Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

infected with search/redirect virus


  • This topic is locked This topic is locked
31 replies to this topic

#1 Ksoldats

Ksoldats

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 20 November 2012 - 12:40 AM

My laptop is infected with a search virus. I've tried: spybot, TDSSkiller, PCTools registry mechanic and advanced system care 6, as well as the instructions on this site. http://atechjourney.com/google-redirect-virus-remove-manually.html/

it redirects to ihavenet. something and newsbusters

Here's the DDS log.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 1.6.0_32
Run by User at 21:31:18 on 2012-11-19
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.4014.2316 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
AV: Norton 360 *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\windows\system32\atieclxx.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe
C:\windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\System Control Manager\MSIService.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Program Files (x86)\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\windows\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Motorola\Bluetooth\obexsrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskeng.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 6\Monitor.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\windows\system32\Pen_Tablet.exe
C:\Program Files (x86)\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\vVX3000.exe
C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\StikyNot.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\wbem\unsecapp.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://s2.photobucket.com/albums/y12/ksoldats/
uSearch Bar = Preserve
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\5.2.2.3\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\5.2.2.3\ips\ipsbho.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - <orphaned>
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\5.2.2.3\coieplg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\5.2.2.3\coieplg.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [RESTART_STICKY_NOTES] C:\windows\System32\StikyNot.exe
uRun: [Ukefonn] rundll32 "C:\Users\User\AppData\Roaming\C_1145H.dll",XGZYEN
uRun: [Advanced SystemCare 6] "C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [MGSysCtrl] C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
TCP: NameServer = 192.168.1.254 75.153.176.9
TCP: Interfaces\{5DD0D5E2-A502-4000-A584-117A9D396C9E} : DHCPNameServer = 192.168.1.254 75.153.176.9
TCP: Interfaces\{C7E6DA96-BB8C-4E31-BDC5-0D0CC22B7D69} : DHCPNameServer = 192.168.1.254 75.153.176.9
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
x64-Run: [VX3000] C:\windows\vVX3000.exe
x64-Run: [IntelliType Pro] "C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe"
x64-Run: [IntelliPoint] "C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe"
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\2vq908kt.default\
FF - prefs.js: browser.startup.homepage - hxxp://s2.photobucket.com/albums/y12/ksoldats/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=685749&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
FF - plugin: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\2vq908kt.default\extensions\[email protected]\plugins\npLMI64.dll
FF - plugin: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\2vq908kt.default\extensions\[email protected]\plugins\npRACtrl.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll
FF - plugin: C:\windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2012-10-18 21:07; [email protected]; C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\2vq908kt.default\extensions\[email protected]
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: content.notify.ontimer - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.switch.threshold - 750000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 johci;JMicron 1394 Filter Driver;C:\windows\System32\drivers\johci.sys [2010-6-29 20392]
R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2010-12-27 52856]
R0 SymDS;Symantec Data Store;C:\windows\System32\drivers\N360x64\0502020.003\symds64.sys [2012-6-11 450680]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\System32\drivers\N360x64\0502020.003\symefa64.sys [2012-6-11 912504]
