Combofix reports/logs that I would like looked at please?


21 replies to this topic

#1 triley7

  • Members
  • 10 posts

Posted 29 April 2013 - 09:38 AM

Hi


About a month ago my house mate's laptop (Windows 7) was severely infected (see attached screenshot of Adaware scan results). The first thing he noticed was a random website that just came up while he was browsing, saying he was in trouble with the Australian Federal Police, and it had a photo of him on the web page etc. After that his computer ran slow. Connected to the existing router are 3 other computers (2 of which are mine and 1 is my other house mate's, which is brand new so probably not really worth mentioning - she also did not notice anything wrong with her old or new computer), which are all basically networked. After this happened to him I noticed a couple of different (subtle) things on both of my computers that seemed odd. On my Home Theatre (Windows Vista Ultimate) computer I noticed that after I downloaded something in the download window of Firefox the "Clear List" icon was "greyed out" (since upgrading to the latest version it is no longer like that, as it's different now). Also the keyboard seems to sometimes have a mind of its own now; however, I realise that this could just be coincidental and be a problem with the keyboard itself. I scanned it with Adaware (free version) & it didn't pick up anything immediately, but since then it has found "System_Integrity_Check (v)" on 2 occasions (7/4 & 14/4). I had run Combofix before on this computer (advised by a mate who works in IT - can't remember exactly why, think it was running slow etc), so I decided to run it again due to my house mate's computer getting so badly infected and fear of infection via the network. I also ran Combofix on my laptop (XP Service Pack 3) after doing a scan with McAfee and the old version of Adaware, even though they found nothing serious. After I ran Combofix on my laptop I ran Adaware again immediately after, and it found "System_Integrity_Check (v)" also.
Both my laptop, Home Theatre computer & house mate's computer appear to be running fine, except that just a couple of days ago I noticed that the Bluetooth on my laptop is no longer working properly. The UI is different, and when I right-click on the icon and select "Show Bluetooth Devices" nothing happens. If I select "Add a Bluetooth Device" it can't find my phone (Bluetooth definitely on and in discoverable mode). Below are the Combofix reports for all 3 computers:


House mate's computer:

ComboFix 13-04-28.01 - ACER 29/04/2013  15:29:34.3.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.34.3082.18.3767.2259 [GMT 8:00]
Running from: c:\users\ACER\Downloads\ComboFix.exe
AV: Lavasoft Ad-Aware *Disabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
SP: Lavasoft Ad-Aware *Disabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-28 to 2013-04-29  )))))))))))))))))))))))))))))))
.
.
2013-04-29 07:35 . 2013-04-29 07:35    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-04-29 07:23 . 2013-04-29 07:23    --------    d-----w-    c:\users\ACER\AppData\Roaming\Uniblue
2013-04-29 07:23 . 2013-04-29 07:23    --------    d-----w-    c:\program files (x86)\Uniblue
2013-04-24 09:50 . 2013-04-12 14:45    1656680    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-23 03:49 . 2013-04-23 03:49    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-04-23 03:42 . 2013-04-03 21:35    95648    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-04-22 05:04 . 2013-04-22 14:09    --------    d-----w-    c:\program files (x86)\McAfee Security Scan
2013-04-14 02:21 . 2013-04-14 02:21    --------    d-----w-    c:\program files (x86)\Common Files\Skype
2013-04-10 15:17 . 2013-02-15 04:37    3217408    ----a-w-    c:\windows\SysWow64\mstscax.dll
2013-04-10 15:17 . 2013-02-15 03:25    36864    ----a-w-    c:\windows\SysWow64\tsgqec.dll
2013-04-10 15:17 . 2013-02-15 04:34    131584    ----a-w-    c:\windows\SysWow64\aaclient.dll
2013-04-10 15:17 . 2013-02-15 06:08    44032    ----a-w-    c:\windows\system32\tsgqec.dll
2013-04-10 15:17 . 2013-02-15 06:06    3717632    ----a-w-    c:\windows\system32\mstscax.dll
2013-04-10 15:17 . 2013-02-15 06:02    158720    ----a-w-    c:\windows\system32\aaclient.dll
2013-04-10 08:49 . 2013-03-01 03:36    3153408    ----a-w-    c:\windows\system32\win32k.sys
2013-04-10 08:49 . 2013-01-24 06:01    223752    ----a-w-    c:\windows\system32\drivers\fvevol.sys
2013-04-10 08:49 . 2013-03-19 06:04    5550424    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-04-10 08:49 . 2013-03-19 05:04    3968856    ----a-w-    c:\windows\SysWow64\ntkrnlpa.exe
2013-04-10 08:49 . 2013-03-19 05:04    3913560    ----a-w-    c:\windows\SysWow64\ntoskrnl.exe
2013-04-10 08:49 . 2013-03-19 03:06    112640    ----a-w-    c:\windows\system32\smss.exe
2013-04-10 08:49 . 2013-03-19 05:46    43520    ----a-w-    c:\windows\system32\csrsrv.dll
2013-04-10 08:49 . 2013-03-19 04:47    6656    ----a-w-    c:\windows\SysWow64\apisetschema.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-22 05:04 . 2012-04-03 16:18    691592    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-22 05:03 . 2011-06-05 04:34    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-10 16:29 . 2011-05-21 07:49    72702784    ----a-w-    c:\windows\system32\MRT.exe
2013-03-29 13:23 . 2013-02-20 16:20    14456    ----a-w-    c:\windows\system32\drivers\gfibto.sys
2013-03-16 18:28 . 2012-06-22 13:27    861088    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-03-16 18:28 . 2012-06-22 13:27    782240    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-02-12 05:45 . 2013-03-14 05:11    135168    ----a-w-    c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-14 05:11    308736    ----a-w-    c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-14 05:11    111104    ----a-w-    c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 05:45 . 2013-03-14 05:11    350208    ----a-w-    c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 04:48 . 2013-03-14 05:11    474112    ----a-w-    c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-14 05:11    2176512    ----a-w-    c:\windows\apppatch\AcGenral.dll
2013-02-12 04:12 . 2013-03-21 04:23    19968    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-02-11 03:28 . 2013-02-21 02:23    38456    ----a-w-    c:\windows\system32\drivers\gfiark.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{043C5167-00BB-4324-AF7E-62013FAEDACF}]
2011-05-15 19:55    482360    ----a-w-    c:\program files (x86)\vShare\vshare_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2013-02-11 10:47    87464    ----a-w-    c:\program files (x86)\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{043C5167-00BB-4324-AF7E-62013FAEDACF}"= "c:\program files (x86)\vShare\vshare_toolbar.dll" [2011-05-15 482360]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files (x86)\adawaretb\adawareDx.dll" [2013-02-11 87464]
.
[HKEY_CLASSES_ROOT\clsid\{043c5167-00bb-4324-af7e-62013faedacf}]
[HKEY_CLASSES_ROOT\vShare.PugiObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E315C81-442B-431C-AEC8-ED189699EC24}]
[HKEY_CLASSES_ROOT\vShare.PugiObj]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2010-05-27 02:40    120176    ----a-w-    c:\program files (x86)\EgisTec MyWinLocker\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-08-28 3671904]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-02-28 18642024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files (x86)\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-04-13 284696]
"SuiteTray"="c:\program files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2010-05-27 337264]
"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2010-03-11 201584]
"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2010-03-11 407920]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2010-06-28 265984]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2010-08-10 975952]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-03-22 74752]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2013-01-31 542632]
"SearchProtection"="c:\programdata\Search Protection\_run.bat" [2013-02-20 168]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-11 253816]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Assistant du gestionnaire de contenu pour PlayStation®.lnk - c:\program files (x86)\Sony\Content Manager Assistant\CMA.exe [2012-11-13 3359712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SBAMSvc;Ad-Aware;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2012-09-19 3677000]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-08-13 3064000]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-02-28 161384]
R3 csr_a2dp;Perfil AV Bluetooth;c:\windows\system32\drivers\bthav.sys [2009-12-21 78848]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-02-11 38456]
R3 MWLService;MyWinLocker Service;c:\program files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [2010-05-27 305520]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-06-17 246376]
R3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;c:\windows\system32\DRIVERS\sbfwim.sys [2012-09-12 120064]
R3 SBHIPS;SBHIPS;c:\windows\system32\drivers\sbhips.sys [2012-09-19 61216]
R3 sbwtis;sbwtis;c:\windows\system32\DRIVERS\sbwtis.sys [2012-09-19 86816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Servicio de tecnologías de activación de Windows;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-16 1255736]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-03-29 14456]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-09-05 283200]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2009-06-03 22576]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2009-06-03 20016]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2009-06-03 60464]
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-09-19 258848]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2013-03-17 1236336]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe [2010-08-10 321104]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2010-06-11 868896]
S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe [2010-01-08 23584]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-04-13 13336]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2010-06-28 255744]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-09-12 82872]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-18 2320920]
S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2010-01-28 243232]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-04-13 135560]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-26 158976]
S3 IntcDAud;Sonido Intel® para pantallas;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-06-21 287232]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2010-05-15 384040]
S3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\SBFWIM.sys [2012-09-12 120064]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GFIARK
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 05:04]
.
2013-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3343030603-3455308119-1344604290-1000Core.job
- c:\users\ACER\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:51]
.
2013-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3343030603-3455308119-1344604290-1000UA.job
- c:\users\ACER\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:51]
.
2013-04-29 c:\windows\Tasks\SpeedUpMyPC.job
- c:\program files (x86)\Uniblue\SpeedUpMyPC\sump.exe [2013-04-29 03:27]
.
2013-04-29 c:\windows\Tasks\spmonitor.job
- c:\program files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe [2013-04-29 03:27]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2010-05-27 02:42    137584    ----a-w-    c:\program files (x86)\EgisTec MyWinLocker\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="DOWS\SYSTEM32\IGFXTRAY.EXE" [BU]
"HotKeysCmds"="DOWS\SYSTEM32\HKCMD.EXE" [BU]
"Persistence"="DOWS\SYSTEM32\IGFXPERS.EXE" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-22 10920552]
"ETDWare"="TECH\ETDCTRL.EXE" [BU]
"PLFSetI"="DOWS\PLFSETI.EXE" [BU]
"Acer ePower Management"="T\EPOWERTRAY.EXE" [BU]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.fr/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 10.1.1.1
TCP: Interfaces\{3DE1FAC4-B916-448F-A747-E5A362D2FC66}: NameServer = 192.168.2.1
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files (x86)\vShare\vshare_toolbar.dll
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-04-29  15:38:21
ComboFix-quarantined-files.txt  2013-04-29 07:38
ComboFix2.txt  2013-04-01 14:26
.
Pre-Run: 134.824.718.336 bytes libres
Post-Run: 134.458.048.512 bytes libres
.
- - End Of File - - ABDBD154B4DA4ED6B5D862247CC51A31


My Laptop:

ComboFix 13-04-11.01 - LocalAdmin 14/04/2013  14:37:57.1.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.61.1033.18.3241.2519 [GMT 8:00]
Running from: c:\documents and settings\LocalAdmin\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: McAfee Host Intrusion Prevention Firewall *Disabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{8C20787A-7402-4FA7-BF25-6E5750930FDC}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
c:\documents and settings\LocalAdmin\Application Data\PriceGong
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\1.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\17781.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\450.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\5938.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\a.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\b.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\c.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\d.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\e.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\f.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\g.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\h.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\i.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\j.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\k.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\l.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\m.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\n.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\o.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\p.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\q.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\r.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\s.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\t.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\u.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\v.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\w.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\x.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\y.txt
c:\documents and settings\LocalAdmin\Application Data\PriceGong\Data\z.txt
c:\documents and settings\LocalAdmin\Local Settings\Application Data\assembly\tmp
c:\windows\EventSystem.log
c:\windows\system32\default_user_class.dat.LOG
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\SET6C3.tmp
c:\windows\system32\SET6DE.tmp
c:\windows\system32\SET6E0.tmp
c:\windows\system32\SET6EE.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-14 to 2013-04-14  )))))))))))))))))))))))))))))))
.
.
2013-03-21 03:23 . 2013-03-21 03:23    --------    d-sh--w-    c:\documents and settings\Default User\IETldCache
2013-03-21 03:23 . 2013-03-21 03:23    5504    ----a-w-    c:\windows\system32\drivers\staropen.sys
2013-03-21 03:23 . 2013-03-21 03:23    --------    d-----w-    c:\documents and settings\All Users\Application Data\Canneverbe Limited
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-13 12:47 . 2012-04-03 02:15    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-03-13 12:47 . 2011-09-10 03:40    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-05 04:51 . 2013-03-05 04:51    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-03-05 04:51 . 2010-12-08 08:19    143872    ----a-w-    c:\windows\system32\javacpl.cpl
2013-03-05 04:51 . 2012-06-16 07:40    861088    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-03-05 04:51 . 2011-09-11 08:39    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-04-12 09:02 . 2013-04-12 09:02    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}"= "c:\program files\MyAshampoo\prxtbMyA2.dll" [2013-03-05 231168]
.
[HKEY_CLASSES_ROOT\clsid\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
2013-03-05 13:37    231168    ----a-w-    c:\program files\MyAshampoo\prxtbMyA2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}"= "c:\program files\MyAshampoo\prxtbMyA2.dll" [2013-03-05 231168]
.
[HKEY_CLASSES_ROOT\clsid\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Magentic"="c:\progra~1\Magentic\bin\Magentic.exe" [2010-05-11 488808]
"Spotify Web Helper"="c:\documents and settings\LocalAdmin\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-07-20 1193176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Radia User Connect"="c:\progra~1\Novadigm\radskman uid=$machine" [X]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-01-25 536668]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-07 737280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-05-27 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-05-27 182552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-05-27 166680]
"FreeFallProtection"="c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-12-17 686704]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-04-05 501104]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-22 124224]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-18 49152]
"WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"RUNRADTRAY"="c:\progra~1\Novadigm\radtray.exe" [2010-08-30 481000]
"WinVNC"="c:\program files\det\ultravnc\winvnc.exe" [2005-08-06 974848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2010-10-01 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2010-09-17 50472]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-24 240112]
"Desktop Disc Tool"="c:\program files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-03-12 462993]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
"McAfee NAC Tray Icon"="c:\program files\McAfee\MNAC Scanner\ScannerTray.exe" [2011-06-22 402752]
"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2010-06-15 979104]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-05-19 161088]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-24 421888]
"DFX"="c:\program files\DFX\DFX.exe" [2013-01-10 1131880]
"EPSON_UD_START"="c:\program files\EPSON Projector\Epson USB Display V1.6\EMP_UD.exe" [2011-11-17 534664]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\LocalAdmin\Start Menu\Programs\Startup\
Samsung Auto Backup Guage.lnk - c:\program files\Clarus\Samsung Auto Backup\ISFGuage.exe [2011-9-10 888832]
Samsung Auto Backup Real-Time Daemon.lnk - c:\program files\Clarus\Samsung Auto Backup\ISFRealTimeD.exe [2011-9-10 77824]
Samsung Auto Backup Scheduler.lnk - c:\program files\Clarus\Samsung Auto Backup\ISFTimerD.exe [2011-9-10 102400]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-12-9 636256]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 3600 (0xe10)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-15174\Scripts\Logoff\0\0]
"Script"=\\E4017S01SV001\Netlogon\Global\GlobalLogoff.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-15174\Scripts\Logoff\1\0]
"Script"=firefox_logout.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-15174\Scripts\Logoff\2\0]
"Script"=\\E4017S01SV001\Netlogon\Global\GlobalLogoff.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-15174\Scripts\Logoff\3\0]
"Script"=firefox_logout.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-15174\Scripts\Logon\0\0]
"Script"=\\E4017S01SV001\Netlogon\Global\GlobalLogon.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-15174\Scripts\Logon\1\0]
"Script"=firefox_login.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-15174\Scripts\Logon\2\0]
"Script"=OutlookProfileConfig.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-15174\Scripts\Logon\3\0]
"Script"=\\E4017S01SV001\Netlogon\Global\GlobalLogon.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-15174\Scripts\Logon\4\0]
"Script"=firefox_login.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-22281\Scripts\Logoff\0\0]
"Script"=\\E4017S01SV001\Netlogon\Global\GlobalLogoff.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-22281\Scripts\Logoff\1\0]
"Script"=firefox_logout.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-22281\Scripts\Logon\0\0]
"Script"=\\E4017S01SV001\Netlogon\Global\GlobalLogon.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4016737976-1595093383-3530643372-22281\Scripts\Logon\1\0]
"Script"=firefox_login.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Magentic\\bin\\MgImp.exe"=
"c:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"c:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\LocalAdmin\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1725:TCP"= 1725:TCP:i-Clickr.exe Operation Port (1725)
"8725:TCP"= 8725:TCP:i-Clickr.exe Operation Port (8725)
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/09/2011 10:43 AM 64512]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [10/01/2008 12:58 PM 39680]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [25/08/2011 4:18 PM 17648]
R2 eBeam Device Service;eBeam Device Service;c:\program files\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe [9/02/2012 5:10 PM 180224]
R2 EMP_UDSA;EMP_UDSA;c:\program files\EPSON Projector\Epson USB Display V1.6\EMP_UDSA.exe [6/02/2013 11:56 AM 157696]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [22/10/2010 8:07 PM 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [13/01/2011 1:01 PM 69192]
R2 NACClient;McAfee Network Access Control Client;c:\program files\McAfee\MNAC Scanner\NACScanner.exe [22/06/2011 8:53 AM 1729856]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [23/03/2012 2:25 PM 87040]
R2 radexecd;HPCA Notify Daemon;c:\program files\Novadigm\radexecd.exe [13/11/2009 3:43 PM 300776]
R2 radsched;HPCA Scheduler Daemon;c:\program files\Novadigm\radsched.exe [13/11/2009 3:44 PM 194280]
R2 Radstgms;HPCA MSI Redirector;c:\program files\Novadigm\Radstgms.exe [13/11/2009 3:45 PM 333544]
R2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [11/03/2013 11:03 AM 3560800]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [25/08/2011 4:18 PM 43888]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [22/04/2009 6:13 AM 113664]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [4/10/2011 5:04 PM 134144]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [4/10/2011 5:04 PM 144576]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [19/07/2010 6:18 PM 33832]
R3 EMP_MIRRUD;EMP_MIRRUD;c:\windows\system32\drivers\EMP_MirrUD.sys [6/02/2013 11:56 AM 3712]
R3 eppvad_simple;EPSON Projector UD Audio Device;c:\windows\system32\drivers\EMP_UDAU.sys [6/02/2013 11:56 AM 17664]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [20/10/2011 6:26 PM 44680]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [19/01/2010 8:50 PM 260864]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [26/08/2011 7:00 AM 41088]
R3 mfempefw;McAfee Inc. mfempefw;c:\windows\system32\drivers\mfempefw.sys [31/10/2011 10:41 AM 37576]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\o2mdrxp.sys [26/08/2011 7:00 AM 61728]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjxp.sys [26/08/2011 7:00 AM 63976]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [12/09/2011 12:43 PM 29072]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [11/05/2011 11:37 PM 11026]
S2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [15/06/2010 11:50 AM 1498224]
S2 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [25/11/2011 2:18 PM 35696]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [28/10/2011 5:52 PM 2152720]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [25/11/2010 5:34 AM 219632]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k5132.sys --> c:\windows\system32\DRIVERS\e1k5132.sys [?]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [20/10/2011 6:26 PM 44680]
S3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [20/10/2011 6:26 PM 107960]
S3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [20/10/2011 6:26 PM 38680]
S3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [20/10/2011 6:26 PM 35552]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2/06/2012 11:25 AM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 6:01 PM 21248]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys --> c:\windows\system32\DRIVERS\Impcd.sys [?]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [6/08/2008 10:48 AM 93968]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [28/10/2011 5:52 PM 15232]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [13/01/2011 1:01 PM 66536]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [24/02/2012 9:24 AM 9472]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [25/11/2010 5:33 AM 1116656]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 1:37 PM 517096]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [29/07/2010 3:12 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 07:04    8192    ----a-w-    c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2009-03-07 20:32    128512    ----a-w-    c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-10-28 02:46]
.
2013-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 12:47]
.
2013-04-13 c:\windows\Tasks\AdobeAAMUpdater-1.0-BLUE-E2007031.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-10-28 19:44]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-13 11:40]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-13 11:40]
.
2013-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2124250000-430152382-4132914119-1006Core.job
- c:\documents and settings\LocalAdmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-15 13:45]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2124250000-430152382-4132914119-1006UA.job
- c:\documents and settings\LocalAdmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-15 13:45]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4016737976-1595093383-3530643372-15174Core.job
- c:\documents and settings\e2007031\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-14 10:00]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4016737976-1595093383-3530643372-15174UA.job
- c:\documents and settings\e2007031\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-14 10:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\LocalAdmin\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to DVD Converter - c:\documents and settings\LocalAdmin\Application Data\DVDVideoSoftIEHelpers\freeyoutubetodvdconverter.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\LocalAdmin\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: filesanywhere.com\www
TCP: DhcpNameServer = 10.1.1.1
FF - ProfilePath - c:\documents and settings\LocalAdmin\Application Data\Mozilla\Firefox\Profiles\cbmaqjqv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/firefox
FF - prefs.js: network.proxy.http - 10.1.81.11
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 2
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Samsung_AppInst - d:\samsungsoftware\AppInst.exe
HKLM-Run-X3BPush - c:\windows\DELLXIMG\BPUSH.EXE
HKLM-Run-IDTSysTrayApp - (no file)
HKLM-Run-BgInfo Taskbar - c:\program files\DET\BgInfo\bginfo.exe
Notify-AtiExtEvent - (no file)
AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-14 14:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Samsung_AppInst = d:\samsungsoftware\AppInst.exe??????????????????????V??????????????????????Q?????????????????????Q???????????????Q????????????????
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\09\06\0a\06\1c\12."
.
Completion time: 2013-04-14  14:51:20
ComboFix-quarantined-files.txt  2013-04-14 06:51
.
Pre-Run: 129,477,066,752 bytes free
Post-Run: 132,645,339,136 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 2FB383B9ECA53FD3093971A0C02AC18C
My Home Theatre Computer:

ComboFix 13-04-12.02 - Riley 14/04/2013  15:27:11.2.2 - x86
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.61.1033.18.3327.1387 [GMT 8:00]
Running from: c:\users\Trevor\Desktop\ComboFix.exe
AV: Lavasoft Ad-Aware *Disabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
SP: Lavasoft Ad-Aware *Disabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\f7129022-a000-4847-db07-470265a73c4f
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-14 to 2013-04-14  )))))))))))))))))))))))))))))))
.
.
2013-04-14 07:33 . 2013-04-14 07:33    --------    d-----w-    c:\users\Trevor\AppData\Local\temp
2013-04-14 07:33 . 2013-04-14 07:33    --------    d-----w-    c:\users\Public\AppData\Local\temp
2013-04-14 07:33 . 2013-04-14 07:33    --------    d-----w-    c:\users\Nadine\AppData\Local\temp
2013-04-14 07:33 . 2013-04-14 07:33    --------    d-----w-    c:\users\Jon\AppData\Local\temp
2013-04-14 07:33 . 2013-04-14 07:33    --------    d-----w-    c:\users\Guest\AppData\Local\temp
2013-04-14 07:33 . 2013-04-14 07:33    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-04-10 17:32 . 2013-02-22 03:34    420864    ----a-w-    c:\windows\system32\vbscript.dll
2013-04-10 10:46 . 2013-03-03 19:07    1082232    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-10 10:46 . 2013-03-11 13:25    3603816    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-04-10 10:46 . 2013-03-11 13:25    3551080    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-04-10 10:46 . 2013-03-09 03:45    49152    ----a-w-    c:\windows\system32\csrsrv.dll
2013-04-10 10:46 . 2013-03-09 01:28    64000    ----a-w-    c:\windows\system32\smss.exe
2013-04-10 10:46 . 2013-03-08 03:52    2067968    ----a-w-    c:\windows\system32\mstscax.dll
2013-04-10 10:46 . 2013-03-08 03:53    376320    ----a-w-    c:\windows\system32\winsrv.dll
2013-04-10 10:46 . 2013-03-05 01:40    2049024    ----a-w-    c:\windows\system32\win32k.sys
2013-03-29 14:59 . 2013-04-10 07:13    --------    d-----w-    c:\users\Nadine\AppData\Roaming\vlc
2013-03-20 19:52 . 2013-02-12 01:57    15872    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-03-20 19:52 . 2013-02-12 01:57    15872    ----a-w-    c:\windows\system32\drivers\usb8023x.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-12 18:26 . 2012-04-07 08:00    691592    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-04-12 18:26 . 2011-06-03 14:32    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-06 10:08 . 2013-03-06 10:08    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-03-06 10:08 . 2012-06-27 11:52    861088    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-03-06 10:08 . 2010-05-24 12:08    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-04-12 10:00 . 2013-04-12 10:00    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 04:06    163328    --sha-r-    c:\windows\System32\flvDX.dll
2007-02-21 05:47    31232    --sha-r-    c:\windows\System32\msfDX.dll
2008-03-16 07:30    216064    --sha-r-    c:\windows\System32\nbDX.dll
2010-01-06 16:00    107520    --sha-r-    c:\windows\System32\TAKDSDecoder.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2012-09-20 20:06    87448    ----a-w-    c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2012-09-20 87448]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-01 39408]
"Spotify Web Helper"="c:\users\Trevor\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-02-28 1199000]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\HydraVision\HydraDM.exe" [2011-01-12 393216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-08-07 91648]
"WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
"My Movies Tray"="c:\program files\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe" [2012-05-10 354384]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-08-08 540056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-12-19 642808]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
S2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile    REG_MULTI_SZ       wcescomm rapimgr
LocalServiceRestricted    REG_MULTI_SZ       WcesComm RapiMgr
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
nosGetPlusHelper    REG_MULTI_SZ       nosGetPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
2008-02-25 03:55    7680    ----a-w-    c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 09:23    38400    ----a-w-    c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-11 14:55    1642448    ----a-w-    c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 02:50    30720    ----a-w-    c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 18:26]
.
2013-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-02 10:15]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-02 10:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\users\Trevor\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm
IE: Free YouTube to DVD Converter - c:\users\Trevor\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetodvdconverter.htm
IE: Free YouTube to MP3 Converter - c:\users\Trevor\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 10.1.1.1
FF - ProfilePath - c:\users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\be5sit8r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/firefox
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com//?loc=ff_address_bar&a=IAX5bTn7dx&search=
FF - ExtSQL: 2013-03-02 20:05; {02450914-cdd9-410f-b1da-db004e18c671}; c:\users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\be5sit8r.default\extensions\{02450914-cdd9-410f-b1da-db004e18c671}.xpi
FF - ExtSQL: !HIDDEN! 2009-06-25 00:06; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-Free DVD Video Burner_is1 - c:\program files\DVDVideoSoft\Free DVD Video Burner\unins000.exe
AddRemove-Free DVD Video Converter_is1 - c:\program files\Common Files\DVDVideoSoft\Uninstall.exe
AddRemove-Free Video Dub_is1 - c:\program files\Common Files\DVDVideoSoft\Uninstall.exe
AddRemove-Free YouTube Download_is1 - c:\program files\Common Files\DVDVideoSoft\Uninstall.exe
AddRemove-Free YouTube to DVD Converter_is1 - c:\program files\Common Files\DVDVideoSoft\Uninstall.exe
AddRemove-Free YouTube to MP3 Converter_is1 - c:\program files\Common Files\DVDVideoSoft\Uninstall.exe
AddRemove-Uninstall_is1 - c:\program files\Common Files\DVDVideoSoft\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-14 15:33
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,04,aa,44,18,70,f8,6c,4c,9a,76,0c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,04,aa,44,18,70,f8,6c,4c,9a,76,0c,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-04-14  15:35:20
ComboFix-quarantined-files.txt  2013-04-14 07:35
ComboFix2.txt  2012-04-04 02:45
.
Pre-Run: 15,324,651,520 bytes free
Post-Run: 16,648,724,480 bytes free
.
- - End Of File - - 871F8DDF83113A856229C91BA8BB0E27

 

So obviously I would like someone to view these reports/logs and inform me of anything that I, or my house mate needs to do in order to ensure that our computers & network are essentially free of any major threats or I guess anything that needs to be fixed in general. It would be much appreciated. I hope that is enough information and I also hope I have followed the correct procedures in posting this.

 

Trevor.

 

 

 

 


 


#2 m0le (Malware Response Instructor)

Posted 02 May 2013 - 07:46 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:


[If I have helped you fix your PC then please donate. Thanks
jetian6yw.jpg
m0le is a proud member of UNITE

#3 triley7 (Topic Starter)

Posted 02 May 2013 - 09:00 PM

Hi m0le

 

"Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right."

 

- Couldn't see these options anywhere on the page. I assume that's because I'm already following it??

Anyway here is my reply. I will not install/remove or update any programs until I receive your reply with your first instructions.

 

Thanks,

Trevor.

 



#4 m0le (Malware Response Instructor)

Posted 03 May 2013 - 07:13 PM

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

 

 

Your machine is the only one that showed infection. So, it's yours we're going to check out.

 

Please download aswMBR ( 511KB ) to your desktop.

  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

 

 

 



#5 triley7 (Topic Starter)

Posted 07 May 2013 - 04:37 AM

"Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again."

 

Yeah I am aware of this and as I said in my original post I have used it before after a mate of mine who works in IT recommended I run it. I am fairly computer literate so I'm fairly sure I know how to run it safely. Can you please specify which computer of mine I need to run aswMBR.exe on - my Home Theatre computer (Microsoft® Windows Vista™ Ultimate) or my Laptop (Microsoft Windows XP Professional)?

 

Kind regards,

Trevor.



#6 m0le (Malware Response Instructor)

Posted 07 May 2013 - 06:09 PM

 

I am fairly computer literate so I'm fairly sure I know how to run it safely.

 

 

 

You're fairly sure? In that case, why are you asking for help with the log output?

 

I'm fairly sure the warning was given correctly. :)

 

Please run aswMBR on your laptop


Edited by m0le, 07 May 2013 - 06:10 PM.


#7 triley7 (Topic Starter)

Posted 12 May 2013 - 12:39 AM

Because my mate is bleepin useless & unreliable, that's why I am asking for your help with the log output. But why are you asking that question in relation to the log output when combofix produces it after you've run the program? Isn't the disclaimer more so to cover the creator's ass? Running the program is certainly not difficult (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) unless you're a noob & bleep surely anyone could follow the instructions given in this link? So I am now curious to know, what expert/technical knowledge is required, first of all, in order to determine that it would be wise to run Combofix on a computer? and secondly, while it is being run? Is it possible that Combofix can damage your computer if you don't have an infection?

 

*These are all sincere questions btw that I hope you have the time to answer - I am not being a smart ass & just in case you thought I was, wasn't trying to be one in my last post.*

 

Anyway I ran aswMBR.exe and below is the log it produced:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-05-08 21:10:52
-----------------------------
21:10:52.843    OS Version: Windows 5.1.2600 Service Pack 3
21:10:52.843    Number of processors: 4 586 0x2A07
21:10:52.843    ComputerName: DOE-4046082C9E9  UserName: LocalAdmin
21:10:55.125    Initialize success
21:27:33.546    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:27:33.546    Disk 0 Vendor: ST320LT007-9ZV142 0001DEM1 Size: 305245MB BusType: 3
21:27:33.796    Disk 0 MBR read successfully
21:27:33.796    Disk 0 MBR scan
21:27:33.796    Disk 0 unknown MBR code
21:27:33.796    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        10240 MB offset 2048
21:27:33.812    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       295003 MB offset 20973568
21:27:33.828    Disk 0 scanning sectors +625139712
21:27:33.890    Disk 0 scanning C:\WINDOWS\system32\drivers
21:27:55.171    Service scanning
21:28:18.515    Modules scanning
21:28:27.187    Disk 0 trace - called modules:
21:28:27.218    ntkrnlpa.exe CLASSPNP.SYS disk.sys stdcfltn.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:28:27.218    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b368ab8]
21:28:27.734    3 CLASSPNP.SYS[b9918fd7] -> nt!IofCallDriver -> [0x8b3febf0]
21:28:27.734    5 stdcfltn.sys[b9ccd896] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8b36eb00]
21:28:27.734    Scan finished successfully
22:21:22.578    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\LocalAdmin\Desktop\MBR.dat"
22:21:22.609    The log file has been saved successfully to "C:\Documents and Settings\LocalAdmin\Desktop\aswMBR.txt"


Do you need the 'MBR.dat' file it produced also?

 

Thanks, and again, I appreciate your help.

Trevor.



#8 m0le (Malware Response Instructor)

Posted 12 May 2013 - 07:44 PM

These are all sincere questions btw that I hope who have the time to answer - I am not being a smart ass & just in case you thought I was, wasn't trying to be one in my last post

Fair enough. :)

 

So I am now curious to know, what expert/technical knowledge is required, first of all, in order to determine that it would be wise to run Combofix on a computer? and secondly, while it is being run? Is it possible that Combofix can damage your computer if you don't have an infection?

 
Yes, Combofix can damage your computer even if you don't have an infection but can also trigger a problem by detecting some malware which then fights back. Due to its power it has the ability to destroy a system.
 
If Combofix is run without support (and as you know it's quite easy to run) and you do encounter a problem then you will need expert or technical knowledge. Because of the nature of the program some parts of it are secret and in a lot of cases even helpers have to go to the developer for support. It might look like overkill but it is protecting the tool and protecting our members and is a valuable weapon. We don't want it to destroy people's computers we want it to destroy the malware.
 
The aswMBR log looks fine. Can you run MBAM - again we're only looking at your laptop
 
Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.



#9 triley7 (Topic Starter)

Posted 13 May 2013 - 09:16 AM

Nothing found apparently:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.13.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
LocalAdmin :: DOE-4046082C9E9 [administrator]

13/05/2013 7:13:00 PM
mbam-log-2013-05-13 (19-13-00).txt

Scan type: Full scan (C:\|R:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 549068
Time elapsed: 2 hour(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

Trevor.



#10 m0le (Malware Response Instructor)

Posted 13 May 2013 - 07:41 PM

Looks good. Please run ESET on your lappy. That should wrap that up

 

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 



#11 m0le (Malware Response Instructor)

Posted 16 May 2013 - 07:35 PM

Hi,

I have not had a reply from you for 3 days.
Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,

m0le

#12 triley7 (Topic Starter)

Posted 19 May 2013 - 04:11 AM

Hey m0le

 

Yeah I still need your help please. Sorry about the late reply, just had a really busy & crazy week. I ran ESET last Fri arvo/evening & then later on in the evening I had people round for drinks and was playing music on my computer when all of a sudden my laptop turned off cause the battery went flat as I didn't have it plugged in (Whoops!). The last time I had looked at the scan it was like around 98% complete I think (& was displaying that it had found multiple threats - approx 19 at that point) and when my laptop turned off I'm pretty sure it would've been completed. Today I tried to go into the program but couldn't find it in "All Programs" (I assume because it's an online scanner) but I see it's in "Add Or Remove Programs" listed as "ESET Online Scanner v3". I assume the best thing to do now would be to just run it again but I thought I better just check with you first? Sorry about the stuff up & using some more of your time by dragging this out. Like I said just had a full on week, hence why I was still scanning my computer for viruses on a Fri night while I've got guests around at the same time! :).

 

Thanks,

Trevor.



#13 m0le (Malware Response Instructor)

Posted 19 May 2013 - 07:01 PM

Yes, run ESET from the beginning. It can take some time so make sure you can watch it a bit more. Of course, guests are more important than this - you can't download a guest and run them later can you? :P

 

Just post a reply within 3 days if you know you're not going to be able to do it. Okay?



#14 triley7 (Topic Starter)

Posted 21 May 2013 - 06:10 AM

Hahaha, Nice. No you certainly can't. Turned out that one of the guests I ran a lot on the weekend and no doubt will be regularly running! She was certainly worth the download Fri night haha :).

 

Gee what a great program ESET is! Found quite a few threats. Here's a copy of the report/log:

 

C:\Documents and Settings\LocalAdmin\My Documents\Azureus Downloads\DFX Audio Enhancer v9.107 6-in-1\dfx9Setup-JRiver.exe    a variant of Win32/Bundled.Toolbar.Ask.A application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Azureus Downloads\DFX Audio Enhancer v9.107 6-in-1\dfx9Setup-Musicmatch.exe    a variant of Win32/Bundled.Toolbar.Ask.A application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Azureus Downloads\DFX Audio Enhancer v9.107 6-in-1\dfx9Setup-RealPlayer.exe    a variant of Win32/Bundled.Toolbar.Ask.A application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Azureus Downloads\DFX Audio Enhancer v9.107 6-in-1\dfx9Setup-Winamp.exe    a variant of Win32/Bundled.Toolbar.Ask.A application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Azureus Downloads\DFX Audio Enhancer v9.107 6-in-1\dfx9Setup-WMP.exe    a variant of Win32/Bundled.Toolbar.Ask.A application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Azureus Downloads\DFX Audio Enhancer v9.107 6-in-1\dfx9Setup-WMP64.exe    a variant of Win32/Bundled.Toolbar.Ask.A application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Azureus Downloads\DFX Audio Enhancer v9.107 MegaPack + 35 Skins-CORE [h33t] [Original]\DFX.Audio.Enhancer.v9.107.Pack.Plus.35.Skins-CORE.zip    a variant of Win32/Bundled.Toolbar.Ask.A application    deleted - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\cbsi-3_2_5_39-10064069.exe    a variant of Win32/CNETInstaller.A application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\cbsidlm-tr1_10a-Living_Earth_Desktop-ORG-10789812.exe    Win32/DownloadAdmin.G application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\cnet2_ashampoo_burning_studio_6_free_6_80_4312_exe.exe    a variant of Win32/InstallCore.D application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\FileViewPro_2013.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\FreeAVIVideoConverter.exe    multiple threats    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\FreeVideoDub.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\FreeVideoFlipAndRotate.exe    multiple threats    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\FreeVideoToDVDConverter.exe    multiple threats    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\FreeYouTubeToDVDConverter.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\MyPhoneExplorer_Setup_1.8.2.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Program Files\Common Files\DVDVideoSoft\AskTB\ApnIC.dll    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
C:\Program Files\Common Files\DVDVideoSoft\AskTB\ApnToolbarInstaller.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
C:\Program Files\Vuze\bunndle.zip    a variant of Win32/Bunndle application    deleted - quarantined
C:\Program Files\Vuze\.install4j\i4j_extf_32_5p83tu.dll    a variant of Win32/Bunndle application    cleaned by deleting - quarantined
 

Thanks,

Trevor.
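The ESET export above is a flat list of path / threat name / action triples, and the useful triage question is not the count but where the hits sit: an installer in a Downloads folder is a one-off remnant, while a file under Program Files belongs to software that is still installed (the DVDVideoSoft and Vuze entries here correspond to the AddRemove lines in the ComboFix log at the top of this page). As an added example, not ESET's or the forum's own code, the Python script below parses lines in that format and summarises them by threat family, by action taken and by directory, and lists the detections that live under Program Files. The sample log is a constructed subset of the lines posted above; treating the field separator as tabs, or runs of two or more spaces after a forum paste, is an assumption.

```python
"""Triage an ESET Online Scanner export (added example, not ESET's code).

Assumed format, as seen in the post: one detection per line with three
fields (path, threat name, action taken), separated by tabs in the real
export or by runs of spaces once pasted into a forum.
"""
import ntpath
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed subset of the lines posted in the thread (fields joined by 4 spaces).
SAMPLE_LOG = r"""
C:\Documents and Settings\LocalAdmin\My Documents\Azureus Downloads\DFX Audio Enhancer v9.107 6-in-1\dfx9Setup-Winamp.exe    a variant of Win32/Bundled.Toolbar.Ask.A application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\cbsi-3_2_5_39-10064069.exe    a variant of Win32/CNETInstaller.A application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\cbsidlm-tr1_10a-Living_Earth_Desktop-ORG-10789812.exe    Win32/DownloadAdmin.G application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\FreeAVIVideoConverter.exe    multiple threats    cleaned by deleting - quarantined
C:\Documents and Settings\LocalAdmin\My Documents\Downloads\FreeVideoDub.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Program Files\Common Files\DVDVideoSoft\AskTB\ApnToolbarInstaller.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
C:\Program Files\Vuze\bunndle.zip    a variant of Win32/Bunndle application    deleted - quarantined
"""


class Detection(NamedTuple):
    path: str
    threat: str
    action: str


# Assumption: fields are tab-separated, or separated by 2+ spaces after a paste.
FIELD_SEP = re.compile(r"\t+| {2,}")


def parse_eset_log(text: str) -> List[Detection]:
    """Split each non-empty line into (path, threat, action); reject malformed lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = FIELD_SEP.split(line)
        if len(parts) != 3:
            raise ValueError(f"expected 3 fields, got {len(parts)}: {line!r}")
        rows.append(Detection(*parts))
    return rows


def threat_family(threat: str) -> str:
    """Normalise 'a variant of Win32/Bundled.Toolbar.Ask.A application' to
    'Win32/Bundled.Toolbar.Ask' so variants of one bundler count together."""
    name = re.sub(r"^a variant of\s+", "", threat)
    name = re.sub(r"\s+application$", "", name)
    return re.sub(r"\.[A-Z]$", "", name)  # drop a single-letter variant suffix


def is_installed_component(path: str) -> bool:
    """A hit under Program Files belongs to software that is still installed,
    unlike a one-off installer sitting in a Downloads folder."""
    return path.lower().startswith("c:\\program files\\")


def summarize(rows: List[Detection]) -> Dict[str, object]:
    """Aggregate the detections the way a helper would read them."""
    return {
        "by_family": Counter(threat_family(r.threat) for r in rows),
        "by_action": Counter(r.action for r in rows),
        "by_directory": Counter(ntpath.dirname(r.path) for r in rows),
        "installed_components": [r.path for r in rows if is_installed_component(r.path)],
    }


if __name__ == "__main__":
    report = summarize(parse_eset_log(SAMPLE_LOG))
    for key in ("by_family", "by_action", "by_directory"):
        print(f"== {key} ==")
        for name, count in sorted(report[key].items()):
            print(f"  {count:2d}  {name}")
    print("== still-installed components ==")
    for path in report["installed_components"]:
        print("  ", path)
```

Run it as a script to print the summary, or import `parse_eset_log` and `summarize` and feed them the full export. `parse_eset_log` raises on a line that does not split into exactly three fields, which catches a path that contains a double space or an export pasted with a different separator rather than silently miscounting it.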



#15 m0le (Malware Response Instructor)

Posted 21 May 2013 - 08:18 PM

Turned out that one of the guests I ran a lot on the weekend and no doubt will be regularly running! She was certainly worth the download Fri night haha

 
Excellent. Remember, with programs, regular updates. :)
 
ESET did the job and picked off a lot of remnants - not all exactly malware - but it is a good program and is very thorough.
 
Let's have a scan just to check out where we're at
  • Please download OTL
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
