[Inactive] Virus won't allow me to download antivirus

Discussion in 'Malware and Virus Removal Archive' started by scgoh123, 2013/07/07.

  1. 2013/07/07
    scgoh123 Well-Known Member Thread Starter

    Joined: 2009/09/04
    Messages: 352
    Likes Received: 2

    I suspected that my teacher's computer is infected with a virus.
    When some documents are transferred from the computer to the pendrive, the files are set to HIDDEN BY DEFAULT. NO CHANGES CAN BE MADE TO SHOW THE FOLDERS.

    I followed the instructions thread; however, I can't even download a single tool!!
    They showed this:
    Oops! Google Chrome could not find www.malwarebytes.org
    Try reloading: www.malwarebytes.org/products/malwarebytes_free
    Additional suggestions:
    Access a cached copy of www.malwarebytes.org/products/malwarebytes_free

    What should I do??
     
  2. 2013/07/07
    scgoh123 Well-Known Member Thread Starter
    DDS log:
    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.7600.16385
    Run by User at 11:52:35 on 2013-07-08
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1952.969 [GMT 8:00]
    .
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Yes\Connect\GCTWiMaxServiceD.exe
    C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\system32\mspaint.exe
    C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe
    C:\Program Files\Yes\Connect\Connect.exe
    C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.391.0\BingExt.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe "
    uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [Screen Saver Pro 3.1] c:\users\user\appdata\roaming\ScreenSaverPro.scr
    uRun: [Vdvwvr] c:\users\user\appdata\roaming\microsoft\Vdvwvr.exe
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe "
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe "
    mRun: [LaunchYTLCM] c:\program files\yes\connect\Connect.exe
    StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    TCP: NameServer = 183.78.96.76 183.78.96.79
    TCP: Interfaces\{01895802-141E-4AA5-A689-53BD5DC93B28} : DHCPNameServer = 183.78.96.76 183.78.96.79
    TCP: Interfaces\{A3C02DD1-920C-4A82-997C-23136360821D} : NameServer = 203.82.64.129 203.82.64.145
    TCP: Interfaces\{C3418D74-4F30-4BBD-AF6B-1AD9FD029F48} : DHCPNameServer = 192.168.1.1 1.9.1.9 202.188.0.133
    TCP: Interfaces\{C3418D74-4F30-4BBD-AF6B-1AD9FD029F48}\7596649604D456C616B6160233 : DHCPNameServer = 192.168.1.1 1.9.1.9 202.188.0.133
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\j6zka6kw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.50401.0\npctrlui.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\users\user\appdata\local\google\update\1.3.21.135\npGoogleUpdate3.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 GCTWiMaxServiceD;Connect Service Daemon;c:\program files\yes\connect\GCTWiMaxServiceD.exe [2013-2-4 598109]
    R2 GdmWmPrt;Yes Go Protocol Driver;c:\windows\system32\drivers\gdmwmprt.sys [2013-2-4 24576]
    R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2012-3-28 2280312]
    R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]
    R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\drivers\EtronHub3.sys [2011-6-30 42880]
    R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\drivers\EtronXHCI.sys [2011-6-30 63232]
    R3 GdmUWm;Yes Go;c:\windows\system32\drivers\gdmuwm.sys [2013-2-4 92160]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2012-3-27 269824]
    R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2012-3-27 41088]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2012-3-27 391272]
    S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
    S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2012-8-28 198656]
    S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-3-28 39272]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
    S3 GDMINIT;GCT Initial Device Driver;c:\windows\system32\drivers\gdminit.sys [2013-2-4 26112]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2012-8-28 101120]
    S3 netr28u;TP-LINK Wireless USB Adapter;c:\windows\system32\drivers\netr28u.sys [2012-4-2 1174880]
    S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
    .
    =============== Created Last 30 ================
    .
    2013-07-07 23:01:14 163840 --sha-w- c:\users\user\appdata\roaming\microsoft\Vdvwvr.exe
    2013-07-02 01:10:16 163840 ----a-w- c:\users\user\appdata\roaming\temp.bin
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 11:52:46.39 ===============
     

