Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

PUM.Hijack.HomepageControl detected by Malware bytes antimalware


  • This topic is locked This topic is locked
31 replies to this topic

#1 ynotmat

ynotmat

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:02 AM

Posted 17 June 2013 - 06:13 AM

The problem started with internet explorer redirecting to weird websites. My antivirus used to detect a virus but this went away automatically but the redirects did not stop. Yesterday  Malwarebytes anti malware detected PUM.Hijack.homepageControl and was deleted but the redirects did not get solved. I guess the virus/ trojan has to be removed from the registry. This is a company issued laptop and technically i should be giving to to IT (i know they cannot solve this issue). Can you help?

============================================================

The DDS log follows.

============================================================

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.21.2
Run by mathewt1 at 12:44:09 on 2013-06-17
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.44.1033.18.4048.1143 [GMT 3:00]
.
AV: Microsoft Forefront Endpoint Protection *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Forefront Endpoint Protection *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\STacSV64.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Windows\system32\CISVC.EXE
C:\Program Files (x86)\Connectify\ConnectifyService.exe
C:\Program Files (x86)\Connectify\ConnectifyD.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\ProgramData\DatacardService\HWDeviceService64.exe
C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\ProgramData\Photon Plus\Huawei\OnlineUpdate\ouc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe
C:\Program Files (x86)\Connectify\DispatchUI.exe
C:\Program Files (x86)\Connectify\Connectify.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\27.0.1453.110\chrome_frame_helper.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Users\mathewt1\AppData\Local\Google\Update\1.3.21.145\GoogleCrashHandler.exe
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Users\mathewt1\AppData\Local\Google\Update\1.3.21.145\GoogleCrashHandler64.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Microsoft Lync\communicator.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Microsoft Lync\UcMapi.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\cidaemon.exe
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathewt1\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
C:\Windows\SysWOW64\CCM\CcmExec.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\splwow64.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\HP\HPLJUT\HPLJUTSCH.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe
C:\Windows\sysWow64\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Free Download Manager\fdm.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://515intranet/
uSearch Bar = Preserve
mStart Page = hxxp://websearch.resulthunters.info/?unqvl=21
uProxyOverride = local
mWinlogon: Userinit = userinit.exe,
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: SnagIt: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\SnagIt 8\SnagItIEAddin.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
uRun: [GrooveMonitor] C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
uRun: [005A4CA47FF622BB748CFF6D59FD53638461CEA4._service_run] "C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe" --type=service
uRun: [Free Download Manager] "C:\Program Files (x86)\Free Download Manager\fdm.exe" -autorun
uRun: [Google Update] "C:\Users\mathewt1\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [GoogleChromeAutoLaunch_A88CF196930C464BA422087DBFD40196] "C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe" --no-startup-window
uRun: [ChromeFrameHelper] "C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\27.0.1453.110\chrome_frame_helper.exe" --startup
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [ToolboxFX] "C:\Program Files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey
mRun: [CanonQuickMenu] C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE /logon
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\mathewt1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\mathewt1\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\mathewt1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
StartupFolder: C:\Users\mathewt1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
StartupFolder: C:\Users\mathewt1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TimeLeft.lnk - C:\Program Files (x86)\TimeLeft3\TimeLeft.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAGIT~1.LNK - C:\Program Files (x86)\TechSmith\SnagIt 8\SnagIt32.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: legalnoticecaption = Weatherford Policy Acceptance
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
Trusted Zone: 515crpweb
Trusted Zone: 515crpwebcapture
Trusted Zone: 515opweb