R1 anodlwf;ANOD Network Security Filter driver;C:\windows\System32\drivers\anodlwfx.sys [2010-10-15 15872]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.2.1\Definitions\BASHDefs\20120402.001\BHDrvx64.sys [2012-4-2 1160824]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\System32\drivers\dtsoftbus01.sys [2012-6-24 283200]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.2.1\Definitions\IPSDefs\20120411.001\IDSviA64.sys [2012-4-11 488568]
R1 SymIRON;Symantec Iron Driver;C:\windows\System32\drivers\N360x64\0502020.003\ironx64.sys [2012-6-11 171128]
R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\System32\drivers\N360x64\0502020.003\symnets.sys [2012-6-11 386168]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [2012-11-4 464256]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2010-6-29 202752]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files\Motorola\Bluetooth\obexsrv.exe [2010-6-29 637192]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-6-29 13336]
R2 Micro Star SCM;Micro Star SCM;C:\Program Files (x86)\System Control Manager\MSIService.exe [2010-6-29 160768]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\5.2.2.3\ccsvchst.exe [2012-6-11 130008]
R2 NisDrv;Microsoft Network Inspection System;C:\windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe service --> C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe service [?]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2012-11-18 583640]
R2 TabletServicePen;TabletServicePen;C:\windows\System32\Pen_Tablet.exe [2010-12-27 5414184]
R2 WTouchService;WTouch Service;C:\Program Files\WTouch\WTouchService.exe [2010-12-27 127272]
R3 Bluetooth Device Manager;Bluetooth Device Manager;C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe [2010-6-29 4154120]
R3 enecir;ENE CIR Receiver;C:\windows\System32\drivers\enecir.sys [2010-6-29 70656]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-6-29 1028096]
R3 JMCR;JMCR;C:\windows\System32\drivers\jmcr.sys [2010-6-29 140128]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
S2 0083601351911904mcinstcleanup;McAfee Application Installer Cleanup (0083601351911904); [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MOBCleanup;MOBCleanup; [x]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
S3 androidusb;ADB Interface Driver;C:\windows\System32\drivers\androidusb.sys [2009-8-21 31744]
S3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files\Motorola\Bluetooth\audiosrv.exe [2010-6-29 1029896]
S3 BTMCOM;Bluetooth Serial Port;C:\windows\System32\drivers\btmcom.sys [2010-6-29 51200]
S3 BTMHID;BTMHID;C:\windows\System32\drivers\btmhid.sys [2010-6-29 34048]
S3 BTMUSB;Motorola Bluetooth Radio Service;C:\windows\System32\drivers\btmusb.sys [2010-6-29 461312]
S3 enecirhid;ENE CIR HID Receiver;C:\windows\System32\drivers\enecirhid.sys [2010-6-29 14848]
S3 enecirhidma;ENE CIR HIDmini Filter;C:\windows\System32\drivers\enecirhidma.sys [2010-6-29 6656]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;C:\windows\System32\drivers\libusb0.sys [2011-12-19 29184]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\windows\System32\drivers\netr28x.sys [2010-6-29 855328]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\System32\drivers\NETw5s64.sys [2010-1-6 6952960]
S3 qcusbser;ACER USB Device for Legacy Serial Communication;C:\windows\System32\drivers\qcusbser.sys [2009-8-14 120960]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2012-11-2 19456]
S3 RTL8192U;Realtek RTL8192u 802.11n Wireless LAN USB 2.0 Network Adapter;C:\windows\System32\drivers\RTL8192u.sys [2010-10-15 488960]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2012-11-2 57856]
S3 wacmoumonitor;Wacom Mode Helper;C:\windows\System32\drivers\wacmoumonitor.sys [2010-12-25 18216]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2010-9-10 1255736]
.
=============== Created Last 30 ================
.
2012-11-20 02:29:36 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3C578049-6DDA-4142-869E-E833ADD03249}\mpengine.dll
2012-11-20 02:29:25 972192 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3C59F2F3-A360-4B7E-AB46-312DA2A52450}\gapaengine.dll
2012-11-20 02:29:21 9291768 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-20 02:25:21 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CF9F457-79BB-48DC-BA7A-9F0657B749C2}\mpengine.dll
2012-11-20 02:23:16 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-11-20 02:23:13 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-11-20 02:15:32 -------- d-----w- C:\Users\User\AppData\Local\{D96D00DD-8A45-4452-B53D-1C0DAB448589}
2012-11-19 05:10:25 -------- d-----w- C:\$RECYCLE.BIN
2012-11-19 05:03:18 -------- d-----w- C:\Users\User\AppData\Roaming\WTouch
2012-11-19 04:43:21 98816 ----a-w- C:\windows\sed.exe
