search engine redirect


  • This topic is locked
14 replies to this topic

#1 robot_ee

  • Members
  • 7 posts

Posted 05 September 2012 - 08:41 PM

Hello,

I have malware that is redirecting my google and yahoo search results. It is not redirecting my bing searches.

A few days ago, I must have inadvertently clicked on one of the redirects, which caused more severe problems. I was able to resolve the more severe Trojan/Malware/Virus in Safe Mode a few days ago. However, my efforts to correct the search engine redirect issue have been fruitless.

My antivirus full scans have been clean for a few days.

I ran Microsoft's safety scanner and it found Trojan:win32/Alureon.fv and Trojan:JS/Loop. It partially removed both. Subsequent safety scanner runs only finds Trojan:JS/Loop.

Malwarebytes found one bad file...

C:\Users\Wolverine\Local Settings\TempDIR\BetterInstaller.exe (PUP.BundleInstaller.Somoto) -> Quarantined and deleted successfully.

Subsequent Malwarebytes scans don't find any issues.

I also ran the following multiple times... Combofix, HitmanPro, and Kaspersky TDSSKiller. TDSSKiller found nothing.


Please help me fix this issue so that I don't inadvertently click on the redirect and wreak more havoc.



DDS log...


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_35
Run by Wolverine at 21:14:47 on 2012-09-05
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4046.1670 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\Hpservice.exe
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\Program Files\Broadcom\Broadcom 802.11\WLTRYSVC.EXE
C:\Program Files\Broadcom\Broadcom 802.11\bcmwltry.exe
C:\windows\System32\spoolsv.exe
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe
c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe
c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxtcs.exe
C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe
C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\IfxPsdSv.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\SysWow64\ArcVCapRender\uArcCapture.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\windows\system32\Dwm.exe
C:\windows\system32\taskhost.exe
C:\windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.EXE
C:\Program Files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft Device Center\itype.exe
C:\Program Files\Microsoft Device Center\ipoint.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\teraterm\ttpmenu.exe
C:\windows\SysWOW64\RunDll32.exe
C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\coreshredder.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe
C:\Program Files (x86)\VTech\DownloadManager\System\AgentMonitor.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe
C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe
C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\SDKCOMServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\taskmgr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://xfinity.comcast.net/?cid=insDate08272012
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\IEBHO.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [File Sanitizer] C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [NUSB3MON] "c:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [HPConnectionManager] c:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
mRun: [HPQuickWebProxy] "c:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"
mRun: [IFXSPMGT] "c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe" /NotifyLogon
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QLBController] C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe /start
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [AgentMonitor] C:\Program Files (x86)\VTech\DownloadManager\System\AgentMonitor.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\WOLVER~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\Users\WOLVER~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TERATE~1.LNK - C:\Program Files (x86)\teraterm\ttpmenu.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{90B496A5-140F-4468-AD18-B85BDA53CD8D} : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{90B496A5-140F-4468-AD18-B85BDA53CD8D}\45275696E647169545275637 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{90B496A5-140F-4468-AD18-B85BDA53CD8D}\86F6D656 : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{E96F5685-C65F-4776-A433-E6FD5A090BE9} : DhcpNameServer = 68.87.66.249 68.87.64.245
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Notify: DeviceNP - DeviceNP.dll
LSA: Notification Packages = DPPassFilter scecli
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: File Sanitizer for HP ProtectTools: {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\IEBHO.dll
BHO-X64: BHO_Startup - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [File Sanitizer] C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [NUSB3MON] "c:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [HPConnectionManager] c:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
mRun-x64: [HPQuickWebProxy] "c:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"
mRun-x64: [IFXSPMGT] "c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe" /NotifyLogon
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [QLBController] C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe /start
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [AgentMonitor] C:\Program Files (x86)\VTech\DownloadManager\System\AgentMonitor.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Wolverine\AppData\Roaming\Mozilla\Firefox\Profiles\8qtdu9xv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
FF - plugin: C:\windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MfeEpePc;MfeEpePc;C:\windows\system32\drivers\MfeEpePc.sys --> C:\windows\system32\drivers\MfeEpePc.sys [?]
R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\system32\DRIVERS\MpFilter.sys --> C:\windows\system32\DRIVERS\MpFilter.sys [?]
R0 PxHlpa64;PxHlpa64;C:\windows\system32\Drivers\PxHlpa64.sys --> C:\windows\system32\Drivers\PxHlpa64.sys [?]
R1 PersonalSecureDrive;PersonalSecureDrive;C:\windows\system32\drivers\psd.sys --> C:\windows\system32\drivers\psd.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-9-12 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]
R2 HP Power Assistant Service;HP Power Assistant Service;C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-1-26 131128]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]
R2 HPDayStarterService;HP DayStarter Service;C:\Program Files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe [2011-1-28 133688]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-7-5 227384]
R2 HPFSService;File Sanitizer for HP ProtectTools;C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2011-2-7 320000]
R2 hpHotkeyMonitor;hpHotkeyMonitor;C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [2011-7-6 1698360]
R2 hpsrv;HP Service;C:\windows\system32\Hpservice.exe --> C:\windows\system32\Hpservice.exe [?]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-7-26 13336]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2012-2-6 13672]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2010-11-29 210896]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-5 655944]
R2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [2011-2-9 1318912]
R2 PdiService;Portrait Displays SDK Service;C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2011-3-6 113264]
R2 uArcCapture;ArcCapture;C:\Windows\SysWOW64\ArcVCapRender\uArcCapture.exe [2011-7-26 502464]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-7-26 2656280]
R3 amdkmdag;amdkmdag;C:\windows\system32\DRIVERS\atikmdag.sys --> C:\windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\windows\system32\DRIVERS\atikmpag.sys --> C:\windows\system32\DRIVERS\atikmpag.sys [?]
R3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;C:\windows\system32\DRIVERS\ArcSoftVCapture.sys --> C:\windows\system32\DRIVERS\ArcSoftVCapture.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\windows\system32\drivers\AtihdW76.sys --> C:\windows\system32\drivers\AtihdW76.sys [?]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\windows\system32\DRIVERS\e1c62x64.sys --> C:\windows\system32\DRIVERS\e1c62x64.sys [?]
R3 HP ProtectTools Service;HP ProtectTools Service;C:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2011-1-12 36864]
R3 hpCMSrv;HP Connection Manager 4 Service;C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-4-5 1094712]
R3 JMCR;JMCR;C:\windows\system32\DRIVERS\jmcr.sys --> C:\windows\system32\DRIVERS\jmcr.sys [?]
R3 johci;JMicron 1394 Filter Driver;C:\windows\system32\DRIVERS\johci.sys --> C:\windows\system32\DRIVERS\johci.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\windows\system32\drivers\mbam.sys --> C:\windows\system32\drivers\mbam.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\windows\system32\DRIVERS\nusb3hub.sys --> C:\windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\windows\system32\DRIVERS\nusb3xhc.sys --> C:\windows\system32\DRIVERS\nusb3xhc.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-7-6 116648]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-29 158856]
S2 vcsFPService;Validity VCS Fingerprint Service;C:\Windows\System32\vcsFPService.exe [2011-8-23 2774320]
S3 BrSerIb;Brother MFC Serial Interface Driver(WDM);C:\windows\system32\DRIVERS\BrSerIb.sys --> C:\windows\system32\DRIVERS\BrSerIb.sys [?]
S3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);C:\windows\system32\DRIVERS\BrUsbSIb.sys --> C:\windows\system32\DRIVERS\BrUsbSIb.sys [?]
S3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
S3 DAMDrv;DAMDrv;C:\windows\system32\DRIVERS\DAMDrv64.sys --> C:\windows\system32\DRIVERS\DAMDrv64.sys [?]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;C:\Windows\SysWOW64\flcdlock.exe [2011-2-3 464480]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-7-6 116648]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-3 113120]
S3 NisDrv;Microsoft Network Inspection System;C:\windows\system32\DRIVERS\NisDrvWFP.sys --> C:\windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2011-1-15 1116656]
S3 StorSvc;Storage Service;C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-09-05 20:34:43 -------- d-sh--w- C:\$RECYCLE.BIN
2012-09-05 20:34:04 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8CC96F0C-2DD9-4CAE-AE6F-501B7C944439}\offreg.dll
2012-09-05 20:29:23 9310152 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8CC96F0C-2DD9-4CAE-AE6F-501B7C944439}\mpengine.dll
2012-09-05 20:27:53 -------- d-----w- C:\Program Files\HitmanPro
2012-09-05 20:27:38 -------- d-----w- C:\ProgramData\HitmanPro
2012-09-05 14:22:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-09-05 14:22:44 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-05 13:42:24 9310152 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-05 13:19:35 -------- d-----w- C:\Users\Wolverine\AppData\Local\temp
2012-09-05 13:07:01 98816 ----a-w- C:\windows\sed.exe
2012-09-05 13:07:01 518144 ----a-w- C:\windows\SWREG.exe
2012-09-05 13:07:01 256000 ----a-w- C:\windows\PEV.exe
2012-09-05 13:07:01 208896 ----a-w- C:\windows\MBR.exe
2012-09-04 17:10:05 -------- d-----w- C:\Users\Wolverine\AppData\Roaming\Malwarebytes
2012-09-04 17:09:49 -------- d-----w- C:\ProgramData\Malwarebytes
2012-09-04 14:15:40 -------- d-----w- C:\Program Files (x86)\PC Tools
2012-09-04 14:13:01 251560 ----a-w- C:\windows\System32\drivers\PCTSD64.sys
2012-09-04 14:12:59 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2012-09-04 14:12:39 -------- d-----w- C:\ProgramData\PC Tools
2012-09-04 14:12:38 -------- d-----w- C:\Users\Wolverine\AppData\Roaming\TestApp
2012-09-04 12:27:43 -------- d-----w- C:\temp
2012-08-31 19:56:19 -------- d-----w- C:\Users\Wolverine\AppData\Local\ElevatedDiagnostics
2012-08-28 16:17:28 552960 ----a-w- C:\windows\System32\drivers\bthport.sys
2012-08-28 13:14:03 -------- d-----w- C:\Program Files\Microsoft Device Center
2012-08-27 13:40:34 -------- d-----w- C:\Users\Wolverine\AppData\Local\Xfinity.com
2012-08-12 14:23:39 -------- d-----w- C:\windows\SHELLNEW
2012-08-12 14:23:24 -------- d-----w- C:\Users\Wolverine\AppData\Local\Microsoft Help
.
==================== Find3M ====================
.
2012-08-29 00:24:56 477168 ----a-w- C:\windows\SysWow64\npdeployJava1.dll
2012-08-29 00:24:53 473072 ----a-w- C:\windows\SysWow64\deployJava1.dll
2012-08-28 16:03:16 73416 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-28 16:03:16 696520 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-07-18 18:15:06 3148800 ----a-w- C:\windows\System32\win32k.sys
2012-07-04 22:13:27 59392 ----a-w- C:\windows\System32\browcli.dll
2012-07-04 22:13:27 136704 ----a-w- C:\windows\System32\browser.dll
2012-07-04 21:14:34 41984 ----a-w- C:\windows\SysWow64\browcli.dll
2012-06-16 05:16:04 609792 ----a-w- C:\windows\System32\vbscript.dll
2012-06-16 04:26:57 428032 ----a-w- C:\windows\SysWow64\vbscript.dll
.
============= FINISH: 21:15:21.01 ===============

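The DDS log above is what a helper reads by hand. As an added example for this thread (not code from DDS, FRST, or the poster), the script below pulls out the items most relevant to a search-redirect complaint from DDS-style lines: DHCP name servers, IE and Firefox proxy settings, BHOs, and executables created in the last 30 days in places system code does not normally live. The sample lines are copied from the log above plus one clearly labelled constructed BHO line; the resolver allowlist, the trusted-directory prefixes, and the placeholder CLSID are assumptions made for illustration.

```python
"""Triage a DDS-style log for the usual search-redirect suspects.

Added example for this thread; not code from DDS, FRST or the poster.
The rules are illustrative assumptions, not a malware signature set.
"""
import ipaddress
import re
from datetime import date

# Lines copied verbatim from the DDS log in the first post ("hxxp" is DDS defanging).
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{90B496A5-140F-4468-AD18-B85BDA53CD8D}\45275696E647169545275637 : DhcpNameServer = 192.168.1.254
FF - prefs.js: network.proxy.type - 0
2012-09-05 13:07:01 98816 ----a-w- C:\windows\sed.exe
2012-09-05 14:22:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-08-28 16:17:28 552960 ----a-w- C:\windows\System32\drivers\bthport.sys
"""

# Constructed line (NOT from the log) so the BHO rule has something to flag:
# a BHO loading from a user's Temp directory, with a placeholder CLSID.
CONSTRUCTED_BHO = (r"BHO: Search Helper: {00000000-0000-0000-0000-000000000000} - "
                   r"C:\Users\Wolverine\AppData\Local\Temp\constructed_example.dll")

# Assumption: public resolvers the ISP is expected to hand out. These two are
# simply what the posted log shows; any other public resolver is flagged for
# a manual check against the ISP's published list.
EXPECTED_PUBLIC_DNS = {"75.75.75.75", "75.75.76.76"}
# Assumption: where a legitimately installed BHO is expected to live.
TRUSTED_BHO_PREFIXES = (r"c:\program files", r"c:\windows\system32", r"c:\windows\syswow64")

DNS_RE = re.compile(r"DhcpNameServer = (.+)$")
BHO_RE = re.compile(r"^BHO(?:-X64)?: (?P<name>.*?): \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
IE_PROXY_RE = re.compile(r"Internet Settings,ProxyServer = (.+)$")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (\d+)$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?:\d+|-+) [-a-z]{8} (?P<path>.+)$")


def check_dns(resolvers):
    """Flag resolvers that are neither private (home router) nor expected."""
    out = []
    for token in resolvers.split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            out.append(("dns", f"unparseable resolver {token!r}"))
            continue
        if not addr.is_private and token not in EXPECTED_PUBLIC_DNS:
            out.append(("dns", f"unexpected public resolver {token}"))
    return out


def check_bho(name, clsid, path):
    """Flag a BHO whose DLL lives outside the trusted install directories."""
    if path.lower().startswith(TRUSTED_BHO_PREFIXES):
        return []
    return [("bho", f"{name} {{{clsid}}} loads from {path}")]


def check_created(day, path, ref_date, window_days=30):
    """Flag executables created inside the window directly in %WINDIR% or
    anywhere under a user profile (not the usual home for system code)."""
    if (ref_date - date.fromisoformat(day)).days > window_days:
        return []
    low = path.lower()
    if not low.endswith((".exe", ".dll", ".sys")):
        return []
    parent = low.rsplit("\\", 1)[0]
    if parent == r"c:\windows" or "\\users\\" in low:
        return [("created", f"{day} {path}")]
    return []


def triage(log_text, ref_date):
    """Walk the log once and collect (category, detail) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := DNS_RE.search(line):
            findings.extend(check_dns(m.group(1)))
        elif m := BHO_RE.match(line):
            findings.extend(check_bho(m["name"], m["clsid"], m["path"]))
        elif m := IE_PROXY_RE.search(line):
            findings.append(("proxy", f"IE proxy set: {m.group(1)}"))
        elif m := FF_PROXY_RE.match(line):
            # 1 = manual proxy, 2 = PAC URL; 0 (direct) and 5 (system) are normal.
            if m.group(1) in {"1", "2"}:
                findings.append(("proxy", f"Firefox network.proxy.type = {m.group(1)}"))
        elif m := CREATED_RE.match(line):
            findings.extend(check_created(m["date"], m["path"], ref_date))
    return findings


def run_sample():
    """Triage the sample plus the constructed line, using the DDS run date
    from the log (2012-09-05) as the reference date."""
    return triage(SAMPLE_LOG + CONSTRUCTED_BHO + "\n", date(2012, 9, 5))


if __name__ == "__main__":
    for category, detail in run_sample():
        print(f"[{category}] {detail}")
```

On the sample, only two items come back: the constructed Temp-directory BHO and C:\windows\sed.exe. The second one is the point of the exercise: a flag is a prompt to look, not a verdict. The poster ran ComboFix that day, and ComboFix places helper binaries including sed.exe in C:\Windows, so that hit is explained by the poster's own actions, while the DNS servers (Comcast resolvers plus a 192.168.1.254 router) and the Firefox proxy setting give no sign of a network-level redirect.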

#2 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 06 September 2012 - 05:04 PM

Please do the following:

Download the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written FRST.txt to file. Close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 robot_ee

  • Topic Starter

  • Members
  • 7 posts

Posted 06 September 2012 - 09:08 PM

Hello CatByte,

Cool username :)

Below you'll find the output logs...

FRST.txt...

Scan result of Farbar Recovery Scan Tool (x64) Version: 05-09-2012
Ran by SYSTEM at 06-09-2012 21:47:34
Running from H:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [HPPowerAssistant] C:\Program Files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden [2919992 2011-01-26] (Hewlett-Packard Company)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2710824 2011-09-12] (Synaptics Incorporated)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.exe [5398528 2011-07-25] (Broadcom Corporation)
HKLM\...\Run: [MfeEpePcMonitor] "C:\Program Files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [200704 2011-02-09] ()
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-09-12] (IDT, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [IntelliType Pro] "c:\Program Files\Microsoft Device Center\itype.exe" [1464928 2012-06-26] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft Device Center\ipoint.exe" [2004584 2012-06-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [File Sanitizer] C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe [12274688 2011-02-07] (Hewlett-Packard)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2011-01-26] (Intel Corporation)
HKLM-x32\...\Run: [NUSB3MON] "c:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [HPConnectionManager] c:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe [94264 2011-04-05] (Hewlett-Packard Development Company L.P.)
HKLM-x32\...\Run: [HPQuickWebProxy] "c:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe" [76344 2011-02-10] (Hewlett-Packard Company)
HKLM-x32\...\Run: [IFXSPMGT] "c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe" /NotifyLogon [1125728 2011-01-19] (Infineon Technologies AG)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [522736 2011-04-18] ()
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-10-09] (Apple Inc.)
HKLM-x32\...\Run: [QLBController] C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe /start [323128 2011-07-06] (Hewlett-Packard Company)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-08-09] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AgentMonitor] C:\Program Files (x86)\VTech\DownloadManager\System\AgentMonitor.exe [357800 2011-12-12] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s [619008 2010-05-25] (Nikon Corporation)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\Guest\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2011-03-04] (Hewlett-Packard Company)
HKU\Wolverine\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2011-03-04] (Hewlett-Packard Company)
HKU\Wolverine\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Lsa: [Notification Packages] DPPassFilter scecli
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Wolverine\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Users\Wolverine\Start Menu\Programs\Startup\TeraTerm Menu.lnk
ShortcutTarget: TeraTerm Menu.lnk -> C:\Program Files (x86)\teraterm\ttpmenu.exe (TeraTerm Project, Shinpei Hayakawa)

==================== Services ====================

2 DpHost; C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe [481104 2011-02-11] (DigitalPersona, Inc.)
3 FLCDLOCK; C:\Windows\SysWOW64\flcdlock.exe [464480 2011-02-03] (Hewlett-Packard Company)
3 HP ProtectTools Service; "C:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe" [36864 2011-01-12] (Hewlett-Packard Development Company, L.P)
3 hpCMSrv; "C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe" [1094712 2011-04-05] (Hewlett-Packard Development Company L.P.)
2 HPDayStarterService; "C:\Program Files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe" [133688 2011-01-28] (Hewlett-Packard Company)
2 hpHotkeyMonitor; C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe [1698360 2011-07-06] (Hewlett-Packard Company)
2 IFXSpMgtSrv; C:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe [1125728 2011-01-19] (Infineon Technologies AG)
2 IFXTCS; C:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxtcs.exe [980320 2011-01-19] (Infineon Technologies AG)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 McAfee Endpoint Encryption Agent; "C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe" [1318912 2011-02-09] ()
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 PersonalSecureDriveService; "C:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\IfxPsdSv.exe" [203104 2011-01-19] (Infineon Technologies AG)
2 uArcCapture; C:\windows\SysWow64\ArcVCapRender\uArcCapture.exe [502464 2010-11-10] (ArcSoft, Inc.)
2 wltrysvc; "C:\Program Files\Broadcom\Broadcom 802.11\WLTRYSVC.EXE" "C:\Program Files\Broadcom\Broadcom 802.11\bcmwltry.exe" [4819968 2011-07-25] (Broadcom Corporation)

==================== Drivers =================================

3 ARCVCAM; C:\Windows\System32\DRIVERS\ArcSoftVCapture.sys [32192 2010-11-10] (ArcSoft, Inc.)
3 DAMDrv; C:\Windows\System32\DRIVERS\DAMDrv64.sys [63336 2011-02-07] (Hewlett-Packard Company)
3 johci; C:\Windows\System32\Drivers\johci.sys [26712 2011-02-08] (JMicron Technology Corp.)
3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
0 MfeEpePc; C:\Windows\System32\Drivers\MfeEpePc.sys [168008 2011-02-09] (McAfee, Inc.)
1 PersonalSecureDrive; C:\Windows\System32\drivers\psd.sys [44576 2010-01-25] (Infineon Technologies AG)
3 SNP2UVC; C:\Windows\System32\Drivers\SNP2UVC.sys [1826048 2010-12-21] ()
3 WinDriver6; C:\Windows\System32\drivers\windrvr6.sys [254976 2010-08-31] (Jungo)
3 catchme; \??\C:\ComboFix\catchme.sys [x]

==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-09-05 17:19 - 2012-09-05 17:19 - 00021557 ____A C:\Users\Wolverine\Desktop\Attach.txt
2012-09-05 17:17 - 2012-09-05 17:17 - 00027138 ____A C:\Users\Wolverine\Desktop\DDS.txt
2012-09-05 17:14 - 2012-09-05 17:14 - 00607260 ____R (Swearware) C:\Users\Wolverine\Desktop\dds.com
2012-09-05 17:12 - 2012-09-05 17:12 - 00050477 ____A C:\Users\Wolverine\Desktop\Defogger.exe
2012-09-05 17:12 - 2012-09-05 17:12 - 00000480 ____A C:\Users\Wolverine\Desktop\defogger_disable.log
2012-09-05 17:12 - 2012-09-05 17:12 - 00000000 ____A C:\Users\Wolverine\defogger_reenable
2012-09-05 12:27 - 2012-09-05 12:35 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-09-05 12:27 - 2012-09-05 12:27 - 00000000 ____D C:\Program Files\HitmanPro
2012-09-05 12:25 - 2012-09-05 12:25 - 00029648 ____A C:\ComboFix.txt
2012-09-05 11:56 - 2012-09-05 11:56 - 08864168 ____A (SurfRight B.V.) C:\Users\Wolverine\Desktop\HitmanPro36_x64.exe
2012-09-05 11:53 - 2012-09-05 11:53 - 00347424 ____A (Microsoft Corporation) C:\Users\Wolverine\Desktop\MicrosoftFixit.WinSecurity.LB.19270305421342664.1.1.Run.exe
2012-09-05 06:31 - 2012-09-05 12:13 - 00002876 ____A C:\Users\Wolverine\Desktop\Rkill.txt
2012-09-05 06:31 - 2012-09-05 06:31 - 01619360 ____A (Bleeping Computer, LLC) C:\Users\Wolverine\Desktop\rkill.exe
2012-09-05 06:22 - 2012-09-05 06:22 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Wolverine\Desktop\mbam-setup-1.62.0.1300.exe
2012-09-05 06:22 - 2012-09-05 06:22 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-05 06:22 - 2012-09-05 06:22 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-05 06:22 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-05 06:06 - 2012-09-05 06:06 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Wolverine\Desktop\ffi99.exe.exe
2012-09-05 06:00 - 2012-09-05 06:00 - 00028989 ____A C:\Users\Wolverine\Desktop\Result.txt
2012-09-05 05:59 - 2012-09-05 05:59 - 00751391 ____A (Farbar) C:\Users\Wolverine\Desktop\MiniToolBox.exe
2012-09-05 05:36 - 2012-09-05 05:19 - 00026108 ____A C:\Users\Wolverine\Desktop\ComboFix.txt
2012-09-05 05:07 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-09-05 05:07 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-09-05 05:07 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-09-05 05:07 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-09-05 05:07 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-09-05 05:07 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-09-05 05:07 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-09-05 05:07 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-09-05 04:59 - 2012-09-05 12:25 - 00000000 ____D C:\Qoobox
2012-09-05 04:58 - 2012-09-05 05:18 - 00000000 ____D C:\Windows\erdnt
2012-09-05 03:54 - 2012-09-05 03:54 - 04743490 ____R (Swearware) C:\Users\Wolverine\Desktop\ComboFix.exe
2012-09-05 03:54 - 2012-09-05 03:54 - 00094404 ____A C:\Users\Wolverine\Desktop\how-to-use-combofix.htm
2012-09-05 03:54 - 2012-09-05 03:54 - 00000000 ____D C:\Users\Wolverine\Desktop\how-to-use-combofix_files
2012-09-04 09:10 - 2012-09-04 09:10 - 00000000 ____D C:\Users\Wolverine\AppData\Roaming\Malwarebytes
2012-09-04 09:09 - 2012-09-04 09:09 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-09-04 06:35 - 2012-09-04 06:36 - 73369648 ____A (Microsoft Corporation) C:\Users\Wolverine\Desktop\msert.exe
2012-09-04 06:15 - 2012-09-04 06:15 - 00000000 ____D C:\Program Files (x86)\PC Tools
2012-09-04 06:13 - 2012-09-04 06:13 - 02154805 ____A C:\Windows\System32\Drivers\Cat.DB
2012-09-04 06:13 - 2012-06-22 11:35 - 00251560 ____A (PC Tools) C:\Windows\System32\Drivers\PCTSD64.sys
2012-09-04 06:12 - 2012-09-04 06:25 - 00000000 ____D C:\Users\All Users\PC Tools
2012-09-04 06:12 - 2012-09-04 06:12 - 00000000 ____D C:\Users\Wolverine\AppData\Roaming\TestApp
2012-09-02 14:16 - 2012-09-02 14:16 - 00004383 ____A C:\Windows\SysWOW64\jupdate-1.6.0_35-b10.log
2012-09-02 14:16 - 2012-08-28 16:10 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-09-02 14:16 - 2012-08-28 16:10 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-09-02 14:16 - 2012-08-28 16:09 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-09-02 14:15 - 2012-09-02 14:15 - 00000000 ____D C:\Users\All Users\McAfee
2012-08-31 13:24 - 2012-08-03 00:46 - 59884088 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MRT.exe
2012-08-31 13:17 - 2012-05-28 04:47 - 00001966 ____A C:\Users\Public\Desktop\ViewNX 2.lnk
2012-08-31 13:17 - 2012-04-01 15:16 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk
2012-08-31 13:17 - 2012-02-25 10:57 - 00002729 ____A C:\Users\Public\Desktop\GC-Prevue 13.3.4.lnk
2012-08-31 13:17 - 2012-02-02 09:03 - 00001899 ____A C:\Users\Public\Desktop\ExpressSCH.lnk
2012-08-31 13:17 - 2012-02-02 09:03 - 00001899 ____A C:\Users\Public\Desktop\ExpressPCB.lnk
2012-08-31 13:17 - 2011-11-21 17:39 - 00002179 ____A C:\Users\Public\Desktop\HP Support Assistant.lnk
2012-08-31 13:17 - 2011-09-26 09:51 - 00000998 ____A C:\Users\Public\Desktop\IrfanView.lnk
2012-08-31 13:16 - 2012-08-31 13:38 - 00002414 ____A C:\Users\Wolverine\Desktop\unhide.txt
2012-08-31 10:11 - 2012-08-31 10:11 - 00000655 ____A C:\Users\Wolverine\Desktop\File_Recovery.lnk
2012-08-30 11:25 - 2012-08-31 10:01 - 00008670 ____A C:\Users\Wolverine\Desktop\UofM schedule.xlsx
2012-08-28 08:17 - 2012-07-06 12:07 - 00552960 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys
2012-08-28 08:07 - 2012-07-04 14:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-28 08:07 - 2012-07-04 14:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-28 08:07 - 2012-06-15 21:16 - 00609792 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-28 08:07 - 2012-06-15 21:15 - 00911360 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-28 08:07 - 2012-06-15 20:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-28 08:07 - 2012-06-15 20:26 - 00428032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-28 08:07 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-08-28 08:07 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-08-28 08:07 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-08-28 08:07 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-08-28 08:07 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-08-28 08:07 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-08-28 08:07 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-08-28 08:07 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-08-28 08:07 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-08-28 08:07 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-08-28 08:07 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-08-28 08:07 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-08-28 08:07 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-08-28 08:07 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-08-28 08:07 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-08-28 08:07 - 2012-05-05 00:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-28 08:07 - 2012-05-04 23:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2012-08-28 08:07 - 2012-02-10 22:43 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-28 08:07 - 2012-02-10 22:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-28 08:07 - 2012-02-10 22:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-08-28 08:07 - 2012-02-10 21:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2012-08-28 08:07 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-08-28 08:07 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-08-28 08:06 - 2012-07-18 10:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-28 08:06 - 2012-07-04 14:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-28 08:06 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-28 08:06 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-28 08:06 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-08-28 08:06 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-08-28 08:06 - 2012-05-13 21:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-28 05:14 - 2012-08-28 05:14 - 00000000 ____D C:\Program Files\Microsoft Device Center
2012-08-27 05:40 - 2012-08-27 05:40 - 00005288 ____A C:\comcastrelease.log
2012-08-27 05:40 - 2012-08-27 05:40 - 00001280 ____A C:\Users\Wolverine\Desktop\XFINITY Connect.lnk
2012-08-27 05:40 - 2012-08-27 05:40 - 00001252 ____A C:\Users\Wolverine\Desktop\Constant Guard Protection Suite.lnk
2012-08-27 05:40 - 2012-08-27 05:40 - 00001246 ____A C:\Users\Wolverine\Desktop\XFINITY TV.lnk
2012-08-27 05:40 - 2012-08-27 05:40 - 00000000 ____D C:\Users\Wolverine\AppData\Local\Xfinity.com
2012-08-12 06:26 - 2012-08-28 08:13 - 00000000 ____D C:\Program Files (x86)\Microsoft Works
2012-08-12 06:23 - 2012-08-28 08:18 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-08-12 06:23 - 2012-08-12 06:23 - 00000000 ____D C:\Windows\SHELLNEW
2012-08-12 06:23 - 2012-08-12 06:23 - 00000000 ____D C:\Users\Wolverine\AppData\Local\Microsoft Help
2012-08-12 06:23 - 2012-08-12 06:23 - 00000000 ____D C:\Program Files\Microsoft Office
2012-08-12 06:22 - 2012-08-12 06:22 - 00000000 ___RD C:\MSOCache


==================== 3 Months Modified Files ================================

2012-09-06 17:44 - 2012-07-06 11:44 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-06 17:43 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-06 17:43 - 2009-07-13 20:51 - 00052392 ____A C:\Windows\setupact.log
2012-09-06 17:16 - 2011-07-25 20:05 - 01304423 ____A C:\Windows\WindowsUpdate.log
2012-09-06 17:02 - 2012-07-06 11:44 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-06 16:59 - 2009-07-13 21:13 - 00782702 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-06 04:40 - 2009-07-13 20:45 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-06 04:40 - 2009-07-13 20:45 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-05 17:19 - 2012-09-05 17:19 - 00021557 ____A C:\Users\Wolverine\Desktop\Attach.txt
2012-09-05 17:17 - 2012-09-05 17:17 - 00027138 ____A C:\Users\Wolverine\Desktop\DDS.txt
2012-09-05 17:14 - 2012-09-05 17:14 - 00607260 ____R (Swearware) C:\Users\Wolverine\Desktop\dds.com
2012-09-05 17:12 - 2012-09-05 17:12 - 00050477 ____A C:\Users\Wolverine\Desktop\Defogger.exe
2012-09-05 17:12 - 2012-09-05 17:12 - 00000480 ____A C:\Users\Wolverine\Desktop\defogger_disable.log
2012-09-05 17:12 - 2012-09-05 17:12 - 00000000 ____A C:\Users\Wolverine\defogger_reenable
2012-09-05 12:33 - 2011-07-25 20:47 - 00036476 ____A C:\Windows\PFRO.log
2012-09-05 12:25 - 2012-09-05 12:25 - 00029648 ____A C:\ComboFix.txt
2012-09-05 12:24 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-09-05 12:13 - 2012-09-05 06:31 - 00002876 ____A C:\Users\Wolverine\Desktop\Rkill.txt
2012-09-05 11:56 - 2012-09-05 11:56 - 08864168 ____A (SurfRight B.V.) C:\Users\Wolverine\Desktop\HitmanPro36_x64.exe
2012-09-05 11:53 - 2012-09-05 11:53 - 00347424 ____A (Microsoft Corporation) C:\Users\Wolverine\Desktop\MicrosoftFixit.WinSecurity.LB.19270305421342664.1.1.Run.exe
2012-09-05 06:31 - 2012-09-05 06:31 - 01619360 ____A (Bleeping Computer, LLC) C:\Users\Wolverine\Desktop\rkill.exe
2012-09-05 06:22 - 2012-09-05 06:22 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Wolverine\Desktop\mbam-setup-1.62.0.1300.exe
2012-09-05 06:22 - 2012-09-05 06:22 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-05 06:06 - 2012-09-05 06:06 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Wolverine\Desktop\ffi99.exe.exe
2012-09-05 06:00 - 2012-09-05 06:00 - 00028989 ____A C:\Users\Wolverine\Desktop\Result.txt
2012-09-05 05:59 - 2012-09-05 05:59 - 00751391 ____A (Farbar) C:\Users\Wolverine\Desktop\MiniToolBox.exe
2012-09-05 05:19 - 2012-09-05 05:36 - 00026108 ____A C:\Users\Wolverine\Desktop\ComboFix.txt
2012-09-05 05:13 - 2009-07-13 18:34 - 70254592 ____A C:\Windows\System32\config\SOFTWARE.bak
2012-09-05 05:13 - 2009-07-13 18:34 - 18874368 ____A C:\Windows\System32\config\SYSTEM.bak
2012-09-05 05:13 - 2009-07-13 18:34 - 00524288 ____A C:\Windows\System32\config\DEFAULT.bak
2012-09-05 05:13 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\SECURITY.bak
2012-09-05 05:13 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\SAM.bak
2012-09-05 03:54 - 2012-09-05 03:54 - 04743490 ____R (Swearware) C:\Users\Wolverine\Desktop\ComboFix.exe
2012-09-05 03:54 - 2012-09-05 03:54 - 00094404 ____A C:\Users\Wolverine\Desktop\how-to-use-combofix.htm
2012-09-04 06:36 - 2012-09-04 06:35 - 73369648 ____A (Microsoft Corporation) C:\Users\Wolverine\Desktop\msert.exe
2012-09-04 06:30 - 2012-02-06 08:57 - 00000348 ____A C:\Windows\Tasks\HPCeeScheduleForWolverine.job
2012-09-04 06:13 - 2012-09-04 06:13 - 02154805 ____A C:\Windows\System32\Drivers\Cat.DB
2012-09-03 12:35 - 2011-08-24 10:27 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-09-02 14:16 - 2012-09-02 14:16 - 00004383 ____A C:\Windows\SysWOW64\jupdate-1.6.0_35-b10.log
2012-08-31 13:38 - 2012-08-31 13:16 - 00002414 ____A C:\Users\Wolverine\Desktop\unhide.txt
2012-08-31 10:11 - 2012-08-31 10:11 - 00000655 ____A C:\Users\Wolverine\Desktop\File_Recovery.lnk
2012-08-31 10:01 - 2012-08-30 11:25 - 00008670 ____A C:\Users\Wolverine\Desktop\UofM schedule.xlsx
2012-08-29 12:02 - 2011-08-28 04:12 - 00000350 ____A C:\Windows\Tasks\HPCeeScheduleForWOLVERINE-HP$.job
2012-08-28 16:24 - 2012-05-02 16:43 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-08-28 16:24 - 2011-09-04 10:11 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-08-28 16:10 - 2012-09-02 14:16 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-08-28 16:10 - 2012-09-02 14:16 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-08-28 16:09 - 2012-09-02 14:16 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-08-28 09:16 - 2011-08-21 09:00 - 00092784 ____A C:\Users\Wolverine\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-28 09:14 - 2009-07-13 20:45 - 00382784 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-28 08:03 - 2012-04-01 05:54 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-28 08:03 - 2011-08-21 09:40 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-27 05:40 - 2012-08-27 05:40 - 00005288 ____A C:\comcastrelease.log
2012-08-27 05:40 - 2012-08-27 05:40 - 00001280 ____A C:\Users\Wolverine\Desktop\XFINITY Connect.lnk
2012-08-27 05:40 - 2012-08-27 05:40 - 00001252 ____A C:\Users\Wolverine\Desktop\Constant Guard Protection Suite.lnk
2012-08-27 05:40 - 2012-08-27 05:40 - 00001246 ____A C:\Users\Wolverine\Desktop\XFINITY TV.lnk
2012-08-03 00:46 - 2012-08-31 13:24 - 59884088 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MRT.exe
2012-08-03 00:27 - 2012-04-21 06:51 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-31 02:34 - 2012-07-26 12:17 - 00054438 ____A C:\Users\Wolverine\.ganttproject.log.1
2012-07-31 02:34 - 2011-10-02 08:48 - 00003494 ____A C:\Users\Wolverine\.ganttproject
2012-07-31 02:34 - 2011-10-02 08:26 - 00001091 ____A C:\Users\Wolverine\.ganttproject.log
2012-07-26 11:58 - 2012-05-28 04:47 - 00000020 ____N C:\Users\All Users\PKP_DLet.DAT
2012-07-18 10:15 - 2012-08-28 08:06 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-18 06:50 - 2012-05-28 04:47 - 00000020 ____N C:\Users\All Users\PKP_DLev.DAT
2012-07-16 13:12 - 2011-12-07 09:02 - 00005995 ____A C:\Users\Wolverine\Documents\eaglerc.usr
2012-07-06 12:07 - 2012-08-28 08:17 - 00552960 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys
2012-07-04 14:16 - 2012-08-28 08:06 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:13 - 2012-08-28 08:07 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:13 - 2012-08-28 08:07 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:16 - 2012-08-28 08:06 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:14 - 2012-08-28 08:06 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-07-03 09:46 - 2012-09-05 06:22 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-01 04:05 - 2012-06-29 08:01 - 00003347 ____A C:\Users\Wolverine\Desktop\Tree.mm
2012-06-28 09:14 - 2012-05-28 04:47 - 00000020 ____N C:\Users\All Users\PKP_DLes.DAT
2012-06-22 11:35 - 2012-09-04 06:13 - 00251560 ____A (PC Tools) C:\Windows\System32\Drivers\PCTSD64.sys
2012-06-22 02:36 - 2011-03-06 13:49 - 00779172 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-22 00:55 - 2012-06-22 00:55 - 00909936 ____A C:\Windows\Minidump\062212-21028-01.dmp
2012-06-22 00:55 - 2011-09-23 06:35 - 531386986 ____A C:\Windows\MEMORY.DMP
2012-06-15 21:16 - 2012-08-28 08:07 - 00609792 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-06-15 21:15 - 2012-08-28 08:07 - 00911360 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-15 20:26 - 2012-08-28 08:07 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-15 20:26 - 2012-08-28 08:07 - 00428032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-20 09:35:46
Restore point made on: 2012-08-27 06:03:26
Restore point made on: 2012-08-28 05:13:52
Restore point made on: 2012-08-28 08:09:32
Restore point made on: 2012-09-01 06:20:29
Restore point made on: 2012-09-02 14:16:05
Restore point made on: 2012-09-05 05:07:17
Restore point made on: 2012-09-05 05:52:17

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4046.36 MB
Available physical RAM: 3416.81 MB
Total Pagefile: 4044.51 MB
Available Pagefile: 3409.23 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions ============================

1 Drive c: () (Fixed) (Total:445.53 GB) (Free:342.24 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (HP_RECOVERY) (Fixed) (Total:14.93 GB) (Free:2.23 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:4.98 GB) (Free:2.12 GB) FAT32
5 Drive h: (CENTON USB) (Removable) (Total:7.49 GB) (Free:7.48 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.12 GB) (Free:0.12 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 7680 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 300 MB 1024 KB
Partition 2 Primary 445 GB 301 MB
Partition 3 Primary 14 GB 445 GB
Partition 4 Primary 5115 MB 460 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 300 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 445 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E HP_RECOVERY NTFS Partition 14 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 5115 MB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7679 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H CENTON USB FAT32 Removable 7679 MB Healthy

==================================================================================

Last Boot: 2012-08-28 07:03

==================== End Of Log =============================



Search.txt...

Farbar Recovery Scan Tool (x64) Version: 05-09-2012
Ran by SYSTEM at 2012-09-06 21:51:05
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\erdnt\cache64\services.exe
[2012-09-05 05:18] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
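The Search.txt above is the standard check for a patched services.exe: the live System32 copy must carry the same size and MD5 as the pristine winsxs component-store copy. As an added example (not code from the thread or from FRST), this Python script parses a listing in that format and flags a System32 copy that matches no winsxs copy; the clean listing is copied from the log above, while the tampered listing and its hash are constructed.

```python
"""Triage an FRST Search.txt listing: does the live System32 copy of a system
file match a pristine winsxs component-store copy?  Added example; the detail
line format is FRST's, the tampered sample at the bottom is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# FRST prints one detail line under each path it finds, in this shape:
# [created] - [modified] - size attrs (vendor) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\s*-\s*\[(?P<modified>[^\]]+)\]\s*-\s*"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+\((?P<vendor>[^)]*)\)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class FileCopy:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    vendor: str
    md5: str


def parse_search_txt(text: str) -> List[FileCopy]:
    """Turn the body of an FRST Search.txt into FileCopy records."""
    copies: List[FileCopy] = []
    pending_path: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue  # blank lines and the '==== Search / End Of Search' banners
        m = DETAIL_RE.match(line)
        if m and pending_path:
            copies.append(FileCopy(pending_path, m["created"], m["modified"],
                                   int(m["size"]), m["attrs"], m["vendor"],
                                   m["md5"].upper()))
            pending_path = None
        elif PATH_RE.match(line):
            pending_path = line  # a path line always precedes its detail line
    return copies


def assess(copies: List[FileCopy]) -> Dict[str, object]:
    """Flag a System32 copy whose MD5 matches no winsxs copy, or whose vendor
    string is not Microsoft's.  Backups such as ComboFix's erdnt cache are
    neither live nor pristine, so they are ignored."""
    live = [c for c in copies if "\\system32\\" in c.path.lower()]
    store = {c.md5 for c in copies if "\\winsxs\\" in c.path.lower()}
    findings: List[str] = []
    for c in live:
        if not store:
            findings.append(f"{c.path}: no winsxs copy to compare against")
        elif c.md5 not in store:
            findings.append(f"{c.path}: MD5 {c.md5} ({c.size} bytes) matches no winsxs copy")
        if "microsoft" not in c.vendor.lower():
            findings.append(f"{c.path}: unexpected vendor '{c.vendor}'")
    return {"copies": len(copies), "findings": findings, "suspicious": bool(findings)}


# Clean listing, copied from the thread's Search.txt: all three copies agree.
CLEAN_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\erdnt\cache64\services.exe
[2012-09-05 05:18] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
"""

# Constructed listing: the live copy has a different size and a made-up hash,
# which is what a patched services.exe looks like in this output.
TAMPERED_LOG = r"""
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2012-09-01 03:12] - 0335872 ____A (Microsoft Corporation) 00112233445566778899AABBCCDDEEFF
"""

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("tampered", TAMPERED_LOG)):
        result = assess(parse_search_txt(log))
        print(name, "suspicious" if result["suspicious"] else "consistent", result["findings"])
```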

#4 CatByte

CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts
  • Gender: Not Telling
  • Location: Canada

Posted 06 September 2012 - 10:16 PM

nothing obvious in the log

please run the following:

  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • Click on Report when the scan has finished, copy/paste the content of the notepad into your next reply

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 robot_ee

robot_ee (Topic Starter)

  • Members
  • 7 posts

Posted 07 September 2012 - 07:43 AM

RogueKiller report...

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Wolverine [Admin rights]
Mode : Scan -- Date : 09/07/2012 08:41:55

Bad processes : 0

Registry Entries : 8
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[WALLP] HKCU\[...]\Desktop : Wallpaper (C:\Users\Wolverine\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg) -> FOUND

Particular Files / Folders:

Driver : [NOT LOADED]

Infection :

HOSTS File:
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: Hitachi HTS727550A9E364 +++++
--- User ---
[MBR] 27c9b86d972c429012a1243c9ab11a00
[BSP] 270e5d797478a887184f50094096aa5e : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 300 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 616448 | Size: 456224 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 934963200 | Size: 15292 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 966281216 | Size: 5115 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: CENTON USB Device +++++
--- User ---
[MBR] de90de2f37ab15840bc54a173e2e84ff
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7679 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

#6 CatByte

CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts
  • Gender: Not Telling
  • Location: Canada

Posted 07 September 2012 - 01:15 PM

Please re-run RogueKiller and click the Delete button this time after the scan so it can fix what it has found.

please post the new report it makes


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#7 robot_ee

robot_ee (Topic Starter)

  • Members
  • 7 posts

Posted 08 September 2012 - 11:26 AM

RogueKiller report...

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Wolverine [Admin rights]
Mode : Remove -- Date : 09/08/2012 09:23:59

Bad processes : 0

Registry Entries : 0

Particular Files / Folders:

Driver : [NOT LOADED]

Infection :

HOSTS File:
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: Hitachi HTS727550A9E364 +++++
--- User ---
[MBR] 27c9b86d972c429012a1243c9ab11a00
[BSP] 270e5d797478a887184f50094096aa5e : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 300 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 616448 | Size: 456224 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 934963200 | Size: 15292 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 966281216 | Size: 5115 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: CENTON USB Device +++++
--- User ---
[MBR] de90de2f37ab15840bc54a173e2e84ff
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7679 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt



Malwarebytes log...

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.08.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Wolverine :: WOLVERINE-HP [administrator]

Protection: Enabled

9/8/2012 9:25:14 AM
mbam-log-2012-09-08 (09-25-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225740
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


ESET Scan...

C:\Users\Wolverine\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\a54beb9-7791ed83 Java/Exploit.CVE-2012-4681.K trojan
C:\Users\Wolverine\AppData\Roaming\Mozilla\Firefox\Profiles\8qtdu9xv.default\extensions\pkkwnnfhvq@pkkwnnfhvq.org.xpi JS/Redirector.NCA trojan


The Java/Exploit trojan and JS/Redirector trojan are very suspicious.

#8 CatByte

CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts
  • Gender: Not Telling
  • Location: Canada

Posted 08 September 2012 - 12:12 PM

yes, they are likely the cause of the problem


delete the copy of ComboFix that you have on your desktop (it is outdated)

and download a fresh copy from here

Now do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the code box below into Notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\Wolverine\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\a54beb9-7791ed83 
C:\Users\Wolverine\AppData\Roaming\Mozilla\Firefox\Profiles\8qtdu9xv.default\extensions\pkkwnnfhvq@pkkwnnfhvq.org.xpi 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Let me know how the computer is running now and if there are any outstanding issues



#9 robot_ee

robot_ee (Topic Starter)

  • Members
  • 7 posts

Posted 10 September 2012 - 01:50 PM

So far I've had no redirects in Google or in Yahoo.

Can you tell from the report if ComboFix got both trojans?


ComboFix report...

ComboFix 12-09-09.02 - Wolverine 09/10/2012 9:01.4.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4046.1878 [GMT -4:00]
Running from: c:\users\Wolverine\Desktop\ComboFix.exe
Command switches used :: c:\users\Wolverine\Desktop\CFScript.TXT
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\users\Wolverine\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\a54beb9-7791ed83"
"c:\users\Wolverine\AppData\Roaming\Mozilla\Firefox\Profiles\8qtdu9xv.default\extensions\pkkwnnfhvq@pkkwnnfhvq.org.xpi"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Wolverine\AppData\Roaming\Mozilla\Firefox\Profiles\8qtdu9xv.default\extensions\pkkwnnfhvq@pkkwnnfhvq.org.xpi
.
.
((((((((((((((((((((((((( Files Created from 2012-08-10 to 2012-09-10 )))))))))))))))))))))))))))))))
.
.
2012-09-10 13:33 . 2012-09-10 13:33 -------- d-----w- c:\users\Wolverine\AppData\Local\temp
2012-09-10 13:33 . 2012-09-10 13:33 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-09-10 13:33 . 2012-09-10 13:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-08 16:22 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{631D1B7A-23AE-4537-9F56-40BAB5ADB003}\mpengine.dll
2012-09-08 13:32 . 2012-09-08 13:32 -------- d-----w- c:\program files (x86)\ESET
2012-09-07 05:47 . 2012-09-07 05:47 -------- d-----w- C:\FRST
2012-09-07 01:55 . 2012-09-07 01:55 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-09-07 01:55 . 2012-09-07 01:55 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-09-07 01:55 . 2012-09-07 01:55 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-09-07 01:55 . 2012-09-07 01:55 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-09-07 01:55 . 2012-09-07 01:55 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-09-07 01:55 . 2012-09-07 01:55 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2012-09-07 01:55 . 2012-09-07 01:55 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-09-07 01:55 . 2012-09-07 01:55 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2012-09-07 01:54 . 2012-09-07 01:54 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-09-07 01:54 . 2012-09-07 01:54 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2012-09-07 01:54 . 2012-09-07 01:54 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2012-09-07 01:54 . 2012-09-07 01:54 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2012-09-07 01:54 . 2012-09-07 01:54 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-09-07 01:54 . 2012-09-07 01:54 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-09-07 01:54 . 2012-09-07 01:54 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-09-07 01:54 . 2012-09-07 01:54 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-09-07 01:54 . 2012-09-07 01:54 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-09-07 01:02 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-05 20:27 . 2012-09-05 20:27 -------- d-----w- c:\program files\HitmanPro
2012-09-05 20:27 . 2012-09-05 20:35 -------- d-----w- c:\programdata\HitmanPro
2012-09-05 14:22 . 2012-09-05 14:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-05 14:22 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-04 17:10 . 2012-09-04 17:10 -------- d-----w- c:\users\Wolverine\AppData\Roaming\Malwarebytes
2012-09-04 17:09 . 2012-09-04 17:09 -------- d-----w- c:\programdata\Malwarebytes
2012-09-04 14:15 . 2012-09-04 14:15 -------- d-----w- c:\program files (x86)\PC Tools
2012-09-04 14:13 . 2012-06-22 19:35 251560 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-09-04 14:12 . 2012-09-04 14:30 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-09-04 14:12 . 2012-09-04 14:25 -------- d-----w- c:\programdata\PC Tools
2012-09-04 14:12 . 2012-09-04 14:12 -------- d-----w- c:\users\Wolverine\AppData\Roaming\TestApp
2012-09-04 12:27 . 2012-09-04 13:33 -------- d-----w- C:\temp
2012-09-02 22:15 . 2012-09-02 22:15 -------- d-----w- c:\programdata\McAfee
2012-08-31 19:56 . 2012-09-05 19:53 -------- d-----w- c:\users\Wolverine\AppData\Local\ElevatedDiagnostics
2012-08-28 16:17 . 2012-07-06 20:07 552960 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-08-28 16:06 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-28 13:14 . 2012-08-28 13:14 -------- d-----w- c:\program files\Microsoft Device Center
2012-08-27 13:40 . 2012-08-27 13:40 -------- d-----w- c:\users\Wolverine\AppData\Local\Xfinity.com
2012-08-12 14:26 . 2012-08-28 16:13 -------- d-----w- c:\program files (x86)\Microsoft Works
2012-08-12 14:23 . 2012-08-12 14:23 -------- d-----w- c:\program files\Microsoft Office
2012-08-12 14:23 . 2012-08-12 14:23 -------- d-----w- c:\windows\SHELLNEW
2012-08-12 14:23 . 2012-08-12 14:23 -------- d-----w- c:\users\Wolverine\AppData\Local\Microsoft Help
2012-08-12 14:23 . 2012-08-28 16:18 -------- d-----w- c:\programdata\Microsoft Help
2012-08-12 14:22 . 2012-08-12 14:22 -------- d-----r- C:\MSOCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-29 00:24 . 2012-05-03 00:43 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-08-29 00:24 . 2011-09-04 18:11 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-28 16:03 . 2012-04-01 13:54 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-28 16:03 . 2011-08-21 17:40 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-03 08:27 . 2012-04-21 14:51 62134624 ----a-w- c:\windows\system32\MRT.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-09-05_13.15.30 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-09-05 12:56 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-09-05 13:14 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-09-05 12:56 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-05 13:14 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-09-05 12:56 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-05 13:14 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-06 21:52 . 2012-09-07 01:56 51526 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-09-07 01:56 39176 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2011-08-21 07:53 . 2012-09-05 03:59 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-08-21 07:53 . 2012-09-10 11:48 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-08-21 07:53 . 2012-09-05 03:59 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-08-21 07:53 . 2012-09-10 11:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-09-05 03:59 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-10 11:48 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-08-22 13:13 . 2012-09-07 01:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-08-22 13:13 . 2012-09-05 12:59 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-08-22 13:13 . 2012-09-05 12:59 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-08-22 13:13 . 2012-09-07 01:57 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-08-22 13:13 . 2012-09-05 12:59 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-08-22 13:13 . 2012-09-07 01:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-08-21 19:04 . 2012-09-05 13:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-08-21 19:04 . 2012-09-10 13:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-08-21 19:04 . 2012-09-05 13:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-08-21 19:04 . 2012-09-10 13:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-08-22 16:30 . 2012-09-07 01:56 9442 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1364543355-386302362-1975130397-1002_UserData.bin
- 2012-09-05 13:14 . 2012-09-05 13:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-07 01:54 . 2012-09-07 01:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-07 01:54 . 2012-09-07 01:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-09-05 13:14 . 2012-09-05 13:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-08-22 13:13 . 2012-09-10 11:37 449698 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2012-09-07 02:02 664270 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-09-05 13:04 664270 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-09-05 13:04 123056 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-09-07 02:02 123056 c:\windows\system32\perfc009.dat
+ 2009-07-14 04:46 . 2012-09-08 02:03 104720 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 05:01 . 2012-09-07 01:45 369884 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-09-05 13:13 369884 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-03-06 22:41 . 2012-09-05 13:13 2796384 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-03-06 22:41 . 2012-09-07 01:45 2796384 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-08-22 13:48 . 2012-09-07 01:45 8943535 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1364543355-386302362-1975130397-1002-8192.dat
+ 2011-11-23 03:33 . 2012-09-05 19:45 2635652 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1364543355-386302362-1975130397-1002-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-03-04 2736128]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"File Sanitizer"="c:\program files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2011-02-07 12274688]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-01-26 283160]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-04-05 94264]
"HPQuickWebProxy"="c:\program files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe" [2011-02-11 76344]
"IFXSPMGT"="c:\program files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe" [2011-01-20 1125728]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2011-04-19 522736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QLBController"="c:\program files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe" [2011-07-06 323128]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-08-10 336384]
"AgentMonitor"="c:\program files (x86)\VTech\DownloadManager\System\AgentMonitor.exe" [2011-12-13 357800]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Nikon Message Center 2"="c:\program files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-25 619008]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\users\Wolverine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
TeraTerm Menu.lnk - c:\program files (x86)\teraterm\ttpmenu.exe [2011-11-22 192512]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-29 1132320]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2011-02-03 23:09 75360 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-06 116648]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2011-08-23 3175728]
R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [2009-07-14 281088]
R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [2009-06-10 15360]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-07-14 344616]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-02 39464]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv64.sys [2011-02-07 63336]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\SysWOW64\flcdlock.exe [2011-02-03 464480]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-06 116648]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-31 113120]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2011-01-15 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-22 1255736]
S0 MfeEpePc;MfeEpePc; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys [2010-01-26 44576]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-09-13 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-11-22 203776]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-01-27 131128]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe [2011-01-28 133688]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-07-05 227384]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2011-02-07 320000]
S2 hpHotkeyMonitor;hpHotkeyMonitor;c:\program files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe [2011-07-06 1698360]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-13 30520]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-01-26 13336]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2012-02-06 13672]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2010-11-29 210896]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [2011-02-09 1318912]
S2 PdiService;Portrait Displays SDK Service;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2011-01-18 113264]
S2 uArcCapture;ArcCapture;c:\windows\SysWow64\ArcVCapRender\uArcCapture.exe [2010-11-11 502464]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-03 2656280]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-11-22 9090560]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-11-22 299520]
S3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;c:\windows\system32\DRIVERS\ArcSoftVCapture.sys [2010-11-11 32192]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-11-22 231440]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2011-05-04 340656]
S3 HP ProtectTools Service;HP ProtectTools Service;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2011-01-12 36864]
S3 hpCMSrv;HP Connection Manager 4 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-04-05 1094712]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2011-01-30 174168]
S3 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys [2011-02-08 26712]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-12-10 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-12-10 181248]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-03-04 16:29 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-06 19:44]
.
2012-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-06 19:44]
.
2012-08-29 c:\windows\Tasks\HPCeeScheduleForWOLVERINE-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
2012-09-04 c:\windows\Tasks\HPCeeScheduleForWolverine.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-01-27 13880]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"Broadcom Wireless Manager UI"="c:\program files\Broadcom\Broadcom 802.11\WLTRAY.exe" [2011-07-26 5398528]
"MfeEpePcMonitor"="c:\program files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [2011-02-09 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-09-13 1128448]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
"IntelliType Pro"="c:\program files\Microsoft Device Center\itype.exe" [2012-06-27 1464928]
"IntelliPoint"="c:\program files\Microsoft Device Center\ipoint.exe" [2012-06-27 2004584]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://xfinity.comcast.net/?cid=insDate08272012
uLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\Wolverine\AppData\Roaming\Mozilla\Firefox\Profiles\8qtdu9xv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\x*sh***]
@="x?h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\_2**]
@="????\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\2**]
@="????\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\2**]
@="????\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\A|**]
@="????\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\A|**]
@="????\08"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\m**]
@="????\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\*]
@="?"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\M2?***]
@="????\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\
]
@="?"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\*
]
@="?"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\,
ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\
ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\<ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\\ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\|ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\\ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\ph***]
@="??h?\02"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{F7A31DE6-534B-4564-808A-7D170A9F74A1}\DeviceDbcc\e|**]
@="????\02"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-10 09:35:32
ComboFix-quarantined-files.txt 2012-09-10 13:35
ComboFix2.txt 2012-09-05 20:25
ComboFix3.txt 2012-09-05 19:15
ComboFix4.txt 2012-09-05 13:19
.
Pre-Run: 369,009,594,368 bytes free
Post-Run: 368,938,672,128 bytes free
.
- - End Of File - - E85D408CD5C6A11A6EB37706195FADDA

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:34 AM

Posted 10 September 2012 - 02:12 PM

Yes, ComboFix cleaned those entries.

Please do the following:

  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run from.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 robot_ee

robot_ee
  • Topic Starter

  • Members
  • 7 posts
  • Local time:06:34 AM

Posted 11 September 2012 - 07:07 PM

MiniToolBox log...

MiniToolBox by Farbar Version: 23-07-2012
Ran by Wolverine (administrator) on 11-09-2012 at 20:01:35
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

Adobe Flash Player 10 ActiveX (Version: 10.2.152.26)
Adobe Flash Player 11 Plugin (Version: 11.4.402.265)
Adobe Reader X (10.1.4) (Version: 10.1.4)
Alcor Micro Smart Card Reader Driver (Version: 1.7.16.0)
Apple Application Support (Version: 2.1.5)
Apple Mobile Device Support (Version: 4.0.0.96)
Apple Software Update (Version: 2.1.3.127)
ArcSoft Webcam Sharing Manager (Version: 2.0.0.30)
ATI Catalyst Install Manager (Version: 3.0.812.0)
ATI Stream SDK v2 Developer (Version: 2.3.0.0)
AVR Jungo USB (Version: 10.2)
AVR Studio 4.19 (Version: 4.19.730)
Bing Bar (Version: 6.0.2282.0)
Bing Bar Platform (Version: 6.0.2282.0)
Bing Rewards Client Installer (Version: 16.0.345.0)
Bonjour (Version: 3.0.0.10)
Broadcom 2070 Bluetooth 3.0 (Version: 6.3.0.6300)
Broadcom 802.11 Wireless LAN Adapter (Version: 5.60.48.61)
Broadcom Wireless Utility (Version: 5.60.48.61)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Graphics Previews Common (Version: 2011.0810.36.42320)
Catalyst Control Center InstallProxy (Version: 2011.0810.36.42320)
Catalyst Control Center Localization All (Version: 2011.0810.36.42320)
Catalyst Control Center Profiles Mobile (Version: 2011.0810.36.42320)
ccc-core-static (Version: 2011.0810.36.42320)
ccc-utility64 (Version: 2011.0810.36.42320)
CCC Help Chinese Standard (Version: 2011.0810.0035.42320)
CCC Help Chinese Traditional (Version: 2011.0810.0035.42320)
CCC Help Czech (Version: 2011.0810.0035.42320)
CCC Help Danish (Version: 2011.0810.0035.42320)
CCC Help Dutch (Version: 2011.0810.0035.42320)
CCC Help English (Version: 2011.0810.0035.42320)
CCC Help Finnish (Version: 2011.0810.0035.42320)
CCC Help French (Version: 2011.0810.0035.42320)
CCC Help German (Version: 2011.0810.0035.42320)
CCC Help Greek (Version: 2011.0810.0035.42320)
CCC Help Hungarian (Version: 2011.0810.0035.42320)
CCC Help Italian (Version: 2011.0810.0035.42320)
CCC Help Japanese (Version: 2011.0810.0035.42320)
CCC Help Korean (Version: 2011.0810.0035.42320)
CCC Help Norwegian (Version: 2011.0810.0035.42320)
CCC Help Polish (Version: 2011.0810.0035.42320)
CCC Help Portuguese (Version: 2011.0810.0035.42320)
CCC Help Russian (Version: 2011.0810.0035.42320)
CCC Help Spanish (Version: 2011.0810.0035.42320)
CCC Help Swedish (Version: 2011.0810.0035.42320)
CCC Help Thai (Version: 2011.0810.0035.42320)
CCC Help Turkish (Version: 2011.0810.0035.42320)
Cisco EAP-FAST Module (Version: 2.2.14)
Cisco LEAP Module (Version: 1.0.19)
Cisco PEAP Module (Version: 1.1.6)
Device Access Manager for HP ProtectTools (Version: 6.0.0.9)
DirectX 9 Runtime (Version: 1.00.0000)
Drive Encryption For HP ProtectTools (Version: 6.0.33.24411)
Embedded Security for HP ProtectTools (Version: 6.0.100.2572)
Energy Star Digital Logo (Version: 1.0.1)
ESET Online Scanner v3
ExpressPCB (Version: 7.0.2)
Face Recognition for HP ProtectTools (Version: 6.00.4303)
File Sanitizer For HP ProtectTools (Version: 6.0.0.8)
FreeMind (Version: 0.9.0)
GanttProject
GC-Prevue (Version: 13.3.4)
Google Earth Plug-in (Version: 6.2.2.6613)
Google Update Helper (Version: 1.3.21.115)
Hewlett-Packard ACLM.NET v1.1.1.0 (Version: 1.00.0000)
HP 3D DriveGuard (Version: 4.1.4.1)
HP Auto (Version: 1.0.12494.3472)
HP Client Automation Agent Preload (Version: 7.5)
HP Connection Manager (Version: 4.1.10.1)
HP Customer Experience Enhancements (Version: 6.0.1.7)
HP DayStarter (Version: 2.0.0.12)
HP Documentation (Version: 1.1.0.0)
HP ESU for Microsoft Windows 7 (Version: 1.1.13.2)
HP HotKey Support (Version: 4.0.20.1)
HP Power Assistant (Version: 2.0.2.0)
HP ProtectTools Security Manager (Version: 6.00.888)
HP QuickWeb (Version: 3.0.0.9057)
HP Setup (Version: 8.5.4526.3645)
HP SoftPaq Download Manager (Version: 3.2.0.0)
HP Software Framework (Version: 4.1.6.1)
HP Software Setup (Version: 8.2.1.1)
HP Support Assistant (Version: 6.0.5.4)
HP System Default Settings (Version: 2.1.2)
HP Wallpaper (Version: 2.00)
HP Web Camera (Version: 1.0.0)
HP Webcam (Version: 1.0.26.3)
HP Webcam Driver (Version: 5.8.50058.0)
IDT Audio (Version: 1.0.6341.0)
Intel® Identity Protection Technology 1.0.71.0 (Version: 1.0.71.0)
Intel® Management Engine Components (Version: 7.0.0.1144)
Intel® Network Connections Drivers (Version: 16.3)
Intel® Rapid Storage Technology (Version: 10.1.2.1004)
IrfanView (remove only) (Version: 4.30)
iSEEK AnswerWorks English Runtime (Version: 010.000.0101)
iTunes (Version: 10.5.0.142)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 35 (Version: 6.0.350)
JMicron 1394 Filter Driver (Version: 1.00.21.00)
JMicron Flash Media Controller Driver (Version: 1.0.57.2)
Learning Lodge Navigator
LightScribe System Software (Version: 1.18.22.2)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Default Manager (Version: 2.2.114.0)
Microsoft Mouse and Keyboard Center (Version: 1.1.500.0)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office 2010 (Version: 14.0.4763.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Search Enhancement Pack (Version: 3.0.131.0)
Microsoft Security Client (Version: 4.0.1526.0)
Microsoft Security Essentials (Version: 4.0.1526.0)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Mozilla Firefox 15.0.1 (x86 en-US) (Version: 15.0.1)
Mozilla Maintenance Service (Version: 15.0.1)
Mozilla Thunderbird 10.0.2 (x86 en-US) (Version: 10.0.2)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Nikon Message Center 2 (Version: 2.0.1)
OpenOffice.org 3.3 (Version: 3.3.9567)
Picture Control Utility (Version: 1.2.2)
Privacy Manager for HP ProtectTools (Version: 6.00.831)
Quicken 2011 (Version: 20.1.8.6)
QuickTime (Version: 7.70.80.34)
RBVirtualFolder64Inst (Version: 1.00.0000)
Renesas Electronics USB 3.0 Host Controller Driver (Version: 2.0.32.0)
Roxio Activation Module (Version: 1.0)
Roxio CinePlayer Decoder Pack (Version: 4.3.0)
Roxio Express Labeler 3 (Version: 3.2.2)
Roxio MyDVD Business 2010 (Version: 1.0.410)
Roxio MyDVD Business 2010 (Version: 12.1.73.14)
Roxio Secure Burn (Version: 1.8)
Roxio Secure Burn (Version: 1.8.73.2)
SDK (Version: 2.24.025)
Skype 5.8 (Version: 5.8.158)
Synaptics Pointing Device Driver (Version: 15.2.16.6)
Tera Term 4.71
Theft Recovery for HP ProtectTools (Version: 6.0.0.30)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Validity Fingerprint Sensor Driver (Version: 4.3.216.0)
ViewNX 2 (Version: 2.1.2)
VIP Access SDK x64(1.0.0.50) (Version: 1.0.0.50)
VTech Download Agent Library (Version: 1.00.0000)
WinAVR 20100110 (remove only) (Version: 20100110)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)

**** End of log ****



Farbar Service Scanner log...

Farbar Service Scanner Version: 06-08-2012
Ran by Wolverine (administrator) on 11-09-2012 at 20:04:04
Running from "C:\Users\Wolverine\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:34 AM

Posted 11 September 2012 - 07:11 PM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click on "Do I have Java"
  • It will check your current version and then offer to update to the latest version
  • Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if there are - remove them.


How is the computer running now? Are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 robot_ee

robot_ee
  • Topic Starter

  • Members
  • 7 posts
  • Local time:06:34 AM

Posted 14 September 2012 - 10:19 AM

Java is up to date.

I'm not getting any more redirects.

Thanks!

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:34 AM

Posted 14 September 2012 - 10:33 AM

We just have some housekeeping to do now,

Please do the following:


You can delete the DDS and all the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    PC Safety and Security--What Do I Need?
  • Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
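The "Make Internet Explorer more secure" steps in the post above are carried out through the Inetcpl.cpl dialog. As an added example, not code from the thread or from any tool it mentions, the PowerShell below reads the same three Internet-zone ActiveX settings from the registry so the result can be verified, and applies the values the post asks for only where they differ. It assumes the standard per-user zone key (zone 3 is the Internet zone) and the standard policy IDs 1001, 1004 and 1201 with 0 = Enable, 1 = Prompt, 3 = Disable; the function names are the example's own.

```powershell
# Added example (not from the thread): verify and apply the Internet-zone
# ActiveX settings that the post sets via Inetcpl.cpl > Security > Custom level.
# Assumption: standard per-user zone key; zone 3 = Internet zone.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Standard policy IDs for the three options named in the post, with the value
# the post asks for. Registry values: 0 = Enable, 1 = Prompt, 3 = Disable.
$Desired = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                            Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                          Value = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe';   Value = 3 }
}

# Report the current value of each setting next to the expected one.
function Get-ActiveXZoneState {
    param([string]$Key = $ZoneKey)
    foreach ($id in ($Desired.Keys | Sort-Object)) {
        # A missing value reads as $null, which is reported as non-compliant.
        $current = (Get-ItemProperty -Path $Key -Name $id -ErrorAction SilentlyContinue).$id
        [pscustomobject]@{
            Id        = $id
            Setting   = $Desired[$id].Name
            Current   = $current
            Expected  = $Desired[$id].Value
            Compliant = ($current -eq $Desired[$id].Value)
        }
    }
}

# Write the expected values (DWORD) into the Internet zone for the current user.
function Set-ActiveXZoneHardening {
    param([string]$Key = $ZoneKey)
    foreach ($id in $Desired.Keys) {
        Set-ItemProperty -Path $Key -Name $id -Value $Desired[$id].Value -Type DWord
    }
}

# Usage: report first, then apply only if something is out of line, and re-check.
Get-ActiveXZoneState | Format-Table -AutoSize
if (Get-ActiveXZoneState | Where-Object { -not $_.Compliant }) {
    Set-ActiveXZoneHardening
    Get-ActiveXZoneState | Format-Table -AutoSize
}
```

Running the report before and after the GUI steps is a quick way to confirm the dialog actually changed the values; the HKCU key applies only to the user who runs it, so the check has to be repeated for each account on a shared machine.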


#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:34 AM

Posted 20 September 2012 - 05:58 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