Trusted Zone: 515opweb1
Trusted Zone: 515opwebcapture
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/bin/LogitechDeviceDetection32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab
TCP: NameServer = 93.91.200.200 93.91.200.201 8.8.8.8
TCP: Interfaces\{2F640B81-8AE0-4E70-BBDA-6672B36EA857} : DHCPNameServer = 93.91.200.200 93.91.200.201 8.8.8.8
TCP: Interfaces\{2F640B81-8AE0-4E70-BBDA-6672B36EA857}\6596C6C616134353 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2F640B81-8AE0-4E70-BBDA-6672B36EA857}\75644504F4666696365637 : DHCPNameServer = 10.136.3.30 10.136.3.29 192.168.100.79
TCP: Interfaces\{2F640B81-8AE0-4E70-BBDA-6672B36EA857}\75644513 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2F640B81-8AE0-4E70-BBDA-6672B36EA857}\8496464656E60275962756C656373702E4564777F627B6 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{8538B979-D47D-4411-9C61-D82B5CF267CC} : NameServer = 192.168.212.1
TCP: Interfaces\{B22EB7F3-1A6C-44FC-9977-B18E5F5560C6} : DHCPNameServer = 10.136.3.30 192.168.100.79 93.91.200.200
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\27.0.1453.110\npchrome_frame.dll
AppInit_DLLs=  
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-TB: SnagIt: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\SnagIt 8\DLLx64\SnagItIEAddin64.dll
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe
x64-Run: [HP LaserJet Professional CM1410 Series Fax] C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe "HP LaserJet Professional CM1410 Series Fax"
x64-Run: [Connectify Dispatch] C:\Program Files (x86)\Connectify\DispatchUI.exe autorun
x64-Run: [Connectify Hotspot] C:\Program Files (x86)\Connectify\Connectify.exe autorun
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
x64-Trusted Zone: 515crpweb
x64-Trusted Zone: 515crpwebcapture
x64-Trusted Zone: 515opweb
x64-Trusted Zone: 515opweb1
x64-Trusted Zone: 515opwebcapture
x64-Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-7-28 55856]
R1 cnnctfy3;Connectify LightWeight Filter;C:\Windows\System32\drivers\cnnctfy3.sys [2013-3-26 34840]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2010-10-25 189440]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-13 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\AESTSr64.exe [2012-6-28 89600]
R2 Connectify;Connectify;C:\Program Files (x86)\Connectify\ConnectifyService.exe [2013-1-21 156672]
R2 HsfXAudioService;HsfXAudioService;C:\Windows\System32\svchost.exe -k HsfXAudioService [2009-7-14 27136]
R2 HWDeviceService64.exe;HWDeviceService64.exe;C:\ProgramData\DatacardService\HWDeviceService64.exe [2011-3-14 346976]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-21 2656280]
R3 acpials;ALS Sensor Filter;C:\Windows\System32\drivers\acpials.sys [2009-7-14 9728]
R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2012-6-28 35104]
R3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2012-6-28 292864]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2012-7-22 172960]
R3 cvusbdrv;Dell ControlVault;C:\Windows\System32\drivers\cvusbdrv.sys [2012-6-28 38440]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\System32\drivers\e1y62x64.sys [2012-6-28 287960]
R3 huawei_enumerator;huawei_enumerator;C:\Windows\System32\drivers\ew_jubusenum.sys [2013-2-23 90112]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\System32\drivers\IntcHdmi.sys [2012-6-28 145408]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\System32\drivers\MpNWMon.sys [2010-10-25 40832]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2010-10-25 84864]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S2 dsiasrv;DSM CM Inventory Agent;C:\Program Files (x86)\Dell\SysMgt\dsia\bin\DsiaSrv32.exe [2011-11-3 149400]
S2 HP LaserJet Service;HP LaserJet Service;C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2010-10-25 145920]
S2 Photon Plus. RunOuc;Photon Plus. OUC;C:\Program Files (x86)\Photon Plus\Huawei\UpdateDog\ouc.exe [2013-2-23 655712]
S3 d554gps;Dell Wireless HSPA Mini-Card GPS Port;C:\Windows\System32\drivers\d554gps64.sys [2012-6-28 96296]
S3 d557bus;Dell Wireless 5540 HSPA Mini-Card Device (Win7);C:\Windows\System32\drivers\d557bus.sys [2012-6-28 328704]
S3 d557mgmt;Dell Wireless 5540 HSPA Mini-Card Device Management (Win7);C:\Windows\System32\drivers\d557mgmt.sys [2012-6-28 376320]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-7-27 71168]
S3 ecnssndis;Service for enabling selective suspend to NDIS device;C:\Windows\System32\drivers\wwuss64.sys [2012-6-28 12800]
S3 ecnssndisfltr;SSNDIS filter service;C:\Windows\System32\drivers\wwussf64.sys [2012-6-28 17408]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\System32\drivers\ew_hwusbdev.sys [2013-2-23 117248]
S3 fastdumpx64;fastdumpx64;C:\Windows\HBGDDNA\fastdumpx64.sys [2013-6-10 18728]
S3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2012-6-28 56344]
S3 HPFXBULKLEDM;HPFXBULKLEDM;C:\Windows\System32\drivers\hppdbulkio.sys [2012-11-4 22040]
S3 HPFXFAX;HPFXFAX;C:\Windows\System32\drivers\hppdfaxio.sys [2012-11-4 23576]
