
Trojans: Tracur, Blacole, Meredrop, Redirector


  • This topic is locked
12 replies to this topic

#1 Nwakeboard

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:36 AM

Posted 13 April 2013 - 02:29 AM

Initial problems:

Intermittent quarantine notifications from MS security essentials

svchost.exe process running at 99% CPU and 700k memory when internet connected, causing computer to overheat

Spammy redirects from google search in firefox

USB drives nonfunctional

Ran Malwarebytes full scan, MS Security Essentials full scan, Hitman Pro, ComboFix

Problems seem to be resolved, but I want to make sure I got everything.

ComboFix 13-04-12.02 - Nancy 04/13/2013   2:38.1.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3056.1396 [GMT -4:00]
Running from: c:\users\Nancy\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\users\Nancy\GoToAssistDownloadHelper.exe
c:\windows\security\Database\tmp.edb
c:\windows\system32\pt
c:\windows\system32\pt\ThpProp.exe.mui
c:\windows\system32\pt\ThpSrv.exe.mui
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-13 to 2013-04-13  )))))))))))))))))))))))))))))))
.
.
2013-04-13 06:43 . 2013-04-13 06:43    --------    d-----w-    c:\users\Nancy\AppData\Local\temp
2013-04-13 06:43 . 2013-04-13 06:43    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-04-13 06:25 . 2013-04-13 06:25    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-13 06:25 . 2013-04-13 06:25    691592    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-04-13 06:20 . 2013-04-13 06:20    --------    d-----w-    c:\program files\Common Files\Adobe
2013-04-13 06:13 . 2013-04-13 06:13    60872    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3FA8C45-6645-4601-ADD4-D56877208607}\offreg.dll
2013-04-13 05:55 . 2013-04-13 05:55    --------    d-----w-    c:\program files\HitmanPro
2013-04-13 05:38 . 2013-04-13 06:09    --------    d-----w-    c:\programdata\HitmanPro
2013-04-13 02:39 . 2013-04-13 02:39    31560    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-04-12 21:31 . 2013-04-12 21:31    --------    d-----w-    c:\program files\WinDirStat
2013-04-12 14:59 . 2013-04-12 14:59    --------    d-----w-    c:\program files\Common Files\Java
2013-04-12 14:59 . 2013-04-12 14:59    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-04-12 14:59 . 2013-04-12 14:59    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-04-12 14:09 . 2013-03-15 07:21    7108640    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3FA8C45-6645-4601-ADD4-D56877208607}\mpengine.dll
2013-04-11 12:32 . 2013-03-15 07:21    7108640    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-10 12:38 . 2013-03-01 03:09    2347008    ----a-w-    c:\windows\system32\win32k.sys
2013-04-10 12:38 . 2013-01-24 04:47    196328    ----a-w-    c:\windows\system32\drivers\fvevol.sys
2013-04-10 12:38 . 2013-03-19 05:04    3968856    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-04-10 12:38 . 2013-03-19 05:04    3913560    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-04-10 12:38 . 2013-03-19 04:48    38912    ----a-w-    c:\windows\system32\csrsrv.dll
2013-04-10 12:38 . 2013-03-19 02:49    69632    ----a-w-    c:\windows\system32\smss.exe
2013-04-10 12:38 . 2013-02-15 04:37    3217408    ----a-w-    c:\windows\system32\mstscax.dll
2013-04-10 12:38 . 2013-02-15 04:34    131584    ----a-w-    c:\windows\system32\aaclient.dll
2013-04-10 12:38 . 2013-02-15 03:25    36864    ----a-w-    c:\windows\system32\tsgqec.dll
2013-03-21 01:01 . 2012-11-28 13:46    740840    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B123AF86-F74A-44D3-9F1D-2A21FFAA56E1}\gapaengine.dll
2013-03-18 12:22 . 2013-02-12 03:32    15872    ----a-w-    c:\windows\system32\drivers\usb8023.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-12 14:59 . 2011-01-18 17:09    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-04-04 18:50 . 2012-07-15 20:58    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-04-02 10:33 . 2011-01-18 15:31    237088    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-04 14:32 . 2013-03-04 14:32    10    ----a-w-    c:\windows\Fonts\wfonts.key
2013-02-12 04:48 . 2013-03-13 13:43    474112    ----a-w-    c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 13:43    2176512    ----a-w-    c:\windows\apppatch\AcGenral.dll
2013-01-20 20:59 . 2013-01-20 20:59    195296    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2013-01-20 20:59 . 2012-08-31 02:03    100328    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2013-04-10 06:58 . 2013-04-13 06:14    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ATFPUOverlayIcon]
@="{3239DBC1-B76D-4dc7-8B29-D99CBA3C7336}"
[HKEY_CLASSES_ROOT\CLSID\{3239DBC1-B76D-4dc7-8B29-D99CBA3C7336}]
2009-12-23 15:57    147888    ------w-    c:\program files\TOSHIBA\TFPU\TFPUOverlayIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ------w-    c:\users\Nancy\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ------w-    c:\users\Nancy\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ------w-    c:\users\Nancy\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ------w-    c:\users\Nancy\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-12-17 59872]
"ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2012-12-17 59872]
"com.apple.dav.bookmarks.daemon"="c:\program files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe" [2012-12-17 59872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-11 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2009-10-01 111640]
"nwiz"="nwiz.exe" [2010-01-14 1657448]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-15 13838952]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-30 7856128]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-12-09 2454840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-09-11 241664]
"TFPUPWDBankService"="c:\program files\TOSHIBA\TFPU\TFPUPWDBank.exe" [2009-12-23 888752]
"TFPUService"="c:\program files\TOSHIBA\TFPU\TFPUTaskMonitor.exe" [2009-12-23 784304]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-10-20 163840]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-11-06 480608]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2010-03-25 742712]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 22840]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-11-05 611672]
"TUSBSleepChargeSrv"="c:\program files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe" [2009-10-26 253312]
"ToshibaAppPlace"="c:\program files\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-06-11 552960]
"TosReelTimeMonitor"="c:\program files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [2010-02-24 30040]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-01-19 1206544]
"PeachtreePrefetcher.exe"="c:\program files\Sage Software\Peachtree\PeachtreePrefetcher.exe" [2012-11-06 320368]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"AgentUiRunKey"="c:\program files\Remote Data Backups\Agent.exe" [2010-09-25 239104]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
c:\users\Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
Dropbox.lnk - c:\users\Nancy\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-11-6 2717024]
BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Ultimate\BBStartup.exe [2011-1-18 46464]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-18 19:08    946352    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 21:13    54576    ------w-    c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 18:57    152544    ------w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2008-09-25 23:49    195080    ------w-    c:\program files\ltmoh\ltmoh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 16:12    288080    ------w-    c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36    421888    ------w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-01-08 17:59    18705664    ----a-r-    c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-11-11 11:28    39408    ------w-    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Teco]
2010-02-26 02:58    1323008    ------w-    c:\program files\TOSHIBA\TECO\Teco.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSDCR]
2007-08-28 18:30    169296    ------w-    c:\program files\TOSHIBA\PasswordUtility\TOSDCR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosNC]
2010-02-24 05:14    467816    ------w-    c:\program files\TOSHIBA\BulletinBoard\TosNcCore.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosWaitSrv]
2010-02-06 01:49    611672    ------w-    c:\program files\TOSHIBA\TPHM\TosWaitSrv.exe
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [x]
R4 BBWatcherService;BBWatcherService;c:\program files\CMS Products\BounceBack Ultimate\BBWatcherService.exe [x]
R4 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [x]
R4 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [x]
R4 CMSITService;BounceBack ITConsole Service;c:\program files\CMS Products\BounceBack Ultimate\CMSITService.exe [x]
R4 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [x]
R4 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R4 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [x]
R4 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [x]
R4 Sage 50 SmartPosting 2013;Sage 50 SmartPosting 2013;c:\program files\Sage Software\Peachtree\SmartPostingService2013.exe [x]
R4 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
R4 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [x]
R4 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
R4 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
R4 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [x]
S1 MpKsl72a160eb;MpKsl72a160eb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3FA8C45-6645-4601-ADD4-D56877208607}\MpKsl72a160eb.sys [x]
S2 AgentService;AgentService;c:\program files\Remote Data Backups\AgentService.exe [x]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [x]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
S2 LV_Tracker;LV_Tracker;c:\windows\system32\DRIVERS\LV_Tracker.sys [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [x]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [x]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [x]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [x]
S3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [x]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL72A160EB
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
HPService    REG_MULTI_SZ       HPSLPSVC
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-10 17:35    1642448    ----a-w-    c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-12 c:\windows\Tasks\CMS Application Updater.job
- c:\program files\CMS Products\Updater\CmsUpdater.exe [2011-01-18 17:28]
.
2013-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-11 11:29]
.
2013-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-11 11:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
uInternet Settings,ProxyOverride = <local>;*.local
TCP: DhcpNameServer = 10.0.1.1
FF - ProfilePath - c:\users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\x8xk98s5.default\
FF - ExtSQL: 2013-04-13 02:17; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\x8xk98s5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-04-13 02:18; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\x8xk98s5.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-04-13 02:18; {3d7eb24f-2740-49df-8937-200b1cc08f8a}; c:\users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\x8xk98s5.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}.xpi
FF - ExtSQL: !HIDDEN! 2012-12-27 10:07; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-avast5 - c:\program files\Alwil Software\Avast5\avastUI.exe
AddRemove-TOSHIBA Software Modem - c:\windows\agrsmdel
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.3.198\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-04-13  02:44:56
ComboFix-quarantined-files.txt  2013-04-13 06:44
.
Pre-Run: 387,516,690,432 bytes free
Post-Run: 387,438,698,496 bytes free
.
- - End Of File - - B761ABAA8C98AB10E2A9C39B22D2EC42

#2 Nwakeboard
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:36 AM

Posted 13 April 2013 - 02:34 AM

Attempting to beat Helpbot to the punch

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/17/2011 7:31:29 PM
System Uptime: 4/13/2013 2:10:25 AM (1 hours ago)
.
Motherboard: TOSHIBA |  | Portable PC
Processor: Intel® Core™ i7 CPU       M 640  @ 2.80GHz | rPGA988A Socket | 2800/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 446 GiB total, 362.215 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP270: 3/25/2013 6:53:29 PM - Windows Update
RP271: 3/28/2013 9:52:04 PM - Windows Update
RP272: 4/1/2013 6:45:29 PM - Windows Update
RP273: 4/5/2013 8:02:20 AM - Windows Update
RP274: 4/8/2013 4:49:23 PM - Windows Update
RP275: 4/10/2013 11:36:08 PM - Windows Update
RP276: 4/11/2013 1:31:19 PM - Installed TurboTax 2012 wrapper
RP277: 4/11/2013 1:33:57 PM - Installed TurboTax 2012 wnciper
RP278: 4/11/2013 1:34:08 PM - Installed TurboTax 2012 waziper
RP279: 4/12/2013 10:58:16 AM - Removed Java™ 6 Update 26
RP280: 4/12/2013 10:58:54 AM - Installed Java 7 Update 17
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe AIR
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.02)
ALPS Touch Pad Driver
Amazon Links
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AuthenTec Fingerprint Software
Bejeweled 2 Deluxe
Bluetooth Stack for Windows by Toshiba
Bonjour
BounceBack Ultimate
BufferChm
Build-a-lot 2
C410
CCleaner
Chuzzle Deluxe
Compatibility Pack for the 2007 Office system
Crystal Reports 2008 Runtime SP1
Destinations
DeviceDiscovery
DING!
DocProc
Dropbox
FATE
Fax
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService2
HitmanPro 3.7
HL-2240
HP Customer Participation Program 14.0
HP Imaging Device Functions 14.0
HP Photo Creations
HP Photosmart Prem C410 All-In-One Driver Software 14.0 Rel. 7
HP Smart Web Printing 4.60
HP Solution Center 14.0
HP Update
HPAppStudio
HPPhotoGadget
HPProductAssistant
HPSSupply
iCloud
Intel PROSet Wireless
Intel® Control Center
Intel® Management Engine Components
Intel® Network Connections Drivers
Intel® PROSet/Wireless WiFi Software
Intel® Rapid Storage Technology
Intel® Turbo Boost Technology Driver
iTunes
Java 7 Update 17
Java Auto Updater
Jewel Quest - Heritage
Junk Mail filter update
LogMeIn
LSI V92 MOH Application
Malwarebytes Anti-Malware version 1.75.0.1300
MarketResearch
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Default Manager
Microsoft IntelliPoint 8.2
Microsoft Office 2010
Microsoft Office File Validation Add-In
Microsoft Office Standard Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 20.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OCR Software by I.R.I.S. 14.0
Peachtree Complete Accounting 2010
Pervasive PSQL v10 SP2 Workgroup (32-bit)
Pervasive PSQL v10.10 Workgroup (32-bit)
Plants vs. Zombies
PlayReady PC Runtime x86
Polar Bowler
PS_AIO_07_C410_SW_Min
QuickTime
QuickTransfer
Realtek High Definition Audio Driver
Remote Data Backups Agent
RICOH R5U230 Media Driver ver.2.08.03.03
Sage 50 Accounting 2013
Sage 50 Accounting Tax Forms
Sage Integration Services
Sage Message Center
Scan
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Shop for HP Supplies
Skype Launcher
Skype Toolbars
Skype™ 6.1
SmartWebPrinting
SolutionCenter
Status
TFPU
Toolbox
Toshiba App Place
TOSHIBA Application and Driver Installer
TOSHIBA Assist
Toshiba Book Place
TOSHIBA Bulletin Board
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA eco Utility
TOSHIBA Face Recognition
TOSHIBA Fingerprint Utility
TOSHIBA HDD Protection
TOSHIBA HDD/SSD Alert
TOSHIBA Internal Modem Region Select Utility
Toshiba Laptop Checkup
TOSHIBA PC Health Monitor
TOSHIBA Quality Application
TOSHIBA Recovery Media Creator
TOSHIBA ReelTime
TOSHIBA Security Assist
TOSHIBA Service Station
TOSHIBA USB Sleep and Charge Utility
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
ToshibaRegistration
TrayApp
TurboTax 2011
TurboTax 2011 waziper
TurboTax 2011 WinPerFedFormset
TurboTax 2011 WinPerReleaseEngine
TurboTax 2011 WinPerTaxSupport
TurboTax 2011 wnciper
TurboTax 2011 wrapper
TurboTax 2012
TurboTax 2012 waziper
TurboTax 2012 WinPerFedFormset
TurboTax 2012 WinPerReleaseEngine
TurboTax 2012 WinPerTaxSupport
TurboTax 2012 wnciper
TurboTax 2012 wrapper
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Visual Studio Tools for the Office system 3.0 Runtime
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258)
WebReg
Wheel of Fortune 2
WildTangent Games
WildTangent ORB Game Console
WinDirStat 1.1.2
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Zuma's Revenge
.
==== Event Viewer Messages From Past Week ========
.
4/6/2013 8:23:11 AM, Error: Service Control Manager [7034]  - The Google Update Service (gupdate) service terminated unexpectedly.  It has done this 1 time(s).
4/13/2013 2:43:41 AM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
4/13/2013 2:10:53 AM, Error: Service Control Manager [7024]  - The HitmanPro 3.7 Crusader (Boot) service terminated with service-specific error The operation completed successfully..
4/13/2013 2:07:56 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.
4/13/2013 2:07:56 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Multimedia Class Scheduler service, but this action failed with the following error:  An instance of the service is already running.
4/13/2013 2:07:56 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Computer Browser service, but this action failed with the following error:  An instance of the service is already running.
4/13/2013 2:06:56 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Server service, but this action failed with the following error:  An instance of the service is already running.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Windows Update service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Windows Management Instrumentation service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The User Profile Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Themes service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Task Scheduler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The System Event Notification Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Shell Hardware Detection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Multimedia Class Scheduler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The IP Helper service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Group Policy Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Extensible Authentication Protocol service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Computer Browser service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Certificate Propagation service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:00:57 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the gpsvc service.
4/13/2013 2:00:57 AM, Error: Service Control Manager [7000]  - The Group Policy Client service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
4/13/2013 2:00:27 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the CertPropSvc service.
4/13/2013 2:00:27 AM, Error: Service Control Manager [7000]  - The Certificate Propagation service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
4/13/2013 1:59:57 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the EapHost service.
4/13/2013 1:59:57 AM, Error: Service Control Manager [7000]  - The Extensible Authentication Protocol service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
4/13/2013 1:59:26 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Schedule service.
4/13/2013 1:59:26 AM, Error: Service Control Manager [7000]  - The Task Scheduler service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
4/13/2013 1:58:56 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
4/13/2013 1:58:26 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Themes service.
4/13/2013 1:58:26 AM, Error: Service Control Manager [7000]  - The Themes service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
4/13/2013 1:57:56 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the wuauserv service.
4/13/2013 1:57:56 AM, Error: Service Control Manager [7000]  - The Windows Update service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
4/13/2013 1:57:26 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AeLookupSvc service.
4/13/2013 1:57:26 AM, Error: Service Control Manager [7000]  - The Application Experience service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
4/13/2013 1:55:56 AM, Error: Service Control Manager [7031]  - The Application Experience service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/12/2013 9:56:17 AM, Error: Service Control Manager [7000]  - The Multimedia Class Scheduler service failed to start due to the following error:  A thread could not be created for the service.
4/12/2013 8:42:34 AM, Error: Service Control Manager [7000]  - The Application Experience service failed to start due to the following error:  The client of a component requested an operation which is not valid given the state of the component instance.
4/12/2013 8:34:53 AM, Error: Service Control Manager [7023]  - The Multimedia Class Scheduler service terminated with the following error:  Not enough storage is available to process this command.
4/12/2013 10:05:27 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Application Experience service, but this action failed with the following error:  An instance of the service is already running.
4/12/2013 10:00:31 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001]  - The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000009f (0x00000003, 0x86aabb58, 0x83329ae0, 0x86066ab0). A dump was saved in: C:\windows\MEMORY.DMP. Report Id: 041213-17456-01.
4/12/2013 1:03:49 PM, Error: Service Control Manager [7000]  - The Multimedia Class Scheduler service failed to start due to the following error:  The client of a component requested an operation which is not valid given the state of the component instance.
4/12/2013 1:03:39 PM, Error: Service Control Manager [7031]  - The Background Intelligent Transfer Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/11/2013 11:24:38 AM, Error: iaStor [5]  - A parity error was detected on \Device\Ide\iaStor0.
.
==== End Of File ===========================

Attached file: attach.zip (4.06KB)



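One check worth running on the event-log excerpt above, as an added example (not part of the thread and not output of any tool it mentions): group the Service Control Manager 7031 events by the second they fired. Fourteen different services "terminated unexpectedly" at 2:05:56 AM; on Windows 7 all of them live in the same netsvcs svchost.exe instance, so a single host process dying (or being killed by a scanner, which is what the HitmanPro timestamp in post #6 suggests) produces exactly this burst, and it ties back to the runaway svchost.exe the opener described. The sample lines are copied verbatim from the excerpt; the function names and the threshold are this example's own.

```python
"""Cluster SCM 7031 "terminated unexpectedly" events by timestamp.

Added example for the BleepingComputer thread; the log lines below are copied
from the event-log excerpt in the thread, everything else is constructed.
"""
import re
from collections import defaultdict

# Sample input: copied from the thread's event-log excerpt (one 7032 line kept to show it is ignored).
LOG = """\
4/13/2013 2:07:56 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Multimedia Class Scheduler service, but this action failed with the following error:  An instance of the service is already running.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Windows Update service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Windows Management Instrumentation service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The User Profile Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Themes service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Task Scheduler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The System Event Notification Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Shell Hardware Detection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Multimedia Class Scheduler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The IP Helper service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Group Policy Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Extensible Authentication Protocol service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Computer Browser service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 2:05:56 AM, Error: Service Control Manager [7031]  - The Certificate Propagation service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/13/2013 1:55:56 AM, Error: Service Control Manager [7031]  - The Application Experience service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/12/2013 1:03:39 PM, Error: Service Control Manager [7031]  - The Background Intelligent Transfer Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
"""

# Event 7031 is the SCM's "service terminated unexpectedly" record; the display
# name sits between "The " and " service terminated unexpectedly".
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"Error: Service Control Manager \[(?P<eid>\d+)\]\s+-\s+"
    r"The (?P<svc>.+?) service terminated unexpectedly"
)


def crashes_by_second(log_text):
    """Map each timestamp to the list of services whose 7031 event carries it."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m and m.group("eid") == "7031":
            groups[m.group("ts")].append(m.group("svc"))
    return dict(groups)


def shared_host_candidates(log_text, min_services=3):
    """Timestamps at which at least min_services distinct services died together.

    Several unrelated services dying in the same second almost always means the
    process hosting them (for these services, svchost.exe) went down, not the
    services themselves.  min_services is an arbitrary threshold for this example.
    """
    return {ts: svcs for ts, svcs in crashes_by_second(log_text).items()
            if len(set(svcs)) >= min_services}


if __name__ == "__main__":
    for ts, svcs in shared_host_candidates(LOG).items():
        print(f"{ts}: {len(svcs)} services down together: {', '.join(svcs)}")
```

Feed it the text of a saved System event log export (or the "Event Log errors" section of a ComboFix report) and look at the clusters; the next question is which host process those services share, which `sc qc <service>` answers from the `BINARY_PATH_NAME` line.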
#3 Nwakeboard (Topic Starter)

Posted 13 April 2013 - 02:35 AM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.12.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Nancy :: NANCY-PC [administrator]

4/12/2013 10:52:24 PM
mbam-log-2013-04-12 (22-52-24).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 373721
Time elapsed: 58 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Edited by Nwakeboard, 13 April 2013 - 02:46 AM.


#4 Nwakeboard (Topic Starter)

Posted 13 April 2013 - 02:43 AM

MS Security Essentials, all deleted
 
Trojan:HTML/Redirector.BB
Items:
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SNYLUW78\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\95J6S137\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2YE2O0C\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5VFE8AK8\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GOTNMXRN\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GOTNMXRN\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GOTNMXRN\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GOTNMXRN\ajax-loading[2].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GOTNMXRN\ajax-loading[3].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PF41JJ3D\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XHD3KILD\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTCV5JZX\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XHD3KILD\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WU97SZDC\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IM9NG0AG\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHP4KRGG\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1KGVWS0O\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTCV5JZX\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTCV5JZX\ajax-loading[2].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTCV5JZX\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHP4KRGG\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1KGVWS0O\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WU97SZDC\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHP4KRGG\ajax-loading[1].gif
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IM9NG0AG\ajax-loading[1].gif

Exploit:JS/Blacole.GB
Items:
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2SB8NCGS\lad[1].htm

Trojan:JS/Tracur.F
Items:
containerfile:C:\Users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\gn3xjmvt.default\extensions\zzeamioqfp@zzeamioqfp.org.xpi
file:C:\Users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\gn3xjmvt.default\extensions\zzeamioqfp@zzeamioqfp.org.xpi->chrome/performance.jar->content/overlay.xul->(SCRIPT0000)

Trojan:Win32/Meredrop
Items:
file:C:\Users\Nancy\AppData\Local\Temp\A705.tmp

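The Tracur hit above is structured as extension .xpi, then a nested chrome/performance.jar, then content/overlay.xul, then an inline script, which is how a XUL-era Firefox extension injects code into every browser window (the other two detections sit under the LocalSystem profile's IE cache, so something running as SYSTEM, not the user's browser, fetched those). The script below, an added example and not the poster's or Microsoft's code, walks a Firefox profile's extensions directory and reports every script in every overlay, following nested jars the same way the scanner did. The fixture it builds is constructed for the example: only the extension ID and the jar/overlay path are taken from the MSE log, the script body is a harmless placeholder, since the real payload is not on the page.

```python
"""List overlay scripts carried by Firefox extensions (.xpi, with nested .jar).

Added example; the profile it scans in demo() is constructed here.  The
extension ID and the chrome/performance.jar -> content/overlay.xul path come
from the MSE detection in the thread; the script contents are placeholders.
"""
import io
import os
import re
import tempfile
import zipfile

# <script src="..."/> and <script>inline</script> both occur in XUL overlays.
SCRIPT_RE = re.compile(r"<script\b([^>]*?)(?:/>|>(.*?)</script>)", re.S | re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']*)["']""", re.I)


def overlay_scripts(xul_bytes):
    """Return one record per <script> element in an overlay: external src or inline size."""
    text = xul_bytes.decode("utf-8", "replace")
    records = []
    for m in SCRIPT_RE.finditer(text):
        attrs, body = m.group(1), m.group(2) or ""
        src = SRC_RE.search(attrs)
        records.append({"src": src.group(1) if src else None,
                        "inline_bytes": len(body.strip())})
    return records


def scan_xpi(xpi_path):
    """Open an .xpi and report scripts in every *.xul inside it or inside nested *.jar files."""
    findings = []

    def walk(zf, container):
        for name in zf.namelist():
            low = name.lower()
            if low.endswith(".xul"):
                for rec in overlay_scripts(zf.read(name)):
                    findings.append({"xpi": os.path.basename(xpi_path),
                                     "container": container, "path": name, **rec})
            elif low.endswith(".jar"):
                # chrome/*.jar is itself a zip; the flagged overlay lived one level down.
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as jar:
                    walk(jar, name)

    with zipfile.ZipFile(xpi_path) as xpi:
        walk(xpi, None)
    return findings


def triage_profile(profile_dir):
    """Scan every packed extension under <profile>/extensions (unpacked dirs are skipped here)."""
    ext_dir = os.path.join(profile_dir, "extensions")
    findings = []
    for entry in sorted(os.listdir(ext_dir)):
        if entry.lower().endswith(".xpi"):
            findings.extend(scan_xpi(os.path.join(ext_dir, entry)))
    return findings


def build_sample_profile(root):
    """Constructed fixture laid out like the flagged extension; the script body is a placeholder."""
    ext_dir = os.path.join(root, "extensions")
    os.makedirs(ext_dir, exist_ok=True)
    overlay = (b'<?xml version="1.0"?>\n'
               b'<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">\n'
               b'<script type="application/x-javascript">'
               b'/* placeholder, not the real payload */ window.addEventListener("load", function(){}, false);'
               b'</script>\n</overlay>\n')
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("content/overlay.xul", overlay)
    xpi_path = os.path.join(ext_dir, "zzeamioqfp@zzeamioqfp.org.xpi")
    with zipfile.ZipFile(xpi_path, "w") as xpi:
        xpi.writestr("install.rdf", "<RDF/>")
        xpi.writestr("chrome/performance.jar", jar_buf.getvalue())
    return root


def demo():
    """Build the constructed profile in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_profile(root)
        return triage_profile(root)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

On a live machine point `triage_profile` at `%APPDATA%\Mozilla\Firefox\Profiles\<profile>`; an extension you did not knowingly install whose overlay carries an inline script, or loads one from a chrome:// path inside its own jar, is the first thing to pull and read.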
#5 Nwakeboard (Topic Starter)

Posted 13 April 2013 - 02:45 AM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.12.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Nancy :: NANCY-PC [administrator]

4/13/2013 1:47:46 AM
mbam-log-2013-04-13 (01-47-46).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225065
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Edited by Nwakeboard, 13 April 2013 - 02:47 AM.


#6 Nwakeboard (Topic Starter)

Posted 13 April 2013 - 02:47 AM

HitmanPro 3.7.3.193
www.hitmanpro.com

   Computer name . . . . : NANCY-PC
   Windows . . . . . . . : 6.1.1.7601.X86/4
   User name . . . . . . : Nancy-PC\Nancy
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Trial (30 days left)

   Scan date . . . . . . : 2013-04-13 02:05:45
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 3m 29s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : Yes

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 10

   Objects scanned . . . : 1,119,605
   Files scanned . . . . : 33,091
   Remnants scanned  . . : 287,728 files / 798,786 keys

Miniport ____________________________________________________________________

   Primary
      DriverObject . . . : 86AA9DD8
      DriverName . . . . : \Driver\iaStor
      DriverPath . . . . : \SystemRoot\system32\DRIVERS\iaStor.sys
      StartIo  . . . . . : 00000000 +0
      IRP_MJ_SCSI  . . . : 88BC2C10 +0
   Secondary
      DriverObject . . . : 86ABE2B0
      DriverName . . . . : \Driver\iaStor
      DriverPath . . . . : \SystemRoot\system32\DRIVERS\iaStor.sys
      StartIo  . . . . . : 00000000 +0
      IRP_MJ_SCSI  . . . : 88BC1F3B +0
   Solution
      DriverObject . . . : 86ABE2B0
      DriverName . . . . : \Driver\iaStor
      DriverPath . . . . : \SystemRoot\system32\DRIVERS\iaStor.sys
      StartIo  . . . . . : 00000000 +0
      IRP_MJ_SCSI  . . . : 8B8638C6 \SystemRoot\system32\DRIVERS\iaStor.sys+268486

Malware _____________________________________________________________________

   Master Boot Record (sector 0)

    > HitmanPro  . . . . : Win32/Bootkit

      Partition	Type	LBA	Number of sectors
      0*	27	63	4803372
      1 	07	4803435	935063325
      2 	17	939866760	36901305
      3 	00	0	0

      0000  33 C0 8E D0 8E C0 8E D8 BC 00 7C BE 00 7C BF 00  3.........|..|..
      0010  06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB 60 B9 54  .......Ph....`.T
      0020  01 BD 2B 06 80 76 00 47 45 E2 F9 CF 51 38 40 C4  ..+..v.GE...Q8@.
      0030  69 54 43 57 E6 54 43 86 A7 41 E4 32 41 F3 0F F9  iTCW.TC..A.2A...
      0040  C3 40 80 41 C3 40 59 47 8A 54 F8 33 40 FE 4E 47  .@.A.@YG.T.3@.NG
      0050  AF A0 47 21 CC 03 53 B8 71 32 41 40 74 B8 AF 51  ..G!..S.q2A@t..Q
      0060  47 F9 FF 4F CC 49 F3 4F B4 E3 E6 F1 4F C2 87 32  G..O.I.O....O..2
      0070  AA 26 AD 47 47 47 47 27 81 41 E5 40 57 80 41 E3  .&.GGGG'.A.@W.A.
      0080  40 46 47 49 C8 41 EF 40 80 41 E1 40 F5 4F 21 B8  @FGI.A.@.A.@.O!.
      0090  71 D3 40 21 C8 41 ED 40 21 B8 71 DF 40 21 C8 41  q.@!.A.@!.q.@!.A
      00A0  E9 40 21 07 21 6E 41 ED 40 21 C4 59 E9 40 47 F3  .@!.!nA.@!.Y.@G.
      00B0  05 F9 E5 40 CD 51 38 40 8A 54 FD 43 43 21 B8 71  ...@.Q8@.T.CC!.q
      00C0  ED 40 21 C8 41 C7 40 21 C6 71 C7 40 01 15 D1 05  .@!.A.@!.q.@....
      00D0  F9 C7 40 74 87 6C B8 74 9C CF D8 F5 40 B9 84 32  ..@t.l.t....@..2
      00E0  BF CD C8 F5 40 45 43 45 86 CC BF CD EA F5 40 CF  ....@ECE......@.
      00F0  E8 F5 40 CF CA F5 40 01 B9 89 32 43 6C B5 CD B5  ..@...@...2Cl...
      0100  B9 84 32 9A F9 F5 4F FD 47 45 48 F1 9C 48 F1 84  ..2...O.GEH..H..
      0110  74 B8 B9 84 CD C8 F5 40 45 86 CC BF CD EA F5 40  t......@E......@
      0120  CF CA F5 40 CF E8 F5 40 45 8A 75 AA CC BE CD CA  ...@...@E.u.....
      0130  F5 40 77 4B 01 0D 32 9D 26 84 21 74 87 AF 70 B8  .@wK..2.&.!t..p.
      0140  C6 79 F5 4F 0F 03 33 4A 21 B8 49 D3 40 21 C4 59  .y.O..3J!.I.@!.Y
      0150  DF 40 47 AC A2 CC AE FC 42 47 F9 FF 4F B4 E1 6C  .@G.....BG..O..l
      0160  B2 C2 8E 33 49 44 B6 C4 81 67 6C 8A 44 BE CC 8A  ...3ID...gl.D...
      0170  0C 32 AD 84 74 70 75 71 76 77 74 73 47 6C 41 20  .2..tpuqvwtsGlA 
      0180  6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69 6E  loading operatin
      0190  67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E 67  g system.Missing
      01A0  20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65   operating syste
      01B0  6D 00 00 00 00 00 00 00 00 E7 D4 E2 00 00 80 01  m...............
      01C0  01 00 27 FE 7F 2A 3F 00 00 00 2C 4B 49 00 00 00  ..'..*?...,KI...
      01D0  41 2B 07 FE FF FF 6B 4B 49 00 1D EF BB 37 00 00  A+....kKI....7..
      01E0  C1 FF 17 FE FF FF 88 3A 05 38 B9 11 33 02 00 00  .......:.8..3...
      01F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U.



Potential Unwanted Programs _________________________________________________

   HKLM\SOFTWARE\Classes\s\ (Softonic)

Cookies _____________________________________________________________________

   C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Cookies\4ZLDZF0O.txt
   C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Cookies\AC7OKS6B.txt
   C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Cookies\D0GB7RA9.txt
   C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Cookies\H57PQ2SD.txt
   C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Cookies\IGMC7XUM.txt
   C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Cookies\O5C7DPOM.txt
   C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Cookies\OEO8XTTD.txt
   C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Cookies\RGKSELVD.txt
   C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Cookies\YP6M2LDX.txt




#7 Nwakeboard (Topic Starter)

Posted 13 April 2013 - 03:21 AM

ComboFix run a second time. It caused all programs to report "illegal operation attempted on a registry key that has been marked for deletion". Fixed by rebooting the computer.

 

ComboFix 13-04-12.02 - Nancy 04/13/2013   3:58.2.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3056.1639 [GMT -4:00]
Running from: c:\users\Nancy\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-13 to 2013-04-13  )))))))))))))))))))))))))))))))
.
.
2013-04-13 08:04 . 2013-04-13 08:04    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-04-13 07:55 . 2013-04-13 07:55    29904    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3FA8C45-6645-4601-ADD4-D56877208607}\MpKsl471086dc.sys
2013-04-13 07:37 . 2013-04-13 07:37    --------    d-----w-    c:\users\Nancy\AppData\Roaming\HPAppData
2013-04-13 06:44 . 2013-04-13 08:04    --------    d-----w-    c:\users\Nancy\AppData\Local\temp
2013-04-13 06:25 . 2013-04-13 06:25    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-13 06:25 . 2013-04-13 06:25    691592    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-04-13 06:20 . 2013-04-13 06:20    --------    d-----w-    c:\program files\Common Files\Adobe
2013-04-13 05:55 . 2013-04-13 05:55    --------    d-----w-    c:\program files\HitmanPro
2013-04-13 05:38 . 2013-04-13 06:09    --------    d-----w-    c:\programdata\HitmanPro
2013-04-13 02:39 . 2013-04-13 02:39    31560    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-04-12 21:31 . 2013-04-12 21:31    --------    d-----w-    c:\program files\WinDirStat
2013-04-12 14:59 . 2013-04-12 14:59    --------    d-----w-    c:\program files\Common Files\Java
2013-04-12 14:59 . 2013-04-12 14:59    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-04-12 14:59 . 2013-04-12 14:59    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-04-12 14:09 . 2013-03-15 07:21    7108640    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3FA8C45-6645-4601-ADD4-D56877208607}\mpengine.dll
2013-04-11 12:32 . 2013-03-15 07:21    7108640    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-10 12:38 . 2013-03-01 03:09    2347008    ----a-w-    c:\windows\system32\win32k.sys
2013-04-10 12:38 . 2013-01-24 04:47    196328    ----a-w-    c:\windows\system32\drivers\fvevol.sys
2013-04-10 12:38 . 2013-03-19 05:04    3968856    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-04-10 12:38 . 2013-03-19 05:04    3913560    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-04-10 12:38 . 2013-03-19 04:48    38912    ----a-w-    c:\windows\system32\csrsrv.dll
2013-04-10 12:38 . 2013-03-19 02:49    69632    ----a-w-    c:\windows\system32\smss.exe
2013-04-10 12:38 . 2013-02-15 04:37    3217408    ----a-w-    c:\windows\system32\mstscax.dll
2013-04-10 12:38 . 2013-02-15 04:34    131584    ----a-w-    c:\windows\system32\aaclient.dll
2013-04-10 12:38 . 2013-02-15 03:25    36864    ----a-w-    c:\windows\system32\tsgqec.dll
2013-03-21 01:01 . 2012-11-28 13:46    740840    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B123AF86-F74A-44D3-9F1D-2A21FFAA56E1}\gapaengine.dll
2013-03-18 12:22 . 2013-02-12 03:32    15872    ----a-w-    c:\windows\system32\drivers\usb8023.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-13 07:12 . 2013-04-13 07:12    4161    ----a-w-    C:\attach.zip
2013-04-12 14:59 . 2011-01-18 17:09    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-04-04 18:50 . 2012-07-15 20:58    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-04-02 10:33 . 2011-01-18 15:31    237088    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-04 14:32 . 2013-03-04 14:32    10    ----a-w-    c:\windows\Fonts\wfonts.key
2013-02-12 04:48 . 2013-03-13 13:43    474112    ----a-w-    c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 13:43    2176512    ----a-w-    c:\windows\apppatch\AcGenral.dll
2013-01-20 20:59 . 2013-01-20 20:59    195296    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2013-01-20 20:59 . 2012-08-31 02:03    100328    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2013-04-10 06:58 . 2013-04-13 06:14    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ATFPUOverlayIcon]
@="{3239DBC1-B76D-4dc7-8B29-D99CBA3C7336}"
[HKEY_CLASSES_ROOT\CLSID\{3239DBC1-B76D-4dc7-8B29-D99CBA3C7336}]
2009-12-23 15:57    147888    ------w-    c:\program files\TOSHIBA\TFPU\TFPUOverlayIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ------w-    c:\users\Nancy\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ------w-    c:\users\Nancy\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ------w-    c:\users\Nancy\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32    129272    ------w-    c:\users\Nancy\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-12-17 59872]
"ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2012-12-17 59872]
"com.apple.dav.bookmarks.daemon"="c:\program files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe" [2012-12-17 59872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-11 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2009-10-01 111640]
"nwiz"="nwiz.exe" [2010-01-14 1657448]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-15 13838952]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-30 7856128]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-12-09 2454840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-09-11 241664]
"TFPUPWDBankService"="c:\program files\TOSHIBA\TFPU\TFPUPWDBank.exe" [2009-12-23 888752]
"TFPUService"="c:\program files\TOSHIBA\TFPU\TFPUTaskMonitor.exe" [2009-12-23 784304]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-10-20 163840]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-11-06 480608]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2010-03-25 742712]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 22840]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-11-05 611672]
"TUSBSleepChargeSrv"="c:\program files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe" [2009-10-26 253312]
"ToshibaAppPlace"="c:\program files\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-06-11 552960]
"TosReelTimeMonitor"="c:\program files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [2010-02-24 30040]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-01-19 1206544]
"PeachtreePrefetcher.exe"="c:\program files\Sage Software\Peachtree\PeachtreePrefetcher.exe" [2012-11-06 320368]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"AgentUiRunKey"="c:\program files\Remote Data Backups\Agent.exe" [2010-09-25 239104]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
c:\users\Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
Dropbox.lnk - c:\users\Nancy\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-11-6 2717024]
BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Ultimate\BBStartup.exe [2011-1-18 46464]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-18 19:08    946352    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 21:13    54576    ------w-    c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 18:57    152544    ------w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2008-09-25 23:49    195080    ------w-    c:\program files\ltmoh\ltmoh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 16:12    288080    ------w-    c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36    421888    ------w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-01-08 17:59    18705664    ----a-r-    c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-11-11 11:28    39408    ------w-    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Teco]
2010-02-26 02:58    1323008    ------w-    c:\program files\TOSHIBA\TECO\Teco.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSDCR]
2007-08-28 18:30    169296    ------w-    c:\program files\TOSHIBA\PasswordUtility\TOSDCR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosNC]
2010-02-24 05:14    467816    ------w-    c:\program files\TOSHIBA\BulletinBoard\TosNcCore.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosWaitSrv]
2010-02-06 01:49    611672    ------w-    c:\program files\TOSHIBA\TPHM\TosWaitSrv.exe
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [x]
R4 BBWatcherService;BBWatcherService;c:\program files\CMS Products\BounceBack Ultimate\BBWatcherService.exe [x]
R4 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [x]
R4 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [x]
R4 CMSITService;BounceBack ITConsole Service;c:\program files\CMS Products\BounceBack Ultimate\CMSITService.exe [x]
R4 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [x]
R4 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R4 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [x]
R4 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [x]
R4 Sage 50 SmartPosting 2013;Sage 50 SmartPosting 2013;c:\program files\Sage Software\Peachtree\SmartPostingService2013.exe [x]
R4 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
R4 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [x]
R4 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
R4 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
R4 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [x]
S1 MpKsl471086dc;MpKsl471086dc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3FA8C45-6645-4601-ADD4-D56877208607}\MpKsl471086dc.sys [x]
S2 AgentService;AgentService;c:\program files\Remote Data Backups\AgentService.exe [x]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [x]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
S2 LV_Tracker;LV_Tracker;c:\windows\system32\DRIVERS\LV_Tracker.sys [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [x]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [x]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [x]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [x]
S3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL471086DC
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
HPService    REG_MULTI_SZ       HPSLPSVC
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-10 17:35    1642448    ----a-w-    c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-12 c:\windows\Tasks\CMS Application Updater.job
- c:\program files\CMS Products\Updater\CmsUpdater.exe [2011-01-18 17:28]
.
2013-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-11 11:29]
.
2013-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-11 11:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
uInternet Settings,ProxyOverride = <local>;*.local
TCP: DhcpNameServer = 10.0.1.1
FF - ProfilePath - c:\users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\x8xk98s5.default\
FF - ExtSQL: 2013-04-13 02:17; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\x8xk98s5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-04-13 02:18; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\x8xk98s5.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-04-13 02:18; {3d7eb24f-2740-49df-8937-200b1cc08f8a}; c:\users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\x8xk98s5.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}.xpi
FF - ExtSQL: !HIDDEN! 2012-12-27 10:07; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.3.198\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4136)
c:\program files\TOSHIBA\TFPU\TFPUOverlayIcon.dll
c:\users\Nancy\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
c:\program files\Toshiba\Bluetooth Toshiba Stack\sys\TosBtExt.dll
c:\program files\Common Files\Apple\Internet Services\ShellStreams.dll
.
Completion time: 2013-04-13  04:05:24
ComboFix-quarantined-files.txt  2013-04-13 08:05
ComboFix2.txt  2013-04-13 06:44
.
Pre-Run: 388,999,958,528 bytes free
Post-Run: 389,859,405,824 bytes free
.
- - End Of File - - 618B84E4AC5287A7522099183D7AF6B6
 


Edited by Nwakeboard, 13 April 2013 - 03:22 AM.


#8 gringo_pr (Malware Response Team)

Posted 13 April 2013 - 06:30 AM


Hello Nwakeboard

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next; if you have any problems with one of these, just skip it and run the next one.

-Security Check-
  • Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator" to start
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller
  • Gringo




I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 Nwakeboard (Topic Starter)

Posted 13 April 2013 - 08:15 AM

 Results of screen317's Security Check version 0.99.62  
 Windows 7 Service Pack 1 x86 (UAC is disabled!)  
 Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
 Java 7 Update 17  
 Adobe Flash Player     11.7.700.169  
 Adobe Reader XI  
 Mozilla Firefox (20.0.1)
 Google Chrome 26.0.1410.43  
 Google Chrome 26.0.1410.64  
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

======================================================================================================================

 

# AdwCleaner v2.200 - Logfile created 04/13/2013 at 09:01:57
# Updated 02/04/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : Nancy - NANCY-PC
# Boot Mode : Normal
# Running from : C:\Users\Nancy\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\Partner

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\x8xk98s5.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Users\Nancy\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1361 octets] - [13/04/2013 09:01:57]

########## EOF - C:\AdwCleaner[S1].txt - [1421 octets] ##########
 

 

======================================================================================================================

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Nancy [Admin rights]
Mode : Remove -- Date : 04/13/2013 09:11:20
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST95005620AS +++++
--- User ---
[MBR] d4143d10c8c6e2bb15465177e3766315
[BSP] 6bffb03effa36fd4d17a4c19902d48f5 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 2345 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 4803435 | Size: 456573 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 939866760 | Size: 18018 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_04132013_02d0911.txt >>
RKreport[1]_S_04132013_02d0909.txt ; RKreport[2]_D_04132013_02d0911.txt
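The logs above turn on two things a responder would re-check after the tools finish: the ComboFix output listed UAC switched off (EnableLUA=0, PromptOnSecureDesktop=0, with Security Check later reporting "UAC is disabled!"), and RogueKiller then reset those policy values and printed the hosts file. The script below is an added example, not part of this thread and not code from ComboFix, RogueKiller or any other tool named here. It re-audits the UAC policy key and the hosts file on the cleaned machine from an elevated PowerShell 3 or later prompt. The registry path, the "secure" values it expects (Windows 7 defaults: EnableLUA=1, PromptOnSecureDesktop=1, ConsentPromptBehaviorAdmin not 0; DisableRegistryTools should be absent, as RogueKiller left it) and the hosts-file location are assumptions I am supplying, not something the logs state. One caveat on the RogueKiller MBR section: partition type 0x17 is a hidden NTFS partition, which on an OEM laptop is normally the recovery partition rather than a sign of compromise.

```powershell
# Added audit script (example only, not from the thread or any tool it names).
# Re-checks the UAC policy values that ComboFix showed disabled and RogueKiller
# reset, then looks for hosts-file entries other than the localhost mapping.
# Run from an elevated PowerShell 3+ prompt. Paths and expected values are assumptions.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-UacFinding {
    param([string]$Key = $PolicyKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction Stop
    # Each check: the value name, a scriptblock that returns $true when the stored
    # value is a problem, and a one-line explanation for the report.
    $checks = @(
        @{ Name = 'EnableLUA';                  Bad = { param($v) $v -ne 1 };     Why = 'UAC is switched off' }
        @{ Name = 'PromptOnSecureDesktop';      Bad = { param($v) $v -ne 1 };     Why = 'elevation prompts are not on the secure desktop' }
        @{ Name = 'ConsentPromptBehaviorAdmin'; Bad = { param($v) $v -eq 0 };     Why = '0 = administrators elevate silently, no prompt' }
        @{ Name = 'ConsentPromptBehaviorUser';  Bad = { param($v) $false };       Why = 'informational: 0 = deny, 1/3 = prompt for credentials' }
        @{ Name = 'DisableRegistryTools';       Bad = { param($v) $null -ne $v }; Why = 'value present; normally absent, used to lock out regedit' }
    )
    foreach ($c in $checks) {
        $value = $p.($c.Name)          # $null when the value does not exist
        [pscustomobject]@{
            Name   = $c.Name
            Value  = if ($null -eq $value) { '<absent>' } else { $value }
            Status = if (& $c.Bad $value) { 'FLAG' } else { 'ok' }
            Note   = $c.Why
        }
    }
}

function Get-HostsFinding {
    param([string]$Path = $HostsPath)
    Get-Content -Path $Path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()        # strip comments and padding
        if (-not $line) { return }               # skip blank / comment-only lines
        $parts = $line -split '\s+'
        $ip    = $parts[0]
        $names = @($parts | Select-Object -Skip 1)
        # The only entry expected on a clean Windows 7 box is the loopback -> localhost
        # line RogueKiller printed. Anything else (search engines, AV vendors, update
        # hosts pointed at 127.0.0.1 or at a remote address) needs a second look.
        $loopback  = @('127.0.0.1', '::1') -contains $ip
        $onlyLocal = @($names | Where-Object { $_ -notmatch '^(localhost|localhost\.localdomain)$' }).Count -eq 0
        if (-not ($loopback -and $onlyLocal)) {
            [pscustomobject]@{ IP = $ip; Names = ($names -join ' '); Status = 'FLAG' }
        }
    }
}

'--- UAC policy values ---'
Get-UacFinding   | Format-Table -AutoSize
'--- hosts entries other than localhost (none is the clean result) ---'
Get-HostsFinding | Format-Table -AutoSize
```

Anything marked FLAG in the first table means the repair RogueKiller reported did not stick (or something re-disabled UAC after the reboot); the second table should be empty on a machine whose hosts file matches the one printed in the log above.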

 



#10 gringo_pr (Malware Response Team)

Posted 13 April 2013 - 08:47 AM


Hello Nwakeboard

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

  • Gringo





#11 gringo_pr (Malware Response Team)

Posted 17 April 2013 - 01:08 AM


Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.




Gringo

#12 gringo_pr (Malware Response Team)

Posted 19 April 2013 - 11:50 PM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo

#13 gringo_pr (Malware Response Team)

Posted 24 April 2013 - 10:14 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



