PDA

View Full Version : Strange voices from speakers, frequent 'Malicious URL Blocked' messages from Avast!


hstumpf
2013-07-10, 02:49
My PC started acting very strange a week or two ago. Occasionally strange voices come from the speakers. Sometimes they sound like ads, other times they seem random. They even come from the speakers while the PC is shutting down, after the user is logged off. Also, Avast! Free AV pops up red messages all the time saying 'Malicious URL Blocked'. The message always says the the process is C:\System32\svchost.exe. Also, CPU usage is up to 100% most of the time in Task Manager. Again, the culprit is always one of the several svchost processes running. A partial sample URL that is blocked is 'http://...check.php?tim=1373413030.2...'. I have Windows Home Server creating periodic backups, and the only thing I tried to fix the problem was to restore a backup from about a week ago. That didn't solve the problem

Here are the two logs.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16611 BrowserJavaVersion: 10.25.2
Run by Mary at 19:00:12 on 2013-07-09
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Home Server\esClient.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files\Common Files\Raxco\Shared\PDEngine.exe
C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\MDM.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: BrowserHelper Class: {9A065C65-4EE7-4DDD-9918-F129089A894A} - c:\program files\windows home server\WHSDeskBands.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Home Server Banner: {D73E76A3-F902-45BD-8FC8-95AE8E014671} - c:\program files\windows home server\WHSDeskBands.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: LocalAccountTokenFilterPolicy = dword:1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{0ACFF909-4D89-4317-B1F5-62BCCE4E8641} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\mary\appdata\roaming\mozilla\firefox\profiles\dg8b26c6.default\
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\Npindeo.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-07-07 20:51; http://forums.spybot.info/misc.php?do=email_dev&email=d3JjQGF2YXN0LmNvbQ==; c:\progra~1\avasts~1\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? getbus;getbus
R? RdpVideoMiniport;Remote Desktop Video Miniport Driver
R? SkypeUpdate;Skype Updater
R? TsUsbFlt;TsUsbFlt
R? TsUsbGD;Remote Desktop Generic USB Device
R? WatAdminSvc;Windows Activation Technologies Service
R? wlcrasvc;Windows Live Mesh remote connections service
R? WMSVC;Web Management Service
S? arXfrSvc;Windows Media Center TV Archive Transfer Service
S? aswFsBlk;aswFsBlk
S? aswMonFlt;aswMonFlt
S? aswRvrt;aswRvrt
S? aswSnx;aswSnx
S? aswSP;aswSP
S? aswVmm;aswVmm
S? avast! Antivirus;avast! Antivirus
S? esClient;Windows Media Center Client Service
S? FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver
S? HPMSSConnectorSvc;HPMSSConnectorService
S? MediaCollectorService;MediaCollectorService
S? PDFSFilter;PDFSFilter
S? SDScannerService;Spybot-S&D 2 Scanner Service
S? SDUpdateService;Spybot-S&D 2 Updating Service
S? SDWSCService;Spybot-S&D 2 Security Center Service
S? WHSConnector;Windows Home Server Connector Service
.
=============== Created Last 30 ================
.
2013-07-09 22:15:10 -------- d-----w- c:\users\mary\appdata\local\{146F2547-B211-4286-81BC-838319073E7F}
2013-07-09 12:43:13 60872 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{6d26d81c-d83d-45e6-9935-8c52690e3ec6}\offreg.dll
2013-07-09 10:16:14 7068072 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{6d26d81c-d83d-45e6-9935-8c52690e3ec6}\mpengine.dll
2013-07-09 10:14:01 -------- d-----w- c:\users\mary\appdata\local\{21FCE9B9-73CD-46B6-A2FD-88C8311FA141}
2013-07-08 22:13:02 -------- d-----w- c:\users\mary\appdata\local\{38E9DC84-551D-4E4A-8606-2D5CAD75DD9C}
2013-07-08 10:12:24 -------- d-----w- c:\users\mary\appdata\local\{436762B8-F551-40AC-BF03-7BFE58DFF367}
2013-07-08 01:11:16 -------- d-----w- c:\users\mary\appdata\roaming\Windows Home Server
2013-07-08 01:00:30 61680 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-07-08 01:00:25 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-07-08 01:00:17 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-07-08 01:00:14 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-07-08 01:00:06 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-07-08 00:36:45 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-07-08 00:36:40 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-08 00:34:38 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-07 18:10:36 -------- d-----w- c:\users\mary\appdata\local\{234DE1E8-5FD3-4108-9115-A56201ADEC25}
2013-07-07 15:32:01 41664 ----a-w- c:\windows\avastSS.scr
2013-07-07 15:31:02 -------- d-----w- c:\program files\AVAST Software
2013-07-07 15:20:25 -------- d-----w- c:\programdata\AVAST Software
2013-07-03 00:56:44 -------- d-----w- c:\users\mary\appdata\local\{D576B55C-58E8-4027-8B56-09D56FE856C5}
2013-07-02 12:56:32 -------- d-----w- c:\users\mary\appdata\local\{3855B8F8-4E2E-4C51-8306-E5571D4BE293}
2013-07-02 00:56:04 -------- d-----w- c:\users\mary\appdata\local\{812FE831-99E3-4F63-8911-750F4AF213A0}
2013-07-01 21:58:31 -------- d-----w- c:\users\mary\appdata\local\Macromedia
2013-07-01 12:55:49 -------- d-----w- c:\users\mary\appdata\local\{C389991A-1BCE-4AD9-B2C1-E3CE3CBCA256}
2013-07-01 00:55:11 -------- d-----w- c:\users\mary\appdata\local\{198382B1-F01C-426B-A926-3BA1C275A670}
2013-06-30 12:52:15 -------- d-----w- c:\users\mary\appdata\local\{425EC9DD-9EBC-4D47-BE00-0EC96F614553}
2013-06-30 00:51:46 -------- d-----w- c:\users\mary\appdata\local\{1125EA97-F162-4374-9F88-8CB649968347}
2013-06-29 12:51:21 -------- d-----w- c:\users\mary\appdata\local\{8A80A831-9892-4CD2-8F12-C2BF1972C7E5}
2013-06-29 00:50:56 -------- d-----w- c:\users\mary\appdata\local\{B3A2FC70-91A7-46A1-87BF-2AA1252DABFF}
2013-06-28 12:50:44 -------- d-----w- c:\users\mary\appdata\local\{79A4B26C-FF75-48E8-9B6E-7D31003C7F43}
2013-06-28 00:50:17 -------- d-----w- c:\users\mary\appdata\local\{0595ED40-E88B-4AFA-A26F-A8C981A62F22}
2013-06-27 12:50:05 -------- d-----w- c:\users\mary\appdata\local\{7ACD872F-2692-404D-B097-47D743D489D5}
2013-06-27 00:49:40 -------- d-----w- c:\users\mary\appdata\local\{A40A0150-237B-4475-9AB8-7AC793015CC1}
2013-06-26 12:49:28 -------- d-----w- c:\users\mary\appdata\local\{F62183F1-40BA-431F-84C3-02FF705E5E9A}
2013-06-26 00:49:01 -------- d-----w- c:\users\mary\appdata\local\{1ABB8B73-4E5F-4F5E-948D-70365535A608}
2013-06-25 12:48:36 -------- d-----w- c:\users\mary\appdata\local\{896364A8-7BC8-437A-AFB6-E71DAD196DA9}
2013-06-25 00:47:58 -------- d-----w- c:\users\mary\appdata\local\{87345A2F-033D-40C2-9792-A5175F2DD28F}
2013-06-24 12:47:45 -------- d-----w- c:\users\mary\appdata\local\{BB7F6E76-15C7-47B0-A4AE-3AE14DB06CB9}
2013-06-24 00:45:57 -------- d-----w- c:\users\mary\appdata\local\{D9EE6A53-720B-4C81-973D-233C65660A60}
2013-06-21 00:57:23 -------- d-----w- c:\users\mary\appdata\local\{C62B65C5-3562-4B30-864E-AB20CB4A248C}
2013-06-20 12:57:10 -------- d-----w- c:\users\mary\appdata\local\{8CA0D75F-4CA4-444A-BE5C-61483E80D57F}
2013-06-20 00:56:44 -------- d-----w- c:\users\mary\appdata\local\{7E8655C5-C2E9-4D06-96DF-429D183D5EB9}
2013-06-19 12:56:32 -------- d-----w- c:\users\mary\appdata\local\{32AA10D3-C0A6-4243-8DD3-C15AF2E02C3E}
2013-06-19 00:56:06 -------- d-----w- c:\users\mary\appdata\local\{4543B1ED-C42E-4110-935B-EB2D758B8FDC}
2013-06-18 12:55:54 -------- d-----w- c:\users\mary\appdata\local\{0254564D-CF08-4EA0-9BEC-04E079AC3830}
2013-06-18 00:55:27 -------- d-----w- c:\users\mary\appdata\local\{71A525AB-B5B7-4B47-9153-4183E47D3970}
2013-06-17 12:55:15 -------- d-----w- c:\users\mary\appdata\local\{82C2F687-5F48-4E08-8C26-67035650FD39}
2013-06-17 00:54:50 -------- d-----w- c:\users\mary\appdata\local\{F5F55885-BB7F-42DA-977D-E986A522EF84}
2013-06-16 12:54:37 -------- d-----w- c:\users\mary\appdata\local\{552B9C6E-1215-4577-B204-159617AA0650}
2013-06-16 00:54:03 -------- d-----w- c:\users\mary\appdata\local\{7EDE00D3-814E-4FF2-BC84-155DCCA66DE8}
2013-06-15 12:53:51 -------- d-----w- c:\users\mary\appdata\local\{7EC5352A-A4FA-400A-BFEF-CB031D385A91}
2013-06-15 00:53:26 -------- d-----w- c:\users\mary\appdata\local\{BCCFFCBD-20A2-44F7-9AA7-74C87339D73F}
2013-06-14 12:53:14 -------- d-----w- c:\users\mary\appdata\local\{8A7CCE35-82AB-4CC7-9843-3D75EA948A49}
2013-06-14 00:52:48 -------- d-----w- c:\users\mary\appdata\local\{5470458C-A491-44A6-A89A-13C8EC14E28F}
2013-06-13 12:52:36 -------- d-----w- c:\users\mary\appdata\local\{812A789E-E52A-49CF-AEA6-19679FE0A635}
2013-06-13 03:19:00 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-06-13 03:18:59 218112 ----a-w- c:\program files\internet explorer\sqmapi.dll
2013-06-13 00:52:11 -------- d-----w- c:\users\mary\appdata\local\{08CE2DA3-C873-4C88-BFEE-A19DE0AC2052}
2013-06-12 16:44:30 1505280 ----a-w- c:\windows\system32\d3d11.dll
2013-06-12 16:44:24 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-12 16:44:19 492544 ----a-w- c:\windows\system32\win32spl.dll
2013-06-12 16:44:17 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-06-12 16:44:16 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-12 16:44:14 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-06-12 16:44:09 903168 ----a-w- c:\windows\system32\certutil.exe
2013-06-12 16:44:08 1160192 ----a-w- c:\windows\system32\crypt32.dll
2013-06-12 16:44:08 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-12 16:44:07 43008 ----a-w- c:\windows\system32\certenc.dll
2013-06-12 16:44:07 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 16:44:00 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-12 12:51:59 -------- d-----w- c:\users\mary\appdata\local\{246BC40C-67CE-4448-9AA9-5663D474A1F6}
2013-06-12 00:51:15 -------- d-----w- c:\users\mary\appdata\local\{1F3BB7E8-43DD-444E-9FE1-C6B53037257F}
2013-06-11 12:51:03 -------- d-----w- c:\users\mary\appdata\local\{52190430-48A0-422C-9456-12C7021AE147}
2013-06-11 00:50:37 -------- d-----w- c:\users\mary\appdata\local\{D7715B9F-C674-49AF-8B3F-CCD545AFD21E}
2013-06-10 12:50:25 -------- d-----w- c:\users\mary\appdata\local\{2E697CFA-8ECF-457C-87C8-82628DD2449B}
2013-06-10 00:50:00 -------- d-----w- c:\users\mary\appdata\local\{F14869AC-F436-4DC8-A7DE-2B96806CBF35}
.
==================== Find3M ====================
.
2013-07-01 21:58:07 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-01 21:58:07 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-17 01:25:57 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-05-17 01:25:27 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-05-17 01:25:26 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-05-17 01:25:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-05-14 08:40:13 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-05-02 06:06:08 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-13 04:45:16 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45:29 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
============= FINISH: 19:14:21.42 ===============


aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-07-09 19:19:37
-----------------------------
19:19:37.062 OS Version: Windows 6.1.7601 Service Pack 1
19:19:37.062 Number of processors: 1 586 0x2C00
19:19:37.087 ComputerName: SEABISCUIT UserName: Mary
19:19:41.367 Initialze error 0
19:19:44.590 AVAST engine defs: 13070902
19:20:36.467 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
19:20:36.497 Disk 0 Vendor: WDC_WD800JD-00LSA0 06.01D06 Size: 76319MB BusType: 3
19:20:36.525 Device \Driver\atapi -> MajorFunction 8613dc10
19:20:36.562 Disk 0 MBR read successfully
19:20:36.588 Disk 0 MBR scan
19:20:36.665 Disk 0 Windows 7 default MBR code
19:20:36.714 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76316 MB offset 63
19:20:36.787 Disk 0 scanning sectors +156296385
19:20:36.841 Disk 0 scanning C:\Windows\system32\drivers
19:20:36.853 Service scanning
19:20:38.594 Modules scanning
19:21:00.384 Disk 0 trace - called modules:
19:21:02.262 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8613dc10]<<
19:21:04.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85de2460]
19:21:04.230 3 CLASSPNP.SYS[88d9459e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85935908]
19:21:04.605 \Driver\atapi[0x85f4c1a0] -> IRP_MJ_CREATE -> 0x8613dc10
19:21:05.495 AVAST engine scan C:\Windows
19:21:06.321 AVAST engine scan C:\Windows\system32
19:21:09.378 AVAST engine scan C:\Windows\system32\drivers
19:21:10.194 AVAST engine scan C:\Users\Mary
19:21:10.715 AVAST engine scan C:\ProgramData
19:21:10.733 Scan finished successfully
19:22:47.128 Disk 0 MBR has been saved successfully to "C:\Users\Mary\Desktop\MBR.dat"
19:22:47.147 The log file has been saved successfully to "C:\Users\Mary\Desktop\aswMBR.txt"