S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2012-6-28 158976]
S3 Mbm3CBus;Dell Wireless HSPA Mini-Card Device (WDM);C:\Windows\System32\drivers\Mbm3CBus.sys [2012-6-28 378952]
S3 Mbm3DevMt;Dell Wireless HSPA Mini-Card Device Management Driver (WDM);C:\Windows\System32\drivers\Mbm3DevMt.sys [2012-6-28 416328]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-11-19 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-11-19 181248]
S3 QCFilterdl;Dell Wireless 5600 (EV-DO-HSPA) Mobile Broadband Mini-Card Composite Device Filter Driver;C:\Windows\System32\drivers\qcfilterdl.sys [2012-6-28 8832]
S3 qcfilterdl2k;Gobi 2000 USB Composite Device Filter Driver(413C-8186);C:\Windows\System32\drivers\qcfilterdl2k.sys [2012-6-28 6400]
S3 qcusbserdl;Dell USB Device for Legacy Serial Communication;C:\Windows\System32\drivers\qcusbserdl.sys [2012-6-28 127104]
S3 qcusbserdl2k;Gobi 2000 USB Device for Legacy Serial Communication(413C-8186);C:\Windows\System32\drivers\qcusbserdl2k.sys [2012-6-28 121600]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2011-7-27 20992]
S3 rimspci;rimspci;C:\Windows\System32\drivers\rimspe64.sys [2012-6-28 60416]
S3 risdpcie;risdpcie;C:\Windows\System32\drivers\risdpe64.sys [2012-6-28 80896]
S3 rixdpcie;rixdpcie;C:\Windows\System32\drivers\rixdpe64.sys [2012-6-28 55808]
S3 SNXPPAMD;SUNIX Parallel Port Driver;C:\Windows\System32\drivers\snxppamd.sys [2011-12-21 100728]
S3 SNXPSAMD;SUNIX Serial Port Driver;C:\Windows\System32\drivers\snxpsamd.sys [2011-12-21 97144]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-7-27 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2011-7-27 34816]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-27 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2011-7-27 31232]
S3 tsusbhub;Remote Deskotop USB Hub;C:\Windows\System32\drivers\tsusbhub.sys [2011-7-27 117248]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-25 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S4 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\SysWOW64\NLSSRV32.EXE [2012-11-6 69640]
S4 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S4 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
.
=============== Created Last 30 ================
.
2013-06-17 04:45:31 9460464 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D99A34DD-FA08-4CE0-8B08-A95078BFAD5A}\mpengine.dll
2013-06-16 18:31:38 -------- d-----w- C:\ProgramData\StarApp
2013-06-16 18:31:36 -------- d-----w- C:\Program Files (x86)\WebSearch
2013-06-11 04:54:48 -------- d-----w- C:\Users\mathewt1\AppData\Local\Microsoft Games
2013-06-10 06:17:07 -------- d-----w- C:\Program Files\Microsoft Games
2013-06-10 05:06:48 -------- d-----w- C:\Program Files (x86)\HBGary
2013-06-06 13:34:44 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-06 13:34:44 -------- d-----w- C:\Program Files\iTunes
2013-06-06 13:34:44 -------- d-----w- C:\Program Files\iPod
2013-06-06 13:34:44 -------- d-----w- C:\Program Files (x86)\iTunes
2013-06-04 06:36:02 -------- d--h--w- C:\ProgramData\CanonIJQuickMenu
2013-06-04 06:35:52 -------- d--h--w- C:\ProgramData\CanonIJEGV
2013-06-04 06:33:56 -------- d-----w- C:\ProgramData\CanonIJPLM
2013-06-04 06:32:55 392192 ----a-w- C:\Windows\System32\CNMXLMB7.DLL
2013-06-04 06:32:06 320000 ----a-w- C:\Windows\SysWow64\CNC_B7L.dll
2013-06-04 06:32:06 15872 ----a-w- C:\Windows\SysWow64\CNHMCA.dll
2013-06-04 06:32:06 103424 ----a-w- C:\Windows\SysWow64\CNC_B7U.dll
2013-06-04 06:27:11 -------- d-----w- C:\Program Files\Common Files\CANON
2013-06-04 06:26:57 -------- d-----w- C:\ProgramData\CanonIJWSpt
2013-06-04 06:20:36 30208 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\CNMPDB7.DLL
2013-06-04 06:20:36 100352 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\CNMPPB7.DLL
2013-06-04 06:20:19 363520 ----a-w- C:\Windows\System32\CNC_B7L.dll
2013-06-04 06:20:19 287744 ----a-w- C:\Windows\System32\CNC_B7C.dll
2013-06-04 06:20:19 17920 ----a-w- C:\Windows\System32\CNHMCA6.dll
2013-06-04 06:20:19 106496 ----a-w- C:\Windows\System32\CNC_B7I.dll
2013-06-04 06:19:54 389120 ----a-w- C:\Windows\System32\CNMLMB7.DLL
2013-05-31 06:38:16 -------- d-----w- C:\ProgramData\Free Download Manager
2013-05-23 14:29:52 24416 ----a-r- C:\Windows\System32\AdobePDFUI.dll
.
==================== Find3M  ====================
.
2013-06-16 06:11:28 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-16 06:11:28 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-02 15:29:56 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-04-13 08:47:55 861088 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2013-04-13 08:47:55 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-04-04 11:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-04-04 02:35:05 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-26 04:06:24 34840 ----a-w- C:\Windows\System32\drivers\cnnctfy3.sys
.
============= FINISH: 12:48:15.59 ===============
 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 Robybel

