
Ran Hitman Pro and now my computer is stuck on the repair screen


  • This topic is locked
15 replies to this topic

#1 Yorkiegal

Yorkiegal

  • Members
  • 8 posts

Posted 17 January 2013 - 05:38 PM

I have Windows 7 32 bit and had a virus. Well, I ran Hitman Pro and apparently deleted more than the virus. Can anyone help so that I don't have to reinstall Windows? I saw a previous post that has been closed and I ran Frst and have a frst.txt, which I will paste below. Looks bad to me. Hope someone can help me.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-01-2013
Ran by SYSTEM at 17-01-2013 16:43:51
Running from G:\
(X86) OS Language: English(US)
Attention: Could not load system hive.
Attention: System hive is missing.

==================== Registry (Whitelisted) ===================

Attention: Software hive is missing.

ATTENTION: Unable to load Software hive.


==================== Services (Whitelisted) ===================


==================== Drivers (Whitelisted) ====================


==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========


==================== One Month Modified Files and Folders ========


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
c:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 23%
Total physical RAM: 1782.71 MB
Available physical RAM: 1365.9 MB
Total Pagefile: 1782.71 MB
Available Pagefile: 1407.39 MB
Total Virtual: 2047.88 MB
Available Virtual: 1958.62 MB

==================== Partitions =============================

1 Drive d: () (Fixed) (Total:232.79 GB) (Free:147.75 GB) NTFS
2 Drive e: (GRMCULFRER_EN_DVD) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF
4 Drive g: (KINGSTON) (Removable) (Total:1.87 GB) (Free:1.65 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== End Of Log ============================
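The logs in this thread are read by eye. As an added example (not from the thread, from FRST's author or from BleepingComputer), here is a small Python script that reads FRST output in the format above and pulls out what a responder checks first: hive-load failures, the core files the "Bamital & volsnap Check" reports missing, broken .exe associations, and autostart entries (the Run and Load lines that appear in the later FRST scan in this thread) that carry no publisher or point into a user-writable folder. The sample log embedded in it is constructed to mirror FRST's format; every path, key and name in it is invented, and the list of "user-writable" folders is this example's own assumption.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log text.

Hypothetical example, not part of FRST or of this thread. It scans the
lines a responder reads first: registry hive load failures, core files
reported missing by the "Bamital & volsnap Check", broken .exe
associations, and autostart (Run / Load) entries that have no publisher
or point into a user-writable folder.
"""
import re
from dataclasses import dataclass, field

# Autostart targets under these folders are unusual for installed software
# and deserve a closer look (user-writable locations; an assumption of this example).
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\all users\\")

# Matches FRST autostart lines such as
#   HKLM\...\Run: [Name] "C:\path\x.exe" -arg [size date] (Publisher)
#   HKU\User\...\CurrentVersion\Windows: [Load] C:\path\y.bat
AUTOSTART_RE = re.compile(
    r'^HK(?:LM|U\\[^\\]+)\\\.\.\.\\(?:Run(?:Once)?|CurrentVersion\\Windows): '
    r'\[(?P<name>[^\]]*)\] (?P<rest>.*)$')
# FRST prints the file's publisher in parentheses at the end of the line; "()" means none.
PUBLISHER_RE = re.compile(r'\((?P<pub>[^()]*)\)\s*$')
# Unquoted target: take everything up to the first executable-looking extension.
TARGET_RE = re.compile(r'(.+?\.(?:exe|dll|bat|cmd|vbs|js|dat))(?:\s|$)', re.IGNORECASE)


@dataclass
class Findings:
    hive_errors: list = field(default_factory=list)
    missing_files: list = field(default_factory=list)
    exe_assoc: list = field(default_factory=list)
    suspicious_run: list = field(default_factory=list)  # (name, target, reasons)


def _target(rest):
    """Return the executable path from the text following [Name]."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest
    m = TARGET_RE.match(rest)
    return m.group(1) if m else rest.split(' [')[0]


def triage_frst(log_text):
    """Walk an FRST log and collect the high-priority findings."""
    f = Findings()
    for line in log_text.splitlines():
        s = line.strip()
        if not s:
            continue
        low = s.lower()
        if low.startswith('attention') and 'hive' in low:
            f.hive_errors.append(s)
        elif 'IS MISSING <==== ATTENTION' in s:
            f.missing_files.append(s.split(' IS MISSING')[0])
        elif 'ATTENTION' in s and ('\\.exe:' in s or 'exefile' in s):
            f.exe_assoc.append(s)
        else:
            m = AUTOSTART_RE.match(s)
            if not m:
                continue
            target = _target(m.group('rest'))
            pub = PUBLISHER_RE.search(s)
            publisher = pub.group('pub').strip() if pub else ''
            reasons = []
            if not publisher:
                reasons.append('no publisher')
            if any(d in target.lower() for d in SUSPICIOUS_DIRS):
                reasons.append('user-writable location')
            if reasons:
                f.suspicious_run.append((m.group('name'), target, reasons))
    return f


# Constructed sample in FRST's format; every path, key and name here is invented.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-01-2013
Attention: Could not load system hive.
ATTENTION: Unable to load Software hive.
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [VendorTray] "C:\Program Files\Vendor\tray.exe" [35760 2010-09-23] (Vendor Ltd)
HKLM\...\Run: [VendorUpdate] "C:\Program Files\Vendor\upd.exe" -quiet [421888 2011-10-24] (Vendor Ltd)
HKU\Alice\...\Run: [Helper] C:\Users\Alice\AppData\Roaming\Qwzx\qwzx.exe [295192 2012-09-03] ()
HKU\Alice\...\Run: [Agent] C:\Windows\Temp\tmp01.exe [766976 2013-01-16] ()
HKU\Alice\...\CurrentVersion\Windows: [Load] C:\Users\ALICE~1\LOCALS~1\Temp\zzz.bat
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
"""


if __name__ == '__main__':
    found = triage_frst(SAMPLE_LOG)
    for label, items in (('Hive errors', found.hive_errors),
                         ('Missing core files', found.missing_files),
                         ('EXE association', found.exe_assoc)):
        print(f'{label}: {len(items)}')
        for item in items:
            print('  ' + item)
    print(f'Suspicious autostart entries: {len(found.suspicious_run)}')
    for name, target, reasons in found.suspicious_run:
        print(f'  [{name}] {target}  <- {", ".join(reasons)}')
```

Run it against a real FRST.txt by reading the file into `triage_frst`; entries with a vendor name in "Program Files" are left alone, while anything launched from a profile or Temp folder without a publisher is listed with the reason, which is exactly the pattern a helper looks for before writing a fixlist.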


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 20 January 2013 - 08:43 AM

FRST isn't able to read the system hive

all may not be lost, let's see if list parts will work


For scans and fixes in Recovery Environment ....

  • Download ListParts to a USB flash drive.
  • Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

Posted Image

  • Select the Command Prompt option.
  • A command window will open.
  • Type notepad then hit Enter.
  • Notepad will open.
  • Click File > Open then select Computer.
  • Note down the drive letter for your USB Drive.
  • Close Notepad.
  • Back in the command window ....
      • Type e:\listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
      • ListParts will start to run.
      • Press the Scan button.
      • When finished scanning it will make a log Result.txt on the flash drive.
  • Close the command window.
  • Boot back into normal mode and post me the Result.txt log please.

Edited by CatByte, 20 January 2013 - 08:44 AM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Yorkiegal

Yorkiegal
  • Topic Starter

  • Members
  • 8 posts

Posted 21 January 2013 - 12:00 PM

Obviously I'm new on this board. I thought I replied, but can't find it so I'm doing it again. My apologies if I have done it twice.
I thank you so much for your help. I ran listparts as you directed, checked bcd as it seemed to give more info. Here is the result.txt file:

ListParts by Farbar Version: 16-01-2013
Ran by SYSTEM (administrator) on 21-01-2013 at 11:40:55
Windows 7 (X86)
Running From: G:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 18%
Total physical RAM: 1782.71 MB
Available physical RAM: 1451.24 MB
Total Pagefile: 1782.71 MB
Available Pagefile: 1447.82 MB
Total Virtual: 2047.88 MB
Available Virtual: 1981.54 MB

======================= Partitions =========================

1 Drive c: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Fixed) (Total:232.79 GB) (Free:147.75 GB) NTFS
3 Drive e: (GRMCULFRER_EN_DVD) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF
5 Drive g: (KINGSTON) (Removable) (Total:1.87 GB) (Free:1.65 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 1919 MB 0 B

Partitions of Disk 0:
===============

Disk ID: 0F82D9C5

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 232 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C System Rese NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D NTFS Partition 232 GB Healthy

======================================================================================================

Partitions of Disk 2:
===============

Disk ID: 04030201

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1918 MB 16 KB

======================================================================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G KINGSTON FAT Removable 1918 MB Healthy

======================================================================================================
==========================================================
TDL4: custom:26000022


Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {default}
resumeobject {c1eda855-d7e9-11e0-859e-877c8365492b}
displayorder {default}
toolsdisplayorder {memdiag}
timeout 30

Windows Boot Loader
-------------------
identifier {default}
device partition=D:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {c1eda857-d7e9-11e0-859e-877c8365492b}
recoveryenabled Yes
osdevice partition=D:
systemroot \Windows
resumeobject {c1eda855-d7e9-11e0-859e-877c8365492b}
nx OptIn

Windows Boot Loader
-------------------
identifier {c1eda857-d7e9-11e0-859e-877c8365492b}
device ramdisk=[D:]\Recovery\c1eda857-d7e9-11e0-859e-877c8365492b\Winre.wim,{c1eda858-d7e9-11e0-859e-877c8365492b}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[D:]\Recovery\c1eda857-d7e9-11e0-859e-877c8365492b\Winre.wim,{c1eda858-d7e9-11e0-859e-877c8365492b}
systemroot \windows
nx OptIn
winpe Yes

Resume from Hibernate
---------------------
identifier {c1eda855-d7e9-11e0-859e-877c8365492b}
device partition=D:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=D:
filepath \hiberfil.sys
pae Yes
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
custom:26000022 Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {c1eda858-d7e9-11e0-859e-877c8365492b}
description Ramdisk Options
ramdisksdidevice partition=D:
ramdisksdipath \Recovery\c1eda857-d7e9-11e0-859e-877c8365492b\boot.sdi


****** End Of Log ******

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 21 January 2013 - 12:46 PM

Please run the following using FRST:



Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
TDL4: custom:26000022
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.



NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Yorkiegal

Yorkiegal
  • Topic Starter

  • Members
  • 8 posts

Posted 21 January 2013 - 01:40 PM

Amazing, got me back to where I started. I was trying to remove the dept of justice money virus. I cannot get to the desktop; the virus takes over. Can't boot into safe mode or safe mode with networking--virus still there.

Here's the fixlog file:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-01-2013 02
Ran by SYSTEM at 2013-01-21 13:27:13 Run:1
Running from G:\

==============================================


The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

How can I run combofix?

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 21 January 2013 - 02:13 PM

ok

run FRST again this time just run a normal scan

if it does not produce a log again, see if you are able to boot into safe mode

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Yorkiegal

Yorkiegal
  • Topic Starter

  • Members
  • 8 posts

Posted 21 January 2013 - 03:15 PM

FRST created another log. I personal messaged it to you for security.

thanks so much!

#8 Yorkiegal

Yorkiegal
  • Topic Starter

  • Members
  • 8 posts

Posted 21 January 2013 - 03:45 PM

Tried it again and got into safe mode. Am running Combofix now. Will report asap.

thanks.

Sent Today, 03:14 PM
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-01-2013 02
Ran by SYSTEM at 21-01-2013 14:48:18
Running from G:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-09-23] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Windows\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)
HKLM\...\Run: [PC Optimizer Pro] "C:\Program Files\PC Optimizer Pro\StartApps.exe" "C:\Program Files\PC Optimizer Pro\PCOptimizerPro.exe -w31" [12056856 2012-03-27] (Tweaking Tools Inc)
HKLM\...\Run: [Starter] C:\Program Files\Driver-Soft\DriverGenius\StarterW3i.exe [79728 2012-02-14] (Driver-Soft Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947176 2012-09-12] (Microsoft Corporation)
HKLM\...\Run: [DATAMNGR] C:\PROGRA~1\IMESHA~1\Mediabar\Datamngr\DATAMN~1.EXE [1898960 2012-09-20] (iMesh, Inc)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Masters\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-09-07] (Google Inc.)
HKU\Masters\...\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 [1652736 2010-10-29] (AWS Convergence Technologies, Inc.)
HKU\Masters\...\Run: [Itibiti.exe] C:\Program Files\Itibiti Soft Phone\Itibiti.exe [5284352 2011-11-08] ()
HKU\Masters\...\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [822456 2011-06-08] (The Weather Channel Interactive, Inc.)
HKU\Masters\...\Run: [Browser Infrastructure Helper] C:\Users\Masters\AppData\Local\Smartbar\Application\Linkury.exe startup [19768 2012-02-20] (Smartbar)
HKU\Masters\...\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [4692840 2012-06-11] (Veoh Networks)
HKU\McKenzie Masters\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-09-07] (Google Inc.)
HKU\McKenzie Masters\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
HKU\McKenzie Masters\...\Run: [Adobe CS Manager] C:\Users\McKenzie Masters\AppData\Roaming\ca50f34c-00df-4688-8cd5-e6e4e5bf185f79\cafcdfcdeeebff.exe [94208 2013-01-10] ()
HKU\McKenzie Masters\...\Run: [Noolzyt] "C:\Users\McKenzie Masters\AppData\Roaming\Ruto\adafv.exe" [295192 2012-09-03] ()
HKU\McKenzie Masters\...\Run: [Intel] C:\Users\McKenzie Masters\AppData\Roaming\180C3A\180C3A.exe [52728 2009-07-13] ()
HKU\McKenzie Masters\...\Run: [AdobeUpdater] C:\Users\McKenzie Masters\AppData\Roaming\Adobe\AdobeUpdaterInstallMgr.exe /Service [84992 2013-01-10] (Adobe Systems Incorporated)
HKU\McKenzie Masters\...\Run: [SonyAgent] C:\Windows\Temp\temp03.exe [766976 2013-01-16] ()
HKU\McKenzie Masters\...\CurrentVersion\Windows: [Load] C:\Users\MCKENZ~1\LOCALS~1\Temp\mssfzqq.bat
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [262656 2009-07-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
AppInit_DLLs: C:\PROGRA~1\IMESHA~1\Mediabar\Datamngr\datamngr.dll C:\PROGRA~1\IMESHA~1\Mediabar\Datamngr\IEBHO.dll
Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Masters\Start Menu\Programs\Startup\runctf.lnk
ShortcutTarget: runctf.lnk -> C:\Windows\System32\rundll32.exe (Microsoft Corporation)
Startup: C:\Users\McKenzie Masters\Start Menu\Programs\Startup\runctf.lnk
ShortcutTarget: runctf.lnk -> C:\Windows\System32\rundll32.exe (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 Giraffic; C:\Program Files\Giraffic\Veoh_GirafficWatchdog.exe --service [2232504 2012-07-02] (Giraffic)
2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [105832 2013-01-16] (SurfRight B.V.)
3 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.1.121\McCHSvc.exe" [227232 2010-09-02] (McAfee, Inc.)
2 Winmgmt; C:\PROGRA~2\ms050B6C92.dat [266240 2013-01-10] ()
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

==================== Drivers (Whitelisted) ====================

0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
1 MpKsl0425a745; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A12EF609-FCCD-472D-A787-033E47CCD933}\MpKsl0425a745.sys [x]
1 MpKsl050205ca; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6DE0E0EF-B263-4997-B510-64F30D5322A4}\MpKsl050205ca.sys [x]
1 MpKsl0d0bdd31; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E1B355E2-FEA4-4FF0-BE37-09D869BEB7A7}\MpKsl0d0bdd31.sys [x]
1 MpKsl0d268157; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{784059A0-E137-42BF-B6A4-A12E38570D97}\MpKsl0d268157.sys [x]
1 MpKsl0e6f116e; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AAD7DE4E-A6AB-407D-B269-3824AED7622E}\MpKsl0e6f116e.sys [x]
1 MpKsl13199f15; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A12EF609-FCCD-472D-A787-033E47CCD933}\MpKsl13199f15.sys [x]
1 MpKsl1974460e; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FC531976-7ADE-4295-88E0-666BE65C0D9C}\MpKsl1974460e.sys [x]
1 MpKsl19f792e3; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{50B1489A-A13C-4BBE-93CB-78D2D132D51D}\MpKsl19f792e3.sys [x]
1 MpKsl223068dd; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AAD7DE4E-A6AB-407D-B269-3824AED7622E}\MpKsl223068dd.sys [x]
1 MpKsl3649f5c6; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3BF0890F-7FC0-4DD1-95F0-FEF517757A32}\MpKsl3649f5c6.sys [x]
1 MpKsl37dbe54c; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{72D3898B-8A3C-42D6-AACA-DC850361027C}\MpKsl37dbe54c.sys [x]
1 MpKsl3963a15e; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4D57F625-59F8-4321-9838-A622B0BEF4A8}\MpKsl3963a15e.sys [x]
1 MpKsl3974fee7; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BE5E7431-C1CA-4943-9199-F8D4C09716E3}\MpKsl3974fee7.sys [x]
1 MpKsl39934802; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9428D37A-1B6A-4C42-ACE1-9935D66F2A25}\MpKsl39934802.sys [x]
1 MpKsl3ca0fc4a; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B7839AA8-A5E8-4690-B34E-770638F9BEE4}\MpKsl3ca0fc4a.sys [x]
1 MpKsl55a93ea9; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5AB09BC3-7CF3-4565-86FC-D3879CDD5491}\MpKsl55a93ea9.sys [x]
1 MpKsl5ef1a86f; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E1B355E2-FEA4-4FF0-BE37-09D869BEB7A7}\MpKsl5ef1a86f.sys [x]
1 MpKsl622ac3ca; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E1B355E2-FEA4-4FF0-BE37-09D869BEB7A7}\MpKsl622ac3ca.sys [x]
1 MpKsl6516fe71; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B7220E7A-72BA-4EC2-8CF7-36F97551C203}\MpKsl6516fe71.sys [x]
1 MpKsl65b946bc; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E42D127A-EABD-4EA6-970B-75074C66473D}\MpKsl65b946bc.sys [x]
1 MpKsl65f227fa; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{99AFF042-E927-48C3-AED7-C92FC56C37C8}\MpKsl65f227fa.sys [x]
1 MpKsl6c85c7e2; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5AB09BC3-7CF3-4565-86FC-D3879CDD5491}\MpKsl6c85c7e2.sys [x]
1 MpKsl740d410f; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{784059A0-E137-42BF-B6A4-A12E38570D97}\MpKsl740d410f.sys [x]
1 MpKsl8b1cce7c; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E42D127A-EABD-4EA6-970B-75074C66473D}\MpKsl8b1cce7c.sys [x]
1 MpKsl927a87bc; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{69D646CF-AFC5-4588-B9AE-4406B32FFA44}\MpKsl927a87bc.sys [x]
1 MpKsl92ea2cb3; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6DE0E0EF-B263-4997-B510-64F30D5322A4}\MpKsl92ea2cb3.sys [x]
1 MpKsl97ff344e; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9428D37A-1B6A-4C42-ACE1-9935D66F2A25}\MpKsl97ff344e.sys [x]
1 MpKsla183799d; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8A9242EC-0373-4E53-9CE0-8632E5457B6C}\MpKsla183799d.sys [x]
1 MpKslae6eca18; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F579F719-A8B0-4D23-8539-E76630EB2861}\MpKslae6eca18.sys [x]
1 MpKslaff90cf5; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5D79E818-1F4F-455F-A1FB-3E3090A25F3F}\MpKslaff90cf5.sys [x]
1 MpKslb0860136; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6DE0E0EF-B263-4997-B510-64F30D5322A4}\MpKslb0860136.sys [x]
1 MpKslb1d281d2; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A5CFB7A7-0E3E-4830-AC66-A78EB2942D4B}\MpKslb1d281d2.sys [x]
1 MpKslbf570dee; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{50B1489A-A13C-4BBE-93CB-78D2D132D51D}\MpKslbf570dee.sys [x]
1 MpKslc538e4fd; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B7220E7A-72BA-4EC2-8CF7-36F97551C203}\MpKslc538e4fd.sys [x]
1 MpKslc6ff4cc1; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F579F719-A8B0-4D23-8539-E76630EB2861}\MpKslc6ff4cc1.sys [x]
1 MpKslc83a2a21; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A95D675C-B63D-497B-B28B-4074EB5D1D4A}\MpKslc83a2a21.sys [x]
1 MpKslc9361826; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{061A5372-0E66-4455-BBFD-E69AE3614FC3}\MpKslc9361826.sys [x]
1 MpKslcc9b44bc; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{418780EC-505F-4DC2-A940-4486A9E898FF}\MpKslcc9b44bc.sys [x]
1 MpKsld114dd30; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6DE0E0EF-B263-4997-B510-64F30D5322A4}\MpKsld114dd30.sys [x]
1 MpKsldc38c9fc; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D8472858-484A-41FA-8216-F2663BDC3CA3}\MpKsldc38c9fc.sys [x]
1 MpKslde498ecb; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{04EB3AE1-7F09-44D5-9918-A3187933F060}\MpKslde498ecb.sys [x]
1 MpKsle0945a82; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5D79E818-1F4F-455F-A1FB-3E3090A25F3F}\MpKsle0945a82.sys [x]
1 MpKslf875ccd7; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A4F5E5CA-C548-4357-87A2-FE77DB37E996}\MpKslf875ccd7.sys [x]
1 MpKslf8d7caf5; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DC94B989-0594-4AF5-BAB8-2314605B7F56}\MpKslf8d7caf5.sys [x]
1 MpKslf928cce3; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AAD7DE4E-A6AB-407D-B269-3824AED7622E}\MpKslf928cce3.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-01-21 13:27 - 2013-01-21 13:27 - 00000000 ____D C:\FRST
2013-01-21 10:35 - 2013-01-21 10:35 - 00000000 ____D C:\8847f4dfb672e7a085
2013-01-16 13:30 - 2013-01-16 14:38 - 00001821 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2013-01-16 13:30 - 2013-01-16 13:30 - 00000000 ____D C:\Program Files\HitmanPro
2013-01-16 12:56 - 2013-01-17 09:14 - 00000000 ____D C:\Users\All Users\HitmanPro
2013-01-10 14:32 - 2013-01-10 14:32 - 00107245 ____A C:\Users\McKenzie Masters\AppData\Roaming\itldvupd.dat
2013-01-10 14:32 - 2013-01-10 14:32 - 00000217 ____A C:\Users\McKenzie Masters\AppData\Roaming\itlsvc.dat
2013-01-10 14:28 - 2013-01-21 10:34 - 95023320 ___AT C:\Users\All Users\29C6B050sm.pad
2013-01-10 14:28 - 2013-01-10 14:32 - 95023320 ___AT C:\Users\All Users\D079.pad
2013-01-10 14:28 - 2013-01-10 14:28 - 00002727 ____A C:\Users\All Users\29C6B050sm.js
2013-01-10 14:27 - 2013-01-11 12:32 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\Kuofux
2013-01-10 14:27 - 2013-01-10 14:27 - 00266240 __ASH C:\Users\All Users\ms050B6C92.dat
2013-01-10 14:27 - 2013-01-10 14:27 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\Ruto
2013-01-10 14:27 - 2013-01-10 14:27 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\ca50f34c-00df-4688-8cd5-e6e4e5bf185f79
2013-01-10 14:27 - 2013-01-10 14:27 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\Byicu
2013-01-08 23:54 - 2012-11-22 19:06 - 02344960 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-01-08 23:54 - 2012-11-19 21:10 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2013-01-08 23:54 - 2012-11-08 20:49 - 00492032 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-01-08 23:54 - 2012-11-01 20:50 - 01388544 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2013-01-06 07:54 - 2013-01-07 13:55 - 00000000 ____D C:\Program Files\McAfee Security Scan
2013-01-06 07:54 - 2013-01-06 07:54 - 00000000 ____D C:\Users\All Users\McAfee Security Scan
2013-01-06 07:53 - 2013-01-06 07:53 - 00000000 ____D C:\Users\All Users\Sun
2013-01-06 07:53 - 2013-01-06 07:53 - 00000000 ____D C:\Program Files\Common Files\Java
2013-01-06 07:52 - 2013-01-06 07:51 - 00859072 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2013-01-06 07:52 - 2013-01-06 07:51 - 00779704 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-01-06 07:52 - 2013-01-06 07:51 - 00260528 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-01-06 07:51 - 2013-01-06 07:51 - 00174000 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-01-06 07:51 - 2013-01-06 07:51 - 00173992 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-01-06 07:51 - 2013-01-06 07:51 - 00093640 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-01-06 07:51 - 2013-01-06 07:51 - 00000000 ____D C:\Program Files\Java
2013-01-06 07:49 - 2013-01-06 07:49 - 00000000 ____D C:\Users\All Users\McAfee

==================== One Month Modified Files and Folders ========

2013-01-21 13:27 - 2013-01-21 13:27 - 00000000 ____D C:\FRST
2013-01-21 11:44 - 2012-07-04 23:37 - 00000000 ____D C:\Program Files\Giraffic
2013-01-21 11:44 - 2012-04-05 21:54 - 00000420 ____A C:\Windows\Tasks\RPCReminder.job
2013-01-21 11:44 - 2011-09-05 09:09 - 01327371 ____A C:\Windows\WindowsUpdate.log
2013-01-21 11:44 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-21 11:44 - 2009-07-13 20:39 - 00043771 ____A C:\Windows\setupact.log
2013-01-21 10:35 - 2013-01-21 10:35 - 00000000 ____D C:\8847f4dfb672e7a085
2013-01-21 10:34 - 2013-01-10 14:28 - 95023320 ___AT C:\Users\All Users\29C6B050sm.pad
2013-01-21 10:30 - 2012-04-05 21:53 - 00000434 ____A C:\Windows\Tasks\RegPowerClean.job
2013-01-21 10:30 - 2012-04-05 21:11 - 00000000 ____D C:\Users\Masters\AppData\Local\WeatherBug
2013-01-21 10:30 - 2011-09-07 15:51 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-21 10:29 - 2012-04-05 21:12 - 00000400 ____A C:\Windows\Tasks\FreeFileViewerUpdateChecker.job
2013-01-17 09:14 - 2013-01-16 12:56 - 00000000 ____D C:\Users\All Users\HitmanPro
2013-01-17 09:00 - 2011-09-07 15:51 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-17 08:54 - 2012-04-15 20:06 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-17 07:35 - 2009-07-13 20:34 - 00014000 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-17 07:35 - 2009-07-13 20:34 - 00014000 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-16 15:24 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-01-16 14:38 - 2013-01-16 13:30 - 00001821 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2013-01-16 13:30 - 2013-01-16 13:30 - 00000000 ____D C:\Program Files\HitmanPro
2013-01-16 13:22 - 2011-09-07 15:51 - 00000000 ____D C:\Users\Masters\AppData\Local\Google
2013-01-11 12:32 - 2013-01-10 14:27 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\Kuofux
2013-01-11 12:31 - 2011-09-05 09:19 - 00000000 ____D C:\Users\Masters\AppData\Local\VirtualStore
2013-01-10 14:32 - 2013-01-10 14:32 - 00107245 ____A C:\Users\McKenzie Masters\AppData\Roaming\itldvupd.dat
2013-01-10 14:32 - 2013-01-10 14:32 - 00000217 ____A C:\Users\McKenzie Masters\AppData\Roaming\itlsvc.dat
2013-01-10 14:32 - 2013-01-10 14:28 - 95023320 ___AT C:\Users\All Users\D079.pad
2013-01-10 14:28 - 2013-01-10 14:28 - 00002727 ____A C:\Users\All Users\29C6B050sm.js
2013-01-10 14:28 - 2011-09-07 15:51 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\Adobe
2013-01-10 14:27 - 2013-01-10 14:27 - 00266240 __ASH C:\Users\All Users\ms050B6C92.dat
2013-01-10 14:27 - 2013-01-10 14:27 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\Ruto
2013-01-10 14:27 - 2013-01-10 14:27 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\ca50f34c-00df-4688-8cd5-e6e4e5bf185f79
2013-01-10 14:27 - 2013-01-10 14:27 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\Byicu
2013-01-10 13:54 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-01-09 15:00 - 2011-09-05 13:20 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Local\VirtualStore
2013-01-09 14:58 - 2009-07-13 20:33 - 00266808 ____A C:\Windows\System32\FNTCACHE.DAT
2013-01-09 00:05 - 2011-09-05 09:20 - 00740374 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-08 14:10 - 2012-04-15 20:06 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-01-08 14:10 - 2011-09-07 15:50 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-01-07 13:55 - 2013-01-06 07:54 - 00000000 ____D C:\Program Files\McAfee Security Scan
2013-01-06 07:54 - 2013-01-06 07:54 - 00000000 ____D C:\Users\All Users\McAfee Security Scan
2013-01-06 07:53 - 2013-01-06 07:53 - 00000000 ____D C:\Users\All Users\Sun
2013-01-06 07:53 - 2013-01-06 07:53 - 00000000 ____D C:\Program Files\Common Files\Java
2013-01-06 07:51 - 2013-01-06 07:52 - 00859072 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2013-01-06 07:51 - 2013-01-06 07:52 - 00779704 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-01-06 07:51 - 2013-01-06 07:52 - 00260528 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-01-06 07:51 - 2013-01-06 07:51 - 00174000 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-01-06 07:51 - 2013-01-06 07:51 - 00173992 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-01-06 07:51 - 2013-01-06 07:51 - 00093640 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-01-06 07:51 - 2013-01-06 07:51 - 00000000 ____D C:\Program Files\Java
2013-01-06 07:49 - 2013-01-06 07:49 - 00000000 ____D C:\Users\All Users\McAfee
2013-01-06 03:31 - 2012-04-05 21:54 - 00000440 ___AH C:\Windows\Tasks\Norton Security Scan for McKenzie Masters.job


ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2097891935-2920972167-416249672-1003\$14f01a0203e7f549a810b95fa3b6270f

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-12 13:47] - [2012-09-06 08:48] - 0245616 ____A (Microsoft Corporation) 59F06B4968E58BC83DFC56CA4517960E


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-16 21:24:35
Restore point made on: 2012-12-13 16:43:07
Restore point made on: 2012-12-21 00:09:12
Restore point made on: 2013-01-06 07:50:45
Restore point made on: 2013-01-09 00:00:46
Restore point made on: 2013-01-16 15:18:45

==================== Memory info ===========================

Percentage of memory in use: 22%
Total physical RAM: 1782.71 MB
Available physical RAM: 1380.02 MB
Total Pagefile: 1782.71 MB
Available Pagefile: 1381 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.4 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:232.79 GB) (Free:147.54 GB) NTFS
2 Drive e: (GRMCULFRER_EN_DVD) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF
4 Drive g: (KINGSTON) (Removable) (Total:1.87 GB) (Free:1.64 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 1919 MB 0 B

Partitions of Disk 0:
===============

Disk ID: 0F82D9C5

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 232 GB 101 MB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 232 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Disk ID: 04030201

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1918 MB 16 KB

=========================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G KINGSTON FAT Removable 1918 MB Healthy

=========================================================

Last Boot: 2013-01-16 15:09

==================== End Of Log ============================

Edited by CatByte, 21 January 2013 - 04:51 PM.
inserted FRST log that was PM'd


#9 CatByte (Malware Response Team)

Posted 21 January 2013 - 06:10 PM

Have you been able to successfully run ComboFix?

If not, run this fix first with FRST, then give ComboFix another try.

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKU\McKenzie Masters\...\Run: [Adobe CS Manager] C:\Users\McKenzie Masters\AppData\Roaming\ca50f34c-00df-4688-8cd5-e6e4e5bf185f79\cafcdfcdeeebff.exe [94208 2013-01-10] ()
C:\Users\McKenzie Masters\AppData\Roaming\ca50f34c-00df-4688-8cd5-e6e4e5bf185f79\cafcdfcdeeebff.exe
HKU\McKenzie Masters\...\Run: [Noolzyt] "C:\Users\McKenzie Masters\AppData\Roaming\Ruto\adafv.exe" [295192 2012-09-03] ()
C:\Users\McKenzie Masters\AppData\Roaming\Ruto\adafv.exe
HKU\McKenzie Masters\...\Run: [SonyAgent] C:\Windows\Temp\temp03.exe [766976 2013-01-16] ()
C:\Windows\Temp\temp03.exe
HKU\McKenzie Masters\...\CurrentVersion\Windows: [Load] C:\Users\MCKENZ~1\LOCALS~1\Temp\mssfzqq.bat
C:\Users\MCKENZ~1\LOCALS~1\Temp\mssfzqq.bat
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [262656 2009-07-13] (Microsoft Corporation)
AppInit_DLLs: C:\PROGRA~1\IMESHA~1\Mediabar\Datamngr\datamngr.dll C:\PROGRA~1\IMESHA~1\Mediabar\Datamngr\IEBHO.dll
2013-01-10 14:27 - 2013-01-11 12:32 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\Kuofux
2013-01-10 14:27 - 2013-01-10 14:27 - 00266240 __ASH C:\Users\All Users\ms050B6C92.dat
2013-01-10 14:27 - 2013-01-10 14:27 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\Ruto
2013-01-10 14:27 - 2013-01-10 14:27 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\ca50f34c-00df-4688-8cd5-e6e4e5bf185f79
2013-01-10 14:27 - 2013-01-10 14:27 - 00000000 ____D C:\Users\McKenzie Masters\AppData\Roaming\Byicu
Startup: C:\Users\Masters\Start Menu\Programs\Startup\runctf.lnk
ShortcutTarget: runctf.lnk -> C:\Windows\System32\rundll32.exe (Microsoft Corporation)
Startup: C:\Users\McKenzie Masters\Start Menu\Programs\Startup\runctf.lnk
ShortcutTarget: runctf.lnk -> C:\Windows\System32\rundll32.exe (Microsoft Corporation)
C:\$Recycle.Bin\S-1-5-21-2097891935-2920972167-416249672-1003\$14f01a0203e7f549a810b95fa3b6270f
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 Yorkiegal (Topic Starter)

Posted 21 January 2013 - 08:12 PM

I ran Combofix successfully and the computer appears to be working well! Thank you soooo much!

#11 CatByte (Malware Response Team)

Posted 21 January 2013 - 08:41 PM

Can you please post the ComboFix log?

We will likely have more work to do, as there are usually leftovers to remove, so stay with me till I give the "all clean".

(the log will be located at C:\combofix.txt)



#12 Yorkiegal (Topic Starter)

Posted 21 January 2013 - 08:48 PM

I am not with the computer right now, but I will post it first thing in the morning. If there's anything else I can do, I will be most happy to do so.

#13 CatByte (Malware Response Team)

Posted 21 January 2013 - 08:51 PM

:thumbup2:



#14 Yorkiegal (Topic Starter)

Posted 22 January 2013 - 09:43 AM

Here's what ComboFix found:

ComboFix 13-01-21.04 - Masters 01/21/2013 15:47:07.1.2 - x86 MINIMAL
Running from: c:\users\McKenzie Masters\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\$recycle.bin\S-1-5-21-2097891935-2920972167-416249672-1003\$14f01a0203e7f549a810b95fa3b6270f\@
c:\$recycle.bin\S-1-5-21-2097891935-2920972167-416249672-1003\$14f01a0203e7f549a810b95fa3b6270f\n
c:\$recycle.bin\S-1-5-21-2097891935-2920972167-416249672-1003\$14f01a0203e7f549a810b95fa3b6270f\U\00000001.@
c:\$recycle.bin\S-1-5-21-2097891935-2920972167-416249672-1003\$14f01a0203e7f549a810b95fa3b6270f\U\80000000.@
c:\$recycle.bin\S-1-5-21-2097891935-2920972167-416249672-1003\$14f01a0203e7f549a810b95fa3b6270f\U\800000cb.@
c:\program files\I Want This
c:\program files\I Want This\appAPIinternalWrapper.js
c:\program files\I Want This\fb.js
c:\program files\I Want This\I Want This.dll
c:\program files\I Want This\I Want This.exe
c:\program files\I Want This\I Want This.ico
c:\program files\I Want This\I Want This.ini
c:\program files\I Want This\I Want ThisGui.exe
c:\program files\I Want This\I Want ThisInstaller.log
c:\program files\I Want This\jquery.js
c:\program files\I Want This\json.js
c:\program files\I Want This\Uninstall.exe
c:\programdata\29C6B050sm.js
c:\programdata\29C6B050sm.pad
c:\programdata\D079.pad
c:\programdata\ms050B6C92.dat
c:\users\Masters\AppData\Local\I Want This
c:\users\Masters\AppData\Local\I Want This\Chrome\I Want This.crx
c:\users\Masters\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC Optimizer Pro.lnk
c:\users\Masters\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk
c:\users\McKenzie Masters\AppData\Roaming\180C3A
c:\users\McKenzie Masters\AppData\Roaming\180C3A\180C3A.exe
c:\users\McKenzie Masters\AppData\Roaming\Adobe\AdobeUpdaterInstallMgr.exe
c:\users\McKenzie Masters\AppData\Roaming\ca50f34c-00df-4688-8cd5-e6e4e5bf185f79
c:\users\McKenzie Masters\AppData\Roaming\ca50f34c-00df-4688-8cd5-e6e4e5bf185f79\cafcdfcdeeebff.exe
c:\users\McKenzie Masters\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk
c:\users\McKenzie Masters\AppData\Roaming\Ruto
c:\users\McKenzie Masters\AppData\Roaming\Ruto\adafv.exe
c:\windows\itunes.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-21 to 2013-01-21 )))))))))))))))))))))))))))))))
.
.
2013-01-21 21:27 . 2013-01-21 21:27 -------- d-----w- C:\FRST
2013-01-21 21:22 . 2013-01-21 21:22 -------- d-----w- c:\users\McKenzie Masters\AppData\Local\temp
2013-01-21 21:22 . 2013-01-21 21:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-21 21:20 . 2013-01-21 21:22 -------- d-----w- c:\users\Masters\AppData\Local\temp
2013-01-21 18:35 . 2013-01-21 18:35 -------- d-----w- C:\8847f4dfb672e7a085
2013-01-16 21:30 . 2013-01-16 21:30 -------- d-----w- c:\program files\HitmanPro
2013-01-16 20:56 . 2013-01-17 17:14 -------- d-----w- c:\programdata\HitmanPro
2013-01-10 22:27 . 2013-01-11 20:32 -------- d-----w- c:\users\McKenzie Masters\AppData\Roaming\Kuofux
2013-01-10 22:27 . 2013-01-10 22:27 -------- d-----w- c:\users\McKenzie Masters\AppData\Roaming\Byicu
2013-01-09 07:54 . 2012-11-23 03:06 2344960 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 07:54 . 2012-11-09 04:49 492032 ----a-w- c:\windows\system32\win32spl.dll
2013-01-09 07:54 . 2012-11-02 04:50 1388544 ----a-w- c:\windows\system32\msxml6.dll
2013-01-09 07:54 . 2012-11-20 05:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-06 15:54 . 2013-01-06 15:54 -------- d-----w- c:\programdata\McAfee Security Scan
2013-01-06 15:54 . 2013-01-07 21:55 -------- d-----w- c:\program files\McAfee Security Scan
2013-01-06 15:53 . 2013-01-06 15:53 -------- d-----w- c:\program files\Common Files\Java
2013-01-06 15:52 . 2013-01-06 15:51 779704 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-06 15:52 . 2013-01-06 15:51 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-01-06 15:51 . 2013-01-06 15:51 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-06 15:51 . 2013-01-06 15:51 -------- d-----w- c:\program files\Java
2013-01-06 15:49 . 2013-01-06 15:49 -------- d-----w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-21 20:44 . 2012-07-29 11:31 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D3223AAF-17A0-4607-94AD-F5803FDEDE73}\offreg.dll
2013-01-08 22:10 . 2012-04-16 04:06 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-08 22:10 . 2011-09-07 23:50 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 14:25 . 2012-12-21 08:09 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:25 . 2012-12-21 08:09 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-11-14 02:09 . 2012-12-14 01:01 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58 . 2012-12-14 01:01 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57 . 2012-12-14 01:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49 . 2012-12-14 01:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48 . 2012-12-14 01:01 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44 . 2012-12-14 01:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-09 04:49 . 2012-12-12 21:46 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-02 04:48 . 2012-12-12 21:47 376832 ----a-w- c:\windows\system32\dpnet.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0b1be383-efa8-44d5-a7c2-9a39594575a1}"= "c:\program files\cleanlab\prxtbclea.dll" [2011-05-09 176936]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn0\yt.dll" [2012-03-21 1523512]
"{cd90bf73-20f6-44ef-993d-bb920303bd2e}"= "c:\program files\Veoh_Web_Player\prxtbVeoh.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{0b1be383-efa8-44d5-a7c2-9a39594575a1}]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CLASSES_ROOT\clsid\{cd90bf73-20f6-44ef-993d-bb920303bd2e}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0b1be383-efa8-44d5-a7c2-9a39594575a1}]
2011-05-09 08:49 176936 ----a-w- c:\program files\cleanlab\prxtbclea.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C585D593-E7F3-4852-A200-561686EE02E4}]
2009-11-25 16:47 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cd90bf73-20f6-44ef-993d-bb920303bd2e}]
2011-05-09 08:49 176936 ----a-w- c:\program files\Veoh_Web_Player\prxtbVeoh.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0b1be383-efa8-44d5-a7c2-9a39594575a1}"= "c:\program files\cleanlab\prxtbclea.dll" [2011-05-09 176936]
"{cd90bf73-20f6-44ef-993d-bb920303bd2e}"= "c:\program files\Veoh_Web_Player\prxtbVeoh.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{0b1be383-efa8-44d5-a7c2-9a39594575a1}]
.
[HKEY_CLASSES_ROOT\clsid\{cd90bf73-20f6-44ef-993d-bb920303bd2e}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{0B1BE383-EFA8-44D5-A7C2-9A39594575A1}"= "c:\program files\cleanlab\prxtbclea.dll" [2011-05-09 176936]
"{CD90BF73-20F6-44EF-993D-BB920303BD2E}"= "c:\program files\Veoh_Web_Player\prxtbVeoh.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{0b1be383-efa8-44d5-a7c2-9a39594575a1}]
.
[HKEY_CLASSES_ROOT\clsid\{cd90bf73-20f6-44ef-993d-bb920303bd2e}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-09-07 39408]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-10-29 1652736]
"Itibiti.exe"="c:\program files\Itibiti Soft Phone\Itibiti.exe" [2011-11-08 5284352]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2011-06-08 822456]
"Browser Infrastructure Helper"="c:\users\Masters\AppData\Local\Smartbar\Application\Linkury.exe" [2012-02-20 19768]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2012-06-11 4692840]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-24 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-24 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-24 170520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\windows\iTunesHelper.exe" [2012-03-06 421736]
"PC Optimizer Pro"="c:\program files\PC Optimizer Pro\StartApps.exe" [2012-03-28 349976]
"Starter"="c:\program files\Driver-Soft\DriverGenius\StarterW3i.exe" [2012-02-15 79728]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\IMESHA~1\Mediabar\Datamngr\datamngr.dll c:\progra~1\IMESHA~1\Mediabar\Datamngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl0425a745;MpKsl0425a745;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A12EF609-FCCD-472D-A787-033E47CCD933}\MpKsl0425a745.sys [x]
R1 MpKsl050205ca;MpKsl050205ca;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6DE0E0EF-B263-4997-B510-64F30D5322A4}\MpKsl050205ca.sys [x]
R1 MpKsl0d0bdd31;MpKsl0d0bdd31;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E1B355E2-FEA4-4FF0-BE37-09D869BEB7A7}\MpKsl0d0bdd31.sys [x]
R1 MpKsl0d268157;MpKsl0d268157;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{784059A0-E137-42BF-B6A4-A12E38570D97}\MpKsl0d268157.sys [x]
R1 MpKsl0e6f116e;MpKsl0e6f116e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AAD7DE4E-A6AB-407D-B269-3824AED7622E}\MpKsl0e6f116e.sys [x]
R1 MpKsl13199f15;MpKsl13199f15;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A12EF609-FCCD-472D-A787-033E47CCD933}\MpKsl13199f15.sys [x]
R1 MpKsl1974460e;MpKsl1974460e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FC531976-7ADE-4295-88E0-666BE65C0D9C}\MpKsl1974460e.sys [x]
R1 MpKsl19f792e3;MpKsl19f792e3;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{50B1489A-A13C-4BBE-93CB-78D2D132D51D}\MpKsl19f792e3.sys [x]
R1 MpKsl223068dd;MpKsl223068dd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AAD7DE4E-A6AB-407D-B269-3824AED7622E}\MpKsl223068dd.sys [x]
R1 MpKsl3649f5c6;MpKsl3649f5c6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3BF0890F-7FC0-4DD1-95F0-FEF517757A32}\MpKsl3649f5c6.sys [x]
R1 MpKsl37dbe54c;MpKsl37dbe54c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{72D3898B-8A3C-42D6-AACA-DC850361027C}\MpKsl37dbe54c.sys [x]
R1 MpKsl3963a15e;MpKsl3963a15e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4D57F625-59F8-4321-9838-A622B0BEF4A8}\MpKsl3963a15e.sys [x]
R1 MpKsl3974fee7;MpKsl3974fee7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BE5E7431-C1CA-4943-9199-F8D4C09716E3}\MpKsl3974fee7.sys [x]
R1 MpKsl39934802;MpKsl39934802;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9428D37A-1B6A-4C42-ACE1-9935D66F2A25}\MpKsl39934802.sys [x]
R1 MpKsl3ca0fc4a;MpKsl3ca0fc4a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7839AA8-A5E8-4690-B34E-770638F9BEE4}\MpKsl3ca0fc4a.sys [x]
R1 MpKsl55a93ea9;MpKsl55a93ea9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5AB09BC3-7CF3-4565-86FC-D3879CDD5491}\MpKsl55a93ea9.sys [x]
R1 MpKsl5ef1a86f;MpKsl5ef1a86f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E1B355E2-FEA4-4FF0-BE37-09D869BEB7A7}\MpKsl5ef1a86f.sys [x]
R1 MpKsl622ac3ca;MpKsl622ac3ca;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E1B355E2-FEA4-4FF0-BE37-09D869BEB7A7}\MpKsl622ac3ca.sys [x]
R1 MpKsl6516fe71;MpKsl6516fe71;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7220E7A-72BA-4EC2-8CF7-36F97551C203}\MpKsl6516fe71.sys [x]
R1 MpKsl65b946bc;MpKsl65b946bc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E42D127A-EABD-4EA6-970B-75074C66473D}\MpKsl65b946bc.sys [x]
R1 MpKsl65f227fa;MpKsl65f227fa;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{99AFF042-E927-48C3-AED7-C92FC56C37C8}\MpKsl65f227fa.sys [x]
R1 MpKsl6c85c7e2;MpKsl6c85c7e2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5AB09BC3-7CF3-4565-86FC-D3879CDD5491}\MpKsl6c85c7e2.sys [x]
R1 MpKsl740d410f;MpKsl740d410f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{784059A0-E137-42BF-B6A4-A12E38570D97}\MpKsl740d410f.sys [x]
R1 MpKsl8b1cce7c;MpKsl8b1cce7c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E42D127A-EABD-4EA6-970B-75074C66473D}\MpKsl8b1cce7c.sys [x]
R1 MpKsl927a87bc;MpKsl927a87bc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{69D646CF-AFC5-4588-B9AE-4406B32FFA44}\MpKsl927a87bc.sys [x]
R1 MpKsl92ea2cb3;MpKsl92ea2cb3;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6DE0E0EF-B263-4997-B510-64F30D5322A4}\MpKsl92ea2cb3.sys [x]
R1 MpKsl97ff344e;MpKsl97ff344e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9428D37A-1B6A-4C42-ACE1-9935D66F2A25}\MpKsl97ff344e.sys [x]
R1 MpKsla183799d;MpKsla183799d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8A9242EC-0373-4E53-9CE0-8632E5457B6C}\MpKsla183799d.sys [x]
R1 MpKslae6eca18;MpKslae6eca18;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F579F719-A8B0-4D23-8539-E76630EB2861}\MpKslae6eca18.sys [x]
R1 MpKslaff90cf5;MpKslaff90cf5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5D79E818-1F4F-455F-A1FB-3E3090A25F3F}\MpKslaff90cf5.sys [x]
R1 MpKslb0860136;MpKslb0860136;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6DE0E0EF-B263-4997-B510-64F30D5322A4}\MpKslb0860136.sys [x]
R1 MpKslb1d281d2;MpKslb1d281d2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A5CFB7A7-0E3E-4830-AC66-A78EB2942D4B}\MpKslb1d281d2.sys [x]
R1 MpKslbf570dee;MpKslbf570dee;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{50B1489A-A13C-4BBE-93CB-78D2D132D51D}\MpKslbf570dee.sys [x]
R1 MpKslc538e4fd;MpKslc538e4fd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7220E7A-72BA-4EC2-8CF7-36F97551C203}\MpKslc538e4fd.sys [x]
R1 MpKslc6ff4cc1;MpKslc6ff4cc1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F579F719-A8B0-4D23-8539-E76630EB2861}\MpKslc6ff4cc1.sys [x]
R1 MpKslc83a2a21;MpKslc83a2a21;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A95D675C-B63D-497B-B28B-4074EB5D1D4A}\MpKslc83a2a21.sys [x]
R1 MpKslc9361826;MpKslc9361826;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{061A5372-0E66-4455-BBFD-E69AE3614FC3}\MpKslc9361826.sys [x]
R1 MpKslcc9b44bc;MpKslcc9b44bc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{418780EC-505F-4DC2-A940-4486A9E898FF}\MpKslcc9b44bc.sys [x]
R1 MpKsld114dd30;MpKsld114dd30;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6DE0E0EF-B263-4997-B510-64F30D5322A4}\MpKsld114dd30.sys [x]
R1 MpKsldc38c9fc;MpKsldc38c9fc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D8472858-484A-41FA-8216-F2663BDC3CA3}\MpKsldc38c9fc.sys [x]
R1 MpKslde498ecb;MpKslde498ecb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{04EB3AE1-7F09-44D5-9918-A3187933F060}\MpKslde498ecb.sys [x]
R1 MpKsle0945a82;MpKsle0945a82;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5D79E818-1F4F-455F-A1FB-3E3090A25F3F}\MpKsle0945a82.sys [x]
R1 MpKslf875ccd7;MpKslf875ccd7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A4F5E5CA-C548-4357-87A2-FE77DB37E996}\MpKslf875ccd7.sys [x]
R1 MpKslf8d7caf5;MpKslf8d7caf5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DC94B989-0594-4AF5-BAB8-2314605B7F56}\MpKslf8d7caf5.sys [x]
R1 MpKslf928cce3;MpKslf928cce3;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AAD7DE4E-A6AB-407D-B269-3824AED7622E}\MpKslf928cce3.sys [x]
R2 Giraffic;Veoh Giraffic Video Accelerator;c:\program files\Giraffic\Veoh_GirafficWatchdog.exe [x]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [x]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.1.121\McCHSvc.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-17 16:58 1606760 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 22:10]
.
2013-01-21 c:\windows\Tasks\FreeFileViewerUpdateChecker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2012-04-06 18:24]
.
2013-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-07 23:51]
.
2013-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-07 23:51]
.
2013-01-06 c:\windows\Tasks\Norton Security Scan for McKenzie Masters.job
- c:\progra~1\NORTON~2\Engine\371~1.4\Nss.exe [2012-04-06 05:43]
.
2013-01-21 c:\windows\Tasks\RegPowerClean.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2012-04-06 19:30]
.
2013-01-21 c:\windows\Tasks\RPCReminder.job
- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2012-04-06 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.imesh.net
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
AddRemove-I Want This - c:\program files\I Want This\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-21 16:26:10
ComboFix-quarantined-files.txt 2013-01-21 21:26
.
Pre-Run: 158,317,453,312 bytes free
Post-Run: 160,467,701,760 bytes free
.
- - End Of File - - 8B9271E55546BB357EE88587A688476A

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:50 PM

Posted 22 January 2013 - 06:56 PM

There is a little more work to do,

please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\users\McKenzie Masters\AppData\Roaming\Kuofux
c:\users\McKenzie Masters\AppData\Roaming\Byicu
c:\progra~1\IMESHA~1\Mediabar

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


Please download Malwarebytes Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
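The CFScript in the post above blanks the AppInit_DLLs value, a classic persistence point: any DLL listed there is loaded into every process that links user32.dll. The following is an added, read-only PowerShell audit of that value, not code from the thread, from CatByte or from the ComboFix project. It assumes Windows PowerShell 2.0 or later on Windows 7 and only reads the registry; the function name Get-AppInitDllAudit and the output field names are this example's own.

```powershell
# Added example (not part of the thread or ComboFix): audit the AppInit_DLLs
# value that the CFScript blanks out. Read-only; it changes nothing.

function Get-AppInitDllAudit {
    # Native key, plus the WOW64 key that only exists on 64-bit Windows.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }   # WOW64 key is absent on 32-bit Windows 7

        $dlls = [string]$props.AppInit_DLLs
        $load = $props.LoadAppInit_DLLs               # 1 = the list is actually loaded
        $requireSigned = $props.RequireSignedAppInit_DLLs

        # The value is a comma- or space-separated list; empty is the clean state.
        # @() forces an array so .Count works on one entry under PowerShell 2.0.
        $entries = @($dlls -split '[,\s]+' | Where-Object { $_ -ne '' })

        if ($entries.Count -eq 0) {
            [pscustomobject]@{
                Key           = $key
                Entry         = '(empty)'
                ResolvedTo    = ''
                Exists        = $false
                Signature     = 'n/a'
                LoadEnabled   = $load
                RequireSigned = $requireSigned
            }
            continue
        }

        foreach ($entry in $entries) {
            $expanded = [Environment]::ExpandEnvironmentVariables($entry)
            # A bare file name is resolved by the loader relative to System32.
            if (-not (Split-Path $expanded -IsAbsolute)) {
                $expanded = Join-Path $env:SystemRoot "System32\$expanded"
            }
            $exists = Test-Path -LiteralPath $expanded
            $sig = if ($exists) {
                (Get-AuthenticodeSignature -FilePath $expanded).Status
            } else {
                'FileMissing'   # a dangling entry still shows where something was loading from
            }

            [pscustomobject]@{
                Key           = $key
                Entry         = $entry
                ResolvedTo    = $expanded
                Exists        = $exists
                Signature     = $sig
                LoadEnabled   = $load
                RequireSigned = $requireSigned
            }
        }
    }
}

# Anything other than '(empty)' here deserves a look: an unsigned or missing
# DLL in AppInit_DLLs with LoadEnabled = 1 is loaded into every GUI process.
Get-AppInitDllAudit | Format-Table -AutoSize
```

Run it before applying the CFScript to record what was being injected, and again afterwards to confirm the value is empty; reading HKLM needs no elevation, so a normal prompt is enough.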




