Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Random Sounds advertisement keeps appearing!


  • This topic is locked This topic is locked
6 replies to this topic

#1 DAngel

DAngel

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 30 November 2012 - 06:43 PM

Hi, my computer keeps playing sounds out of no where, mainly advertisements but somethimes just weird music/noises. They tend to come and go, I have no idea how I got it...please help.


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.7.2
Run by Phillip at 10:39:38 on 2012-12-01
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4094.2663 [GMT 11:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\PPStream\PPSAP.exe
C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files (x86)\Free Download Manager\fdm.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Users\Phillip.Oberon\AppData\Local\Facebook\Messenger\2.1.4651.0\FacebookMessenger.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
\\.\globalroot\systemroot\Installer\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}\U
C:\Windows\system32\AUDIODG.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uProxyServer = 180.96.19.25:8080
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFre0.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFre0.dll
mWinlogon: Userinit = userinit.exe
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFre0.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
BHO: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB: uTorrentBar Toolbar: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
TB: Freecorder Toolbar: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - C:\Program Files (x86)\Freecorder\prxtbFre0.dll
TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFre0.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [PPS Accelerator] C:\Program Files (x86)\PPStream\PPSAP.exe
uRun: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s
uRun: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
uRun: [Facebook Update] "C:\Users\Phillip.Oberon\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Free Download Manager] C:\Program Files (x86)\Free Download Manager\fdm.exe -autorun
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\PHILLI~1.OBE\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\FACEBO~1.LNK - C:\Users\Phillip.Oberon\AppData\Local\Facebook\Messenger\2.1.4651.0\FacebookMessenger.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Download all with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_client_4.4.26.0.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{879168FE-8275-40A5-92F0-53CD8118792F} : DHCPNameServer = 192.168.1.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll
x64-TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll
x64-IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll
x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Phillip.Oberon\AppData\Roaming\Mozilla\Firefox\Profiles\ckqte5vq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.104.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Total Immersion\DFusionHomeWebPlugIn\NPDFusionWebFirefox.dll
FF - plugin: C:\Users\Phillip.Oberon\AppData\Local\Facebook\Messenger\2.1.4651.0\npFbDesktopPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: !HIDDEN! 2011-10-30 16:57; smartwebprinting@hp.com; C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-4-19 28480]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-1-31 36944]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-7-26 291680]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2011-12-23 47696]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-8-24 384352]
R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2010-7-14 87600]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-8-13 5167736]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2011-12-23 124496]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\avgidsfiltera.sys [2011-12-23 29776]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-4-8 327576]
R3 LVUVC64;Logitech Webcam 200(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-4-8 6377496]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-11 187392]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2012-3-26 98616]
S3 lvpopf64;Logitech POP Suppression Filter;C:\Windows\System32\drivers\lvpopf64.sys [2012-4-8 271640]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2012-3-26 203320]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-3 1255736]
.
=============== Created Last 30 ================
.
2012-11-25 11:42:00 96224 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2012-11-25 11:42:00 889848 ----a-w- C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
2012-11-25 11:42:00 270816 ----a-w- C:\Program Files (x86)\Mozilla Firefox\updater.exe
2012-11-25 11:42:00 19424 ----a-w- C:\Program Files (x86)\Mozilla Firefox\xpcom.dll
2012-11-25 11:42:00 157272 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapp-uninstaller.exe
2012-11-25 11:42:00 14676448 ----a-w- C:\Program Files (x86)\Mozilla Firefox\xul.dll
2012-11-17 22:27:17 -------- d-----w- C:\Program Files (x86)\Medal of Honor Warfighter
2012-11-03 12:23:43 2 --shatr- C:\Windows\winstart.bat
2012-11-03 12:23:37 -------- d-----w- C:\Program Files (x86)\Greatis
.
==================== Find3M ====================
.
2012-10-09 10:49:18 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-09 10:49:18 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-09-06 10:22:32 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-06 10:22:32 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-09-06 10:22:32 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
.
============= FINISH: 10:40:37.90 ===============

BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:39 PM

Posted 30 November 2012 - 07:56 PM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there
[*]Press Scan button.
[*]type exit and reboot the computer normally
[*]FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.[/list]

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 DAngel

DAngel
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 05 December 2012 - 06:26 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-11-2012 (ATTENTION: FRST version is 12 days old)
Ran by SYSTEM at 05-12-2012 22:18:46
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [31016 2006-10-26] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2009-11-17] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-08-31] (Research In Motion Limited)
HKLM-x32\...\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [3508624 2012-03-06] (Samsung Electronics Co., Ltd.)
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [304568 2010-10-11] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-01] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2596984 2012-07-30] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-02] (Sun Microsystems, Inc.)
HKU\Phillip.Oberon\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [357696 2010-04-01] (DT Soft Ltd)
HKU\Phillip.Oberon\...\Run: [PPS Accelerator] C:\Program Files (x86)\PPStream\PPSAP.exe [214408 2010-02-23] (PPStream Inc)
HKU\Phillip.Oberon\...\Run: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s [943504 2012-03-06] (Samsung)
HKU\Phillip.Oberon\...\Run: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [21416 2012-03-31] ()
HKU\Phillip.Oberon\...\Run: [Facebook Update] "C:\Users\Phillip.Oberon\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-12] (Facebook Inc.)
HKU\Phillip.Oberon\...\Run: [Free Download Manager] C:\Program Files (x86)\Free Download Manager\fdm.exe -autorun [6149120 2012-05-13] (FreeDownloadManager.ORG)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Phillip.Oberon\Start Menu\Programs\Startup\Facebook Messenger.lnk
ShortcutTarget: Facebook Messenger.lnk -> (No File)

==================== Services (Whitelisted) ===================

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe" [5167736 2012-08-12] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-13] (AVG Technologies CZ, s.r.o.)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75136 2011-12-11] ()

==================== Drivers (Whitelisted) =====================

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-22] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-22] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-18] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [291680 2012-07-25] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-22] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-30] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [384352 2012-08-23] (AVG Technologies CZ, s.r.o.)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2011-10-29] (Duplex Secure Ltd.)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-12-05 03:08 - 2012-12-05 03:08 - 00001908 ____A C:\Windows\diagwrn.xml
2012-12-05 03:08 - 2012-12-05 03:08 - 00001908 ____A C:\Windows\diagerr.xml
2012-12-01 15:19 - 2012-12-01 15:20 - 01461039 ____A (Farbar) C:\Users\Phillip.Oberon\Desktop\FRST64.exe
2012-11-30 15:40 - 2012-11-30 15:41 - 00021451 ____A C:\Users\Phillip.Oberon\Desktop\dds.txt
2012-11-30 15:40 - 2012-11-30 15:41 - 00006551 ____A C:\Users\Phillip.Oberon\Desktop\attach.txt
2012-11-28 18:40 - 2012-11-28 18:40 - 00027520 ____A C:\Users\Phillip.Oberon\AppData\Local\dt.dat
2012-11-26 02:31 - 2012-11-26 02:31 - 00877854 ____A C:\Users\Phillip.Oberon\Desktop\untitled.bmp
2012-11-25 03:41 - 2012-11-27 04:13 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-11-17 15:45 - 2012-11-17 15:47 - 00000000 ____D C:\Users\Phillip.Oberon\Documents\MOHW
2012-11-17 15:45 - 2012-11-17 15:45 - 00001541 ____A C:\Users\Phillip.Oberon\Desktop\MOHW.exe.lnk
2012-11-17 14:27 - 2012-11-17 15:18 - 00000000 ____D C:\Program Files (x86)\Medal of Honor Warfighter
2012-11-13 04:48 - 2012-11-13 04:48 - 00000000 ____D C:\Windows\Sun