  4. 2013/07/07
    scgoh123 Well-Known Member Thread Starter
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 27-03-2012 3:06:17 PM
    System Uptime: 08-07-2013 6:55:01 AM (5 hours ago)
    .
    Motherboard: Acer | | Aspire M1930
    Processor: Intel(R) Pentium(R) CPU G630 @ 2.70GHz | CPU 1 | 2700/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 244 GiB total, 216.547 GiB free.
    D: is FIXED (NTFS) - 222 GiB total, 220.512 GiB free.
    E: is CDROM ()
    F: is FIXED (NTFS) - 77 GiB total, 64.056 GiB free.
    G: is FIXED (NTFS) - 77 GiB total, 76.409 GiB free.
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP65: 12-03-2013 7:38:28 AM - Scheduled Checkpoint
    RP66: 19-03-2013 8:11:56 AM - Scheduled Checkpoint
    RP67: 01-04-2013 9:02:20 AM - Scheduled Checkpoint
    RP68: 09-04-2013 7:39:53 AM - Scheduled Checkpoint
    RP69: 16-04-2013 7:50:47 AM - Scheduled Checkpoint
    RP70: 24-04-2013 7:31:24 AM - Scheduled Checkpoint
    RP71: 02-05-2013 7:43:43 AM - Scheduled Checkpoint
    RP72: 09-05-2013 7:57:08 AM - Scheduled Checkpoint
    RP73: 17-05-2013 8:02:43 AM - Scheduled Checkpoint
    RP74: 31-05-2013 9:19:14 AM - Scheduled Checkpoint
    RP75: 07-06-2013 12:22:39 PM - Scheduled Checkpoint
    RP76: 17-06-2013 8:16:40 AM - Scheduled Checkpoint
    RP77: 25-06-2013 7:21:23 AM - Scheduled Checkpoint
    RP78: 02-07-2013 7:41:54 AM - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Reader 9.1
    Bing Bar
    Celcom Broadband Manager
    Connect
    D3DX10
    Etron USB3.0 Host Controller
    GOM Player
    Google Chrome
    Intel(R) Processor Graphics
    Junk Mail filter update
    K-Lite Codec Pack 8.4.0 (Full)
    Mesh Runtime
    Messenger Companion
    Microsoft Application Error Reporting
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Mozilla Firefox 7.0 (x86 en-US)
    MSVCRT
    Nero 7 Ultra Edition
    neroxml
    Picasa 3
    PowerDVD
    RealPlayer
    Realtek Ethernet Controller Driver
    Realtek High Definition Audio Driver
    RealUpgrade 1.0
    Skype™ 5.6
    Smart Library Lite
    TeamViewer 6
    The KMPlayer (remove only)
    VLC media player 1.1.4
    Winamp
    Winamp Detector Plug-in
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Movie Maker 2.6
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    08-07-2013 9:29:54 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR3.
    08-07-2013 10:47:45 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR4.
    .
    ==== End Of File ===========================
     
  5. 2013/07/07
    broni Moderator Malware Analyst

    Joined: 2002/08/01
    Messages: 21,701
    Likes Received: 116
    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================

    Please download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please copy and paste it to your reply.
     
  6. 2013/07/09
    scgoh123 Well-Known Member Thread Starter
    This case is so serious that it affects my pendrive too.

    [IMG]

    These 2 culprits are: Win32:Z-Bot-RME (Tr)
    I'll post the log tomorrow, but can I download the other tools first (OTL, Combofix, MBAM, antivirus software installer) and wait for your instructions tomorrow??

    How can I restore the attributes of my files so that they are not hidden again? :(
     
  7. 2013/07/09
    broni Moderator Malware Analyst
    Let's focus on your computer for now.
    All I need is FRST log.

    We'll see about it later. For now we need to make your computer more stable.
     
  8. 2013/07/11
    scgoh123 Well-Known Member Thread Starter
    Sorry for the late reply.
    FRST LOG:
    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-07-2013 04
    Ran by User (administrator) on 11-07-2013 14:07:58
    Running from C:\Users\User\Downloads
    Microsoft Windows 7 Ultimate (X86) OS Language: English(US)
    Internet Explorer Version 8
    Boot Mode: Normal

    ==================== Processes (Whitelisted) ===================

    (GCT Semiconductor, Inc.) C:\Program Files\Yes\Connect\GCTWiMaxServiceD.exe
    (TeamViewer GmbH) C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
    (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    (RealNetworks, Inc.) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    (Cyberlink Corp.) C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    (Nullsoft, Inc.) C:\Program Files\Winamp\winampa.exe
    (Nero AG) C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    (Nero AG) C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    (Nero AG) C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    (Microsoft Corporation) C:\Windows\system32\mspaint.exe
    (Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe
    (Google Inc.) C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
    (One Think Corporation (M) Sdn Bhd) C:\Program Files\Smart School System\SLL-SMK Canossa Convent.exe
    (YTL Communications) C:\Program Files\Yes\Connect\Connect.exe
    (Google Inc.) C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\IELowutil.exe

