Trojan: PSW.OnlineGames4.ALGT

Windows 7 Home Premium - Service Pack 1 - 64 bit
HP Laptop
AMD A8-3500M APU with Radeon HD Graphics 1.5 GHz
6 GB RAM installed

Laptop had been behaving badly - slow at times, occasional blue screens of death,
lost iTunes config info after a BSoD, etc. However, antivirus just alerted malware:

AVG AntiVirus Free - AVG Detection
Name: Trojan horse PSW.OnlineGames4.ALGT
Object name: c:\Users\Michael\AppData\Local\Temp\sysoxkq\sqiqkiy\wow64.dll

Removing of threat has failed.
Access is denied.


I'm not overly technical but it seems to be buried in the directory listed
above, yet it doesn't allow me to access files (or even see that the directory
exists) via Windows Explorer or a command prompt. I tried booting in SAFE mode
and it didn't make a difference. I ran AVG in SAFE mode also without success.

I'm sure you get a lot of sob stories. Mine is that this laptop belongs to my son
who is right in the middle of two large projects for school. I really appreciate any
assistance you can provide. THANK YOU!!!

Here is the output from AdwCleaner:

# AdwCleaner v2.202 - Logfile created 04/23/2013 at 23:44:55
# Updated 23/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Michael - MICHAEL-HP
# Boot Mode : Normal
# Running from : C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUGTLUPJ\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\Common Files\AVG Secure Search
File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Users\Public\Desktop\eBay.lnk
Folder Deleted : C:\Program Files (x86)\AVG Secure Search
Folder Deleted : C:\Program Files (x86)\Babylon
Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\Users\Michael\AppData\Local\AVG Secure Search
Folder Deleted : C:\Users\Michael\AppData\Local\Temp\avg@toolbar
Folder Deleted : C:\Users\Michael\AppData\LocalLow\AVG Secure Search

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

File : C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\8c5dcrl5.default\prefs.js

C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\8c5dcrl5.default\user.js ... Deleted !

Deleted : user_pref("browser.search.selectedEngine", "Search the web (Babylon)");
Deleted : user_pref("extensions.BabylonToolbar.admin", false);
Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar.appId", "{BDB69379-802F-4eaf-B541-F8DE92DD98DB}");
Deleted : user_pref("extensions.BabylonToolbar.dfltLng", "en");
Deleted : user_pref("extensions.BabylonToolbar.excTlbr", false);
Deleted : user_pref("extensions.BabylonToolbar.id", "b00ab00b0000000000003859f93cc21a");
Deleted : user_pref("extensions.BabylonToolbar.instlDay", "15645");
Deleted : user_pref("extensions.BabylonToolbar.instlRef", "na");
Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "base");
Deleted : user_pref("extensions.BabylonToolbar.tlbrSrchUrl", "hxxp://search.babylon.com/?babsrc=TB_def&mntrId=[...]
Deleted : user_pref("extensions.BabylonToolbar.vrsn", "1.8.3.8");
Deleted : user_pref("extensions.BabylonToolbar.vrsni", "1.8.3.8");
Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=18319&tt=4412_2[...]
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.8.3.80:14:42");

-\\ Google Chrome v26.0.1410.64

File : C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.1] : icon_url ={"backup":{"_signature":"tme62S2xweQ9wMCpKZ1oO015ccnVvZ0z5pXAOhMQjII=","_version":4,"extensions":{"i[...]

*************************

AdwCleaner[S1].txt - [394 octets] - [23/04/2013 23:34:29]
AdwCleaner[S2].txt - [9828 octets] - [23/04/2013 23:44:55]

########## EOF - C:\AdwCleaner[S2].txt - [9888 octets] ##########

Here is the output from MBAM:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.24.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
Michael :: MICHAEL-HP [administrator]

4/23/2013 11:53:19 PM
mbam-log-2013-04-23 (23-53-19).txt

Scan type: Full scan (C:\|D:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 504799
Time elapsed: 2 hour(s), 22 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Here is the output from Security Check:

Results of screen317's Security Check version 0.99.63
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG AntiVirus Free Edition 2013
Norton Internet Security
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
Java(TM) 6 Update 24
Java version out of Date!
Adobe Flash Player 11.6.602.180
Adobe Reader 10.1.6 Adobe Reader out of Date!
Mozilla Firefox 16.0.2 Firefox out of Date!
Mozilla Thunderbird (17.0.2)
Google Chrome 26.0.1410.43
Google Chrome 26.0.1410.64
Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
AVG avgwdsvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 5%
````````````````````End of Log``````````````````````


Thank You! Thank You! Thank You!

Re: Trojan: PSW.OnlineGames4.ALGT

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*******************************************************
The Security Check shows that you have two AVs on your computer: AVG AntiVirus Free Edition 2013 and Norton Internet Security. Please make sure that only one AV is enabled at any time on your computer.
********************************************************
Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*************************************************
Update your Adobe Reader. get.adobe.com/reader.

Be sure to uncheck the Free McAfee Security Scan so it isn't installed.

***********************************************
Please download and run Microsoft Safety Scanner. This will take about 20 minutes to run and will produce a log if your computer was infected. Please post the log. This scanner only has a shelf life of 10 days, so you will need to download a new one if you want to run a scan after the trial period has expired.
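An added check, not part of Dave's reply or of the Security Check tool, that shows how the "two AVs enabled" finding above can be confirmed from the machine itself: it lists every antivirus product registered with Windows Security Center and warns when more than one reports real-time protection on. It assumes the root\SecurityCenter2 WMI namespace (present on Vista and later) and decodes productState with the commonly used byte layout, which is a community heuristic rather than documented behaviour.

```powershell
# Added example: list antivirus products registered with Windows Security Center
# and flag the situation the Security Check log showed (two AVs, one should be disabled).
# Written for the PowerShell 2.0 shipped with Windows 7 (Get-WmiObject, no [pscustomobject]).
#
# productState decoding is an assumption based on the widely used layout, not documented by Microsoft:
#   bits 0xFF00 : 0x1000 = real-time protection enabled, 0x0000/0x0100 = disabled or snoozed
#   bits 0x00FF : 0x00   = definitions current,          0x10          = definitions out of date
function Get-AvProductStatus {
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class 'AntiVirusProduct' -ErrorAction Stop
    foreach ($p in $products) {
        $state = [int]$p.productState
        New-Object PSObject -Property @{
            Name        = $p.displayName
            Path        = $p.pathToSignedProductExe
            StateHex    = ('0x{0:X6}' -f $state)
            RealTimeOn  = (($state -band 0xFF00) -eq 0x1000)
            DefsCurrent = (($state -band 0x00FF) -eq 0x00)
        }
    }
}

$status = @(Get-AvProductStatus)
$status | Format-Table Name, StateHex, RealTimeOn, DefsCurrent, Path -AutoSize

# More than one product with real-time protection on is the conflict Dave asks to resolve.
$enabled = @($status | Where-Object { $_.RealTimeOn })
if ($enabled.Count -gt 1) {
    $names = ($enabled | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("{0} products report real-time protection enabled ({1}); keep only one active." -f $enabled.Count, $names)
}

# Out-of-date definitions are a separate finding worth surfacing alongside the conflict.
foreach ($s in @($status | Where-Object { -not $_.DefsCurrent })) {
    Write-Warning ("Definitions for {0} are reported out of date." -f $s.Name)
}
```

Run it from an elevated PowerShell prompt; a product that was uninstalled but left its registration behind will still be listed, which is itself useful evidence of a half-removed AV.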

Re: Trojan: PSW.OnlineGames4.ALGT

THANK YOU for the fast reply Dave!!

AV - the laptop came with Norton which I disabled and installed AVG.
I removed / de-installed Norton now.

Java - wow - you are correct sir! I ran the verify link you provided and I had 6.24 installed
and it said that 7.21 was the latest. I updated via Oracle's / Sun's web site to 7.21. Sorry,
but I'm a little confused now regarding your instructions. You provide a link to MajorGeek's
web site for getting the newest version of the Sun Java Runtime Environment. When I went there
it appeared that it was offering an older version 6.43. Since I updated it via Oracle's web
site I didn't take any actions from MajorGeek's web link. Should I have?

I ran JavaRa and it found / removed Jre6.

I updated Adobe Reader.

I ran the Microsoft Safety Scanner. You mentioned "... will take about 20 minutes ..." so I left
it at the default of "Quick Scan" since the full scan said it will take hours. The scan did not
find any issues.

Literally, when the Microsoft Safety Scanner ended my AVG popped up a warning window again.
Sorry, I'm not sure how to embed images so I will attach them as a file. These are the same
screens I have been seeing. After the first / top window appears I select "Protect Me" to have
AVG fix the issue but as you can see from the second / bottom screen shot it fails.

Thanks again for helping me figure this out. I will try to respond as quickly as I can when
you post the next steps.....

Re: Trojan: PSW.OnlineGames4.ALGT

FYI - now my AVG software has detected it about 6 more times - in the last 15 minutes! This is much more often than previously. Not sure what it is doing or why but as I was doing the screen shots / pasting them into paint / renaming the file / etc. the detection window just kept popping up.... I'm guessing that is not a good sign : )

Re: Trojan: PSW.OnlineGames4.ALGT

Sorry if I am being a pest but two other things I thought of that might be useful....

1) I will attach a picture I took while running AVG after booting the laptop in SAFE mode last night. There are a couple of lines that really jumped out at me - one that uses the word "TROJAN" and a second that has access denied to the directory that AVG keeps calling out in its detection alerts. BTW - I tried getting to this directory via Windows Explorer (making sure I could see hidden files / system files) and couldn't even see it. I also tried with a command prompt and couldn't get to it either.... it is almost like the security is set so that it doesn't appear??? I will attach a copy of the picture for your reference.

2) Before I contacted you I was googling the detection message and several of the manual removal suggestions referenced registry entries. As I was scanning through the registry I noticed "Wild Tangent" in one of the entries. I had a "Wild Tangent" virus on my home computer a couple years ago. My AVG hasn't flagged / detected anything "Wild Tangent" so I don't know if they are related but I'm curious if I have a secondary issue also?

Thank you again for all of your help!!

Re: Trojan: PSW.OnlineGames4.ALGT

> it appeared that it was offering an older version 6.43. Since I updated it via Oracle's web
> site I didn't take any actions from MajorGeek's web link. Should I have?

When you click on "verify your Java version" it should take you directly to the Java site. That's the only link I use. It will tell you if you have the latest version.

> As I was scanning through the registry I noticed "Wild Tangent" in one of the entries.

Please do not make any changes in the registry.

How to post screenshots or images
*********************************************
Please download Junkware Removal Tool to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.
*********************************************
Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to your download folder you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:

[Image: NSIS_disclaimer_ENG]

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

[Image: NSIS_extraction]

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

[Image: RcAuto1]

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: Whatnext]

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Re: Trojan: PSW.OnlineGames4.ALGT

Again - THANK YOU THANK YOU THANK YOU!! - I really do appreciate your help!!

Below will be the outputs pasted as requested. A couple observations:

I downloaded the JRT, turned off AVG, went to my desktop, right mouse clicked JRT to run as admin and up popped a RunDLL error box (I've attached the screen shot.) Curious, I didn't launch JRT but rather closed the error box, and right clicked another icon - boom - RunDLL error box. I repeated this 4-5 times. I then ran JRT. After it was done, I was still curious, so I tried right mouse clicking again - nothing, again, again and again - nothing. It appears as though running JRT cleared up whatever was causing that - does that make sense from the output file?

I ran the ComboFix. After it was completed it just seemed like the laptop was more responsive / running faster / smoother. Can't quantify - just seems like it. I think either JRT or ComboFix might have closed out AVG? Maybe it is just because that isn't running or maybe it cleaned something up. I'm very interested to see what you find in the output files.

Have I mentioned - THANK YOU!!!

JRT output:



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.8.9 (04.22.2013:1)
OS: Windows 7 Home Premium x64
Ran by Michael on Wed 04/24/2013 at 18:53:15.67
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A22F7BA3-591A-4DDB-B9A3-C974A5B67BEB}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{A22F7BA3-591A-4DDB-B9A3-C974A5B67BEB}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}



~~~ Files

Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npcouponprinter.dll"
Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npmozcouponprinter.dll"
Successfully deleted: [File] "C:\Windows\couponprinter.ocx"



~~~ Folders

Successfully deleted: [Folder] "C:\Program Files (x86)\coupons"
Successfully deleted: [Empty Folder] C:\Users\Michael\appdata\local\{009360A4-E400-469C-BCE5-486F4063BB6B}
Successfully deleted: [Empty Folder] C:\Users\Michael\appdata\local\{12E25302-3C25-4A73-A8A6-CDAA34AEA534}
Successfully deleted: [Empty Folder] C:\Users\Michael\appdata\local\{72625E8D-A446-482A-A95B-CDD8751ED095}
Successfully deleted: [Empty Folder] C:\Users\Michael\appdata\local\{8C9E3644-A36F-4C21-B38B-05953DDD235F}
Successfully deleted: [Empty Folder] C:\Users\Michael\appdata\local\{9044851A-2B4A-47EA-A307-F31F38501AD5}
Successfully deleted: [Empty Folder] C:\Users\Michael\appdata\local\{E2F497AA-C86D-4190-AE8A-9E69E14C7F5E}
Successfully deleted: [Empty Folder] C:\Users\Michael\appdata\local\{E432364F-14F9-4EBA-A823-940A286239AB}



~~~ FireFox

Emptied folder: C:\Users\Michael\AppData\Roaming\mozilla\firefox\profiles\8c5dcrl5.default\minidumps [34 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 04/24/2013 at 18:59:58.97
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix output:



ComboFix 13-04-24.03 - Michael 04/24/2013 19:07:53.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5611.3101 [GMT -5:00]
Running from: c:\users\Michael\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\{4333C1A8-42DC-446B-A90F-D24B7E21EE5D}.xps
c:\windows\PolicyDefinitions
c:\windows\PolicyDefinitions\DeviceRedirection.admx
c:\windows\PolicyDefinitions\en-US\DeviceRedirection.adml
c:\windows\PolicyDefinitions\en-US\EnhancedStorage.adml
c:\windows\PolicyDefinitions\en-US\InetRes.adml
c:\windows\PolicyDefinitions\en-US\NCSI.adml
c:\windows\PolicyDefinitions\en-US\RacWmiProv.adml
c:\windows\PolicyDefinitions\en-US\ReAgent.adml
c:\windows\PolicyDefinitions\en-US\sdiageng.adml
c:\windows\PolicyDefinitions\en-US\sdiagschd.adml
c:\windows\PolicyDefinitions\en-US\Search.adml
c:\windows\PolicyDefinitions\en-US\WindowsMediaDRM.adml
c:\windows\PolicyDefinitions\en-US\WindowsMediaPlayer.adml
c:\windows\PolicyDefinitions\EnhancedStorage.admx
c:\windows\PolicyDefinitions\inetres.admx
c:\windows\PolicyDefinitions\NCSI.admx
c:\windows\PolicyDefinitions\RacWmiProv.admx
c:\windows\PolicyDefinitions\ReAgent.admx
c:\windows\PolicyDefinitions\sdiageng.admx
c:\windows\PolicyDefinitions\sdiagschd.admx
c:\windows\PolicyDefinitions\Search.admx
c:\windows\PolicyDefinitions\WindowsMediaDRM.admx
c:\windows\PolicyDefinitions\WindowsMediaPlayer.admx
.
.
((((((((((((((((((((((((( Files Created from 2013-03-25 to 2013-04-25 )))))))))))))))))))))))))))))))
.
.
2013-04-25 00:15 . 2013-04-25 00:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-24 23:53 . 2013-04-24 23:53 -------- d-----w- c:\windows\ERUNT
2013-04-24 23:52 . 2013-04-24 23:52 -------- d-----w- C:\JRT
2013-04-24 18:59 . 2013-04-24 18:59 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-04-24 18:59 . 2013-04-24 18:58 866720 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-04-24 18:59 . 2013-04-24 18:58 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-04-24 18:58 . 2013-04-24 18:58 -------- d-----w- c:\programdata\McAfee
2013-04-24 04:45 . 2013-04-24 04:45 121 ----a-w- c:\windows\DeleteOnReboot.bat
2013-04-24 04:39 . 2013-04-24 04:39 -------- d-----w- c:\users\Michael\AppData\Roaming\Malwarebytes
2013-04-24 04:39 . 2013-04-24 04:39 -------- d-----w- c:\programdata\Malwarebytes
2013-04-24 04:39 . 2013-04-24 04:39 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-04-24 04:39 . 2013-04-04 19:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-24 04:38 . 2013-04-24 04:38 -------- d-----w- c:\users\Michael\AppData\Local\Programs
2013-04-24 04:34 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-20 04:06 . 2013-04-23 03:37 -------- d-----w- c:\users\TEMP
2013-04-10 19:34 . 2013-02-15 06:06 3717632 ----a-w- c:\windows\system32\mstscax.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-20 17:03 . 2013-03-20 17:03 51200 ----a-w- c:\windows\system32\imgutil.dll
2013-03-20 17:03 . 2013-03-20 17:03 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-03-20 17:03 . 2013-03-20 17:03 13824 ----a-w- c:\windows\system32\mshta.exe
2013-03-20 17:03 . 2013-03-20 17:03 136192 ----a-w- c:\windows\system32\iepeers.dll
2013-03-20 17:03 . 2013-03-20 17:03 135680 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-03-20 17:03 . 2013-03-20 17:03 12800 ----a-w- c:\windows\system32\msfeedssync.exe
2013-03-20 17:03 . 2013-03-20 17:03 77312 ----a-w- c:\windows\system32\tdc.ocx
2013-03-13 03:24 . 2012-04-04 19:45 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-13 03:24 . 2011-08-29 16:50 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-27 04:40 . 2013-02-27 04:40 246072 ----a-w- c:\windows\system32\drivers\avgidsdrivera.sys
2013-02-18 19:05 . 2012-10-01 01:23 39768 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2013-02-14 08:52 . 2013-02-14 08:52 239416 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2013-02-12 05:45 . 2013-03-13 22:05 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-13 22:05 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-13 22:05 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-13 22:05 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-13 22:05 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 22:05 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-12 04:12 . 2013-03-20 20:37 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-08 09:37 . 2013-02-08 09:37 116536 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2013-02-08 09:37 . 2013-02-08 09:37 311096 ----a-w- c:\windows\system32\drivers\avgloga.sys
2013-02-08 09:37 . 2013-02-08 09:37 71480 ----a-w- c:\windows\system32\drivers\avgidsha.sys
2013-02-08 09:37 . 2013-02-08 09:37 206136 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2013-02-08 09:37 . 2013-02-08 09:37 45880 ----a-w- c:\windows\system32\drivers\avgrkx64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-11-01 06:09 220632 ----a-w- c:\users\Michael\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-11-01 06:09 220632 ----a-w- c:\users\Michael\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-11-01 06:09 220632 ----a-w- c:\users\Michael\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"HP Photosmart 6510 series (NET)"="c:\program files\HP\HP Photosmart 6510 series\Bin\ScanToPCActivationApp.exe" [2011-09-16 2676584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-02 336384]
"Easybits Recovery"="c:\program files (x86)\EasyBits For Kids\ezRecover.exe" [2011-03-16 61112]
"HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-05-23 103992]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2011-07-11 574008]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2011-03-30 87336]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared files\brs.exe" [2011-12-12 75048]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2013-03-13 4394032]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2013-1-8 228448]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0 /sync /restart\0 /sync /restart\0 /sync /restart\0 /sync /restart\0 /sync /restart\0 /sync /restart\0 /sync /restart\0 /sync /restart
.
R2 CLKMSVC10_38F51D56;CyberLink Product - 2011/12/12 15:50;c:\program files (x86)\CyberLink\PowerDVD10\NavFilter\kmsvc.exe [2011-02-25 241648]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-04-29 32768]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2010-06-16 35840]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-15 1255736]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [2011-03-04 78976]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [2011-03-04 38528]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2013-02-08 71480]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys [2013-02-08 311096]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2013-02-08 116536]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2013-02-08 45880]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2013-02-27 246072]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2013-02-08 206136]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2013-02-14 239416]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2013-02-18 39768]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-11-28 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-02 204288]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-04-02 365568]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [2013-02-28 4937264]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [2013-02-19 282624]
S2 ezSharedSvc;Easybits Services for Windows;c:\windows\System32\ezSharedSvcHost.exe [x]
S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-02-18 265544]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-09-01 227896]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-27 30520]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-07-11 26680]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-03-08 2375168]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
S2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [2013-02-18 968880]
S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys [2011-03-18 87168]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys [2011-03-18 188544]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-11-17 115216]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2010-07-28 31088]
S3 hpCMSrv;HP Connection Manager 4 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-05-23 1098296]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2011-07-19 1492992]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-03-25 337512]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-02-17 428136]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-12-16 47232]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - CLKMDRV10_38F51D56
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 03:24]
.
2013-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-12 22:14]
.
2013-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-12 22:14]
.
2013-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-695660584-876410207-1421700361-1001Core.job
- c:\users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-01 03:56]
.
2013-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-695660584-876410207-1421700361-1001UA.job
- c:\users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-01 03:56]
.
2013-04-25 c:\windows\Tasks\HP Photo Creations Messager.job
- c:\programdata\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
.
2013-04-23 c:\windows\Tasks\HPCeeScheduleForMichael.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-11-01 06:09 244696 ----a-w- c:\users\Michael\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-11-01 06:09 244696 ----a-w- c:\users\Michael\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-11-01 06:09 244696 ----a-w- c:\users\Michael\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-11-28 1128448]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\8c5dcrl5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-Adobe Reader Speed Launcher - c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe
Wow6432Node-HKLM-Run-AVG_TRAY - c:\program files (x86)\AVG\AVG2012\avgtray.exe
Wow6432Node-HKLM-Run-vProt - c:\program files (x86)\AVG Secure Search\vprot.exe
Wow6432Node-HKLM-Run- - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Coupon Printer for Windows5.0.0.0 - c:\program files (x86)\Coupons\uninstall.exe
AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-04-24 19:19:40
ComboFix-quarantined-files.txt 2013-04-25 00:19
.
Pre-Run: 419,027,480,576 bytes free
Post-Run: 421,745,721,344 bytes free
.
- - End Of File - - F39DAD8A3292FE2E4FBF8F5D13AB3B60

Re: Trojan: PSW.OnlineGames4.ALGT

Rut roh.... I rebooted the laptop, it came up just fine. Interesting - no AVG detection box pops up - yea!! However, I opened IE - opened fine. Yahoo.com is the default home page. If I click on any of the links, the IE window empties and nothing comes up. If I try and type in a url (i.e. GeekPolice.net) and press enter - nothing. It is like I'm not hitting enter. Nothing on the screen changes. I verified my internet connection - it is fine. I opened Firefox - seemed to work just fine. I opened Chrome and received an error box "Your preferences file is corrupt or invalid. Google Chrome is unable to recover your settings." I clicked "ok" and Chrome opened and seemed to work just fine. Were you expecting this? Thoughts?

Re: Trojan: PSW.OnlineGames4.ALGT

JRT cleaned up some Registry entries, which are usually the cause of DLL errors. ComboFix also got rid of some crap.

Please download and run MS Fix-it from here. This may help with IE.

Please download Rooter and Save it to your desktop.

  • Double click it to start the tool. Vista and Windows 7: run as administrator.
  • Click Scan.
  • Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

Re: Trojan: PSW.OnlineGames4.ALGT

Thank you for the additional tasks....

I ran the MS Fix-it and it did not fix IE. Any additional suggestions?

FYI - it seems like something funky is still going on. The pointer continues to regularly show the "busy" / arrow running in circles. Any additional suggestions on this?

Do we know at this point that we have found / removed any bad stuff?

Thanks again for all of your help!

Here is the output from Rooter:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 7 Home Edition (6.1.7601) Service Pack 1
[32_bits] - AMD64 Family 18 Model 1 Stepping 0, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 9.10.9200.16540
Mozilla Firefox 16.0.2 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:581 Go - Free:392 Go )
D:\ [Fixed-NTFS] .. ( Total:14 Go - Free:1 Go )
E:\ [CD_Rom]
F:\ [Fixed-FAT32] .. ( Total:0 Go - Free:0 Go )
.
Scan : 14:48.46
Path : C:\Users\Michael\Desktop\Rooter.exe
User : Michael ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ ????????? (284)
______ ????????? (400)
______ ????????? (448)
______ ????????? (720)
______ ????????? (816)
______ ????????? (836)
______ ????????? (884)
______ ????????? (900)
______ ????????? (908)
______ ????????? (1012)
______ C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe (508)
______ ????????? (708)
______ ????????? (1032)
______ ????????? (1076)
______ ????????? (1124)
______ ????????? (1164)
______ ????????? (1208)
______ ????????? (1240)
______ ????????? (1272)
______ ????????? (1524)
______ ????????? (1552)
______ ????????? (1620)
______ ????????? (1824)
______ ????????? (1944)
______ ????????? (1992)
______ ????????? (2036)
______ C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (2044)
______ ????????? (2052)
______ ????????? (2080)
______ C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (2108)
______ C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe (2164)
______ C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe (2192)
______ ????????? (2228)
______ C:\Windows\SysWOW64\ezSharedSvcHost.exe (2284)
______ ????????? (2344)
______ C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe (2376)
______ C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe (2400)
______ ????????? (2424)
______ C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe (2488)
______ C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE (2552)
______ ????????? (2696)
______ C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe (2828)
______ ????????? (2912)
______ ????????? (3016)
______ ????????? (3080)
______ ????????? (3092)
______ ????????? (3260)
______ ????????? (3504)
______ ????????? (3964)
______ ????????? (4044)
______ ????????? (4072)
______ C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe (3152)
______ ????????? (3712)
______ C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe (1344)
______ ????????? (4112)
______ ????????? (4120)
______ ????????? (4128)
______ C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (4316)
______ C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe (4400)
______ C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe (4436)
______ C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe (4468)
______ ????????? (4532)
______ C:\Program Files (x86)\CyberLink\Shared files\brs.exe (4540)
______ C:\Program Files (x86)\AVG\AVG2013\avgui.exe (4640)
______ C:\Program Files (x86)\iTunes\iTunesHelper.exe (4728)
______ C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe (4772)
______ ????????? (4880)
______ C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe (4892)
______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (4996)
______ ????????? (1324)
______ ????????? (3900)
______ ????????? (2836)
______ C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe (1336)
______ ????????? (5836)
______ ????????? (6020)
______ ????????? (5404)
______ ????????? (5244)
______ ????????? (3844)
______ ????????? (5028)
______ C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe (6084)
______ ????????? (4268)
______ ????????? (5544)
______ C:\Program Files (x86)\Mozilla Firefox\firefox.exe (1836)
______ C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe (2804)
______ C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe (5548)
______ C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe (4240)
Locked audiodg.exe (3432)
______ ????????? (2352)
______ ????????? (6432)
______ C:\Users\Michael\Desktop\Rooter.exe (7020)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 | Length:208666624)
\Device\Harddisk0\Partition2 (Start_Offset:209715200 | Length:624150183936)
\Device\Harddisk0\Partition3 (Start_Offset:624359899136 | Length:15665725440)
\Device\Harddisk0\Partition4 (Start_Offset:640025624576 | Length:108355584)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Adobe Flash Player Updater.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-695660584-876410207-1421700361-1001Core.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-695660584-876410207-1421700361-1001UA.job
C:\Windows\Tasks\HP Photo Creations Messager.job
C:\Windows\Tasks\HPCeeScheduleForMichael.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 14:49.15
.
C:\Rooter$\Rooter_1.txt - (25/04/2013 | 14:49.15)

Re: Trojan: PSW.OnlineGames4.ALGT

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.

Re: Trojan: PSW.OnlineGames4.ALGT

I ran TDSSKiller and it came back with "No threats found"

24 seconds
463 objects
found 0 threats

Re: Trojan: PSW.OnlineGames4.ALGT

Please download aswMBR.exe (511 KB) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan.

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
**********************************************

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

Re: Trojan: PSW.OnlineGames4.ALGT

Thanks for the additional investigation!

I downloaded and am running the aswMBR.exe. Did you want me to download the Avast virus definitions file and have it perform an AV scan (quickscan?) also? It was the default so I did it. The scan has been running almost 30 minutes - it often takes several minutes per file. Please let me know if I should end it and restart. I did notice others had similar long scan periods (i.e. 15 hours!) running this tool with AV scan.

Re: Trojan: PSW.OnlineGames4.ALGT

Ok - the scan completed shortly after I posted that previous message.

Unfortunately, in the middle of the virus scan, my AVG Detection window popped back up for the first time since I posted it stopped - BUMMER!! Same detection as before (see previous posts for screen shots.)

Also, after the aswMBR was done, my screen started freaking out - flashing scrambled spots on the screen (I have a screen shot if you are interested.) I rebooted the laptop and it stopped.

I then ran the RogueKiller. Here are the output files:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-04-25 21:05:03
-----------------------------
21:05:03.733 OS Version: Windows x64 6.1.7601 Service Pack 1
21:05:03.733 Number of processors: 4 586 0x100
21:05:03.733 ComputerName: MICHAEL-HP UserName: Michael
21:05:05.527 Initialize success
21:06:53.372 AVAST engine defs: 13042501
21:07:21.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000006b
21:07:21.046 Disk 0 Vendor: Hitachi_ JEDO Size: 610480MB BusType: 11
21:07:21.187 Disk 0 MBR read successfully
21:07:21.187 Disk 0 MBR scan
21:07:21.202 Disk 0 Windows 7 default MBR code
21:07:21.202 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
21:07:21.234 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 595236 MB offset 409600
21:07:21.265 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 14940 MB offset 1219452928
21:07:21.280 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 1250050048
21:07:21.421 Disk 0 scanning C:\Windows\system32\drivers
21:07:33.246 Service scanning
21:08:05.148 Modules scanning
21:08:05.163 Disk 0 trace - called modules:
21:08:05.179 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
21:08:05.195 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80062ce060]
21:08:05.210 3 CLASSPNP.SYS[fffff8800190843f] -> nt!IofCallDriver -> [0xfffffa8006145b10]
21:08:05.226 5 hpdskflt.sys[fffff880018af189] -> nt!IofCallDriver -> [0xfffffa8005d4e040]
21:08:05.226 7 amd_xata.sys[fffff8800110b8f7] -> nt!IofCallDriver -> \Device\0000006b[0xfffffa8005d55060]
21:08:06.848 AVAST engine scan C:\Windows
21:08:11.934 AVAST engine scan C:\Windows\system32
21:11:35.280 AVAST engine scan C:\Windows\system32\drivers
21:11:50.225 AVAST engine scan C:\Users\Michael
21:42:50.072 AVAST engine scan C:\ProgramData
21:45:50.252 Scan finished successfully
21:47:05.632 Disk 0 MBR has been saved successfully to "C:\Users\Michael\Desktop\MBR.dat"
21:47:05.632 The log file has been saved successfully to "C:\Users\Michael\Desktop\aswMBR.txt"




RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Michael [Admin rights]
Mode : Scan -- Date : 04/25/2013 22:16:40
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskmgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS547564A9E384 SATA Disk Device +++++
--- User ---
[MBR] ea2873f04f92b7f37995ddbf1f3d8b72
[BSP] 8cf892ae4bead2ef24e2536e5326c410 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 595236 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1219452928 | Size: 14940 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1250050048 | Size: 103 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] a4a6b4f4b5b86f3996d39856df6e44d0
[BSP] 8cf892ae4bead2ef24e2536e5326c410 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 77824 Mo
1 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 159793152 | Size: 400 Mo

Finished : << RKreport[1]_S_04252013_02d2216.txt >>
RKreport[1]_S_04252013_02d2216.txt



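The "MBR Check" block at the end of the RogueKiller report above hashes the boot sector as seen by a normal (User) read and again via a low-level read (LL2), then decodes the partition table from each; a differing [MBR] hash with an identical [BSP] hash means the boot code agrees but the partition entries do not, which is why the report says "User != LL2 ... KO!" and why the helper wants to review the log before anything is acted on. The following script, an added example that is not part of the thread or of RogueKiller, shows how such a comparison works: it builds two 512-byte MBR images whose partition tables are constructed to mirror the two tables in the report (not real disk data), parses them, and compares the hashes. Treating the first 440 bytes as the "BSP" boot-strap code is this example's assumption about what that field covers.

```python
"""Added example: parse an MBR partition table and compare two reads of the same sector,
in the spirit of RogueKiller's User-vs-LL2 "MBR Check". Sample sectors are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
SECTORS_PER_MB = 2048     # the report gives sizes in MB ("Mo"); 1 MB = 2048 x 512-byte sectors
BOOT_CODE_LEN = 440       # assumed extent of the boot-strap code hashed as [BSP]
TABLE_OFFSET = 446        # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TYPE_NAMES = {0x07: "NTFS", 0x0C: "FAT32-LBA"}


def build_mbr(entries, boot_code=b"\x33\xc0\x8e\xd0\xbc\x00\x7c"):
    """Build a 512-byte MBR from (active, type_id, offset_sectors, size_mb) tuples (constructed data)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x90")   # pad the fake boot code with NOPs
    disk_sig = b"\x00" * 6                           # 4-byte disk signature + 2 reserved bytes
    table = b""
    for active, type_id, offset, size_mb in entries:
        status = 0x80 if active else 0x00
        # CHS fields are ignored on LBA-addressed disks and are left zero here.
        table += struct.pack(ENTRY_FMT, status, b"\0\0\0", type_id, b"\0\0\0",
                             offset, size_mb * SECTORS_PER_MB)
    table = table.ljust(64, b"\x00")                 # unused entries stay all-zero
    return code + disk_sig + table + b"\x55\xaa"


def parse_mbr(sector):
    """Return the populated partition entries as dicts; reject sectors without the 0x55AA signature."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, _, type_id, _, offset, count = struct.unpack(ENTRY_FMT, raw)
        if type_id == 0:
            continue                                 # empty slot
        parts.append({"index": i, "active": status == 0x80,
                      "type": TYPE_NAMES.get(type_id, "0x%02x" % type_id),
                      "offset": offset, "size_mb": count // SECTORS_PER_MB})
    return parts


def mbr_check(user_view, ll2_view):
    """Hash both reads as a whole ([MBR]) and their boot code ([BSP]) and say whether they agree."""
    def md5(data):
        return hashlib.md5(data).hexdigest()
    return {
        "user_mbr": md5(user_view), "ll2_mbr": md5(ll2_view),
        "user_bsp": md5(user_view[:BOOT_CODE_LEN]), "ll2_bsp": md5(ll2_view[:BOOT_CODE_LEN]),
        "sector_match": user_view == ll2_view,
        "boot_code_match": user_view[:BOOT_CODE_LEN] == ll2_view[:BOOT_CODE_LEN],
    }


def format_report(user_view, ll2_view):
    """Render the comparison in the same layout as the RogueKiller "MBR Check" section."""
    lines = []
    for label, view in (("User", user_view), ("LL2", ll2_view)):
        lines.append("--- %s ---" % label)
        lines.append("[MBR] " + hashlib.md5(view).hexdigest())
        lines.append("[BSP] " + hashlib.md5(view[:BOOT_CODE_LEN]).hexdigest())
        lines.append("Partition table:")
        for p in parse_mbr(view):
            flag = "ACTIVE" if p["active"] else "XXXXXX"
            lines.append("%d - [%s] %s Offset (sectors): %d | Size: %d Mo"
                         % (p["index"], flag, p["type"], p["offset"], p["size_mb"]))
    verdict = mbr_check(user_view, ll2_view)
    lines.append("User == LL2 ... OK!" if verdict["sector_match"] else "User != LL2 ... KO!")
    return "\n".join(lines)


# Constructed sample sectors mirroring the two tables in the report (not real disk images).
USER_MBR = build_mbr([(True, 0x07, 2048, 199), (False, 0x07, 409600, 595236),
                      (False, 0x07, 1219452928, 14940), (False, 0x0C, 1250050048, 103)])
LL2_MBR = build_mbr([(False, 0x07, 409600, 77824), (False, 0x0C, 159793152, 400)])

if __name__ == "__main__":
    print(format_report(USER_MBR, LL2_MBR))
```

Because both constructed sectors share the same boot code, the [BSP] hashes come out identical while the [MBR] hashes differ, exactly the pattern in the report above; a real mismatch of this kind is a signal for the analyst to inspect the low-level read, not something to "fix" automatically.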