system
December 7, 2013, 10:01am
1
The other day I saw that shortcuts of random folders on my PC are being created, and when I place the cursor over those shortcuts it shows this:
“Location: cmd (C:\Windows\system32)”, and when I click Properties, in the Target section it says
“C:\Windows\system32\cmd.exe /c start wscript.exe WinUsbDriver.vbs&start explorer "New folder"&exit”
I am sure that I got this from one of the computers at my university.
Please help, thanks in advance…
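The Target shown above is the classic USB "shortcut worm" layout: the real folders on the flash drive are hidden and replaced by .lnk files whose target is cmd.exe, which starts wscript.exe on a .vbs dropped beside them and then opens the hidden folder so the user sees nothing odd (the MCShield log at the end of this thread finds exactly that on G:). As an added example that is not part of the original thread, the Python below parses .lnk files according to the MS-SHLLINK layout (header, optional IDList, LinkInfo.LocalBasePath, StringData), flags that pattern, and walks a mounted drive for hits. The `build_lnk` helper, the constructed samples (the first mirrors the Target quoted above, with its quoting reconstructed), the `is_suspicious` heuristic and the latin-1 decoding of the ANSI path are assumptions of this example, not anything the thread or the tools in it provide.

```python
"""Parse Windows .lnk files and flag the shortcut-worm pattern (cmd.exe -> wscript.exe x.vbs).
Added example, not part of the original thread. Offsets follow [MS-SHLLINK]."""
import struct
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits ([MS-SHLLINK] 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
               ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
               ("icon_location", HAS_ICON_LOCATION))


def parse_lnk(data: bytes) -> dict:
    """Return the target path (LinkInfo.LocalBasePath) plus whatever StringData fields exist."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                     # ShellLinkHeader is a fixed 76 bytes
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDList: 2-byte size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    link = {"target": ""}
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol, base_off, _net, _suffix = struct.unpack_from("<IIIIIII", data, pos)
        if info_flags & 0x1:                       # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = pos + base_off
            link["target"] = data[start:data.index(b"\x00", start)].decode("latin-1")  # assumption: ANSI == latin-1
        pos += info_size
    for field, bit in STRING_DATA:                 # CountCharacters + string, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            link[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            link[field] = data[pos:pos + count].decode("latin-1")
            pos += count
    return link


SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "mshta")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".bat", ".ps1", ".hta")


def is_suspicious(link: dict) -> bool:
    """Heuristic (mine): a shortcut whose only job is to run a script host on a script file."""
    exe = link["target"].lower().rsplit("\\", 1)[-1]
    args = link.get("arguments", "").lower()
    if exe == "cmd.exe":                           # cmd /c start wscript.exe x.vbs & start explorer "<decoy>" & exit
        return any(h in args for h in SCRIPT_HOSTS) or any(e in args for e in SCRIPT_EXT)
    if exe.rsplit(".", 1)[0] in SCRIPT_HOSTS:      # shortcut straight to wscript.exe x.vbs
        return any(e in args for e in SCRIPT_EXT)
    return False


def scan_for_shortcut_worms(root: str) -> list:
    """Walk a mounted drive (e.g. 'G:\\') and return (path, target, arguments) for suspicious .lnk files."""
    hits = []
    for path in Path(root).rglob("*.lnk"):
        try:
            link = parse_lnk(path.read_bytes())
        except (ValueError, struct.error, IndexError):
            continue                               # truncated or non-LNK file; skip it
        if is_suspicious(link):
            hits.append((str(path), link["target"], link.get("arguments", "")))
    return hits


def build_lnk(target: str, arguments: str = "", working_dir: str = "") -> bytes:
    """Build a minimal valid .lnk in memory (used only to construct the samples below)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0) | (HAS_WORKING_DIR if working_dir else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"          # DRIVE_FIXED, empty label
    local_base = target.encode("latin-1") + b"\x00"
    base_off = 28 + len(volume_id)                                         # LinkInfo header is 28 bytes
    suffix_off = base_off + len(local_base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, 1, 28, base_off, 0, suffix_off)
    link_info += volume_id + local_base + b"\x00"                          # empty CommonPathSuffix
    def sd(s): return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = (sd(working_dir) if working_dir else b"") + (sd(arguments) if arguments else b"")
    return header + link_info + body + b"\x00\x00\x00\x00"                 # TerminalBlock


# Constructed samples; the first mirrors the Target quoted in the opening post.
SAMPLES = {
    "New folder.lnk": build_lnk(r"C:\Windows\system32\cmd.exe",
                                r'/c start wscript.exe WinUsbDriver.vbs&start explorer "New folder"&exit'),
    "Documents.lnk": build_lnk(r"C:\Windows\explorer.exe", r'"C:\Users\Dragan\Documents"'),
}


def triage_samples() -> dict:
    return {name: is_suspicious(parse_lnk(blob)) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in triage_samples().items():
        print(f"{name}: {'SUSPICIOUS' if flagged else 'ok'} -> {parse_lnk(SAMPLES[name])}")
```

On a real incident you would call `scan_for_shortcut_worms("G:\\")` against the flash drive; the decoy folders themselves show up as hidden+system directories next to the shortcuts, which is what MCShield's "unhide items on flash drives" option later repairs.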
system
December 7, 2013, 11:31am
2
Hi!
I’m Machiavelli and I’m the doctor of your PC.
Like in a hospital, there are rules/tips:
Removing malware is normally difficult
Please follow the instructions carefully
Please stay in contact with me until the problem is fixed
Please read my posts completely
!NOTE! Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.
I am currently in training and my posts will need to be reviewed by an expert, so expect a slight delay between posts.
Please follow this: http://forum.avast.com/index.php?topic=53253.0 .
system
December 7, 2013, 12:53pm
4
system
December 7, 2013, 1:24pm
5
That link brought me to make this topic, and I would like to get similar help as the person who posted this topic http://forum.avast.com/index.php?topic=138715.0
system
December 7, 2013, 1:33pm
6
Nope - there are also instructions. Scroll down and run the OTL scan and the aswMBR scan … Don't rush so much.
system
December 7, 2013, 1:52pm
7
I'm not rushing, I'm just waiting for specific instructions for solving my problem.
system
December 7, 2013, 1:57pm
8
The instructions are mentioned in the link, but I'll post them here now:
[*]Download OTL to your Desktop
[*]Please copy the text in the Quote box below (do not copy the word Quote) and paste it in the Custom Scans/Fixes box in OTL. To do that:
[*]Highlight everything inside the quote box (except the word Quote), right-click the mouse and click Copy.
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
winsock.*
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT
[*]Open OTL on the desktop. To do that:
[*]XP users: Double-click on the OTL icon.
[*]Vista / 7 users: Right-click on the icon and click Run as Administrator.
[*]Make sure all other windows are closed.
[*]The OTL console will open.
[*]Click the box beside Scan All Users at the top of the console.
[*]If you have a 64-bit Windows, click the box beside Include 64bit Scans at the top of the console.
[*]Make sure the Output box at the top is set to Standard Output.
[*]Check the boxes beside LOP Check and Purity Check.
[*]Place the mouse pointer inside the Custom Scans/Fixes box, right-click and click Paste. This will put the above script inside OTL.
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so.
[*]Let the scan run uninterrupted.
[*]When the scan completes, it will open OTL.txt on the desktop. The Extras.txt file will be minimized on the taskbar. These files are also saved in the same location as OTL (it should be on your desktop).
[*]Please copy the contents of these files and paste them into your reply. To do that:
[*]On the OTL.txt file menu bar click Edit, then click Select All. This will highlight the contents of the file. Then click Copy.
[*]Right-click inside the forum post window, then click Paste. This will paste the contents of the OTL.txt file into the post window.
Repeat for the Extras.txt file.
Then,
aswMBR
Please download aswMBR from one of the links below and save it to your Desktop .
Download Mirror #1
[*]Right-click on aswMBR.exe and select Run as Administrator .
[*]Click Yes when asked to download the Avast! definitions.
[*]Click Scan to initiate the scan.
[*]When the scan finishes, click Save Log and save this to your Desktop .
[*]Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.
system
December 8, 2013, 12:10pm
10
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-12-08 13:09:21
13:09:21.405 OS Version: Windows x64 6.1.7601 Service Pack 1
13:09:21.406 Number of processors: 4 586 0x3A09
13:09:21.407 ComputerName: DRAGAN-PC UserName: Dragan
13:09:21.412 Initialze error 1
13:09:24.223 AVAST engine defs: 13120601
13:09:32.593 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
13:09:32.595 Disk 0 Vendor: Hitachi_ GG2O Size: 476940MB BusType: 3
13:09:32.597 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IAAStorageDevice-2
13:09:32.600 Disk 1 Vendor: SanDisk_ 11.5 Size: 22902MB BusType: 3
13:09:32.611 Disk 0 MBR read successfully
13:09:32.614 Disk 0 MBR scan
13:09:32.617 Disk 0 unknown MBR code
13:09:32.620 Disk 0 Partition 1 00 EE GPT 2097151 MB offset 1
13:09:32.623 Disk 0 scanning C:\Windows\system32\drivers
13:09:32.626 Service scanning
13:09:33.163 Modules scanning
13:09:33.167 Disk 0 trace - called modules:
13:09:33.171 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
13:09:33.176 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa80077ca060]
13:09:33.180 3 CLASSPNP.SYS[fffff8800181743f] → nt!IofCallDriver → [0xfffffa8006570430]
13:09:33.184 5 ACPI.sys[fffff88000edd7a1] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8006574050]
13:09:33.188 AVAST engine scan C:\Windows
13:09:33.192 AVAST engine scan C:\Windows\system32
13:09:33.196 AVAST engine scan C:\Windows\system32\drivers
13:09:33.200 AVAST engine scan C:\Users\Dragan
13:09:33.204 AVAST engine scan C:\ProgramData
13:09:33.208 Scan finished successfully
13:09:36.832 Disk 0 MBR has been saved successfully to “C:\Users\Dragan\Desktop\MBR.dat”
13:09:36.836 The log file has been saved successfully to “C:\Users\Dragan\Desktop\aswMBR.txt”
system
December 8, 2013, 12:11pm
11
Waiting for further instructions…
As Mach is in Germany, it might be a while till he gets online. Please be patient.
system
December 8, 2013, 2:32pm
13
As Mach is in Germany, it might be a while till he gets online. Please be patient.
How do you know that I'm from Germany?
Free Space Warning
I see you have less than 15% free space on your PC. That is another reason for the slowness of your computer. Because of that, I recommend uninstalling software which you don't use at all.
Punkbuster Advice
We don't recommend using PunkBuster while we are fixing your PC. I see you have some gaming tools installed like PunkBuster. PunkBuster uses techniques which are like spyware/malware! The fact is that it takes control of your PC, and they meet the definition of malware! I know, being a gamer myself, that you need PunkBuster for cool games like Battlefield 4 etc., but while we are fixing your PC it would be clever to disable PunkBuster. So please follow the steps below:
[*]Download the Removal Tool for PunkBuster from here
[*]Right-click on pbsvc.exe and select Run as Administrator (if you use Win Vista / Win 7 / Win 8).
[*]Make sure that Uninstall/Remove PunkBuster Service is selected.
[*]Click on Next >> Yes >> Finish.
[*]Reboot (restart) your machine if not prompted to do so.
When we are finished you can, of course, install it again if you like.
SideBar Advice
In your logs I see that Windows Sidebar is running! At the moment Windows Sidebar has a security vulnerability, so I recommend you disable it for a while. More information is here, as far as I have noticed.
To disable Windows Sidebar please follow the instructions below:
[*]Download the FixIt from here to your Desktop
[*]Double-click on MicrosoftFixit50906.msi and follow the prompts to disable Windows Sidebar and gadgets. Once finished, reboot your computer if not prompted to do so.
Uninstalls
I want you to uninstall the following programs (XP: Start > Control Panel > Add/Remove Programs | Vista / Win7 / Win8: Start > Control Panel > Uninstall a program):
[*]Movies Toolbar for Chrome (Dist. by MaxiGet Ltd.)
[*]Movies Toolbar for Internet Explorer (Dist. by MaxiGet Ltd.)
[*]Funmoods
system
December 8, 2013, 2:32pm
14
OTL Fix
[*]Run OTL .
[*]Copy (Ctrl+C) and Paste (Ctrl+V) all of the following text into the Custom Scans/Fixes box:
:Commands
[CreateRestorePoint]
:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{52db1893-8a90-4192-aede-08e00b8f8484}: "URL" = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=003&systemid=484&v=n9795-166&apn_uid=3411734024104107&apn_dtid=BND484&o=APN10640&apn_ptnrs=AG1&q={searchTerms}
IE - HKLM\..\SearchScopes\{52db1893-8a90-4192-aede-08e00b8f8484}: "URL" = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=003&systemid=484&v=n9795-166&apn_uid=3411734024104107&apn_dtid=BND484&o=APN10640&apn_ptnrs=AG1&q={searchTerms}
IE - HKU\S-1-5-21-743841737-3555611461-1389555401-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.search.ask.com/?o=APN10640A&gct=hp&d=484-003&v=n9795-166&t=4
IE - HKU\S-1-5-21-743841737-3555611461-1389555401-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www1.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=AE11FE85DE2A1987&affID=122304&tsp=4940
IE - HKU\S-1-5-21-743841737-3555611461-1389555401-1001\..\SearchScopes\{52db1893-8a90-4192-aede-08e00b8f8484}: "URL" = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=003&systemid=484&v=n9795-166&apn_uid=3411734024104107&apn_dtid=BND484&o=APN10640&apn_ptnrs=AG1&q={searchTerms}
O2 - BHO: (Funmoods Helper Object) - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - C:\Program Files (x86)\Funmoods\1.5.23.22\bh\escort.dll (Funmoods BHO)
O2 - BHO: (SelectionLinks) - {7825CFB6-490A-436B-9F26-4A7B5CFC01A9} - C:\Program Files (x86)\OApps\SelectionLinks.dll (SelectionLinks)
O2 - BHO: (Movies Toolbar (Dist. by MaxiGet Ltd.)) - {a25ac361-002e-48e8-833b-e614322236b4} - C:\Program Files (x86)\Movies Toolbar\SafetyNut\SRTOOL~1\IE\searchresultsDx.dll ()
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Movies Toolbar (Dist. by MaxiGet Ltd.)) - {a25ac361-002e-48e8-833b-e614322236b4} - C:\Program Files (x86)\Movies Toolbar\SafetyNut\SRTOOL~1\IE\searchresultsDx.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:[b]64bit:[/b] - HKLM..\Run: [DptfPolicyLpmServiceHelper] C:\Windows\SysWOW64\DptfPolicyLpmServiceHelper.exe File not found
O4 - HKU\S-1-5-21-743841737-3555611461-1389555401-1001..\Run: [WinUsbDriver] wscript.exe //B "C:\Users\Dragan\AppData\Local\Temp\WinUsbDriver.vbs" File not found
O8:[b]64bit:[/b] - Extra context menu item: Translate with Di dictionary - File not found
O8 - Extra context menu item: Translate with Di dictionary - File not found
O20:[b]64bit:[/b] - AppInit_DLLs: (C:\PROGRA~3\Wincert\WIN64C~1.DLL) - C:\ProgramData\Wincert\win64cert.dll ()
O20:[b]64bit:[/b] - AppInit_DLLs: (C:\PROGRA~2\MOVIES~1\SAFETY~1\x64\SAFETY~2.DLL) - C:\Program Files (x86)\Movies Toolbar\SafetyNut\x64\safetyldr.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~3\Wincert\WIN32C~1.DLL) - C:\ProgramData\Wincert\win32cert.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~2\MOVIES~1\SAFETY~1\SAFETY~2.DLL) - C:\Program Files (x86)\Movies Toolbar\SafetyNut\safetyldr.dll ()
O27:[b]64bit:[/b] - HKLM IFEO\bitguard.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\bprotect.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\browsemngr.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\browserdefender.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\browsermngr.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\browserprotect.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\bundlesweetimsetup.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\cltmngsvc.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\delta babylon.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\delta tb.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\delta2.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\deltainstaller.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\deltasetup.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\deltatb.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\deltatb_2501-c733154b.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\iminentsetup.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\rjatydimofu.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\sweetimsetup.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\tbdelta.exetoolbar783881609.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bitguard.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bprotect.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browsemngr.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browserdefender.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browsermngr.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browserprotect.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bundlesweetimsetup.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\cltmngsvc.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\delta babylon.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\delta tb.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\delta2.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\deltainstaller.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\deltasetup.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\deltatb.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\deltatb_2501-c733154b.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\iminentsetup.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\rjatydimofu.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\sweetimsetup.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\tbdelta.exetoolbar783881609.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O33 - MountPoints2\{1d848c7c-1b7d-11e2-8126-3085a914edfa}\Shell - "" = AutoRun
O33 - MountPoints2\{1d848c7c-1b7d-11e2-8126-3085a914edfa}\Shell\AutoRun\command - "" = F:\Windows\AutoRun.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Windows\AutoRun.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\Windows\AutoRun.exe
O36 - AppCertDlls: x64 - (C:\Program Files (x86)\Movies Toolbar\SafetyNut\x64\safetycrt.dll) - C:\Program Files (x86)\Movies Toolbar\SafetyNut\x64\safetycrt.dll ()
O36 - AppCertDlls: x86 - (C:\Program Files (x86)\Movies Toolbar\SafetyNut\safetycrt.dll) - C:\Program Files (x86)\Movies Toolbar\SafetyNut\safetycrt.dll ()
[2013.11.15 00:25:54 | 000,000,000 | ---D | C] -- C:\ProgramData\BrowserProtect
[2013.11.15 00:25:54 | 000,000,000 | ---D | C] -- C:\ProgramData\BitGuard
[2013.11.15 00:25:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Browser Manager
[2013.11.14 23:26:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Wincert
[2013.11.14 23:26:04 | 000,000,000 | ---D | C] -- C:\Users\Dragan\AppData\Local\catalinagroupltdmoviestoolbarha
[2013.11.14 23:25:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Movies Toolbar
[2013.11.14 23:25:46 | 000,000,000 | ---D | C] -- C:\ProgramData\SafetyNut
[2013.12.06 01:38:05 | 000,010,905 | ---- | M] () -- C:\end
@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:5216CD26
:Commands
[EMPTYTEMP]
[*]Click the Run Fix button.
[*]After the reboot a log will open; please post the content of that file in your next reply.
AdwCleaner
Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop :
Download Mirror #1
[*]Right-click on AdwCleaner.exe and select Run as administrator .
[*]Click Scan and let the scan run.
[*]When it finishes, click Clean , following the on screen prompts
[*]After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.
Note: The log can also be found here: C:\AdwCleaner
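The OTL fix above lists persistence points without saying why each one matters. As an added example that is not part of the original thread, the Python below reads OTL-style lines (the samples are copied from the fix above, plus one constructed benign Run value) and ranks them by mechanism: a Run value that starts a script host on a file in the user's Temp folder, AppInit_DLLs and AppCertDlls entries (DLLs pushed into every process that loads user32.dll or calls CreateProcess), an Image File Execution Options Debugger value that silently runs tasklist.exe instead of the named program, a MountPoints2 AutoRun command cached from a removable drive, and an orphaned toolbar entry. The `Finding`, `classify` and `triage` names, the regular expressions and the severities are my own; they are not OTL's.

```python
"""Triage OTL-style autostart lines by persistence mechanism.
Added example, not part of the original thread; the rules are my reading of each O-number."""
import re
from dataclasses import dataclass

SCRIPT_HOST = re.compile(r"\b(wscript|cscript|powershell|mshta|rundll32)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\[^\\]+)\\", re.I)
RUN_VALUE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
IFEO_DEBUGGER = re.compile(r"IFEO\\(?P<victim>[^:]+): Debugger - (?P<dbg>.+?)(?: \(.*\))?$")
RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str
    item: str          # OTL section, e.g. "O4"
    mechanism: str
    line: str


def classify(line: str):
    """Map one OTL line to a Finding, or None when the rule set has nothing to say about it."""
    item = line.split(" - ", 1)[0].split(":")[0].strip()      # "O4:[b]64bit:[/b] - ..." -> "O4"
    if item == "O4":                                          # HKLM/HKU ...\Run autostart value
        m = RUN_VALUE.search(line)
        if not m:
            return None
        cmd = m.group("cmd")
        risky = SCRIPT_HOST.search(cmd) or USER_WRITABLE.search(cmd) or cmd.endswith("File not found")
        return Finding("high" if risky else "low", item,
                       f"Run value [{m.group('name')}] starts at logon: {cmd}", line)
    if item == "O20":                                         # AppInit_DLLs
        return Finding("high", item, "AppInit_DLLs injects a DLL into every process that loads user32.dll", line)
    if item == "O36":                                         # AppCertDlls
        return Finding("high", item, "AppCertDlls DLL is loaded by every process that calls CreateProcess", line)
    if item == "O27":                                         # Image File Execution Options
        m = IFEO_DEBUGGER.search(line)
        if m:
            return Finding("medium", item,
                           f"IFEO Debugger: starting {m.group('victim')} runs {m.group('dbg')} instead", line)
    if item == "O33" and "AutoRun\\command" in line:          # cached autorun.inf handler
        return Finding("medium", item, "MountPoints2 cached an AutoRun command for a removable/mapped drive", line)
    if item == "O3" and "No CLSID value found" in line:
        return Finding("low", item, "orphaned toolbar entry with no CLSID (leftover, safe to remove)", line)
    return None


def triage(lines) -> list:
    """Classify every line and return findings ordered high -> medium -> low (stable within a level)."""
    findings = [f for f in (classify(l) for l in lines) if f is not None]
    return sorted(findings, key=lambda f: RANK[f.severity])


# Sample lines copied from the OTL fix above, plus one constructed benign Run value at the end.
SAMPLE_OTL_LINES = [
    r'O4 - HKU\S-1-5-21-743841737-3555611461-1389555401-1001..\Run: [WinUsbDriver] wscript.exe //B "C:\Users\Dragan\AppData\Local\Temp\WinUsbDriver.vbs" File not found',
    r'O20 - AppInit_DLLs: (C:\PROGRA~3\Wincert\WIN32C~1.DLL) - C:\ProgramData\Wincert\win32cert.dll ()',
    r'O27 - HKLM IFEO\bitguard.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)',
    r'O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Windows\AutoRun.exe',
    r'O36 - AppCertDlls: x86 - (C:\Program Files (x86)\Movies Toolbar\SafetyNut\safetycrt.dll) - C:\Program Files (x86)\Movies Toolbar\SafetyNut\safetycrt.dll ()',
    r'O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.',
    r'O4 - HKLM..\Run: [ExampleTray] "C:\Program Files\Example\example.exe" /tray',   # constructed, benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_OTL_LINES):
        print(f"{f.severity:6} {f.item:4} {f.mechanism}")
```

The O27 block is worth a second look on this machine: every victim name is an adware installer (delta, sweetim, bitguard, browserprotect, ...) and every Debugger is tasklist.exe, so whoever wrote those values made sure competing adware never launches. The mechanism is the same one a real attacker would use to neuter a security tool, which is why the rule reports every IFEO Debugger regardless of which program it points at.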
system
December 8, 2013, 2:33pm
15
JRT Run
Please download Junkware Removal Tool to your desktop.
[*]Shut down your protection software now to avoid potential conflicts.
[*]Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select “Run as Administrator”.
[*]The tool will open and start scanning your system.
[*]Please be patient as this can take a while to complete depending on your system's specifications.
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.
MCShield 2
Download MCShield to your desktop and install it.
It will initially run a scan and show the result as a toast notification by the system clock.
Then in the Control Centre select Scanner and tick “Unhide items on flash drives”.
Plug in the drive and MCShield will start a scan.
Then get the log, which will be here:
Start > All Programs > MCShield > Logs > All scans
and post that.
OTL
[*]Run OTL by double-clicking on it.
[*]Click Quick Scan to start OTL.
[*]When OTL finishes scanning, a log, OTL.txt, will open.
[*]Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.
system
December 8, 2013, 4:35pm
17
AdwCleaner v3.014 - Report created 08/12/2013 at 17:33:22
Updated 01/12/2013 by Xplode
Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
Username : Dragan - DRAGAN-PC
Running from : C:\Users\Dragan\Desktop\AdwCleaner.exe
Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Program Files (x86)\OApps
Folder Deleted : C:\Program Files (x86)\SimilarSites
Folder Deleted : C:\Program Files (x86)\WebCake
Folder Deleted : C:\Users\Dragan\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Dragan\AppData\Roaming\ExpressFiles
Folder Deleted : C:\Users\Dragan\AppData\Roaming\SimilarSites
Folder Deleted : C:\Users\Dragan\AppData\Roaming\WebCake
File Deleted : C:\Users\Dragan\AppData\Local\funmoods.crx
File Deleted : C:\Windows\Tasks\AmiUpdXp.job
File Deleted : C:\Windows\System32\Tasks\AmiUpdXp
File Deleted : C:\Windows\System32\Tasks\Express FilesUpdate
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
Key Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WebCakeIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\esrv.funmoodsESrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.funmoodsESrvc.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd.1
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Api.1
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Layers
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Layers.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\FunmoodsSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\FunmoodsSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted : HKLM\SOFTWARE\a53dfd8b268b913
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7169BBB3-3289-4696-B35D-4A88BCF6FB12}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AF6B0594-6008-4327-93E5-608AD710A6FA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BB975E58-E769-4E5A-BA12-B765BC559FF3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F511AFDB-726E-4458-90E7-1ECB97406544}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0AFD55C8-ADF8-4A33-A6E1-DEDB7A36AEB4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EFDF368C-8DD9-4E05-87CD-16AA5CB03CB8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{AF6B0594-6008-4327-93E5-608AD710A6FA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0AFD55C8-ADF8-4A33-A6E1-DEDB7A36AEB4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{52DB1893-8A90-4192-AEDE-08E00B8F8484}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\BabSolution
Key Deleted : HKCU\Software\DataMngr
[#] Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\ExpressFiles
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\ExpressFiles
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\Software\SafetyNut
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\movies~1\safety~1\x64\safety~2.dll
***** [ Browsers ] *****
-\ Internet Explorer v11.0.9600.16428
-\ Mozilla Firefox v25.0.1 (en-GB)
[ File : C:\Users\Dragan\AppData\Roaming\Mozilla\Firefox\Profiles\t40gefcs.default\prefs.js ]
-\ Google Chrome v28.0.1500.72
[ File : C:\Users\Dragan\AppData\Local\Google\Chrome\User Data\Default\preferences ]
AdwCleaner[R0].txt - [8077 octets] - [08/12/2013 17:31:08]
AdwCleaner[S0].txt - [7816 octets] - [08/12/2013 17:33:22]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7876 octets] ##########
system
December 8, 2013, 4:48pm
18
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Home Premium x64
Ran by Dragan on ned 08.12.2013 at 17:38:31,86
~~~ Registry Values
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-743841737-3555611461-1389555401-1001\Software\sweetim
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskToolbarNRO_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskToolbarNRO_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskToolbarNRO_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskToolbarNRO_RASMANCS
~~~ Files
~~~ Folders
Successfully deleted: [Folder] "C:\ProgramData\ytd video downloader"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader"
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{064C3A29-7861-42AB-89B9-C3A41CF96186}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{10FE5D7C-5717-482E-9FCE-F9C4AE4C22E8}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{2726A777-07EE-4CEF-8DAC-7C96B21FA7C8}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{503A87D1-361B-4312-8A6E-AC824C1ABD94}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{538E927D-770E-41C6-AE3E-0985FA5310AB}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{5490B44A-6B52-428F-961E-FF02F8D884D3}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{5D6E52A5-3796-484D-AF9A-B067FD63CABD}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{5F94030A-FFFB-4A27-AFAA-2E89EC15BB07}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{68A6926F-D625-434E-9BFC-067EE6B5ABE9}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{7776E668-8D7B-443B-982F-11C2EAFF0012}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{7B81DAC1-42BB-4E85-96AA-2FAF82B71489}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{7E15A2A1-ECC0-4A4B-85C8-9CC4F7F4A85B}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{8502ED0F-3269-48A6-A64E-FF648451B761}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{9064C9D1-8150-4100-B9E5-1208CB5D666C}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{9E9B8C2C-66C4-43EC-B874-93B0310BD138}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{DF22DE71-AB2D-4FB9-AAAF-23287821A219}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{E06C8CE5-1EBF-42BE-9AA6-6D65E83F7171}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{EFB7ED80-750E-429A-8131-DF267FDE12B0}
~~~ FireFox
Emptied folder: C:\Users\Dragan\AppData\Roaming\mozilla\firefox\profiles\t40gefcs.default\minidumps [2 files]
~~~ Chrome
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Policies\Google [Blacklisted Policy]
~~~ Event Viewer Logs were cleared
Scan was completed on ned 08.12.2013 at 17:46:43,08
End of JRT log
system
December 8, 2013, 4:52pm
19
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 2.8.3.24 / DB: 2013.12.8.1 / Windows 7 <<<
8.12.2013 17:51:28 > Drive G: - scan started (DRUG DRAGAN ~15194 MB, NTFS flash drive )…
G:\New folder.lnk - Malware > Deleted. (13.12.08. 17.51 New folder.lnk.904247; MD5: ce076b3044d654c85275a0beb31fba41)
G:\New folder (2).lnk - Malware > Deleted. (13.12.08. 17.51 New folder (2).lnk.900016; MD5: f5446c6497a98fc3e36819e8d9274447)
G:\WinUsbDriver.vbs - Malware > Deleted. (13.12.08. 17.51 WinUsbDriver.vbs.210912; MD5: 80e49685d1ac8a3623dd78779820ae5a)
Resetting attributes: G:\New folder < Successful.
Resetting attributes: G:\New folder (2) < Successful.
=> Malicious files : 3/3 deleted.
=> Hidden folders : 2/2 unhidden.
::::: Scan duration: 1sec ::::::::::::::::::