2012-11-19 04:43:21 256000 ----a-w- C:\windows\PEV.exe
2012-11-19 04:43:21 208896 ----a-w- C:\windows\MBR.exe
2012-11-19 04:43:18 -------- d-s---w- C:\ComboFix
2012-11-19 03:26:27 -------- d-----w- C:\Program Files\Microsoft Mouse and Keyboard Center
2012-11-19 02:20:45 -------- d-----w- C:\Users\User\AppData\Roaming\Auslogics
2012-11-19 02:20:39 -------- d-----w- C:\Program Files (x86)\Auslogics
2012-11-19 02:18:56 -------- d-----w- C:\Users\User\AppData\Roaming\Registry Mechanic
2012-11-19 02:00:58 40408 ----a-w- C:\windows\System32\CleanMFT64.exe
2012-11-19 02:00:57 880640 ----a-w- C:\windows\SysWow64\UniBox10.ocx
2012-11-19 02:00:57 506368 ----a-w- C:\windows\SysWow64\msxml.dll
2012-11-19 02:00:57 212992 ----a-w- C:\windows\SysWow64\UniBoxVB12.ocx
2012-11-19 02:00:57 1101824 ----a-w- C:\windows\SysWow64\UniBox210.ocx
2012-11-19 02:00:47 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2012-11-19 01:12:29 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-11-19 01:12:29 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-11-19 00:18:42 -------- d-----w- C:\Users\User\AppData\Local\{3F4C1D9B-0634-402D-B06D-C6CA1E5DC1AD}
2012-11-17 20:50:19 -------- d-----w- C:\Users\User\AppData\Local\{75C01284-F6E1-4C08-B1FB-BBD656DA956E}
2012-11-17 04:01:08 -------- d-----w- C:\Users\User\AppData\Local\{D52098C7-4F93-4C7E-95AD-9C33BB6799A0}
2012-11-16 01:29:13 -------- d-----w- C:\Users\User\AppData\Local\{5882B3B2-B4E8-4B6E-84A8-32E59F69B4C7}
2012-11-15 03:46:37 -------- d-----w- C:\Users\User\AppData\Local\{AEF32DB7-FCC8-40B2-A054-A1129AE73863}
2012-11-14 01:42:30 95744 ----a-w- C:\windows\System32\synceng.dll
2012-11-14 01:42:30 78336 ----a-w- C:\windows\SysWow64\synceng.dll
2012-11-14 01:42:05 87040 ----a-w- C:\windows\System32\drivers\WUDFPf.sys
2012-11-14 01:42:05 84992 ----a-w- C:\windows\System32\WUDFSvc.dll
2012-11-14 01:42:05 744448 ----a-w- C:\windows\System32\WUDFx.dll
2012-11-14 01:42:05 45056 ----a-w- C:\windows\System32\WUDFCoinstaller.dll
2012-11-14 01:42:05 229888 ----a-w- C:\windows\System32\WUDFHost.exe
2012-11-14 01:42:05 198656 ----a-w- C:\windows\System32\drivers\WUDFRd.sys
2012-11-14 01:42:05 194048 ----a-w- C:\windows\System32\WUDFPlatform.dll
2012-11-14 01:41:29 9728 ----a-w- C:\windows\System32\Wdfres.dll
2012-11-14 01:41:29 785512 ----a-w- C:\windows\System32\drivers\Wdf01000.sys
2012-11-14 01:41:29 54376 ----a-w- C:\windows\System32\drivers\WdfLdr.sys
2012-11-14 01:41:29 2560 ----a-w- C:\windows\System32\drivers\en-US\wdf01000.sys.mui
2012-11-14 01:31:42 3149824 ----a-w- C:\windows\System32\win32k.sys
2012-11-14 01:09:33 -------- d-----w- C:\Users\User\AppData\Local\{633CFF62-BD0D-4591-9E21-6E5178821614}
2012-11-13 06:28:42 -------- d-----w- C:\Users\User\AppData\Local\{A35E44B5-404C-422C-9CFA-82402312E351}
2012-11-13 00:52:35 -------- d-----w- C:\Program Files (x86)\Free Window Registry Repair
2012-11-12 18:27:53 -------- d-----w- C:\Users\User\AppData\Local\{139C8C15-5C95-4AB7-8A20-08E76F220826}
2012-11-12 01:20:56 -------- d-----w- C:\Users\User\AppData\Local\{530A5C90-0803-4372-A45A-B446E1FA2FF0}
2012-11-10 18:49:58 -------- d-----w- C:\Users\User\AppData\Local\{9BBFC0F8-C6B8-464C-90EB-9F95460F4FAB}
2012-11-10 02:02:18 -------- d-----w- C:\Users\User\AppData\Local\{B85B8728-7754-4837-BB67-6F4862098F2E}
2012-11-09 01:16:25 -------- d-----w- C:\Users\User\AppData\Local\{90475E5F-9E05-40A2-99E3-B14FED2620F2}
2012-11-08 01:28:35 -------- d-----w- C:\Users\User\AppData\Local\{5FAB25D5-DB22-497F-AFF0-FD1393887DD3}
2012-11-07 03:41:33 -------- d-----w- C:\Users\User\AppData\Local\{7D62E205-7164-4464-B5AB-B31BE5CB1DC3}
2012-11-07 02:36:27 25472 ----a-w- C:\windows\System32\RegistryDefragBootTime.exe
2012-11-06 15:41:09 -------- d-----w- C:\Users\User\AppData\Local\{8F1E6E2D-D261-433C-9599-60024BEF154D}
2012-11-06 05:21:26 -------- d-----w- C:\ProgramData\ErrorEND64
2012-11-06 01:38:44 -------- d-----w- C:\Users\User\AppData\Local\{5502FA47-528D-47A8-AD6B-09DCB4081F59}
2012-11-05 01:06:22 -------- d-----w- C:\Users\User\AppData\Local\{56D14890-8B6D-440C-A4AC-5DE137FC2008}
2012-11-03 03:59:32 -------- d-----w- C:\ProgramData\IObit
2012-11-03 03:50:54 96768 ----a-w- C:\windows\SysWow64\sspicli.dll
2012-11-03 03:50:54 458712 ----a-w- C:\windows\System32\drivers\cng.sys
2012-11-03 03:50:54 340992 ----a-w- C:\windows\System32\schannel.dll
2012-11-03 03:50:54 307200 ----a-w- C:\windows\System32\ncrypt.dll
2012-11-03 03:50:54 247808 ----a-w- C:\windows\SysWow64\schannel.dll
2012-11-03 03:50:54 220160 ----a-w- C:\windows\SysWow64\ncrypt.dll
2012-11-03 03:50:54 22016 ----a-w- C:\windows\SysWow64\secur32.dll
