Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

been infiltrated and can't clean out malware

Re: been infiltrated and can't clean out malware

Unread postby Tom N » June 17th, 2013, 10:28 am

Here are the contents of the "addition" log:
------------------------------------------------------
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-06-2013 01
Ran by Owner (administrator) on 17-06-2013 07:16:14
Running from C:\Users\Owner\Downloads
Windows Vista (TM) Ultimate Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\ProgramData\BrowserDefender\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe
(Intel(R) Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
() C:\ProgramData\BrowserDefender\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(National Instruments Corporation) C:\Windows\system32\nisvcloc.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft\BingBar\SeaPort.EXE
(IDT, Inc.) C:\Windows\system32\STacSV.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(AVG Secure Search) C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
(WebCake LLC) C:\Program Files\WebCake\WebCakeDesktop.Updater.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apoint.exe
(IDT, Inc.) C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\Update\realsched.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(AVG Secure Search) C:\Program Files\AVG SafeGuard toolbar\vprot.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corp.) C:\Program Files\Microsoft Money\System\mnyexpr.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(WebCake LLC) C:\Users\Owner\AppData\Roaming\WebCake\WebCakeDesktop.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Dropbox, Inc.) C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Conexant Systems, Inc.) C:\Windows\system32\DRIVERS\xaudio.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(National Instruments Corporation) C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe
(Safer Networking Ltd.) C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
(National Instruments Corporation) C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apntex.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\HidFind.exe
(Microsoft Corporation) C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-18] (Microsoft Corporation)
HKLM\...\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe [151552 2006-09-09] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2007-09-13] (IDT, Inc.)
HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [128296 2008-02-26] (CyberLink Corp.)
HKLM\...\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [153136 2007-03-01] (Nero AG)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM\...\Run: [ROC_ROC_JULY_P1] "C:\Program Files\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 [x]
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [ROC_ROC_NT] "C:\Program Files\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT [x]
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot [295512 2013-03-29] (RealNetworks, Inc.)
HKLM\...\Run: [vProt] "C:\Program Files\AVG SafeGuard toolbar\vprot.exe" [1226928 2013-06-10] (AVG Secure Search)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [x]
HKCU\...\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun [1233920 2009-04-10] (Microsoft Corporation)
HKCU\...\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" [200704 2003-06-18] (Microsoft Corp.)
HKCU\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKCU\...\Run: [WebCake Desktop] "C:\Users\Owner\AppData\Roaming\WebCake\WebCakeDesktop.exe" [47896 2013-06-07] (WebCake LLC)
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Owner\AppData\Local\Temp\swceyqr\spfnqoo\wow.dll ATTENTION! ====> ZeroAccess
Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickSet.lnk
ShortcutTarget: QuickSet.lnk -> C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
ShortcutTarget: ERUNT AutoBackup.lnk -> C:\Program Files\ERUNT\AUTOBACK.EXE ()
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL =
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://isearch.avg.com/search?cid={A3848765-2D63-4F79-BE2B-4F40BE4F2999}&mid=7fe58b6cc28f47d0b0d9d15c83dbf598-5e4a85687f9bf032fcdead5aee0dd3ce0ab580d9&lang=en&ds=AVG&pr=fr&d=2012-10-01 17:45:43&v=12.2.5.34&sap=dsp&q={searchTerms}
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" No File
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" No File
Toolbar: HKLM - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} - No File
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} http://208.85.206.67/SysCamInst.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} http://208.86.38.180/kxhcm10.ocx
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} http://204.14.142.236/JpegInst.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab
DPF: {DEB50B04-2723-4E8B-8125-F336CEDA40F1} http://173.8.163.20/videoinsight4/utili ... lient4.CAB
DPF: {EAEFAD15-8753-45EF-94B0-1BAA7970CC21} http://206.128.122.196/MpegInst.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll No File
Handler: msdaipp - No CLSID Value -
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\15.2.0\ViProtocol.dll (AVG Secure Search)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog5 08 C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll [24216] (National Instruments Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

Chrome:
=======
CHR HomePage: hxxp://www.delta-search.com/?affID=1193 ... 15C53F1C6B
CHR RestoreOnStartup: "hxxp://www.bing.com/"
CHR DefaultSearchURL: (Bing) - http://www.bing.com/search?setmkt=en-US&q={searchTerms}
CHR DefaultSuggestURL: (Bing) - http://api.bing.com/osjson.aspx?query={searchTerms}&language={language}
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\22.0.1229.92\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\27.0.1453.110\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\27.0.1453.110\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Download Plugin) - C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
CHR Plugin: (RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll No File
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (RealNetworks(tm) Chrome Background Extension Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Delta Toolbar) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\eooncjejnppfjjklapaamhcdmjbilmde\1.4_0
CHR Extension: (WebCake) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh\1.0.3_0
CHR Extension: (RealDownloader) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji\1.3.1_0
CHR Extension: (AVG SafeGuard toolbar) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof\15.2.0.5_0

========================== Services (Whitelisted) =================

R2 BrowserDefendert; C:\ProgramData\BrowserDefender\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe [2827728 2013-05-23] ()
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 nicconfigsvc; C:\Program Files\Dell\QuickSet\NicConfigSvc.exe [390424 2007-07-20] (Dell Inc.)
R2 niLXIDiscovery; C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe [131704 2009-03-05] (National Instruments Corporation)
R2 nimDNSResponder; C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [193648 2009-12-01] (National Instruments Corporation)
R2 niSvcLoc; C:\Windows\system32\nisvcloc.exe [13896 2009-06-04] (National Instruments Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-03-06] ()
R2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 vToolbarUpdater15.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [1015984 2013-06-10] (AVG Secure Search)
R2 WebCake Desktop Updater; C:\Users\Owner\AppData\Roaming\WebCake\WebCakeDesktop.exe [47896 2013-06-07] (WebCake LLC)
S3 msiserver; %systemroot%\system32\msiexec /V [x]

==================== Drivers (Whitelisted) ====================

R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [37664 2013-06-10] (AVG Technologies)
R2 CommSB96; C:\Windows\System32\Drivers\CommSB96.sys [24776 2005-10-07] (Motorola)
R2 CommSBEP; C:\Windows\System32\Drivers\CommSBEP.sys [44236 2005-10-07] (Motorola)
R2 cpuz135; C:\Windows\system32\drivers\cpuz135_x32.sys [21992 2011-09-21] (CPUID)
S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [61704 2011-05-31] (FTDI Ltd.)
S3 fudally; C:\Windows\System32\drivers\fudally.sys [12928 2012-10-24] (Motorola, Inc.)
R3 guardian2; C:\Windows\System32\Drivers\oz776.sys [68696 2007-12-23] (O2Micro)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 niorbk; C:\Windows\system32\drivers\niorbkl.sys [11344 2009-06-14] (National Instruments Corporation)
S3 nipalfwedl; C:\Windows\System32\drivers\nipalfwedl.sys [11904 2010-01-10] (National Instruments Corporation)
R0 NIPALK; C:\Windows\System32\drivers\nipalk.sys [597592 2010-01-10] (National Instruments Corporation)
S3 nipalusbedl; C:\Windows\System32\drivers\nipalusbedl.sys [11896 2010-01-10] (National Instruments Corporation)
R0 nipbcfk; C:\Windows\System32\drivers\nipbcfk.sys [15448 2009-07-07] (National Instruments Corporation)
S4 blbdrive; No ImagePath
S3 IpInIp; No ImagePath
S3 NwlnkFlt; No ImagePath
S3 NwlnkFwd; No ImagePath
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-17 07:15 - 2013-06-17 07:15 - 00000000 ____D C:\FRST
2013-06-17 07:14 - 2013-06-17 07:14 - 01365333 ____A (Farbar) C:\Users\Owner\Downloads\FRST.exe
2013-06-16 09:50 - 2013-06-16 09:50 - 00000000 ____D C:\_OTL
2013-06-16 09:42 - 2013-06-16 09:42 - 00000113 ____A C:\Users\Owner\Desktop\White Trader.url
2013-06-16 09:31 - 2013-06-16 10:08 - 00005011 ____A C:\Users\Owner\Desktop\OTL_custom scan_fix.txt
2013-06-16 09:19 - 2013-06-16 09:22 - 00000000 ____D C:\Malware-Virus_stuff
2013-06-16 00:43 - 2013-06-16 00:44 - 02218636 ____A C:\Users\Owner\Downloads\tdsskiller.zip
2013-06-16 00:18 - 2013-06-17 00:58 - 00000005 ____A C:\Users\Owner\AppData\Roaming\WBPU-TTL.DAT
2013-06-15 07:26 - 2013-06-15 07:55 - 00024124 ____A C:\Users\Owner\Downloads\SystemLook.txt
2013-06-15 07:25 - 2013-06-15 07:25 - 00075264 ____A C:\Users\Owner\Downloads\SystemLook.exe
2013-06-15 07:21 - 2013-06-15 07:24 - 00064204 ____A C:\Users\Owner\Downloads\Extras.Txt
2013-06-15 07:20 - 2013-06-15 07:24 - 00100454 ____A C:\Users\Owner\Downloads\OTL.Txt
2013-06-14 17:42 - 2013-06-14 17:42 - 00648201 ____A C:\Users\Owner\Downloads\adwcleaner.exe
2013-06-14 17:39 - 2013-06-14 17:39 - 00000207 ____A C:\Windows\tweaking.com-regbackup-DELL-D620-Microsoft®-Windows-Vista™-Ultimate-(32-bit).dat
2013-06-14 17:37 - 2013-06-14 17:37 - 00000000 ____D C:\RegBackup
2013-06-14 17:33 - 2013-06-14 17:33 - 00000000 ____D C:\Program Files\Tweaking.com
2013-06-14 17:30 - 2013-06-14 17:30 - 03858143 ____A C:\Users\Owner\Downloads\tweaking.com_registry_backup_setup.exe
2013-06-12 20:28 - 2013-06-12 20:28 - 00791393 ____A (Lars Hederer ) C:\Users\Owner\Downloads\erunt-setup.exe
2013-06-12 20:28 - 2013-06-12 20:28 - 00000714 ____A C:\Users\Owner\Desktop\ERUNT.lnk
2013-06-12 20:28 - 2013-06-12 20:28 - 00000000 ____D C:\Program Files\ERUNT
2013-06-12 19:53 - 2013-06-12 19:53 - 00602112 ____A (OldTimer Tools) C:\Users\Owner\Downloads\OTL.exe
2013-06-12 19:52 - 2013-06-12 19:52 - 00688992 ____A (Swearware) C:\Users\Owner\Downloads\dds.scr
2013-06-12 03:03 - 2013-05-16 16:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-12 03:03 - 2013-05-16 15:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-12 03:03 - 2013-05-16 15:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-12 03:03 - 2013-05-16 15:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-12 03:03 - 2013-05-16 15:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-12 03:03 - 2013-05-16 15:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-12 03:03 - 2013-05-16 15:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-12 03:03 - 2013-05-16 15:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-12 03:03 - 2013-05-16 15:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-12 03:03 - 2013-05-16 15:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-12 03:03 - 2013-05-16 15:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-12 03:03 - 2013-05-16 15:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-12 03:03 - 2013-05-16 15:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-12 03:03 - 2013-05-16 15:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-12 03:03 - 2013-05-16 15:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-12 03:03 - 2013-05-16 15:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-11 21:57 - 2013-05-07 21:37 - 00905576 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 21:57 - 2013-05-01 21:04 - 00443904 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-11 21:57 - 2013-05-01 21:03 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\printcom.dll
2013-06-11 21:57 - 2013-04-23 21:00 - 00985600 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 21:57 - 2013-04-23 21:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 21:57 - 2013-04-23 21:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 21:57 - 2013-04-23 21:00 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 21:57 - 2013-04-23 18:46 - 00812544 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 21:56 - 2013-05-02 15:03 - 03603832 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-06-11 21:56 - 2013-05-02 15:03 - 03551096 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-06-11 21:56 - 2013-04-17 05:30 - 00024576 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-10 22:42 - 2013-06-11 21:39 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-10 21:51 - 2013-06-17 06:58 - 00000286 ____A C:\Windows\Tasks\DSite.job
2013-06-10 21:51 - 2013-06-10 21:52 - 00001137 ____A C:\Users\Public\Desktop\Norton Security Scan.LNK
2013-06-10 21:51 - 2013-06-10 21:51 - 00000000 ____D C:\Windows\System32\Drivers\NSS
2013-06-10 21:51 - 2013-06-10 21:51 - 00000000 ____D C:\Program Files\Norton Security Scan
2013-06-10 21:34 - 2013-06-10 21:34 - 00000000 ____D C:\Users\Owner\AppData\Local\AVG SafeGuard toolbar
2013-06-10 21:31 - 2013-06-10 21:31 - 00000000 ____D C:\Windows\System32\searchplugins
2013-06-10 21:31 - 2013-06-10 21:31 - 00000000 ____D C:\Windows\System32\Extensions
2013-06-10 20:46 - 2013-06-10 20:46 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-10 20:46 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-06-10 20:45 - 2013-06-10 20:45 - 00000282 ____A C:\Windows\Tasks\EPUpdater.job
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Users\Owner\AppData\Roaming\WebCake
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Users\Owner\AppData\Roaming\BabSolution
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\ProgramData\BrowserDefender
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Program Files\WebCake
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Program Files\Delta
2013-06-10 20:44 - 2013-06-10 20:44 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Delta
2013-06-10 20:44 - 2013-06-10 20:44 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Babylon
2013-06-10 20:44 - 2013-06-10 20:44 - 00000000 ____D C:\ProgramData\Babylon
2013-06-10 20:39 - 2013-06-10 20:39 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Zip Opener Packages
2013-06-10 20:39 - 2013-06-10 20:39 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
2013-06-10 20:38 - 2013-06-10 21:51 - 00000000 ____D C:\ProgramData\Norton
2013-06-10 20:38 - 2013-06-10 20:38 - 00037664 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
2013-06-10 20:38 - 2013-06-10 20:38 - 00000000 ____D C:\ProgramData\Symantec
2013-06-10 20:38 - 2013-06-10 20:38 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2013-06-10 20:38 - 2013-06-10 20:38 - 00000000 ____D C:\Program Files\AVG SafeGuard toolbar
2013-06-10 20:37 - 2013-06-10 20:37 - 00000000 ____D C:\Users\Owner\AppData\Roaming\DSite
2013-06-09 15:32 - 2013-06-09 15:33 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\Owner\Downloads\mbam-setup-1.75.0.1300.exe
2013-06-09 14:14 - 2013-06-09 14:14 - 01814144 ____A (Bleeping Computer, LLC) C:\Users\Owner\Downloads\rkill.com
2013-06-06 10:20 - 2013-06-06 10:20 - 00001501 ____A C:\Users\Owner\Desktop\carla2_cdm750_450.cpg
2013-06-06 10:20 - 2013-06-06 10:20 - 00000000 ____A C:\Users\Owner\Desktop\carla2_cdm750_450.cpglog
2013-06-05 18:30 - 2013-06-05 18:30 - 00000000 ____D C:\Users\Owner\Documents\Kenwood
2013-06-05 18:28 - 2013-06-05 18:28 - 00000000 ____D C:\Program Files\Kenwood
2013-06-05 18:27 - 2013-06-05 18:27 - 03565874 ____A C:\Users\Owner\Downloads\M2A321.zip
2013-06-04 08:43 - 2013-06-04 08:45 - 00000000 ____D C:\Users\Owner\Desktop\sort more pix
2013-05-28 12:26 - 2013-05-28 12:26 - 00000000 ____D C:\ProgramData\Licenses
2013-05-28 11:33 - 2008-01-02 16:33 - 00172032 ____A (Intel Corporation) C:\Windows\System32\igfxres.dll
2013-05-28 11:22 - 2013-05-28 11:47 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini

==================== One Month Modified Files and Folders ========

2013-06-17 07:15 - 2013-06-17 07:15 - 00000000 ____D C:\FRST
2013-06-17 07:14 - 2013-06-17 07:14 - 01365333 ____A (Farbar) C:\Users\Owner\Downloads\FRST.exe
2013-06-17 07:01 - 2012-08-13 20:12 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-17 06:58 - 2013-06-10 21:51 - 00000286 ____A C:\Windows\Tasks\DSite.job
2013-06-17 06:57 - 2006-11-02 05:51 - 01185440 ____A C:\Windows\WindowsUpdate.log
2013-06-17 06:56 - 2012-08-07 23:50 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-17 01:01 - 2012-08-13 20:12 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-17 00:58 - 2013-06-16 00:18 - 00000005 ____A C:\Users\Owner\AppData\Roaming\WBPU-TTL.DAT
2013-06-17 00:28 - 2006-11-02 05:46 - 00003648 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-17 00:28 - 2006-11-02 05:46 - 00003648 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-16 20:36 - 2012-12-23 13:38 - 00000000 ____D C:\Program Files\MyDVR
2013-06-16 20:22 - 2013-04-27 13:25 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Dropbox
2013-06-16 12:35 - 2006-11-02 03:33 - 00759910 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-16 12:30 - 2013-04-27 13:29 - 00000000 ___RD C:\Users\Owner\Dropbox
2013-06-16 12:28 - 2006-11-02 06:00 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-16 12:27 - 2006-11-02 06:00 - 00032560 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-16 10:08 - 2013-06-16 09:31 - 00005011 ____A C:\Users\Owner\Desktop\OTL_custom scan_fix.txt
2013-06-16 09:50 - 2013-06-16 09:50 - 00000000 ____D C:\_OTL
2013-06-16 09:42 - 2013-06-16 09:42 - 00000113 ____A C:\Users\Owner\Desktop\White Trader.url
2013-06-16 09:30 - 2012-11-13 07:58 - 00000000 ____D C:\Program Files\Java
2013-06-16 09:30 - 2012-11-13 07:58 - 00000000 ____D C:\Program Files\Common Files\Java
2013-06-16 09:28 - 2012-07-12 21:07 - 00000000 ____D C:\Windows\System32\appmgmt
2013-06-16 09:22 - 2013-06-16 09:19 - 00000000 ____D C:\Malware-Virus_stuff
2013-06-16 01:01 - 2012-09-07 09:37 - 00000600 ____A C:\Users\Owner\AppData\Local\PUTTY.RND
2013-06-16 00:44 - 2013-06-16 00:43 - 02218636 ____A C:\Users\Owner\Downloads\tdsskiller.zip
2013-06-15 07:55 - 2013-06-15 07:26 - 00024124 ____A C:\Users\Owner\Downloads\SystemLook.txt
2013-06-15 07:25 - 2013-06-15 07:25 - 00075264 ____A C:\Users\Owner\Downloads\SystemLook.exe
2013-06-15 07:24 - 2013-06-15 07:21 - 00064204 ____A C:\Users\Owner\Downloads\Extras.Txt
2013-06-15 07:24 - 2013-06-15 07:20 - 00100454 ____A C:\Users\Owner\Downloads\OTL.Txt
2013-06-14 17:42 - 2013-06-14 17:42 - 00648201 ____A C:\Users\Owner\Downloads\adwcleaner.exe
2013-06-14 17:39 - 2013-06-14 17:39 - 00000207 ____A C:\Windows\tweaking.com-regbackup-DELL-D620-Microsoft®-Windows-Vista™-Ultimate-(32-bit).dat
2013-06-14 17:37 - 2013-06-14 17:37 - 00000000 ____D C:\RegBackup
2013-06-14 17:33 - 2013-06-14 17:33 - 00000000 ____D C:\Program Files\Tweaking.com
2013-06-14 17:30 - 2013-06-14 17:30 - 03858143 ____A C:\Users\Owner\Downloads\tweaking.com_registry_backup_setup.exe
2013-06-13 22:29 - 2012-08-21 09:43 - 06066176 ____A C:\Users\Owner\Documents\2003.mny
2013-06-13 22:29 - 2012-08-20 21:27 - 06068040 ___RA C:\Users\Owner\Documents\2012 Backup.mbf
2013-06-13 13:08 - 2013-03-31 15:17 - 00000000 ____D C:\Users\Owner\AppData\Roaming\FileZilla
2013-06-12 20:28 - 2013-06-12 20:28 - 00791393 ____A (Lars Hederer ) C:\Users\Owner\Downloads\erunt-setup.exe
2013-06-12 20:28 - 2013-06-12 20:28 - 00000714 ____A C:\Users\Owner\Desktop\ERUNT.lnk
2013-06-12 20:28 - 2013-06-12 20:28 - 00000000 ____D C:\Program Files\ERUNT
2013-06-12 20:25 - 2012-08-20 22:10 - 00049152 ____A C:\Users\Owner\Documents\Account info.xls
2013-06-12 19:53 - 2013-06-12 19:53 - 00602112 ____A (OldTimer Tools) C:\Users\Owner\Downloads\OTL.exe
2013-06-12 19:52 - 2013-06-12 19:52 - 00688992 ____A (Swearware) C:\Users\Owner\Downloads\dds.scr
2013-06-12 03:39 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\rescache
2013-06-12 03:05 - 2012-08-30 07:24 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-06-12 03:01 - 2006-11-02 03:24 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-06-11 23:21 - 2012-08-07 23:50 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-11 23:21 - 2012-08-07 23:50 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-11 21:39 - 2013-06-10 22:42 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-11 08:20 - 2012-07-12 22:10 - 00025794 ____A C:\Windows\PFRO.log
2013-06-10 21:52 - 2013-06-10 21:51 - 00001137 ____A C:\Users\Public\Desktop\Norton Security Scan.LNK
2013-06-10 21:51 - 2013-06-10 21:51 - 00000000 ____D C:\Windows\System32\Drivers\NSS
2013-06-10 21:51 - 2013-06-10 21:51 - 00000000 ____D C:\Program Files\Norton Security Scan
2013-06-10 21:51 - 2013-06-10 20:38 - 00000000 ____D C:\ProgramData\Norton
2013-06-10 21:34 - 2013-06-10 21:34 - 00000000 ____D C:\Users\Owner\AppData\Local\AVG SafeGuard toolbar
2013-06-10 21:31 - 2013-06-10 21:31 - 00000000 ____D C:\Windows\System32\searchplugins
2013-06-10 21:31 - 2013-06-10 21:31 - 00000000 ____D C:\Windows\System32\Extensions
2013-06-10 20:46 - 2013-06-10 20:46 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-10 20:45 - 2013-06-10 20:45 - 00000282 ____A C:\Windows\Tasks\EPUpdater.job
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Users\Owner\AppData\Roaming\WebCake
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Users\Owner\AppData\Roaming\BabSolution
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\ProgramData\BrowserDefender
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Program Files\WebCake
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Program Files\Delta
2013-06-10 20:44 - 2013-06-10 20:44 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Delta
2013-06-10 20:44 - 2013-06-10 20:44 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Babylon
2013-06-10 20:44 - 2013-06-10 20:44 - 00000000 ____D C:\ProgramData\Babylon
2013-06-10 20:39 - 2013-06-10 20:39 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Zip Opener Packages
2013-06-10 20:39 - 2013-06-10 20:39 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
2013-06-10 20:38 - 2013-06-10 20:38 - 00037664 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
2013-06-10 20:38 - 2013-06-10 20:38 - 00000000 ____D C:\ProgramData\Symantec
2013-06-10 20:38 - 2013-06-10 20:38 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2013-06-10 20:38 - 2013-06-10 20:38 - 00000000 ____D C:\Program Files\AVG SafeGuard toolbar
2013-06-10 20:37 - 2013-06-10 20:37 - 00000000 ____D C:\Users\Owner\AppData\Roaming\DSite
2013-06-10 19:32 - 2012-08-20 22:56 - 00000000 ____D C:\Users\Owner\Documents\CARLA
2013-06-09 15:33 - 2013-06-09 15:32 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\Owner\Downloads\mbam-setup-1.75.0.1300.exe
2013-06-09 14:14 - 2013-06-09 14:14 - 01814144 ____A (Bleeping Computer, LLC) C:\Users\Owner\Downloads\rkill.com
2013-06-06 10:20 - 2013-06-06 10:20 - 00001501 ____A C:\Users\Owner\Desktop\carla2_cdm750_450.cpg
2013-06-06 10:20 - 2013-06-06 10:20 - 00000000 ____A C:\Users\Owner\Desktop\carla2_cdm750_450.cpglog
2013-06-06 10:01 - 2012-08-21 09:28 - 00008642 ____A C:\Windows\setupact.log
2013-06-05 18:30 - 2013-06-05 18:30 - 00000000 ____D C:\Users\Owner\Documents\Kenwood
2013-06-05 18:28 - 2013-06-05 18:28 - 00000000 ____D C:\Program Files\Kenwood
2013-06-05 18:28 - 2012-07-12 09:23 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-06-05 18:27 - 2013-06-05 18:27 - 03565874 ____A C:\Users\Owner\Downloads\M2A321.zip
2013-06-04 08:45 - 2013-06-04 08:43 - 00000000 ____D C:\Users\Owner\Desktop\sort more pix
2013-05-28 19:59 - 2006-11-02 05:46 - 00372832 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-28 13:01 - 2012-10-02 22:51 - 00005892 ____A C:\Users\Owner\AppData\Local\d3d9caps.dat
2013-05-28 12:26 - 2013-05-28 12:26 - 00000000 ____D C:\ProgramData\Licenses
2013-05-28 12:26 - 2012-07-12 15:36 - 00000000 ____D C:\Program Files\SpywareBlaster
2013-05-28 11:47 - 2013-05-28 11:22 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini

Files to move or delete:
====================
C:\Users\Owner\AppData\Roaming\skype.ini
C:\Users\Owner\Application Data\skype.ini

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-06-17 00:36

==================== End Of Log ============================
Tom N
Regular Member
 
Posts: 19
Joined: June 12th, 2013, 10:57 pm

Re: been infiltrated and can't clean out malware

Unread postby Gary R » June 17th, 2013, 5:33 pm

OK, let's have another go at removing your infection.

First

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

Spybot S&D


... as it may be interfering with the removal process.

Reboot your computer once it is uninstalled

We can re-install it later when your machine is clean of infection.

Next

  • Double click AdwCleaner.exe to run it.
  • Click Delete.
  • Click OK to the prompt.
  • The tool will run & your computer will be rebooted automatically. A logfile will open after the restart.
  • Post the contents of the logfile with your next reply.
  • You can also find the logfile at C:\AdwCleaner[s1].txt.

Next

  • Click Start > Run, type Notepad, and click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad. (starting with start and ending with end)
Code:
Start
() C:\ProgramData\BrowserDefender\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe
() C:\ProgramData\BrowserDefender\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe
(WebCake LLC) C:\Program Files\WebCake\WebCakeDesktop.Updater.exe
(WebCake LLC) C:\Users\Owner\AppData\Roaming\WebCake\WebCakeDesktop.exe
HKCU\...\Run: [WebCake Desktop] "C:\Users\Owner\AppData\Roaming\WebCake\WebCakeDesktop.exe" [47896 2013-06-07] (WebCake LLC)
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Owner\AppData\Local\Temp\swceyqr\spfnqoo\wow.dll ATTENTION! ====> ZeroAccess
Toolbar: HKLM - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} - No File
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} http://208.86.38.180/kxhcm10.ocx
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} http://204.14.142.236/JpegInst.cab
CHR HomePage: hxxp://www.delta-search.com/?affID=1193 ... 15C53F1C6B
CHR Extension: (Delta Toolbar) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\eooncjejnppfjjklapaamhcdmjbilmde\1.4_0
CHR Extension: (WebCake) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh\1.0.3_0
R2 BrowserDefendert; C:\ProgramData\BrowserDefender\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe [2827728 2013-05-23] ()
R2 WebCake Desktop Updater; C:\Users\Owner\AppData\Roaming\WebCake\WebCakeDesktop.exe [47896 2013-06-07] (WebCake LLC)
2013-06-16 09:42 - 2013-06-16 09:42 - 00000113 ____A C:\Users\Owner\Desktop\White Trader.url
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Users\Owner\AppData\Roaming\WebCake
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Users\Owner\AppData\Roaming\BabSolution
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\ProgramData\BrowserDefender
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Program Files\WebCake
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Program Files\Delta
2013-06-10 20:44 - 2013-06-10 20:44 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Delta
2013-06-10 20:44 - 2013-06-10 20:44 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Babylon
2013-06-10 20:44 - 2013-06-10 20:44 - 00000000 ____D C:\ProgramData\Babylon
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Users\Owner\AppData\Roaming\WebCake
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Users\Owner\AppData\Roaming\BabSolution
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\ProgramData\BrowserDefender
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Program Files\WebCake
2013-06-10 20:45 - 2013-06-10 20:45 - 00000000 ____D C:\Program Files\Delta
2013-06-10 20:44 - 2013-06-10 20:44 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Delta
2013-06-10 20:44 - 2013-06-10 20:44 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Babylon
2013-06-10 20:44 - 2013-06-10 20:44 - 00000000 ____D C:\ProgramData\Babylon
Reg: reg delete "HKEY_CURRENT_USER\Software\DataMngr"
Reg: reg delete "HKEY_CURRENT_USER\Software\DataMngr_Toolbar"
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr"
Reg: reg delete "HKEY_USERS\S-1-5-21-3530627855-2043338132-2572937388-1001\Software\DataMngr"
Reg: reg delete "HKEY_USERS\S-1-5-21-3530627855-2043338132-2572937388-1001\Software\DataMngr_Toolbar"
Reg: reg delete "HKEY_CURRENT_USER\Software\Trolltech"
Reg: reg delete "HKEY_USERS\S-1-5-21-3530627855-2043338132-2572937388-1001\Software\Trolltech"
Reg: reg delete "HKEY_CURRENT_USER\Software\5c57d9dae53ce814\2.6.1339.144"
Reg: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}"
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Babylon"
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}"
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}"
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}"
Reg: reg delete "HKEY_USERS\S-1-5-21-3530627855-2043338132-2572937388-1001\Software\5c57d9dae53ce814\2.6.1339.144"
Reg: reg delete "HKEY_USERS\S-1-5-21-3530627855-2043338132-2572937388-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}"
C:\Users\Owner\AppData\Roaming\skype.ini
C:\Users\Owner\Application Data\skype.ini
End

  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fixlist.txt to your Desktop (Must be in this location)

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

Summary of the logs I need from you in your next post:
  • AdwCleaner[s1].txt
  • Fixlog.txt


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off, you'll have to post it in sections.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: been infiltrated and can't clean out malware

Unread postby Tom N » June 18th, 2013, 9:55 am

Gary, I ran both programs, and the FRST one seemed to get stuck in a loop, showing the progress bar moving and the hard drive flickering, but this went on for a couple of hours until I tried to close it and it didn't respond. I let it continue and went to bed, and it was still there in the morning when I finally forced it to end. There was a saved log, and it seems to indicate files were deleted/cleaned, so I've pasted it and the first one (Adwcleaner) below. It didn't seem to have rebooted on its own, so I am doing that after sending this to you.
---------------------------------
# AdwCleaner v2.303 - Logfile created 06/17/2013 at 19:15:08
# Updated 08/06/2013 by Xplode
# Operating system : Windows Vista (TM) Ultimate Service Pack 2 (32 bits)
# User : Owner - DELL-D620
# Boot Mode : Normal
# Running from : C:\Users\Owner\Downloads\adwcleaner (1).exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : BrowserDefendert
Stopped & Deleted : WebCake Desktop Updater

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search
File Deleted : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\bProtector Web Data
File Deleted : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\bprotectorpreferences
File Deleted : C:\Users\Owner\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Windows\Tasks\DSite.job
File Deleted : C:\Windows\Tasks\EPUpdater.job
Folder Deleted : C:\Program Files\Common Files\Wondershare
Folder Deleted : C:\Program Files\Delta
Folder Deleted : C:\Program Files\WebCake
Folder Deleted : C:\Program Files\Wondershare
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\BrowserDefender
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\ProgramData\Wondershare
Folder Deleted : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
Folder Deleted : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh
Folder Deleted : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Folder Deleted : C:\Users\Owner\AppData\Local\Temp\avg@toolbar
Folder Deleted : C:\Users\Owner\AppData\Local\Wondershare
Folder Deleted : C:\Users\Owner\AppData\Roaming\BabSolution
Folder Deleted : C:\Users\Owner\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Owner\AppData\Roaming\Delta
Folder Deleted : C:\Users\Owner\AppData\Roaming\DSite
Folder Deleted : C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowserDefender
Folder Deleted : C:\Users\Owner\AppData\Roaming\WebCake

***** [Registry] *****

Key Deleted : HKCU\Software\5c57d9dae53ce814
Key Deleted : HKCU\Software\BabSolution
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\Delta
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Delta
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Delta Chrome Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{82E1477C-B154-48D3-9891-33D83C26BCD3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{82E1477C-B154-48D3-9891-33D83C26BCD3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\5c57d9dae53ce814
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{39CB8175-E224-4446-8746-00566302DF8D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{261DD098-8A3E-43D4-87AA-63324FA897D8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{86838207-681D-469D-9511-D0DCC6F19F9B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltaappCore
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltaappCore.1
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltadskBnd
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltadskBnd.1
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltaHlpr
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltaHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
Key Deleted : HKLM\SOFTWARE\Classes\esrv.deltaESrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.deltaESrvc.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1231839B-064E-4788-B865-465A1B5266FD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DAC2231-CC35-482B-97C5-CED1D4185080}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F1CD84C-04A3-4EA0-9EA1-7D134FD66C82}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F83A9CA-B5F0-44EC-9357-35BB3E84B07F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{47E520EA-CAD2-4F51-8F30-613B3A1C33EB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{57C91446-8D81-4156-A70E-624551442DE9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{70AFB7B2-9FB5-4A70-905B-0E9576142E1D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7AD65FD1-79E0-406D-B03C-DD7C14726D69}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{97DD820D-2E20-40AD-B01E-6730B2FCE630}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B177446D-54A4-4869-BABC-8566110B4BE0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D9D1DFC5-502D-43E4-B1BB-4D0B7841489A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E0B07188-A528-4F9E-B2F7-C7FDE8680AE4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\Delta
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Delta
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Delta Chrome Toolbar
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Main [bprotector start page]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [bProtectorDefaultScope]
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [WebCake Desktop]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16490

[OK] Registry is clean.

-\\ Google Chrome v27.0.1453.110

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.2117] : homepage = "hxxp://www.delta-search.com/?affID=119351&babsrc=HP_ss&mntrId=7A730015C53F1C6B",

*************************

AdwCleaner[S1].txt - [11599 octets] - [17/06/2013 19:15:08]

########## EOF - C:\AdwCleaner[S1].txt - [11660 octets] ##########

Re: been infiltrated and can't clean out malware

Unread postby Tom N » June 18th, 2013, 9:59 am

Here is the fixlog.txt contents. Actually, it looks like maybe it didn't finish perhaps. I'll just hang tight and will not reboot or re-run it until I hear back from you.
--------------------------------------
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-06-2013
Ran by Owner at 2013-06-17 19:50:35 Run:1
Running from C:\Users\Owner\Desktop
Boot Mode: Normal

==============================================

C:\ProgramData\BrowserDefender\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe => No running process found
C:\ProgramData\BrowserDefender\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe => No running process found
C:\Program Files\WebCake\WebCakeDesktop.Updater.exe => No running process found
C:\Users\Owner\AppData\Roaming\WebCake\WebCakeDesktop.exe => No running process found
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\WebCake Desktop => Value not found.
HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\\Default => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{95B7759C-8C7F-4BF1-B163-73684A933233} => Value not found.
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
HKCR\CLSID\{2E28242B-A689-11D4-80F2-0040266CBB8D} => Key deleted successfully.
HKCR\CLSID\{33704B0F-9EB7-434B-B752-EA6CFFB87423} => Key deleted successfully.
CHR HomePage: hxxp://www.delta-search.com/?affID=1193 ... 15C53F1C6B ==> The Chrome "Settings" can be used to fix the entry.
C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\eooncjejnppfjjklapaamhcdmjbilmde directory not found.
C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh directory not found.
BrowserDefendert => Service not found.
WebCake Desktop Updater => Service not found.
C:\Users\Owner\Desktop\White Trader.url => Moved successfully.
C:\Users\Owner\AppData\Roaming\WebCake => File/Directory not found.
C:\Users\Owner\AppData\Roaming\BabSolution => File/Directory not found.
C:\ProgramData\BrowserDefender => File/Directory not found.
C:\Program Files\WebCake => File/Directory not found.
C:\Program Files\Delta => File/Directory not found.
C:\Users\Owner\AppData\Roaming\Delta => File/Directory not found.
C:\Users\Owner\AppData\Roaming\Babylon => File/Directory not found.
C:\ProgramData\Babylon => File/Directory not found.
C:\Users\Owner\AppData\Roaming\WebCake => File/Directory not found.
C:\Users\Owner\AppData\Roaming\BabSolution => File/Directory not found.
C:\ProgramData\BrowserDefender => File/Directory not found.
C:\Program Files\WebCake => File/Directory not found.
C:\Program Files\Delta => File/Directory not found.
C:\Users\Owner\AppData\Roaming\Delta => File/Directory not found.
C:\Users\Owner\AppData\Roaming\Babylon => File/Directory not found.
C:\ProgramData\Babylon => File/Directory not found.

========= reg delete "HKEY_CURRENT_USER\Software\DataMngr" =========

Re: been infiltrated and can't clean out malware

Unread postby Gary R » June 18th, 2013, 11:04 am

Reboot your computer, then try to run a new scan with OTL, and post me the log ... OTL.txt ... no need to post Extras.txt, I don't need that.

Re: been infiltrated and can't clean out malware

Unread postby Tom N » June 18th, 2013, 11:41 am

Here you go...
-------------------------
OTL logfile created on: 6/18/2013 8:19:55 AM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Malware-Virus_stuff
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.73 Gb Available Physical Memory | 57.90% Memory free
6.20 Gb Paging File | 5.00 Gb Available in Paging File | 80.69% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 30.53 Gb Free Space | 20.48% Space Free | Partition Type: NTFS
Drive F: | 29.87 Gb Total Space | 14.88 Gb Free Space | 49.83% Space Free | Partition Type: FAT32

Computer Name: DELL-D620 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/06/12 19:53:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Malware-Virus_stuff\OTL.exe
PRC - [2013/06/10 20:38:05 | 001,015,984 | ---- | M] (AVG Secure Search) -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
PRC - [2013/05/28 22:27:40 | 000,825,808 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Chrome\Application\chrome.exe
PRC - [2013/05/24 17:47:30 | 027,776,968 | ---- | M] (Dropbox, Inc.) -- C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2013/04/04 14:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2013/03/29 09:26:05 | 000,295,512 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2013/03/06 02:21:52 | 000,039,056 | ---- | M] () -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
PRC - [2012/12/18 07:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/03/28 12:21:16 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2009/12/01 14:59:16 | 000,193,648 | ---- | M] (National Instruments Corporation) -- C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe
PRC - [2009/06/04 04:14:28 | 000,013,896 | ---- | M] (National Instruments Corporation) -- C:\Windows\System32\nisvcloc.exe
PRC - [2009/05/21 14:28:38 | 000,874,768 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2009/05/21 13:04:14 | 000,473,360 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2009/04/10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/05 15:17:12 | 000,131,704 | ---- | M] (National Instruments Corporation) -- C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe
PRC - [2008/02/26 10:57:28 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2008/01/18 23:38:40 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/09/13 14:45:38 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/09/13 14:44:48 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
PRC - [2007/07/20 18:13:26 | 001,180,952 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2007/07/20 18:11:12 | 000,390,424 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2006/09/09 05:10:22 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\hidfind.exe
PRC - [2006/09/09 05:06:08 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2006/09/09 04:54:30 | 000,042,544 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApMsgFwd.exe
PRC - [2006/09/09 04:19:46 | 000,151,552 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2003/06/18 12:00:00 | 000,200,704 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft Money\System\mnyexpr.exe


========== Modules (No Company Name) ==========

MOD - [2013/05/28 22:27:38 | 000,393,168 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\27.0.1453.110\ppgooglenaclpluginchrome.dll
MOD - [2013/05/28 22:27:35 | 004,051,408 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\27.0.1453.110\pdf.dll
MOD - [2013/05/28 22:26:36 | 001,597,392 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\27.0.1453.110\ffmpegsumo.dll
MOD - [2013/03/13 13:48:52 | 024,978,944 | ---- | M] () -- C:\Users\Owner\AppData\Roaming\Dropbox\bin\libcef.dll
MOD - [2012/11/29 14:59:32 | 000,093,696 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2012/11/13 16:32:50 | 003,558,400 | ---- | M] () -- C:\Users\Owner\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll
MOD - [2012/05/30 20:06:48 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/05/30 20:06:30 | 001,242,512 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll


========== Services (SafeList) ==========

SRV - [2013/06/11 23:21:14 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/06/10 20:38:05 | 001,015,984 | ---- | M] (AVG Secure Search) [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe -- (vToolbarUpdater15.2.0)
SRV - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2013/03/06 02:21:52 | 000,039,056 | ---- | M] () [Auto | Running] -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe -- (RealNetworks Downloader Resolver Service)
SRV - [2013/01/17 22:24:48 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2012/12/18 07:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/04/01 12:14:30 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/03/28 12:21:16 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2009/12/01 14:59:16 | 000,193,648 | ---- | M] (National Instruments Corporation) [Auto | Running] -- C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe -- (nimDNSResponder)
SRV - [2009/06/04 04:14:28 | 000,013,896 | ---- | M] (National Instruments Corporation) [Auto | Running] -- C:\Windows\System32\nisvcloc.exe -- (niSvcLoc)
SRV - [2009/05/21 14:28:38 | 000,874,768 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2009/05/21 13:04:14 | 000,473,360 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2009/03/05 15:17:12 | 000,131,704 | ---- | M] (National Instruments Corporation) [Auto | Running] -- C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe -- (niLXIDiscovery)
SRV - [2008/01/18 23:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/09/13 14:45:38 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/07/20 18:11:12 | 000,390,424 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (nicconfigsvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\vmnetadapter.sys -- (VMnetAdapter)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (IpInIp)
DRV - [2013/06/10 20:38:05 | 000,037,664 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp)
DRV - [2013/04/04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/10/24 11:18:22 | 000,012,928 | ---- | M] (Motorola, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\fudally.sys -- (fudally)
DRV - [2011/09/21 10:25:34 | 000,021,992 | ---- | M] (CPUID) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\cpuz135_x32.sys -- (cpuz135)
DRV - [2011/05/31 16:26:10 | 000,073,096 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ftser2k.sys -- (FTSER2K)
DRV - [2011/05/31 16:26:09 | 000,061,704 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ftdibus.sys -- (FTDIBUS)
DRV - [2010/01/10 03:53:04 | 000,011,904 | ---- | M] (National Instruments Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nipalfwedl.sys -- (nipalfwedl)
DRV - [2010/01/10 03:52:36 | 000,597,592 | ---- | M] (National Instruments Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nipalk.sys -- (NIPALK)
DRV - [2010/01/10 03:51:00 | 000,011,896 | ---- | M] (National Instruments Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nipalusbedl.sys -- (nipalusbedl)
DRV - [2009/07/07 10:23:02 | 000,015,448 | ---- | M] (National Instruments Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nipbcfk.sys -- (nipbcfk)
DRV - [2009/06/14 15:32:28 | 000,011,344 | ---- | M] (National Instruments Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\niorbkl.sys -- (niorbk)
DRV - [2009/05/28 22:41:28 | 004,233,728 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32)
DRV - [2008/01/18 21:49:32 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbccid.sys -- (USBCCID)
DRV - [2008/01/18 20:25:06 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32)
DRV - [2007/12/23 17:18:48 | 000,068,696 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\oz776.sys -- (guardian2)
DRV - [2007/09/13 14:46:06 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2006/10/13 20:04:33 | 004,422,560 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2006/08/04 16:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/07/28 11:03:44 | 000,139,776 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2005/10/07 16:39:08 | 000,044,236 | R--- | M] (Motorola) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\COMMSBEP.sys -- (CommSBEP)
DRV - [2005/10/07 16:39:08 | 000,024,776 | R--- | M] (Motorola) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\COMMSB96.sys -- (CommSB96)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_37: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=16.0.1.18: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.3.1: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.3.1: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlpepperflashvideoshim;version=1.3.1: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=16.0.1.18: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.4: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{DAC3F861-B30D-40dd-9166-F4E75327FAC7}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ [2013/03/29 09:27:12 | 000,000,000 | ---D | M]

[2013/06/10 20:45:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

========== Chrome ==========

CHR - default_search_provider: Bing (Enabled)
CHR - default_search_provider: search_url = http://www.bing.com/search?setmkt=en-US&q={searchTerms}
CHR - default_search_provider: suggest_url = http://api.bing.com/osjson.aspx?query={searchTerms}&language={language}
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.92\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.110\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.110\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Download Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll
CHR - plugin: RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: RealNetworks(tm) Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: RealDownloader = C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji\1.3.1_0\

O1 HOSTS File: ([2012/07/12 15:34:38 | 000,443,459 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15235 more lines...
O2 - BHO: (RealNetworks Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [ROC_ROC_JULY_P1] "C:\Program Files\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 File not found
O4 - HKLM..\Run: [ROC_ROC_NT] "C:\Program Files\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [MoneyAgent] C:\Program Files\Microsoft Money\System\mnyexpr.exe (Microsoft Corp.)
O4 - Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll (National Instruments Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} http://208.85.206.67/SysCamInst.cab (Panasonic Network Camera)
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} http://208.86.38.180/kxhcm10.ocx (Reg Error: Key error.)
O16 - DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} http://204.14.142.236/JpegInst.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {DEB50B04-2723-4E8B-8125-F336CEDA40F1} http://173.8.163.20/videoinsight4/utili ... lient4.CAB (VIClientControl Class)
O16 - DPF: {EAEFAD15-8753-45EF-94B0-1BAA7970CC21} http://206.128.122.196/MpegInst.cab (pmpeg4cam Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0F1EB107-A095-4CBF-A48F-E844AB9FB9C0}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img17.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img17.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/17 19:49:38 | 001,365,717 | ---- | C] (Farbar) -- C:\Users\Owner\Desktop\FRST.exe
[2013/06/17 19:47:27 | 000,000,000 | ---D | C] -- C:\FRST
[2013/06/16 09:50:07 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/06/16 09:19:37 | 000,000,000 | ---D | C] -- C:\Malware-Virus_stuff
[2013/06/14 17:37:51 | 000,000,000 | ---D | C] -- C:\RegBackup
[2013/06/14 17:33:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
[2013/06/14 17:33:56 | 000,000,000 | ---D | C] -- C:\Program Files\Tweaking.com
[2013/06/12 20:28:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2013/06/12 20:28:43 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2013/06/12 03:03:59 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/06/12 03:03:58 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/06/12 03:03:58 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/06/12 03:03:58 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/06/12 03:03:58 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/06/12 03:03:57 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/06/12 03:03:57 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/06/12 03:03:56 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/06/11 21:57:09 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printcom.dll
[2013/06/11 21:57:04 | 000,812,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\certutil.exe
[2013/06/11 21:57:03 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\certenc.dll
[2013/06/11 21:56:57 | 003,603,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2013/06/11 21:56:56 | 003,551,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2013/06/11 21:56:50 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cryptdlg.dll
[2013/06/10 22:42:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2013/06/10 21:51:38 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NSS
[2013/06/10 21:51:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security Scan
[2013/06/10 21:51:38 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Security Scan
[2013/06/10 21:51:38 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NSS\0400010.010
[2013/06/10 21:34:30 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\AVG SafeGuard toolbar
[2013/06/10 21:31:51 | 000,000,000 | ---D | C] -- C:\Windows\System32\searchplugins
[2013/06/10 21:31:51 | 000,000,000 | ---D | C] -- C:\Windows\System32\Extensions
[2013/06/10 20:46:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/06/10 20:46:22 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013/06/10 20:46:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/06/10 20:45:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/06/10 20:39:08 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Zip Opener Packages
[2013/06/10 20:39:04 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG SafeGuard toolbar
[2013/06/10 20:38:54 | 000,037,664 | ---- | C] (AVG Technologies) -- C:\Windows\System32\drivers\avgtpx86.sys
[2013/06/10 20:38:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVG Secure Search
[2013/06/10 20:38:47 | 000,000,000 | ---D | C] -- C:\Program Files\AVG SafeGuard toolbar
[2013/06/10 20:38:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
[2013/06/10 20:38:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2013/06/10 20:38:17 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2013/06/10 20:38:16 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2013/06/05 18:30:11 | 000,000,000 | ---D | C] -- C:\Users\Owner\Documents\Kenwood
[2013/06/05 18:29:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KENWOOD
[2013/06/05 18:28:56 | 000,000,000 | ---D | C] -- C:\Program Files\Kenwood
[2013/06/04 08:43:46 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\sort more pix
[2013/05/28 12:26:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Licenses
[2013/05/28 11:33:48 | 000,172,032 | ---- | C] (Intel Corporation) -- C:\Windows\System32\igfxres.dll

========== Files - Modified Within 30 Days ==========

[2013/06/18 08:21:15 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/18 08:18:32 | 000,643,562 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/06/18 08:18:32 | 000,119,722 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/06/18 08:11:23 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/06/18 08:11:21 | 000,003,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/06/18 08:11:21 | 000,003,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/06/18 08:11:14 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/06/18 08:11:06 | 3210,866,688 | -HS- | M] () -- C:\hiberfil.sys
[2013/06/18 08:01:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/06/18 07:26:30 | 000,000,113 | ---- | M] () -- C:\Users\Owner\Desktop\White Trader.url
[2013/06/17 19:45:26 | 001,365,717 | ---- | M] (Farbar) -- C:\Users\Owner\Desktop\FRST.exe
[2013/06/17 19:21:04 | 000,000,115 | ---- | M] () -- C:\Windows\DeleteOnReboot.bat
[2013/06/17 10:35:35 | 005,636,096 | ---- | M] () -- C:\Users\Owner\Documents\2003.mny
[2013/06/17 10:35:31 | 006,461,352 | R--- | M] () -- C:\Users\Owner\Documents\2012 Backup.mbf
[2013/06/17 00:58:19 | 000,000,005 | ---- | M] () -- C:\Users\Owner\AppData\Roaming\WBPU-TTL.DAT
[2013/06/16 01:01:58 | 000,000,600 | ---- | M] () -- C:\Users\Owner\AppData\Local\PUTTY.RND
[2013/06/14 17:39:07 | 000,000,207 | ---- | M] () -- C:\Windows\tweaking.com-regbackup-DELL-D620-Microsoft®-Windows-Vista™-Ultimate-(32-bit).dat
[2013/06/13 13:07:48 | 002,501,856 | ---- | M] () -- C:\Users\Owner\Documents\CCW_App.pdf
[2013/06/12 20:28:58 | 000,000,913 | ---- | M] () -- C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2013/06/12 20:28:44 | 000,000,714 | ---- | M] () -- C:\Users\Owner\Desktop\ERUNT.lnk
[2013/06/12 14:36:51 | 000,536,208 | ---- | M] () -- C:\Users\Owner\Documents\dmv14.pdf
[2013/06/11 23:21:13 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/06/11 23:21:13 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/06/10 21:52:34 | 000,001,137 | ---- | M] () -- C:\Users\Public\Desktop\Norton Security Scan.LNK
[2013/06/10 20:38:05 | 000,037,664 | ---- | M] (AVG Technologies) -- C:\Windows\System32\drivers\avgtpx86.sys
[2013/06/06 10:20:38 | 000,001,501 | ---- | M] () -- C:\Users\Owner\Desktop\carla2_cdm750_450.cpg
[2013/06/06 10:20:38 | 000,000,000 | ---- | M] () -- C:\Users\Owner\Desktop\carla2_cdm750_450.cpglog
[2013/06/05 22:17:27 | 000,000,951 | ---- | M] () -- C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2013/05/28 19:59:32 | 000,372,832 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/05/28 13:01:06 | 000,005,892 | ---- | M] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2013/05/28 11:47:38 | 000,000,004 | ---- | M] () -- C:\Users\Owner\AppData\Roaming\skype.ini
[2013/05/22 00:53:40 | 000,000,172 | ---- | M] () -- C:\Windows\System32\drivers\NSS\0400010.010\isolate.ini

========== Files Created - No Company Name ==========

[2013/06/18 07:26:30 | 000,000,113 | ---- | C] () -- C:\Users\Owner\Desktop\White Trader.url
[2013/06/17 19:20:46 | 000,000,115 | ---- | C] () -- C:\Windows\DeleteOnReboot.bat
[2013/06/16 00:18:00 | 000,000,005 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\WBPU-TTL.DAT
[2013/06/14 17:39:07 | 000,000,207 | ---- | C] () -- C:\Windows\tweaking.com-regbackup-DELL-D620-Microsoft®-Windows-Vista™-Ultimate-(32-bit).dat
[2013/06/13 13:07:48 | 002,501,856 | ---- | C] () -- C:\Users\Owner\Documents\CCW_App.pdf
[2013/06/12 20:28:58 | 000,000,913 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2013/06/12 20:28:44 | 000,000,714 | ---- | C] () -- C:\Users\Owner\Desktop\ERUNT.lnk
[2013/06/12 14:36:51 | 000,536,208 | ---- | C] () -- C:\Users\Owner\Documents\dmv14.pdf
[2013/06/11 21:41:22 | 3210,866,688 | -HS- | C] () -- C:\hiberfil.sys
[2013/06/10 21:51:44 | 000,001,137 | ---- | C] () -- C:\Users\Public\Desktop\Norton Security Scan.LNK
[2013/06/10 21:51:38 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NSS\0400010.010\isolate.ini
[2013/06/06 10:20:38 | 000,001,501 | ---- | C] () -- C:\Users\Owner\Desktop\carla2_cdm750_450.cpg
[2013/06/06 10:20:38 | 000,000,000 | ---- | C] () -- C:\Users\Owner\Desktop\carla2_cdm750_450.cpglog
[2013/05/28 11:22:30 | 000,000,004 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\skype.ini
[2013/04/07 08:26:30 | 000,053,248 | R--- | C] () -- C:\Windows\System32\RegAccess.dll
[2013/03/14 11:01:04 | 000,060,864 | ---- | C] () -- C:\Users\Owner\g2mdlhlpx.exe
[2013/01/17 22:28:23 | 000,000,125 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
[2012/10/30 22:28:45 | 000,073,220 | ---- | C] () -- C:\Windows\System32\EPPICPrinterDB.dat
[2012/10/30 22:28:45 | 000,031,053 | ---- | C] () -- C:\Windows\System32\EPPICPattern131.dat
[2012/10/30 22:28:45 | 000,029,114 | ---- | C] () -- C:\Windows\System32\EPPICPattern1.dat
[2012/10/30 22:28:45 | 000,027,417 | ---- | C] () -- C:\Windows\System32\EPPICPattern121.dat
[2012/10/30 22:28:45 | 000,021,021 | ---- | C] () -- C:\Windows\System32\EPPICPattern3.dat
[2012/10/30 22:28:45 | 000,015,670 | ---- | C] () -- C:\Windows\System32\EPPICPattern5.dat
[2012/10/30 22:28:45 | 000,013,280 | ---- | C] () -- C:\Windows\System32\EPPICPattern2.dat
[2012/10/30 22:28:45 | 000,010,673 | ---- | C] () -- C:\Windows\System32\EPPICPattern4.dat
[2012/10/30 22:28:45 | 000,004,943 | ---- | C] () -- C:\Windows\System32\EPPICPattern6.dat
[2012/10/30 22:28:45 | 000,001,140 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_PT.dat
[2012/10/30 22:28:45 | 000,001,140 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_BP.dat
[2012/10/30 22:28:45 | 000,001,137 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_ES.dat
[2012/10/30 22:28:45 | 000,001,130 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_FR.dat
[2012/10/30 22:28:45 | 000,001,130 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_CF.dat
[2012/10/30 22:28:45 | 000,001,104 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_EN.dat
[2012/10/30 22:28:45 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2012/10/02 22:51:01 | 000,005,892 | ---- | C] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2012/09/21 08:20:10 | 000,007,680 | ---- | C] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/09/07 09:37:52 | 000,000,600 | ---- | C] () -- C:\Users\Owner\AppData\Local\PUTTY.RND
[2012/08/31 09:51:46 | 000,012,858 | ---- | C] () -- C:\Windows\hpwscr14.dat
[2012/08/31 09:50:16 | 000,179,441 | ---- | C] () -- C:\Windows\hpwins14.dat
[2012/08/31 09:50:16 | 000,001,108 | ---- | C] () -- C:\Windows\hpwmdl14.dat
[2012/08/20 21:56:27 | 000,618,496 | ---- | C] () -- C:\Windows\System32\stlpmt45.dll
[2012/07/12 19:37:03 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2012/07/12 10:42:13 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2012/07/12 10:42:06 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2012/07/12 10:41:16 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2012/07/12 10:41:16 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2012/07/12 09:13:48 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2012/07/11 21:42:06 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en

========== ZeroAccess Check ==========

[2006/11/02 05:53:06 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 10:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 10:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/10 23:28:20 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/10 23:28:26 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\Owner\Documents\Radio Mobile:Roxio EMC Stream
@Alternate Data Stream - 180 bytes -> C:\Users\Owner\Documents\PGE_NEM_Signature_page.JPG:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >
Tom N
Regular Member
 
Posts: 19
Joined: June 12th, 2013, 10:57 pm
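The ZeroAccess Check section of the log above lists the InProcServer32 default value for a few COM classes under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. The reason both hives are shown is that a per-user Software\Classes\clsid entry takes precedence over the machine-wide one, and redirecting the shell32 or WMI classes that way is how the ZeroAccess rootkit got its own DLL loaded. An HKCU key that is empty, or that points at the same file in system32, is leftover residue; one pointing into a user profile would still be live. The log does not say that itself, so take it as this editor's reading. The Python below is an added example for this page, not part of OTL or of the thread; its sample block copies the two HKCU keys from the log and adds one invented HKCU key with a made-up user-profile DLL path to show what the suspicious case looks like.

```python
import re
from typing import Dict, Optional

# Constructed sample in the layout of OTL's "ZeroAccess Check" section. The first two
# HKCU keys mirror the log posted above; the third HKCU key and its user-profile DLL
# path are invented here to show a live redirect (CONSTRUCTED-GUID is a placeholder).
SAMPLE_CHECK = r"""========== ZeroAccess Check ==========

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 10:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\Users\Owner\AppData\Local\{CONSTRUCTED-GUID}\hijack.dll -- [2013/06/01 00:00:00 | 000,001,024 | ---- | M] ()

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 10:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/10 23:28:20 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
"""

KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Classes\\clsid\\(\{[0-9a-f-]+\})\\InProcServer32\]$",
    re.IGNORECASE,
)
DEFAULT_RE = re.compile(r'^"" = (.+?) -- \[')  # the (Default) value: the DLL that gets loaded
TRUSTED_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_check(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {hive: {clsid: default_value_or_None}} for every InProcServer32 key listed."""
    hives: Dict[str, Dict[str, Optional[str]]] = {"HKEY_CURRENT_USER": {}, "HKEY_LOCAL_MACHINE": {}}
    current = None  # (hive, clsid) of the key whose values are being read
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = (m.group(1).upper(), m.group(2).lower())
            hives[current[0]][current[1]] = None  # key seen, no default value (yet)
            continue
        m = DEFAULT_RE.match(line.strip())
        if m and current:
            hives[current[0]][current[1]] = m.group(1)
    return hives


def classify_hkcu(hives: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, str]:
    """Rate each per-user override: empty_key (residue), clean, or suspicious."""
    hklm = hives["HKEY_LOCAL_MACHINE"]
    result: Dict[str, str] = {}
    for clsid, path in hives["HKEY_CURRENT_USER"].items():
        if path is None:
            result[clsid] = "empty_key"          # key exists but loads nothing
        elif not path.lower().startswith(TRUSTED_PREFIXES):
            result[clsid] = "suspicious"         # per-user override outside system32
        elif clsid in hklm and hklm[clsid] and hklm[clsid].lower() != path.lower():
            result[clsid] = "suspicious"         # differs from the machine-wide handler
        else:
            result[clsid] = "clean"
    return result


if __name__ == "__main__":
    for clsid, verdict in classify_hkcu(parse_check(SAMPLE_CHECK)).items():
        print(f"{verdict:10} {clsid}")
```

Only HKCU keys are rated, because those are the ones a user-level process can create and the ones that win the lookup; the HKLM entries serve as the reference the per-user value is compared against.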

Re: been infiltrated and can't clean out malware

Unread postby Gary R » June 18th, 2013, 12:13 pm

OK, that looks pretty good. There are no signs of infection, so it looks like we've managed to remove most if not all the things we needed to.

I just need to know now if we got everything, so I'm afraid I need you to run a couple more scans for me ...

First

  • Double-click SystemLook.exe to run it.
  • Copy and paste the contents of the following codebox into the main textfield:
    Code:
    :filefind
    *datamngr*
    *trolltech*
    *babylon*
    
    :folderfind
    *datamngr*
    *trolltech*
    *babylon*
    
    :Regfind
    datamngr
    trolltech
    babylon
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Next

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.
  • Please go HERE then click on Run ESET Online Scanner
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed click on Start to start the scan.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed you will be presented with a list of found threats ....
    • Click on the List of found threats link
    • Click on Export to text file
    • Save as ESET.txt to your Desktop
  • Exit out of ESET Online Scanner.
  • Post me the contents of ESET.txt please.

Summary of the logs I need from you in your next post:
  • SystemLook.txt
  • e-Set log
  • Let me know how your computer is behaving now please.


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: been infiltrated and can't clean out malware

Unread postby Tom N » June 19th, 2013, 2:27 am

Looks like there is still some stuff that hasn't been completely deleted per the logs and what I still see. It seems at one point the website link was gone on my desktop but came back for some reason. Maybe from a restart at some point with the previous routines I ran?
----------------------------------

SystemLook 04.09.10 by jpshortstuff
Log created at 09:20 on 18/06/2013 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "*datamngr*"
No files found.

Searching for "*trolltech*"
No files found.

Searching for "*babylon*"
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\Babylon.dat --a---- 12384 bytes [03:44 11/06/2013] [12:17 19/02/2013] 825E5733974586A0A1229A53361ED13E
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\MyBabylonTB.exe --a---- 1769152 bytes [08:44 04/06/2013] [08:44 04/06/2013] 0E8F2F37A37C95DF90D462C93A648B0E
C:\Users\Owner\Music\iTunes\iTunes Media\Music\Thievery Corporation\The Richest Man In Babylon\11 The Richest Man In Babylon.m4a --a---- 7965626 bytes [20:20 01/07/2012] [20:20 01/07/2012] CA6D6AA29D1C445DC68BD25A15045846

========== folderfind ==========

Searching for "*datamngr*"
No folders found.

Searching for "*trolltech*"
No folders found.

Searching for "*babylon*"
C:\Users\Owner\Music\iTunes\iTunes Media\Music\Thievery Corporation\The Richest Man In Babylon d------ [17:35 21/08/2012]

========== Regfind ==========

Searching for "datamngr"
No data found.

Searching for "trolltech"
[HKEY_CURRENT_USER\Software\Trolltech]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.3\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.6\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-3530627855-2043338132-2572937388-1001\Software\Trolltech]
[HKEY_USERS\S-1-5-21-3530627855-2043338132-2572937388-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.3\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-3530627855-2043338132-2572937388-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.6\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-3530627855-2043338132-2572937388-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]

Searching for "babylon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
"DllName"="BabylonToolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
"DllName"="BabylonToolbarTlbr.dll"

-= EOF =-


ESET Results:
--------------------------------
C:\Current Build Software\02_AuslogicRegClnr\registry-cleaner-setup.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Current Build Software\04_AuslogigDiskDefrag\disk-defrag-setup.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Current Build Software\10_Cpuz\cpu-z_1.60-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Current Build Software\AuslogicRegDefrag\registry-defrag-setup.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UR6NCF8C\WebCakesetup[1].exe multiple threats
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\IEHelper.dll a variant of Win32/Toolbar.Babylon.E application
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\Setup.exe a variant of Win32/Toolbar.Babylon.E application
C:\Users\Owner\AppData\Local\Temp\is357113909\DeltaTB.exe a variant of Win32/Toolbar.Babylon.E application
C:\Users\Owner\AppData\Local\Temp\is357113909\dp.exe Win32/DealPly.B application
C:\Users\Owner\AppData\Local\Temp\is357113909\LyricsFinder.exe multiple threats
C:\Users\Owner\AppData\Local\Temp\is357113909\uninstaller.exe a variant of Win32/InstallCore.AZ application
C:\Users\Owner\AppData\Roaming\Zip Opener Packages\uninstaller.exe a variant of Win32/InstallCore.AZ application
Tom N
Regular Member
 
Posts: 19
Joined: June 12th, 2013, 10:57 pm
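A quick way to read an ESET list like the one above is to separate what ESET calls a file from where it sits: hits under Temp and Temporary Internet Files are cached installers and dropper residue, a hit under AppData\Roaming is something already unpacked into the profile, and the Bundled.Toolbar.Ask hits under C:\Current Build Software are the poster's own kept setup files, which bring the toolbar offer back if they are ever re-run. The Python below is an added example for this page, not ESET's tooling or anything from the thread; the sample lines are copied from the ESET output above, and the three location classes are this example's own heuristic.

```python
import re
from collections import Counter
from typing import Dict, List

# Sample lines copied from the ESET output posted above. The grouping into
# "transient", "installed" and "kept_download" is this example's own heuristic,
# not anything ESET reports.
SAMPLE_ESET = r"""C:\Current Build Software\02_AuslogicRegClnr\registry-cleaner-setup.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UR6NCF8C\WebCakesetup[1].exe multiple threats
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\IEHelper.dll a variant of Win32/Toolbar.Babylon.E application
C:\Users\Owner\AppData\Local\Temp\is357113909\dp.exe Win32/DealPly.B application
C:\Users\Owner\AppData\Roaming\Zip Opener Packages\uninstaller.exe a variant of Win32/InstallCore.AZ application
"""

# Path first, then the verdict. Paths contain spaces, so the verdict is recognised by
# its fixed vocabulary ("a variant of ...", "Win32/... application", "multiple threats").
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>(?:a variant of )?(?:Win32/\S+ application|multiple threats))$"
)


def family_of(verdict: str) -> str:
    """Reduce 'a variant of Win32/X application' to 'Win32/X'; 'multiple threats' stays as is."""
    if verdict == "multiple threats":
        return verdict
    return verdict.replace("a variant of ", "").replace(" application", "")


def location_class(path: str) -> str:
    p = path.lower()
    if "\\appdata\\local\\temp\\" in p or "\\temporary internet files\\" in p:
        return "transient"      # installer cache / dropper residue: delete outright
    if "\\appdata\\" in p:
        return "installed"      # something already unpacked into the user profile
    return "kept_download"      # a download the user kept; the installer itself bundles adware


def parse_eset(text: str) -> List[Dict[str, str]]:
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, separator line, or anything ESET did not flag
        records.append({
            "path": m.group("path"),
            "verdict": m.group("verdict"),
            "family": family_of(m.group("verdict")),
            "location": location_class(m.group("path")),
        })
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, object]:
    return {
        "by_family": Counter(r["family"] for r in records),
        "by_location": Counter(r["location"] for r in records),
        # Kept installers are the ones worth telling the user about: re-running them
        # reinstalls the bundled toolbar, which is how this kind of thing comes back.
        "kept_downloads": [r["path"] for r in records if r["location"] == "kept_download"],
    }


if __name__ == "__main__":
    for rec in parse_eset(SAMPLE_ESET):
        print(f"{rec['location']:14} {rec['family']:30} {rec['path']}")
    print(summarize(parse_eset(SAMPLE_ESET)))
```

The "installed" class is the one to look at hardest when a fix keeps coming back: a file under AppData\Roaming is typically referenced by a Run key, a scheduled task or a browser extension, so deleting the file alone only removes half of the pair.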

Re: been infiltrated and can't clean out malware

Unread postby Gary R » June 19th, 2013, 4:54 am

OK, let's have another go at getting rid of these remnants.

First

I think the problems we've had running fixes have more likely been caused by your defensive programs rather than your infection, which usually comes out without problem, so ....

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

AVG SafeGuard toolbar
SpywareBlaster 5.0


Reboot your computer after they've both been uninstalled.

Next

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:Files
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\Babylon.dat 
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\MyBabylonTB.exe
C:\Current Build Software\02_AuslogicRegClnr\registry-cleaner-setup.exe
C:\Current Build Software\04_AuslogigDiskDefrag\disk-defrag-setup.exe
C:\Current Build Software\10_Cpuz\cpu-z_1.60-setup-en.exe
C:\Current Build Software\AuslogicRegDefrag\registry-defrag-setup.exe 
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UR6NCF8C\WebCakesetup[1].exe
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\IEHelper.dll
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\Setup.exe
C:\Users\Owner\AppData\Local\Temp\is357113909\DeltaTB.exe 
C:\Users\Owner\AppData\Local\Temp\is357113909\dp.exe
C:\Users\Owner\AppData\Local\Temp\is357113909\LyricsFinder.exe 
C:\Users\Owner\AppData\Local\Temp\is357113909\uninstaller.exe
C:\Users\Owner\AppData\Roaming\Zip Opener Packages\uninstaller.exe
ipconfig /flushdns /c

:Reg
[-HKEY_CURRENT_USER\Software\Trolltech]
[-HKEY_USERS\S-1-5-21-3530627855-2043338132-2572937388-1001\Software\Trolltech]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]

:Commands
[emptytemp]
[resethosts]


  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished, a box will open asking you to open the fix log; click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so; if it does, re-boot your computer. A log will be produced upon re-boot.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: been infiltrated and can't clean out malware

Unread postby Tom N » June 19th, 2013, 10:48 am

I wasn't able to uninstall the AVG program. Windows asks me for permission to modify it but then nothing happens. The spyblaster one was uninstalled fine.

There's still a shortcut on the desktop that prompted all this but I didn't want to delete it until I checked with you. Every time I did it in the past, it would eventually restore it.
------------------------------------------
All processes killed
========== FILES ==========
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\Babylon.dat moved successfully.
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\MyBabylonTB.exe moved successfully.
C:\Current Build Software\02_AuslogicRegClnr\registry-cleaner-setup.exe moved successfully.
C:\Current Build Software\04_AuslogigDiskDefrag\disk-defrag-setup.exe moved successfully.
C:\Current Build Software\10_Cpuz\cpu-z_1.60-setup-en.exe moved successfully.
C:\Current Build Software\AuslogicRegDefrag\registry-defrag-setup.exe moved successfully.
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UR6NCF8C\WebCakesetup[1].exe moved successfully.
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\IEHelper.dll moved successfully.
C:\Users\Owner\AppData\Local\Temp\9E026804-BAB0-7891-BA1E-3845C3ACFA11\Latest\Setup.exe moved successfully.
C:\Users\Owner\AppData\Local\Temp\is357113909\DeltaTB.exe moved successfully.
C:\Users\Owner\AppData\Local\Temp\is357113909\dp.exe moved successfully.
C:\Users\Owner\AppData\Local\Temp\is357113909\LyricsFinder.exe moved successfully.
C:\Users\Owner\AppData\Local\Temp\is357113909\uninstaller.exe moved successfully.
C:\Users\Owner\AppData\Roaming\Zip Opener Packages\uninstaller.exe moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Malware-Virus_stuff\cmd.bat deleted successfully.
C:\Malware-Virus_stuff\cmd.txt deleted successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Trolltech\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-3530627855-2043338132-2572937388-1001\Software\Trolltech\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98889811-442D-49DD-99D7-DC866BE87DBC}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 1260818833 bytes
->Temporary Internet Files folder emptied: 428303368 bytes
->Java cache emptied: 480100 bytes
->Google Chrome cache emptied: 188913138 bytes
->Flash cache emptied: 15703 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 366640543 bytes
RecycleBin emptied: 96166606 bytes

Total Files Cleaned = 2,233.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.69.0 log created on 06192013_072941

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
Tom N
Regular Member
 
Posts: 19
Joined: June 12th, 2013, 10:57 pm
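Gary R's post further up asks for each log to be checked for truncation after posting. One way to do that for an OTL fix is to reconcile the :Files and :Reg entries of the script with the outcome lines in the fix log, so that every scripted item ends up as moved, deleted, not_found, or with no log entry at all (the last case meaning the log was cut off or the fix never reached that item). The Python below is an added example for this page, not OTL's own code; the script and log are constructed in the layout seen in this thread, with placeholder paths and a placeholder CLSID, and the outcome line formats are the ones OTL printed in the logs above.

```python
import re
from typing import Dict, List, Tuple

# Constructed OTL fix script and fix log in the layout used in this thread. The paths and
# the all-zero CLSID are placeholders; the outcomes are chosen so every case appears once
# (the Desktop shortcut deliberately has no outcome line, as in a cut-off log).
SAMPLE_SCRIPT = r""":Files
C:\Users\Owner\AppData\Local\Temp\EXAMPLE\Babylon.dat
C:\Users\Owner\AppData\Local\Temp\EXAMPLE\Setup.exe
C:\Users\Owner\Desktop\example-shortcut.lnk
ipconfig /flushdns /c

:Reg
[-HKEY_CURRENT_USER\Software\Trolltech]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{00000000-0000-0000-0000-000000000000}]

:Commands
[emptytemp]
"""

SAMPLE_LOG = r"""All processes killed
========== FILES ==========
C:\Users\Owner\AppData\Local\Temp\EXAMPLE\Babylon.dat moved successfully.
File C:\Users\Owner\AppData\Local\Temp\EXAMPLE\Setup.exe not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Trolltech\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{00000000-0000-0000-0000-000000000000}\ not found.
========== COMMANDS ==========
"""

DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
REG_DELETE_RE = re.compile(r"^\[-(HKEY_[^\]]+)\]$")

# Outcome lines OTL writes, in the forms seen in the logs in this thread.
LOG_PATTERNS = [
    (re.compile(r"^Registry key (.+?)\\ deleted successfully\.$"), "deleted"),
    (re.compile(r"^Registry key (.+?)\\ not found\.$"), "not_found"),
    (re.compile(r"^File (.+?) not found\.$"), "not_found"),
    (re.compile(r"^(.+?)(?: folder)? moved successfully\.$"), "moved"),
]


def norm(item: str) -> str:
    """Case-insensitive, trailing-backslash-insensitive key for matching script to log."""
    return item.strip().rstrip("\\").lower()


def parse_script(text: str) -> Tuple[List[str], List[str]]:
    """Return (file paths, registry keys) the script asked OTL to act on."""
    section = None
    files: List[str] = []
    keys: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()  # the script in the thread has trailing spaces on some lines
        if not line:
            continue
        if line.startswith(":"):
            section = line[1:].lower()
            continue
        if section == "files" and DRIVE_PATH_RE.match(line):
            files.append(line)  # embedded commands such as "ipconfig /flushdns /c" are skipped
        elif section == "reg":
            m = REG_DELETE_RE.match(line)
            if m:
                keys.append(m.group(1))
    return files, keys


def parse_log(text: str) -> Dict[str, str]:
    """Map each normalised path / key mentioned in the fix log to its outcome."""
    outcomes: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, status in LOG_PATTERNS:
            m = pattern.match(line)
            if m:
                outcomes[norm(m.group(1))] = status
                break
    return outcomes


def reconcile(script_text: str, log_text: str) -> Dict[str, str]:
    """For every scripted item, report moved / deleted / not_found / no_log_entry."""
    files, keys = parse_script(script_text)
    outcomes = parse_log(log_text)
    return {item: outcomes.get(norm(item), "no_log_entry") for item in files + keys}


def unresolved(report: Dict[str, str]) -> List[str]:
    """Items with no outcome line at all: the log was cut off, or the fix never ran for them."""
    return [item for item, status in report.items() if status == "no_log_entry"]


if __name__ == "__main__":
    rep = reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)
    for item, status in rep.items():
        print(f"{status:13} {item}")
    print("unresolved:", unresolved(rep))
```

A not_found outcome is not a failure: as in the log above, where the Extension Compatibility keys were deleted but the matching CLSID keys were reported not found, it usually means an earlier tool already removed the item or the entry never existed on this machine.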

Re: been infiltrated and can't clean out malware

Unread postby Gary R » June 19th, 2013, 10:58 am

No worries about AVG, OTL appears to have been successful in removing the items we scripted.

If you have a shortcut on your Desktop, right click it, and select Delete. Let me know if it won't go.

Is your computer working OK now? If it is, then let me know. If not, then tell me what problems you're still experiencing.

We still need to clear out the programs we've been using to clean your machine, but I'll wait to hear back from you before I give you details of how to do that.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: been infiltrated and can't clean out malware

Unread postby Tom N » June 19th, 2013, 12:12 pm

So far so good. The shortcut hasn't come back...yet.

I am not able to remove a Norton scanner product that was loaded when I was trying different things.

After we finish the housekeeping aspect if you don't mind, could you tell me what you recommend for good protection products that will offer the 'best bang for the buck' so to speak?
Some of the products/suites I've had in the past seem overly cumbersome and bog things down to the point that I turned off some stuff and hence, here we are.

Any other info/tips you're willing to put forward would be appreciated.
Tom N
Regular Member
 
Posts: 19
Joined: June 12th, 2013, 10:57 pm

Re: been infiltrated and can't clean out malware

Unread postby Gary R » June 19th, 2013, 12:40 pm

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:OTL
[2013/06/10 21:51:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security Scan
[2013/06/10 21:51:38 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Security Scan
[2013/06/10 21:51:38 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NSS\0400010.010
[2013/06/10 20:38:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2013/06/10 20:38:17 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2013/06/10 20:38:16 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2013/06/10 21:52:34 | 000,001,137 | ---- | M] () -- C:\Users\Public\Desktop\Norton Security Scan.LNK

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished, a box will open asking you to open the fix log; click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so; if it does, re-boot your computer. A log will be produced upon re-boot.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: been infiltrated and can't clean out malware

Unread postby Tom N » June 19th, 2013, 1:26 pm

========== OTL ==========
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security Scan folder moved successfully.
C:\Program Files\Norton Security Scan\Engine\4.0.1.16 folder moved successfully.
C:\Program Files\Norton Security Scan\Engine folder moved successfully.
C:\Program Files\Norton Security Scan folder moved successfully.
C:\Windows\System32\drivers\NSS\0400010.010 folder moved successfully.
C:\ProgramData\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS_4.0.1.16\Temp folder moved successfully.
C:\ProgramData\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS_4.0.1.16\itbLUReg folder moved successfully.
C:\ProgramData\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS_4.0.1.16\diMaster folder moved successfully.
C:\ProgramData\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS_4.0.1.16\Connections folder moved successfully.
C:\ProgramData\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS_4.0.1.16 folder moved successfully.
C:\ProgramData\Norton\{397E31AA-0D78-4649-A01C-339D73A2ED35} folder moved successfully.
C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963} folder moved successfully.
C:\ProgramData\Norton folder moved successfully.
C:\Program Files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\_lck folder moved successfully.
C:\Program Files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.0.1.16\Images folder moved successfully.
C:\Program Files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.0.1.16\09\01 folder moved successfully.
C:\Program Files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.0.1.16\09 folder moved successfully.
C:\Program Files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\4.0.1.16 folder moved successfully.
C:\Program Files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType folder moved successfully.
C:\Program Files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS folder moved successfully.
C:\Program Files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35} folder moved successfully.
C:\Program Files\NortonInstaller\_lck folder moved successfully.
C:\Program Files\NortonInstaller folder moved successfully.
C:\ProgramData\NortonInstaller\Settings folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\2013-06-19-08h08m13s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\2013-06-19-08h06m59s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\2013-06-12-15h59m34s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\2013-06-12-15h54m28s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\2013-06-12-15h53m25s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\2013-06-12-14h38m28s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\2013-06-10-21h51m36s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\2013-06-10-21h42m07s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\2013-06-10-20h38m16s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs folder moved successfully.
C:\ProgramData\NortonInstaller folder moved successfully.
File C:\Users\Public\Desktop\Norton Security Scan.LNK not found.

OTL by OldTimer - Version 3.2.69.0 log created on 06192013_102511
Tom N
Regular Member
 
Posts: 19
Joined: June 12th, 2013, 10:57 pm

Re: been infiltrated and can't clean out malware

Unread postby Gary R » June 19th, 2013, 3:29 pm

OK, that should have got rid of the Norton program for you; if it hasn't, please let me know.

Assuming it has, and assuming you don't have any more issues to deal with, then it's time to clear out the tools we've been using to clean your computer.

First

Let's clear out OTL and the files and folders it created. This will also remove SystemLook and TDSSKiller.
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

Next

Please delete the following ....

ADWCleaner.exe
C:\AdwCleaner[R1].txt
C:\AdwCleaner[s1].txt
FRST.exe
FRST.txt
Addition.txt
Fixlog.txt


Next

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

Tweaking.com Registry Backup


As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems?
  • If you are, let me know about them.
  • If not, it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire