
Author Topic: system doctor 2014 Virus  (Read 9301 times)


mohadeeb

    Topic Starter


    Rookie

    system doctor 2014 Virus
    « on: June 02, 2013, 01:19:15 PM »
    I made the mistake of opening an email and clicking a download.

    DDS.Txt
    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 10.0.9200.16576  BrowserJavaVersion: 10.21.2
    Run by Joseph at 14:58:36 on 2013-06-02
    Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.24567.22228 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\NisSrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Security Client\MpCmdRun.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\SysWOW64\NOTEPAD.EXE
    C:\Windows\SysWOW64\NOTEPAD.EXE
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: Userinit = userinit.exe,
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    uRun: [hascs] "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\hascs.dll",Method_Self
    uRun: [uinalo] "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\uinalo.dll",vGetOptions
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{989ED2C1-880F-4EDD-93D3-F27F51D62BD9} : DHCPNameServer = 192.168.1.1
    SSODL: WebCheck - <orphaned>
    x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    x64-SSODL: WebCheck - <orphaned>
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]
    R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-1-20 130008]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-3-14 383264]
    R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-5-2 19456]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-5-2 57856]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-4-30 1255736]
    SUnknown iuweipxx;iuweipxx;

    .
    =============== File Associations ===============
    .
    FileExt: .txt: txtfile=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
    .
    =============== Created Last 30 ================
    .
    2013-06-02 19:25:34   --------   d-----w-   C:\Users\Joseph\AppData\Roaming\Malwarebytes
    2013-06-02 19:25:15   --------   d-----w-   C:\ProgramData\Malwarebytes
    2013-06-02 19:25:13   25928   ----a-w-   C:\Windows\System32\drivers\mbam.sys
    2013-06-02 19:25:13   --------   d-----w-   C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-06-02 19:19:40   --------   d-----w-   C:\Program Files\CCleaner
    2013-06-02 07:40:50   964552   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2059AB76-1D93-4110-9DD8-CB4BAC55F550}\gapaengine.dll
    2013-06-02 07:40:47   9460464   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CB1AC2D4-EBC1-4996-B081-A9DD7CF63385}\mpengine.dll
    2013-06-02 07:39:50   --------   d-----w-   C:\Program Files (x86)\Microsoft Security Client
    2013-06-02 07:39:49   --------   d-----w-   C:\Program Files\Microsoft Security Client
    2013-06-02 07:26:28   9460464   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3F4C508B-827D-4609-B1F5-B06F0104A195}\mpengine.dll
    2013-06-01 19:04:51   --------   d-----w-   C:\Users\Joseph\AppData\Roaming\dadfRidR
    2013-06-01 19:02:21   487424   ----a-w-   C:\Users\Joseph\AppData\Roaming\uinalo.dll
    2013-06-01 19:02:16   872448   ----a-w-   C:\Users\Joseph\AppData\Roaming\hascs.dll
    2013-05-28 16:22:15   --------   d-----w-   C:\Users\Joseph\AppData\Local\TSVNCache
    2013-05-28 11:08:13   --------   d-----w-   C:\Users\Joseph\AppData\Roaming\TortoiseSVN
    2013-05-28 11:05:59   --------   d-----w-   C:\Users\Joseph\AppData\Roaming\Subversion
    2013-05-28 11:04:14   --------   d-----w-   C:\Program Files (x86)\Common Files\TortoiseOverlays
    2013-05-28 11:04:13   --------   d-----w-   C:\Program Files\TortoiseSVN
    2013-05-28 11:04:13   --------   d-----w-   C:\Program Files\Common Files\TortoiseOverlays
    2013-05-28 10:58:36   --------   d-----w-   C:\ProgramData\APN
    2013-05-28 10:05:02   --------   d-----w-   C:\Users\Joseph\AppData\Local\Adobe
    2013-05-28 09:45:57   --------   d-----w-   C:\Users\Joseph\AppData\Local\HonorbuddyMeshes
    2013-05-27 12:37:07   --------   d-----w-   C:\Program Files (x86)\MPC-HC
    2013-05-27 12:36:48   --------   d-----w-   C:\Users\Joseph\AppData\Local\Programs
    2013-05-27 12:33:59   --------   d-----w-   C:\Program Files (x86)\SPlayer
    2013-05-04 22:47:31   --------   d-----w-   C:\Windows\SysWow64\RTCOM
    2013-05-04 22:28:16   53248   ----a-w-   C:\Windows\SysWow64\CSVer.dll
    2013-05-04 22:28:07   --------   d-----w-   C:\Intel
    2013-05-04 21:58:30   --------   d-----w-   C:\Users\Joseph\AppData\Roaming\DriverFinder
    2013-05-04 21:38:50   16896   ----a-w-   C:\Windows\AsTaskSched.dll
    2013-05-04 21:36:59   --------   d-----w-   C:\Program Files\Realtek
    2013-05-04 21:36:53   1631264   ----a-w-   C:\Windows\System32\RtkAPO64.dll
    2013-05-04 21:36:51   --------   d--h--w-   C:\Program Files (x86)\Temp
    2013-05-04 21:36:50   757760   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
    2013-05-04 21:36:50   69715   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
    2013-05-04 21:36:50   65024   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
    2013-05-04 21:36:50   32768   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll
    2013-05-04 21:36:50   274432   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
    2013-05-04 21:36:50   204800   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
    2013-05-04 21:36:49   331908   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
    2013-05-04 21:36:49   200836   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
    2013-05-04 05:48:39   9460464   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    .
    ==================== Find3M  ====================
    .
    2013-05-16 14:34:58   71048   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-05-16 14:34:58   692104   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
    2013-05-04 22:46:54   1247776   ----a-w-   C:\Windows\RtlExUpd.dll
    2013-05-02 15:29:56   278800   ------w-   C:\Windows\System32\MpSigStub.exe
    2013-05-02 13:55:31   175616   ----a-w-   C:\Windows\System32\msclmd.dll
    2013-05-02 13:55:31   152576   ----a-w-   C:\Windows\SysWow64\msclmd.dll
    2013-05-01 01:32:09   95648   ----a-w-   C:\Windows\SysWow64\WindowsAccessBridge-32.dll
    2013-05-01 01:32:09   866720   ----a-w-   C:\Windows\SysWow64\npDeployJava1.dll
    2013-05-01 01:32:09   788896   ----a-w-   C:\Windows\SysWow64\deployJava1.dll
    2013-04-13 05:49:23   135168   ----a-w-   C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
    2013-04-13 05:49:19   350208   ----a-w-   C:\Windows\apppatch\AppPatch64\AcLayers.dll
    2013-04-13 05:49:19   308736   ----a-w-   C:\Windows\apppatch\AppPatch64\AcGenral.dll
    2013-04-13 05:49:19   111104   ----a-w-   C:\Windows\apppatch\AppPatch64\acspecfc.dll
    2013-04-13 04:45:16   474624   ----a-w-   C:\Windows\apppatch\AcSpecfc.dll
    2013-04-13 04:45:15   2176512   ----a-w-   C:\Windows\apppatch\AcGenral.dll
    2013-04-12 14:45:08   1656680   ----a-w-   C:\Windows\System32\drivers\ntfs.sys
    2013-04-10 06:01:54   265064   ----a-w-   C:\Windows\System32\drivers\dxgmms1.sys
    2013-04-10 06:01:53   983400   ----a-w-   C:\Windows\System32\drivers\dxgkrnl.sys
    2013-04-10 03:30:50   3153920   ----a-w-   C:\Windows\System32\win32k.sys
    2013-04-05 06:52:14   2242048   ----a-w-   C:\Windows\System32\wininet.dll
    2013-04-05 06:50:36   3958784   ----a-w-   C:\Windows\System32\jscript9.dll
    2013-04-05 06:50:31   67072   ----a-w-   C:\Windows\System32\iesetup.dll
    2013-04-05 06:50:31   136704   ----a-w-   C:\Windows\System32\iesysprep.dll
    2013-04-05 05:28:24   1767424   ----a-w-   C:\Windows\SysWow64\wininet.dll
    2013-04-05 05:26:26   2877440   ----a-w-   C:\Windows\SysWow64\jscript9.dll
    2013-04-05 05:26:21   61440   ----a-w-   C:\Windows\SysWow64\iesetup.dll
    2013-04-05 05:26:21   109056   ----a-w-   C:\Windows\SysWow64\iesysprep.dll
    2013-04-05 04:43:00   2706432   ----a-w-   C:\Windows\System32\mshtml.tlb
    2013-04-05 04:29:45   2706432   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
    2013-04-05 03:51:11   89600   ----a-w-   C:\Windows\System32\RegisterIEPKEYs.exe
    2013-04-05 03:38:25   71680   ----a-w-   C:\Windows\SysWow64\RegisterIEPKEYs.exe
    2013-03-19 06:04:06   5550424   ----a-w-   C:\Windows\System32\ntoskrnl.exe
    2013-03-19 05:53:58   48640   ----a-w-   C:\Windows\System32\wwanprotdim.dll
    2013-03-19 05:53:58   230400   ----a-w-   C:\Windows\System32\wwansvc.dll
    2013-03-19 05:46:56   43520   ----a-w-   C:\Windows\System32\csrsrv.dll
    2013-03-19 05:04:13   3968856   ----a-w-   C:\Windows\SysWow64\ntkrnlpa.exe
    2013-03-19 05:04:10   3913560   ----a-w-   C:\Windows\SysWow64\ntoskrnl.exe
    2013-03-19 04:47:50   6656   ----a-w-   C:\Windows\SysWow64\apisetschema.dll
    2013-03-19 03:06:33   112640   ----a-w-   C:\Windows\System32\smss.exe
    2013-03-15 04:16:18   3477280   ----a-w-   C:\Windows\System32\nvsvc64.dll
    2013-03-15 04:16:17   6398240   ----a-w-   C:\Windows\System32\nvcpl.dll
    2013-03-15 04:16:10   877856   ----a-w-   C:\Windows\System32\nvvsvc.exe
    2013-03-15 04:16:10   63776   ----a-w-   C:\Windows\System32\nvshext.dll
    2013-03-15 04:16:10   237856   ----a-w-   C:\Windows\System32\nvmctray.dll
    2013-03-15 03:07:52   559904   ----a-w-   C:\Windows\SysWow64\nvStreaming.exe
    2013-03-13 16:24:01   3065455   ----a-w-   C:\Windows\System32\nvcoproc.bin
    .
    ============= FINISH: 14:58:41.89 ===============
    Attach.txt
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume3
    Install Date: 4/30/2013 19:03:42
    System Uptime: 6/2/2013 14:57:06 (0 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. |  | SABERTOOTH X58
    Processor: Intel(R) Core(TM) i7 CPU         950  @ 3.07GHz | LGA1366 | 3068/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 119 GiB total, 26.929 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 0 GiB total, 0.059 GiB free.
    F: is FIXED (NTFS) - 931 GiB total, 657.721 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Universal Serial Bus (USB) Controller
    Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_84131043&REV_03\4&CF85AA7&0&0010
    Manufacturer:
    Name: Universal Serial Bus (USB) Controller
    PNP Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_84131043&REV_03\4&CF85AA7&0&0010
    Service:
    .
    ==== System Restore Points ===================
    .
    RP259: 4/27/2013 21:39:21 - Scheduled Checkpoint
    RP260: 4/28/2013 02:31:15 - Windows Update
    RP261: 4/30/2013 11:42:53 - Installed Samsung Data Migration
    RP262: 4/30/2013 11:47:55 - Installed Samsung Data Migration
    RP263: 5/1/2013 07:53:54 - Windows Update
    RP22: 5/28/2013 06:01:33 - Installed TortoiseSVN 1.7.12.24070 (64 bit)
    RP23: 5/28/2013 14:56:49 - Windows Update
    RP25: 6/1/2013 13:45:57 - Windows Defender Checkpoint
    RP264: 6/1/2013 14:16:49 - Windows Update
    RP265: 6/1/2013 20:38:23 - Windows Update
    RP26: 6/2/2013 02:26:23 - Windows Update
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Reader XI (11.0.03)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    CCleaner
    Google Toolbar for Internet Explorer
    Google Update Helper
    iTunes
    Java 7 Update 21
    Java Auto Updater
    Malwarebytes Anti-Malware version 1.75.0.1300
    Microsoft .NET Framework 4 Client Profile
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    MPC-HC 1.6.7.7114 (9eb64ec)
    Mumble 1.2.3
    NVIDIA 3D Vision Controller Driver 314.22
    NVIDIA 3D Vision Driver 314.22
    NVIDIA Control Panel 314.22
    NVIDIA Graphics Driver 314.22
    NVIDIA Install Application
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.12.1031
    NVIDIA Stereoscopic 3D Driver
    NVIDIA Update 1.12.12
    NVIDIA Update Components
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
    SPlayer
    TortoiseSVN 1.7.12.24070 (64 bit)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Vuze
    WinRAR 4.20 (32-bit)
    WinRAR 4.20 (64-bit)
    World of Warcraft
    .
    ==== End Of File ===========================


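The security-relevant part of the DDS log above is the pair of uRun entries that start rundll32.exe with hascs.dll and uinalo.dll from the user's AppData\Roaming folder, both created within five seconds of each other on 2013-06-01, followed two minutes later by the dadfRidR folder. The following is an added example written for this thread (it is not part of mohadeeb's post and not code from the DDS tool) that automates that reading: it parses the "Pseudo HJT Report" Run lines and the "Created Last 30" listing, flags any autorun that loads code from a user-writable directory through a signed host such as rundll32.exe, or whose executable itself sits there (which also covers the xuonskex.exe / ettvtwqj Run value that MSE reports later in the thread), and then pivots on the creation time of the flagged payloads to list everything else created in the same window. The directory markers, the host list and the five-minute window are the author's own heuristic choices; the sample lines are copied from the log posted above.

```python
"""Triage of the DDS 'Pseudo HJT Report' and 'Created Last 30' sections.

Added example for this thread: not part of the original post and not code
from the DDS tool.  Flags autorun entries that execute code from a
user-writable profile directory, then pivots on the creation timestamps of
the flagged payloads.  Directory markers, host names and the time window are
the author's heuristic choices.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Lines copied from the posted DDS log (trimmed to the ones that matter here).
SAMPLE_DDS = r"""
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [hascs] "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\hascs.dll",Method_Self
uRun: [uinalo] "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\uinalo.dll",vGetOptions
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
2013-06-02 19:25:34   --------   d-----w-   C:\Users\Joseph\AppData\Roaming\Malwarebytes
2013-06-01 19:04:51   --------   d-----w-   C:\Users\Joseph\AppData\Roaming\dadfRidR
2013-06-01 19:02:21   487424   ----a-w-   C:\Users\Joseph\AppData\Roaming\uinalo.dll
2013-06-01 19:02:16   872448   ----a-w-   C:\Users\Joseph\AppData\Roaming\hascs.dll
2013-05-28 16:22:15   --------   d-----w-   C:\Users\Joseph\AppData\Local\TSVNCache
"""

# DDS convention: u = current user hive, m = machine hive, d = default user hive,
# x64- = the 64-bit registry view.
RUN_RE = re.compile(r'^(?P<hive>u|m|d|x64-)Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
CREATED_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\S+\s+\S+\s+(?P<path>[A-Za-z]:\\.*)$')
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')

# Heuristic markers (author's choice): locations a standard user can write to.
USER_WRITABLE = ('\\appdata\\roaming\\', '\\appdata\\local\\', '\\temp\\', '\\users\\public\\')
# Signed Windows binaries commonly abused to load or run arbitrary code.
LOLBIN_HOSTS = {'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'}


def _tokens(cmd):
    """Split a command line into quoted/unquoted tokens, quotes removed."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def parse_dds(text):
    """Return (autorun entries, [(created_at, path), ...]) from DDS log text."""
    runs, created = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            runs.append(m.groupdict())
        elif m := CREATED_RE.match(line):
            created.append((datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S'), m['path']))
    return runs, created


def suspicious_autoruns(runs):
    """Flag autoruns that execute code from a user-writable directory."""
    findings = []
    for run in runs:
        # rundll32 takes "path.dll,Export"; keep only the path part of each token.
        tokens = [t.split(',')[0] for t in _tokens(run['cmd'])]
        if not tokens:
            continue
        host = PureWindowsPath(tokens[0]).name.lower()
        payloads = [t for t in tokens if _user_writable(t)]
        if not payloads:
            continue
        if host in LOLBIN_HOSTS:
            reason = f'{host} loading code from a user-writable directory'
        elif _user_writable(tokens[0]):
            reason = 'autorun binary itself lives in a user-writable directory'
        else:
            continue  # e.g. a legitimate updater passing a profile path as an argument
        findings.append({'name': run['name'], 'hive': run['hive'], 'host': host,
                         'payload': payloads[0], 'reason': reason})
    return findings


def pivot_timeline(created, payload_paths, window_minutes=5):
    """Everything created within +/- window of the flagged payloads' creation."""
    wanted = {p.lower() for p in payload_paths}
    anchors = [ts for ts, path in created if path.lower() in wanted]
    if not anchors:
        return []
    lo = min(anchors) - timedelta(minutes=window_minutes)
    hi = max(anchors) + timedelta(minutes=window_minutes)
    return sorted((ts, path) for ts, path in created if lo <= ts <= hi)


def triage(text, window_minutes=5):
    """Run both checks and return plain strings so the result is easy to read."""
    runs, created = parse_dds(text)
    hits = suspicious_autoruns(runs)
    timeline = pivot_timeline(created, [h['payload'] for h in hits], window_minutes)
    return {
        'autoruns': [f"{h['hive']}Run [{h['name']}]: {h['reason']}" for h in hits],
        'timeline': [(ts.isoformat(' '), PureWindowsPath(path).name) for ts, path in timeline],
    }


if __name__ == '__main__':
    for section, rows in triage(SAMPLE_DDS).items():
        print(section)
        for row in rows:
            print('  ', row)
```

On the posted log this flags only the hascs and uinalo entries (the Google Toolbar, Java updater and MSE entries run from Program Files and are left alone) and the timeline pivot returns hascs.dll, uinalo.dll and the dadfRidR folder, which is the set a responder would pull for analysis before any cleanup tool overwrites it.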

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: system doctor 2014 Virus
    « Reply #1 on: June 02, 2013, 03:40:22 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    Please run MBAM again and "remove the infections".
    *************************************************
    Please download Junkware Removal Tool to your desktop.

    Warning! Once the scan is complete JRT will shut down your browser with NO warning.

    Shut down your protection software now to avoid potential conflicts.

    •Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    •Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

    •The tool will open and start scanning your system.

    •Please be patient as this can take a while to complete depending on your system's specifications.

    •On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

    •Copy and Paste the JRT.txt log into your next message.
    **********************************************
    Download Combofix from any of the links below, and save it to your DESKTOP
    If your version of Windows defaults to your download folder you will need to copy it to your desktop.

    Link 1
    Link 2
    Link 3

    To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
    • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:

    Click I Agree to start the program.

    ComboFix will then extract the necessary files and you will see this:

    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

    It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    If you did not have it installed, you will see the prompt below. Choose YES.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

    Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

    Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.
    Windows 8 and Windows 10 dual boot with two SSD's

    mohadeeb

      Topic Starter


      Rookie

      Re: system doctor 2014 Virus
      « Reply #2 on: June 04, 2013, 05:00:47 AM »
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Junkware Removal Tool (JRT) by Thisisu
      Version: 4.9.4 (05.06.2013:1)
      OS: Windows 7 Professional x64
      Ran by Joseph on Tue 06/04/2013 at  5:55:54.08
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      ~~~ Services

      ~~~ Registry Values

      ~~~ Registry Keys

      Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\softonic

      ~~~ Files

      ~~~ Folders

      ~~~ Event Viewer Logs were cleared

      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Scan was completed on Tue 06/04/2013 at  5:57:36.49
      End of JRT log
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



      mohadeeb

        Topic Starter


        Rookie

        Re: system doctor 2014 Virus
        « Reply #3 on: June 04, 2013, 08:21:08 AM »
        OK, ran Microsoft Security Essentials; it found:

        Category: Trojan Downloader

        Description: This program is dangerous and downloads other programs.

        Recommended action: Remove this software immediately.

        Items:

        file:C:\Users\Joseph\AppData\Local\xuonskex.exe
        regkey:HKCU@S-1-5-21-2977072465-1446538436-779564955-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ettvtwqj
        runkey:HKCU@S-1-5-21-2977072465-1446538436-779564955-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ettvtwqj

        Security Essentials encountered the following error: Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this computer.

        Category: Trojan
        Description: This program is dangerous and executes commands from an attacker.

        Recommended action: Remove this software immediately.

        Items:
        process:pid:8256

        Category: Exploit
        Description: This program is dangerous and exploits the computer on which it is run.

        Recommended action: Remove this software immediately.

        Items:
        containerfile:C:\Users\Joseph\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\16579cf6-367cb00a
        file:C:\Users\Joseph\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\16579cf6-367cb00a->bytecodes.class
        file:C:\Users\Joseph\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\16579cf6-367cb00a->sress.class

        Category: Exploit

        Description: This program is dangerous and exploits the computer on which it is run.

        Recommended action: Remove this software immediately.

        Items:
        containerfile:C:\Users\Joseph\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\2413290-1a9a40b2
        file:C:\Users\Joseph\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\2413290-1a9a40b2->gfh.class


        SuperDave

        • Malware Removal Specialist


        Re: system doctor 2014 Virus
        « Reply #4 on: June 04, 2013, 01:11:21 PM »
        Quote: "ok ran Microsoft security essentials it found."
        That's why you need to run MBAM again and remove the infections. Please post the log.

        • Download RogueKiller on the desktop
        • Close all the running programs
        • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
        • Otherwise just double-click on RogueKiller.exe
        • Pre-scan will start. Let it finish.
        • Click on SCAN button.
        • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
        • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

        mohadeeb

          Topic Starter


          Rookie

          Re: system doctor 2014 Virus
          « Reply #5 on: June 04, 2013, 05:42:20 PM »
          RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
          mail : tigzyRK<at>gmail<dot>com
          Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
          Website : http://tigzy.geekstogo.com/roguekiller.php
          Blog : http://tigzyrk.blogspot.com/

          Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
          Started in : Normal mode
          User : Joseph [Admin rights]
          Mode : Scan -- Date : 06/04/2013 18:41:13
          | ARK || FAK || MBR |

          ¤¤¤ Bad processes : 0 ¤¤¤

          ¤¤¤ Registry Entries : 7 ¤¤¤
          [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
          [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
          [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
          [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
          [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
          [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
          [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

          ¤¤¤ Particular Files / Folders: ¤¤¤

          ¤¤¤ Driver : [NOT LOADED] ¤¤¤

          ¤¤¤ Extern Hives: ¤¤¤
          -> F:\windows\system32\config\SOFTWARE
          -> F:\windows\system32\config\SYSTEM
          -> F:\Users\Default\NTUSER.DAT
          -> F:\Users\Default User\NTUSER.DAT
          -> F:\Users\Joseph\NTUSER.DAT
          -> F:\Users\TEMP\NTUSER.DAT
          -> F:\Documents and Settings\Default\NTUSER.DAT
          -> F:\Documents and Settings\Default User\NTUSER.DAT

          ¤¤¤ HOSTS File: ¤¤¤
          --> C:\Windows\system32\drivers\etc\hosts

          127.0.0.1       localhost


          ¤¤¤ MBR Check: ¤¤¤

          +++++ PhysicalDrive0: Hitachi HDS721010CLA332 ATA Device +++++
          --- User ---
          [MBR] 53418f8e367a5571a1d2123c1ff70f9e
          [BSP] 274ebdbe5f85793455517b2cd5f5a971 : Windows 7/8 MBR Code
          Partition table:
          0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
          1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
          User = LL1 ... OK!
          User = LL2 ... OK!

          +++++ PhysicalDrive1: Samsung SSD 840 PRO Series ATA Device +++++
          --- User ---
          [MBR] 716eb6bcbced3811795310dc8c7036aa
          [BSP] 96759625040f532d97d1a3184a65992e : Windows 7/8 MBR Code
          Partition table:
          0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 122102 Mo
          User = LL1 ... OK!
          User = LL2 ... OK!

          Finished : << RKreport[1]_S_06042013_02d1841.txt >>
          RKreport[1]_S_06042013_02d1841.txt
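A caveat worth spelling out about the RogueKiller report above: every line it marks "FOUND" is a value that exists, not a value that is doing harm. The four HJPOL entries are DisableTaskMgr / DisableRegistryTools with a value of 0, which means Task Manager and the registry editor are not actually disabled, and the HJ SMENU / HJ DESK entries are Start menu and desktop icon toggles that are cosmetic. The two MBR entries are the good news in the log: both drives' boot sector code was matched to Windows 7/8 loader code. The following added example (not part of mohadeeb's post and not code from RogueKiller) parses an RK report and separates restrictive policy values from inert and cosmetic ones, and checks each drive's boot code description. The category names, the list of policy values treated as restrictive, and the test that a recognised loader is described with a "Windows" prefix are the author's assumptions; the sample lines are copied from the report above, plus two constructed lines that show what a real hit would look like.

```python
"""Reading a RogueKiller (RK) report: 'FOUND' means present, not proven harmful.

Added example for this thread: not part of the original post and not code
from RogueKiller.  Buckets RK registry findings by what they actually do to
the user and checks that each drive's boot code was recognised.  Category
names, the restrictive-policy list and the 'Windows' prefix test are the
author's assumptions.
"""
import re

# Copied from the posted RKreport (registry and MBR sections).
SAMPLE_RK = r"""
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
+++++ PhysicalDrive0: Hitachi HDS721010CLA332 ATA Device +++++
[BSP] 274ebdbe5f85793455517b2cd5f5a971 : Windows 7/8 MBR Code
+++++ PhysicalDrive1: Samsung SSD 840 PRO Series ATA Device +++++
[BSP] 96759625040f532d97d1a3184a65992e : Windows 7/8 MBR Code
"""

# Constructed lines (not from the thread): a policy that really locks the user
# out of Task Manager, and boot code not matched to a known Windows loader.
CONSTRUCTED_BAD = r"""
[HJPOL] HKCU\[...]\System : DisableTaskMgr (1) -> FOUND
+++++ PhysicalDrive2: Example Disk +++++
[BSP] 00000000000000000000000000000000 : Unknown MBR Code
"""

ENTRY_RE = re.compile(
    r'^\[(?P<tag>[^\]]+)\] (?P<key>.+?) : (?P<name>.+?) \((?P<value>-?\d+)\) -> (?P<status>\w+)$')
DRIVE_RE = re.compile(r'^\+{5} (?P<drive>PhysicalDrive\d+): .+ \+{5}$')
BSP_RE = re.compile(r'^\[BSP\] (?P<hash>[0-9a-f]{32}) : (?P<desc>.+)$')

# Policy values that, when non-zero, take tools away from the user (author's list).
RESTRICTIVE_POLICIES = {'DisableTaskMgr', 'DisableRegistryTools', 'DisableCMD', 'NoRun'}
# RK categories for Start menu / desktop icon toggles: annoying, not a persistence mechanism.
COSMETIC_TAGS = {'HJ DESK', 'HJ SMENU'}


def parse_rk(text):
    """Return (registry entries, [(drive, boot-code description), ...])."""
    entries, drives, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if m := ENTRY_RE.match(line):
            d = m.groupdict()
            d['value'] = int(d['value'])
            entries.append(d)
        elif m := DRIVE_RE.match(line):
            current = m['drive']
        elif (m := BSP_RE.match(line)) and current:
            drives.append((current, m['desc']))
    return entries, drives


def classify(entry):
    """Bucket one RK registry entry by what it actually does to the user."""
    if entry['tag'] == 'HJPOL' and entry['name'] in RESTRICTIVE_POLICIES:
        return 'restrictive' if entry['value'] != 0 else 'inert'
    if entry['tag'] in COSMETIC_TAGS:
        return 'cosmetic'
    return 'review'  # unknown tag or value: look at it by hand


def assess(text):
    """Summarise an RK report into the buckets a responder acts on."""
    entries, drives = parse_rk(text)
    buckets = {'restrictive': [], 'inert': [], 'cosmetic': [], 'review': []}
    for e in entries:
        buckets[classify(e)].append(f"{e['key']} : {e['name']} = {e['value']}")
    # Assumption: RK describes recognised Windows loaders as 'Windows ... MBR Code'.
    buckets['mbr'] = [(drive, desc.startswith('Windows')) for drive, desc in drives]
    return buckets


if __name__ == '__main__':
    for label, text in (('posted report', SAMPLE_RK), ('constructed bad case', CONSTRUCTED_BAD)):
        print(label)
        for bucket, items in assess(text).items():
            print(f'  {bucket}: {items}')
```

Run against the posted report this yields no restrictive entries, four inert policy values, three cosmetic shell tweaks and two drives with recognised boot code; only the constructed lines produce a restrictive hit and an unrecognised MBR. Letting RK reset the cosmetic values is harmless, but nothing in this report explains the rundll32 autoruns from the DDS log, so it is not evidence that the machine is clean.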



          mohadeeb

            Topic Starter


            Rookie

            Re: system doctor 2014 Virus
            « Reply #6 on: June 04, 2013, 11:27:33 PM »
            OK, I logged on and couldn't run anything; they need internet. Windows can't be fixed. Tried to restore and it tried to fix itself on restart. Formatting.

            SuperDave

            • Malware Removal Specialist


            Re: system doctor 2014 Virus
            « Reply #7 on: June 05, 2013, 01:32:52 PM »
            Quote: "OK, I logged on and couldn't run anything; they need internet. Windows can't be fixed. Tried to restore and it tried to fix itself on restart. Formatting."
            Ok. Do you need help with re-formatting?

            To wipe the drive clean, re-format and reinstall the OS.