2012-11-03 03:50:54 154480 ----a-w- C:\windows\System32\drivers\ksecpkg.sys
2012-11-03 03:50:54 1448448 ----a-w- C:\windows\System32\lsasrv.dll
2012-11-03 03:50:16 514560 ----a-w- C:\windows\SysWow64\qdvd.dll
2012-11-03 03:50:16 366592 ----a-w- C:\windows\System32\qdvd.dll
2012-11-03 02:41:05 -------- d-----w- C:\Users\User\AppData\Roaming\IObit
2012-11-03 02:40:59 -------- d-----w- C:\Program Files (x86)\IObit
2012-11-03 02:09:56 -------- d-----w- C:\Program Files (x86)\McAfeeMOBK
2012-11-03 02:09:21 -------- d-----w- C:\Program Files (x86)\McAfee.com
2012-11-03 02:09:16 -------- d-----w- C:\Program Files (x86)\Common Files\McAfee
2012-11-03 02:09:09 -------- d-----w- C:\Program Files\Common Files\McAfee
2012-11-03 02:09:05 -------- d-----w- C:\Program Files\McAfee.com
2012-11-03 02:09:04 -------- d-----w- C:\Program Files\McAfee
2012-11-03 02:08:55 -------- d-----w- C:\Program Files (x86)\McAfee
2012-11-03 01:55:58 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-11-03 01:24:06 256904 ----a-w- C:\windows\SysWow64\drivers\tmcomm.sys
2012-11-03 01:08:17 -------- d-----w- C:\Users\User\AppData\Local\{F3AB987C-87CE-48B0-8898-23E76E454008}
2012-11-02 23:38:36 862664 ----a-w- C:\windows\SysWow64\msvcr110.dll
2012-11-02 23:38:36 828872 ----a-w- C:\windows\System32\msvcr110.dll
2012-11-02 23:38:36 661448 ----a-w- C:\windows\System32\msvcp110.dll
2012-11-02 23:38:36 534480 ----a-w- C:\windows\SysWow64\msvcp110.dll
2012-11-02 23:38:36 50856 ----a-w- C:\windows\System32\drivers\point64.sys
2012-11-02 23:38:36 354264 ----a-w- C:\windows\System32\vccorlib110.dll
2012-11-02 23:38:36 251864 ----a-w- C:\windows\SysWow64\vccorlib110.dll
2012-11-02 23:38:36 1795952 ----a-w- C:\windows\System32\WdfCoInstaller01011.dll
2012-11-02 01:10:28 -------- d-----w- C:\Users\User\AppData\Local\{BE9F5395-A24C-482B-8AD8-A77CA193F8DB}
2012-10-26 00:07:02 -------- d-----w- C:\Users\User\AppData\Local\{4C969A43-44DE-49BC-9761-F8C5DEEDD1ED}
2012-10-25 01:05:10 -------- d-----w- C:\Users\User\AppData\Local\{9866CA89-3F54-4920-B895-C8FFA1745A47}
2012-10-24 04:01:16 -------- d-----w- C:\Users\User\AppData\Local\{F5AFF8F6-A9A6-4FB7-9630-91F768CE34FF}
2012-10-23 00:52:39 -------- d-----w- C:\Users\User\AppData\Local\{1AD2EE98-18F6-47BB-B0A7-9839D317627F}
2012-10-21 18:38:02 -------- d-----w- C:\Users\User\AppData\Local\{799FFA73-18A1-4877-A23F-0F0765C9B93A}
.
==================== Find3M ====================
.
2012-11-16 01:39:18 73656 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-11-16 01:39:18 697272 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-11-14 01:33:37 599040 ----a-w- C:\windows\System32\vbscript.dll
2012-11-14 01:33:37 420864 ----a-w- C:\windows\SysWow64\vbscript.dll
2012-11-14 01:33:37 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
2012-11-14 01:33:37 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2012-11-14 01:33:37 2312704 ----a-w- C:\windows\System32\jscript9.dll
2012-11-14 01:33:37 1800704 ----a-w- C:\windows\SysWow64\jscript9.dll
2012-11-14 01:33:37 173056 ----a-w- C:\windows\System32\ieUnatt.exe
2012-11-14 01:33:37 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe
2012-11-14 01:33:36 1494528 ----a-w- C:\windows\System32\inetcpl.cpl
2012-11-14 01:33:36 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2012-11-14 01:33:36 1392128 ----a-w- C:\windows\System32\wininet.dll
2012-11-14 01:33:36 1129472 ----a-w- C:\windows\SysWow64\wininet.dll
2012-11-03 03:51:44 3174912 ----a-w- C:\windows\System32\rdpcorets.dll
2012-09-29 06:32:08 2177688 ----a-w- C:\windows\System32\coin92.dll
2012-09-22 17:12:37 114688 --sha-r- C:\Users\User\AppData\Roaming\C_1145H.dll
2012-09-14 19:19:29 2048 ----a-w- C:\windows\System32\tzres.dll
2012-09-14 18:28:53 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2012-08-31 18:19:35 1659760 ----a-w- C:\windows\System32\drivers\ntfs.sys
2012-08-31 06:03:48 228768 ----a-w- C:\windows\System32\drivers\MpFilter.sys
2012-08-31 06:03:48 128456 ----a-w- C:\windows\System32\drivers\NisDrvWFP.sys
2012-08-30 18:03:45 5559664 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-08-30 17:12:02 3968880 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2012-08-24 18:05:07 220160 ----a-w- C:\windows\System32\wintrust.dll
2012-08-24 16:57:48 172544 ----a-w- C:\windows\SysWow64\wintrust.dll
2012-08-22 18:12:40 950128 ----a-w- C:\windows\System32\drivers\ndis.sys
2012-08-22 18:12:40 376688 ----a-w- C:\windows\System32\drivers\netio.sys
2012-08-22 18:12:33 288624 ----a-w- C:\windows\System32\drivers\FWPKCLNT.SYS
.
============= FINISH: 21:31:46.32 ===============