Please help. Thanks, Harry

10815
ken545
2013-07-16, 02:53
:welcome:

There may be a rootkit underfoot

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)
hstumpf
2013-07-16, 04:23
[ATTACH]10829[/ATTACH

]Ken, I ran the scan and it found one serious threat. Then I rebooted and the PC ran the Microsoft Malware Removal program, then ran the TDSS Killer scan again. I had to zip the logs for the two scans and attach the zip file. They were too long to paste into the posting.

Thanks for your help. Harry
ken545
2013-07-16, 10:55
Good Morning Harry,

That was a serious threat. Have the sounds from the speakers stopped ?

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
hstumpf
2013-07-17, 07:44
Ken,

The threat that I removed with TDSS Killer made the PC run much better. And the strange voices are no longer coming from the speakers. Thanks!

I ran Combo Fix. I first disabled Avast! but that wasn't enough to get it to run. I had to disable three Spybot services first. Combo Fix didn't install the Microsoft Recovery Console. That surprised me -- I didn't think that it was already installed.

Here's the log from Combo Fix.

ComboFix 13-07-15.01 - Mary 07/17/2013 0:08.1.1 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2014.1159 [GMT -4:00]
Running from: c:\users\Mary\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Spybot - Search and Destroy *Disabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-06-17 to 2013-07-17 )))))))))))))))))))))))))))))))
.
.
2013-07-17 04:27 . 2013-07-17 04:27 -------- d-----w- c:\users\Mary\AppData\Local\temp
2013-07-16 10:00 . 2013-07-17 04:12 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{942A8DE7-C713-49AA-ADDB-E691D6C0CF2E}\offreg.dll
2013-07-16 09:27 . 2013-07-02 06:54 7143960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{942A8DE7-C713-49AA-ADDB-E691D6C0CF2E}\mpengine.dll
2013-07-16 00:55 . 2013-07-16 00:55 -------- d-----w- C:\TDSSKiller_Quarantine
2013-07-12 12:24 . 2013-06-11 23:43 817664 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-07-12 12:24 . 2013-06-11 23:43 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-07-12 12:24 . 2013-06-12 00:23 770648 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2013-07-11 20:37 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\system32\DWrite.dll
2013-07-11 20:37 . 2013-05-06 04:56 1620480 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-11 20:37 . 2013-06-04 04:53 509440 ----a-w- c:\windows\system32\qedit.dll
2013-07-11 20:37 . 2013-06-05 03:05 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-07-11 20:37 . 2013-04-10 05:03 936448 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 20:37 . 2013-04-10 05:03 988672 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2013-07-11 20:37 . 2013-04-10 05:03 969216 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-07-11 20:36 . 2013-04-10 05:04 1221632 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2013-07-11 20:36 . 2013-05-27 04:57 680960 ----a-w- c:\program files\Windows Defender\MpSvc.dll
2013-07-11 20:36 . 2013-05-27 04:57 392704 ----a-w- c:\program files\Windows Defender\MpClient.dll
2013-07-11 20:36 . 2013-05-27 04:57 224768 ----a-w- c:\program files\Windows Defender\MpCommu.dll
2013-07-09 22:51 . 2013-07-09 22:51 -------- d-----w- c:\program files\ERUNT
2013-07-08 01:11 . 2013-07-08 01:11 -------- d-----w- c:\users\Mary\AppData\Roaming\Windows Home Server
2013-07-08 01:00 . 2013-05-09 08:59 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-07-08 01:00 . 2013-07-08 01:01 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-07-08 01:00 . 2013-05-09 08:59 61680 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-07-08 01:00 . 2013-05-09 08:59 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-07-08 01:00 . 2013-07-08 01:01 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-07-08 01:00 . 2013-07-08 01:01 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-07-08 01:00 . 2013-05-09 08:59 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-07-08 01:00 . 2013-05-09 08:59 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-07-08 00:59 . 2013-05-09 08:58 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-07-08 00:36 . 2013-07-08 00:23 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-07-08 00:36 . 2013-07-08 00:23 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-08 00:34 . 2013-07-08 00:25 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-07 23:54 . 2013-07-07 23:54 -------- d-----w- c:\programdata\McAfee
2013-07-07 19:09 . 2013-07-07 19:09 -------- d-----w- c:\windows\Sun
2013-07-07 15:32 . 2013-05-09 08:58 41664 ----a-w- c:\windows\avastSS.scr
2013-07-07 15:31 . 2013-07-07 15:31 -------- d-----w- c:\program files\AVAST Software
2013-07-07 15:20 . 2013-07-08 00:33 -------- d-----w- c:\programdata\AVAST Software
2013-07-01 21:58 . 2013-07-01 21:58 -------- d-----w- c:\users\Mary\AppData\Local\Macromedia
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-01 21:58 . 2013-05-07 21:11 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-01 21:58 . 2013-05-07 21:11 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-13 10:32 . 2011-03-28 22:36 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-13 04:45 . 2013-06-12 16:44 1160192 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 04:45 . 2013-06-12 16:44 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 04:45 . 2013-06-12 16:44 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 03:08 . 2013-06-12 16:44 903168 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-12 16:44 43008 ----a-w- c:\windows\system32\certenc.dll
2013-05-10 03:20 . 2013-06-12 16:44 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-05-08 05:38 . 2013-06-12 16:44 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-05-06 05:06 . 2013-06-12 16:44 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-06 05:06 . 2013-06-12 16:44 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-05-02 06:06 . 2011-02-22 17:52 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-26 04:55 . 2013-06-12 16:44 492544 ----a-w- c:\windows\system32\win32spl.dll
2013-04-25 23:30 . 2013-06-12 16:44 1505280 ----a-w- c:\windows\system32\d3d11.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2008-09-10 604704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
.
c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
"LocalAccountTokenFilterPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-01-08 161536]
R3 getbus;getbus;c:\users\hstumpf\AppData\Local\Temp\getbus.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 27136]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-03-25 1343400]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2009-07-14 9728]
R4 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-11-13 1103392]
R4 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-11-13 1369624]
R4 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-11-13 168384]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 aswRvrt;aswRvrt; [x]
S0 aswVmm;aswVmm; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2011-01-10 239472]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-05-09 66336]
S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [2011-01-10 97136]
S2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [2009-10-05 20992]
S2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [2009-10-05 81920]
S2 PDFSFilter;PDFSFilter;c:\windows\system32\DRIVERS\PDFsFilter.sys [2012-08-23 69016]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [2011-01-10 376688]
S3 FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver;c:\windows\system32\DRIVERS\fetnd6v.sys [2008-12-04 43520]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - tifsfilter
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-07 21:58]
.
2013-03-23 c:\windows\Tasks\User_Feed_Synchronization-{424FA5FE-1452-4209-8E99-6E15185E9311}.job
- c:\windows\system32\msfeedssync.exe [2013-03-25 18:22]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\dg8b26c6.default\
FF - ExtSQL: 2013-07-07 20:51; wrc@avast.com; c:\progra~1\AVASTS~1\Avast\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe
Notify-SDWinLogon - SDWinLogon.dll
SafeBoot-64694629.sys
AddRemove-Microsoft Visual Studio 2005 Standard Edition - ENU - c:\program files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Standard Edition - ENU\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{D73E76A3-F902-45BD-8FC8-95AE8E014671}"=hex:51,66,7a,6c,4c,1d,38,12,cd,75,2d,
d3,30,b7,d3,00,f0,de,d6,ee,8b,5f,02,65
"{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}"=hex:51,66,7a,6c,4c,1d,38,12,3a,25,4d,
8a,1f,e3,d1,0d,d3,3b,92,3f,05,d7,c9,12
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{9A065C65-4EE7-4DDD-9918-F129089A894A}"=hex:51,66,7a,6c,4c,1d,38,12,0b,5f,15,
9e,d5,00,b3,08,e6,0e,b2,69,0d,c4,cd,5e
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{C1B5F1C3-6B6A-4890-A0CB-EAF0DF160E69}"=hex:51,66,7a,6c,4c,1d,38,12,ad,f2,a6,
c5,58,25,fe,0d,df,dd,a9,b0,da,48,4a,7d
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:94,2e,fe,77,4e,7f,ce,01
.
[HKEY_USERS\S-1-5-21-3845936323-2724631369-1939821654-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (S-1-5-21-3845936323-2724631369-1939821654-1002)
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3845936323-2724631369-1939821654-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-3845936323-2724631369-1939821654-1002)
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-07-17 00:31:24
ComboFix-quarantined-files.txt 2013-07-17 04:31
.
Pre-Run: 9,421,250,560 bytes free
Post-Run: 11,196,891,136 bytes free
.
- - End Of File - - 7C253D412A24A2BD1BA00C4AABA612FF
A36C5E4F47E84449FF07ED3517B43A31