Robybel

    Bleepin' Mattley


  • Malware Response Team
  • 179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:02 AM

Posted 21 June 2013 - 12:18 AM

Hi and Welcome!! ynotmat :)

My name is Robybel.

I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.


Vista and Windows 7 users:

These tools MUST be run from the executable. (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.

Having said that....Let's get going!! ;)

==========================

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Next

AdwCleaner
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
Next

thisisujrt.gif Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Next
  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
    RGKRScan.png
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
    RGKRDelete.png
  • Next click on the ShortcutsFix
    RGKRShortcutsFix.png
  • another report will be created on your desktop.
Please post: All RKreport.txt text files located on your desktop.

On your next reply please post :
  • checkup.txt
  • AdwCleaner[S1].txt
  • JRT.txt
  • All RKreport.txt

Let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!

- Proud Graduate of WTT Classroom -

Member of ASAP and UNITE


Please Only Copy And Paste Reports Into Topic - Do Not Attach

If you are satisfied with the help that you have received, please consider a donation btndonatesmr.gif

 

 


#3 ynotmat

ynotmat
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:02 AM

Posted 21 June 2013 - 03:31 PM

Hi RobyBel,

 

Thanks for the reply. :-)

 

All logs required by you follows;.

 

=======================================================

1. Checkup.txt

=======================================================

 

  Results of screen317's Security Check version 0.99.67  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Forefront Endpoint Protection   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 21  
 Java version out of Date! 
 Adobe Flash Player 11.7.700.169  
 Adobe Reader 10.1.7 Adobe Reader out of Date!  
 Google Chrome 27.0.1453.116  
 Google Chrome 28.0.1500.52  
 Google Chrome Plugins...  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials msseces.exe 
 Windows Defender MSMpEng.exe 
 Microsoft Security Client Antimalware MsMpEng.exe  
 Microsoft Security Client Antimalware NisSrv.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 
 
==============================================================
2. AdwCleaner[S1].txt
==============================================================
 
# AdwCleaner v2.303 - Logfile created 06/21/2013 at 22:48:52
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Enterprise Service Pack 1 (64 bits)
# User : mathewt1 - 246QJ4J
# Boot Mode : Normal
# Running from : C:\Users\mathewt1\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Folder Deleted : C:\Program Files (x86)\continuetosave
Folder Deleted : C:\Program Files (x86)\WebSearch
Folder Deleted : C:\ProgramData\cconttiNiUUetoosaavee
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\Users\mathewt1\AppData\LocalLow\cconttiNiUUetoosaavee
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\AppDataLow\SProtector
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\Software\DownTango
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SProtector
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Value Deleted : HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel [Homepage]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.7601.17514
 
Replaced : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main - Start Page] = hxxp://websearch.resulthunters.info/?unqvl=21 --> hxxp://www.google.com
 
-\\ Google Chrome v28.0.1500.52
 
File : C:\Users\mathewt1\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
Deleted [l.3276] : homepage = "hxxp://startsear.ch/?aff=1",
Deleted [l.4036] : urls_to_restore_on_startup = [ "", "hxxp://websearch.resulthunters.info/?unqvl=21" ]
 
*************************
 
AdwCleaner[S1].txt - [2609 octets] - [21/06/2013 22:48:52]
 
########## EOF - C:\AdwCleaner[S1].txt - [2669 octets] ##########
 
======================================================================

3. JRT.txt

======================================================================

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Enterprise x64
Ran by mathewt1 on 21/06/2013 at 22:58:59.03
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\free download manager
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 21/06/2013 at 23:03:33.63
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
============================================================================

4. RKreport[0]_S_06212013_231428.txt

============================================================================

 

RogueKiller V8.6.1 _x64_ [Jun 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : mathewt1 [Admin rights]
Mode : Scan -- Date : 06/21/2013 23:14:28
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] ouc.exe -- C:\ProgramData\Photon Plus\Huawei\OnlineUpdate\ouc.exe [7] -> KILLED [TermProc]
[SUSP PATH] chrome_frame_helper.exe -- C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\28.0.1500.52\chrome_frame_helper.exe [7] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : ChromeFrameHelper ("C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\28.0.1500.52\chrome_frame_helper.exe" --startup [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1213323324-3724858365-2759078338-2174580\[...]\Run : ChromeFrameHelper ("C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\28.0.1500.52\chrome_frame_helper.exe" --startup [7]) -> FOUND
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD1600BJKT-75F4T0 +++++
--- User ---
[MBR] 831b5bb0527cb6bfc0bb6fa0ef236bb7
[BSP] 78239fcb611d0ac495c40b69d13b875f : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 300 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 616448 | Size: 152325 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: WDC WD1600BJKT-75F4T0 +++++
--- User ---
[MBR] 8a4a3f84a9eda68451f8bdccda84c484
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 7576 Mo
Error reading LL1 MBR!
Error reading LL2 MBR!
 
+++++ PhysicalDrive2: WDC WD1600BJKT-75F4T0 +++++
--- User ---
[MBR] c12da8a36023e8c182bc01060ebb34c3
[BSP] 5cab7fac78b6fe5301595cea6da44b25 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1430796 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
 
+++++ PhysicalDrive3: WDC WD1600BJKT-75F4T0 +++++
--- User ---
[MBR] 19d14e50286225414aa964e9db40b934
[BSP] d381446b6906e1ffa5c3bd8cea5d26c3 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
 
Finished : << RKreport[0]_S_06212013_231428.txt >>
 
=======================================================================
5. RKreport[0]_SC_06212013_231707

=======================================================================

 

RogueKiller V8.6.1 _x64_ [Jun 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : mathewt1 [Admin rights]
Mode : Shortcuts HJfix -- Date : 06/21/2013 23:17:07
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] ouc.exe -- C:\ProgramData\Photon Plus\Huawei\OnlineUpdate\ouc.exe [7] -> KILLED [TermProc]
[SUSP PATH] chrome_frame_helper.exe -- C:\Users\mathewt1\AppData\Local\Google\Chrome\Application\28.0.1500.52\chrome_frame_helper.exe [7] -> KILLED [TermProc]
 
¤¤¤ Driver : [NOT LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 0 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 18 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 3 / Fail 0
Backup: [NOT FOUND]
 
Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume3 -- 0x2 --> Restored
[F:] \Device\CdRom1 -- 0x5 --> Skipped
[G:] \Device\HarddiskVolume5 -- 0x3 --> Restored
[H:] \Device\HarddiskVolume4 -- 0x3 --> Restored
 
¤¤¤ Infection :  ¤¤¤
 
Finished : << RKreport[0]_SC_06212013_231707.txt >>
RKreport[0]_D_06212013_231645.txt;RKreport[0]_S_06212013_231428.txt
 
***END OF ALL LOGS***
 

 

Hope i have posted correctly. Awaiting your reply and further instructions.
 
Good day to you.


#4 Robybel

Robybel

    Bleepin' Mattley


  • Malware Response Team
  • 179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:02 AM

Posted 22 June 2013 - 10:22 AM

Hi ynotmat :)

Good job

Please read through these instructions to familarize yourself with what to expect when this tool runs

Refer to the ComboFix User's Guide


Download ComboFix from one of these locations:

Link 1
Link 2



* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

- Proud Graduate of WTT Classroom -

Member of ASAP and UNITE


Please Only Copy And Paste Reports Into Topic - Do Not Attach

If you are satisfied with the help that you have received, please consider a donation btndonatesmr.gif

 

 


#5 ynotmat

ynotmat
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:02 AM

Posted 23 June 2013 - 12:12 AM

Hi Robybel,

 

I have question about a folder that was created on my desktop. During the rouge killer scan a folder "RK-Quarantine"  was created on my desktop. Is it safe to delete this folder and its contents? There are 12 files in the folder including a rougekiller.ini file.