any help is greatly appreciated =)

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 19,029 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:54 PM

Posted 20 November 2012 - 11:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs if not up to date can be the cause infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs for my review.

#3 Ksoldats

Ksoldats
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 20 November 2012 - 10:09 PM

Thanks. I have attached the combo fix log because it was the biggest.

here are the other two.

security check

Results of screen317's Security Check version 0.99.54
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Windows Firewall Disabled!
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Java™ 6 Update 32
Java version out of Date!
Adobe Flash Player 11.5.502.110
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (16.0.2)
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Symantec Norton Online Backup NOBuAgent.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

ADWcleaner

# AdwCleaner v2.008 - Logfile created 11/20/2012 at 19:05:51
# Updated 17/11/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : User - USER-MSI
# Boot Mode : Normal
# Running from : C:\Users\User\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\Surf Canyon

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

*************************

AdwCleaner[R1].txt - [684 octets] - [20/11/2012 19:05:51]

########## EOF - C:\AdwCleaner[R1].txt - [743 octets] ##########

#4 Ksoldats

Ksoldats
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 20 November 2012 - 10:10 PM

I'm not sure why the combofix log isn't showing up as an attachment on the previous reply so here it is in all its glory.

ComboFix 12-11-20.02 - User 20/11/2012 18:16:25.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.4014.2566 [GMT -8:00]
Running from: c:\users\User\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\User\AppData\Roaming\C_1145H.dll
c:\windows\SysWow64\URTTemp
c:\windows\SysWow64\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-21 to 2012-11-21 )))))))))))))))))))))))))))))))
.
.
2012-11-21 02:23 . 2012-11-21 02:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-20 02:25 . 2012-10-17 09:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8CF9F457-79BB-48DC-BA7A-9F0657B749C2}\mpengine.dll
2012-11-19 05:03 . 2012-11-19 05:03 -------- d-----w- c:\users\User\AppData\Roaming\WTouch
2012-11-19 03:26 . 2012-11-19 03:26 -------- d-----w- c:\program files\Microsoft Mouse and Keyboard Center
2012-11-19 02:20 . 2012-11-19 02:20 -------- d-----w- c:\users\User\AppData\Roaming\Auslogics
2012-11-19 02:20 . 2012-11-19 02:20 -------- d-----w- c:\program files (x86)\Auslogics
2012-11-19 02:18 . 2012-11-19 02:18 -------- d-----w- c:\users\User\AppData\Roaming\Registry Mechanic
2012-11-19 02:00 . 2010-08-05 16:46 40408 ----a-w- c:\windows\system32\CleanMFT64.exe
2012-11-19 02:00 . 2008-04-02 23:54 1101824 ----a-w- c:\windows\SysWow64\UniBox210.ocx
2012-11-19 02:00 . 2008-04-02 23:53 212992 ----a-w- c:\windows\SysWow64\UniBoxVB12.ocx
2012-11-19 02:00 . 2008-04-02 23:53 880640 ----a-w- c:\windows\SysWow64\UniBox10.ocx
2012-11-19 02:00 . 2004-08-04 15:00 506368 ----a-w- c:\windows\SysWow64\msxml.dll
2012-11-19 02:00 . 2012-11-19 02:00 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-11-19 01:12 . 2012-11-20 02:24 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-11-19 01:12 . 2012-11-19 01:12 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-11-14 01:42 . 2012-11-14 01:42 95744 ----a-w- c:\windows\system32\synceng.dll
2012-11-14 01:42 . 2012-11-14 01:42 78336 ----a-w- c:\windows\SysWow64\synceng.dll
2012-11-14 01:42 . 2012-11-14 01:42 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-11-14 01:42 . 2012-11-14 01:42 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-11-14 01:42 . 2012-11-14 01:42 744448 ----a-w- c:\windows\system32\WUDFx.dll
2012-11-14 01:42 . 2012-11-14 01:42 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-11-14 01:42 . 2012-11-14 01:42 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2012-11-14 01:42 . 2012-11-14 01:42 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-11-14 01:42 . 2012-11-14 01:42 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-11-14 01:41 . 2012-11-14 01:41 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-11-14 01:41 . 2012-11-14 01:41 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-11-14 01:41 . 2012-11-14 01:41 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-11-14 01:41 . 2012-11-14 01:41 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-11-14 01:31 . 2012-11-14 01:31 3149824 ----a-w- c:\windows\system32\win32k.sys
2012-11-13 00:52 . 2012-11-13 01:26 -------- d-----w- c:\program files (x86)\Free Window Registry Repair
