malwarebytes not responding during full scan


  • This topic is locked
82 replies to this topic

#1 twrich

twrich

  • Members
  • 62 posts

Posted 29 December 2012 - 10:34 AM

When running Malwarebytes Pro, the scan stops responding after about 22 min. It shows 92 threats at the time it stops; it always stops on Temp. Internet Files. I ran DDS and will post the two log files. Thank you.
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421
Run by Tim at 23:07:47 on 2012-12-28
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3838.1392 [GMT -6:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Windows\system32\locator.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\RAVCpl64.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Windows\System32\spool\drivers\x64\3\EKIJ5000MUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files (x86)\IOI\ButtonMonitor.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\mobsync.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\hh.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5692
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5692
uProxyServer = hxxp=127.0.0.1:54646
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
uURLSearchHooks: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - <orphaned>
uURLSearchHooks: <No Name>: {9b138bf3-1d40-4e7e-84bb-2975198ad938} -
mURLSearchHooks: MapQuest Toolbar Search Class: {2558d83c-097c-4cf1-9163-ce5ecc36ace2} - C:\Program Files (x86)\MapQuest Toolbar\mapquesttb.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: MapQuest Toolbar Loader: {bd3fd433-147a-482e-a192-614f26e2310c} - C:\Program Files (x86)\MapQuest Toolbar\mapquesttb.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files (x86)\Megaupload\Mega Manager\MegaIEMn.dll
BHO: PriceGongCtrl Class: {D2A2595C-4FE4-4315-AA9B-19DBD6271B71} - C:\Program Files (x86)\PriceGong\1.5.0\PriceGongIE.dll
BHO: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Client\YontooIEClient.dll
TB: MapQuest Toolbar: {9302E698-7E00-43AB-B867-C6E759BC2ADA} - C:\Program Files (x86)\MapQuest Toolbar\mapquesttb.dll
TB: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: MapQuest Toolbar: {9302e698-7e00-43ab-b867-c6e759bc2ada} - C:\Program Files (x86)\MapQuest Toolbar\mapquesttb.dll
TB: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: CouponXplorer: {65c72339-fb1d-4155-84e1-9afacee02d6f} -
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [Apple] rundll32.exe "C:\Users\Tim\AppData\Local\Chat Republic Games\Apple\tczdhs.dll",DllRegisterServerW
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
mRun: [ButtonMonitor] C:\Program Files (x86)\IOI\ButtonMonitor.exe
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [Conime] C:\Windows\System32\conime.exe
mRun: [File Helper] "C:\Program Files (x86)\File Helper\2.5.0.2\FileHelper.exe" --start-trayed
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun: [Nikon Transfer Monitor] C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: [Launcher] C:\Windows\SMINST\launcher.exe
mRunOnce: [1] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" /r /p
dRunOnce: [Shockwave Updater] "C:\Windows\SysWOW64\Adobe\Shockwave 11\SwHelper_1157609.exe" -Update
StartupFolder: C:\Users\Tim\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &Search - <no file>
IE: Download Link Using Mega Manager... - C:\Program Files (x86)\Megaupload\Mega Manager\mm_file.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
LSP: mswsock.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://www.onlineregister.com/gateway/serial/gwCID.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{5CCEEF7A-958B-4437-AE7E-EA7E8FA1EBCB} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{9E7D4302-B517-47F3-88CC-64B552D0C3B5} : DHCPNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
x64-mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5692
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [RtHDVCpl] RAVCpl64.exe
x64-Run: [Skytel] Skytel.exe
x64-Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe
x64-Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - LocalServer32 - <no file>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;C:\Program Files (x86)\Kodak\AiO\Center\ekdiscovery.exe [2010-2-11 300400]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-10-19 398184]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-10-19 682344]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-4-24 483688]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-10-19 24176]
R3 RTL8023x64;Realtek 10/100 NIC Family NDIS x64 Driver;C:\Windows\System32\drivers\Rtnic64.sys [2006-11-2 55640]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2010-4-24 721768]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2010-4-24 269672]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2010-4-24 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2010-4-24 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-4-24 209768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\b57nd60a.sys [2008-1-20 214016]
S3 CAXHWBS2;CAXHWBS2;C:\Windows\System32\drivers\CAXHWBS2.sys [2008-5-12 403968]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\System32\drivers\nx6000.sys [2010-12-2 31744]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-4-25 52736]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2007-12-28 391680]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-17 89920]
.
=============== File Associations ===============
.
FileExt: .scr: scrfile="%1" %*
FileExt: .reg: regfile=regedit.exe "%1" %*
FileExt: .js: JSFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-12-26 15:21:07 0 ----a-w- C:\autoexec.bat
2012-12-14 22:49:28 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 8:03:09.67 ===============
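Reading a DDS "Pseudo HJT Report" by eye is error-prone, so here is an added example (not part of the original thread, and not code from DDS, Malwarebytes or ComboFix) that scans lines in that format for the three things a responder checks first: a signed Windows loader such as rundll32.exe autostarting a DLL from a user-writable directory, a browser proxy pointed at a loopback listener, and browser hooks whose backing file is gone. The sample lines are copied from the log above; the directory list, loader list and severity labels are this example's own assumptions. It also recognises the `uInternet Settings,ProxyServer` spelling that ComboFix uses for the same proxy setting later in the thread.

```python
"""Triage helper for DDS-style 'Pseudo HJT Report' lines.

Added example, not part of the BleepingComputer thread or of the DDS tool.
The sample lines are copied from the posted log; the lists of loader
executables and user-writable directories, and the severity labels, are
assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Autostart locations an unprivileged user (or a drive-by payload) can write to.
# Legitimate autostarts normally live under Program Files or Windows.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\",
                      "\\temporary internet files\\")

# Signed Windows binaries that malware uses to load a DLL or script
# without shipping its own executable.
LOADER_EXES = ("rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "mshta.exe")

AUTORUN_PREFIXES = ("uRun:", "mRun:", "uRunOnce:", "mRunOnce:", "dRunOnce:", "x64-Run:")
HOOK_PREFIXES = ("BHO:", "TB:", "uURLSearchHooks:", "mURLSearchHooks:", "x64-BHO:")


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    line: str


def classify_line(line):
    """Return a Finding for one report line, or None if it looks benign."""
    raw = line.strip()
    low = raw.lower()

    # 1. Browser proxy pointed at the loopback interface: a process on this
    #    machine is sitting between the browser and the network.
    if "proxyserver" in low and re.search(r"(127\.0\.0\.1|localhost):\d+", low):
        return Finding("high", "browser proxy set to a loopback listener", raw)

    # 2. Autostart entries: who runs, and from where.
    if raw.startswith(AUTORUN_PREFIXES):
        uses_loader = any(exe in low for exe in LOADER_EXES)
        in_user_dir = any(d in low for d in USER_WRITABLE_DIRS)
        if uses_loader and in_user_dir:
            return Finding("high", "Windows loader autostarting a payload "
                                   "from a user-writable directory", raw)
        if in_user_dir:
            return Finding("medium", "autostart from a user-writable directory", raw)
        return None

    # 3. Browser hooks with no backing file: dead registrations, but they
    #    record what was installed and should still be removed.
    if raw.startswith(HOOK_PREFIXES) and (low.endswith("<orphaned>") or low.endswith(" -")):
        return Finding("medium", "orphaned browser hook (no file on disk)", raw)
    return None


def triage(log_text):
    """Classify every line of a report; returns only the flagged ones."""
    return [f for f in (classify_line(l) for l in log_text.splitlines()) if f]


def summarize(findings):
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: lines taken from the DDS log posted in this thread.
SAMPLE_LOG = r"""
uProxyServer = hxxp=127.0.0.1:54646
uURLSearchHooks: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [Apple] rundll32.exe "C:\Users\Tim\AppData\Local\Chat Republic Games\Apple\tczdhs.dll",DllRegisterServerW
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
TB: CouponXplorer: {65c72339-fb1d-4155-84e1-9afacee02d6f} -
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample it reports two high findings: the `[Apple]` entry, which uses rundll32.exe to call `DllRegisterServerW` on a randomly named DLL under the user's AppData folder, and the user proxy on 127.0.0.1:54646, which routes Internet Explorer's traffic through a process on the machine itself. The orphaned hooks are only medium: nothing loads, but they mark what was installed. The proxy line is still listed in the ComboFix supplementary scan further down the thread, which is exactly the kind of leftover this check is meant to catch after a cleanup tool has run.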

#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,021 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 29 December 2012 - 02:40 PM

Hi twrich,

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

 

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.




Step 1: Please download and run Combofix:

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<
3. Double click on combofix.exe & follow the prompts.

Notes:
  • Combofix may need to reboot your computer more than once to do its job. This is normal.
  • When finished, it will produce a report for you.

Important:
  • Do not mouseclick combofix's window while it's running. That may cause it to stall.
  • If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

In your next reply, please include:
  • Combofix log
  • How is your computer running now? Please be as descriptive as possible. Include any word-for-word error messages that you may have, and/or screenshots of strange behavior.

Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

My help is free... however, if you want to support my fight against malware, click here (every little bit helps).


#3 twrich

twrich
  • Topic Starter

  • Members
  • 62 posts

Posted 29 December 2012 - 06:56 PM

I am running ComboFix now; it has been running for about 2 hrs. It has stopped on stage #48. Do I let it continue? When I ran DDS earlier it took almost 8 hrs.

#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,021 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 29 December 2012 - 07:45 PM

Thanks for asking. Please allow it to continue to run.

Edited by jntkwx, 29 December 2012 - 07:45 PM.

Regards,
Jason




#5 twrich

twrich
  • Topic Starter

  • Members
  • 62 posts

Posted 30 December 2012 - 10:58 AM

Here is the ComboFix log. I tried to run another full scan and it stopped again at 22 min (not responding) with 91 objects detected.
ComboFix 12-12-29.02 - Tim 12/29/2012 15:46:17.1.3 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3838.1307 [GMT -6:00]
Running from: c:\users\Tim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H2FMYQRE\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files (x86)\Common Files\Uninstall
c:\program files (x86)\Common Files\Uninstall\PAV\Uninstall.lnk
c:\program files (x86)\LP
c:\program files (x86)\PAV
c:\programdata\54844632
c:\programdata\kcehcuj.pad
c:\programdata\Microsoft\Windows\DRM\D78E.tmp
c:\programdata\Microsoft\Windows\DRM\D78F.tmp
c:\programdata\Microsoft\Windows\Start Menu\PAV
c:\programdata\Microsoft\Windows\Start Menu\PAV\Uninstall.lnk
c:\users\Tim\AppData\Local\Chat Republic Games\Apple\tczdhs.dll
c:\users\Tim\AppData\Roaming\165671
c:\users\Tim\AppData\Roaming\Microsoft\Windows\Recent\power point.pptx
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-30 )))))))))))))))))))))))))))))))
.
.
2012-12-28 19:41 . 2012-12-28 19:41 -------- d-----w- c:\program files\CCleaner
2012-12-28 00:05 . 2012-12-28 00:05 118784 ----a-w- c:\programdata\Microsoft\Windows\DRM\FD71.tmp.dat
2012-12-27 22:15 . 2012-12-27 22:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-26 15:20 . 2012-12-26 15:20 -------- d-----w- c:\program files\Enigma Software Group
2012-12-26 15:19 . 2012-12-27 22:03 -------- d-----w- c:\windows\83B952C7F8F34CA3B4C533C85B24E478.TMP
2012-12-26 15:19 . 2012-12-26 15:19 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2012-12-22 19:33 . 2012-12-22 19:33 -------- d-----w- c:\program files (x86)\CouponXplorer_5z
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-14 22:49 . 2012-10-19 19:14 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-06-07 1519304]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bd3fd433-147a-482e-a192-614f26e2310c}]
2009-03-11 19:39 1291560 ----a-w- c:\program files (x86)\MapQuest Toolbar\mapquesttb.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}]
2009-10-08 03:01 288056 ----a-w- c:\program files (x86)\PriceGong\1.5.0\PriceGongIE.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-06-07 02:33 1519304 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-01-21 21:05 194912 ----a-w- c:\program files (x86)\Yontoo Layers Client\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{9302e698-7e00-43ab-b867-c6e759bc2ada}"= "c:\program files (x86)\MapQuest Toolbar\mapquesttb.dll" [2009-03-11 1291560]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-06-07 1519304]
.
[HKEY_CLASSES_ROOT\clsid\{9302e698-7e00-43ab-b867-c6e759bc2ada}]
[HKEY_CLASSES_ROOT\mapquestTb.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{e3a72ce3-87ab-41bc-a506-d0c507d265f3}]
[HKEY_CLASSES_ROOT\mapquestTb.AOLToolBand]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-20 39408]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"ButtonMonitor"="c:\program files (x86)\IOI\ButtonMonitor.exe" [2007-05-11 53248]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2012-02-23 59240]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"File Helper"="c:\program files (x86)\File Helper\2.5.0.2\FileHelper.exe" [2010-05-14 602648]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"Nikon Transfer Monitor"="c:\program files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-16 479232]
"LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-06-07 1564872]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-08 421776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\SysWOW64\Adobe\Shockwave 11\SwHelper_1157609.exe" [2010-05-05 467224]
.
c:\users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-13 20:25]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-13 20:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2007-12-17 5453824]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 225792]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe" [2010-02-08 2041344]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5692
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:54646
IE: Download Link Using Mega Manager... - c:\program files (x86)\Megaupload\Mega Manager\mm_file.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
TCP: DhcpNameServer = 192.168.2.1
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - (no file)
BHO-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
Toolbar-{65c72339-fb1d-4155-84e1-9afacee02d6f} - c:\program files (x86)\CouponXplorer_5z\bar\1.bin\5zbar.dll
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKCU-Run-Apple - c:\users\Tim\AppData\Local\Chat Republic Games\Apple\tczdhs.dll
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-81175361.sys
WebBrowser-{9302E698-7E00-43AB-B867-C6E759BC2ADA} - (no file)
WebBrowser-{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Kodak\AiO\Center\ekdiscovery.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
c:\program files (x86)\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe
c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
c:\program files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
.
**************************************************************************
.
Completion time: 2012-12-30 09:02:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-30 15:02
.
Pre-Run: 198,732,996,608 bytes free
Post-Run: 199,365,505,024 bytes free
.
- - End Of File - - 02F1E18081922A8BD949E4325D1AA23B

#6 twrich (Topic Starter)

Posted 30 December 2012 - 11:03 AM

I also received this error message after reboot:

Run DLL
Error loading C:\users\Tim\AppData\Local\Chat republic games\apple\tczdhs.dll

#7 jntkwx (Malware Response Team)

Posted 30 December 2012 - 08:23 PM

twrich,

If you still get that error when restarting, please let me know.

Step 1: TDSSKiller
  • Download TDSSKiller.exe and save it to your desktop.
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
  • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt.
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply.

Step 2: OTL
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In your next reply, please include:
  • TDSSkiller log
  • OTL log
  • How's your computer running now? Please be as descriptive as possible.

Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

#8 twrich (Topic Starter)

Posted 30 December 2012 - 10:11 PM

I ran TDSSKiller, it didn't find any threats and I clicked on Report and brought up the log, but there is no way to copy and paste. I am running the other scan (OTL) now.

#9 twrich (Topic Starter)

Posted 31 December 2012 - 11:09 AM

OTL froze up (not responding) after about 6 hrs while scanning temp. internet files.

#10 twrich (Topic Starter)

Posted 31 December 2012 - 11:42 AM

Malwarebytes also still not responding after 26 min. 91 objects detected.

#11 jntkwx (Malware Response Team)

Posted 31 December 2012 - 03:06 PM

twrich,

Let's try rebooting into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu with several options. Press the down arrow key on your keyboard until Safe Mode with Networking is selected. Press Enter. Please see here for additional details.

Rerun Malwarebytes
Still in Safe Mode with Networking, open Malwarebytes, click on the Update tab, and click the check for Updates button.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

In your next reply, please include:
  • Malwarebytes log
  • How's your computer running now?

Regards,
Jason


#12 twrich (Topic Starter)

Posted 31 December 2012 - 03:42 PM

Here is the Malwarebytes log; no malicious items detected in quick scan. When I restart I get a message asking if I started this application from user accounts, bitwire filehelper from bitwire techknoledgy. I don't know what this is so I hit cancel.

Malwarebytes Anti-Malware (PRO) 1.70.0.1100
www.malwarebytes.org

Database version: v2012.12.31.09

Windows Vista Service Pack 2 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Tim :: TIM-PC [administrator]

Protection: Disabled

12/31/2012 2:25:36 PM
mbam-log-2012-12-31 (14-25-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 242575
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#13 twrich (Topic Starter)

Posted 31 December 2012 - 05:53 PM

I tried running a Malwarebytes full scan again and aborted it before it froze up. I was able to delete 91 objects and here is the log.

Malwarebytes Anti-Malware (PRO) 1.70.0.1100
www.malwarebytes.org

Database version: v2012.12.31.09

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Tim :: TIM-PC [administrator]

Protection: Enabled

12/31/2012 4:22:39 PM
mbam-log-2012-12-31 (16-22-39).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 112385
Time elapsed: 13 minute(s), 27 second(s) [aborted]

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 51
HKCR\CLSID\{927c6290-8b1f-4673-9046-658843fea0d0} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{9d51d472-88c3-4e12-93ea-8aeafc57b227} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{15F335C1-5CC0-4786-ABB9-06E727FF2D42} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{ae1fb1ef-c142-48d2-8bfa-2730b43e8bea} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{b12e159d-74ba-45b7-ae12-f6d1a71f9e50} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{99395F16-43C8-461E-A1AC-36AC80EF13E4} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{b4fa9c4c-95e4-4f97-ae11-53d374520b46} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.DynamicBarButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.DynamicBarButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{76e9f00f-6852-44fc-b406-bb452f232a1b} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{697fa9f6-da51-4f3c-8f01-fd5daafc18e5} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{4E60D532-F00E-495B-BD0F-75F1B96CC714} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.FeedManager.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.FeedManager (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{48708b86-3672-46f9-89cf-680f8e807b91} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{be1ede40-9c0b-4913-bf21-09f7ab5e270e} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{1BCF3F83-F9A0-4075-B0BC-53128BBC228F} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{b1c38f5a-506f-4f75-80d7-292903e8f87a} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.MultipleButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.MultipleButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{2238806b-78fe-443b-84c0-3c3d7647b8b8} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{ca95ac1f-ebbd-4b84-aa2d-5383d029e534} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{2EEF77F9-4F97-4158-9209-A95B38C38EC1} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.XMLSessionPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.XMLSessionPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2238806B-78FE-443B-84C0-3C3D7647B8B8} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{4ad0f9ab-db53-49fa-9c03-42e6ae1f0c7c} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.Radio.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.Radio (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{627d42c1-e006-4bf2-bb79-d5fc6e0e01f0} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.ScriptButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.ScriptButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{131a1f72-5c50-43cf-ba3e-3ac75df1188b} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{b4685aa8-dbdd-4d8e-9a16-51b64646026a} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{0CD246B5-EC5A-4601-9A8F-C6D21742BB86} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{131A1F72-5C50-43CF-BA3E-3AC75DF1188B} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{2c76e19a-5b10-4018-92dd-54de302114f9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{3852ab8e-1ca9-4b29-846f-092ca8d97969} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{4025F9A4-91CE-4F20-8486-8A3D95564DB3} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.ThirdPartyInstaller.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.ThirdPartyInstaller (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2C76E19A-5B10-4018-92DD-54DE302114F9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{ba1ab335-e597-40cf-a2b7-c28c27e10672} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.UrlAlertButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.UrlAlertButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{46861ec7-fd7a-4197-b4a2-223196de2dcb} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{8221ac18-699f-46c9-8a89-0916cbdb5005} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{41040243-9338-4C91-9457-AD11F56F48E1} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.HTMLPanel.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponXplorer_5z.HTMLPanel (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{46861EC7-FD7A-4197-B4A2-223196DE2DCB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 40
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zauxstb.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zdatact.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zdlghk.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zdyn.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zfeedmg.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zhighin.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zhkstub.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zhttpct.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zidle.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zieovr.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zimpipe.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zmedint.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zmlbtn.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zmsg.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zradio.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zreghk.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zregiet.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zscript.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zskin.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zskplay.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5ztpinst.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zuabtn.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin\T8HTML.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\DRM\FD71.tmp.dat (Trojan.Agent.NIX) -> Quarantined and deleted successfully.
C:\ProgramData\{5F2CE881-C7A5-4F1A-A1C0-A5BFC9A36913}\OFFLINE\6216A4BD\3E688669\stbYahoo8.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.
C:\ProgramData\{5F2CE881-C7A5-4F1A-A1C0-A5BFC9A36913}\OFFLINE\628759C1\3E688669\stbOLEX.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.
C:\ProgramData\{5F2CE881-C7A5-4F1A-A1C0-A5BFC9A36913}\OFFLINE\A26F7F7\3E688669\stbOL.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.
C:\ProgramData\{5F2CE881-C7A5-4F1A-A1C0-A5BFC9A36913}\OFFLINE\A53562F1\3E688669\AIMActiveXDLL.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.
C:\ProgramData\{5F2CE881-C7A5-4F1A-A1C0-A5BFC9A36913}\OFFLINE\B3AC8875\3E688669\stbMsn.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.
C:\ProgramData\{5F2CE881-C7A5-4F1A-A1C0-A5BFC9A36913}\OFFLINE\C3C6C2CD\3E688669\stbIE.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.
C:\ProgramData\{5F2CE881-C7A5-4F1A-A1C0-A5BFC9A36913}\OFFLINE\C41B8701\3E688669\stbAol.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.
C:\ProgramData\{5F2CE881-C7A5-4F1A-A1C0-A5BFC9A36913}\OFFLINE\CE8732D\3E688669\ProductInfo.dll (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\ProgramData\{5F2CE881-C7A5-4F1A-A1C0-A5BFC9A36913}\OFFLINE\D5797E3B\3E688669\stbYahoo9.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.
C:\ProgramData\{5F2CE881-C7A5-4F1A-A1C0-A5BFC9A36913}\OFFLINE\EB91CE86\3E688669\stbdl.exe (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\ProgramData\{5F2CE881-C7A5-4F1A-A1C0-A5BFC9A36913}\OFFLINE\mFileBagIDE.dll\bag\ProductInfo.dll (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\D78E.tmp.vir (Rootkit.ZeroAccess) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\D78F.tmp.vir (Rootkit.ZeroAccess) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\27.12.2012_16.13.54\zasubsys0000\zafs0000\tsk0005.dta (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Tim\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\15c0a0d5-69fd76af (Trojan.Agent.NIX) -> Quarantined and deleted successfully.
C:\Users\Tim\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\21b7eaa8-310e3194 (Spyware.Zeus) -> Quarantined and deleted successfully.

(end)

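A small triage script for the Malwarebytes 1.x log format posted above (an added example, not code from Malwarebytes or from anyone in this thread). It checks each "X Detected: N" header against the detection lines under it, which is how a truncated paste shows up, and separates hits inside ComboFix's (Qoobox) and TDSSKiller's quarantine folders or browser/Java caches from items that were live on the system. The sample log is constructed in the same format from items in this thread; the quarantine-folder and cache-folder lists are assumptions.

```python
"""Triage a Malwarebytes Anti-Malware 1.x text log (added example, not Malwarebytes' code)."""
import re
from collections import Counter
from dataclasses import dataclass

# "Registry Keys Detected: 51", "Files Detected: 40", ...
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)\s*$")
# "<registry key or path> (<threat name>) -> <action>."
HIT_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?\s*$")
# Assumed prefixes of other tools' quarantine folders seen in this thread:
# Qoobox is ComboFix's quarantine, TDSSKiller_Quarantine is TDSSKiller's.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\tdsskiller_quarantine\\")
# Assumed markers for browser / Java caches (dropped payloads, not installed code).
CACHE_MARKERS = ("\\sun\\java\\deployment\\cache\\", "\\temporary internet files\\", "\\content.ie5\\")

@dataclass(frozen=True)
class Hit:
    section: str
    item: str
    threat: str
    action: str

    @property
    def disposition(self):
        """'quarantined' if another tool had already isolated the file,
        'cache' if it sat in a browser/Java cache, otherwise 'live'."""
        low = self.item.lower()
        if low.startswith(QUARANTINE_PREFIXES):
            return "quarantined"
        if any(marker in low for marker in CACHE_MARKERS):
            return "cache"
        return "live"

def parse_mbam_log(text):
    """Return (hits, mismatches); mismatches maps a section to (declared, parsed)
    when its "X Detected: N" header disagrees with the lines under it, which is
    how a truncated paste shows up."""
    hits, declared, parsed = [], {}, Counter()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            declared[section] = int(header.group("count"))
            continue
        # Skip the scan header (before any section), blanks and the
        # "(No malicious items detected)" / "(end)" markers.
        if section is None or not line or line.startswith("("):
            continue
        hit = HIT_RE.match(line)
        if hit:
            hits.append(Hit(section, hit["item"], hit["threat"], hit["action"]))
            parsed[section] += 1
    mismatches = {s: (n, parsed[s]) for s, n in declared.items() if parsed[s] != n}
    return hits, mismatches

def summarize(hits):
    """Count hits per threat family and per disposition."""
    return {"by_threat": Counter(h.threat for h in hits),
            "by_disposition": Counter(h.disposition for h in hits)}

# Constructed sample in the MBAM 1.70 log format, using items from this thread.
SAMPLE_LOG = """Malwarebytes Anti-Malware (PRO) 1.70.0.1100
Database version: v2012.12.31.09

Scan type: Full scan (C:\\|D:\\|)
Time elapsed: 13 minute(s), 27 second(s) [aborted]

Registry Keys Detected: 2
HKCR\\CouponXplorer_5z.FeedManager (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\PreApproved\\{2238806B-78FE-443B-84C0-3C3D7647B8B8} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Files Detected: 5
C:\\Program Files (x86)\\CouponXplorer_5z\\bar\\1.bin\\5zdyn.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\\ProgramData\\Microsoft\\Windows\\DRM\\FD71.tmp.dat (Trojan.Agent.NIX) -> Quarantined and deleted successfully.
C:\\Qoobox\\Quarantine\\C\\ProgramData\\Microsoft\\Windows\\DRM\\D78E.tmp.vir (Rootkit.ZeroAccess) -> Quarantined and deleted successfully.
C:\\TDSSKiller_Quarantine\\27.12.2012_16.13.54\\zasubsys0000\\zafs0000\\tsk0005.dta (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\Users\\Tim\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\40\\21b7eaa8-310e3194 (Spyware.Zeus) -> Quarantined and deleted successfully.

(end)
"""

if __name__ == "__main__":
    found, bad = parse_mbam_log(SAMPLE_LOG)
    for name, (want, got) in bad.items():
        print(f"WARNING: {name} header says {want}, log shows {got} (truncated paste?)")
    print(dict(summarize(found)["by_disposition"]))
    for h in found:
        if h.disposition == "live":
            print("LIVE:", h.threat, h.item)
```

On the sample, the only items that were still live are the CouponXplorer toolbar remnants and the DRM\FD71.tmp.dat dropper; the ZeroAccess and TDSSKiller hits are re-detections of files another tool had already quarantined.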
#14 jntkwx (Malware Response Team)

Posted 01 January 2013 - 12:18 AM

> When I restart I get a message asking if I started this application from user accounts, bitwire filehelper from bitwire techknoledgy. I don't know what this is so I hit cancel.

What is the exact error message you get?

> I tried running a Malwarebytes full scan again and aborted it before it froze up. I was able to delete 91 objects and here is the log.

Good job getting Malwarebytes to remove those things. We're slowly removing the malware.

When you run Malwarebytes and it stops scanning, does it stop on a specific file, and if so, what file?

Also, please try running OTL again, following my previous instructions, and post the log if it finishes.

Regards,
Jason


#15 twrich (Topic Starter)

Posted 02 January 2013 - 08:22 PM

I ran OTL again and it stopped on this file:
c:\windows\system32\config\system profile\appdata\local\microsoft\windows\temporaryinternetfiles\content.IE5\8HN812HR\_utm[9].gif


I ran Malwarebytes and it stopped on this file; I'm pretty sure it's this one every time.

c:\windows\system32\config\system profile\appdata\local\microsoft\windows\temporaryinternetfiles\content.IE5\453G6H10\yJiYmJg%3D%3DScreen=1024x768language=en-usrefer=http%3A%2F%2Fuiadserver.com%2Fte%2Fsa[1].js