 

Combofix log follows:

=======================================

ComboFix 13-06-22.01 - mathewt1 23/06/2013   0:59.1.2 - x64
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.44.1033.18.4048.2329 [GMT 3:00]
Running from: c:\users\mathewt1\Desktop\ComboFix.exe
AV: Microsoft Forefront Endpoint Protection *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Forefront Endpoint Protection *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 192 bytes in 1 streams.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\mathewt1\AppData\Local\assembly\tmp
c:\windows\SysWow64\pt
c:\windows\SysWow64\pt\AuthFWSnapIn.Resources.dll
c:\windows\SysWow64\pt\AuthFWWizFwk.Resources.dll
c:\windows\SysWow64\zip32.dll
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-22 to 2013-06-22  )))))))))))))))))))))))))))))))
.
.
2013-06-22 22:16 . 2013-06-22 22:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-22 22:16 . 2013-06-22 22:16 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-06-22 22:16 . 2013-06-22 22:16 -------- d-----w- c:\users\Administrator.246QJ4J\AppData\Local\temp
2013-06-22 16:25 . 2013-06-12 03:08 9552976 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2444859F-9DD7-443B-B48B-743DE5463D89}\mpengine.dll
2013-06-21 19:58 . 2013-06-21 19:58 -------- d-----w- c:\windows\ERUNT
2013-06-21 19:58 . 2013-06-21 19:58 -------- d-----w- C:\JRT
2013-06-20 10:00 . 2013-06-20 10:00 -------- d-----w- c:\users\Default\AppData\Local\Google
2013-06-16 18:31 . 2013-06-16 18:31 -------- d-----w- c:\programdata\StarApp
2013-06-12 18:04 . 2013-02-16 22:40 28672 ----a-w- c:\windows\system32\IEUDINIT.EXE
2013-06-11 04:54 . 2013-06-12 11:50 -------- d-----w- c:\users\mathewt1\AppData\Local\Microsoft Games
2013-06-10 06:17 . 2013-06-10 06:17 -------- d-----w- c:\program files\Microsoft Games
2013-06-10 05:06 . 2013-06-10 05:06 -------- d-----w- c:\program files (x86)\HBGary
2013-06-06 13:34 . 2013-06-06 13:35 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-06 13:34 . 2013-06-06 13:35 -------- d-----w- c:\program files\iTunes
2013-06-06 13:34 . 2013-06-06 13:35 -------- d-----w- c:\program files (x86)\iTunes
2013-06-06 13:34 . 2013-06-06 13:34 -------- d-----w- c:\program files\iPod
2013-06-04 06:36 . 2013-06-04 06:36 -------- d-----w- c:\programdata\CanonIJQuickMenu
2013-06-04 06:35 . 2013-06-04 06:35 -------- d-----w- c:\programdata\CanonIJEGV
2013-06-04 06:33 . 2013-06-06 13:31 -------- d-----w- c:\programdata\CanonIJPLM
2013-06-04 06:32 . 2012-03-26 02:00 392192 ----a-w- c:\windows\system32\CNMXLMB7.DLL
2013-06-04 06:32 . 2012-02-08 13:34 320000 ----a-w- c:\windows\SysWow64\CNC_B7L.dll
2013-06-04 06:32 . 2012-01-16 11:21 103424 ----a-w- c:\windows\SysWow64\CNC_B7U.dll
2013-06-04 06:32 . 2008-08-25 15:02 15872 ----a-w- c:\windows\SysWow64\CNHMCA.dll
2013-06-04 06:27 . 2013-06-04 06:27 -------- d-----w- c:\program files\Common Files\CANON
2013-06-04 06:26 . 2013-06-04 06:26 -------- d-----w- c:\programdata\CanonIJWSpt
2013-06-04 06:20 . 2012-03-26 02:00 30208 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPDB7.DLL
2013-06-04 06:20 . 2012-03-26 02:00 100352 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPPB7.DLL
2013-06-04 06:20 . 2013-06-04 06:20 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2013-06-04 06:20 . 2012-02-08 13:36 363520 ----a-w- c:\windows\system32\CNC_B7L.dll
2013-06-04 06:20 . 2012-01-16 11:21 287744 ----a-w- c:\windows\system32\CNC_B7C.dll
2013-06-04 06:20 . 2012-01-16 11:20 106496 ----a-w- c:\windows\system32\CNC_B7I.dll
2013-06-04 06:20 . 2008-08-25 15:02 17920 ----a-w- c:\windows\system32\CNHMCA6.dll
2013-06-04 06:19 . 2012-03-26 02:00 389120 ----a-w- c:\windows\system32\CNMLMB7.DLL
2013-06-04 06:19 . 2013-06-04 06:19 -------- d-----w- c:\program files\CanonBJ
2013-05-31 06:38 . 2013-05-31 06:38 -------- d-----w- c:\programdata\Free Download Manager
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-16 06:11 . 2013-04-11 09:52 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-06-16 06:11 . 2013-04-11 09:52 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 03:08 . 2011-08-08 16:28 9552976 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-03 13:15 . 2011-07-24 21:57 75016696 ----a-w- c:\windows\system32\MRT.exe
2013-05-02 15:29 . 2011-07-24 21:13 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-04-13 08:47 . 2012-08-05 14:29 861088 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-04-13 08:47 . 2011-07-28 20:20 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-04-04 11:50 . 2013-03-31 06:52 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-04 02:35 . 2013-04-19 07:36 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-26 04:06 . 2013-03-26 04:06 34840 ----a-w- c:\windows\system32\drivers\cnnctfy3.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\mathewt1\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\mathewt1\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\mathewt1\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\mathewt1\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-20 719672]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office14\GROOVEMN.EXE" [2011-02-11 944520]