==================== One Month Modified Files and Folders =======

2012-12-05 03:15 - 2012-06-20 05:02 - 00000000 ____D C:\Users\Phillip.Oberon\AppData\Roaming\Free Download Manager
2012-12-05 03:15 - 2011-10-29 20:53 - 00000000 ____D C:\Users\Phillip.Oberon\AppData\Roaming\uTorrent
2012-12-05 03:15 - 2009-07-13 20:45 - 00020640 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-05 03:15 - 2009-07-13 20:45 - 00020640 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-05 03:08 - 2012-12-05 03:08 - 00001908 ____A C:\Windows\diagwrn.xml
2012-12-05 03:08 - 2012-12-05 03:08 - 00001908 ____A C:\Windows\diagerr.xml
2012-12-05 03:08 - 2009-07-13 20:51 - 00000611 ____A C:\Windows\setupact.log
2012-12-05 03:08 - 2009-07-13 20:51 - 00000000 ____A C:\Windows\setuperr.log
2012-12-05 02:49 - 2012-04-08 14:30 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-12-05 02:41 - 2012-04-11 03:31 - 00000950 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2592582243-134260206-1283965565-1000UA.job
2012-12-05 02:41 - 2011-10-29 20:46 - 00000000 ____D C:\Users\Phillip.Oberon\AppData\Roaming\vlc
2012-12-05 02:31 - 2012-05-18 21:47 - 00063847 ____A C:\Windows\SysWOW64\debug.log
2012-12-05 02:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-12-05 02:22 - 2012-03-18 15:13 - 00000000 ____D C:\ppsvodcache
2012-12-05 02:18 - 2012-04-07 17:44 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs
2012-12-05 02:18 - 2011-11-09 15:50 - 00000000 ____D C:\Users\All Users\NVIDIA
2012-12-05 02:18 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-04 23:57 - 2012-06-06 02:46 - 00000000 ____D C:\Users\All Users\MFAData
2012-12-04 23:41 - 2012-04-11 03:31 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2592582243-134260206-1283965565-1000Core.job
2012-12-04 20:53 - 2012-06-06 02:51 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2012-12-04 00:34 - 2010-08-16 15:53 - 00000000 ____D C:\Anime
2012-12-03 04:18 - 2012-09-26 06:13 - 00018053 ____A C:\Users\Phillip.Oberon\Desktop\Trip planner.xlsx
2012-12-01 23:26 - 2010-08-25 03:25 - 00000000 ____D C:\Movies
2012-12-01 15:20 - 2012-12-01 15:19 - 01461039 ____A (Farbar) C:\Users\Phillip.Oberon\Desktop\FRST64.exe
2012-12-01 04:35 - 2011-10-30 10:53 - 01830976 ____A C:\Windows\WindowsUpdate.log
2012-12-01 04:09 - 2011-11-04 16:30 - 00000000 ____D C:\Users\Phillip.Oberon\Documents\My Scans
2012-11-30 15:41 - 2012-11-30 15:40 - 00021451 ____A C:\Users\Phillip.Oberon\Desktop\dds.txt
2012-11-30 15:41 - 2012-11-30 15:40 - 00006551 ____A C:\Users\Phillip.Oberon\Desktop\attach.txt
2012-11-28 18:40 - 2012-11-28 18:40 - 00027520 ____A C:\Users\Phillip.Oberon\AppData\Local\dt.dat
2012-11-27 18:20 - 2012-05-09 02:58 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-11-27 04:13 - 2012-11-25 03:41 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-11-26 02:31 - 2012-11-26 02:31 - 00877854 ____A C:\Users\Phillip.Oberon\Desktop\untitled.bmp
2012-11-25 11:56 - 2012-03-15 01:03 - 00000969 ____A C:\Users\Public\Desktop\Sibelius 7.lnk
2012-11-25 00:06 - 2010-08-28 23:44 - 00000000 ____D C:\Images
2012-11-24 23:52 - 2010-08-24 02:47 - 00000000 ____D C:\Modern Family
2012-11-24 23:51 - 2010-09-30 00:11 - 00000000 ____D C:\How I Met Your Mother
2012-11-21 04:23 - 2012-10-19 07:09 - 00000000 ____D C:\Users\Phillip.Oberon\Desktop\Trip Docs
2012-11-17 19:43 - 2010-08-15 09:43 - 00000000 ____D C:\Users\Phillip.Oberon\Desktop\Parents
2012-11-17 19:02 - 2012-09-25 02:56 - 00000000 ____D C:\Users\Phillip.Oberon\AppData\Roaming\Skype
2012-11-17 15:47 - 2012-11-17 15:45 - 00000000 ____D C:\Users\Phillip.Oberon\Documents\MOHW
2012-11-17 15:45 - 2012-11-17 15:45 - 00001541 ____A C:\Users\Phillip.Oberon\Desktop\MOHW.exe.lnk
2012-11-17 15:37 - 2011-10-29 22:27 - 00411864 ____A C:\Windows\DirectX.log
2012-11-17 15:18 - 2012-11-17 14:27 - 00000000 ____D C:\Program Files (x86)\Medal of Honor Warfighter
2012-11-16 13:53 - 2011-10-30 11:37 - 00000000 ____D C:\Windows.old
2012-11-16 04:13 - 2012-07-14 04:34 - 00000000 ____D C:\TVB
2012-11-16 02:40 - 2009-07-13 21:13 - 00717718 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-13 04:48 - 2012-11-13 04:48 - 00000000 ____D C:\Windows\Sun
2012-11-10 18:11 - 2011-09-16 17:06 - 01497137 ____A C:\Users\Phillip.Oberon\Desktop\Home Loan Balance Record.xlsx