Regards, Harry
ken545
2013-07-17, 11:33
Good Morning Harry,

You where infected with the TDSS Rootkit , what this rootkit did was infect the Master Boot Record on your hard drive so everytime you booted your computer up the infection became active, but looks likes its gone now :)

Most newer computers have a Recovery Console , when Combofix runs it first checks to make sure one is present and if not prompts you to install it.


Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.

Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan as shown below.

http://i1224.photobucket.com/albums/ee380/jeffce74/MBAM-2.jpg

When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
hstumpf
2013-07-19, 11:47
Ken,

I read about the TDSS Rootkit on the Internet. Scary stuff. Thanks for helping me remove it.

My PC is old. It started out with Windows XP, was upgraded to Windows Vista, then to Windows 7. It was hardly used until the Windows 7 upgrade.

I ran Malwarebytes Anti-Malware and it found no threats. Here's the log.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.19.03

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16635
Mary :: SEABISCUIT [administrator]

7/19/2013 4:17:11 AM
mbam-log-2013-07-19 (04-17-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra |

Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 313621
Time elapsed: 19 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Thanks again, Harry
ken545
2013-07-19, 12:21
:bigthumb:

Everything running ok ?
hstumpf
2013-07-19, 15:04
Everything is running just fine.

I'm going to go through the 'So how did I get infected in the first place?' thread and apply as many of the suggestions as I can (to all of my PCs, not just this one). Also, I'll make sure that people log on with administrator privileges only rarely.

Thanks for all the help you've given me. I might have never found the problem without your help.

:D: Harry :D:
ken545
2013-07-19, 15:23
Harry. Thats great. I am at work and on my phone. I will post some info for you a bit later
ken545
2013-07-19, 23:29
Hello Harry,

Been retired for about 3 months but my company wont let me go, they asked me to work all this week :lip:

Nice people so in reality I really don't mind. :)


Been a pleasure working with you and glad things are back to normal, here are instructions to update your Java (Very important ) you should check for new versions at least once a month and then uninstall any previous versions.


Update your Java to keep you more secure

Go to your Control Panel and click on the Java Icon ( looks like a little coffee cup ) click on About and you should have Version 7 Update 25, if not proceed with the instructions.

Go to the update Tab and update it
Important, during the upgrade UNCHECK ASK TOOL BAR. ( you do not need or want this )

Then go to your Add Remove Programs (WIN XP) or Programs and Features (Vista / Win 7) in the Control Panel and uninstall all previous versions.


You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)





Harry, let me take one final look to make sure nothing was missed

OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
hstumpf
2013-07-20, 20:06
Ken,

Congrats on your retirement. :crowned: I'm old enough to retire, but don't plan to do so for another five years or so. And since they keep making you work, I'm glad you don't mind. :bigthumb:

I ran OTL and have attached the logs in a zip file. Then I checked Java and had the latest version. I uninstalled four old versions (all from Sun Microsystems).

10833

Harry

OTL logfile created on: 7/20/2013 11:31:35 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Mary\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16635)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.97 Gb Total Physical Memory | 1.32 Gb Available Physical Memory | 66.87% Memory free
3.93 Gb Paging File | 3.05 Gb Available in Paging File | 77.56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 9.48 Gb Free Space | 12.72% Space Free | Partition Type: NTFS

Computer Name: SEABISCUIT | User Name: Mary | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Mary\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe (Raxco Software, Inc.)
PRC - C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe (Raxco Software, Inc.)
PRC - C:\Program Files\Common Files\Raxco\Shared\PDEngine.exe (Raxco Software, Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Home Server\WHSConnector.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Home Server\esClient.exe (Microsoft Corporation)
PRC - C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe (HP)
PRC - c:\Program Files\Windows Defender\MpCmdRun.exe (Microsoft Corporation)
PRC - C:\Windows\System32\inetsrv\inetinfo.exe (Microsoft Corporation)
PRC - C:\Windows\SOUNDMAN.EXE (Realtek Semiconductor Corp.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl ()
MOD - C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl ()
MOD - C:\Program Files\Spybot - Search & Destroy 2\VirtualTreesDXE150.bpl ()
MOD - C:\Program Files\Spybot - Search & Destroy 2\JSDialogPack150.bpl ()
MOD - C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl ()