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [9841256 2010-11-11] (Realtek Semiconductor)
    HKLM\...\Run: [IgfxTray] - C:\Windows\system32\igfxtray.exe [142680 2011-04-07] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [175960 2011-04-07] (Intel Corporation)
    HKLM\...\Run: [Persistence] - C:\Windows\system32\igfxpers.exe [177496 2011-04-07] (Intel Corporation)
    HKLM\...\Run: [Adobe Reader Speed Launcher] - "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
    HKLM\...\Run: [GrooveMonitor] - "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [31016 2006-10-27] (Microsoft Corporation)
    HKLM\...\Run: [NeroFilterCheck] - C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [153136 2007-03-01] (Nero AG)
    HKLM\...\Run: [TkBellExe] - "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [202256 2012-03-28] (RealNetworks, Inc.)
    HKLM\...\Run: [RemoteControl] - "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [52832 2006-11-13] (Cyberlink Corp.)
    HKLM\...\Run: [WinampAgent] - "C:\Program Files\Winamp\winampa.exe" [74752 2010-07-13] (Nullsoft, Inc.)
    HKLM\...\Run: [LaunchYTLCM] - C:\Program Files\Yes\Connect\Connect.exe [4479432 2011-01-20] (YTL Communications)
    HKCU\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] - "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [152872 2007-06-27] (Nero AG)
    HKCU\...\Run: [Google Update] - "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-03-28] (Google Inc.)
    HKCU\...\Run: [Screen Saver Pro 3.1] - C:\Users\User\AppData\Roaming\ScreenSaverPro.scr [x]
    HKCU\...\Run: [Vdvwvr] - C:\Users\User\AppData\Roaming\Microsoft\Vdvwvr.exe [163840 2013-07-11] ()
    MountPoints2: {363aea0e-f097-11e1-87ef-e840f2112183} - I:\AutoRun.exe
    MountPoints2: {363aea1e-f097-11e1-87ef-e840f2112183} - I:\AutoRun.exe
    MountPoints2: {7c9cfe8f-8137-11e2-8f54-e840f2112183} - I:\LaunchU3.exe -a
    HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [ 2009-07-14] (Microsoft Corporation)
    HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [ 2009-07-14] (Microsoft Corporation)
    Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

    ==================== Internet (Whitelisted) ====================

    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://malaysia.msn.com/?rd=1&ucc=MY&dcc=MY&opt=0&ocid=iehp
    BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL (Microsoft Corporation)
    BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
    BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
    Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll" No File
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GRA32A~1.DLL (Microsoft Corporation)
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
    ShellExecuteHooks: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL [2210608 2006-10-27] (Microsoft Corporation)
    Tcpip\Parameters: [DhcpNameServer] 183.78.96.76 183.78.96.79
    Tcpip\..\Interfaces\{A3C02DD1-920C-4A82-997C-23136360821D}: [NameServer]203.82.64.129 203.82.64.145

    FireFox:
    ========
    FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\j6zka6kw.default
    FF Homepage: hxxp://www.google.com.my/
    FF Plugin: @google.com/npPicasa3,version=3.0.0 - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF Plugin: @microsoft.com/WLPG,version=15.4.3538.0513 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF Plugin: @real.com/nppl3260;version=6.0.12.775 - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF Plugin: @real.com/nprjplug;version=1.0.3.775 - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF Plugin: @real.com/nprphtml5videoshim;version=1.0.0.0 - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF Plugin: @real.com/nprpjplug;version=6.0.12.775 - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\User\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\User\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
    FF Extension: Default - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF Extension: RealPlayer Browser Record Plugin - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

    Chrome:
    =======
    CHR HomePage: hxxp://www.google.com/
    CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
    CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
    CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
    CHR Plugin: (Native Client) - C:\Users\User\AppData\Local\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll ()
    CHR Plugin: (Chrome PDF Viewer) - C:\Users\User\AppData\Local\Google\Chrome\Application\27.0.1453.116\pdf.dll ()
    CHR Plugin: (Shockwave Flash) - C:\Users\User\AppData\Local\Google\Chrome\Application\27.0.1453.116\gcswf32.dll No File
    CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
    CHR Plugin: (Picasa) - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
    CHR Plugin: (RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    CHR Plugin: (RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    CHR Plugin: (Google Update) - C:\Users\User\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
    CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
    CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.2_1

    ========================== Services (Whitelisted) =================

    R2 GCTWiMaxServiceD; C:\Program Files\Yes\Connect\GCTWiMaxServiceD.exe [598109 2011-02-09] (GCT Semiconductor, Inc.)

    ==================== Drivers (Whitelisted) ====================

    R3 EtronHub3; C:\Windows\System32\Drivers\EtronHub3.sys [42880 2011-06-30] (Etron Technology Inc)
    R3 EtronXHCI; C:\Windows\System32\Drivers\EtronXHCI.sys [63232 2011-06-30] (Etron Technology Inc)
    S3 GDMINIT; C:\Windows\System32\DRIVERS\gdminit.sys [26112 2010-07-30] (GCT Semiconductor)
    R3 GdmUWm; C:\Windows\System32\DRIVERS\gdmuwm.sys [92160 2010-09-17] (GCT Semiconductor, Inc.)
    R2 GdmWmPrt; C:\Windows\System32\DRIVERS\gdmwmprt.sys [24576 2010-09-17] (GCT Semiconductor, Inc.)
    S3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [101120 2009-10-12] (Huawei Technologies Co., Ltd.)
    R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
    S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [1174880 2011-03-29] (Ralink Technology Corp.)