2012-11-07 02:36 . 2012-10-13 03:09 25472 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2012-11-06 05:21 . 2012-11-06 05:21 -------- d-----w- c:\programdata\ErrorEND64
2012-11-03 03:59 . 2012-11-05 01:08 -------- d-----w- c:\programdata\IObit
2012-11-03 03:50 . 2012-11-03 03:50 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2012-11-03 03:50 . 2012-11-03 03:50 458712 ----a-w- c:\windows\system32\drivers\cng.sys
2012-11-03 03:50 . 2012-11-03 03:50 340992 ----a-w- c:\windows\system32\schannel.dll
2012-11-03 03:50 . 2012-11-03 03:50 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-11-03 03:50 . 2012-11-03 03:50 247808 ----a-w- c:\windows\SysWow64\schannel.dll
2012-11-03 03:50 . 2012-11-03 03:50 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-11-03 03:50 . 2012-11-03 03:50 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-11-03 03:50 . 2012-11-03 03:50 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-11-03 03:50 . 2012-11-03 03:50 1448448 ----a-w- c:\windows\system32\lsasrv.dll
2012-11-03 03:50 . 2012-11-03 03:50 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-11-03 03:50 . 2012-11-03 03:50 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-11-03 02:41 . 2012-11-06 02:18 -------- d-----w- c:\users\User\AppData\Roaming\IObit
2012-11-03 02:40 . 2012-11-05 01:08 -------- d-----w- c:\program files (x86)\IObit
2012-11-03 02:09 . 2012-11-05 01:04 -------- d-----w- c:\program files (x86)\Common Files\McAfee
2012-11-03 02:09 . 2012-11-05 01:04 -------- d-----w- c:\program files\Common Files\McAfee
2012-11-03 02:09 . 2012-11-03 02:09 -------- d-----w- c:\program files\McAfee
2012-11-03 02:08 . 2012-11-03 02:09 -------- d-----w- c:\program files (x86)\McAfee
2012-11-03 01:24 . 2012-06-05 07:37 256904 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2012-11-02 23:38 . 2012-11-02 23:38 862664 ----a-w- c:\windows\SysWow64\msvcr110.dll
2012-11-02 23:38 . 2012-11-02 23:38 828872 ----a-w- c:\windows\system32\msvcr110.dll
2012-11-02 23:38 . 2012-11-02 23:38 661448 ----a-w- c:\windows\system32\msvcp110.dll
2012-11-02 23:38 . 2012-11-02 23:38 534480 ----a-w- c:\windows\SysWow64\msvcp110.dll
2012-11-02 23:38 . 2012-11-02 23:38 50856 ----a-w- c:\windows\system32\drivers\point64.sys
2012-11-02 23:38 . 2012-11-02 23:38 354264 ----a-w- c:\windows\system32\vccorlib110.dll
2012-11-02 23:38 . 2012-11-02 23:38 251864 ----a-w- c:\windows\SysWow64\vccorlib110.dll
2012-11-02 23:38 . 2012-11-02 23:38 1795952 ----a-w- c:\windows\system32\WdfCoInstaller01011.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-16 02:44 . 2010-09-10 18:24 66395536 ----a-w- c:\windows\system32\MRT.exe
2012-11-16 01:39 . 2012-03-31 00:41 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-16 01:39 . 2011-05-18 00:03 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-29 06:32 . 2012-09-29 06:32 2177688 ----a-w- c:\windows\system32\coin92.dll
2012-09-14 19:19 . 2012-10-14 02:13 2048 ----a-w- c:\windows\system32\tzres.dll
2012-09-14 18:28 . 2012-10-14 02:13 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-08-31 18:19 . 2012-10-14 02:14 1659760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-08-30 18:03 . 2012-10-14 02:14 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-30 17:12 . 2012-10-14 02:14 3968880 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12 . 2012-10-14 02:14 3914096 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-08-24 18:05 . 2012-10-14 02:13 220160 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 16:57 . 2012-10-14 02:13 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ukefonn"="c:\users\User\AppData\Roaming\C_1145H.dll" [BU]
"Advanced SystemCare 6"="c:\program files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe" [2012-09-25 490880]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-05 102400]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"MGSysCtrl"="c:\program files (x86)\System Control Manager\MGSysCtrl.exe" [2010-01-08 2396160]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"SSDMonitor"="c:\program files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-08-05 104408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 0083601351911904mcinstcleanup;McAfee Application Installer Cleanup (0083601351911904); [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MOBCleanup;MOBCleanup; [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2009-08-21 31744]
R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\Motorola\Bluetooth\audiosrv.exe [2010-01-26 1029896]
R3 BTMCOM;Bluetooth Serial Port;c:\windows\System32\Drivers\btmcom.sys [2009-12-14 51200]
R3 BTMHID;BTMHID;c:\windows\system32\DRIVERS\btmhid.sys [2010-01-13 34048]
R3 BTMUSB;Motorola Bluetooth Radio Service;c:\windows\system32\Drivers\btmusb.sys [2010-01-26 461312]