"005A4CA47FF622BB748CFF6D59FD53638461CEA4._service_run"="c:\users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe" [2013-06-19 846288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-06-09 5622512]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"GoogleChromeAutoLaunch_A88CF196930C464BA422087DBFD40196"="c:\users\mathewt1\AppData\Local\Google\Chrome\Application\chrome.exe" [2013-06-19 846288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-03-12 462993]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-09 49208]
"ToolboxFX"="c:\program files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-10-25 58936]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Communicator"="c:\program files (x86)\Microsoft Lync\communicator.exe" [2013-03-22 12107944]
"CanonQuickMenu"="c:\program files (x86)\Canon\Quick Menu\CNQMMAIN.EXE" [2012-04-03 1273448]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-05-31 152392]
.
c:\users\mathewt1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\mathewt1\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-25 27776968]
Microsoft SharePoint Workspace.lnk - c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE /TrayOnly [2012-9-20 30785672]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2011-9-2 227712]
TimeLeft.lnk - c:\program files (x86)\TimeLeft3\TimeLeft.exe [2012-10-12 2050224]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-8-17 1080096]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
SnagIt 8.lnk - c:\program files (x86)\TechSmith\SnagIt 8\SnagIt32.exe [2007-2-16 6379080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 dsiasrv;DSM CM Inventory Agent;c:\program files (x86)\Dell\SysMgt\dsia\bin\DsiaSrv32.exe;c:\program files (x86)\Dell\SysMgt\dsia\bin\DsiaSrv32.exe [x]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [x]
R2 Photon Plus. RunOuc;Photon Plus. OUC;c:\program files (x86)\Photon Plus\Huawei\UpdateDog\ouc.exe;c:\program files (x86)\Photon Plus\Huawei\UpdateDog\ouc.exe [x]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]
R3 d554gps;Dell Wireless HSPA Mini-Card GPS Port;c:\windows\system32\drivers\d554gps64.sys;c:\windows\SYSNATIVE\drivers\d554gps64.sys [x]
R3 d557bus;Dell Wireless 5540 HSPA Mini-Card Device (Win7);c:\windows\system32\drivers\d557bus.sys;c:\windows\SYSNATIVE\drivers\d557bus.sys [x]
R3 d557mgmt;Dell Wireless 5540 HSPA Mini-Card Device Management (Win7);c:\windows\system32\drivers\d557mgmt.sys;c:\windows\SYSNATIVE\drivers\d557mgmt.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 ecnssndis;Service for enabling selective suspend to NDIS device;c:\windows\System32\Drivers\wwuss64.sys;c:\windows\SYSNATIVE\Drivers\wwuss64.sys [x]
R3 ecnssndisfltr;SSNDIS filter service;c:\windows\System32\Drivers\wwussf64.sys;c:\windows\SYSNATIVE\Drivers\wwussf64.sys [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys;c:\windows\SYSNATIVE\DRIVERS\ew_hwusbdev.sys [x]
R3 fastdumpx64;fastdumpx64;c:\windows\HBGDDNA\fastdumpx64.sys;c:\windows\HBGDDNA\fastdumpx64.sys [x]
R3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys;c:\windows\SYSNATIVE\drivers\HECIx64.sys [x]
R3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppdbulkio.sys;c:\windows\SYSNATIVE\drivers\hppdbulkio.sys [x]
R3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppdfaxio.sys;c:\windows\SYSNATIVE\drivers\hppdfaxio.sys [x]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys;c:\windows\SYSNATIVE\drivers\Impcd.sys [x]
R3 Mbm3CBus;Dell Wireless HSPA Mini-Card Device (WDM);c:\windows\system32\drivers\Mbm3CBus.sys;c:\windows\SYSNATIVE\drivers\Mbm3CBus.sys [x]
R3 Mbm3DevMt;Dell Wireless HSPA Mini-Card Device Management Driver (WDM);c:\windows\system32\drivers\Mbm3DevMt.sys;c:\windows\SYSNATIVE\drivers\Mbm3DevMt.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys;c:\windows\SYSNATIVE\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys;c:\windows\SYSNATIVE\drivers\nusb3xhc.sys [x]
R3 QCFilterdl;Dell Wireless 5600 (EV-DO-HSPA) Mobile Broadband Mini-Card Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterdl.sys;c:\windows\SYSNATIVE\drivers\qcfilterdl.sys [x]
R3 qcfilterdl2k;Gobi 2000 USB Composite Device Filter Driver(413C-8186);c:\windows\system32\drivers\qcfilterdl2k.sys;c:\windows\SYSNATIVE\drivers\qcfilterdl2k.sys [x]
R3 qcusbserdl;Dell USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserdl.sys;c:\windows\SYSNATIVE\drivers\qcusbserdl.sys [x]
R3 qcusbserdl2k;Gobi 2000 USB Device for Legacy Serial Communication(413C-8186);c:\windows\system32\drivers\qcusbserdl2k.sys;c:\windows\SYSNATIVE\drivers\qcusbserdl2k.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 rimspci;rimspci;c:\windows\system32\drivers\rimspe64.sys;c:\windows\SYSNATIVE\drivers\rimspe64.sys [x]
R3 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe64.sys;c:\windows\SYSNATIVE\drivers\risdpe64.sys [x]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe64.sys;c:\windows\SYSNATIVE\drivers\rixdpe64.sys [x]
R3 SNXPPAMD;SUNIX Parallel Port Driver;c:\windows\system32\drivers\snxppamd.sys;c:\windows\SYSNATIVE\drivers\snxppamd.sys [x]
R3 SNXPSAMD;SUNIX Serial Port Driver;c:\windows\system32\drivers\snxpsamd.sys;c:\windows\SYSNATIVE\drivers\snxpsamd.sys [x]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys;c:\windows\SYSNATIVE\drivers\Synth3dVsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R4 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\NLSSRV32.EXE;c:\windows\SysWOW64\NLSSRV32.EXE [x]
R4 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]