ZeroAccess:
C:\Windows\Installer\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}
C:\Windows\Installer\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}\@
C:\Windows\Installer\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}\L
C:\Windows\Installer\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}\U
C:\Windows\Installer\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}\U\00000001.@
C:\Windows\Installer\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}\U\80000000.@
C:\Windows\Installer\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}\U\800000cb.@

ZeroAccess:
C:\Users\Phillip.Oberon\AppData\Local\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}
C:\Users\Phillip.Oberon\AppData\Local\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}\@
C:\Users\Phillip.Oberon\AppData\Local\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}\L
C:\Users\Phillip.Oberon\AppData\Local\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-29 03:18:39

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 4094.49 MB
Available physical RAM: 3529.72 MB
Total Pagefile: 4092.69 MB
Available Pagefile: 3513.79 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

2 Drive c: () (Fixed) (Total:465.75 GB) (Free:61.61 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
4 Drive e: () (Removable) (Total:29.8 GB) (Free:14.8 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 7168 KB
Disk 1 Online 29 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 465 GB 31 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 465 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 32 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E FAT32 Removable 29 GB Healthy

=========================================================

Last Boot: 2012-12-04 22:41

==================== End Of Log =============================

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:39 PM

Posted 05 December 2012 - 07:17 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM-x32\...\Run: [] [x]
C:\Windows\Installer\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}
C:\Users\Phillip.Oberon\AppData\Local\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 DAngel

DAngel
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 07 December 2012 - 03:29 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-11-2012
Ran by SYSTEM at 2012-12-08 06:43:04 Run:1
Running from E:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Windows\Installer\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3} moved successfully.
C:\Users\Phillip.Oberon\AppData\Local\{0d786eb2-6ce0-928c-5870-4dc497c3f1a3} moved successfully.

