12-30 08:27 - 2012-12-30 08:27 - 00000000 ____D C:\Users\Michelle\Local Settings\visi_coupon
2012-12-30 08:27 - 2012-12-30 08:27 - 00000000 ____D C:\Users\Michelle\Local Settings\Application Data\visi_coupon
2012-12-30 08:27 - 2012-12-30 08:27 - 00000000 ____D C:\Users\Michelle\AppData\Local\visi_coupon
2012-12-30 08:24 - 2006-11-02 05:33 - 00000000 ____D C:\Windows\Resources
2012-12-30 02:07 - 2012-12-30 02:06 - 00277288 ____A C:\Windows\Minidump\Mini123012-01.dmp
2012-12-30 00:02 - 2011-06-08 10:54 - 00028672 ____A C:\Users\Michelle\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-12-30 00:02 - 2011-06-08 10:54 - 00028672 ____A C:\Users\Michelle\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-12-30 00:02 - 2011-06-08 10:54 - 00028672 ____A C:\Users\Michelle\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-12 01:09] - [2012-08-21 03:50] - 0267648 ____A (Microsoft Corporation) 582F710097B46140F5A89A19A6573D4B


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-24 23:39:23
Restore point made on: 2013-01-25 17:24:34
Restore point made on: 2013-01-26 19:55:46
Restore point made on: 2013-01-28 07:37:11

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 3998.27 MB
Available physical RAM: 3203.44 MB
Total Pagefile: 3675.47 MB
Available Pagefile: 3265.25 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:453.29 GB) (Free:389.25 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:12.47 GB) (Free:1.98 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: () (Removable) (Total:3.76 GB) (Free:3.55 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 1024 KB
Disk 1 No Media 0 B 0 B
Disk 2 Online 3856 MB 0 B

Partitions of Disk 0:
===============

Disk ID: 7E2456CC

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 453 GB 32 KB
Partition 2 Primary 12 GB 453 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 453 GB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RECOVERY NTFS Partition 12 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Disk ID: 04DD5721

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3856 MB 32 KB

==================================================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 3856 MB Healthy

=========================================================

Last Boot: 2013-01-28 03:28

==================== End Of Log =============================

Farbar Recovery Scan Tool (x64) Version: 21-01-2013 02
Ran by SYSTEM at 2013-01-28 11:24:03
Running from G:\

================== Search: "services.exe" ===================

C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2011-05-20 11:38] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\WINDOWS\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2011-05-20 11:39] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\WINDOWS\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\WINDOWS\SysWOW64\services.exe
[2011-05-20 11:38] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\WINDOWS\System32\services.exe
[2011-05-20 11:39] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

====== End Of Search ======
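The "Search: services.exe" section above is the kind of output a responder checks by hand: a live copy of a core binary should hash-match one of the copies Windows keeps in the WinSxS component store, and a copy that matches none of them is the signal left by infections that replace services.exe in place. The script below is an added example, not code from this thread, from Farbar or from FRST; it parses the two-line entry format FRST prints for each hit and reports whether each live (System32 / SysWOW64) copy matches a component-store copy. The sample input reuses the entries from the log above plus one constructed entry (the `C:\EXAMPLE\tampered` path and the all-zero MD5 are made up) to show what a mismatch looks like.

```python
"""Check an FRST 'Search:' section for a replaced system binary.

Added example (not part of the forum thread or of FRST). FRST prints every
copy of the searched file as two lines:

    <path>
    [created] - [modified] - <size> <attrs> (<company>) <MD5>

Live copies outside the WinSxS component store are compared against the
component-store copies by MD5.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "path created modified size attrs company md5")

# Detail line, e.g.
# [2011-05-20 11:38] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6...
_DETAIL = re.compile(
    r"^\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_search_section(text):
    """Return a list of Entry records from the text of one FRST Search section."""
    entries = []
    lines = [ln.rstrip() for ln in text.splitlines()]
    i = 0
    while i < len(lines) - 1:
        m = _DETAIL.match(lines[i + 1])
        # A path line is a non-empty line that is itself not a detail line
        # and is followed by a detail line.
        if lines[i] and not lines[i].startswith("[") and m:
            entries.append(Entry(
                path=lines[i],
                created=m["created"], modified=m["modified"],
                size=int(m["size"]), attrs=m["attrs"],
                company=m["company"], md5=m["md5"].upper(),
            ))
            i += 2
        else:
            i += 1
    return entries


def check_live_copies(entries):
    """Map each non-WinSxS path to a verdict based on the component-store hashes."""
    store_hashes = {e.md5 for e in entries if "\\winsxs\\" in e.path.lower()}
    verdicts = {}
    for e in entries:
        if "\\winsxs\\" in e.path.lower():
            continue
        if e.md5 in store_hashes:
            verdicts[e.path] = "matches component store"
        else:
            verdicts[e.path] = "NO component-store match"
    return verdicts


# Sample input: four entries taken from the FRST log in this thread, plus one
# constructed entry (fake path and fake all-zero hash) standing in for a
# replaced binary.
SAMPLE = r"""
C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2011-05-20 11:38] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\WINDOWS\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2011-05-20 11:39] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\WINDOWS\SysWOW64\services.exe
[2011-05-20 11:38] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\WINDOWS\System32\services.exe
[2011-05-20 11:39] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\EXAMPLE\tampered\services.exe
[2013-01-01 00:00] - [2013-01-01 00:00] - 0384512 ____A (Microsoft Corporation) 00000000000000000000000000000000
"""


def main():
    entries = parse_search_section(SAMPLE)
    for path, verdict in check_live_copies(entries).items():
        print(f"{verdict:26} {path}")


if __name__ == "__main__":
    main()
```

On the log above, both live copies hash-match the 6.0.6002.18005 component-store copies, which is the result the "MD5 is legit" lines in the Bamital & volsnap Check also report; only the constructed entry is flagged. A hash match against WinSxS is a consistency check, not a signature check: the component store could in principle be altered too, so a flagged file is a lead to follow up, not a final verdict.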
 

Gbaby614

New Member
Thread author
Verified
Jan 28, 2013
232
okay thanks.. and I am really concerned about the Conduit and Unity.. I think these are causing the popups, and I thought I deleted these.. can we check them?
 

Fiery

Level 1
Jan 11, 2011
2,007
We will delete those. Before I give you a fix, are you using a program called Visi Coupon? If not, I will also include that in the fix.
 

Gbaby614

New Member
Thread author
Verified
Jan 28, 2013
232
I don't think so.. I did sign up for free samples that offer coupons as well, but I should not have downloaded any programs for it.. at least I didn't knowingly do it. It's ok to rid it, if I need it, I'm sure the site will offer it again.
 

Gbaby614

New Member
Thread author
Verified
Jan 28, 2013
232
I do think that visi is malware, I checked the date and issues began between Nov 13-17 and again Dec 29-30
 

Gbaby614

New Member
Thread author
Verified
Jan 28, 2013
232
also, I forgot to mention links of popups, if its helpful to you they were:
Code:
http://www.iminent.com/LandingDirect/367/texteffects?refid=367&SourceId=355&CreativeId=17690425&LineItemId=5974234&PublisherId=730044&SectionId=304183587&ym=00004fdfad60130e94c83a635a7869065c233

http://nym1.ib.adnxs.com/pop?enc=s14M5UQ78T-zXgzlRDvxPwAAAAAAAPA_s14M5UQ78T-zXgzlRDvxP3MQLcqGhudf8qc8AyIEkFDMvAVRAAAAAPRnDQAdAgAAHQIAAAIAAAACK0gAlEECAAAAAQBVU0QAVVNEANACLAEHBAAAqV8AAgQCAQUAAIQA7R85eAAAAAA.&cnd=!FCHCBAjk_jgQgtagAhgAIJSDCTADOIeICEAESJ0EUPTPNVgAYLoCaABwAHgAgAEAiAEAkAEBmAEBoAEKqAEAsAEAuQEpulpbRTvxP8EBKbpaW0U78T_JARUB2CliHfM_2QEAAAAAAADwP-ABhIsC&udj=uf%28%27a%27%2C+33304%2C+1359330508%29%3Buf%28%27r%27%2C+4729602%2C+1359330508%29%3B&ccd=!iQW8NAjk_jgQgtagAhiUgwkgBA..&vpid=45&apid=117225&creative_click=http%3A%2F%2F5bd2b-thss72qcx1ohv25n9u5r.hop.clickbank.net%2F%3Ftid%3DCPXEARTH&dlo=1

http://nym1.ib.adnxs.com/pop?enc=pDSbx2Gw6z-kNJvHYbDrPwAAAAAAAPA_pDSbx2Gw6z-kNJvHYbDrP0YKu5HvRMk98qc8AyIEkFB_3AVRAAAAAPRnDQAdAgAAHQIAAAIAAAADykMAlEECAAAAAQBVU0QAVVNEANACLAEHBAAATlYAAgQCAQUAAIQAECNdzgAAAAA.&cnd=!bSeswQjJ8zEQg5SPAhgAIJSDCTADOIeICEAESJ0EUPTPNVgAYLoCaABwAHgAgAEEiAH4C5ABAZgBAaABCqgBALABALkB8xOszmKw6z_BAfMTrM5isOs_yQHy5b5d65HuP9kBAAAAAAAA8D_gAaSBAg..&udj=uf%28%27a%27%2C+81804%2C+1359338623%29%3Buf%28%27r%27%2C+4442627%2C+1359338623%29%3B&ccd=!CgWPLwjJ8zEQg5SPAhiUgwkgBA..&vpid=45&apid=115778&creative_click=http%3A%2F%2Ftracktrk.net%2F%3Fa%3D362%26c%3D5010%26s1%3D&dlo=1

http://www.playwartune.com/a?entrypt=wt-aff_iqu---@73--iqu-6125--subid3

http://nym1.ib.adnxs.com/pop?enc=mPp5U5GK6j-Y-nlTkYrqPwAAAAAAAPA_mPp5U5GK6j-Y-nlTkYrqP6TB7zFLQ-MZ8qc8AyIEkFCcCQZRAAAAAPRnDQAdAgAAHQIAAAIAAACuy0MAlEECAAAAAQBVU0QAVVNEAOcD5wMHBAAARmAAAgQCAQUAAIQAzCSfOwAAAAA.&cnd=!sCMBGQiw8TEQrpePAhgAIJSDCTADOIeICEAESJ0EUPTPNVgAYLoCaABwAHgAgAEAiAEAkAEBmAEBoAEKqAEAsAEAuQHeYuamkYrqP8EB3mLmppGK6j_JAYpCOxJxj_k_2QEAAAAAAADwP-ABAA..&udj=uf%28%27a%27%2C+22256%2C+1359350172%29%3Buf%28%27r%27%2C+4443054%2C+1359350172%29%3Bppv%2815630%2C+%271865408660900921764%27%2C+1359350172%2C+1361942172%2C+817328%2C+147860%2C+0%2C+4%2C+10368000%29%3B&ccd=!HQXgLwiw8TEQrpePAhiUgwkgBA..&vpid=45&apid=115778&dlo=1

I'm sure you are way ahead of me on this though....
 

Fiery

Level 1
Jan 11, 2011
2,007
Open notepad and copy & paste the following:

HKLM-x32\...\Run: [] [x]
2012-12-29 09:37 - 2012-12-30 13:03 - 00000000 ____D C:\Users\Michelle\Local Settings\Conduit
2012-12-29 09:37 - 2012-12-30 13:03 - 00000000 ____D C:\Users\Michelle\Local Settings\Application Data\Conduit
2012-12-29 09:37 - 2012-12-30 13:03 - 00000000 ____D C:\Users\Michelle\AppData\Local\Conduit
2013-01-28 08:01 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-02 04:24 - 2012-12-06 11:39 - 00000000 ____D C:\Users\Michelle\Local Settings\Unity
2013-01-02 04:24 - 2012-12-06 11:39 - 00000000 ____D C:\Users\Michelle\Local Settings\Application Data\Unity
2013-01-02 04:24 - 2012-12-06 11:39 - 00000000 ____D C:\Users\Michelle\AppData\Local\Unity
2012-12-30 08:27 - 2012-12-30 08:27 - 00000000 ____D C:\Users\Michelle\Local Settings\visi_coupon
2012-12-30 08:27 - 2012-12-30 08:27 - 00000000 ____D C:\Users\Michelle\Local Settings\Application Data\visi_coupon
2012-12-30 08:27 - 2012-12-30 08:27 - 00000000 ____D C:\Users\Michelle\AppData\Local\visi_coupon

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Reboot to normal mode (or safe mode if normal mode doesn't work). Then perform the following:

Please download ComboFix from one of these locations:

Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://www.infospyware.net/antimalware/combofix/

* IMPORTANT !!! Save ComboFix to your Desktop as Combo-Fix.exe

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See http://www.bleepingcomputer.com/forums/topic114351.html for help.
- Double click on Combo-Fix & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[Image: RcAuto1.gif]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: whatnext.png]
Click on Yes to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
 

Gbaby614

New Member
Thread author
Verified
Jan 28, 2013
232
I have one quick question, when I save it as fixlist.txt onto the flash drive then boot to system recovery and plug in the flash drive, then open FRST and click fix do I have to insert fixlist.txt somewhere or will it know what to do when I click fix?
 

Gbaby614

New Member
Thread author
Verified
Jan 28, 2013
232
also I just noticed there is a chance I may have to boot in safe mode, should I dl combofix before booting to system recovery or boot in safe mode w networking afterwards? Sorry for the questions, just trying to avoid errors...
 

Fiery

Level 1
Jan 11, 2011
2,007
If you have questions, please let me know!

Run the FRST fix first then boot to normal mode if you can. If you can't then boot to safe mode, download combofix and run it
 

Gbaby614

New Member
Thread author
Verified
Jan 28, 2013
232
I ran combo-fix.exe but I am really concerned about some deletions, to begin with, I saw my HP webcam software in there which had to be downloaded from the internet after a computer fix and my cyberlink software is in there as well, can that stuff be restored???
Here is the log:
ComboFix 13-01-28.02 - Michelle 01/28/2013 16:03:15.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3998.2526 [GMT -5:00]
Running from: c:\users\Michelle\Desktop\Combo-fix.exe.exe
AV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
SP: Webroot SecureAnywhere *Disabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe
c:\programdata\SymUpdate.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-28 to 2013-01-28 )))))))))))))))))))))))))))))))
.
.
2013-01-28 21:35 . 2013-01-28 21:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-28 19:17 . 2013-01-28 19:17 -------- d-----w- C:\FRST
2013-01-27 02:51 . 2013-01-27 02:51 -------- d-----w- c:\users\Michelle\AppData\Roaming\Malwarebytes
2013-01-27 02:51 . 2013-01-27 02:51 -------- d-----w- c:\programdata\Malwarebytes
2013-01-27 02:51 . 2013-01-27 02:51 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-01-27 02:51 . 2012-12-14 21:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-27 00:29 . 2013-01-27 23:10 -------- d-----w- c:\users\Michelle\AppData\Roaming\QuickScan
2013-01-25 23:22 . 2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{866E36F0-9CD6-489A-8422-2EC4A904F72F}\mpengine.dll
2013-01-25 18:30 . 2013-01-25 18:30 -------- d-----w- c:\users\Michelle\AppData\Roaming\SUPERAntiSpyware.com
2013-01-25 18:28 . 2013-01-25 18:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-01-25 18:28 . 2013-01-25 18:28 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-01-25 04:29 . 2013-01-25 04:28 859552 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-01-25 04:29 . 2013-01-25 04:28 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-01-09 14:05 . 2012-11-20 04:21 253952 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 14:05 . 2012-11-20 04:22 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll
2013-01-09 14:04 . 2012-11-23 01:54 2770432 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 14:04 . 2012-11-02 10:47 1869824 ----a-w- c:\windows\system32\msxml3.dll
2013-01-09 14:04 . 2012-11-02 10:47 1794560 ----a-w- c:\windows\system32\msxml6.dll
2013-01-09 14:04 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\SysWow64\msxml6.dll
2013-01-09 14:04 . 2012-11-02 10:19 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
2013-01-09 14:02 . 2012-11-22 04:22 456192 ----a-w- c:\windows\system32\shlwapi.dll
2013-01-03 01:37 . 2013-01-03 01:37 -------- d-----w- c:\users\Michelle\AppData\Local\IsolatedStorage
2012-12-30 21:54 . 2012-11-14 05:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-12-30 21:41 . 2012-12-16 13:31 48128 ----a-w- c:\windows\system32\atmlib.dll
2012-12-30 21:41 . 2012-12-16 13:12 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-30 21:41 . 2012-12-16 11:08 368128 ----a-w- c:\windows\system32\atmfd.dll
2012-12-30 21:41 . 2012-12-16 10:50 293376 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-30 21:04 . 2012-12-30 21:04 49872 ----a-w- c:\windows\system32\drivers\bmepmwfm.sys
2012-12-30 16:32 . 2012-12-30 16:46 -------- d-----w- C:\Temp
2012-12-30 16:27 . 2012-12-30 16:27 -------- d-----w- c:\users\Michelle\AppData\Local\visi_coupon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-25 04:28 . 2011-07-09 15:02 780192 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-01-25 04:12 . 2012-06-21 18:20 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-25 04:12 . 2011-05-19 13:57 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-24 03:16 . 2006-11-02 12:35 67599240 ----a-w- c:\windows\system32\mrt.exe
2012-12-19 23:59 . 2012-04-03 21:22 151880 ----a-w- c:\windows\SysWow64\WRusr.dll
2012-12-19 23:59 . 2012-04-03 21:22 111776 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2012-12-19 23:59 . 2012-04-03 21:22 105024 ----a-w- c:\windows\system32\WRusr.dll
2012-11-14 18:43 . 2012-11-14 18:43 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-11-14 18:43 . 2012-11-14 18:43 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-11-14 18:43 . 2012-11-14 18:43 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-11-14 18:43 . 2012-11-14 18:43 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-11-14 18:43 . 2012-11-14 18:43 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-11-14 18:43 . 2012-11-14 18:43 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-11-14 18:43 . 2012-11-14 18:43 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-11-14 18:43 . 2012-11-14 18:43 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-11-14 18:43 . 2012-11-14 18:43 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-11-14 18:42 . 2012-11-14 18:42 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-11-14 18:42 . 2012-11-14 18:42 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-11-14 18:42 . 2012-11-14 18:42 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-11-14 18:42 . 2012-11-14 18:42 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-11-14 18:42 . 2012-11-14 18:42 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-11-14 18:42 . 2012-11-14 18:42 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-11-14 18:42 . 2012-11-14 18:42 222208 ----a-w- c:\windows\system32\msls31.dll
2012-11-14 18:42 . 2012-11-14 18:42 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-11-14 18:42 . 2012-11-14 18:42 267776 ----a-w- c:\windows\system32\ieaksie.dll
2012-11-14 18:42 . 2012-11-14 18:42 197120 ----a-w- c:\windows\system32\msrating.dll
2012-11-14 18:42 . 2012-11-14 18:42 163840 ----a-w- c:\windows\system32\ieakui.dll
2012-11-14 18:42 . 2012-11-14 18:42 12288 ----a-w- c:\windows\system32\mshta.exe
2012-11-14 18:42 . 2012-11-14 18:42 114176 ----a-w- c:\windows\system32\admparse.dll
2012-11-14 18:42 . 2012-11-14 18:42 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-11-14 18:42 . 2012-11-14 18:42 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-11-14 18:42 . 2012-11-14 18:42 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-11-14 18:42 . 2012-11-14 18:42 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-11-14 18:42 . 2012-11-14 18:42 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-11-14 18:42 . 2012-11-14 18:42 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2012-11-14 18:42 . 2012-11-14 18:42 448512 ----a-w- c:\windows\system32\html.iec
2012-11-14 18:42 . 2012-11-14 18:42 282112 ----a-w- c:\windows\system32\dxtrans.dll
2012-11-14 18:42 . 2012-11-14 18:42 160256 ----a-w- c:\windows\system32\ieakeng.dll
2012-11-14 18:42 . 2012-11-14 18:42 145920 ----a-w- c:\windows\system32\iepeers.dll
2012-11-14 18:42 . 2012-11-14 18:42 136192 ----a-w- c:\windows\system32\advpack.dll
2012-11-14 18:42 . 2012-11-14 18:42 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-11-14 18:42 . 2012-11-14 18:42 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-11-14 18:42 . 2012-11-14 18:42 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2012-11-14 18:42 . 2012-11-14 18:42 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2012-11-14 18:42 . 2012-11-14 18:42 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-11-14 18:42 . 2012-11-14 18:42 82432 ----a-w- c:\windows\system32\icardie.dll
2012-11-14 18:42 . 2012-11-14 18:42 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2012-11-14 18:42 . 2012-11-14 18:42 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2012-11-14 18:42 . 2012-11-14 18:42 39936 ----a-w- c:\windows\system32\iernonce.dll
2012-11-14 18:42 . 2012-11-14 18:42 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2012-11-14 18:42 . 2012-11-14 18:42 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-14 18:42 . 2012-11-14 18:42 249344 ----a-w- c:\windows\system32\webcheck.dll
2012-11-14 18:42 . 2012-11-14 18:42 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-11-14 18:42 . 2012-11-14 18:42 160256 ----a-w- c:\windows\system32\wextract.exe
2012-11-14 18:42 . 2012-11-14 18:42 103936 ----a-w- c:\windows\system32\inseng.dll
2012-11-14 18:42 . 2012-11-14 18:42 65024 ----a-w- c:\windows\system32\pngfilt.dll
2012-11-14 18:42 . 2012-11-14 18:42 149504 ----a-w- c:\windows\system32\occache.dll
2012-11-13 01:45 . 2012-12-12 09:07 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-13 01:29 . 2012-12-12 09:07 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-11-02 10:45 . 2012-12-13 06:59 477696 ----a-w- c:\windows\system32\dpnet.dll
2012-11-02 10:45 . 2012-12-13 06:59 68096 ----a-w- c:\windows\system32\dpnathlp.dll
2012-11-02 10:18 . 2012-12-13 06:59 376320 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-11-02 08:59 . 2012-12-13 06:59 26112 ----a-w- c:\windows\system32\dpnsvr.exe
2012-11-02 08:26 . 2012-12-13 06:59 23040 ----a-w- c:\windows\SysWow64\dpnsvr.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn3\yt.dll" [2012-11-26 1525088]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"HPAdvisor"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"Facebook Update"="c:\users\Michelle\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-09-26 1148200]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-09-26 1152296]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-09-26 189736]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
"WRSVC"="c:\program files (x86)\Webroot\WRSA.exe" [2012-12-19 733808]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)
"DisableCurrentUserRun"= 0 (0x0)
"DisableCurrentUserRunOnce"= 0 (0x0)
"NoFile"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_bd5387da\AESTSr64.exe [2008-06-27 89088]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-25 04:40 1607120 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.56\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-27 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3488472860-609737526-646370250-1000Core.job
- c:\users\Michelle\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-06-29 20:46]
.
2013-01-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3488472860-609737526-646370250-1000UA.job
- c:\users\Michelle\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-06-29 20:46]
.
2013-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-29 21:14]
.
2013-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-29 21:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-25 153624]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-25 225816]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-25 199704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1533736]
"lxdumon.exe"="c:\program files (x86)\Lexmark 5600-6600 Series\lxdumon.exe" [2008-09-10 676520]
"lxduamon"="c:\program files (x86)\Lexmark 5600-6600 Series\lxduamon.exe" [2008-09-10 16040]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\2v64zce3.default\
FF - prefs.js: browser.startup.homepage - www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-12-30 11:26; plugin@selectionlinks.com; c:\users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\2v64zce3.default\extensions\plugin@selectionlinks.com
FF - ExtSQL: 2012-12-30 16:02; {40D65E82-75AC-47CA-8A73-1CEDC2668EFF}; c:\program files (x86)\Mozilla Firefox\extensions\{40D65E82-75AC-47CA-8A73-1CEDC2668EFF}
FF - ExtSQL: 2013-01-24 18:59; {e001c731-5e37-4538-a5cb-8168736a2360}; c:\users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\2v64zce3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - ExtSQL: 2013-01-26 22:03; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\2v64zce3.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
.
------- File Associations -------
.
inifile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
txtfile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{22dfbf5b-a7cd-4b25-9471-3dc68c71855f} - (no file)
BHO-{300BEC06-B743-4D19-86B9-11DC711D7FFB} - (no file)
Wow6432Node-HKLM-Run-UCam_Menu - c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe
Wow6432Node-HKLM-Run-UpdateLBPShortCut - c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
Wow6432Node-HKLM-Run-UpdatePSTShortCut - c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
Wow6432Node-HKLM-Run-UpdateP2GoShortCut - c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
Wow6432Node-HKLM-Run-UpdatePDIRShortCut - c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
WebBrowser-{22DFBF5B-A7CD-4B25-9471-3DC68C71855F} - (no file)
WebBrowser-{977AE9CC-AF83-45E8-9E03-E2798216E2D5} - (no file)
HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{1E61ED7C-7CB8-49D6-B9E9-AB4C880C8414}"=hex:51,66,7a,6c,4c,1d,38,12,12,ee,72,
1a,8a,32,b8,0c,c6,ff,e8,0c,8d,52,c0,00
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}"=hex:51,66,7a,6c,4c,1d,38,12,7e,e6,d6,
d6,5f,f0,a2,07,e0,77,a7,b9,3c,59,c0,60
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
"{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,
fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:3f,a5,87,e6,1b,ca,cd,01
.
[HKEY_USERS\S-1-5-21-3488472860-609737526-646370250-1000\È a*Ä*_*w*a*r*e*\Webroot\Log]
"WRFrame.exe_lflast"=dword:0000000c
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2013-01-28 16:37:31
ComboFix-quarantined-files.txt 2013-01-28 21:37
.
Pre-Run: 416,595,140,608 bytes free
Post-Run: 417,669,206,016 bytes free
.
- - End Of File - - BB36116AAA0A10B8765687A17527974D
 

Gbaby614

Also c:\program files (x86)\IDT\WDM\sttray64.exe was my audio file... :(
 

Fiery

Hi, don't worry, we will restore those files.

Open up Notepad and paste the following:

DeQuarantine::
C:\Qoobox\Quarantine\c\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe.vir
C:\Qoobox\Quarantine\c\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe.vir
C:\Qoobox\Quarantine\c\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe.vir
C:\Qoobox\Quarantine\c\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe.vir
C:\Qoobox\Quarantine\c\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe.vir

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe"

Folder::
c:\users\Michelle\AppData\Local\visi_coupon

File::
C:\Users\Michelle\AppData\Local\Temp\Runner.exe
C:\Users\Michelle\AppData\Local\Temp\DNS.exe

ClearJavaCache::
  • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe.
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt.
  • I will ask for this log below.




Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double-click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start).
  • Click Delete.
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt.



Download TDSSkiller from here
  • Double-click on TDSSKiller.exe to run the application.
  • When TDSSKiller opens, click Change parameters and check the box next to Loaded modules. A reboot will be required.
  • After the reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  • Click Start scan.
  • If a suspicious object is detected, the default action will be Skip; click on Continue. (If it says TDL4/TDSS file system, select Delete.)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log afterwards (it is usually in the C:\ folder, in the form TDSSKiller.[Version]_[Date]_[Time]_log.txt).
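A triage pass over the ComboFix report format shown in this thread, added here as an example and not code from ComboFix, the helper or MalwareTips: it parses the "Files Created" entries, the Run-key values and the Firefox user_pref line, and flags the patterns a removal helper reads for first (files or autostarts under per-user writable paths, and prefs that disable CSP, OCSP checking or the auto-disabling of side-loaded add-ons). The sample report is built from lines on this page plus an assumed file entry for the Temp\Runner.exe that the CFScript deletes.

```python
"""Triage helper for ComboFix report lines (added example, not ComboFix's code).
It walks the report, tracking the current registry key, and flags what a removal
helper reads for first: new files and Run-key autostarts under per-user writable
locations, and Firefox user_pref() values that switch a security feature off."""
import re
from dataclasses import dataclass

# ComboFix file entry: "<created> . <modified> <size or -------> <attrs> <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Run-key value as ComboFix prints it: "Name"="path" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?: \[(?P<meta>[^\]]*)\])?$')
# Firefox prefs, printed on one line as user_pref('key', value);
PREF_RE = re.compile(r"user_pref\('(?P<key>[^']+)', (?P<value>[^)]+)\)")

# Per-user writable roots where a persistence entry deserves a second look.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\")
# Firefox prefs that, at exactly these values, turn a security feature off.
WEAKENING_PREFS = {
    "security.csp.enable": "false",       # Content Security Policy enforcement
    "security.OCSP.enabled": "0",         # certificate revocation checking
    "extensions.autoDisableScopes": "0",  # side-loaded add-ons stay enabled
}

@dataclass
class Finding:
    kind: str    # "file", "autorun" or "pref"
    item: str    # path, registry value or pref=value
    reason: str

def flag_path(path):
    """Return a reason when the path is somewhere persistence is unusual, else None."""
    p = path.lower()
    if "\\temp\\" in p:
        return "located in a temp directory"
    if any(root in p for root in USER_WRITABLE):
        return "user-writable location; verify the publisher"
    return None

def parse_report(lines):
    """Walk report lines in order and collect Finding objects."""
    findings, current_key = [], None
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # registry section header
            continue
        m = FILE_RE.match(line)
        if m:
            reason = flag_path(m.group("path"))
            if reason:
                findings.append(Finding("file", m.group("path"), reason))
            continue
        m = RUN_RE.match(line)
        if m and current_key and current_key.lower().endswith("\\run"):
            reason = flag_path(m.group("path"))
            if reason:
                findings.append(Finding("autorun", current_key + "\\" + m.group("name"), reason))
            continue
        for pm in PREF_RE.finditer(line):
            key, value = pm.group("key"), pm.group("value").strip()
            if WEAKENING_PREFS.get(key) == value:
                findings.append(Finding("pref", f"{key}={value}", "Firefox security feature disabled"))
    return findings

# Constructed sample: lines from the report in this thread, plus an assumed
# 'Files Created' entry for the Temp\Runner.exe that the CFScript deletes.
SAMPLE_REPORT = r"""
2013-01-27 02:51 . 2012-12-14 21:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-30 16:27 . 2012-12-30 16:27 -------- d-----w- c:\users\Michelle\AppData\Local\visi_coupon
2012-12-30 16:10 . 2012-12-30 16:10 40960 ----a-w- c:\users\Michelle\AppData\Local\Temp\Runner.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"Facebook Update"="c:\users\Michelle\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDFSTab"= 0 (0x0)
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
"""

if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT.splitlines()):
        print(f"[{f.kind}] {f.item}: {f.reason}")
```

A flag is a prompt to verify the entry, not a verdict: the Facebook updater under AppData\Local is flagged for the same reason a dropper in Temp is, and the helper's judgement decides which goes into the CFScript.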
 