R4 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 cnnctfy3;Connectify LightWeight Filter;c:\windows\system32\DRIVERS\cnnctfy3.sys;c:\windows\SYSNATIVE\DRIVERS\cnnctfy3.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\AESTSr64.exe;c:\windows\SYSNATIVE\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\AESTSr64.exe [x]
S2 Connectify;Connectify;c:\program files (x86)\Connectify\ConnectifyService.exe;c:\program files (x86)\Connectify\ConnectifyService.exe [x]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 HWDeviceService64.exe;HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys;c:\windows\SYSNATIVE\DRIVERS\acpials.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys;c:\windows\SYSNATIVE\DRIVERS\CAXHWAZL.sys [x]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys;c:\windows\SYSNATIVE\Drivers\cvusbdrv.sys [x]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1y62x64.sys [x]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jubusenum.sys [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys;c:\windows\SYSNATIVE\DRIVERS\MpNWMon.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-11 06:11]
.
2013-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-07 05:47]
.
2013-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-07 05:47]
.
2013-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1213323324-3724858365-2759078338-2174580Core.job
- c:\users\mathewt1\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-22 16:02]
.
2013-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1213323324-3724858365-2759078338-2174580UA.job
- c:\users\mathewt1\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-22 16:02]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\mathewt1\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\mathewt1\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\mathewt1\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\mathewt1\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-06-06 20:57 778192 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-06 20:57 778192 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-06 20:57 778192 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-06-06 20:57 778192 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-06-06 20:57 778192 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-06-06 20:57 778192 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-02-11 375808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 415256]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-02-11 487424]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-02 5712896]
"HP LaserJet Professional CM1410 Series Fax"="c:\program files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe" [2010-08-24 3706424]
"Connectify Dispatch"="c:\program files (x86)\Connectify\DispatchUI.exe" [2013-05-14 3121440]
"Connectify Hotspot"="c:\program files (x86)\Connectify\Connectify.exe" [2013-05-14 5236512]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = local
Trusted Zone: 515crpweb
Trusted Zone: 515crpwebcapture
Trusted Zone: 515opweb
Trusted Zone: 515opweb1
Trusted Zone: 515opwebcapture
Trusted Zone: techno-media.com\www
Trusted Zone: weatherford.com\citrix
Trusted Zone: weatherford.com\elearning
Trusted Zone: weatherford.com\elm
Trusted Zone: weatherford.com\employeeconnect
Trusted Zone: weatherford.com\hcmprdapp
Trusted Zone: weatherford.com\hrmsonline
Trusted Zone: weatherford.com\hrtstapp01
Trusted Zone: weatherford.com\ocs
Trusted Zone: weatherford.com\psoftelm
Trusted Zone: weatherford.com\uswftadfs
Trusted Zone: weatherford.com\wftsso
Trusted Zone: weatherford.com\xenapp
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-99937698.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-{DFE19F23-4372-39FE-7787-5398FCAB3637} - c:\progra~3\INSTAL~1\{D46E3~1\Setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1213323324-3724858365-2759078338-2174580\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ib]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1213323324-3724858365-2759078338-2174580\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ib\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1213323324-3724858365-2759078338-2174580\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**€J*ÑøÕL*-éP?ä/§e]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1213323324-3724858365-2759078338-2174580\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**€J*ÑøÕL*-éP?ä/§e\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1213323324-3724858365-2759078338-2174580\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*ib]
@Allowed: (Read) (RestrictedCode)
"0"=hex:4a,3a,5c,48,44,5c,54,68,65,20,44,61,72,6a,65,65,6c,69,6e,67,20,4c,69,
   6d,69,74,65,64,5c,74,39,5c,53,42,5c,6e,6b,73,5c,32,30,30,39,5f,31,32,5f,31,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-1213323324-3724858365-2759078338-2174580\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.**€J*ÑøÕL*-éP?ä/§e]
@Allowed: (Read) (RestrictedCode)
"0"=hex:45,3a,5c,56,69,64,65,6f,73,5c,46,75,6e,20,63,6c,69,70,73,5c,48,75,6d,
   6f,75,72,5c,43,6c,69,70,73,5c,50,6f,6c,69,63,65,5f,44,65,70,74,5f,56,6f,69,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-06-23  01:46:13
ComboFix-quarantined-files.txt  2013-06-22 22:46
.
Pre-Run: 35,060,043,776 bytes free
Post-Run: 34,694,840,320 bytes free
.
- - End Of File - - 0F6CDD7684919CE7F7CB55AD549C76A0
D41D8CD98F00B204E9800998ECF8427E
 