========== Services (SafeList) ==========

SRV - (SDWSCService) -- C:\Program Files\Spybot File not found
SRV - (SDUpdateService) -- C:\Program Files\Spybot File not found
SRV - (SDScannerService) -- C:\Program Files\Spybot File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (PDAgent) -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe (Raxco Software, Inc.)
SRV - (PDEngine) -- C:\Program Files\Common Files\Raxco\Shared\PDEngine.exe (Raxco Software, Inc.)
SRV - (arXfrSvc) -- C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe (Microsoft Corporation)
SRV - (WHSConnector) -- C:\Program Files\Windows Home Server\WHSConnector.exe (Microsoft Corporation)
SRV - (esClient) -- C:\Program Files\Windows Home Server\esClient.exe (Microsoft Corporation)
SRV - (WAS) -- C:\Windows\System32\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (W3SVC) -- C:\Windows\System32\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (AppHostSvc) -- C:\Windows\System32\inetsrv\apphostsvc.dll (Microsoft Corporation)
SRV - (MediaCollectorService) -- C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe (Hewlett-Packard Company)
SRV - (HPMSSConnectorSvc) -- C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe (HP)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (WMSVC) -- C:\Windows\System32\inetsrv\WMSvc.exe (Microsoft Corporation)
SRV - (IISADMIN) -- C:\Windows\System32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (LVSrvLauncher) -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe (Logitech Inc.)


========== Driver Services (SafeList) ==========

DRV - (LVMVDrv) -- system32\DRIVERS\LVMVDrv.sys File not found
DRV - (Lvckap) -- system32\DRIVERS\LVcKap.sys File not found
DRV - (getbus) -- C:\Users\hstumpf\AppData\Local\Temp\getbus.sys File not found
DRV - (catchme) -- C:\Users\Mary\AppData\Local\Temp\catchme.sys File not found
DRV - (aswVmm) -- C:\Windows\System32\drivers\aswVmm.sys ()
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr2.sys (AVAST Software)
DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswRvrt) -- C:\Windows\System32\drivers\aswRvrt.sys ()
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (DefragFS) -- C:\Windows\System32\drivers\DefragFs.sys (Raxco Software, Inc.)
DRV - (PDFSFilter) -- C:\Windows\System32\drivers\PDFsFilter.sys (Raxco Software, Inc.)
DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV - (TsUsbGD) -- C:\Windows\System32\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (FETND6V) -- C:\Windows\System32\drivers\fetnd6v.sys (VIA Technologies, Inc. )
DRV - (ALCXWDM) -- C:\Windows\System32\drivers\RTKVAC.SYS (Realtek Semiconductor Corp.)
DRV - (nvmpu401) -- C:\Windows\System32\drivers\nvmpu401.sys (NVIDIA Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3845936323-2724631369-1939821654-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3845936323-2724631369-1939821654-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-3845936323-2724631369-1939821654-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 43 23 C8 AF E2 82 CE 01 [binary data]
IE - HKU\S-1-5-21-3845936323-2724631369-1939821654-1002\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3845936323-2724631369-1939821654-1002\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR
IE - HKU\S-1-5-21-3845936323-2724631369-1939821654-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:22.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\PROGRA~1\AVASTS~1\Avast\WebRep\FF [2013/07/07 20:51:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2013/03/31 11:07:12 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mary\AppData\Roaming\Mozilla\Extensions
[2013/07/07 20:00:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/06/27 06:51:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/06/27 06:52:48 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

