Can't run or find downloads (one of many problems)


This topic is locked
25 replies to this topic

#1 bjackson76
  • Members
  • 14 posts
  • Local time: 09:37 PM

Posted 08 July 2013 - 02:33 PM

I first had a random audio ad play in the background about a month ago, like another user posted. I thought I'd get Malwarebytes, but after it appeared to download, I could not open the containing folder, nor was the file in my downloads (running Firefox). A PDF will open in the reader, but if I try to save it, the same thing occurs.

I used a jump drive to get Malwarebytes, but scans won't complete and the program locks up. I used Dropbox to get the DDS log program. We just had guests stay with us last week, and this is the first time I've been back on the PC. As soon as I opened Firefox, someone or something had installed some SweetPacks thing.

I ran the DDS log before I noticed the SweetPacks. It showed as an add-on in Firefox and I have since disabled it from within Firefox.

One of the steps in the prep guide is to use a firewall. My Windows firewall (Vista Home Premium) appears to have been disabled and it would not allow me to enable it. I again used Dropbox to install Privatefirewall to have something running.

Thank you for your help!

Ben

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16490  BrowserJavaVersion: 10.25.2
Run by jackson at 14:10:37 on 2013-07-08
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2942.1763 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Privacyware\Privatefirewall 7.0\pfsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Windows\system32\dmwu.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\jmdp\stij.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Windows\vVX3000.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Nuance\PaperPort\pptd40nt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
C:\Program Files\Browny02\Brother\BrStMonW.exe
C:\Program Files\Privacyware\Privatefirewall 7.0\PFGUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files\PC Drivers HeadQuarters\Driver Detective\DriversHQ.DriverDetective.Client.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Users\jackson\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files\ControlCenter4\BrCtrlCntr.exe
C:\Windows\ehome\ehmsas.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Browny02\BrYNSvc.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\ControlCenter4\BrCcUxSys.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\ProgramData\FLEXnet\Connect\11\agent.exe
C:\Windows\system32\schtasks.exe
C:\Users\jackson\AppData\Roaming\Microsoft\Upsmw\upsmw.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={20A13E20-E49E-11E2-B07B-001BB952C55C}
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={20A13E20-E49E-11E2-B07B-001BB952C55C}
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
uProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
BHO: Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - c:\program files\nuance\pdf viewer plus\bin\PlusIEContextMenu.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Updater By SweetPacks: {7D4F1959-3F72-49d5-8E59-F02F8AA6815D} - c:\program files\updater by sweetpacks\Extension32.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SweetPacks Browser Helper: {EEE6C35C-6118-11DC-9C72-001320C79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Vuze Remote Toolbar: {BA14329E-9550-4989-B3F2-9732E92D17CC} - c:\program files\vuze_remote\prxtbVuz0.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: SweetPacks Toolbar for Internet Explorer: {EEE6C35B-6118-11DC-9C72-001320C79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Driver Detective] c:\program files\pc drivers headquarters\driver detective\DriversHQ.DriverDetective.Client.exe /applicationMode:systemTray /showWelcome:false
uRun: [ISUSPM] "c:\users\jackson\appdata\roaming\microsoft\upsmw\upsmw.exe" /c c:\programdata\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [epyc] "c:\users\jackson\appdata\roaming\microsoft\upsmw\upsmw.exe"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IndexSearch] "c:\program files\nuance\paperport\IndexSearch.exe"
mRun: [PaperPort PTD] "c:\program files\nuance\paperport\pptd40nt.exe"
mRun: [PPort12reminder] "c:\program files\nuance\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\12\config\ereg\Ereg.ini"
mRun: [PDFHook] c:\program files\nuance\pdf viewer plus\pdfpro5hook.exe
mRun: [PDF5 Registry Controller] c:\program files\nuance\pdf viewer plus\RegistryController.exe
mRun: [ControlCenter4] c:\program files\controlcenter4\BrCcBoot.exe /autorun
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [Privatefirewall] c:\program files\privacyware\privatefirewall 7.0\PFGUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Launcher] c:\windows\sminst\launcher.exe
StartupFolder: c:\users\jackson\appdata\roaming\micros~1\windows\startm~1\programs\startup\direct~1.lnk - c:\users\jackson\appdata\local\directdownloader\DirectDownloader.exe
StartupFolder: c:\users\jackson\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jackson\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\imaget~1.lnk - c:\program files\sony corporation\image transfer\SonyTray.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://www.stonyfield.com/coupons/scriptX/smsx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {20722C4E-9050-45C8-8D1A-816C4A06AD90} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_6/PhotoCenter_ActiveX_Control.cab
DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/canvasx.cab
DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - hxxp://host.cycore.net/plugins/windows/ie/Cult3D_IE_5.3.0.228.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/52.09/uploader2.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://eversave.coupons.smartsource.com/download/cscmv5X.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.winkflash.com/photo/loaders/ImageUploader5.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://samsclubus.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/NET/Uploader/LPUploader57.cab
DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://stories.scrapbooksetc.com/create/DragDropUploader.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: NameServer = 10.0.0.1
TCP: Interfaces\{4129B5DC-99F9-495A-8760-E0646DEAD679} : DHCPNameServer = 10.0.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jackson\appdata\roaming\mozilla\firefox\profiles\9knxff2z.default-1369178178166\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://start.sweetpacks.com/?src=2&st=12&crg=3.5000006.10045&barid={20A13E20-E49E-11E2-B07B-001BB952C55C}&q=
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\logitech\harmony remote driver\NprtHarmonyPlugin.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\users\jackson\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-07-04 07:38; {EEE6C361-6118-11DC-9C72-001320C79847}; c:\users\jackson\appdata\roaming\mozilla\firefox\profiles\9knxff2z.default-1369178178166\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
FF - ExtSQL: 2013-07-04 07:38; {7D4F1959-3F72-49d5-8E59-F02F8AA6815D}; c:\program files\updater by sweetpacks\Firefox
.
============= SERVICES / DRIVERS ===============
.
R1 pwipf6;Privacyware Filter Driver;c:\windows\system32\drivers\pwipf6.sys [2013-7-4 128672]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 AdobeActiveFileMonitor11.0;Adobe Active File Monitor V11;c:\program files\adobe\elements 11 organizer\PhotoshopElementsFileAgent.exe [2012-9-17 171600]
R2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2011-5-6 1085440]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-24 21504]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 IBUpdaterService;IBUpdaterService;c:\windows\system32\dmwu.exe [2013-7-4 1167152]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-21 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-5-21 701512]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\nuance\paperport\PDFProFiltSrvPP.exe [2010-3-9 144672]
R2 PFNet;Privacyware network service;c:\program files\privacyware\privatefirewall 7.0\pfsvc.exe [2013-1-14 374600]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-8-27 92008]
R2 Updater By SweetPacks;Updater By SweetPacks;c:\program files\updater by sweetpacks\ExtensionUpdaterService.exe [2013-7-4 188760]
R3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2013-2-16 245760]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-21 22856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2010-6-9 19456]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-07-04 14:14:01    299008    ----a-w-    c:\users\jackson\appdata\roaming\microsoft\upsmw\u\upsmw.exe
2013-07-04 12:27:57    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-07-04 11:49:27    --------    d-----w-    c:\users\jackson\appdata\local\Privatefirewall
2013-07-04 11:41:06    128672    ----a-w-    c:\windows\system32\drivers\pwipf6.sys
2013-07-04 11:40:56    --------    d-----w-    c:\programdata\Privacyware
2013-07-04 11:40:56    --------    d-----w-    c:\program files\Privacyware
2013-07-04 11:38:41    --------    d-----w-    c:\program files\Updater By SweetPacks
2013-07-04 11:38:09    --------    d-----w-    c:\program files\SweetIM
2013-07-04 11:37:55    941320    ----a-w-    c:\program files\windows defender\en-us\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\axfbc0ad\SkywalkerSetup[1].exe
2013-07-04 11:37:46    632656    ----a-w-    c:\windows\system32\msvcr80.dll
2013-07-04 11:37:46    554832    ----a-w-    c:\windows\system32\msvcp80.dll
2013-07-04 11:37:46    479232    ----a-w-    c:\windows\system32\msvcm80.dll
2013-07-04 11:37:46    --------    d-----w-    c:\windows\system32\jmdp
2013-07-04 11:37:46    --------    d-----w-    c:\windows\system32\ARFC
2013-07-04 11:37:44    27136    ----a-w-    c:\windows\system32\ImHttpComm.dll
2013-07-04 11:37:44    1167152    ----a-w-    c:\windows\system32\dmwu.exe
2013-07-04 11:37:44    --------    d-----w-    c:\windows\system32\WNLT
2013-06-30 18:56:04    304128    ----a-w-    c:\users\jackson\appdata\roaming\microsoft\upsmw\uwzkgpjz.exe
2013-06-25 02:39:01    307200    ----a-w-    c:\users\jackson\appdata\roaming\microsoft\upsmw\upsmw.exe
2013-06-14 00:06:47    905576    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-06-14 00:06:39    443904    ----a-w-    c:\windows\system32\win32spl.dll
2013-06-14 00:06:39    37376    ----a-w-    c:\windows\system32\printcom.dll
2013-06-14 00:06:21    985600    ----a-w-    c:\windows\system32\crypt32.dll
2013-06-14 00:06:21    98304    ----a-w-    c:\windows\system32\cryptnet.dll
2013-06-14 00:06:21    812544    ----a-w-    c:\windows\system32\certutil.exe
2013-06-14 00:06:21    41984    ----a-w-    c:\windows\system32\certenc.dll
2013-06-14 00:06:21    133120    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-06-14 00:06:08    3603832    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-14 00:06:07    3551096    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-06-14 00:05:44    24576    ----a-w-    c:\windows\system32\cryptdlg.dll
.
==================== Find3M  ====================
.
2013-07-04 12:27:17    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-07-04 12:27:17    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-13 23:56:13    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-13 23:56:13    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-05-16 22:39:39    1800704    ----a-w-    c:\windows\system32\jscript9.dll
2013-05-16 22:28:26    1129472    ----a-w-    c:\windows\system32\wininet.dll
2013-05-16 22:27:30    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-05-16 22:21:37    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-05-16 22:20:30    420864    ----a-w-    c:\windows\system32\vbscript.dll
2013-05-16 22:16:57    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-05-02 06:06:08    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-15 14:20:04    638328    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-04-13 10:56:44    37376    ----a-w-    c:\windows\system32\cdd.dll
.
============= FINISH: 14:13:30.94 ===============

 


#2 TB-Psychotic
  • Malware Response Team
  • 5,686 posts
  • Gender: Male
  • Local time: 02:37 AM

Posted 08 July 2013 - 03:10 PM

Hi there,
my name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please download Malwarebytes Anti-Rootkit from the Malwarebytes site and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 bjackson76 (Topic Starter)
  • Members
  • 14 posts
  • Local time: 09:37 PM

Posted 08 July 2013 - 06:44 PM

Thank you for your help.

Here is what was found:

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.08.08

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
jackson :: JACKSON-PC [administrator]

7/8/2013 18:36:41 PM
mbar-log-2013-07-08 (18-36-41).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 318096
Time elapsed: 1 hour(s), 1 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> No action taken.
HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 (Trojan.Zaccess) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Trojan.Zaccess) -> Data: C:\$Recycle.Bin\S-1-5-21-4254822833-444479354-2476460612-1000\$a79a71ced41b92fab73973b2178ad40f\o. -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 6
c:\$Recycle.Bin\S-1-5-18\$a79a71ced41b92fab73973b2178ad40f\U (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-4254822833-444479354-2476460612-1000\$a79a71ced41b92fab73973b2178ad40f\U (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-18\$a79a71ced41b92fab73973b2178ad40f\L (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-4254822833-444479354-2476460612-1000\$a79a71ced41b92fab73973b2178ad40f\L (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-18\$a79a71ced41b92fab73973b2178ad40f (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-4254822833-444479354-2476460612-1000\$a79a71ced41b92fab73973b2178ad40f (Trojan.Siredef.C) -> No action taken.

Files Detected: 14
c:\Users\jackson\AppData\Roaming\Microsoft\Upsmw\uwzkgpjz.exe (Trojan.Downloader.ED) -> No action taken.
c:\Users\jackson\AppData\Local\Temp\2fCPBK.exe (Trojan.Reveton) -> No action taken.
c:\Users\jackson\AppData\Local\Temp\msimg32.dll (Trojan.Downloader.ED) -> No action taken.
c:\$Recycle.Bin\S-1-5-18\$a79a71ced41b92fab73973b2178ad40f\@ (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-4254822833-444479354-2476460612-1000\$a79a71ced41b92fab73973b2178ad40f\@ (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-4254822833-444479354-2476460612-1000\$a79a71ced41b92fab73973b2178ad40f\n (Trojan.0Access) -> No action taken.
c:\Users\jackson\AppData\Local\DirectDownloader\updateRunner.exe (Adware.DirectDownloader) -> No action taken.
c:\Program Files\BitTornado\btdownloadgui.exe (P2P.BitTornado) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-4254822833-444479354-2476460612-1000\$a79a71ced41b92fab73973b2178ad40f\o (Hijack.Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-18\$a79a71ced41b92fab73973b2178ad40f\U\80000000.@ (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-18\$a79a71ced41b92fab73973b2178ad40f\U\800000cb.@ (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-4254822833-444479354-2476460612-1000\$a79a71ced41b92fab73973b2178ad40f\U\00000001.@ (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-4254822833-444479354-2476460612-1000\$a79a71ced41b92fab73973b2178ad40f\U\80000000.@ (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-4254822833-444479354-2476460612-1000\$a79a71ced41b92fab73973b2178ad40f\U\800000cb.@ (Trojan.Siredef.C) -> No action taken.

Physical Sectors Detected: 0
(No malicious items detected)

(end)
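Added example, not from the original post or from Malwarebytes: a Python triage helper for the mbar-log format shown above. It checks that each section's "Detected: N" count matches the entries actually listed, tallies detection families, lists items still marked "No action taken" (this was a scan without CleanUp), and flags paths inside a hidden $Recycle.Bin\<SID>\$<32 hex> directory, the location the Siredef/ZeroAccess entries above share. The embedded log is a constructed excerpt of the one posted, with section counts adjusted to the lines kept; the Recycle Bin heuristic is this example's own.

```python
"""Triage helper for a Malwarebytes Anti-Rootkit log (mbar-log-*.txt); added example."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the log posted above; the "Detected: N" counts were
# adjusted to match the lines kept here. Raw string: backslashes are literal.
SAMPLE_LOG = r"""
Malwarebytes Anti-Rootkit BETA 1.06.0.1004
Database version: v2013.07.08.08

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> No action taken.
HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 (Trojan.Zaccess) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Trojan.Zaccess) -> Data: C:\$Recycle.Bin\S-1-5-21-4254822833-444479354-2476460612-1000\$a79a71ced41b92fab73973b2178ad40f\o. -> No action taken.

Folders Detected: 2
c:\$Recycle.Bin\S-1-5-18\$a79a71ced41b92fab73973b2178ad40f\U (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-4254822833-444479354-2476460612-1000\$a79a71ced41b92fab73973b2178ad40f (Trojan.Siredef.C) -> No action taken.

Files Detected: 4
c:\Users\jackson\AppData\Roaming\Microsoft\Upsmw\uwzkgpjz.exe (Trojan.Downloader.ED) -> No action taken.
c:\Users\jackson\AppData\Local\Temp\2fCPBK.exe (Trojan.Reveton) -> No action taken.
c:\$Recycle.Bin\S-1-5-18\$a79a71ced41b92fab73973b2178ad40f\@ (Trojan.Siredef.C) -> No action taken.
c:\Program Files\BitTornado\btdownloadgui.exe (P2P.BitTornado) -> No action taken.

Physical Sectors Detected: 0
(No malicious items detected)
(end)
"""

HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<item> (<family>) -> <action>". The item is non-greedy so the first
# "(Family) ->" wins even when the action itself contains another "->" (registry values).
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# Heuristic written for this example: a hidden "$<32 hex>" directory under a
# per-SID Recycle Bin folder, the layout the Siredef/ZeroAccess entries above use.
RECYCLE_BIN_RE = re.compile(r"\\\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}", re.IGNORECASE)

@dataclass(frozen=True)
class Detection:
    category: str
    item: str
    family: str
    action: str

def parse_mbar_log(text):
    """Return ({category: declared_count}, [Detection, ...]) for one mbar log."""
    declared, detections, category = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):
            continue  # blank, "(No malicious items detected)", "(end)"
        h = HEADER_RE.match(line)
        if h:
            category = h["category"]
            declared[category] = int(h["count"])
            continue
        e = ENTRY_RE.match(line)
        if e and category is not None:
            detections.append(Detection(category, e["item"], e["family"], e["action"]))
    return declared, detections

def count_mismatches(declared, detections):
    """Categories whose declared count differs from the entries listed: {cat: (declared, seen)}."""
    seen = Counter(d.category for d in detections)
    return {c: (n, seen.get(c, 0)) for c, n in declared.items() if n != seen.get(c, 0)}

def family_summary(detections):
    """How many entries each detection family accounts for."""
    return Counter(d.family for d in detections)

def unresolved(detections):
    """Entries the scanner only reported, i.e. still present until CleanUp is run."""
    return [d for d in detections if d.action.endswith("No action taken.")]

def recycle_bin_hits(detections):
    """Entries whose path, or registry data, points into a hidden per-SID Recycle Bin dir."""
    return [d for d in detections
            if RECYCLE_BIN_RE.search(d.item) or RECYCLE_BIN_RE.search(d.action)]

if __name__ == "__main__":
    declared, dets = parse_mbar_log(SAMPLE_LOG)
    print(f"{len(dets)} detections; count mismatches: {count_mismatches(declared, dets) or 'none'}")
    print("families:", dict(family_summary(dets)))
    print(f"{len(unresolved(dets))} still marked 'No action taken'")
    for d in recycle_bin_hits(dets):
        print("hidden Recycle Bin path:", d.category, d.item)
```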



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,686 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:37 AM

Posted 09 July 2013 - 01:05 AM

Run another scan with mbar.exe and click the CleanUp button. It will require a reboot.

When it has rebooted, run another scan with mbar.exe and click CleanUp again if necessary.

Send the mbar-log.txt along with an update on machine behavior.


Proud Member of UNITE & TB
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 bjackson76

bjackson76
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 09 July 2013 - 03:08 PM

Trying.  I don't know if you saw the first scan took just over an hour.  This scan is way beyond that.  It hasn't stopped completely, so I don't know if I should cancel and restart since there is no guarantee the next scan will be any quicker.  The file name being scanned changes every now and then, but the whole scan has lasted several hours, like 8.  Other processes seem to be acting normal, but I don't use this machine much.  Unless you tell me otherwise, I'll keep letting the scan go and hopefully have something to post tonight.


Thank you



#6 bjackson76

bjackson76
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 09 July 2013 - 10:12 PM

I finally had to cancel and restart my computer.  After that I was able to complete a scan and CleanUp.  I ran another scan after rebooting and it came back clean.


I downloaded Avast and it went to the correct folder so I think that issue is resolved.  I have not installed it yet.


I still have a few concerns.


1. When I click on a new tab in Firefox, it opens with a start.sweetpacks.com page.  At the moment I have bing.com as my home page.  If I open Firefox or click on the Home icon, it correctly goes to Bing.  sweetpacks only shows up with a new tab.


2.  Upon startup, some program upsmw.exe shows briefly in the title box of a window then goes away.  When Privatefirewall starts running it immediately flags the application and I click to block it.  The name appears to be in Russian. Even though I clicked to block it, I see it running in Task Manager and the PrivateFirewall process monitor.


3. Another program I blocked is "adobe flash player updater.job".  This I don't see as running.  I only see it now as a blocked application in PrivateFirewall. 


All of these have happened before and after the CleanUp.


www.malwarebytes.org

Database version: v2013.07.09.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
jackson :: JACKSON-PC [administrator]

7/9/2013 21:49:50 PM
mbar-log-2013-07-09 (21-49-50).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 318146
Time elapsed: 38 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Thank you



#7 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,686 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:37 AM

Posted 10 July 2013 - 02:00 AM

We're not finished yet and will fix your other issues.

Combofix


Combofix should only be run when advised by a team member!


Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.


Proud Member of UNITE & TB
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#8 bjackson76

bjackson76
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 10 July 2013 - 12:03 PM

The firewall kept interrupting during the start and caused it to hang up. I disabled it during the scan and it ran through fine the next time.

Here you go:


ComboFix 13-07-09.01 - jackson 07/10/2013   8:03.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2942.1642 [GMT -4:00]
Running from: c:\users\jackson\Desktop\ComboFix.exe
FW: Privatefirewall *Disabled* {F9380B5D-D31C-8B74-72FB-D86DF39490C2}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\jackson\AppData\Roaming\Microsoft\Upsmw\upsmw.exe
c:\windows\COUPon~1.ocx
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\system
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-10 to 2013-07-10  )))))))))))))))))))))))))))))))
.
.
2013-07-10 12:28 . 2013-07-10 13:13    --------    d-----w-    c:\users\jackson\AppData\Local\temp
2013-07-10 12:28 . 2013-07-10 12:28    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-07-10 12:28 . 2013-07-10 12:28    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2013-07-10 12:28 . 2013-07-10 12:28    --------    d-----w-    c:\users\Ben\AppData\Local\temp
2013-07-10 05:51 . 2013-06-04 01:50    2049024    ----a-w-    c:\windows\system32\win32k.sys
2013-07-10 05:51 . 2013-04-17 10:10    1069056    ----a-w-    c:\windows\system32\DWrite.dll
2013-07-10 05:51 . 2013-04-17 10:10    798208    ----a-w-    c:\windows\system32\FntCache.dll
2013-07-10 05:51 . 2013-04-17 11:28    219648    ----a-w-    c:\windows\system32\d3d10_1core.dll
2013-07-10 05:51 . 2013-04-17 11:28    189952    ----a-w-    c:\windows\system32\d3d10core.dll
2013-07-10 05:51 . 2013-04-17 11:28    160768    ----a-w-    c:\windows\system32\d3d10_1.dll
2013-07-10 05:51 . 2013-04-17 11:28    1029120    ----a-w-    c:\windows\system32\d3d10.dll
2013-07-10 05:51 . 2013-04-17 10:34    1172480    ----a-w-    c:\windows\system32\d3d10warp.dll
2013-07-10 05:51 . 2013-04-17 10:33    486400    ----a-w-    c:\windows\system32\d3d10level9.dll
2013-07-10 05:51 . 2013-04-17 10:14    683008    ----a-w-    c:\windows\system32\d2d1.dll
2013-07-10 05:50 . 2013-06-01 04:06    505344    ----a-w-    c:\windows\system32\qedit.dll
2013-07-10 05:50 . 2013-04-09 03:51    936960    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-10 05:50 . 2013-05-08 03:14    1548288    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-07-10 01:59 . 2013-06-17 06:10    7068072    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{D0E661F6-1170-453F-9862-B4BACABBFAB6}\mpengine.dll
2013-07-10 01:49 . 2013-07-10 01:49    146648    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-07-10 01:49 . 2013-07-10 01:49    31560    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-07-04 14:14 . 2013-07-10 11:47    270336    ----a-w-    c:\users\jackson\AppData\Roaming\Microsoft\Upsmw\u\upsmw.exe
2013-07-04 12:27 . 2013-07-04 12:27    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-07-04 11:49 . 2013-07-04 11:49    --------    d-----w-    c:\users\jackson\AppData\Local\Privatefirewall
2013-07-04 11:41 . 2012-12-25 23:08    128672    ----a-w-    c:\windows\system32\drivers\pwipf6.sys
2013-07-04 11:40 . 2013-07-04 11:40    --------    d-----w-    c:\programdata\Privacyware
2013-07-04 11:40 . 2013-07-04 11:40    --------    d-----w-    c:\program files\Privacyware
2013-07-04 11:38 . 2013-07-04 11:38    --------    d-----w-    c:\program files\Updater By SweetPacks
2013-07-04 11:38 . 2013-07-04 11:38    --------    d-----w-    c:\program files\SweetIM
2013-07-04 11:37 . 2013-07-04 11:37    --------    d-----w-    c:\windows\system32\jmdp
2013-07-04 11:37 . 2013-07-04 11:37    --------    d-----w-    c:\windows\system32\ARFC
2013-07-04 11:37 . 2013-02-05 07:25    632656    ----a-w-    c:\windows\system32\msvcr80.dll
2013-07-04 11:37 . 2013-02-05 07:25    554832    ----a-w-    c:\windows\system32\msvcp80.dll
2013-07-04 11:37 . 2013-02-05 07:25    479232    ----a-w-    c:\windows\system32\msvcm80.dll
2013-07-04 11:37 . 2013-07-04 11:37    --------    d-----w-    c:\windows\system32\WNLT
2013-07-04 11:37 . 2013-05-27 08:58    1167152    ----a-w-    c:\windows\system32\dmwu.exe
2013-07-04 11:37 . 2013-05-27 08:55    27136    ----a-w-    c:\windows\system32\ImHttpComm.dll
2013-06-14 00:06 . 2013-05-08 04:37    905576    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-06-14 00:06 . 2013-05-02 04:04    443904    ----a-w-    c:\windows\system32\win32spl.dll
2013-06-14 00:06 . 2013-05-02 04:03    37376    ----a-w-    c:\windows\system32\printcom.dll
2013-06-14 00:06 . 2013-04-24 04:00    985600    ----a-w-    c:\windows\system32\crypt32.dll
2013-06-14 00:06 . 2013-04-24 04:00    98304    ----a-w-    c:\windows\system32\cryptnet.dll
2013-06-14 00:06 . 2013-04-24 04:00    133120    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-06-14 00:06 . 2013-04-24 04:00    41984    ----a-w-    c:\windows\system32\certenc.dll
2013-06-14 00:06 . 2013-04-24 01:46    812544    ----a-w-    c:\windows\system32\certutil.exe
2013-06-14 00:06 . 2013-05-02 22:03    3603832    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-14 00:06 . 2013-05-02 22:03    3551096    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-06-14 00:05 . 2013-04-17 12:30    24576    ----a-w-    c:\windows\system32\cryptdlg.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-04 12:27 . 2012-06-22 13:59    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-07-04 12:27 . 2010-10-13 10:22    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-13 23:56 . 2012-04-03 13:30    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-13 23:56 . 2011-06-16 21:13    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-02 06:06 . 2009-10-02 16:48    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-15 14:20 . 2013-05-15 12:58    638328    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-04-13 10:56 . 2013-05-15 12:58    37376    ----a-w-    c:\windows\system32\cdd.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-05-09 09:49    176936    ----a-w-    c:\program files\Vuze_Remote\prxtbVuz0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\jackson\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\jackson\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\jackson\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-13 171448]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Driver Detective"="c:\program files\PC Drivers HeadQuarters\Driver Detective\DriversHQ.DriverDetective.Client.exe" [2012-09-22 3522528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2005-08-18 749568]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2012-09-28 298376]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"IndexSearch"="c:\program files\Nuance\PaperPort\IndexSearch.exe" [2010-03-09 46368]
"PaperPort PTD"="c:\program files\Nuance\PaperPort\pptd40nt.exe" [2010-03-09 29984]
"PPort12reminder"="c:\program files\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]
"PDFHook"="c:\program files\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]
"ControlCenter4"="c:\program files\ControlCenter4\BrCcBoot.exe" [2011-04-20 139264]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-06-16 499608]
"Privatefirewall"="c:\program files\Privacyware\Privatefirewall 7.0\PFGUI.exe" [2013-01-15 3011400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]
.
c:\users\jackson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\jackson\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2008-6-22 73728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-14 11:55    61440    ----a-w-    c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT HPW]
2007-01-16 21:12    280576    ----a-w-    c:\program files\Portrait Displays\HP My Display\dthtml.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11    49152    ----a-w-    c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-03-13 00:44    1773568    ----a-w-    c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SnapfishMediaDetector]
2007-03-02 21:55    1441792    ----a-w-    c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 AdobeActiveFileMonitor11.0;Adobe Active File Monitor V11;c:\program files\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [2012-09-17 171600]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 23:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={20A13E20-E49E-11E2-B07B-001BB952C55C}
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={20A13E20-E49E-11E2-B07B-001BB952C55C}
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: ingenix.com\owagdv
TCP: DhcpNameServer = 10.0.0.1
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {20722C4E-9050-45C8-8D1A-816C4A06AD90} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_6/PhotoCenter_ActiveX_Control.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan.cab
DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://stories.scrapbooksetc.com/create/DragDropUploader.cab
FF - ProfilePath - c:\users\jackson\AppData\Roaming\Mozilla\Firefox\Profiles\9knxff2z.default-1369178178166\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.bing.com
FF - prefs.js: keyword.URL - hxxp://start.sweetpacks.com/?src=2&st=12&crg=3.5000006.10045&barid={20A13E20-E49E-11E2-B07B-001BB952C55C}&q=
FF - ExtSQL: 2013-07-04 07:38; {7D4F1959-3F72-49d5-8E59-F02F8AA6815D}; c:\program files\Updater By SweetPacks\Firefox
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
HKCU-Run-ISUSPM - c:\users\jackson\AppData\Roaming\Microsoft\Upsmw\upsmw.exe
HKCU-Run-epyc - c:\users\jackson\AppData\Roaming\Microsoft\Upsmw\upsmw.exe
HKLM-Run-RtHDVCpl - RtHDVCpl.exe
c:\users\jackson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Direct Downloader.lnk - c:\users\jackson\AppData\Local\DirectDownloader\DirectDownloader.exe startup
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-kldbmkoh - c:\users\jackson\AppData\Local\hrybxqntc\rcyyvfttssd.exe
MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-10 09:13
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4254822833-444479354-2476460612-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3d,b9,ef,09,5a,d6,50,43,79,01,b8,f8,b3,5d,fd,55,83,25,c4,70,14,a2,1d,
   ae,82,e1,31,f3,77,c8,86,74,54,8c,71,a8,45,9c,c2,ff,60,88,5c,10,72,25,a2,c0,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-07-10  09:17:52
ComboFix-quarantined-files.txt  2013-07-10 13:17
.
Pre-Run: 24,395,038,720 bytes free
Post-Run: 29,844,910,080 bytes free
.
- - End Of File - - 9F5997293EE8D15D050686ED408D3768
8913823FF508CCF109DB74B636C301DA



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,686 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:37 AM

Posted 10 July 2013 - 11:44 PM

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Attached Files


Proud Member of UNITE & TB
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#10 bjackson76

bjackson76
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 11 July 2013 - 01:14 PM

I think I did this right.  The file was named ComboFix2.

ComboFix 13-07-09.01 - jackson 07/10/2013   8:03.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2942.1642 [GMT -4:00]
Running from: c:\users\jackson\Desktop\ComboFix.exe
FW: Privatefirewall *Disabled* {F9380B5D-D31C-8B74-72FB-D86DF39490C2}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\jackson\AppData\Roaming\Microsoft\Upsmw\upsmw.exe
c:\windows\COUPon~1.ocx
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\system
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-10 to 2013-07-10  )))))))))))))))))))))))))))))))
.
.
2013-07-10 12:28 . 2013-07-10 13:13    --------    d-----w-    c:\users\jackson\AppData\Local\temp
2013-07-10 12:28 . 2013-07-10 12:28    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-07-10 12:28 . 2013-07-10 12:28    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2013-07-10 12:28 . 2013-07-10 12:28    --------    d-----w-    c:\users\Ben\AppData\Local\temp
2013-07-10 05:51 . 2013-06-04 01:50    2049024    ----a-w-    c:\windows\system32\win32k.sys
2013-07-10 05:51 . 2013-04-17 10:10    1069056    ----a-w-    c:\windows\system32\DWrite.dll
2013-07-10 05:51 . 2013-04-17 10:10    798208    ----a-w-    c:\windows\system32\FntCache.dll
2013-07-10 05:51 . 2013-04-17 11:28    219648    ----a-w-    c:\windows\system32\d3d10_1core.dll
2013-07-10 05:51 . 2013-04-17 11:28    189952    ----a-w-    c:\windows\system32\d3d10core.dll
2013-07-10 05:51 . 2013-04-17 11:28    160768    ----a-w-    c:\windows\system32\d3d10_1.dll
2013-07-10 05:51 . 2013-04-17 11:28    1029120    ----a-w-    c:\windows\system32\d3d10.dll
2013-07-10 05:51 . 2013-04-17 10:34    1172480    ----a-w-    c:\windows\system32\d3d10warp.dll
2013-07-10 05:51 . 2013-04-17 10:33    486400    ----a-w-    c:\windows\system32\d3d10level9.dll
2013-07-10 05:51 . 2013-04-17 10:14    683008    ----a-w-    c:\windows\system32\d2d1.dll
2013-07-10 05:50 . 2013-06-01 04:06    505344    ----a-w-    c:\windows\system32\qedit.dll
2013-07-10 05:50 . 2013-04-09 03:51    936960    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-10 05:50 . 2013-05-08 03:14    1548288    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-07-10 01:59 . 2013-06-17 06:10    7068072    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{D0E661F6-1170-453F-9862-B4BACABBFAB6}\mpengine.dll
2013-07-10 01:49 . 2013-07-10 01:49    146648    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-07-10 01:49 . 2013-07-10 01:49    31560    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-07-04 14:14 . 2013-07-10 11:47    270336    ----a-w-    c:\users\jackson\AppData\Roaming\Microsoft\Upsmw\u\upsmw.exe
2013-07-04 12:27 . 2013-07-04 12:27    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-07-04 11:49 . 2013-07-04 11:49    --------    d-----w-    c:\users\jackson\AppData\Local\Privatefirewall
2013-07-04 11:41 . 2012-12-25 23:08    128672    ----a-w-    c:\windows\system32\drivers\pwipf6.sys
2013-07-04 11:40 . 2013-07-04 11:40    --------    d-----w-    c:\programdata\Privacyware
2013-07-04 11:40 . 2013-07-04 11:40    --------    d-----w-    c:\program files\Privacyware
2013-07-04 11:38 . 2013-07-04 11:38    --------    d-----w-    c:\program files\Updater By SweetPacks
2013-07-04 11:38 . 2013-07-04 11:38    --------    d-----w-    c:\program files\SweetIM
2013-07-04 11:37 . 2013-07-04 11:37    --------    d-----w-    c:\windows\system32\jmdp
2013-07-04 11:37 . 2013-07-04 11:37    --------    d-----w-    c:\windows\system32\ARFC
2013-07-04 11:37 . 2013-02-05 07:25    632656    ----a-w-    c:\windows\system32\msvcr80.dll
2013-07-04 11:37 . 2013-02-05 07:25    554832    ----a-w-    c:\windows\system32\msvcp80.dll
2013-07-04 11:37 . 2013-02-05 07:25    479232    ----a-w-    c:\windows\system32\msvcm80.dll
2013-07-04 11:37 . 2013-07-04 11:37    --------    d-----w-    c:\windows\system32\WNLT
2013-07-04 11:37 . 2013-05-27 08:58    1167152    ----a-w-    c:\windows\system32\dmwu.exe
2013-07-04 11:37 . 2013-05-27 08:55    27136    ----a-w-    c:\windows\system32\ImHttpComm.dll
2013-06-14 00:06 . 2013-05-08 04:37    905576    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-06-14 00:06 . 2013-05-02 04:04    443904    ----a-w-    c:\windows\system32\win32spl.dll
2013-06-14 00:06 . 2013-05-02 04:03    37376    ----a-w-    c:\windows\system32\printcom.dll
2013-06-14 00:06 . 2013-04-24 04:00    985600    ----a-w-    c:\windows\system32\crypt32.dll
2013-06-14 00:06 . 2013-04-24 04:00    98304    ----a-w-    c:\windows\system32\cryptnet.dll
2013-06-14 00:06 . 2013-04-24 04:00    133120    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-06-14 00:06 . 2013-04-24 04:00    41984    ----a-w-    c:\windows\system32\certenc.dll
2013-06-14 00:06 . 2013-04-24 01:46    812544    ----a-w-    c:\windows\system32\certutil.exe
2013-06-14 00:06 . 2013-05-02 22:03    3603832    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-14 00:06 . 2013-05-02 22:03    3551096    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-06-14 00:05 . 2013-04-17 12:30    24576    ----a-w-    c:\windows\system32\cryptdlg.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-04 12:27 . 2012-06-22 13:59    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-07-04 12:27 . 2010-10-13 10:22    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-13 23:56 . 2012-04-03 13:30    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-13 23:56 . 2011-06-16 21:13    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-02 06:06 . 2009-10-02 16:48    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-15 14:20 . 2013-05-15 12:58    638328    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-04-13 10:56 . 2013-05-15 12:58    37376    ----a-w-    c:\windows\system32\cdd.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-05-09 09:49    176936    ----a-w-    c:\program files\Vuze_Remote\prxtbVuz0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\jackson\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\jackson\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\jackson\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-13 171448]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Driver Detective"="c:\program files\PC Drivers HeadQuarters\Driver Detective\DriversHQ.DriverDetective.Client.exe" [2012-09-22 3522528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2005-08-18 749568]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2012-09-28 298376]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"IndexSearch"="c:\program files\Nuance\PaperPort\IndexSearch.exe" [2010-03-09 46368]
"PaperPort PTD"="c:\program files\Nuance\PaperPort\pptd40nt.exe" [2010-03-09 29984]
"PPort12reminder"="c:\program files\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]
"PDFHook"="c:\program files\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]
"ControlCenter4"="c:\program files\ControlCenter4\BrCcBoot.exe" [2011-04-20 139264]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-06-16 499608]
"Privatefirewall"="c:\program files\Privacyware\Privatefirewall 7.0\PFGUI.exe" [2013-01-15 3011400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]
.
c:\users\jackson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\jackson\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2008-6-22 73728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-14 11:55    61440    ----a-w-    c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT HPW]
2007-01-16 21:12    280576    ----a-w-    c:\program files\Portrait Displays\HP My Display\dthtml.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11    49152    ----a-w-    c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-03-13 00:44    1773568    ----a-w-    c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SnapfishMediaDetector]
2007-03-02 21:55    1441792    ----a-w-    c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 AdobeActiveFileMonitor11.0;Adobe Active File Monitor V11;c:\program files\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [2012-09-17 171600]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 23:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={20A13E20-E49E-11E2-B07B-001BB952C55C}
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={20A13E20-E49E-11E2-B07B-001BB952C55C}
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: ingenix.com\owagdv
TCP: DhcpNameServer = 10.0.0.1
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {20722C4E-9050-45C8-8D1A-816C4A06AD90} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_6/PhotoCenter_ActiveX_Control.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan.cab
DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://stories.scrapbooksetc.com/create/DragDropUploader.cab
FF - ProfilePath - c:\users\jackson\AppData\Roaming\Mozilla\Firefox\Profiles\9knxff2z.default-1369178178166\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.bing.com
FF - prefs.js: keyword.URL - hxxp://start.sweetpacks.com/?src=2&st=12&crg=3.5000006.10045&barid={20A13E20-E49E-11E2-B07B-001BB952C55C}&q=
FF - ExtSQL: 2013-07-04 07:38; {7D4F1959-3F72-49d5-8E59-F02F8AA6815D}; c:\program files\Updater By SweetPacks\Firefox
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
HKCU-Run-ISUSPM - c:\users\jackson\AppData\Roaming\Microsoft\Upsmw\upsmw.exe
HKCU-Run-epyc - c:\users\jackson\AppData\Roaming\Microsoft\Upsmw\upsmw.exe
HKLM-Run-RtHDVCpl - RtHDVCpl.exe
c:\users\jackson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Direct Downloader.lnk - c:\users\jackson\AppData\Local\DirectDownloader\DirectDownloader.exe startup
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-kldbmkoh - c:\users\jackson\AppData\Local\hrybxqntc\rcyyvfttssd.exe
MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-10 09:13
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4254822833-444479354-2476460612-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3d,b9,ef,09,5a,d6,50,43,79,01,b8,f8,b3,5d,fd,55,83,25,c4,70,14,a2,1d,
   ae,82,e1,31,f3,77,c8,86,74,54,8c,71,a8,45,9c,c2,ff,60,88,5c,10,72,25,a2,c0,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-07-10  09:17:52
ComboFix-quarantined-files.txt  2013-07-10 13:17
.
Pre-Run: 24,395,038,720 bytes free
Post-Run: 29,844,910,080 bytes free
.
- - End Of File - - 9F5997293EE8D15D050686ED408D3768
8913823FF508CCF109DB74B636C301DA



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,686 posts
  • Gender:Male
  • Local time:02:37 AM

Posted 12 July 2013 - 03:00 AM

That's the wrong log - please post up C:\combofix.txt


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#12 bjackson76

bjackson76
  • Topic Starter

  • Members
  • 14 posts
  • Local time:09:37 PM

Posted 12 July 2013 - 04:36 PM

Sorry. I left PrivateFirewall running when I ran the script, and I guess they didn't play nice together. I've tried again with the firewall disabled.

 

ComboFix 13-07-09.01 - jackson 07/12/2013  17:03:20.3.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2942.1664 [GMT -4:00]
Running from: c:\users\jackson\Desktop\ComboFix.exe
Command switches used :: c:\users\jackson\Desktop\CFScript.txt
FW: Privatefirewall *Disabled* {F9380B5D-D31C-8B74-72FB-D86DF39490C2}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\dmwu.exe"
"c:\windows\system32\ImHttpComm.dll"
"c:\windows\system32\msvcm80.dll"
"c:\windows\system32\msvcp80.dll"
"c:\windows\system32\msvcr80.dll"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\Ask.com
c:\program files\Ask.com\assets\oobe\b.png
c:\program files\Ask.com\assets\oobe\bl.png
c:\program files\Ask.com\assets\oobe\br.png
c:\program files\Ask.com\assets\oobe\l.png
c:\program files\Ask.com\assets\oobe\pointer.png
c:\program files\Ask.com\assets\oobe\r.png
c:\program files\Ask.com\assets\oobe\t.png
c:\program files\Ask.com\assets\oobe\tl.png
c:\program files\Ask.com\assets\oobe\tr.png
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\precache.exe
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\Updater\config.xml
c:\program files\Ask.com\Updater\Updater.exe
c:\program files\Ask.com\UpdateTask.exe
c:\program files\SweetIM
c:\program files\SweetIM\Toolbars\Internet Explorer\ClearHist.exe
c:\program files\SweetIM\Toolbars\Internet Explorer\conf\logger.xml
c:\program files\SweetIM\Toolbars\Internet Explorer\default.xml
c:\program files\SweetIM\Toolbars\Internet Explorer\mgcommon.dll
c:\program files\SweetIM\Toolbars\Internet Explorer\mgconfig.dll
c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelperApp.exe
c:\program files\SweetIM\Toolbars\Internet Explorer\mghooking.dll
c:\program files\SweetIM\Toolbars\Internet Explorer\mglogger.dll
c:\program files\SweetIM\Toolbars\Internet Explorer\mgsimcommon.dll
c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarProxy.dll
c:\program files\SweetIM\Toolbars\Internet Explorer\mgxml_wrapper.dll
c:\program files\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest
c:\program files\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\msvcm90.dll
c:\program files\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\msvcp90.dll
c:\program files\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\msvcr90.dll
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\about.html
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\affid.dat
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\basis.xml
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\bing.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\blue\search_button.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\blue\search_button_bing.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\blue\search_button_blank.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\blue\search_button_current.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\blue\search_button_dictionary.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\blue\search_button_google.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\blue\search_button_hover.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\blue\search_button_left.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\blue\search_button_photo.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\blue\search_button_video.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\blue\search_button_web.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\blue\search_button_yahoo.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\clear-history.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\content-notifier-anim-over.gif
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\content-notifier-anim.gif
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\content-notifier.js
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\dating.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\dictionary.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\e_cards.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\eye_icon.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\eye_icon_over.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\find.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\free_stuff.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\games.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\glitter.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\google.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\green\search_button.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\green\search_button_bing.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\green\search_button_current.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\green\search_button_dictionary.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\green\search_button_google.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\green\search_button_hover.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\green\search_button_left.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\green\search_button_photo.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\green\search_button_video.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\green\search_button_web.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\green\search_button_yahoo.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\help.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\highlight.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\locales.xml
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\logo_16x16.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\logo_21x18.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\logo_32x32.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\logo_about.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\more-search-providers.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\music.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\news.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\onstart.js
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\options.html
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\orange\search_button.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\orange\search_button_bing.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\orange\search_button_current.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\orange\search_button_dictionary.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\orange\search_button_google.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\orange\search_button_hover.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\orange\search_button_left.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\orange\search_button_photo.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\orange\search_button_video.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\orange\search_button_web.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\orange\search_button_yahoo.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\photos.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\search-current-site.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\shopping.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\SmileySmile.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\SmileyWink.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\sweetim_text.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\toolbar.xml
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\video.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\web-search.png
c:\program files\SweetIM\Toolbars\Internet Explorer\resources\yahoo.png
c:\program files\Updater By SweetPacks
c:\program files\Updater By SweetPacks\Extension32.dll
c:\program files\Updater By SweetPacks\ExtensionUpdaterService.exe
c:\program files\Updater By SweetPacks\Firefox\chrome.manifest
c:\program files\Updater By SweetPacks\Firefox\chrome\content\libraries\DataExchangeScript.js
c:\program files\Updater By SweetPacks\Firefox\chrome\content\main.js
c:\program files\Updater By SweetPacks\Firefox\chrome\content\main.xul
c:\program files\Updater By SweetPacks\Firefox\chrome\content\resources\localscript.js
c:\program files\Updater By SweetPacks\Firefox\chrome\locale\en-US\overlay.dtd
c:\program files\Updater By SweetPacks\Firefox\chrome\skin\overlay.css
c:\program files\Updater By SweetPacks\Firefox\defaults\preferences\defaults.js
c:\program files\Updater By SweetPacks\Firefox\install.rdf
c:\program files\Updater By SweetPacks\InstallerHelper.dll
c:\program files\Updater By SweetPacks\libraries\DataExchangeScript.js
c:\program files\Updater By SweetPacks\resources\localscript.js
c:\program files\Updater By SweetPacks\unins000.dat
c:\program files\Updater By SweetPacks\unins000.exe
c:\program files\Vuze_Remote
c:\program files\Vuze_Remote\GottenAppsContextMenu.xml
c:\program files\Vuze_Remote\INSTALL.LOG
c:\program files\Vuze_Remote\ldrtbVuz0.dll
c:\program files\Vuze_Remote\OtherAppsContextMenu.xml
c:\program files\Vuze_Remote\prxtbVuz0.dll
c:\program files\Vuze_Remote\SharedAppsContextMenu.xml
c:\program files\Vuze_Remote\tbVuz0.dll
c:\program files\Vuze_Remote\tbVuz1.dll
c:\program files\Vuze_Remote\tbVuze.dll
c:\program files\Vuze_Remote\toolbar.cfg
c:\program files\Vuze_Remote\ToolbarContextMenu.xml
c:\program files\Vuze_Remote\uninstall.exe
c:\program files\Vuze_Remote\UNWISE.EXE
c:\program files\Vuze_Remote\Vuze_RemoteToolbarHelper.exe
c:\program files\Vuze_Remote\Vuze_RemoteToolbarHelper1.exe
c:\windows\system32\ARFC
c:\windows\system32\ARFC\wrtc.exe
c:\windows\system32\dmwu.exe
c:\windows\system32\ImHttpComm.dll
c:\windows\system32\jmdp
c:\windows\system32\jmdp\lmrn.dll
c:\windows\system32\jmdp\sqlite3.dll
c:\windows\system32\jmdp\stij.exe
c:\windows\system32\jmdp\SweetNT.crx
c:\windows\system32\msvcm80.dll
c:\windows\system32\msvcp80.dll
c:\windows\system32\msvcr80.dll
c:\windows\system32\WNLT
c:\windows\system32\WNLT\Installation\SKSetup.exe
c:\windows\system32\WNLT\Installation\uninstaller.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_IBUpdaterService
-------\Service_Updater By SweetPacks
-------\Service_Updater By SweetPacks
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-12 to 2013-07-12  )))))))))))))))))))))))))))))))
.
.
2013-07-12 21:15 . 2013-07-12 21:23    --------    d-----w-    c:\users\jackson\AppData\Local\temp
2013-07-12 21:15 . 2013-07-12 21:15    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2013-07-12 21:15 . 2013-07-12 21:15    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-07-12 21:15 . 2013-07-12 21:15    --------    d-----w-    c:\users\Ben\AppData\Local\temp
2013-07-12 20:57 . 2013-06-17 06:10    7068072    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{AFA36861-0BAE-459C-9469-67070FED2715}\mpengine.dll
2013-07-10 05:51 . 2013-06-04 01:50    2049024    ----a-w-    c:\windows\system32\win32k.sys
2013-07-10 05:51 . 2013-04-17 10:10    1069056    ----a-w-    c:\windows\system32\DWrite.dll
2013-07-10 05:51 . 2013-04-17 10:10    798208    ----a-w-    c:\windows\system32\FntCache.dll
2013-07-10 05:51 . 2013-04-17 11:28    219648    ----a-w-    c:\windows\system32\d3d10_1core.dll
2013-07-10 05:51 . 2013-04-17 11:28    189952    ----a-w-    c:\windows\system32\d3d10core.dll
2013-07-10 05:51 . 2013-04-17 11:28    160768    ----a-w-    c:\windows\system32\d3d10_1.dll
2013-07-10 05:51 . 2013-04-17 11:28    1029120    ----a-w-    c:\windows\system32\d3d10.dll
2013-07-10 05:51 . 2013-04-17 10:34    1172480    ----a-w-    c:\windows\system32\d3d10warp.dll
2013-07-10 05:51 . 2013-04-17 10:33    486400    ----a-w-    c:\windows\system32\d3d10level9.dll
2013-07-10 05:51 . 2013-04-17 10:14    683008    ----a-w-    c:\windows\system32\d2d1.dll
2013-07-10 05:50 . 2013-06-01 04:06    505344    ----a-w-    c:\windows\system32\qedit.dll
2013-07-10 05:50 . 2013-04-09 03:51    936960    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-10 05:50 . 2013-05-08 03:14    1548288    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-07-10 01:49 . 2013-07-10 01:49    31560    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-07-04 14:14 . 2013-07-10 11:47    270336    ----a-w-    c:\users\jackson\AppData\Roaming\Microsoft\Upsmw\u\upsmw.exe
2013-07-04 12:27 . 2013-07-04 12:27    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-07-04 11:49 . 2013-07-04 11:49    --------    d-----w-    c:\users\jackson\AppData\Local\Privatefirewall
2013-07-04 11:41 . 2012-12-25 23:08    128672    ----a-w-    c:\windows\system32\drivers\pwipf6.sys
2013-07-04 11:40 . 2013-07-04 11:40    --------    d-----w-    c:\programdata\Privacyware
2013-07-04 11:40 . 2013-07-04 11:40    --------    d-----w-    c:\program files\Privacyware
2013-06-14 00:06 . 2013-05-08 04:37    905576    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-06-14 00:06 . 2013-05-02 04:04    443904    ----a-w-    c:\windows\system32\win32spl.dll
2013-06-14 00:06 . 2013-05-02 04:03    37376    ----a-w-    c:\windows\system32\printcom.dll
2013-06-14 00:06 . 2013-04-24 04:00    985600    ----a-w-    c:\windows\system32\crypt32.dll
2013-06-14 00:06 . 2013-04-24 04:00    98304    ----a-w-    c:\windows\system32\cryptnet.dll
2013-06-14 00:06 . 2013-04-24 04:00    133120    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-06-14 00:06 . 2013-04-24 04:00    41984    ----a-w-    c:\windows\system32\certenc.dll
2013-06-14 00:06 . 2013-04-24 01:46    812544    ----a-w-    c:\windows\system32\certutil.exe
2013-06-14 00:06 . 2013-05-02 22:03    3603832    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-14 00:06 . 2013-05-02 22:03    3551096    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-06-14 00:05 . 2013-04-17 12:30    24576    ----a-w-    c:\windows\system32\cryptdlg.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-04 12:27 . 2012-06-22 13:59    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-07-04 12:27 . 2010-10-13 10:22    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-13 23:56 . 2012-04-03 13:30    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-13 23:56 . 2011-06-16 21:13    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-02 06:06 . 2009-10-02 16:48    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-15 14:20 . 2013-05-15 12:58    638328    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\jackson\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\jackson\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\jackson\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-13 171448]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Driver Detective"="c:\program files\PC Drivers HeadQuarters\Driver Detective\DriversHQ.DriverDetective.Client.exe" [2012-09-22 3522528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2005-08-18 749568]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2012-09-28 298376]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [N/A]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"IndexSearch"="c:\program files\Nuance\PaperPort\IndexSearch.exe" [2010-03-09 46368]
"PaperPort PTD"="c:\program files\Nuance\PaperPort\pptd40nt.exe" [2010-03-09 29984]
"PPort12reminder"="c:\program files\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]
"PDFHook"="c:\program files\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]
"ControlCenter4"="c:\program files\ControlCenter4\BrCcBoot.exe" [2011-04-20 139264]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-06-16 499608]
"Privatefirewall"="c:\program files\Privacyware\Privatefirewall 7.0\PFGUI.exe" [2013-01-15 3011400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]
.
c:\users\jackson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\jackson\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2008-6-22 73728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-14 11:55    61440    ----a-w-    c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT HPW]
2007-01-16 21:12    280576    ----a-w-    c:\program files\Portrait Displays\HP My Display\dthtml.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11    49152    ----a-w-    c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-03-13 00:44    1773568    ----a-w-    c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SnapfishMediaDetector]
2007-03-02 21:55    1441792    ----a-w-    c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 AdobeActiveFileMonitor11.0;Adobe Active File Monitor V11;c:\program files\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [2012-09-17 171600]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 23:56]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: ingenix.com\owagdv
TCP: DhcpNameServer = 10.0.0.1
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {20722C4E-9050-45C8-8D1A-816C4A06AD90} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_6/PhotoCenter_ActiveX_Control.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan.cab
DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://stories.scrapbooksetc.com/create/DragDropUploader.cab
FF - ProfilePath - c:\users\jackson\AppData\Roaming\Mozilla\Firefox\Profiles\9knxff2z.default-1369178178166\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.bing.com
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Vuze_Remote Toolbar - c:\program files\Vuze_Remote\uninstall.exe
AddRemove-WNLT - c:\windows\system32\WNLT\Installation\uninstaller.exe
AddRemove-{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}_is1 - c:\program files\Updater By SweetPacks\unins000.exe
AddRemove-{79A765E1-C399-405B-85AF-466F52E918B0} - c:\program files\Ask.com\Updater\Updater.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-12 17:27
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4254822833-444479354-2476460612-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3d,b9,ef,09,5a,d6,50,43,79,01,b8,f8,b3,5d,fd,55,83,25,c4,70,14,a2,1d,
   ae,82,e1,31,f3,77,c8,86,74,54,8c,71,a8,45,9c,c2,ff,60,88,5c,10,72,25,a2,c0,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3604)
c:\users\jackson\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Privacyware\Privatefirewall 7.0\pfsvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe
c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Nuance\PaperPort\PDFProFiltSrvPP.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\System32\WUDFHost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\users\jackson\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\program files\ControlCenter4\BrCtrlCntr.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\Browny02\BrYNSvc.exe
c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
c:\windows\system32\WerFault.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ControlCenter4\BrCcUxSys.exe
.
**************************************************************************
.
Completion time: 2013-07-12  17:32:07 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-12 21:31
ComboFix2.txt  2013-07-10 13:17
.
Pre-Run: 30,360,289,280 bytes free
Post-Run: 29,740,584,960 bytes free
.
- - End Of File - - 070451FBA5ACE5A8D46F498FDC44127E
8913823FF508CCF109DB74B636C301DA
 



#13 TB-Psychotic

  • Malware Response Team
  • 5,686 posts
  • Gender:Male

Posted 14 July 2013 - 08:20 AM

Looks good!

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#14 bjackson76
  • Topic Starter
  • Members
  • 14 posts

Posted 15 July 2013 - 10:47 AM

Thank you as always!

C:\Qoobox\Quarantine\C\Program Files\Updater By SweetPacks\Extension32.dll.vir    a variant of Win32/Toolbar.Perion.A application
C:\Qoobox\Quarantine\C\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe.vir    a variant of Win32/Toolbar.Perion.C application
C:\Qoobox\Quarantine\C\Program Files\Updater By SweetPacks\InstallerHelper.dll.vir    a variant of Win32/Toolbar.Perion.B application
C:\Qoobox\Quarantine\C\Users\jackson\AppData\Roaming\Microsoft\Upsmw\upsmw.exe.vir    a variant of Win32/Kryptik.BEXO trojan
C:\Qoobox\Quarantine\C\Windows\System32\dmwu.exe.vir    Win32/SweetIM.E application
C:\Qoobox\Quarantine\C\Windows\System32\ARFC\wrtc.exe.vir    Win32/SweetIM.E application
C:\Users\jackson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DNJG9BTL\needs-avoiding-discusses[1].htm    JS/Kryptik.ALH trojan
C:\Users\jackson\AppData\Roaming\Microsoft\Upsmw\u\upsmw.exe    a variant of Win32/Kryptik.BFKH trojan
C:\Users\jackson\Desktop\Downloads\cbsidlm-tr1_13-Privatefirewall-SEO-10371057.exe    Win32/DownloadAdmin.G application
C:\Users\jackson\Documents\WakeTech\DropBoxCopy11_19\Dropbox\Previous Classes\AmericanLit\FastDownload.exe    Win32/InstallMate.A application
C:\Users\jackson\Downloads\coretemp_1236.exe    a variant of Win32/InstallIQ.A application
C:\Users\jackson\Downloads\freeripmp3.exe    multiple threats
 



#15 TB-Psychotic

  • Malware Response Team
  • 5,686 posts
  • Gender:Male

Posted 16 July 2013 - 01:01 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt also.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, the log (checkup.txt) will open. Copy its content to your thread.

 