R3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\DRIVERS\enecirhid.sys [2009-05-19 14848]
R3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\DRIVERS\enecirhidma.sys [2008-04-24 6656]
R3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2011-12-20 29184]
R3 MGHwCtrl;MGHwCtrl;c:\program files\msi\msi Software Install\MGHwCtrl.sys [x]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2010-02-08 855328]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2009-09-15 6952960]
R3 qcusbser;ACER USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbser.sys [2009-08-14 120960]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-11-03 19456]
R3 RTL8192U;Realtek RTL8192u 802.11n Wireless LAN USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192u.sys [2008-09-12 488960]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-11-03 57856]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2009-08-27 18216]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-10 1255736]
S0 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys [2009-09-21 20392]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-12-28 52856]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0502020.003\SYMDS64.SYS [2011-01-27 450680]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0502020.003\SYMEFA64.SYS [2011-03-15 912504]
S1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\DRIVERS\anodlwfx.sys [2008-05-06 15872]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.2.1\Definitions\BASHDefs\20120402.001\BHDrvx64.sys [2012-04-02 1160824]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-06-24 283200]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.2.1\Definitions\IPSDefs\20120411.001\IDSvia64.sys [2012-03-07 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0502020.003\Ironx64.SYS [2010-11-16 171128]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0502020.003\SYMNETS.SYS [2011-04-21 386168]
S2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [2012-10-31 464256]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-06-07 202752]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\Motorola\Bluetooth\obexsrv.exe [2009-12-21 637192]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 Micro Star SCM;Micro Star SCM;c:\program files (x86)\System Control Manager\MSIService.exe [2009-07-09 160768]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\5.2.2.3\ccSvcHst.exe [2011-04-17 130008]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe service [x]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-08-05 583640]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-07-15 5414184]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-07-15 127272]
S3 Bluetooth Device Manager;Bluetooth Device Manager;c:\program files\Motorola\Bluetooth\devmgrsrv.exe [2010-01-25 4154120]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-05-20 70656]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-06-30 1028096]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-07-14 140128]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-11-02 50856]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 01:39]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2010-01-12 1702400]
"VX3000"="c:\windows\vVX3000.exe" [2010-05-20 762736]
"IntelliType Pro"="c:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-11-02 1464944]
"IntelliPoint"="c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-11-02 2076272]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://s2.photobucket.com/albums/y12/ksoldats/
TCP: DhcpNameServer = 192.168.1.254 75.153.176.9
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\2vq908kt.default\
FF - prefs.js: browser.startup.homepage - hxxp://s2.photobucket.com/albums/y12/ksoldats/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=685749&p=
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-18 21:07; [email protected]; c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\2vq908kt.default\extensions\[email protected]
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: content.notify.ontimer - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.switch.threshold - 750000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - (no file)
Toolbar-Locked - (no file)
Toolbar-{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - (no file)
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1093270497-3551389573-3982611671-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
c:\program files (x86)\IObit\Advanced SystemCare 6\Monitor.exe
.
**************************************************************************
.
Completion time: 2012-11-20 18:29:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-21 02:29
ComboFix2.txt 2012-11-19 05:09
.
Pre-Run: 158,335,299,584 bytes free
Post-Run: 158,108,622,848 bytes free
.
- - End Of File - - 84D02C920A6DC1C8404BE42600111463