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-07-11 14:07 - 2013-07-11 14:07 - 00000000 ____D C:\FRST
    2013-07-11 14:06 - 2013-07-11 14:07 - 01217338 ____A (Farbar) C:\Users\User\Downloads\FRST.exe
    2013-07-08 11:52 - 2013-07-08 11:52 - 00688992 ____R (Swearware) C:\Users\User\Downloads\dds.com
    2013-07-08 11:52 - 2013-07-08 11:52 - 00009908 ____A C:\Users\User\Desktop\dds.txt
    2013-07-08 11:52 - 2013-07-08 11:52 - 00004434 ____A C:\Users\User\Desktop\attach.txt
    2013-07-08 07:59 - 2013-07-08 10:42 - 00000000 ____D C:\Users\User\Downloads\presentation 9.7.2013 edit
    2013-07-02 09:10 - 2013-07-08 07:01 - 00163840 __ASH C:\Users\User\AppData\Roaming\temp.bin
    2013-06-18 14:40 - 2013-06-18 14:40 - 00000000 ____D C:\Users\User\Documents\The KMPlayer

    ==================== One Month Modified Files and Folders =======

    2013-07-11 14:07 - 2013-07-11 14:07 - 00000000 ____D C:\FRST
    2013-07-11 14:07 - 2013-07-11 14:06 - 01217338 ____A (Farbar) C:\Users\User\Downloads\FRST.exe
    2013-07-11 14:04 - 2012-03-27 15:06 - 00000000 ____D C:\Users\User\AppData\Local\VirtualStore
    2013-07-11 13:52 - 2012-03-28 10:05 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2337985214-3473844126-2056546867-1000UA.job
    2013-07-11 09:38 - 2009-07-14 12:34 - 00017136 ___AH C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-07-11 09:38 - 2009-07-14 12:34 - 00017136 ___AH C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-07-11 09:35 - 2012-03-27 15:10 - 00713888 ____A C:\Windows\system32\PerfStringBackup.INI
    2013-07-11 09:34 - 2012-03-27 15:08 - 01261969 ____A C:\Windows\WindowsUpdate.log
    2013-07-11 09:31 - 2009-07-14 12:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-07-11 09:31 - 2009-07-14 12:39 - 00074900 ____A C:\Windows\setupact.log
    2013-07-09 08:52 - 2012-03-28 10:04 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2337985214-3473844126-2056546867-1000Core.job
    2013-07-09 08:22 - 2012-09-06 15:41 - 00005632 ____A C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2013-07-08 11:52 - 2013-07-08 11:52 - 00688992 ____R (Swearware) C:\Users\User\Downloads\dds.com
    2013-07-08 11:52 - 2013-07-08 11:52 - 00009908 ____A C:\Users\User\Desktop\dds.txt
    2013-07-08 11:52 - 2013-07-08 11:52 - 00004434 ____A C:\Users\User\Desktop\attach.txt
    2013-07-08 10:42 - 2013-07-08 07:59 - 00000000 ____D C:\Users\User\Downloads\presentation 9.7.2013 edit
    2013-07-08 10:14 - 2012-08-06 11:45 - 00000000 ____D C:\Users\User\Documents\Jadual Waktu
    2013-07-08 09:26 - 2013-04-18 07:25 - 00000000 ____D C:\Users\User\Desktop\Magazine Pages
    2013-07-08 07:01 - 2013-07-02 09:10 - 00163840 __ASH C:\Users\User\AppData\Roaming\temp.bin
    2013-06-27 14:02 - 2013-01-11 08:16 - 00000000 ____D C:\Users\User\Documents\Pengawas PSS
    2013-06-27 13:26 - 2013-04-11 10:46 - 00000000 ____D C:\Users\User\Documents\Majalah PCG
    2013-06-25 12:23 - 2013-01-11 08:14 - 00000000 ____D C:\Users\User\Documents\Buku
    2013-06-25 12:00 - 2013-01-11 08:16 - 00000000 ____D C:\Users\User\Documents\Log Penggunaan
    2013-06-25 08:14 - 2009-07-14 10:37 - 00000000 ____D C:\Windows\system32\NDF
    2013-06-20 09:54 - 2012-03-28 10:05 - 00002362 ____A C:\Users\User\Desktop\Google Chrome.lnk
    2013-06-18 14:40 - 2013-06-18 14:40 - 00000000 ____D C:\Users\User\Documents\The KMPlayer
    2013-06-14 07:46 - 2013-01-11 08:17 - 00000000 ____D C:\Users\User\Documents\Surat Khabar
    2013-06-11 14:10 - 2013-01-02 06:54 - 00000000 ____D C:\Users\User\Documents\Brosur PSS