O1 HOSTS File: ([2013/07/17 00:27:43 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (BrowserHelper Class) - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Program Files\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Home Server Banner) - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Program Files\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SDTray] C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [SoundMan] C:\Windows\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - Startup: C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LocalAccountTokenFilterPolicy = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3845936323-2724631369-1939821654-1002\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3845936323-2724631369-1939821654-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 10.25.2)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 10.25.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0ACFF909-4D89-4317-B1F5-62BCCE4E8641}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (PDBoot.exe)
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/07/20 11:21:49 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Mary\Desktop\OTL.exe
[2013/07/20 07:10:34 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{DC70E249-12D2-4E16-8632-67D917C6EB30}
[2013/07/19 09:45:18 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{422707BB-6B2A-4CC0-B08A-79148BBD6D17}
[2013/07/19 04:16:13 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Roaming\Malwarebytes
[2013/07/19 04:15:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/07/19 04:15:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/07/19 04:15:51 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013/07/19 04:15:51 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/07/18 21:44:23 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{96363A3C-0F3A-4768-B962-47FEA9D5FD3C}
[2013/07/18 21:27:45 | 010,285,040 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Mary\Desktop\mbam-setup-1.75.0.1300.exe
[2013/07/18 09:44:11 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{A0A85B40-EE8A-4A9A-8725-25ACDE369AE2}
[2013/07/17 21:43:46 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{BD854A47-EA2B-4F8C-8D05-F99188F4095B}
[2013/07/17 09:43:34 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{FC0D9BF5-3D3E-40E5-8D99-03E20A89720F}
[2013/07/17 00:31:31 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/07/17 00:31:27 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\temp
[2013/07/17 00:27:42 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/07/17 00:04:16 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/07/17 00:04:16 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/07/17 00:04:16 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/07/16 23:41:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/07/16 22:46:16 | 005,089,088 | R--- | C] (Swearware) -- C:\Users\Mary\Desktop\ComboFix.exe
[2013/07/16 21:43:08 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{97AD31E7-9EB7-4C0C-8EA6-FB28ED95AB3F}
[2013/07/16 09:42:56 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{13C4ACF1-FDA7-4CAA-B5DE-AB3243085625}
[2013/07/15 21:42:29 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{9AE7A034-D1E3-4E1B-86C6-3CB9499F7CFE}
[2013/07/15 20:55:59 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2013/07/15 09:41:58 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{9EF31D11-980B-4E6E-9F69-96A90FEA5F31}
[2013/07/14 21:40:50 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{D0C92016-275A-4745-BDC2-4A4F947071FA}
[2013/07/14 09:40:21 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{1409CAAB-8692-4919-98A1-FDA512820547}
[2013/07/13 21:38:28 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{DFC460EB-B8BA-4EFD-A2E6-2A95812C8252}
[2013/07/13 07:21:49 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{CFB5098E-C3E2-4BC6-B2C6-50E7714FA3DB}
[2013/07/12 18:45:47 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{0BB49373-4748-45E1-9AC5-FA95282B3965}
[2013/07/12 08:57:49 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2013/07/12 08:25:47 | 002,706,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/07/12 08:25:29 | 002,877,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/07/12 08:25:22 | 000,039,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/07/12 08:25:21 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2013/07/12 08:25:13 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/07/12 08:25:04 | 000,493,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/07/12 08:25:03 | 000,042,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2013/07/12 08:25:03 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2013/07/12 08:25:02 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2013/07/12 08:25:01 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2013/07/12 06:45:09 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{A6861E7E-2944-45E4-B4F0-7D77255CE767}
[2013/07/11 18:21:16 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{B62F9530-33AC-4A79-BC98-FA2188E44027}
[2013/07/11 16:37:15 | 001,247,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2013/07/11 16:37:10 | 001,620,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WMVDECOD.DLL
[2013/07/11 16:37:07 | 000,509,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\qedit.dll
[2013/07/11 16:37:04 | 002,347,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/07/11 06:19:46 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{6DF18D74-35FF-4387-BED6-2737F7273D1F}
[2013/07/10 18:17:46 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{9D15DC59-57C7-45A7-8310-368E5ACDA4F0}
[2013/07/10 06:16:25 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{C88A5F3E-D651-49AD-9FAD-6EBF671EBA25}
[2013/07/09 18:56:45 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2013/07/09 18:51:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2013/07/09 18:51:31 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2013/07/09 18:15:10 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{146F2547-B211-4286-81BC-838319073E7F}
[2013/07/09 06:14:01 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{21FCE9B9-73CD-46B6-A2FD-88C8311FA141}
[2013/07/08 18:13:02 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{38E9DC84-551D-4E4A-8606-2D5CAD75DD9C}
[2013/07/08 06:12:24 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{436762B8-F551-40AC-BF03-7BFE58DFF367}
[2013/07/07 21:11:16 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Roaming\Windows Home Server
[2013/07/07 21:00:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013/07/07 21:00:43 | 000,029,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2013/07/07 21:00:40 | 000,369,584 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2013/07/07 21:00:30 | 000,061,680 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr2.sys
[2013/07/07 21:00:27 | 000,056,080 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2013/07/07 21:00:25 | 000,770,344 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2013/07/07 21:00:06 | 000,066,336 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2013/07/07 20:59:59 | 000,229,648 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2013/07/07 20:39:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2013/07/07 20:36:45 | 000,789,416 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\deployJava1.dll
[2013/07/07 20:36:40 | 000,867,240 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\npDeployJava1.dll
[2013/07/07 20:36:40 | 000,263,592 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2013/07/07 20:34:38 | 000,094,632 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2013/07/07 20:34:37 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2013/07/07 20:34:36 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2013/07/07 19:54:16 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2013/07/07 15:09:16 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2013/07/07 14:38:11 | 000,000,000 | ---D | C] -- C:\Users\Mary\Documents\Blackbody_files
[2013/07/07 14:37:42 | 000,000,000 | ---D | C] -- C:\Users\Mary\Desktop\New Files
[2013/07/07 14:13:02 | 000,000,000 | ---D | C] -- C:\Users\Mary\Desktop\Mail Drafts
[2013/07/07 14:10:36 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{234DE1E8-5FD3-4108-9115-A56201ADEC25}
[2013/07/07 11:32:01 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2013/07/07 11:31:02 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013/07/07 11:20:25 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2013/07/02 20:56:44 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{D576B55C-58E8-4027-8B56-09D56FE856C5}
[2013/07/02 08:56:32 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{3855B8F8-4E2E-4C51-8306-E5571D4BE293}
[2013/07/01 20:56:04 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{812FE831-99E3-4F63-8911-750F4AF213A0}
[2013/07/01 17:58:31 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\Macromedia
[2013/07/01 14:33:08 | 000,000,000 | ---D | C] -- C:\Users\Mary\Documents\Perlite_files
[2013/07/01 14:32:42 | 000,000,000 | ---D | C] -- C:\Users\Mary\Documents\Thermal diffusivity_files
[2013/07/01 08:55:49 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{C389991A-1BCE-4AD9-B2C1-E3CE3CBCA256}
[2013/06/30 20:55:11 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{198382B1-F01C-426B-A926-3BA1C275A670}
[2013/06/30 08:52:15 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{425EC9DD-9EBC-4D47-BE00-0EC96F614553}
[2013/06/29 20:51:46 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{1125EA97-F162-4374-9F88-8CB649968347}
[2013/06/29 08:51:21 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{8A80A831-9892-4CD2-8F12-C2BF1972C7E5}
[2013/06/28 20:50:56 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{B3A2FC70-91A7-46A1-87BF-2AA1252DABFF}
[2013/06/28 08:50:44 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{79A4B26C-FF75-48E8-9B6E-7D31003C7F43}
[2013/06/27 20:50:17 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{0595ED40-E88B-4AFA-A26F-A8C981A62F22}
[2013/06/27 08:50:05 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{7ACD872F-2692-404D-B097-47D743D489D5}
[2013/06/27 06:51:41 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/06/26 20:49:40 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{A40A0150-237B-4475-9AB8-7AC793015CC1}
[2013/06/26 08:49:28 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{F62183F1-40BA-431F-84C3-02FF705E5E9A}
[2013/06/25 20:49:01 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{1ABB8B73-4E5F-4F5E-948D-70365535A608}
[2013/06/25 08:48:36 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{896364A8-7BC8-437A-AFB6-E71DAD196DA9}
[2013/06/24 20:47:58 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{87345A2F-033D-40C2-9792-A5175F2DD28F}
[2013/06/24 08:47:45 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{BB7F6E76-15C7-47B0-A4AE-3AE14DB06CB9}
[2013/06/23 20:45:57 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{D9EE6A53-720B-4C81-973D-233C65660A60}
[2013/06/20 20:57:23 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\{C62B65C5-3562-4B30-864E-AB20CB4A248C}