===============================================================

 

Hope we are making progress!! :-)



#6 Robybel

Robybel

    Bleepin' Mattley


  • Malware Response Team
  • 179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:02 AM

Posted 23 June 2013 - 01:04 AM

Hi ynotmat :)

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
ClearJavaCache

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

CFScriptB-4.gif


Next

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    MBAM.PNG
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
=============================== Next =======================================



ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

Note: If you are using Windows Vista/7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as MyEsetScan. Alternatively, look for report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
  • Push the Back button.
  • Select Uninstall application on close check box and push esetFinish.png
    Please let me know how your machine is running and if there are any outstanding issues


    On your next reply please post :
  • MBAM log
  • Eset report

  • Let me know if you have any problems in performing with the steps above or any questions you may have.

    Good Day!

- Proud Graduate of WTT Classroom -

Member of ASAP and UNITE


Please Only Copy And Paste Reports Into Topic - Do Not Attach

If you are satisfied with the help that you have received, please consider a donation btndonatesmr.gif

 

 


#7 ynotmat

ynotmat
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:02 AM

Posted 23 June 2013 - 04:55 AM

HI Robybel,

 

Did i miss anything from your previous instructions (thought i followed them to the dot!!). I completed the the combofix scan as you instructed along with the malware bytes and ESET online scan. Following are the logs.

 

============================================================

Malwarebytes' Anti-Malware LOG

============================================================

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.06.23.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
mathewt1 :: 246QJ4J [administrator]
 
Protection: Enabled
 
23/06/2013 10:16:52
mbam-log-2013-06-23 (10-16-52).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 254579
Time elapsed: 4 minute(s), 13 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
========================================================

ESET Online Scanner LOG

========================================================

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=5946af83d44a2c4196a058841fb7f06d
# engine=14135
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-06-23 09:48:12
# local_time=2013-06-23 12:48:12 (+0300, Arabic Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 47566716 123610742 0 0
# scanned=280893
# found=0
# cleaned=0
# scan_time=8089
 

** End of Logs**

 

please advice on further action, or if i have missed out anything. 

 

regards and good day!!

 

 



#8 Robybel

Robybel

    Bleepin' Mattley


  • Malware Response Team
  • 179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:02 AM

Posted 23 June 2013 - 05:37 AM

Hi ynomat :)

You have done very good job

Please let me know how your machine is running and if there are any outstanding issues :)

- Proud Graduate of WTT Classroom -

Member of ASAP and UNITE


Please Only Copy And Paste Reports Into Topic - Do Not Attach

If you are satisfied with the help that you have received, please consider a donation btndonatesmr.gif

 

 


#9 ynotmat

ynotmat
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:02 AM

Posted 23 June 2013 - 05:57 AM

Hi Robybel,

 

Your instructions were clear which made it easy!!!

Everything seems to run fine now. will report in a couple of days as i check how IE is functioning. When i started IE the old redirect came back but i deleted history and now everything seems fine. Will report back on 26th, will this post remain open this then?

 

Regards.



#10 Robybel

Robybel

    Bleepin' Mattley


  • Malware Response Team
  • 179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:02 AM

Posted 24 June 2013 - 04:10 PM

Ok !!

- Proud Graduate of WTT Classroom -

Member of ASAP and UNITE


Please Only Copy And Paste Reports Into Topic - Do Not Attach

If you are satisfied with the help that you have received, please consider a donation btndonatesmr.gif

 

 


#11 ynotmat

ynotmat
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:02 AM

Posted 25 June 2013 - 01:51 AM

Hi Robybel,

 

Just to report everything seems to be working fine now. Thanks a lot for your assistance. can i contact you if the issue crops up again.

 

Regards,

mathewtony



#12 ynotmat

ynotmat
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:02 AM

Posted 25 June 2013 - 04:59 AM

HI robybel,

 

The problem is come back with a vengence!!! if i reset IE the redirects stop for a little while and then is back.

 

Regards



#13 Robybel

Robybel

    Bleepin' Mattley


  • Malware Response Team
  • 179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:02 AM

Posted 25 June 2013 - 11:52 PM

Hi ynotmat :)

No problem, do not worry I'm here :)

We had not yet finished:

Run OTL
  • Open OTL again and click the Quick Scan button (don't check the boxes beside LOP Check or Purity this time)
  • Post the OTL.txt log it produces in your next reply.
Ynotmat Thank you very much :)

- Proud Graduate of WTT Classroom -

Member of ASAP and UNITE


Please Only Copy And Paste Reports Into Topic - Do Not Attach

If you are satisfied with the help that you have received, please consider a donation btndonatesmr.gif

 

 


#14 ynotmat

ynotmat
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:02 AM

Posted 26 June 2013 - 12:04 AM

hi Robybel,

 

OTL is not linked. cannot open.

 

Regards.



#15 Robybel

Robybel

    Bleepin' Mattley


  • Malware Response Team
  • 179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:02 AM

Posted 26 June 2013 - 12:06 AM

You're right sorry ynotmat :)


Scan with OTL
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan paste this in


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /rp /s
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    DRIVES
    CREATERESTOREPOINT
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
  • You may need two posts to fit them both in.

- Proud Graduate of WTT Classroom -

Member of ASAP and UNITE


Please Only Copy And Paste Reports Into Topic - Do Not Attach

If you are satisfied with the help that you have received, please consider a donation btndonatesmr.gif

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users