commercials play on speakers and google redirects


This topic is locked
43 replies to this topic

#1 donttellanyone
Posted 13 September 2012 - 05:07 PM

I had some sort of malware infection about a week ago that would pop up like 18 "delayed write failure" error boxes and hid all my files. I used combofix to remove that infection. Most of my desktop and files and settings returned, but not all. I also did full scans with MSE and MBAM.

Now I have two major issues.
1. About every 5-10 minutes random music or advertisements play over the speakers, even when no applications (nothing, not even firefox) are running.
2. Clicks on google search results get routed to alabamaelection.net and then to various random sites (e.g. secure.bidvertiser.com)

Other symptoms:
1. I cannot turn on Windows firewall (I get a system error saying "Windows Firewall can't change some of your settings. Error Code 0x80070424)
2. Browsing and some other applications run VERY slowly
3. DDS took roughly 15 minutes to run

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.5.1
Run by Jace at 16:46:38 on 2012-09-13
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3767.1608 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\PFU\ScanSnap\CardMinder\CardLauncher.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe
C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Users\Jace\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\PFU\ScanSnap\SSFolder\SSFolderTray.exe
C:\Program Files (x86)\eFax Messenger 4.4\J2GTray.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Evernote\Evernote\Evernote.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteTray.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Citrix\GoToMeeting\880\g2mstart.exe
C:\Program Files (x86)\Citrix\GoToMeeting\880\g2mcomm.exe
C:\Program Files (x86)\Citrix\GoToMeeting\880\g2mlauncher.exe
C:\Windows\System32\wiawow64.exe
C:\Users\Jace\AppData\Local\Temp\124kkk290347.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv59c&r=27360812k105l04d4z105a4792i265
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv59c&r=27360812k105l04d4z105a4792i265
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [eFax 4.4] "C:\Program Files (x86)\eFax Messenger 4.4\J2GDllCmd.exe" /R
uRun: [GoToMeeting] "C:\Program Files (x86)\Citrix\GoToMeeting\880\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [primnog] rundll32 "C:\Users\Jace\AppData\Local\primnog.dll",primnog
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [ScanSnap WIA Service Checker] C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\Jace\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Jace\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Jace\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EFAX44~1.LNK - C:\Program Files (x86)\eFax Messenger 4.4\J2GTray.exe
StartupFolder: C:\Users\Jace\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\Users\Jace\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\FUJITS~1.LNK - C:\Program Files (x86)\Fujitsu\LeaderTech\fujitsuWebview-Release.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CARDMI~1.LNK - C:\Program Files (x86)\PFU\ScanSnap\CardMinder\CardLauncher.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CONVER~1.LNK - C:\Program Files (x86)\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SCANSN~1.LNK - C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 172.16.1.116 172.16.1.114 216.136.95.2
TCP: Interfaces\{258E57C4-4B23-49C4-B4E4-97C18ADF72AB} : DhcpNameServer = 172.16.1.116 172.16.1.114 216.136.95.2
TCP: Interfaces\{6D009EF8-B056-43C8-9766-FAF747EB2217} : DhcpNameServer = 172.16.1.116 172.16.1.114 216.136.95.2
TCP: Interfaces\{6D009EF8-B056-43C8-9766-FAF747EB2217}\2375942554138393 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6D009EF8-B056-43C8-9766-FAF747EB2217}\451627A716E6 : DhcpNameServer = 172.18.1.30 66.7.180.122 66.7.143.122
TCP: Interfaces\{6D009EF8-B056-43C8-9766-FAF747EB2217}\455534B4542523031303 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6D009EF8-B056-43C8-9766-FAF747EB2217}\7457563747 : DhcpNameServer = 159.27.254.222 4.2.2.2
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Notify: primnog - C:\Users\Jace\AppData\Local\primnog.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun-x64: [ScanSnap WIA Service Checker] C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Jace\AppData\Roaming\Mozilla\Firefox\Profiles\mqsxvhcl.default\
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2012/08/04 18:21:23];C:\Program Files (x86)\Cyberlink\PowerDVD9\000.fcl [2010-4-28 146928]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe [2010-6-7 408576]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-7-19 312400]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [2012-8-4 868896]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-7-19 13336]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2010-6-28 255744]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-7-19 2320920]
R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2010-7-19 243232]
R2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe [2010-6-7 911872]
R3 bpenum;bpenum;C:\Windows\system32\DRIVERS\bpenum.sys --> C:\Windows\system32\DRIVERS\bpenum.sys [?]
R3 bpmp;Intel® Centrino® WiMAX 6050 Series;C:\Windows\system32\DRIVERS\bpmp.sys --> C:\Windows\system32\DRIVERS\bpmp.sys [?]
R3 bpusb;bpusb;C:\Windows\system32\Drivers\bpusb.sys --> C:\Windows\system32\Drivers\bpusb.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-8-4 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-8-7 250568]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-8-4 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-8-6 113120]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-09-13 21:41:00 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B83BF130-772E-46A5-A4FF-26BF3E2024ED}\offreg.dll
2012-09-13 21:27:44 16896 ----a-w- C:\Users\Jace\AppData\Local\primnog.dll
2012-09-13 19:02:28 60304 ----a-w- C:\Users\Jace\g2mdlhlpx.exe
2012-09-11 13:32:38 -------- d-----w- C:\Users\Jace\AppData\Local\ElevatedDiagnostics
2012-09-09 19:02:05 927800 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F5F857DE-28F7-4E62-B771-81D1D95EAB6C}\gapaengine.dll
2012-09-09 19:01:48 9310152 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B83BF130-772E-46A5-A4FF-26BF3E2024ED}\mpengine.dll
2012-09-09 18:54:03 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-09-09 18:54:01 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-09-09 18:09:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-09 03:13:23 -------- d-----w- C:\$RECYCLE.BIN
2012-09-09 02:31:18 -------- d-----w- C:\ComboFix
2012-08-29 08:58:14 98816 ----a-w- C:\Windows\sed.exe
2012-08-29 08:58:14 518144 ----a-w- C:\Windows\SWREG.exe
2012-08-29 08:58:14 256000 ----a-w- C:\Windows\PEV.exe
2012-08-29 08:58:14 208896 ----a-w- C:\Windows\MBR.exe
2012-08-29 04:41:48 -------- d-----w- C:\Users\Jace\AppData\Roaming\Malwarebytes
2012-08-29 04:41:42 -------- d-----w- C:\ProgramData\Malwarebytes
2012-08-29 03:44:16 -------- d-----w- C:\Users\Jace\AppData\Roaming\Qouw
2012-08-29 03:44:16 -------- d-----w- C:\Users\Jace\AppData\Roaming\Ocpedo
2012-08-29 03:44:16 -------- d-----w- C:\Users\Jace\AppData\Roaming\Ahonu
2012-08-17 14:08:52 -------- d-----w- C:\Users\Jace\AppData\Roaming\pdfforge
2012-08-17 14:08:49 662288 ----a-w- C:\Windows\SysWow64\MSCOMCT2.OCX
2012-08-17 14:08:49 137000 ----a-w- C:\Windows\SysWow64\MSMAPI32.OCX
2012-08-17 14:08:48 95744 ----a-w- C:\Windows\System32\pdfcmon.dll
2012-08-17 14:08:47 23552 ----a-w- C:\Windows\SysWow64\MSMPIDE.DLL
2012-08-17 14:08:46 -------- d-----w- C:\Program Files (x86)\PDFCreator
2012-08-15 08:53:00 503808 ----a-w- C:\Windows\System32\srcore.dll
.
==================== Find3M ====================
.
2012-08-25 06:35:12 73416 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-25 06:35:12 696520 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-05 01:20:31 505128 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2012-08-05 01:20:31 353576 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2012-08-05 01:20:31 29480 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2012-08-05 01:11:12 3 ----a-w- C:\Windows\System32\PLD_Framework.cmd
2012-07-18 17:31:12 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-07-06 03:06:30 772544 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-07-06 03:06:20 687544 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-07-04 22:01:38 58880 ----a-w- C:\Windows\System32\browcli.dll
2012-07-04 22:01:38 136704 ----a-w- C:\Windows\System32\browser.dll
2012-07-04 21:23:55 41472 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-06-27 07:03:25 1197568 ----a-w- C:\Windows\System32\wininet.dll
2012-06-27 06:59:12 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2012-06-27 06:03:21 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-27 06:01:19 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2012-06-27 05:41:43 482816 ----a-w- C:\Windows\System32\html.iec
2012-06-27 04:58:58 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-27 04:53:25 386048 ----a-w- C:\Windows\SysWow64\html.iec
2012-06-27 04:19:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-16 05:25:51 609792 ----a-w- C:\Windows\System32\vbscript.dll
2012-06-16 04:37:51 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
.
============= FINISH: 16:54:36.53 ===============
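Added example, not part of the thread or of DDS itself: a small Python triage script that scores a few lines copied from the DDS log above for the patterns a responder would look at first (a rundll32 autorun loading a DLL from the user's profile, a process running from Temp, a Winlogon Notify DLL outside the Windows directory, UAC switched off, and the AV reporting itself disabled). The "user profile binary" heuristic and the severity labels are this example's own assumptions.

```python
import re

# Sample lines copied from the DDS log posted above (constructed input for this example).
SAMPLE_LOG = r"""
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Jace\AppData\Local\Temp\124kkk290347.exe
C:\Windows\SysWOW64\cscript.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [primnog] rundll32 "C:\Users\Jace\AppData\Local\primnog.dll",primnog
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mPolicies-system: EnableLUA = 0 (0x0)
Notify: primnog - C:\Users\Jace\AppData\Local\primnog.dll
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
"""

# Heuristic (an assumption of this example): a DLL or EXE launched from the user's
# AppData\Local folder or its Temp subfolder is rarely a legitimate autorun or Winlogon hook.
PROFILE_BINARY = re.compile(
    r'[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\(?:Temp\\)?[^\\"]+\.(?:dll|exe)', re.I)
RUN_LINE = re.compile(r"^[um]Run(?:-x64)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_LINE = re.compile(r"^Notify: (?P<name>\S+) - (?P<path>.+)$")
POLICY_LINE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
AV_LINE = re.compile(r"^(?:AV|SP): (?P<product>.+?) \*(?P<state>[^*]+)\*")
BARE_PATH = re.compile(r"^[A-Za-z]:\\\S")   # a "Running Processes" line is just a path


def triage(log_text):
    """Return (severity, line, reason) tuples for DDS log lines that warrant a look."""
    findings = []
    run_dlls = {}      # lower-cased DLL path -> Run entry name
    notify_dlls = {}   # lower-cased DLL path -> Notify entry name
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_LINE.match(line)
        if m:
            cmd = m.group("cmd")
            hit = PROFILE_BINARY.search(cmd)
            if "rundll32" in cmd.lower() and hit:
                run_dlls[hit.group(0).lower()] = m.group("name")
                findings.append(("high", line, "rundll32 autorun loading a DLL from the user profile"))
            elif hit:
                findings.append(("medium", line, "autorun binary located in the user profile"))
            continue
        m = NOTIFY_LINE.match(line)
        if m:
            hit = PROFILE_BINARY.search(m.group("path"))
            if hit:
                notify_dlls[hit.group(0).lower()] = m.group("name")
                findings.append(("high", line, "Winlogon Notify DLL outside the Windows directory"))
            continue
        m = POLICY_LINE.match(line)
        if m and m.group("key") == "EnableLUA" and m.group("val") == "0":
            findings.append(("medium", line, "UAC is disabled (EnableLUA = 0)"))
            continue
        m = AV_LINE.match(line)
        if m and "disabled" in m.group("state").lower():
            findings.append(("medium", line, f"{m.group('product')} reports itself disabled"))
            continue
        if BARE_PATH.match(line) and PROFILE_BINARY.search(line):
            findings.append(("high", line, "running process launched from AppData\\Local or Temp"))
    # The same DLL registered both as a Run entry and as a Winlogon Notify hook
    # is a stronger persistence signal than either entry on its own.
    for path in run_dlls.keys() & notify_dlls.keys():
        findings.append(("critical", path, "DLL persists via both Run and Winlogon Notify"))
    return findings


def summarize(findings):
    """Count findings per severity label."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, line, reason in triage(SAMPLE_LOG):
        print(f"[{sev:8}] {reason}\n           {line}")
```

Feed it a whole DDS.txt instead of SAMPLE_LOG and it walks the "Running Processes" and "Pseudo HJT Report" sections the same way; lines it does not recognise are ignored.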


#2 donttellanyone

Posted 13 September 2012 - 05:50 PM

I also notice this in the upper right corner of my google search results:

SSL search is off

This network has turned off SSL search, so you cannot see personalized results.

The security features of SSL search are not available. Content filtering may be in place.

Learn More | Dismiss

#3 fireman4it


Posted 13 September 2012 - 08:19 PM

Hello donttellanyone,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.



Do you have a USB Flash Drive you can use?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


#4 donttellanyone

Posted 13 September 2012 - 08:56 PM

yes as well as access to other computers

#5 fireman4it

Posted 13 September 2012 - 09:03 PM

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


#6 donttellanyone

Posted 14 September 2012 - 10:38 AM

Thank you for your help. In case it matters, the first method of entering System Recovery Options from Advanced Boot Options did not work. I got the initial menu, but when I selected Repair your computer it said loading files and froze (I let it go 20 minutes).

I had to use a windows installation usb drive to get to the command prompt.

Here is frst.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-09-2012 01
Ran by SYSTEM at 14-09-2012 10:26:48
Running from F:\
Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.

==================== Registry (Whitelisted) ===================

HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] ()
HKLM-x32\...\Winlogon: [Shell] [x ] ()
HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
Startup: C:\Users\All Users\Start Menu\Programs\Startup\CardMinder Viewer.lnk
ShortcutTarget: CardMinder Viewer.lnk -> C:\Program Files (x86)\PFU\ScanSnap\CardMinder\CardLauncher.exe (PFU LIMITED)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk
ShortcutTarget: Conversion to PDF with ScanSnap Organizer.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe (PFU LIMITED)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk
ShortcutTarget: ScanSnap Manager.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Jace\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Jace\Start Menu\Programs\Startup\eFax 4.4.lnk
ShortcutTarget: eFax 4.4.lnk -> C:\Program Files (x86)\eFax Messenger 4.4\J2GTray.exe (j2 Global Communications, Inc.)
Startup: C:\Users\Jace\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
Startup: C:\Users\Jace\Start Menu\Programs\Startup\Fujitsu S1500 Registration.lnk
ShortcutTarget: Fujitsu S1500 Registration.lnk -> C:\Program Files (x86)\Fujitsu\LeaderTech\fujitsuWebview-Release.exe (Leader Technologies/Fujitsu)

==================== Services ====================


==================== Drivers =================================


==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-09-13 13:55 - 2012-09-13 13:55 - 00027714 ____A C:\Users\Jace\Desktop\Attach.txt
2012-09-13 13:55 - 2012-09-13 13:55 - 00021348 ____A C:\Users\Jace\Desktop\DDS.txt
2012-09-13 13:45 - 2012-09-13 13:44 - 00607260 ____R (Swearware) C:\Users\Jace\Desktop\dds.com
2012-09-13 13:43 - 2012-09-13 13:44 - 00000470 ____A C:\Users\Jace\Desktop\defogger_disable.log
2012-09-13 13:43 - 2012-09-13 13:43 - 00050477 ____A C:\Users\Jace\Desktop\Defogger.exe
2012-09-13 13:43 - 2012-09-13 13:43 - 00000000 ____A C:\Users\Jace\defogger_reenable
2012-09-13 13:40 - 2012-09-13 13:40 - 00050477 ____A C:\Users\Jace\Downloads\Defogger.exe
2012-09-13 13:27 - 2012-09-13 13:27 - 00016896 ____A C:\Users\Jace\AppData\Local\primnog.dll
2012-09-13 11:02 - 2012-09-13 11:02 - 00060304 ____A C:\Users\Jace\g2mdlhlpx.exe
2012-09-09 10:54 - 2012-09-09 10:54 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-09 10:54 - 2012-09-09 10:54 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-09-09 10:44 - 2012-09-09 10:45 - 12621696 ____A (Microsoft Corporation) C:\Users\Jace\Downloads\mseinstall.exe
2012-09-09 10:09 - 2012-09-09 10:09 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-09 10:08 - 2012-09-09 10:09 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\Jace\Downloads\mbam-setup.exe
2012-09-08 19:34 - 2012-09-08 19:34 - 00025840 ____A C:\ComboFix.txt
2012-09-08 18:31 - 2012-09-08 19:35 - 00000000 ____D C:\ComboFix
2012-09-07 15:26 - 2012-09-07 15:26 - 00279256 ____A C:\Windows\Minidump\090712-20685-01.dmp
2012-09-07 08:05 - 2012-09-08 18:28 - 04747117 ____R (Swearware) C:\Users\Jace\Desktop\ComboFix.exe
2012-09-05 07:05 - 2012-09-05 07:05 - 00010818 ____A C:\Users\Jace\Desktop\budget cats.xlsx
2012-08-29 00:58 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-29 00:58 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-29 00:58 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-29 00:58 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-29 00:58 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-29 00:58 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-29 00:58 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-29 00:58 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-29 00:55 - 2012-09-08 19:35 - 00000000 ____D C:\Qoobox
2012-08-29 00:55 - 2012-08-29 01:06 - 00000000 ____D C:\Windows\erdnt
2012-08-29 00:35 - 2012-08-29 00:35 - 01440846 ____A C:\Users\Jace\Downloads\mbam-chameleon-1.62.1.1000.zip
2012-08-29 00:35 - 2012-08-29 00:35 - 00000000 ____D C:\Users\Jace\Downloads\mbam-chameleon-1.62.1.1000
2012-08-28 20:41 - 2012-08-28 20:41 - 00000000 ____D C:\Users\Jace\AppData\Roaming\Malwarebytes
2012-08-28 20:41 - 2012-08-28 20:41 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-28 20:36 - 2012-08-28 20:36 - 00457632 ____A (Bleeping Computer, LLC) C:\Users\Jace\Downloads\FixExec.exe
2012-08-28 20:02 - 2012-08-28 20:02 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Jace\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-28 19:44 - 2012-08-28 21:31 - 00000000 ____D C:\Users\Jace\AppData\Roaming\Ahonu
2012-08-28 19:44 - 2012-08-28 19:45 - 00000000 ____D C:\Users\Jace\AppData\Roaming\Ocpedo
2012-08-28 19:44 - 2012-08-28 19:44 - 00000000 ____D C:\Users\Jace\AppData\Roaming\Qouw
2012-08-27 07:13 - 2012-09-13 06:57 - 01081556 ____A C:\Users\Jace\Desktop\S3 IP slide.pptx
2012-08-17 06:08 - 2012-08-17 06:10 - 00000000 ____D C:\Users\Jace\AppData\Roaming\pdfforge
2012-08-17 06:08 - 2012-08-17 06:09 - 00000000 ____D C:\Program Files (x86)\PDFCreator
2012-08-17 06:08 - 2012-06-30 05:46 - 00095744 ____A (pdfforge GbR) C:\Windows\System32\pdfcmon.dll
2012-08-17 06:08 - 2012-05-05 08:54 - 00662288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCT2.OCX
2012-08-17 06:08 - 2012-05-05 08:54 - 00137000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSMAPI32.OCX
2012-08-17 06:08 - 2012-05-05 08:54 - 00023552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSMPIDE.DLL
2012-08-15 00:53 - 2012-05-05 00:30 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-15 00:52 - 2012-07-18 09:31 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-15 00:52 - 2012-07-04 14:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-15 00:52 - 2012-07-04 14:01 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-15 00:52 - 2012-07-04 14:01 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-15 00:52 - 2012-07-04 13:26 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-15 00:52 - 2012-07-04 13:23 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-15 00:52 - 2012-06-26 23:03 - 01501184 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-15 00:52 - 2012-06-26 23:03 - 01197568 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-15 00:52 - 2012-06-26 23:03 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-15 00:52 - 2012-06-26 23:00 - 01026560 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-08-15 00:52 - 2012-06-26 22:59 - 09372672 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-15 00:52 - 2012-06-26 22:59 - 00736256 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-15 00:52 - 2012-06-26 22:59 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-15 00:52 - 2012-06-26 22:59 - 00082944 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-08-15 00:52 - 2012-06-26 22:59 - 00057856 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-08-15 00:52 - 2012-06-26 22:58 - 12405760 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-15 00:52 - 2012-06-26 22:58 - 02458624 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-15 00:52 - 2012-06-26 22:58 - 00445952 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-08-15 00:52 - 2012-06-26 22:58 - 00256000 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-08-15 00:52 - 2012-06-26 22:58 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-15 00:52 - 2012-06-26 22:58 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-15 00:52 - 2012-06-26 22:55 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-08-15 00:52 - 2012-06-26 22:03 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-15 00:52 - 2012-06-26 22:03 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-15 00:52 - 2012-06-26 22:03 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-15 00:52 - 2012-06-26 22:01 - 06029312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-15 00:52 - 2012-06-26 22:01 - 02072576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-15 00:52 - 2012-06-26 22:01 - 00627200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-15 00:52 - 2012-06-26 22:01 - 00606208 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll
2012-08-15 00:52 - 2012-06-26 22:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-15 00:52 - 2012-06-26 22:01 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-15 00:52 - 2012-06-26 22:01 - 00064512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2012-08-15 00:52 - 2012-06-26 22:01 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-15 00:52 - 2012-06-26 22:01 - 00044544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2012-08-15 00:52 - 2012-06-26 22:00 - 11019776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-15 00:52 - 2012-06-26 22:00 - 00381440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2012-08-15 00:52 - 2012-06-26 22:00 - 00185856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2012-08-15 00:52 - 2012-06-26 21:58 - 00012800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2012-08-15 00:52 - 2012-06-26 21:41 - 00482816 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-08-15 00:52 - 2012-06-26 20:58 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-15 00:52 - 2012-06-26 20:53 - 00386048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2012-08-15 00:52 - 2012-06-26 20:19 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-15 00:52 - 2012-06-15 21:25 - 00850944 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-15 00:52 - 2012-06-15 21:25 - 00609792 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-15 00:52 - 2012-06-15 20:37 - 00428032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-15 00:52 - 2012-06-15 20:36 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-15 00:52 - 2012-05-13 21:20 - 00956416 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-15 00:52 - 2012-05-04 23:44 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2012-08-15 00:52 - 2012-02-10 22:36 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-15 00:52 - 2012-02-10 22:29 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-15 00:52 - 2012-02-10 22:29 - 00067584 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-08-15 00:52 - 2012-02-10 21:44 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll


==================== 3 Months Modified Files ================================

2012-09-14 06:32 - 2009-07-13 20:45 - 00009920 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-14 06:32 - 2009-07-13 20:45 - 00009920 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-14 06:25 - 2012-08-04 17:17 - 00000050 ____A C:\Windows\System32\SupplicantTest.log
2012-09-14 06:25 - 2012-08-04 15:50 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-14 06:25 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-14 06:25 - 2009-07-13 20:51 - 00034948 ____A C:\Windows\setupact.log
2012-09-14 05:18 - 2012-08-06 22:09 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-14 05:18 - 2012-08-04 15:50 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-13 13:55 - 2012-09-13 13:55 - 00027714 ____A C:\Users\Jace\Desktop\Attach.txt
2012-09-13 13:55 - 2012-09-13 13:55 - 00021348 ____A C:\Users\Jace\Desktop\DDS.txt
2012-09-13 13:44 - 2012-09-13 13:45 - 00607260 ____R (Swearware) C:\Users\Jace\Desktop\dds.com
2012-09-13 13:44 - 2012-09-13 13:43 - 00000470 ____A C:\Users\Jace\Desktop\defogger_disable.log
2012-09-13 13:43 - 2012-09-13 13:43 - 00050477 ____A C:\Users\Jace\Desktop\Defogger.exe
2012-09-13 13:43 - 2012-09-13 13:43 - 00000000 ____A C:\Users\Jace\defogger_reenable
2012-09-13 13:40 - 2012-09-13 13:40 - 00050477 ____A C:\Users\Jace\Downloads\Defogger.exe
2012-09-13 13:27 - 2012-09-13 13:27 - 00016896 ____A C:\Users\Jace\AppData\Local\primnog.dll
2012-09-13 11:05 - 2009-07-13 21:13 - 00729514 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-13 11:02 - 2012-09-13 11:02 - 00060304 ____A C:\Users\Jace\g2mdlhlpx.exe
2012-09-13 06:57 - 2012-08-27 07:13 - 01081556 ____A C:\Users\Jace\Desktop\S3 IP slide.pptx
2012-09-09 10:54 - 2012-08-05 04:51 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-09 10:54 - 2012-08-05 04:50 - 00743360 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-09-09 10:45 - 2012-09-09 10:44 - 12621696 ____A (Microsoft Corporation) C:\Users\Jace\Downloads\mseinstall.exe
2012-09-09 10:41 - 2010-07-19 05:48 - 00222034 ____A C:\Windows\PFRO.log
2012-09-09 10:09 - 2012-09-09 10:08 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\Jace\Downloads\mbam-setup.exe
2012-09-08 19:34 - 2012-09-08 19:34 - 00025840 ____A C:\ComboFix.txt
2012-09-08 19:14 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-09-08 18:28 - 2012-09-07 08:05 - 04747117 ____R (Swearware) C:\Users\Jace\Desktop\ComboFix.exe
2012-09-07 15:26 - 2012-09-07 15:26 - 00279256 ____A C:\Windows\Minidump\090712-20685-01.dmp
2012-09-07 15:26 - 2012-08-14 12:56 - 499883757 ____A C:\Windows\MEMORY.DMP
2012-09-05 07:05 - 2012-09-05 07:05 - 00010818 ____A C:\Users\Jace\Desktop\budget cats.xlsx
2012-08-29 00:35 - 2012-08-29 00:35 - 01440846 ____A C:\Users\Jace\Downloads\mbam-chameleon-1.62.1.1000.zip
2012-08-28 20:36 - 2012-08-28 20:36 - 00457632 ____A (Bleeping Computer, LLC) C:\Users\Jace\Downloads\FixExec.exe
2012-08-28 20:02 - 2012-08-28 20:02 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Jace\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-24 22:35 - 2012-08-06 22:09 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-24 22:35 - 2012-08-06 22:09 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-15 14:00 - 2009-07-13 20:45 - 00414656 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-15 13:53 - 2012-08-04 16:17 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-14 12:56 - 2012-08-14 12:56 - 00279256 ____A C:\Windows\Minidump\081412-34647-01.dmp
2012-08-14 12:40 - 2012-08-08 11:49 - 00003584 ____A C:\Users\Jace\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-12 17:48 - 2012-08-12 17:48 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-08-12 17:48 - 2012-08-12 17:48 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-08-12 17:44 - 2012-08-12 17:44 - 00263186 ____A C:\Users\Jace\Downloads\Minecraft.exe
2012-08-09 12:42 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-08-07 13:58 - 2012-08-04 15:45 - 00108840 ____A C:\Users\Jace\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-06 06:57 - 2012-08-06 06:57 - 00000622 ____A C:\Windows\System32\ricdb.ini
2012-08-04 18:22 - 2012-08-04 17:57 - 00000418 ____A C:\Windows\WININIT.INI
2012-08-04 17:56 - 2012-08-04 17:56 - 00000000 ____A C:\Users\Jace\Sti_Trace.log
2012-08-04 17:35 - 2009-07-13 20:46 - 00003043 ____A C:\Windows\DtcInstall.log
2012-08-04 17:25 - 2012-08-04 17:25 - 00031419 ____A C:\Windows\DirectX.log
2012-08-04 17:20 - 2012-08-04 17:20 - 00505128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2012-08-04 17:20 - 2012-08-04 17:20 - 00353576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2012-08-04 17:20 - 2012-08-04 17:20 - 00029480 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3a.dll
2012-08-04 17:18 - 2012-08-04 17:18 - 00004844 ____A C:\Windows\DPINST.LOG
2012-08-04 17:18 - 2012-08-04 17:18 - 00003083 ____A C:\RHDSetup.log
2012-08-04 17:18 - 2012-08-04 17:18 - 00000000 ____A C:\Windows\System32\Drivers\Msft_Kernel_SynTP_01009.Wdf
2012-08-04 17:17 - 2012-08-04 17:17 - 00000000 ____A C:\Windows\System32\Drivers\Msft_Kernel_bpusb_01007.Wdf
2012-08-04 17:17 - 2012-08-04 17:17 - 00000000 ____A C:\Windows\System32\Drivers\Msft_Kernel_bpenum_01007.Wdf
2012-08-04 17:15 - 2012-08-04 17:15 - 00000184 ____A C:\Windows\LMv4.UNI
2012-08-04 17:12 - 2012-08-04 17:12 - 00015770 ____A C:\Windows\System32\results.xml
2012-08-04 17:11 - 2012-08-04 17:11 - 00000003 ____A C:\Windows\System32\PLD_Framework.cmd
2012-08-04 17:08 - 2010-07-19 05:24 - 00003540 ____A C:\Windows\TSSysprep.log
2012-08-04 17:00 - 2012-08-04 16:28 - 00286828 ____A C:\Windows\msxml4-KB973688-enu.LOG
2012-08-04 17:00 - 2012-08-04 16:24 - 00292658 ____A C:\Windows\msxml4-KB954430-enu.LOG
2012-08-04 15:46 - 2010-07-19 05:49 - 00027965 ____A C:\Windows\Patch.log
2012-08-04 15:44 - 2012-08-04 15:44 - 00000413 ____A C:\Windows\System32\oem_Get_OS_Language.log
2012-08-04 15:44 - 2012-08-04 15:44 - 00000020 ___SH C:\Users\Jace\ntuser.ini
2012-07-18 09:31 - 2012-08-15 00:52 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-05 19:06 - 2012-08-12 17:49 - 00772544 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-07-05 19:06 - 2012-08-12 17:49 - 00687544 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-07-05 19:06 - 2012-08-12 17:49 - 00227760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-07-04 14:04 - 2012-08-15 00:52 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:01 - 2012-08-15 00:52 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:01 - 2012-08-15 00:52 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:26 - 2012-08-15 00:52 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:23 - 2012-08-15 00:52 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-06-30 05:46 - 2012-08-17 06:08 - 00095744 ____A (pdfforge GbR) C:\Windows\System32\pdfcmon.dll
2012-06-26 23:03 - 2012-08-15 00:52 - 01501184 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-26 23:03 - 2012-08-15 00:52 - 01197568 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-26 23:03 - 2012-08-15 00:52 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-26 23:00 - 2012-08-15 00:52 - 01026560 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-06-26 22:59 - 2012-08-15 00:52 - 09372672 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-26 22:59 - 2012-08-15 00:52 - 00736256 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-06-26 22:59 - 2012-08-15 00:52 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-26 22:59 - 2012-08-15 00:52 - 00082944 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-06-26 22:59 - 2012-08-15 00:52 - 00057856 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-06-26 22:58 - 2012-08-15 00:52 - 12405760 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-26 22:58 - 2012-08-15 00:52 - 02458624 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-26 22:58 - 2012-08-15 00:52 - 00445952 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-06-26 22:58 - 2012-08-15 00:52 - 00256000 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-06-26 22:58 - 2012-08-15 00:52 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-26 22:58 - 2012-08-15 00:52 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-26 22:55 - 2012-08-15 00:52 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-06-26 22:03 - 2012-08-15 00:52 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-26 22:03 - 2012-08-15 00:52 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-26 22:03 - 2012-08-15 00:52 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-26 22:01 - 2012-08-15 00:52 - 06029312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-26 22:01 - 2012-08-15 00:52 - 02072576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-26 22:01 - 2012-08-15 00:52 - 00627200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-06-26 22:01 - 2012-08-15 00:52 - 00606208 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll
2012-06-26 22:01 - 2012-08-15 00:52 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-26 22:01 - 2012-08-15 00:52 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-26 22:01 - 2012-08-15 00:52 - 00064512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2012-06-26 22:01 - 2012-08-15 00:52 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-26 22:01 - 2012-08-15 00:52 - 00044544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2012-06-26 22:00 - 2012-08-15 00:52 - 11019776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-26 22:00 - 2012-08-15 00:52 - 00381440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2012-06-26 22:00 - 2012-08-15 00:52 - 00185856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2012-06-26 21:58 - 2012-08-15 00:52 - 00012800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2012-06-26 21:41 - 2012-08-15 00:52 - 00482816 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-06-26 20:58 - 2012-08-15 00:52 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-26 20:53 - 2012-08-15 00:52 - 00386048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2012-06-26 20:19 - 2012-08-15 00:52 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================

Restore point made on: 2012-08-19 09:52:04
Restore point made on: 2012-08-22 10:16:10
Restore point made on: 2012-08-25 19:33:55
Restore point made on: 2012-08-30 05:19:43
Restore point made on: 2012-09-02 08:41:59
Restore point made on: 2012-09-06 07:15:37
Restore point made on: 2012-09-13 09:01:35

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 3766.71 MB
Available physical RAM: 3243.28 MB
Total Pagefile: 3764.91 MB
Available Pagefile: 3233.09 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions ============================

1 Drive c: (Gateway) (Fixed) (Total:465.65 GB) (Free:377.56 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: () (Removable) (Total:7.45 GB) (Free:4.5 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]


Last Boot: 2012-09-06 08:05

==================== End Of Log =============================
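The two file sections of the log above ("One Month Created Files and Folders" and "3 Months Modified Files") are where most of the triage happens: a helper scans them for executables with no company string in places a normal user can write to (here primnog.dll in AppData\Local and g2mdlhlpx.exe in the profile root) and for clusters of randomly named folders created at the same minute (Ahonu, Ocpedo, Qouw). The script below is an added example, the editor's code and not FRST's or part of the thread; it parses FRST's file-entry lines and applies those two heuristics, which are the editor's assumptions rather than FRST's rules. The sample input is copied from the log above.

```python
"""Triage the file sections of an FRST log.

Added example: not FRST's own code and not part of the thread. It parses the
"<created> - <modified> - <size> <attrs> [(<company>)] <path>" lines FRST
writes under "One Month Created Files" and "3 Months Modified Files" and runs
two heuristics that are the editor's assumptions, not FRST's rules:
 1. executables that carry no company string and sit where a standard user
    can write (profile root, AppData, ProgramData, Windows\\Temp);
 2. several AppData\\Roaming folders created within two minutes of each
    other, which is what a dropper that installs itself plus decoys leaves.
Neither heuristic identifies malware by itself; they pick what to look at.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".com", ".scr", ".cpl", ".ocx")
# Profile root, anything under AppData, ProgramData and Windows\Temp.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata\\|[^\\]+$)|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)


def parse_log(text):
    """Return one dict per line that matches FRST's file-entry format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:          # section headers, blank lines, non-file sections
            continue
        rec = m.groupdict()
        rec["created"] = datetime.strptime(rec["created"], "%Y-%m-%d %H:%M")
        rec["modified"] = datetime.strptime(rec["modified"], "%Y-%m-%d %H:%M")
        rec["size"] = int(rec["size"])
        rec["is_dir"] = "D" in rec["attrs"]
        records.append(rec)
    return records


def suspicious_executables(records):
    """Paths of executables with no company string in user-writable locations."""
    hits = [
        r["path"] for r in records
        if not r["is_dir"]
        and r["path"].lower().endswith(EXECUTABLE_EXT)
        and r["company"] is None
        and USER_WRITABLE.match(r["path"])
    ]
    return list(dict.fromkeys(hits))   # the two log sections repeat entries


def roaming_dir_bursts(records, window=timedelta(minutes=2), min_count=2):
    """Groups of AppData\\Roaming folders each created within `window` of the last."""
    by_path = {}
    for r in records:
        if r["is_dir"] and "\\appdata\\roaming\\" in r["path"].lower():
            by_path.setdefault(r["path"], r)
    bursts, current = [], []
    for r in sorted(by_path.values(), key=lambda r: r["created"]):
        if current and r["created"] - current[-1]["created"] > window:
            if len(current) >= min_count:
                bursts.append([c["path"] for c in current])
            current = []
        current.append(r)
    if len(current) >= min_count:
        bursts.append([c["path"] for c in current])
    return bursts


# Constructed sample: lines copied from the FRST log above plus a header line.
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ======================

2012-09-13 13:27 - 2012-09-13 13:27 - 00016896 ____A C:\Users\Jace\AppData\Local\primnog.dll
2012-09-13 11:02 - 2012-09-13 11:02 - 00060304 ____A C:\Users\Jace\g2mdlhlpx.exe
2012-09-09 10:54 - 2012-09-09 10:54 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-09-09 10:44 - 2012-09-09 10:45 - 12621696 ____A (Microsoft Corporation) C:\Users\Jace\Downloads\mseinstall.exe
2012-09-09 10:08 - 2012-09-09 10:09 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\Jace\Downloads\mbam-setup.exe
2012-08-28 20:41 - 2012-08-28 20:41 - 00000000 ____D C:\Users\Jace\AppData\Roaming\Malwarebytes
2012-08-28 20:36 - 2012-08-28 20:36 - 00457632 ____A (Bleeping Computer, LLC) C:\Users\Jace\Downloads\FixExec.exe
2012-08-28 19:44 - 2012-08-28 21:31 - 00000000 ____D C:\Users\Jace\AppData\Roaming\Ahonu
2012-08-28 19:44 - 2012-08-28 19:45 - 00000000 ____D C:\Users\Jace\AppData\Roaming\Ocpedo
2012-08-28 19:44 - 2012-08-28 19:44 - 00000000 ____D C:\Users\Jace\AppData\Roaming\Qouw
2012-08-17 06:08 - 2012-08-17 06:10 - 00000000 ____D C:\Users\Jace\AppData\Roaming\pdfforge
2012-08-17 06:08 - 2012-06-30 05:46 - 00095744 ____A (pdfforge GbR) C:\Windows\System32\pdfcmon.dll
2012-08-12 17:44 - 2012-08-12 17:44 - 00263186 ____A C:\Users\Jace\Downloads\Minecraft.exe
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unsigned executables in user-writable paths:")
    for p in suspicious_executables(recs):
        print("  ", p)
    print("bursts of AppData\\Roaming folders:")
    for burst in roaming_dir_bursts(recs):
        print("  ", burst)
```

Downloads is deliberately not treated as user-writable for the first heuristic, since files there are usually the user's own doing (Minecraft.exe above is unsigned but is not flagged); the second heuristic ignores a lone vendor folder such as Malwarebytes or pdfforge and only fires on the three folders created in the same minute.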

#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 14 September 2012 - 01:31 PM

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt.

HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
C:\Users\Jace\AppData\Roaming\Ahonu
C:\Users\Jace\AppData\Roaming\Ocpedo
C:\Users\Jace\AppData\Roaming\Qouw
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


How is the machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 donttellanyone

donttellanyone
  • Topic Starter

  • Members
  • 30 posts

Posted 14 September 2012 - 02:36 PM

I couldn't get the full paths in the script...

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-09-2012 01
Ran by SYSTEM at 2012-09-14 14:28:02 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default Error setting value.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default Error setting value.
C:\Users\Jace\AppData\Roaming\Ahonu moved successfully.
C:\Users\Jace\AppData\Roaming\Ocpedo moved successfully.
C:\Users\Jace\AppData\Roaming\Qouw moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\\Default Error setting value.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\\Default Error setting value.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\Default Error setting value.

==== End of Fixlog ====
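The Fixlog above gives the full key paths that the fix script abbreviated: the two CLSIDs under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID whose InprocServer32 default FRST flagged as ZeroAccess, and the .exe and exefile\shell\open\command keys flagged in the log's EXE ASSOCIATION section. All of them came back "Error setting value". The script below is an added example, the editor's code and not FRST's or part of the thread: a read-only audit of exactly those keys, meant to be run from an elevated 64-bit Python in the live session to see what they currently hold. Assumptions not taken from the thread: the stock servers for those CLSIDs are wbemess.dll and fastprox.dll under %SystemRoot%\system32\wbem (the pairing follows the order of the fix script and the Fixlog, and the fix script's own "...D6A79037F57F" tail ties fastprox to the second CLSID), the stock .exe handler values are exefile and "%1" %*, and the hijacked sample paths used in the tests are made up.

```python
"""Check the registry keys named in the FRST log and Fixlog above.

Added example: not FRST's or the thread's own code. read_default() uses the
standard-library winreg module and therefore only runs on Windows (use an
elevated 64-bit Python); the assess_* functions are pure and run anywhere.
"""
import ntpath
import os
import re

# CLSIDs copied from the Fixlog above, paired with the DLL named by FRST's
# [Default-wbemess] / [Default-fastprox] entries. That both stock servers live
# under %SystemRoot%\system32\wbem is the editor's assumption, not from the log.
WMI_CLSIDS = {
    "{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}": "wbemess.dll",
    "{5839FCA9-774D-42A1-ACDA-D6A79037F57F}": "fastprox.dll",
}
ACCESS_DENIED = "<access denied>"   # returned when a key exists but cannot be opened
EXPECTED_DOT_EXE = "exefile"        # stock (Default) of HKLM\SOFTWARE\Classes\.exe
EXPECTED_OPEN_COMMAND = '"%1" %*'   # stock (Default) of exefile\shell\open\command


def assess_inprocserver32(clsid, value, system_root=r"C:\Windows"):
    """None if `clsid` still points at the stock WMI DLL, else a finding string."""
    expected_dll = WMI_CLSIDS[clsid]
    if value == ACCESS_DENIED:
        return f"{clsid}\\InprocServer32: access denied even as administrator, which is itself a finding"
    if not value:
        return f"{clsid}\\InprocServer32: default value missing"
    # REG_EXPAND_SZ values are stored unexpanded; expand %SystemRoot% ourselves.
    expanded = re.sub(r"%systemroot%", lambda _: system_root, value, flags=re.IGNORECASE)
    head, tail = ntpath.split(ntpath.normcase(expanded))
    expected_dir = ntpath.normcase(ntpath.join(system_root, "system32", "wbem"))
    if tail != expected_dll or head != expected_dir:
        return f"{clsid}\\InprocServer32 -> {value!r}, expected {expected_dll} in {expected_dir}"
    return None


def assess_exe_association(dot_exe_default, open_command):
    """Findings for the .exe handler keys; an empty list means stock values."""
    findings = []
    if (dot_exe_default or "").strip().lower() != EXPECTED_DOT_EXE:
        findings.append(f".exe default -> {dot_exe_default!r}, expected {EXPECTED_DOT_EXE!r}")
    if (open_command or "").strip() != EXPECTED_OPEN_COMMAND:
        findings.append(f"exefile\\shell\\open\\command -> {open_command!r}, "
                        f"expected {EXPECTED_OPEN_COMMAND!r}")
    return findings


def read_default(sub_key):
    """(Default) of HKLM\\SOFTWARE\\Classes\\<sub_key>: None if absent or unset,
    ACCESS_DENIED if the key exists but cannot be opened. Windows only."""
    import winreg  # imported here so the assess_* functions work on any OS
    path = ntpath.join(r"SOFTWARE\Classes", sub_key)
    try:
        # KEY_WOW64_64KEY reads the native view even from a 32-bit interpreter.
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0,
                            winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
            value, _ = winreg.QueryValueEx(key, "")
            return value
    except FileNotFoundError:
        return None
    except PermissionError:
        return ACCESS_DENIED


def audit(system_root=None):
    """Live audit (Windows only); returns the list of findings, empty when clean."""
    system_root = system_root or os.environ.get("SystemRoot", r"C:\Windows")
    findings = []
    for clsid in WMI_CLSIDS:
        value = read_default(ntpath.join("CLSID", clsid, "InprocServer32"))
        finding = assess_inprocserver32(clsid, value, system_root)
        if finding:
            findings.append(finding)
    findings += assess_exe_association(read_default(".exe"),
                                       read_default(r"exefile\shell\open\command"))
    return findings


if __name__ == "__main__":
    for line in audit() or ["no findings"]:
        print(line)
```

A CLSID that still resolves outside the wbem folder, or that an administrator cannot even open, after the fix has run is consistent with the "Error setting value" lines in the Fixlog above, and is the reason the helper has the fix applied from System Recovery Options rather than from the running system.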

#9 donttellanyone

donttellanyone
  • Topic Starter

  • Members
  • 30 posts

Posted 14 September 2012 - 02:49 PM

It is still running slowly and still redirecting search results. I don't think I've heard the commercials since the last reboot, but it's only been a few minutes and sometimes it can be a long time between instances.

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 14 September 2012 - 03:09 PM

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt.

HKLM\...\InprocServer32: [Default-wbemess] 
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] 


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Edited by fireman4it, 14 September 2012 - 03:12 PM.


#11 donttellanyone

donttellanyone
  • Topic Starter

  • Members
  • 30 posts

Posted 14 September 2012 - 03:42 PM

Should the paths expand when I copy them in Notepad? They still look like this:

HKLM\...\InprocServer32: [Default-wbemess]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]

Should the "..." parts be replaced with an actual path or hierarchy?

I am waiting to do this step until you confirm this.

Thank you,

Jace

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 14 September 2012 - 03:46 PM

Hello,

Please copy and paste them directly into Notepad without changing anything.


#13 donttellanyone

donttellanyone
  • Topic Starter

  • Members
  • 30 posts

Posted 14 September 2012 - 03:59 PM

Ok, thank you. I've done it:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-09-2012 01
Ran by SYSTEM at 2012-09-14 15:53:27 Run:2
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default Error setting value.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default Error setting value.

==== End of Fixlog ====

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 14 September 2012 - 04:39 PM

Hello,


1.
Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TDSSKiller log
Combofix.txt
How is your machine running now?


#15 donttellanyone

donttellanyone
  • Topic Starter

  • Members
  • 30 posts

Posted 14 September 2012 - 05:06 PM

I downloaded TDSSKiller to the desktop, but when I double-click on it, nothing happens. I've tried several times and waited long periods. I tried rebooting and running as administrator as well. Nothing worked. Should I try going into safe mode to launch it?

BTW, I keep getting alerts to update Java, but I will ignore them until we are finished.