    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


    LastRegBack: 2013-07-03 07:53

    ==================== End Of Log ============================
     
  9. 2013/07/11
    scgoh123

    scgoh123 Well-Known Member Thread Starter

    Joined:
    2009/09/04
    Messages:
    352
    Likes Received:
    2
    Additional scan result of Farbar Recovery Scan Tool (x86) Version: 10-07-2013 04
    Ran by User at 2013-07-11 14:08:17
    Running from C:\Users\User\Downloads
    Boot Mode: Normal
    ==========================================================

    Acrobat.com (Version: 1.6.65)
    Adobe AIR (Version: 1.5.0.7220)
    Adobe Reader 9.1 (Version: 9.1.0)
    Bing Bar (Version: 7.1.391.0)
    Celcom Broadband Manager (Version: 15.001.05.01.91)
    Connect (Version: 1.8.1.2)
    D3DX10 (Version: 15.4.2368.0902)
    Etron USB3.0 Host Controller (Version: 0.103)
    GOM Player
    Google Chrome (HKCU Version: 27.0.1453.116)
    Intel(R) Processor Graphics (Version: 8.15.10.2353)
    Junk Mail filter update (Version: 15.4.3502.0922)
    K-Lite Codec Pack 8.4.0 (Full) (Version: 8.4.0)
    Mesh Runtime (Version: 15.4.5722.2)
    Messenger Companion (Version: 15.4.3502.0922)
    Microsoft Application Error Reporting (Version: 12.0.6012.5000)
    Microsoft Office Access MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Enterprise 2007 (Version: 12.0.4518.1014)
    Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Groove MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Outlook Connector (Version: 14.0.5118.5000)
    Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014)
    Microsoft Silverlight (Version: 4.0.50401.0)
    Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
    Microsoft Visual C++ 2005 Redistributable (Version: 8.0.50727.42)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
    Mozilla Firefox 7.0 (x86 en-US) (Version: 7.0)
    MSVCRT (Version: 15.4.2862.0708)
    Nero 7 Ultra Edition (Version: 7.02.9753)
    neroxml (Version: 1.0.0)
    Picasa 3 (Version: 3.1)
    PowerDVD
    RealPlayer
    Realtek Ethernet Controller Driver (Version: 7.45.516.2011)
    Realtek High Definition Audio Driver (Version: 6.0.1.6242)
    RealUpgrade 1.0 (Version: 1.0.0)
    Skype™ 5.6 (Version: 5.6.110)
    Smart Library Lite
    TeamViewer 6 (Version: 6.0.10511)
    The KMPlayer (remove only)
    VLC media player 1.1.4 (Version: 1.1.4)
    Winamp (Version: 5.581 )
    Winamp Detector Plug-in (HKCU Version: 1.0.0.1)
    Windows Live Communications Platform (Version: 15.4.3502.0922)
    Windows Live Essentials (Version: 15.4.3502.0922)
    Windows Live Essentials (Version: 15.4.3538.0513)
    Windows Live Family Safety (Version: 15.4.3538.0513)
    Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
    Windows Live Installer (Version: 15.4.3502.0922)
    Windows Live Mail (Version: 15.4.3502.0922)
    Windows Live Mesh (Version: 15.4.3502.0922)
    Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
    Windows Live Messenger (Version: 15.4.3538.0513)
    Windows Live Messenger Companion Core (Version: 15.4.3502.0922)
    Windows Live MIME IFilter (Version: 15.4.3502.0922)
    Windows Live Movie Maker (Version: 15.4.3502.0922)
    Windows Live Photo Common (Version: 15.4.3502.0922)
    Windows Live Photo Gallery (Version: 15.4.3502.0922)
    Windows Live PIMT Platform (Version: 15.4.3508.1109)
    Windows Live Remote Client (Version: 15.4.5722.2)
    Windows Live Remote Client Resources (Version: 15.4.5722.2)
    Windows Live Remote Service (Version: 15.4.5722.2)
    Windows Live Remote Service Resources (Version: 15.4.5722.2)
    Windows Live SOXE (Version: 15.4.3502.0922)
    Windows Live SOXE Definitions (Version: 15.4.3502.0922)
    Windows Live UX Platform (Version: 15.4.3502.0922)
    Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
    Windows Live Writer (Version: 15.4.3502.0922)
    Windows Live Writer Resources (Version: 15.4.3502.0922)
    Windows Movie Maker 2.6 (Version: 2.6.4037.0)
    WinRAR archiver