#5 nasdaq

nasdaq

  • Malware Response Team
  • 19,029 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:54 PM

Posted 21 November 2012 - 10:36 AM

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number)..
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 32


===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Yes, install McAfee Security Scan Plus - optional" this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

Open notepad and copy/paste the text in the quote box below into it:

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ukefonn"=-

ClearJavaCache::


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log and let me know what problem persists.

#6 Ksoldats

Ksoldats
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 21 November 2012 - 09:56 PM

here is the second log. so far i am not being redirected.

Thanks.

Attached Files

  • Attached File  log2.txt   24.28KB   2 downloads


#7 nasdaq

nasdaq

  • Malware Response Team
  • 19,029 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:54 PM

Posted 22 November 2012 - 08:51 AM

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#8 Ksoldats

Ksoldats
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 22 November 2012 - 09:12 PM

after I ran combofix, when I start up my computer I now get the following error:

There was a problem starting c:\users\user\appdata\roaming\c_145H.dll
the specified module could not be found.

how do i deal with this?

#9 nasdaq

nasdaq

  • Malware Response Team
  • 19,029 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:54 PM

Posted 23 November 2012 - 08:05 AM

A very similar file was deleted by ComboFix on the first run.

c:\users\User\AppData\Roaming\C_1145H.dll

Your has only 145H....
There was a problem starting c:\users\user\appdata\roaming\c_145H.dll
the specified module could not be found.

Is this a type error or a new file?

Download Combofix again and post a fresh log for my review.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 19,029 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:54 PM

Posted 29 November 2012 - 02:37 PM

Are you still with me?

#11 Ksoldats

Ksoldats
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 29 November 2012 - 03:15 PM

I'm sorry I thought I replied. you are correct the error is

c:\users\User\AppData\Roaming\C_1145H.dll

I have not deleted combo fix again yet. Did you want me to run it again? I saw the warning against running it twice..

thank you.

#12 nasdaq

nasdaq

  • Malware Response Team
  • 19,029 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:54 PM

Posted 30 November 2012 - 09:43 AM

Do not remove ComboFix just yet.

Let find out where the message is coming from.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    C_1145H.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#13 Ksoldats

Ksoldats
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 02 December 2012 - 10:45 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 19:35 on 02/12/2012 by User
Administrator - Elevation successful

========== filefind ==========

Searching for "C_1145H.dll"
No files found.

-= EOF =-

#14 nasdaq

nasdaq

  • Malware Response Team
  • 19,029 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:54 PM

Posted 03 December 2012 - 10:27 AM

My mistake, I wanted to check the registry not for the file.

Run the SystemLook tool again but this time used this script.

:regfind
C_1145H.dll


Post the log.

#15 Ksoldats

Ksoldats
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 05 December 2012 - 09:25 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 18:25 on 05/12/2012 by User
Administrator - Elevation successful

========== regfind ==========

Searching for "C_1145H.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ukefonn"="rundll32 "C:\Users\User\AppData\Roaming

\C_1145H.dll",XGZYEN"
[HKEY_USERS\S-1-5-21-1093270497-3551389573-3982611671-1000\Software

\Microsoft\Windows\CurrentVersion\Run]
"Ukefonn"="rundll32 "C:\Users\User\AppData\Roaming

\C_1145H.dll",XGZYEN"

-= EOF =-




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users