========== Files - Modified Within 30 Days ==========

[2013/07/20 11:30:46 | 000,000,314 | ---- | M] () -- C:\Users\Mary\Desktop\Strange voices from speakers, frequent 'Malicious URL Blocked' messages from Avast! - Page 2.URL
[2013/07/20 11:19:09 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Mary\Desktop\OTL.exe
[2013/07/20 11:16:04 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/07/20 07:18:14 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/07/20 07:18:14 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/07/20 07:07:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/07/20 07:07:25 | 1584,259,072 | -HS- | M] () -- C:\hiberfil.sys
[2013/07/19 04:15:57 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/07/18 21:09:42 | 010,285,040 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Mary\Desktop\mbam-setup-1.75.0.1300.exe
[2013/07/17 00:27:43 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2013/07/16 22:58:32 | 005,089,088 | R--- | M] (Swearware) -- C:\Users\Mary\Desktop\ComboFix.exe
[2013/07/15 21:18:22 | 000,051,142 | ---- | M] () -- C:\Users\Mary\Desktop\TDSS Killer Logs.zip
[2013/07/15 20:52:31 | 002,237,968 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Mary\Desktop\TDSSKiller.exe
[2013/07/15 20:32:59 | 002,218,636 | ---- | M] () -- C:\Users\Mary\Desktop\tdsskiller.zip
[2013/07/12 10:32:24 | 000,394,000 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/07/12 09:28:27 | 000,691,532 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/07/12 09:28:27 | 000,129,530 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/07/12 08:17:00 | 000,000,129 | ---- | M] () -- C:\Windows\System32\MRT.INI
[2013/07/09 19:22:47 | 000,000,512 | ---- | M] () -- C:\Users\Mary\Desktop\MBR.dat
[2013/07/09 19:16:17 | 000,003,649 | ---- | M] () -- C:\Users\Mary\Desktop\attach.zip
[2013/07/09 18:51:40 | 000,001,116 | ---- | M] () -- C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2013/07/09 18:51:35 | 000,000,917 | ---- | M] () -- C:\Users\Mary\Desktop\ERUNT.lnk
[2013/07/07 21:26:11 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/07/07 21:01:38 | 000,000,175 | ---- | M] () -- C:\Windows\System32\drivers\aswVmm.sys.sum
[2013/07/07 21:01:37 | 000,175,176 | ---- | M] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013/07/07 21:01:36 | 000,369,584 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2013/07/07 21:01:36 | 000,000,175 | ---- | M] () -- C:\Windows\System32\drivers\aswSP.sys.sum
[2013/07/07 21:01:34 | 000,000,175 | ---- | M] () -- C:\Windows\System32\drivers\aswSnx.sys.sum
[2013/07/07 21:01:33 | 000,770,344 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2013/07/07 21:00:55 | 000,002,117 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013/07/07 21:00:05 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2013/07/07 20:25:48 | 000,094,632 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2013/07/07 20:24:24 | 000,263,592 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2013/07/07 20:24:23 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2013/07/07 20:24:12 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2013/07/07 20:23:52 | 000,867,240 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\npDeployJava1.dll
[2013/07/07 20:23:49 | 000,789,416 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\deployJava1.dll
[2013/07/07 20:11:26 | 000,007,605 | ---- | M] () -- C:\Users\Mary\AppData\Local\Resmon.ResmonCfg
[2013/07/04 20:12:19 | 000,016,415 | ---- | M] () -- C:\Users\Mary\Documents\Blackbody.htm
[2013/07/02 11:48:01 | 000,089,962 | ---- | M] () -- C:\Users\Mary\Documents\Schjeldahl_NotesBeauty.pdf
[2013/07/02 10:47:12 | 001,167,754 | ---- | M] () -- C:\Users\Mary\Documents\Review Beauty by Roger Scruton Books The Observer.mht
[2013/07/01 17:58:07 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/07/01 17:58:07 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/07/01 14:33:08 | 000,016,926 | ---- | M] () -- C:\Users\Mary\Documents\Perlite.htm
[2013/07/01 14:32:43 | 000,016,616 | ---- | M] () -- C:\Users\Mary\Documents\Thermal diffusivity.htm
[2013/06/30 20:45:50 | 000,002,027 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2013/06/30 20:14:55 | 000,444,880 | ---- | M] () -- C:\Users\Mary\Documents\WPC Maillard.pdf
[2013/06/29 12:55:27 | 000,012,292 | -H-- | M] () -- C:\.DS_Store
[2013/06/26 21:51:24 | 000,071,024 | ---- | M] () -- C:\Users\Mary\Documents\Slavoj Zizek-Bibliography-The Interpassive Subject-Lacan Dot Com.htm

========== Files Created - No Company Name ==========

[2013/07/20 11:30:46 | 000,000,314 | ---- | C] () -- C:\Users\Mary\Desktop\Strange voices from speakers, frequent 'Malicious URL Blocked' messages from Avast! - Page 2.URL
[2013/07/19 04:15:57 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/07/17 00:04:16 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/07/17 00:04:16 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/07/17 00:04:16 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/07/17 00:04:16 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/07/17 00:04:16 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/07/15 21:18:22 | 000,051,142 | ---- | C] () -- C:\Users\Mary\Desktop\TDSS Killer Logs.zip
[2013/07/15 20:51:58 | 002,218,636 | ---- | C] () -- C:\Users\Mary\Desktop\tdsskiller.zip
[2013/07/12 08:16:55 | 000,000,129 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2013/07/09 19:22:47 | 000,000,512 | ---- | C] () -- C:\Users\Mary\Desktop\MBR.dat
[2013/07/09 19:16:15 | 000,003,649 | ---- | C] () -- C:\Users\Mary\Desktop\attach.zip
[2013/07/09 18:51:40 | 000,001,116 | ---- | C] () -- C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2013/07/09 18:51:35 | 000,000,917 | ---- | C] () -- C:\Users\Mary\Desktop\ERUNT.lnk
[2013/07/07 21:01:41 | 000,000,175 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys.sum
[2013/07/07 21:01:40 | 000,000,175 | ---- | C] () -- C:\Windows\System32\drivers\aswSnx.sys.sum
[2013/07/07 21:01:39 | 000,000,175 | ---- | C] () -- C:\Windows\System32\drivers\aswSP.sys.sum
[2013/07/07 21:00:54 | 000,002,117 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013/07/07 21:00:17 | 000,175,176 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013/07/07 21:00:14 | 000,049,376 | ---- | C] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2013/07/07 16:16:04 | 000,007,605 | ---- | C] () -- C:\Users\Mary\AppData\Local\Resmon.ResmonCfg
[2013/07/07 14:38:05 | 000,016,415 | ---- | C] () -- C:\Users\Mary\Documents\Blackbody.htm
[2013/07/07 09:54:38 | 1584,259,072 | -HS- | C] () -- C:\hiberfil.sys
[2013/07/02 11:48:00 | 000,089,962 | ---- | C] () -- C:\Users\Mary\Documents\Schjeldahl_NotesBeauty.pdf
[2013/07/02 10:47:07 | 001,167,754 | ---- | C] () -- C:\Users\Mary\Documents\Review Beauty by Roger Scruton Books The Observer.mht
[2013/07/01 14:36:11 | 000,460,682 | ---- | C] () -- C:\Users\Mary\Documents\apfelschnitzer.pdf
[2013/07/01 14:33:07 | 000,016,926 | ---- | C] () -- C:\Users\Mary\Documents\Perlite.htm
[2013/07/01 14:32:41 | 000,016,616 | ---- | C] () -- C:\Users\Mary\Documents\Thermal diffusivity.htm
[2013/06/30 20:45:50 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
[2013/06/30 20:45:50 | 000,002,027 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2013/06/30 19:29:20 | 000,444,880 | ---- | C] () -- C:\Users\Mary\Documents\WPC Maillard.pdf
[2013/06/29 12:37:12 | 000,012,292 | -H-- | C] () -- C:\.DS_Store
[2013/06/26 21:51:23 | 000,071,024 | ---- | C] () -- C:\Users\Mary\Documents\Slavoj Zizek-Bibliography-The Interpassive Subject-Lacan Dot Com.htm
[2013/05/12 21:16:22 | 000,012,292 | -H-- | C] () -- C:\Users\Mary\.DS_Store
[2013/03/23 17:50:34 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2013/03/23 15:36:15 | 000,021,316 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat

========== ZeroAccess Check ==========

[2009/07/14 00:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/02/27 00:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 17:29:20 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 21:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/03/23 15:09:16 | 000,000,000 | ---D | M] -- C:\Users\hstumpf\AppData\Roaming\Acronis
[2013/03/23 15:09:17 | 000,000,000 | ---D | M] -- C:\Users\hstumpf\AppData\Roaming\Blackberry Desktop
[2013/03/23 15:09:17 | 000,000,000 | ---D | M] -- C:\Users\hstumpf\AppData\Roaming\Configuration
[2013/03/23 15:09:17 | 000,000,000 | ---D | M] -- C:\Users\hstumpf\AppData\Roaming\GlobalSCAPE
[2013/03/23 15:09:18 | 000,000,000 | ---D | M] -- C:\Users\hstumpf\AppData\Roaming\JAM Software
[2013/03/23 15:09:19 | 000,000,000 | ---D | M] -- C:\Users\hstumpf\AppData\Roaming\JDiskReport
[2013/03/23 15:09:37 | 000,000,000 | ---D | M] -- C:\Users\hstumpf\AppData\Roaming\Research In Motion
[2008/09/13 18:34:30 | 000,000,000 | ---D | M] -- C:\Users\hstumpf\AppData\Roaming\Temp
[2013/07/07 21:11:16 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Windows Home Server
[2013/03/31 04:00:02 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Windows Live Writer

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 889 bytes -> C:\Users\Mary\Documents\THE ART OF FASHION_ Valentino.eml:OECustomProperty
@Alternate Data Stream - 780 bytes -> C:\Users\Mary\Documents\your pan is on the way.eml:OECustomProperty
@Alternate Data Stream - 769 bytes -> C:\Users\Mary\Documents\Julia and universal lids.eml:OECustomProperty
@Alternate Data Stream - 748 bytes -> C:\Users\Mary\Documents\Re_ a question of copper.eml:OECustomProperty
@Alternate Data Stream - 708 bytes -> C:\Users\Mary\Documents\snowhound hounding.eml:OECustomProperty
@Alternate Data Stream - 708 bytes -> C:\Users\Mary\Documents\more for snowhound.eml:OECustomProperty
@Alternate Data Stream - 704 bytes -> C:\Users\Mary\Documents\Re_ round steamer___.eml:OECustomProperty
@Alternate Data Stream - 60 bytes -> C:\Users\Mary\.DS_Store:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\.DS_Store:AFP_AfpInfo

< End of report >
ken545
2013-07-20, 23:03
:bigthumb:



Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png




Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups, any programs that where not removed you can just drag to the trash.


Malwarebytes is the free version and yours to keep and will not be removed



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
hstumpf
2013-07-23, 00:59
Ken,

I thought I'd do all the things in the links you sent me, and then get back to you. But in all of those links there are so many things to do! I will develop a plan -- what to do initially to all of my PCs, what to do on a schedule for them, what to do differently for the Windows XP and Windows 7 PCs, and so on.

Thanks for getting my PC back in working order. I couldn't have done it without you. It's actually my wife's PC, and in her despair she wanted me to buy her a new computer. We were able to avoid that.

I did find problems with two of your links. The link to WhattheTech doesn't work. And the link to Dslreports redirecta me to the correct link. The others are all fine.

I have one more question. Should I run TDSS Killer on all of my PCs, maybe every week or so, or is there a reason why I shouldn't?

Once again, thanks.


Harry :D:
ken545
2013-07-23, 01:47
Hello Harry,

On my systems I have one Anti Virus program ( more than one is overkill and can cause problems ) I also have Spybot Search and Destroy and Malwarebytes. You should keep these updated and run regular scans maybe weekly.

We have many many tools and there run to remove a particular infection that there designed to remove. You where infected with a variant of the TDSS Rootkit and TDSSKiller was written to remove that infection, if your not infected with TDSS that running that tool will do no good, besides all our tools are updated on a regular basis and an old version would really not help, another downside is that as a helper on the forums I am notified about any potential problems with a tool and the tool is pulled, the average user is not so running a particular tool when its not needed can cause you other problems.

Another program you can run is a free online virus scanner, just have it run and you can post the results in the forum, dont have it remove anything as sometimes they pick up false positives.

This is one of the better ones, if you have the time run it and if it finds anything post the log


ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.



All those links worked for me , unsure why they wouldn't open for you
hstumpf
2013-07-25, 23:47
Ken,

I ran the scan -- it ran for many, many hours! Here is the log.

C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\0F7B25C9-00011348.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\12EF47B7-000128B6.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\150948C0-000115B8.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\15432CFC-000112A3.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\240371CC-00012768.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\24CC4ACC-00011249.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\30664F79-00011314.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\3B4C2481-00012826.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\441E4550-0001285B.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\4ADC3400-000112ED.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\4BFF704C-0001155E.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\52EA650A-0001125D.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\539E7B44-000129F2.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\576B1F02-00011263.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\5B9F7083-000115F3.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\61FE1C3F-00012718.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\655269A0-000112E6.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\688A2E43-00011590.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\6F563B7C-0001161A.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\75266AA6-00011246.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\7A8521C9-000125D5.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\7B3A624E-0001162A.eml HTML/Phishing.gen trojan
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\7C88076A-00011243.eml HTML/Phishing.gen trojan


Thanks again for your help.

Harry
ken545
2013-07-26, 00:33
Looks like some bad entries in your Windows Mail were removed.

All ok ?
hstumpf
2013-07-26, 01:46
Ken, all seems OK. But the entries weren't removed. You said to uncheck 'Remove found threats'. Should I run it again and remove them?

Harry
ken545
2013-07-26, 02:33
Ahh, hate to make you run that long scan again, it looks like what ESET found where deleted items in your mail.

Go here
C:\Users\hstumpf\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items <-- And see if you can delete all thats in there but not that folder itself

Let me know , we can try it another way if need be
ken545
2013-07-29, 14:25
Still with me ?
hstumpf
2013-07-30, 01:00
Yes, Ken, I'm back. Sorry I disappeared for a couple of days. I've done every thing you said, including the email messages that the last scan picked up.

The PC is working like a charm now. Thanks for saving it! You've been great to work with.

Is there anything else I should do?

Harry
ken545
2013-07-30, 01:54
Looks like your good to go Harry, been a pleasure :)

Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups, any programs that where not removed you can just drag to the trash.


Malwarebytes is the free version and yours to keep and will not be removed



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken
ken545
2013-08-02, 20:52
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.