    ==================== Restore Points =========================

    11-03-2013 23:38:28 Scheduled Checkpoint
    19-03-2013 00:11:56 Scheduled Checkpoint
    01-04-2013 01:02:20 Scheduled Checkpoint
    08-04-2013 23:39:53 Scheduled Checkpoint
    15-04-2013 23:50:47 Scheduled Checkpoint
    23-04-2013 23:31:24 Scheduled Checkpoint
    01-05-2013 23:43:43 Scheduled Checkpoint
    08-05-2013 23:57:08 Scheduled Checkpoint
    17-05-2013 00:02:43 Scheduled Checkpoint
    31-05-2013 01:19:14 Scheduled Checkpoint
    07-06-2013 04:22:39 Scheduled Checkpoint
    17-06-2013 00:16:40 Scheduled Checkpoint
    24-06-2013 23:21:23 Scheduled Checkpoint
    01-07-2013 23:41:54 Scheduled Checkpoint
    11-07-2013 02:00:13 Scheduled Checkpoint

    ==================== Hosts content: ==========================

    2009-07-14 10:04 - 2009-06-11 05:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

    ==================== Scheduled Tasks (whitelisted) =============

    Task: {34FF115E-ECC1-4506-BD97-6A0515F482C1} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2337985214-3473844126-2056546867-1000Core => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-28] (Google Inc.)
    Task: {B139D2AE-7A93-420E-AD74-10E53A83F3E3} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2337985214-3473844126-2056546867-1000UA => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-28] (Google Inc.)
    Task: {B193F747-26E8-4A32-A0BF-ABED06BA3D75} - System32\Tasks\User_Feed_Synchronization-{2991471E-D6F9-44B6-8EDD-AB6DED274E2A} => C:\Windows\system32\msfeedssync.exe [2009-07-14] (Microsoft Corporation)
    Task: {B6F4BCC8-BD3D-4691-8373-23102DBA5EDE} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-2337985214-3473844126-2056546867-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2010-06-03] (RealNetworks, Inc.)
    Task: {DD3E0507-A68A-43F7-BF99-3385257062BA} - System32\Tasks\Microsoft\Windows Live\SOXE\Extractor Definitions Update Task
    Task: {F3FA9CE8-9054-484D-B9D4-F37E6D185524} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-2337985214-3473844126-2056546867-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2010-06-03] (RealNetworks, Inc.)
    Task: {FF60B7FF-CF72-43FF-8980-401010D564E0} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => c:\program files\windows defender\MpCmdRun.exe [2009-07-14] (Microsoft Corporation)
    Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2337985214-3473844126-2056546867-1000Core.job => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2337985214-3473844126-2056546867-1000UA.job => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe

    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (07/11/2013 09:53:25 AM) (Source: SideBySide) (User: )
    Description: Activation context generation failed for "assemblyIdentity1 ".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
    The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

    Error: (07/09/2013 08:21:33 AM) (Source: Application Error) (User: )
    Description: Faulting application name: winamp.exe, version: 5.5.8.2985, time stamp: 0x4c3b43ea
    Faulting module name: ml_bookmarks.dll, version: 0.0.0.0, time stamp: 0x4c3b43f6
    Exception code: 0xc0000005
    Fault offset: 0x0000125a
    Faulting process id: 0x990
    Faulting application start time: 0xwinamp.exe0
    Faulting application path: winamp.exe1
    Faulting module path: winamp.exe2
    Report Id: winamp.exe3

    Error: (07/09/2013 07:28:40 AM) (Source: SideBySide) (User: )
    Description: Activation context generation failed for "assemblyIdentity1 ".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
    The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

    Error: (07/08/2013 08:54:19 AM) (Source: Microsoft-Windows-CAPI2) (User: )
    Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    .

    Error: (07/08/2013 08:54:19 AM) (Source: Microsoft-Windows-CAPI2) (User: )
    Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    .

    Error: (07/08/2013 08:54:19 AM) (Source: Microsoft-Windows-CAPI2) (User: )
    Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    .

    Error: (07/08/2013 08:54:19 AM) (Source: Microsoft-Windows-CAPI2) (User: )
    Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    .

    Error: (07/08/2013 08:54:19 AM) (Source: Microsoft-Windows-CAPI2) (User: )
    Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    .

    Error: (07/08/2013 08:54:19 AM) (Source: Microsoft-Windows-CAPI2) (User: )
    Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    .

    Error: (07/08/2013 08:54:19 AM) (Source: Microsoft-Windows-CAPI2) (User: )
    Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    .


    System errors:
    =============
    Error: (07/09/2013 02:56:14 PM) (Source: EventLog) (User: )
    Description: The previous system shutdown at 2:55:13 PM on 7/9/2013 was unexpected.

    Error: (07/08/2013 10:47:45 AM) (Source: Disk) (User: )
    Description: The driver detected a controller error on \Device\Harddisk3\DR4.

    Error: (07/08/2013 10:47:44 AM) (Source: Disk) (User: )
    Description: The driver detected a controller error on \Device\Harddisk3\DR4.

    Error: (07/08/2013 10:47:44 AM) (Source: Disk) (User: )
    Description: The driver detected a controller error on \Device\Harddisk3\DR4.

