Ultimately Hijacked by Trojan/Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by r1d5g7, Oct 24, 2011.

  1. r1d5g7

    r1d5g7 Private E-2

    OK, so I'm working on this computer that has been completely taken over by a trojan. I'm getting a long number in the processes, 3203397148:3809022017.exe. This process cannot be terminated. Every attempt to install any malware removal tool (Malwarebytes, Spybot, AVG and every other snippet I could find here on Geeks) fails. Most won't even open. Malwarebytes came the closest: it installed and ran, but a few seconds into the scan the trojan terminated it, then access denied after. I've been doing all this in safe mode; in normal mode the keyboard is toast, and the mouse and USB too. I've managed to get the USB and keyboard working, but no mouse in safe or normal mode. I need some combat force help here! I could format, but that's a last resort. I'm also worried the virus could have made it to the restore partition. Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You have a ZeroAccess infection. ComboFix has been successful in removing this. You will find ComboFix in the below cleaning procedure.

    READ & RUN ME FIRST. Malware Removal Guide

    Since you have not been successful with other antispyware programs, just skip to ComboFix in the above ( under the cleaning section for your Windows version ) also run MGtools and attach the logs from both ComboFix and MGtools.

    You may be having problems with your keyboard and mouse because the drivers for them have been infected.
     
  3. r1d5g7

    r1d5g7 Private E-2

    I still did all the steps just to give it another go. :p Ran ComboFix; ComboFix told me to run it again if the net didn't work, and the trojan killed it the second go round. The trojan has killed my WinRAR, so no RootRepeal. Couldn't run MGtools either. Here's the log from the first ComboFix. Thanks
     

    Attached Files:

    • log.txt
      File size:
      20.3 KB
      Views:
      8
  4. r1d5g7

    r1d5g7 Private E-2

    OK, the agcsclean won't run in safe mode, but I got ComboFix to run again and MGtools ran; here's the MG log. RootRepeal or agcsclean said wrong version of Windows. It's Vista, so it must be the trojan.
     
  5. r1d5g7

    r1d5g7 Private E-2

    Forgot to add the log.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not something we asked you to run so you should not be trying to run it whatever it is. You should only be doing what we ask you to do.

    ComboFix found and attempted to fix a lot of problems including the ZeroAccess infection. As you can see from this log, quite a few programs on your PC were infected and may have to be reinstalled to allow them to work again.


    Let's continue.


    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Now please also download MBRCheck to your desktop.

    See the download links under this icon.
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Uninstall the below old versions of software:
    Java(TM) 6 Update 13
    Java(TM) 6 Update 5
    LiveUpdate (Symantec Corporation)

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Allow your PC to boot into normal startup mode now to continue with the below!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from TDSSkiller
    • the log from MBRcheck
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. r1d5g7

    r1d5g7 Private E-2

    OK, I couldn't run the analyse.exe ("HijackThis").
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exactly what happened when you tried to run it?

    I still see LiveUpdate (Symantec Corporation). Did you attempt to uninstall it as requested?


    Okay, some parts of the last fix worked and some did not. So we will try another fix.

    The log from MBRcheck shows that you may have an MBR infection. Do you have all important data backed up and do you have your Windows Vista Boot DVD?

    Please see step 4 of the READ & RUN ME FIRST and use MSConfig to put your PC into Normal Startup mode as was requested.



    Please download DummyCreator.zip by farbar and unzip it to your Desktop
    • Run the DummyCreator.exe file by right clicking on it and selecting Run As Administrator.
    • Copy and paste the following into the edit box:

      C:\Windows\3203397148
    • Press Create button and post the result here.
    Important: Restart the computer immediately and then continue with the below.




    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. r1d5g7

    r1d5g7 Private E-2

    The HijackThis said I did not have permission to access. Couldn't uninstall the LiveUpdate; it says this action is only valid for products that are currently installed. The data is backed up. No Vista boot disk, it only has a recovery partition.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, complete the rest of my instructions
     
  11. r1d5g7

    r1d5g7 Private E-2

    Hey, everything ran. Had to restart for the MG log, but it ran after the restart. I think I saw it say access denied on the analyse.exe. The internet still won't work. ComboFix told me the malware was attached to my TCP/IP stack. It will connect to the router but will not identify the internet. Proxy is not enabled. Thanks for your help, m8
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    Hi r1d5g7,
    chaslang is unable to respond at the moment so I will help you with your remaining malware problems.

    If something here does not run as expected, make a note of what problems you encountered, but at least try to complete all steps listed here!

    Please download OTL by Old Timer to your desktop.
    • See the download links under this icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      %systemdrive%\MGtools
      %systemdrive%
      %userprofile%\desktop
      hklm\software\microsoft\windows\currentversion\run|exe /rs
      hklm\software\microsoft\windows\currentversion\runonce|exe /rs
      
    • Now click the scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

    Please download Windows Repair by Tweaking.com to your desktop.
    • See the download links under this icon: [​IMG]
    • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
    • Now open this folder and double-click Repair_Windows.exe.
    • Click the Start Repairs tab on the far right.
    • Click Custom Mode so there is a bullet in it.
    • Click the Start button (bottom right)
      Note: When asked if you would like to create a restore point. It is recommended just in-case something does not go as planned.
    • Click Unselect All
    • Put a checkmark in the following items:
      • Reset Registry Permissions
      • Reset File Permissions
      • Remove Policies Set By Infections
      Note: Leave everything else unchecked
    • Put a checkmark in Restart System When Finished
    • Now click the Start button (bottom right)

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)
     
    Last edited: Nov 5, 2011
  13. r1d5g7

    r1d5g7 Private E-2

    Got an error on the diag; screenshot attached. Everything ran, I have the logs. Not sure about the Tweaking tool; it kinda seemed like it just got shut off.
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    Do this while I review the rest of your logs.

    Please download SystemLook by jpshortstuff to your desktop.
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      *ipsec*
      :filefind
      ipsec.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your desktop, entitled SystemLook.txt
     
  15. r1d5g7

    r1d5g7 Private E-2

    Here's the file. Thanks, m8
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    Please download GrantPerms by Farbar to your desktop.
    • Open GrantPerms.zip and extract GrantPerms.exe to your desktop.
    • Run GrantPerms.exe by double-clicking on it. (Vista and Win7 right-click and select Run as administrator)
    • Copy the text in the below code box and paste it into the text-field available in GrantPerms.
      Code:
      C:\Windows\SMINST
      
    • Now click the Unlock button.
    • Click the OK button when you see Unlock operation completed.
    • Now click the List Permissions button.
      Note: Notepad will open afterwards.
    • This Perms.txt log file is on your desktop.
    • Attach Perms.txt to your next message. (How to attach items to your post)

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the text-field.
      Code:
      :processes
      killallprocesses
      :otl
      FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
      FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll File not found
      O4 - HKU\S-1-5-21-2172796819-2331580506-2278859845-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe ()
      [2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
      [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
      [2011/10/28 20:05:47 | 000,005,710 | ---- | M] () -- C:\ProgramData\LuUninstall.LiveUpdate
      @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:206E2596
      :services
      :files
      C:\Windows\System32\drivers\0200~1
      C:\Program Files\Viewpoint
      C:\Program Files\Eusing Free Registry Cleaner
      xcopy %temp%\smtmp\1 "%programdata%\start menu" /s /i /h /y /c
      xcopy %temp%\smtmp\2 "%appdata%\microsoft\internet explorer\quick launch" /s /i /h /y /c
      xcopy %temp%\smtmp\3 "%appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
      xcopy %temp%\smtmp\4 "%programdata%\desktop" /s /i /h /y /c
      dir "C:\Windows\SMINST\" /c
      netsh int ip reset resetlog.txt /c
      netsh winsock reset /c
      ipconfig /flushdns /c
      :reg
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SpybotSD TeaTimer"=-
      :commands
      [purity]
      [emptytemp]
      
    • Now click the fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)
    • Now open OTL again and click the scan button
      Note: This automatically updates the OTL.txt log on your desktop.
    • Attach OTL.txt to your next message. (How to attach items to your post)

    Please re-run ComboFix by right-mouse clicking ComboFix.exe and selecting "Run as Administrator". Allow it to update itself if prompted!
    When finished, attach its newest log. (How to attach items to your post)

    Now retry running Win32KDiag.exe using the same instructions as before.
    Then attach its latest log. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
  17. r1d5g7

    r1d5g7 Private E-2

    Man, this is one pain in the $$$ agent. I hope all the bad things in the world happen to the inventor, and to him/her only, LoL. Anyways, still not identifying my network, and the Win32kDiag had a different error; screen included.
     

    Attached Files:

  18. r1d5g7

    r1d5g7 Private E-2

    Here is the rest of them, max upload.
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    It can be quite stubborn. Let's go ahead and fix your Master Boot Record (MBR) before going further.

    You have all your important data backed up right? This is important as sometimes attempting to fix the MBR can result in the PC not booting up properly. However, this very rarely happens.

    Do you have your Windows Vista DVD? We need it to restore a clean MBR.

    If you do not have your Vista DVD, you can create one with the Recovery Console (which is really all we need), here: Download Windows Vista 32-Bit (x86) Recovery Disc. Use a program such as ImgBurn to burn the bootable image (we want to be able to boot from this CD/DVD).

    1. Insert the CD/DVD
    2. Reboot your computer
    3. At the Hewlett Packard (HP) splash screen, press Esc
    4. This takes you to the Boot Menu
    5. Select CD/DVD Rom from the selection by using the Down / Up arrows (Note: It will probably be TSSTcorp CDDVDW TS-L633A ATA Device or something similar [according to your logs])
    6. Press ENTER after you have selected the CD/DVD Rom drive.
    7. You'll hear the DVD spinning up; be ready to press ANY key when you see the "press any key to boot from CD/DVD" message.

    • This takes a while to load (30-45 seconds)
    • When the setup screen appears, choose Repair your computer
    • On the next screen, press Next
    • On the screen after that, choose Command Prompt, which is at the bottom of the list.
    • A black box appears on top of the previous screen. This is the command prompt.
    • Now type in: bootrec /fixmbr and press ENTER afterwards.
    • Note: There is only a SPACE after bootrec
    • bootrec will report the result of the operation.
    • Type exit and press ENTER.
    • Now restart your computer WITHOUT booting off the DVD again (don't press a key when it says... "press any key to boot from cd/dvd...")

    Once back in Windows.. Re-run MBRCheck and attach its latest log.
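Added example, not part of this thread or of MBRCheck/bootrec: the PowerShell below does from an elevated prompt what the MBRCheck step asks for, and adds the step a practitioner wants before bootrec /fixmbr overwrites sector 0, namely a copy of the original sector. It reads the first 512 bytes of \\.\PhysicalDrive0 through a CreateFile P/Invoke, checks the 0x55AA signature and the four partition entries, and hashes the 440-byte boot code. The boot-code whitelist is an assumed input (SHA-256 values you collect from clean machines of the same Windows version); no real hash is embedded, and PhysicalDrive0 is assumed to be the boot disk.

```powershell
# Added example, not from the thread: inspect and back up the MBR before bootrec /fixmbr.
# Run from an elevated PowerShell prompt (raw disk access needs administrator rights).

Add-Type -Namespace RawDisk -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFile(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

function Read-Mbr([string]$Device = '\\.\PhysicalDrive0') {
    # GENERIC_READ (0x80000000), FILE_SHARE_READ|FILE_SHARE_WRITE (3), OPEN_EXISTING (3).
    # PowerShell parses 0x80000000 as a negative Int32, so build the flag from decimal.
    $GENERIC_READ = [uint32]2147483648
    $handle = [RawDisk.Native]::CreateFile($Device, $GENERIC_READ, 3, [IntPtr]::Zero, 3, 0, [IntPtr]::Zero)
    if ($handle.IsInvalid) {
        throw "CreateFile($Device) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $stream = New-Object IO.FileStream($handle, [IO.FileAccess]::Read)
    try {
        # Raw device reads must be whole sectors; the MBR is exactly the first one.
        $sector = New-Object byte[] 512
        if ($stream.Read($sector, 0, 512) -ne 512) { throw "short read from $Device" }
        return ,$sector     # leading comma keeps the byte[] from being unrolled
    } finally { $stream.Close() }
}

function Test-Mbr([byte[]]$Sector, [string[]]$KnownGoodBootCode = @()) {
    if ($Sector.Length -ne 512) { throw 'MBR must be exactly 512 bytes' }
    $findings = @()
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { $findings += 'boot signature 0x55AA missing' }

    # MBRCheck's "non-standard or infected MBR" verdict is a hash of the boot code
    # (bytes 0-439) against a whitelist; here the whitelist is whatever you pass in.
    $sha  = [Security.Cryptography.SHA256]::Create()
    $hash = ([BitConverter]::ToString($sha.ComputeHash($Sector, 0, 440)) -replace '-', '').ToLower()
    if ($KnownGoodBootCode.Count -eq 0) {
        $findings += "boot code SHA-256 $hash (no baseline supplied, cannot judge)"
    } elseif ($KnownGoodBootCode -notcontains $hash) {
        $findings += "boot code SHA-256 $hash is not in the baseline: non-standard or infected MBR"
    }

    # Partition table: four 16-byte entries starting at offset 446.
    $parts = @(); $active = 0
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        $status = $Sector[$o]; $type = $Sector[$o + 4]
        if ($type -eq 0) { continue }                                  # unused slot
        if ($status -ne 0x00 -and $status -ne 0x80) {
            $findings += ('partition {0}: invalid status byte 0x{1:X2}' -f $i, $status)
        }
        if ($status -eq 0x80) { $active++ }
        $parts += New-Object PSObject -Property @{
            Index = $i; Active = ($status -eq 0x80); Type = ('0x{0:X2}' -f $type)
            StartLBA = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    if ($active -ne 1) { $findings += "$active bootable (active) partitions, expected exactly one" }
    $sorted = @($parts | Sort-Object StartLBA)
    for ($j = 1; $j -lt $sorted.Count; $j++) {
        $prev = $sorted[$j - 1]
        if ($sorted[$j].StartLBA -lt ($prev.StartLBA + $prev.Sectors)) {
            $findings += "partitions $($prev.Index) and $($sorted[$j].Index) overlap"
        }
    }
    New-Object PSObject -Property @{ BootCodeSha256 = $hash; Partitions = $parts; Findings = $findings }
}

# Usage: save the sector first, then judge it.
$mbr    = Read-Mbr
$backup = Join-Path $env:USERPROFILE ('Desktop\mbr-PhysicalDrive0-{0:yyyyMMdd-HHmmss}.bin' -f (Get-Date))
[IO.File]::WriteAllBytes($backup, $mbr)                 # this is what bootrec /fixmbr will overwrite
$result = Test-Mbr -Sector $mbr -KnownGoodBootCode @()   # put your baseline hashes here (assumed input)
$result.Partitions | Sort-Object Index | Format-Table Index, Active, Type, StartLBA, Sectors -AutoSize
$result.Findings
"Backup written to $backup"
```

bootrec /fixmbr rewrites only the boot code and leaves the partition table alone, so a finding about overlapping or oddly flagged partitions will not go away after running it. If the machine does not come up afterwards, the saved .bin is the only copy of the old sector; putting it back needs a raw sector write from a rescue environment, which is why the copy is taken first.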
     
  20. r1d5g7

    r1d5g7 Private E-2

    This dang HP doesn't come with a disk anymore :( just a recovery partition, that is why I haven't just reformatted this mug. The link doesn't work for the recovery disk.
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  22. r1d5g7

    r1d5g7 Private E-2

    Here's the log. No net still. It still says Identifying.....
     

    Attached Files:

  23. thisisu

    thisisu Malware Consultant

    OK, your MBRCheck log looks good now.

    Can you upload the below files to VirusTotal for analysis and let me know the results.
    • c:\windows\system32\drivers\smb.sys
    • c:\windows\system32\Drivers\COH_Mon.sys

    Please download a new TDSSKiller from a clean computer and run it on the infected computer.
    In the Change Parameters field, select "Verify driver digital signatures" and "Detect TDLFS File System" and then Scan. Do not attempt to fix anything it detects (if anything). Just select Skip for all and then attach the log.

    Please download The Avenger by Swandog46 to your desktop.
    • See the download links under this icon.
    • Open avenger.zip and extract avenger.exe to your desktop
    • Run avenger.exe by double-clicking on it.
    • Click OK at the warning to continue to use The Avenger.
      Note: Do not change any of the check box options!
    • Shut down your protection software now to avoid possible conflicts.
    • Copy everything in the code box below, and paste it into the Input script here: text-field.
      Code:
      Files to delete:
      C:\Windows\System32\drivers\0200~1
      Folders to delete:
      C:\Program Files\Viewpoint
      C:\Program Files\Eusing Free Registry Cleaner
      
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    • Attach avenger.txt to your next message. (How to attach items to your post)

    Now try the following: Complete reinstall of TCP/IP stack

    Running a new scan with OTL...
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the [​IMG] text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      afd.sys
      atapi.sys
      COH_Mon.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      netbios.sys
      regedit.exe
      services.exe
      smb.sys
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\software\microsoft\windows\currentversion\run|exe /rs
      hklm\software\microsoft\windows\currentversion\runonce|exe /rs
      
    • Now click the [​IMG] button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be a log file entitled OTL.txt on your desktop.
    • Attach OTL.txt to your next message. (How to attach items to your post)
     
    Last edited: Nov 2, 2011
  24. r1d5g7

    r1d5g7 Private E-2

    Here's the VirusTotal analysis for smb.sys
    Code:
    MD5:	7b75299a4d201d6a6533603d6914ab04
    Date first seen:	2009-05-30 01:00:06 (UTC)
    Date last seen:	2011-09-29 20:44:11 (UTC)
    Detection ratio:	0/43
    There's no COH_Mon.sys on the system.

    The directions for Reinstall TCP/IP didn't work for me; he must be using XP or something. I couldn't make any changes to nettcpip.sys because of permissions. I'm guessing that's why I couldn't uninstall the protocol, v4 or v6, and he doesn't specify. By the way, while I was in my Control Panel I saw a Live Systematic Update folder and a Viewpoint folder.

    P.S. I Greatly Appreciate All of the Help I received from you guys, Thanks a million!
     

    Attached Files:

  25. thisisu

    thisisu Malware Consultant

    You did not update TDSSKiller as requested. Please update it and perform a scan again.
     
  26. r1d5g7

    r1d5g7 Private E-2

    Sorry, didn't know an update was out already.
     

    Attached Files:

  27. thisisu

    thisisu Malware Consultant

    Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Shut down your protection software now to avoid possible conflicts.
    Note: This is actually Trend Micro HiJackThis - v2.0.4
    Choose Do a system scan only and select the following lines, but do not click Fix until you exit all Explorer windows and all browser sessions, including the one you are reading in right now:
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DDS::
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    Driver::
    COH_Mon
    FileLook::
    c:\windows\system32\Drivers\COH_Mon.sys
    c:\windows\system32\drivers\smb.sys
    C:\Windows\System32\ping.exe
    C:\Windows\System32\cmd.exe
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    A new scan with SystemLook by jpshortstuff.
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :reg
      HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\netbt
      HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\afd
      HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\IPNAT
      HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\Tcpip
      HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\smb
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your desktop, entitled SystemLook.txt

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
  28. r1d5g7

    r1d5g7 Private E-2

    I haven't been able to run the analyse.exe for a while now; it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I checked the permissions under options and everything says Allow, and it's not read-only either. Is there any way to reinstall the MGtools?
     
  29. thisisu

    thisisu Malware Consultant

    Yes, but the .bat file I would normally recommend would also remove the rest of our tools from your PC.

    Do this: Delete the entire C:\MGtools folder.
    Now download a new copy of MGtools.exe to the root of your C: drive (not to your desktop!)
    Now run C:\MGtools.exe, let it finish its scan. When it's finished, close the DOS prompt window by "pressing any key".
    Now open C:\MGtools\analyse.exe as instructed before. See if the permissions issue will allow you open it this time.
     
  30. r1d5g7

    r1d5g7 Private E-2

    I remembered using GetPerms by Fubar a while back in the post to get permission to a file. So I did a List Permissions on it and it said Allow. So I did an Unlock anyway, and as soon as I did that the icon came back to normal and it let me run it ;)
     
  31. r1d5g7

    r1d5g7 Private E-2

    These do not exist; I attached the log :D
    Still no internet :(
     

    Attached Files:

  32. thisisu

    thisisu Malware Consultant

    Ok, please attach the SystemLook log as requested.
     
  33. r1d5g7

    r1d5g7 Private E-2

    Dang, I thought I did :-D
     

    Attached Files:

  34. thisisu

    thisisu Malware Consultant

    r1d5g7, please try the below and tell me if the Internet works.

    ==== !!WARNING!! ====
    This is specifically for r1d5g7's computer.
    Do NOT use if you are not r1d5g7

    Attached is tdx.zip which contains two files:
    • tdx.sys
    • tdx.reg
    Extract the tdx.sys file into your C:\Windows\System32\drivers folder
    Extract the tdx.reg file into your desktop.

    Now double-click the tdx.reg file and allow it to merge into the registry.

    Let me know if you got a "successfully merged into the registry" message.

    Regardless of whether the merge was successful, reboot your computer and then proceed with the below directions too:

    Start > All Programs > Accessories > right-mouse click Command Prompt and choose "run as administrator".

    In the command prompt window, type in the following commands in this order, pressing ENTER after each one:
    1. net start afd
    2. net start tdx
    3. net start tcpip
    4. net start nsiproxy
    5. net start dhcp

    Also let me know what error messages you received, if any, while attempting the above.
     

    Attached Files: tdx.zip (38.3 KB)
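As an added example (not code from the thread or from the MajorGeeks tools), the PowerShell check below walks the same driver/service chain, in the order the post gives, from an elevated prompt: it reports whether each entry still exists under the Services registry key, whether the driver file it points to is on disk (with a SHA-256 you can compare against a clean copy), and starts anything that is merely stopped. It assumes only the standard Services key layout and sc.exe output; the service names are the ones listed above.

```powershell
# Added example, not code from the thread: audit and start the network
# driver/service chain that the tdx.reg merge + "net start" steps rebuild.
# Run from an elevated PowerShell prompt. Order matters: each entry
# depends on the ones before it, exactly as in the post.
$chain  = 'afd', 'tdx', 'tcpip', 'nsiproxy', 'dhcp'
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'   # standard Windows location

function Get-ScState([string]$Name) {
    # sc.exe reports kernel drivers as well as Win32 services; Get-Service does not list drivers.
    $out = (sc.exe query $Name 2>&1) -join "`n"
    if ($out -match 'STATE\s+:\s+\d+\s+(\w+)') { return $Matches[1] }
    return 'NO_ENTRY'   # sc.exe says "does not exist" when the service entry is gone
}

foreach ($name in $chain) {
    $key   = Join-Path $svcKey $name
    $state = Get-ScState $name
    if (-not (Test-Path $key)) {
        # This is the symptom the tdx.reg merge repairs: with the driver's registry
        # entry removed, nothing above it in the chain can start either.
        Write-Output ("{0,-9} {1,-9} registry entry missing under {2}" -f $name, $state, $svcKey)
        continue
    }
    $props = Get-ItemProperty $key
    $note  = ''
    if ($props.Type -in @(1, 2)) {          # 1 = kernel driver, 2 = file system driver
        # Driver ImagePath values are often relative to SystemRoot or prefixed with \SystemRoot\ or \??\
        $path = $props.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (Test-Path $path) {
            # Hash of the on-disk driver; compare it with a known-clean copy (e.g. from install media)
            $sha  = (Get-FileHash -Algorithm SHA256 $path).Hash
            $note = "file present sha256=$sha"
        } else {
            $note = "driver file MISSING: $path (restore a clean copy before starting)"
        }
    }
    if ($state -eq 'STOPPED' -and $note -notmatch 'MISSING') {
        sc.exe start $name | Out-Null    # equivalent of "net start <name>" in the post
        $state = Get-ScState $name
    }
    Write-Output ("{0,-9} {1,-9} {2}" -f $name, $state, $note)
}
```

Any entry reported as NO_ENTRY or with a missing driver file is the point in the chain to repair first; the later entries will keep failing until it is back.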
  35. r1d5g7

    r1d5g7 Private E-2

    The tdx was successfully written to the reg. When I restarted, the connection icon has a world on it, "new". It still says identifying when I mouse over or open Network Center, but the internet is working. All the net files were already running. The malware still has the mouse history, but I'm gonna try to find an up-to-date driver. Thanks M8
     
  36. r1d5g7

    r1d5g7 Private E-2

    Ok, the tdx was written to the reg no problem. After reboot I noticed the globe over my computer's icon for the internet connection. I ran the net commands and all the files were already running. So I opened up Firefox and the net is working now. I still don't have the mouse working, but I'm looking for a driver update now that some other things are working. The mouseover on the network connection icon will say Network 3 then switch back to Identifying, but the internet is working, so I dunno. Thanks M8
     
  37. r1d5g7

    r1d5g7 Private E-2

    Ok, the mouse is working after the driver update. Seems like it's quit doing the Identifying after the restart with the mouse installation. As far as my logs go, the malware is gone, correct? I usually recommend that people put AVG and Spybot on their PC and run them weekly after I clean one; would you recommend the same? Thanks for all of your help :major
     
  38. thisisu

    thisisu Malware Consultant

    Can you put your PC back into Normal Startup mode with msconfig and then rerun C:\MGtools\GetLogs.bat. Then attach the latest MGlogs.zip to your next message.

    I just want to make sure nothing else is hiding. The rest of your logs look good though.

    and I'm glad to hear the internet is working again :)
     
  39. r1d5g7

    r1d5g7 Private E-2

    Would you recommend AVG free and spybot to keep the system clean?
     
  40. thisisu

    thisisu Malware Consultant

    Still not in Normal Startup mode.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now reboot and rerun GetLogs.bat. Attach MGlogs.zip

    No.
     
  41. r1d5g7

    r1d5g7 Private E-2

    msconfig says I'm in normal
     
  42. thisisu

    thisisu Malware Consultant

    I know. This happens sometimes, go ahead and run the fixme.reg as requested.
     
  43. r1d5g7

    r1d5g7 Private E-2

    What free programs would you recommend to keep the system clean?
     
  44. r1d5g7

    r1d5g7 Private E-2

    had no problems with the reg edit
     
  45. thisisu

    thisisu Malware Consultant

    Latest logs are clean ;)

    MBAM and SAS - more details below in the final steps.
    Free AntiVirus + Spyware Protection: Ad-Aware

    You're welcome. Surf safely!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  46. r1d5g7

    r1d5g7 Private E-2

    So I kept the computer for a few days to be sure and Ad-Aware already pulled a few problems. I'm worried the recovery partition might have infections or something. Here's the Ad-Aware log. I'm going to go back through the malware removal steps; I'll post logs tomorrow. PS. This one seemed to attach itself to Ad-Aware, so I uninstalled it.
     
  47. thisisu

    thisisu Malware Consultant

    Most likely they are files that ZeroAccess patched. The md5 hash does appear to be faked. I will know more once you attach updated logs.
     
  48. r1d5g7

    r1d5g7 Private E-2

    Been busy playing Mw3 LoL :major
     
  49. thisisu

    thisisu Malware Consultant

    I saw a commercial for that the other day. Looks fun :)

    This is the only file I found that looks somewhat suspicious. My guess is that it's from the Tweaking.com program we ran earlier. You can delete it just to be safe.

    The rest of your logs are clean.

    The files found by Ad-Aware scan are related to the PowerDirector program you have installed. Is it still functioning? If not, you may want to uninstall and reinstall it again. Then see if Ad-Aware picks up the new richvideo.exe as infected.
     