==== End of Fixlog ====


ComboFix 12-12-04.01 - Phillip 08/12/2012 6:51.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4094.2819 [GMT 11:00]
Running from: c:\users\Phillip.Oberon\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\PHILLI~1.OBE\AppData\Local\Temp\61e4dc9e-b0a3-4e40-99a9-4cd9049f7d99\CliSecureRT.dll
c:\users\Phillip.Oberon\AppData\Local\Temp\61e4dc9e-b0a3-4e40-99a9-4cd9049f7d99\CliSecureRT.dll
c:\users\Phillip.Oberon\AppData\Roaming\Boifko
c:\users\Phillip.Oberon\AppData\Roaming\Boifko\iwaki.zos
c:\users\Phillip.Oberon\AppData\Roaming\Unqyu
c:\users\Phillip.Oberon\AppData\Roaming\Unqyu\ozex.dia
c:\windows\SysWow64\DEBUG.log
c:\windows\SysWow64\muzapp.exe
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-11-07 to 2012-12-07 )))))))))))))))))))))))))))))))
.
.
2012-12-07 19:56 . 2012-12-07 19:56 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-12-07 19:56 . 2012-12-07 19:56 -------- d-----w- c:\users\Phillip\AppData\Local\temp
2012-12-07 19:56 . 2012-12-07 19:56 -------- d-----w- c:\users\PHILLI~1~OBE\AppData\Local\temp
2012-12-07 19:56 . 2012-12-07 19:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-06 06:18 . 2012-12-06 06:18 -------- d-----w- C:\FRST
2012-12-05 10:41 . 2012-12-05 10:41 -------- d-----w- c:\users\Phillip.Oberon\AppData\Local\ElevatedDiagnostics
2012-11-17 22:27 . 2012-11-17 23:18 -------- d-----w- c:\program files (x86)\Medal of Honor Warfighter
2012-11-13 12:48 . 2012-11-13 12:48 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-03 12:23 . 2012-11-03 12:23 2 --shatr- c:\windows\winstart.bat
2012-10-09 10:49 . 2012-04-08 22:29 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-09 10:49 . 2011-10-30 04:35 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2011-12-03 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2011-12-03 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files (x86)\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentBar\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files (x86)\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"PPS Accelerator"="c:\program files (x86)\PPStream\PPSAP.exe" [2010-02-24 214408]
"KiesHelper"="c:\program files (x86)\Samsung\Kies\KiesHelper.exe" [2012-03-06 943504]
"KiesPDLR"="c:\program files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-03-31 21416]
"Facebook Update"="c:\users\Phillip.Oberon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-12 138096]
"Free Download Manager"="c:\program files (x86)\Free Download Manager\fdm.exe" [2012-05-14 6149120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2012-03-06 3508624]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-07-30 2596984]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]
.
c:\users\Phillip.Oberon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Facebook Messenger.lnk - c:\users\Phillip.Oberon\AppData\Local\Facebook\Messenger\2.1.4651.0\FacebookMessenger.exe [2012-9-25 247728]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-08-12 5167736]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2011-12-08 98616]
R3 lvpopf64;Logitech POP Suppression Filter;c:\windows\system32\DRIVERS\lvpopf64.sys [2009-04-30 271640]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2011-12-08 203320]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-03 1255736]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-18 28480]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-30 36944]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-10-30 834544]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-07-25 291680]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-08-24 384352]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2010-07-14 87600]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-13 193288]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-14 381248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2009-04-30 327576]
S3 LVUVC64;Logitech Webcam 200(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2009-04-30 6377496]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 10:49]
.
2012-12-05 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2592582243-134260206-1283965565-1000Core.job
- c:\users\Phillip.Oberon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-11 08:36]
.
2012-12-06 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2592582243-134260206-1283965565-1000UA.job
- c:\users\Phillip.Oberon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-11 08:36]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com.au/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = 180.96.19.25:8080
IE: Download all with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Phillip.Oberon\AppData\Roaming\Mozilla\Firefox\Profiles\ckqte5vq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: !HIDDEN! 2011-10-30 16:57; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Battlelog Web Plugins - c:\program files (x86)\Battlelog Web Plugins\uninstall.exe
AddRemove-Katawa Shoujo - c:\program files (x86)\Katawa Shoujo\Uninstall Katawa Shoujo.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
c:\program files (x86)\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-12-08 07:04:09 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-07 20:04
.
Pre-Run: 61,436,952,576 bytes free
Post-Run: 62,535,168,000 bytes free
.
- - End Of File - - D9E428BE01B3E5736D14E1F23B98391A

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:39 PM

Posted 07 December 2012 - 03:40 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll | c:\windows\system32\user32.dll
c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll | c:\windows\SysWOW64\user32.dll

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System/TDSS File system is found then ensure Cure is selected (if cure is not available, choose skip)
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:39 PM

Posted 17 December 2012 - 09:46 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users