    Error: (07/08/2013 10:47:43 AM) (Source: Disk) (User: )
    Description: The driver detected a controller error on \Device\Harddisk3\DR4.

    Error: (07/08/2013 10:47:43 AM) (Source: Disk) (User: )
    Description: The driver detected a controller error on \Device\Harddisk3\DR4.

    Error: (07/08/2013 10:47:42 AM) (Source: Disk) (User: )
    Description: The driver detected a controller error on \Device\Harddisk3\DR4.

    Error: (07/08/2013 10:47:41 AM) (Source: Disk) (User: )
    Description: The driver detected a controller error on \Device\Harddisk3\DR4.

    Error: (07/08/2013 10:47:41 AM) (Source: Disk) (User: )
    Description: The driver detected a controller error on \Device\Harddisk3\DR4.

    Error: (07/08/2013 10:47:40 AM) (Source: Disk) (User: )
    Description: The driver detected a controller error on \Device\Harddisk3\DR4.


    Microsoft Office Sessions:
    =========================

    ==================== Memory info ===========================

    Percentage of memory in use: 47%
    Total physical RAM: 1952.31 MB
    Available physical RAM: 1019.02 MB
    Total Pagefile: 3904.63 MB
    Available Pagefile: 2783.86 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1842.15 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:244.04 GB) (Free:216.33 GB) NTFS
    Drive d: () (Fixed) (Total:221.62 GB) (Free:220.49 GB) NTFS
    Drive f: () (Fixed) (Total:76.69 GB) (Free:64.06 GB) NTFS
    Drive g: () (Fixed) (Total:76.69 GB) (Free:76.41 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 9991EBBC)
    Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=244 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=222 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (MBR Code: Windows XP) (Size: 153 GB) (Disk ID: C2D5E0A1)
    Partition 1: (Active) - (Size=77 GB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=77 GB) - (Type=OF Extended)

    ==================== End Of Log ============================
     
  10. 2013/07/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

    Download RogueKiller for 32bit or RogueKiller for 64bit to your Desktop.
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    Create a new restore point before proceeding with the next step.
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
     


  11. 2013/07/15
    scgoh123

    scgoh123 Well-Known Member Thread Starter

    Joined:
    2009/09/04
    Messages:
    352
    Likes Received:
    2
    Hi broni,
    Can you please keep this thread active this whole week because my school is having exam and I can't gain access to teacher's room (I am taking the exam too)

    I'll post the results on next Monday.
    Sorry and thanks :)
     
  12. 2013/07/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No problem :)
     
  13. 2013/07/17
    scgoh123

    scgoh123 Well-Known Member Thread Starter

    Joined:
    2009/09/04
    Messages:
    352
    Likes Received:
    2
    Today I can get access to teacher's computer..........

    AW bad news:
    The school has hired a repairman to repair this infected computer.
    I'm worried that he/she might interfere with our cleaning process.
    What should I do?? Should I post FRST log and see what happens?? Or should I leave everything to the repairman????

    Broni, please help me :(
     
  14. 2013/07/17
    scgoh123

    scgoh123 Well-Known Member Thread Starter

    Joined:
    2009/09/04
    Messages:
    352
    Likes Received:
    2
    I think I just post all the reports you required. MAYBE you have to close this thread already (I'll inform you later if this needs to be closed)

    fixlog:
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 10-07-2013 04
    Ran by User at 2013-07-17 14:18:34 Run:1
    Running from C:\Users\User\Downloads
    Boot Mode: Normal

    ==============================================

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Screen Saver Pro 3.1 => Value deleted successfully.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Vdvwvr] - C:\Users\User\AppData\Roaming\Microsoft\Vdvwvr.exe [163840 2013-07-11 => Value not found.
    "C:\Users\User\AppData\Roaming\ScreenSaverPro.scr" => File/Directory not found.
    "C:\Users\User\AppData\Roaming\Microsoft\Vdvwvr.exe" => File/Directory not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{363aea0e-f097-11e1-87ef-e840f2112183} => Key deleted successfully.
    HKCR\CLSID\{363aea0e-f097-11e1-87ef-e840f2112183} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{363aea1e-f097-11e1-87ef-e840f2112183} => Key deleted successfully.
    HKCR\CLSID\{363aea1e-f097-11e1-87ef-e840f2112183} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7c9cfe8f-8137-11e2-8f54-e840f2112183} => Key deleted successfully.
    HKCR\CLSID\{7c9cfe8f-8137-11e2-8f54-e840f2112183} => Key not found.

    ==== End of Fixlog ====
     
  15. 2013/07/17
    scgoh123

    scgoh123 Well-Known Member Thread Starter

    Joined:
    2009/09/04
    Messages:
    352
    Likes Received:
    2
    RogueKiller V8.6.2 [Jul 5 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7600 ) 32 bits version
    Started in : Normal mode
    User : User [Admin rights]
    Mode : Remove -- Date : 07/17/2013 14:26:36
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 7 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : Vdvwvr (C:\Users\User\AppData\Roaming\Microsoft\Vdvwvr.exe [x]) -> DELETED
    [RUN][SUSP PATH] HKUS\S-1-5-21-2337985214-3473844126-2056546867-1000\[...]\Run : Vdvwvr (C:\Users\User\AppData\Roaming\Microsoft\Vdvwvr.exe [x]) -> [0x2] The system cannot find the file specified.
    [DNS] HKLM\[...]\CCSet\[...]\{A3C02DD1-920C-4A82-997C-23136360821D} : NameServer (203.82.64.129 203.82.64.145) -> NOT REMOVED, USE DNSFIX
    [DNS] HKLM\[...]\CS001\[...]\{A3C02DD1-920C-4A82-997C-23136360821D} : NameServer (203.82.64.129 203.82.64.145) -> NOT REMOVED, USE DNSFIX
    [DNS] HKLM\[...]\CS002\[...]\{A3C02DD1-920C-4A82-997C-23136360821D} : NameServer (203.82.64.129 203.82.64.145) -> NOT REMOVED, USE DNSFIX
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤
    -> F:\windows\system32\config\SYSTEM
    C:\WINDOWS\system32
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
    -> F:\windows\system32\config\SOFTWARE
    C:\WINDOWS\system32
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
    -> F:\windows\system32\config\SECURITY
    C:\WINDOWS\system32
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
    -> F:\windows\system32\config\SAM
    C:\WINDOWS\system32
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
    -> F:\windows\system32\config\DEFAULT
    C:\WINDOWS\system32
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
    -> F:\Documents and Settings\Administrator\NTUSER.DAT
    C:\WINDOWS\system32
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
    -> F:\Documents and Settings\All Users\NTUSER.DAT
    C:\WINDOWS\system32

    -> F:\Documents and Settings\Default User\NTUSER.DAT
    C:\WINDOWS\system32
    C:\Documents and Settings\Default User\Start Menu\Programs\Startup
    -> F:\Documents and Settings\Enduser\NTUSER.DAT
    C:\WINDOWS\system32
    C:\Documents and Settings\Enduser\Start Menu\Programs\Startup
    -> F:\Documents and Settings\LocalService\NTUSER.DAT
    C:\WINDOWS\system32
    C:\Documents and Settings\LocalService\Start Menu\Programs\Startup
    -> F:\Documents and Settings\NetworkService\NTUSER.DAT
    C:\WINDOWS\system32
    C:\Documents and Settings\NetworkService\Start Menu\Programs\Startup

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD5000AAKX-221CA1 ATA Device +++++
    --- User ---
    [MBR] 0ec5965b133dcb274be1e0b3f0821b47
    [BSP] 7f1f25a9d292c67794c2558db39a3649 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 249900 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 512002048 | Size: 226938 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: WDC WD5000AAKX-221CA1 ATA Device +++++
    --- User ---
    [MBR] 8f60880f7a45c04b676fa324b1c3ecaf
    [BSP] f3729c8519a1f4e04881dad8e25d7428 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 78528 Mo
    1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 160826715 | Size: 78528 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_D_07172013_142636.txt >>
    RKreport[0]_S_07172013_142630.txt
     
  16. 2013/07/17
    scgoh123

    scgoh123 Well-Known Member Thread Starter

    Joined:
    2009/09/04
    Messages:
    352
    Likes Received:
    2
    THE REPAIRMAN HAS ALREADY MODIFIED THE SYSTEM. HE/SHE HAS INSTALLED THE STUPID KASPERSKY ANTIVIRUS TO INTERRUPT THE WHOLE CLEANING PROCESS.

    I KNOW THE SCHOOL AUTHORITIES WON'T PLACE TRUST ON ME. BY COMMON SENSE, WHO WILL THEY PLACE TRUST ON, AN ELDER AND EXPERIENCED REPAIRMAN OR A **** 17-YEAR-OLD KID WHO HAS TO SEEK HELP IN THE FORUM!!?? :mad:

    P/s: Sorry I was angry just now, sorry if anyone or anything got insulted :(

    BTW, the MBAR file link is invalid, so I can't download MBAR
     
    Last edited: 2013/07/17
  17. 2013/07/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We can't work this way.
    Since the computer was taken over by a school tech, let it be.
    I simply can't work on a computer which constantly changes.
     
  18. 2013/07/18
    scgoh123

    scgoh123 Well-Known Member Thread Starter

    Joined:
    2009/09/04
    Messages:
    352
    Likes Received:
    2
    Sorry Broni cuz I felt like I troubled you every time, when everything is in progress and someone interrupted.

    I look so useless :(
     
  19. 2013/07/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You didn't do anything wrong :)
     
