Inksdata.com infection


  • This topic is locked
39 replies to this topic

#1 stillanovice

  • Members
  • 125 posts
  • Gender:Female
  • Location:Maine

Posted 28 April 2013 - 07:50 PM

My daughter downloaded SIMS Carnival about 2 weeks ago, and ever since then, it's been popups like crazy.  The address that shows up is inksdata.com.  I've uninstalled the game and anything else installed on the same day.  I got rid of Google Chrome because I read that the virus "hides" in the extensions.  I've run MBAM 3 times.  The first time there were 6 items to be removed.  The next two times, no infections, but still plenty of popups.  I really don't have a clue about how it works, but I just want it gone.  Can someone help me with this?  I would be so appreciative!  Thank you!




#2 gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 28 April 2013 - 08:09 PM


Hello stillanovice

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.





I need to get some reports to get a base to start from so I need you to run these programs first.


-DeFogger-
  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
  • Do not re-enable these drivers until otherwise instructed.
-Security Check-
  • Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-Download DDS-
  • Please download DDS from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply
-Information and logs-
  • In your next post I need the following:
    • both reports from DDS
    • report from Security Check
    • let me know of any problems you may have had
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 03 May 2013 - 05:24 AM


Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.




Gringo

#4 stillanovice
  • Topic Starter

  • Members
  • 125 posts
  • Gender:Female
  • Location:Maine

Posted 04 May 2013 - 12:08 PM

So sorry for the delay - seems there is always something coming up, and I can never find a sufficient block of time to work on this!  Finally, I was able to do your first set of instructions.   Reports follow.   Inksdata window still popping up on a regular basis :)   P.S. Thank you for hanging in there for me!

Screen 317's Security Check

Results of screen317's Security Check version 0.99.63
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
Java™ 6 Update 33
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Symantec Norton Online Backup NOBuAgent.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

DDS Notepad

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 10.0.9200.16537

Run by user at 12:53:45 on 2013-05-04

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1979.342 [GMT -4:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe

C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\PROGRA~2\ZWINKY~2\bar\1.bin\5qbarsvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe

C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe

C:\Program Files\Realtek\RtVOsd\RtVOsd.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe

C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qbrmon.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\Windows\system32\Macromed\Flash\FlashUtil64_11_3_300_265_ActiveX.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\Program Files (x86)\WordPerfect Office 12\Programs\wpwin12.exe

C:\Windows\splwow64.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

c:\program files\windows defender\MpCmdRun.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uURLSearchHooks: <No Name>: {cc2e2b99-14d3-4516-883c-9ea147f594ef} -

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {5F815AD7-A955-4943-91C4-7A96C2932399} - <orphaned>

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Arcadesafari BHO: {adff4c9a-4f49-4a1f-8885-360e107b7938} -

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll

TB: Zwinky: {3033124f-06bf-4829-873a-310a125b4d4c} -

uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

uRun: [ZumoDrive] C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk

uRun: [DW7] "C:\Program Files (x86)\The Weather Channel\The Weather Channel App\TWCApp.exe"

mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [WordPerfect Office 1215] C:\Program Files (x86)\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=051912 serial=WA12WRX-0000002-HMD lang=EN

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

mRun: [ZumoDrive] "C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Zwinky_5q Browser Plugin Loader] C:\PROGRA~2\ZWINKY~2\bar\1.bin\5qbrmon.exe

dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\IMAGEB~1.LNK - C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe

DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

TCP: NameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{5234EEB6-9645-4B41-80B9-9D92E56E0DAB} : DHCPNameServer = 10.20.0.1

TCP: Interfaces\{7CCAF969-A696-496F-B8CC-70FF3A2DAD84} : DHCPNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{7CCAF969-A696-496F-B8CC-70FF3A2DAD84}\E4544574541425 : DHCPNameServer = 192.168.1.1

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s

x64-Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden

x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

x64-DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2012-5-1 98208]

R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-27 86528]

R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-7-21 103992]

R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896]

R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]

R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]

R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-9-11 399344]

R2 RtVOsdService;RtVOsdService Installer;C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [2010-6-24 315392]

R2 Zwinky_5qService;ZwinkyService;C:\PROGRA~2\ZWINKY~2\bar\1.bin\5qbarsvc.exe [2012-7-25 42528]

R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2010-9-29 31088]

R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2012-5-1 1041760]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-5-1 347680]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]

S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]

S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]

S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-5-6 59392]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-2-15 52736]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-5-5 1255736]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]

.

=============== Created Last 30 ================

.

2013-05-04 16:53:06 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{953A5EF3-15D4-49D4-AAC2-1F22CA1A17F4}\offreg.dll

2013-05-03 18:24:56 -------- d-----w- C:\Users\user\AppData\Local\Adobe

2013-05-03 11:48:40 9317456 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{953A5EF3-15D4-49D4-AAC2-1F22CA1A17F4}\mpengine.dll

2013-04-29 02:10:02 -------- d-----w- C:\Users\user\AppData\Local\Apple

2013-04-29 02:09:12 -------- d-----w- C:\Users\user\AppData\Local\Apple Computer

2013-04-25 18:02:54 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-04-24 10:47:20 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2013-04-19 17:54:10 -------- d-----w- C:\Users\user\AppData\Roaming\Oberon Media

2013-04-19 17:51:57 -------- d-----w- C:\Users\user\AppData\Roaming\OpenCandy

2013-04-18 13:49:30 -------- d-----w- C:\Users\user\AppData\Roaming\Virtual City

2013-04-18 13:39:01 -------- d-----w- C:\Users\user\AppData\Roaming\Strongvault

2013-04-18 13:38:37 -------- d-----w- C:\Program Files (x86)\OApps

2013-04-18 13:37:38 -------- d-sh--w- C:\Windows\SysWow64\AI_RecycleBin

2013-04-18 13:37:31 -------- d-----w- C:\ProgramData\Strongvault Online Backup

2013-04-18 13:37:20 -------- d-sh--w- C:\AI_RecycleBin

2013-04-17 19:46:22 -------- d-----w- C:\Program Files (x86)\Microsoft Games

2013-04-11 11:00:34 223752 ----a-w- C:\Windows\System32\drivers\fvevol.sys

2013-04-11 11:00:24 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe

2013-04-11 11:00:20 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2013-04-11 11:00:19 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2013-04-11 11:00:17 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll

2013-04-11 11:00:17 43520 ----a-w- C:\Windows\System32\csrsrv.dll

2013-04-11 11:00:17 112640 ----a-w- C:\Windows\System32\smss.exe

2013-04-11 10:59:59 3717632 ----a-w- C:\Windows\System32\mstscax.dll

2013-04-11 10:59:57 3217408 ----a-w- C:\Windows\SysWow64\mstscax.dll

2013-04-11 10:59:56 158720 ----a-w- C:\Windows\System32\aaclient.dll

2013-04-11 10:59:56 131584 ----a-w- C:\Windows\SysWow64\aaclient.dll

2013-04-11 10:59:55 44032 ----a-w- C:\Windows\System32\tsgqec.dll

2013-04-11 10:59:54 36864 ----a-w- C:\Windows\SysWow64\tsgqec.dll

2013-04-11 10:59:31 3153408 ----a-w- C:\Windows\System32\win32k.sys

.

==================== Find3M ====================

.

2013-05-02 06:06:08 278800 ------w- C:\Windows\System32\MpSigStub.exe

2013-04-25 18:04:59 92160 ----a-w- C:\Windows\System32\SetIEInstalledDate.exe

2013-04-25 18:04:59 51200 ----a-w- C:\Windows\System32\imgutil.dll

2013-04-25 18:04:59 13824 ----a-w- C:\Windows\System32\mshta.exe

2013-04-25 18:04:59 135680 ----a-w- C:\Windows\System32\IEAdvpack.dll

2013-04-25 18:04:58 77312 ----a-w- C:\Windows\System32\tdc.ocx

2013-04-25 18:04:58 48640 ----a-w- C:\Windows\System32\mshtmler.dll

2013-04-25 18:04:58 3958784 ----a-w- C:\Windows\System32\jscript9.dll

2013-04-25 18:04:58 136704 ----a-w- C:\Windows\System32\iesysprep.dll

2013-04-04 18:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-03-20 10:52:06 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll

2013-03-20 10:52:02 175616 ----a-w- C:\Windows\System32\msclmd.dll

2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll

2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll

2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll

2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll

2013-02-12 04:12:05 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys

.

============= FINISH: 12:55:01.36 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 5/1/2012 7:00:37 PM

System Uptime: 5/4/2013 10:16:16 AM (2 hours ago)

.

Motherboard: Hewlett-Packard | | 1605

Processor: Intel® Celeron® CPU 900 @ 2.20GHz | CPU | 2194/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 214 GiB total, 105.071 GiB free.

D: is FIXED (NTFS) - 19 GiB total, 2.736 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP146: 4/17/2013 3:34:08 PM - Installed Microsoft Visual C++ 2005 Redistributable

RP147: 4/17/2013 3:44:12 PM - Installed ProductName from default.wxl

RP148: 4/20/2013 8:22:45 AM - Windows Update

RP149: 4/21/2013 10:06:13 AM - Windows Update

RP150: 4/24/2013 9:38:23 PM - Removed Google Earth.

RP151: 4/24/2013 10:04:46 PM - Windows Update

RP152: 4/25/2013 1:57:42 PM - Windows Update

RP153: 4/30/2013 6:28:31 AM - Windows Update

RP154: 5/3/2013 7:48:07 AM - Windows Update

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader 9.5.1 MUI

Adobe Shockwave Player 11.5

Agatha Christie - Peril at End House

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Bejeweled 2 Deluxe

Blackhawk Striker 2

Blasterball 3

Blio

Bonjour

Bounce Symphony

Build-a-lot 2

Cake Mania

Canon PowerShot A4000 IS and A3400 IS and A2400 IS and A2300 and A1300 and A810 Camera User Guide

Canon Utilities CameraWindow DC 8

Canon Utilities ImageBrowser EX

Canon Utilities PhotoStitch

Chuzzle Deluxe

Compaq Setup Manager

CyberLink DVD Suite

CyberLink MediaShow

CyberLink PowerDVD 9

CyberLink YouCam

D3DX10

DHTML Editing Component

Diner Dash 2 Restaurant Rescue

Dora's World Adventure

eMazing Mazes

Energy Star Digital Logo

Escape Rosecliff Island

ESU for Microsoft Windows 7

Farm Frenzy

Fashion Solitaire

FATE

Final Drive Nitro

Heroes of Hellas 2 - Olympia

Hewlett-Packard ACLM.NET v1.2.1.1

HP Auto

HP Client Services

HP CloudDrive

HP Customer Experience Enhancements

HP Documentation

HP Game Console

HP Games

HP MovieStore

HP Photo Creations

HP Power Manager

HP Quick Launch

HP Setup

HP Software Framework

HP Support Assistant

HP Wireless Assistant

Intel® Graphics Media Accelerator Driver

Intel® Rapid Storage Technology

IrfanView (remove only)

iTunes

Java Auto Updater

Java™ 6 Update 21 (64-bit)

Java™ 6 Update 33

Jewel Quest Solitaire 2

Junk Mail filter update

LabelPrint

LEGO Creator

LightScribe System Software

Malwarebytes Anti-Malware version 1.75.0.1300

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Office 2010

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft WSE 3.0 Runtime

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Mystery P.I. - The London Caper

Norton Online Backup

Origin

Peggle Nights 1.0

Penguins!

Plants vs. Zombies

PlayReady PC Runtime x86

Poker Superstars III

Polar Bowler

Polar Golfer

Power2Go

PowerDirector

Ralink RT2860 Wireless LAN Card

Realtek Ethernet Controller Driver For Windows 7

Realtek High Definition Audio Driver

Recovery Manager

RoxioNow Player

RtVOsd

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

Synaptics Pointing Device Driver

The Sims 3 Teaser

The Sims™ 2 Sampler - Create-A-Sim

TONKA Firefighter

Turbo Lister 2

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Virtual Families

Virtual Villagers 4 - The Tree of Life

Wheel of Fortune 2

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live Mail

Windows Live Messenger

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

WordPerfect Office 12

Zoo Tycoon: Complete Collection

Zuma Deluxe

.

==== Event Viewer Messages From Past Week ========

.

5/3/2013 11:34:22 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} and APPID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user user-HP\user SID (S-1-5-21-1392159129-2078248977-845139479-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

5/3/2013 11:33:16 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WinDefend service.

5/3/2013 10:26:36 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.

5/1/2013 8:15:45 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HPWMISVC service.

5/1/2013 6:13:47 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{7CCAF969-A696-496F-B8CC-70FF3A2DAD84} because another computer on the network has the same name. The server could not start.

4/29/2013 7:12:20 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the RtVOsdService service.

4/27/2013 6:32:09 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

.

==== End Of File ===========================



#5 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 May 2013 - 12:23 PM


Hello stillanovice


These are the programs I would like you to run next. If you have any problems with these, just skip it and move on to the next one.


-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator" to start
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 stillanovice
  • Topic Starter
  • Members
  • 125 posts
  • Gender:Female
  • Location:Maine

Posted 04 May 2013 - 02:07 PM

I have the report for the AdwCleaner saved to a WordPerfect document.  For some reason, I can copy it, but Paste is not bold when I right click, so I can't paste.  The RogueKiller had a user agreement that talks about "data grabbing."  Is this a usual thing?  Should I worry about that?



#7 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 May 2013 - 02:28 PM

That is not something to worry about.


gringo

#8 stillanovice
  • Topic Starter
  • Members
  • 125 posts
  • Gender:Female
  • Location:Maine

Posted 04 May 2013 - 03:10 PM

I've done both reports - here they are:

# AdwCleaner v2.300 - Logfile created 05/04/2013 at 13:48:03

# Updated 28/04/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : user - USER-HP

# Boot Mode : Normal

# Running from : C:\Users\user\Downloads\adwcleaner.exe

# Option [Delete]

 

***** [Services] *****

Stopped & Deleted : Zwinky_5qService

***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

File Deleted : C:\user.js

Folder Deleted : C:\Program Files (x86)\1ClickDownload

Folder Deleted : C:\Program Files (x86)\DealPly

Folder Deleted : C:\Program Files (x86)\Gophoto.it

Folder Deleted : C:\Program Files (x86)\OApps

Folder Deleted : C:\Program Files (x86)\Zwinky_5q

Folder Deleted : C:\ProgramData\Ask

Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DealPly

Folder Deleted : C:\ProgramData\Tarma Installer

***** [Registry] *****

Key Deleted : HKCU\Software\1ClickDownload

Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider

Key Deleted : HKCU\Software\AppDataLow\Software\PricePeep

Key Deleted : HKCU\Software\AppDataLow\Software\Zwinky_5q

Key Deleted : HKCU\Software\Cr_Installer

Key Deleted : HKCU\Software\Google\Chrome\Extensions\gaiilaahiahdejapggenmdmafpmbipje

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3033124F-06BF-4829-873A-310A125B4D4C}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3033124F-06BF-4829-873A-310A125B4D4C}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Deleted : HKCU\Software\Softonic

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}

Key Deleted : HKLM\SOFTWARE\Classes\1ClicktorrentFile

Key Deleted : HKLM\SOFTWARE\Classes\1ClicktorrentFile1

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\PropertySync.EXE

Key Deleted : HKLM\SOFTWARE\Classes\oneclick

Key Deleted : HKLM\SOFTWARE\Classes\oneclickmg

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{03119103-0854-469D-807A-171568457991}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{06CEAB46-0EFC-479A-B66B-AB6B11E1138A}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3B82BA62-32FD-4623-BB38-464D186E7453}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{644413C0-4090-4A84-BC29-DC69E91A7D73}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{648CEC5D-18E0-4445-9A17-C1589D0C9169}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{782D4CC0-74AE-41B6-B445-3D4C23AE6B9A}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B6CC4C24-962F-4314-9358-C998FD4B4288}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{BD48A3C7-5201-4093-AB66-04BD35BAC3D8}

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.DynamicBarButton

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.DynamicBarButton.1

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.FeedManager

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.FeedManager.1

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.HTMLMenu

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.HTMLMenu.1

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.MultipleButton

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.MultipleButton.1

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.PseudoTransparentPlugin

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.PseudoTransparentPlugin.1

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.Radio

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.Radio.1

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.ScriptButton

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.ScriptButton.1

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.SkinLauncher

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.SkinLauncher.1

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.ThirdPartyInstaller

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.ThirdPartyInstaller.1

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.UrlAlertButton

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.UrlAlertButton.1

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.XMLSessionPlugin

Key Deleted : HKLM\SOFTWARE\Classes\Zwinky_5q.XMLSessionPlugin.1

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\Software\DealPly

Key Deleted : HKLM\Software\Freeze.com

Key Deleted : HKLM\Software\Iminent

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Deal Vault_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Deal Vault_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\deal vault-bg_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\deal vault-bg_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Deal Vault-InternalInstaller_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Deal Vault-InternalInstaller_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{315C7727-2B4D-4EF9-95FA-EA6CDA9AEB9D}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{35DAB87A-026F-4503-B5F1-6774E16EAFFA}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8C775DBE-2382-4EAB-A48A-6859C3B9EF29}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A00289B5-2C16-4EC7-9780-2B56977ADC65}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F464A68D-1CF2-4991-93AB-A84351D7F676}

Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@Zwinky_5q.com/Plugin

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00FB52B5-0779-46DD-AFC6-C6EB55F21A26}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{13119113-0854-469D-807A-171568457991}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3033124F-06BF-4829-873A-310A125B4D4C}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{315C7727-2B4D-4EF9-95FA-EA6CDA9AEB9D}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{33119133-0854-469D-807A-171568457991}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{35DAB87A-026F-4503-B5F1-6774E16EAFFA}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{4A75066C-E359-4CE6-830C-E09830A3CD2D}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{61789F17-B8ED-4867-BA4A-DC19DAC8EF5B}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{8C775DBE-2382-4EAB-A48A-6859C3B9EF29}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A00289B5-2C16-4EC7-9780-2B56977ADC65}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{C6A7154F-EA0E-4DE3-AFB9-144FC620E780}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D675A74C-29F6-4AA7-A098-66373D746CB9}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DA4EBFA0-6BA0-4E18-817F-304B4192C393}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F2E03ADB-A325-4084-BA22-2F2260F6A90F}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F346CF98-FA03-4E7A-81B6-EB19B718F9C1}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F90EAF3D-6A09-4FAF-A84C-E6E91F97561B}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FBC663ED-1560-421B-BD71-F5B94DCEA09C}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{23119123-0854-469D-807A-171568457991}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{328D6F78-0DBB-4F17-ACD5-26A2EA4EF251}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{98623C86-E768-4C5A-B23B-EE8CE3727CD3}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gaiilaahiahdejapggenmdmafpmbipje

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pmlghpafmmnmmkjdhacccolfgnkiboco

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{328D6F78-0DBB-4F17-ACD5-26A2EA4EF251}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61789F17-B8ED-4867-BA4A-DC19DAC8EF5B}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7695996F-9846-4A09-A037-632E45737712}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98623C86-E768-4C5A-B23B-EE8CE3727CD3}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B803084B-B069-485E-B5D0-F9A6D318AF02}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}

Key Deleted : HKLM\Software\Zwinky_5q

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{328D6F78-0DBB-4F17-ACD5-26A2EA4EF251}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{98623C86-E768-4C5A-B23B-EE8CE3727CD3}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}

Key Deleted : HKLM\SOFTWARE\Tarma Installer

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{CC2E2B99-14D3-4516-883C-9EA147F594EF}]

Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Zwinky_5q Browser Plugin Loader]

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [5qffxtbr@Zwinky_5q.com]

Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{3033124F-06BF-4829-873A-310A125B4D4C}]

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [10000 octets] - [04/05/2013 13:48:03]

########## EOF - C:\AdwCleaner[S1].txt - [10061 octets] ##########

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Scan -- Date : 05/04/2013 16:04:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[TASK][SUSP PATH] Arcadesafari.job : C:\Users\Maddy\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe  [-] -> FOUND
[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe  -> FOUND
[TASK][ROGUE ST] 4628 : wscript.exe C:\Users\user\AppData\Local\Temp\launchie.vbs //B -> FOUND
[TASK][SUSP PATH] Arcadesafari : C:\Users\Maddy\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe  [-] -> FOUND
[TASK][SUSP PATH] RunAsStdUser Task : "C:\Users\user\AppData\Local\teeveewatchSA\bin\1.0.8.0\TeeveeWatchSA.exe"  [x] -> FOUND
[TASK][SUSP PATH] Test TimeTrigger : C:\Users\user\AppData\Local\Temp\Runner.exe C:\Users\user\AppData\Local\Temp\DNS.exe [-] -> FOUND
[TASK][SUSP PATH] TidyNetwork Update : C:\Users\user\AppData\Local\TidyNetwork.com\tidy2update.exe  [x] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
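A defender-side triage helper for the RogueKiller report above, added here as an example (it is not part of the original post and not RogueKiller's own code): it parses the [TASK] lines and ranks each scheduled task by where the file it launches lives, reusing the six report lines as constructed sample input. The location buckets, their score weights and the list of script hosts are my own assumptions; the meaning of the trailing [-] / [x] marker is not stated on the page, so it is carried through unchanged.

```python
"""Rank RogueKiller [TASK] findings by where the launched file lives."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the task lines from the RogueKiller log above,
# plus one non-task line to show that it is ignored.
SAMPLE_REPORT = r"""¤¤¤ Registry Entries : 9 ¤¤¤
[TASK][SUSP PATH] Arcadesafari.job : C:\Users\Maddy\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe  [-] -> FOUND
[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe  -> FOUND
[TASK][ROGUE ST] 4628 : wscript.exe C:\Users\user\AppData\Local\Temp\launchie.vbs //B -> FOUND
[TASK][SUSP PATH] RunAsStdUser Task : "C:\Users\user\AppData\Local\teeveewatchSA\bin\1.0.8.0\TeeveeWatchSA.exe"  [x] -> FOUND
[TASK][SUSP PATH] Test TimeTrigger : C:\Users\user\AppData\Local\Temp\Runner.exe C:\Users\user\AppData\Local\Temp\DNS.exe [-] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
"""

# One RogueKiller task line: [TASK][<kind>] <name> : <command> [<flag>] -> <verdict>
TASK_LINE = re.compile(
    r"^\[TASK\]\[(?P<kind>[^\]]+)\]\s+"
    r"(?P<name>.+?)\s+:\s+"
    r"(?P<command>.*?)\s*"
    r"(?:\[(?P<flag>[^\]])\]\s*)?"   # trailing [-] / [x]; meaning not given on the page
    r"->\s*(?P<verdict>\w+)$"
)
# Drive-letter paths ending in an executable or script extension. Non-greedy,
# so a command that names two files (Runner.exe DNS.exe) yields two matches.
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|vbs|js|bat|cmd|dll|scr|ps1)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe"}
# Assumed weights: the more writable a directory is for a standard user,
# the less a task launching from it should be trusted.
LOCATION_SCORE = {"temp": 3, "user-profile": 2, "other": 1, "program-files": 0, "system": 0}
SEVERITY = {3: "high", 2: "medium", 1: "low", 0: "info"}


def classify_location(path: str) -> str:
    """Bucket a path by directory type; order matters (Windows\\Temp before Windows)."""
    p = path.lower()
    if "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p:
        return "temp"
    if "\\users\\" in p:
        return "user-profile"
    if "\\program files" in p:
        return "program-files"
    if "\\windows\\" in p:
        return "system"
    return "other"


@dataclass
class TaskFinding:
    kind: str
    name: str
    command: str
    flag: Optional[str]
    verdict: str
    targets: List[str] = field(default_factory=list)
    script_host: bool = False          # command starts with wscript/cscript/mshta/...

    @property
    def score(self) -> int:
        # Worst location among the files the task launches; "low" if none parsed.
        return max((LOCATION_SCORE[classify_location(t)] for t in self.targets), default=1)

    @property
    def severity(self) -> str:
        return SEVERITY[self.score]


def parse_task_line(line: str) -> Optional[TaskFinding]:
    """Parse one report line; returns None for anything that is not a [TASK] line."""
    m = TASK_LINE.match(line.strip())
    if not m:
        return None
    command = m.group("command")
    tokens = command.split()
    first = tokens[0].strip('"').lower().rsplit("\\", 1)[-1] if tokens else ""
    return TaskFinding(
        kind=m.group("kind"), name=m.group("name"), command=command,
        flag=m.group("flag"), verdict=m.group("verdict"),
        targets=WIN_PATH.findall(command), script_host=first in SCRIPT_HOSTS,
    )


def triage(report: str) -> List[TaskFinding]:
    return [f for f in map(parse_task_line, report.splitlines()) if f is not None]


def prioritize(findings: List[TaskFinding]) -> List[str]:
    """Task names, worst location first; input order kept for equal scores."""
    return [f.name for f in sorted(findings, key=lambda f: -f.score)]


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_REPORT), key=lambda f: -f.score):
        host = " (script host)" if f.script_host else ""
        print(f"{f.severity:6} {f.name!r}{host}: {f.targets}")
```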



#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 May 2013 - 07:30 PM


Hello stillanovice

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 May 2013 - 01:39 AM


Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you: it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will then ask you to remove our tools.




Gringo

#11 stillanovice
  • Topic Starter
  • Members
  • 125 posts
  • Gender:Female
  • Location:Maine

Posted 07 May 2013 - 02:07 PM

Sorry for the delay ... finished Combofix today.  Thank you for your patience!  :)  Here is the report:

ComboFix 13-05-07.02 - user 05/07/2013  14:47:30.1.1 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1979.849 [GMT -4:00]
Running from: C:\Users\user\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Users\user\AppData\Local\Temp\{A8F805DC-EC1F-493D-8080-BA62F7F3D413}\fpb.tmp

(((((((((((((((((((((((((   Files Created from 2013-04-07 to 2013-05-07  )))))))))))))))))))))))))))))))

2013-05-07 18:58:19 . 2013-05-07 18:58:19 -------- d-----w- C:\Users\Default\AppData\Local\temp
2013-05-07 18:58:19 . 2013-05-07 18:58:19 -------- d-----w- C:\Users\Cal\AppData\Local\temp
2013-05-07 12:16:31 . 2013-05-07 12:16:31 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{59A3FF5E-E8E0-4ABD-87DE-926EBE60F15C}\offreg.dll
2013-05-07 12:13:18 . 2013-04-10 03:46:09 9317456 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{59A3FF5E-E8E0-4ABD-87DE-926EBE60F15C}\mpengine.dll
2013-05-03 18:24:56 . 2013-05-03 18:24:57 -------- d-----w- C:\Users\user\AppData\Local\Adobe
2013-04-29 02:10:02 . 2013-04-29 02:10:02 -------- d-----w- C:\Users\user\AppData\Local\Apple
2013-04-29 02:09:12 . 2013-04-29 02:09:12 -------- d-----w- C:\Users\user\AppData\Local\Apple Computer
2013-04-25 18:04:59 . 2013-04-25 18:04:59 855552 ----a-w- C:\Windows\system32\jscript.dll
2013-04-25 18:02:54 . 2013-04-25 18:02:54 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-24 10:47:20 . 2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\system32\drivers\ntfs.sys
2013-04-19 17:54:10 . 2013-04-28 21:58:25 -------- d-----w- C:\Users\user\AppData\Roaming\Oberon Media
2013-04-19 17:51:57 . 2013-04-19 17:51:57 -------- d-----w- C:\Users\user\AppData\Roaming\OpenCandy
2013-04-19 17:51:39 . 2013-04-19 17:51:45 -------- d-----w- C:\Users\Maddy\AppData\Local\Arcadesafari
2013-04-18 15:06:35 . 2013-05-03 21:23:12 -------- d-----w- C:\Users\Maddy\AppData\Local\Windows Live
2013-04-18 15:06:12 . 2013-04-18 15:06:21 -------- d-----w- C:\Users\Maddy\AppData\Local\Windows Live Writer
2013-04-18 15:06:12 . 2013-04-18 15:06:12 -------- d-----w- C:\Users\Maddy\AppData\Roaming\Windows Live Writer
2013-04-18 13:49:30 . 2013-04-18 13:52:40 -------- d-----w- C:\Users\user\AppData\Roaming\Virtual City
2013-04-18 13:39:01 . 2013-04-22 03:07:56 -------- d-----w- C:\Users\user\AppData\Roaming\Strongvault
2013-04-18 13:37:38 . 2013-04-22 03:07:57 -------- d-sh--w- C:\Windows\SysWow64\AI_RecycleBin
2013-04-18 13:37:31 . 2013-04-22 03:07:57 -------- d-----w- C:\ProgramData\Strongvault Online Backup
2013-04-18 13:37:20 . 2013-04-22 03:07:58 -------- d-----w- C:\AI_RecycleBin
2013-04-17 19:46:22 . 2013-04-17 19:46:22 -------- d-----w- C:\Program Files (x86)\Microsoft Games
2013-04-11 11:00:34 . 2013-01-24 06:01:01 223752 ----a-w- C:\Windows\system32\drivers\fvevol.sys
2013-04-11 11:00:24 . 2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\system32\ntoskrnl.exe
2013-04-11 11:00:20 . 2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-04-11 11:00:19 . 2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-04-11 11:00:17 . 2013-03-19 05:46:56 43520 ----a-w- C:\Windows\system32\csrsrv.dll
2013-04-11 11:00:17 . 2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-04-11 11:00:17 . 2013-03-19 03:06:33 112640 ----a-w- C:\Windows\system32\smss.exe
2013-04-11 10:59:59 . 2013-02-15 06:06:11 3717632 ----a-w- C:\Windows\system32\mstscax.dll
2013-04-11 10:59:57 . 2013-02-15 04:37:10 3217408 ----a-w- C:\Windows\SysWow64\mstscax.dll
2013-04-11 10:59:56 . 2013-02-15 06:02:26 158720 ----a-w- C:\Windows\system32\aaclient.dll
2013-04-11 10:59:56 . 2013-02-15 04:34:10 131584 ----a-w- C:\Windows\SysWow64\aaclient.dll
2013-04-11 10:59:55 . 2013-02-15 06:08:40 44032 ----a-w- C:\Windows\system32\tsgqec.dll
2013-04-11 10:59:54 . 2013-02-15 03:25:51 36864 ----a-w- C:\Windows\SysWow64\tsgqec.dll
2013-04-11 10:59:31 . 2013-03-01 03:36:04 3153408 ----a-w- C:\Windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-05-02 06:06:08 . 2012-05-04 16:24:59 278800 ------w- C:\Windows\system32\MpSigStub.exe
2013-04-12 10:13:17 . 2013-03-20 16:13:00 72702784 ----a-w- C:\Windows\system32\MRT.exe
2013-04-04 18:50:32 . 2012-05-15 19:37:58 25928 ----a-w- C:\Windows\system32\drivers\mbam.sys
2013-03-20 10:52:06 . 2009-07-14 02:36:51 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2013-03-20 10:52:02 . 2009-07-14 02:36:51 175616 ----a-w- C:\Windows\system32\msclmd.dll
2013-02-12 05:45:24 . 2013-03-20 14:45:49 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45:22 . 2013-03-20 14:45:49 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45:22 . 2013-03-20 14:45:49 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45:22 . 2013-03-20 14:45:49 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48:31 . 2013-03-20 14:45:50 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 . 2013-03-20 14:45:50 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-02-12 04:12:05 . 2013-03-26 00:41:33 19968 ----a-w- C:\Windows\system32\drivers\usb8023.sys

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{adff4c9a-4f49-4a1f-8885-360e107b7938}]
2010-11-05 01:58:19 297808 ----a-w- C:\Windows\System32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-08-16 20:45:02 2736128]
"ZumoDrive"="C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk" [2012-05-30 02:35:02 2080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Norton Online Backup"="C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 22:33:10 1155928]
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
"Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 12:41:07 37296]
"WordPerfect Office 1215"="C:\Program Files (x86)\WordPerfect Office 12\Programs\Registration.exe" [2004-03-08 16:36:32 733184]
"APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 00:06:18 59280]
"HP Quick Launch"="C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 19:20:36 586296]
"ZumoDrive"="C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk" [2012-05-30 02:35:02 2080]
"iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 23:33:22 421776]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
ImageBrowser EX Agent.lnk - C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe [2012-10-25 69120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 21:27:14 138576]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys [2009-06-10 20:35:28 5434368]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 21:01:11 292864]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 21:01:11 1485312]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 21:01:11 740864]
R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-20 11:07:05 59392]
R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys [2012-02-15 18:01:50 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2012-05-05 13:27:01 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys [2009-06-10 20:35:33 389120]
S2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 02:14:26 98208]
S2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2012-09-27 16:55:16 86528]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 21:33:00 103992]
S2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 02:51:08 291896]
S2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 19:20:34 26680]
S2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-09-11 08:02:22 399344]
S2 RtVOsdService;RtVOsdService Installer;C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [2010-06-24 22:24:12 315392]
S3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys [2010-09-29 06:55:54 31088]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys [2010-11-05 00:57:54 1041760]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys [2010-03-23 01:57:20 347680]

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-08-16 20:43:02 451872 ----a-w- C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe

Contents of the 'Scheduled Tasks' folder

2013-05-06 C:\Windows\Tasks\HPCeeScheduleForUSER-HP$.job
- C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15:40 . 2010-09-14 05:15:40]

2013-05-05 C:\Windows\Tasks\HPCeeScheduleForuser.job
- C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15:40 . 2010-09-14 05:15:40]

--------- X64 Entries -----------

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-09-23 04:53:46 2210304 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-09-23 04:53:46 2210304 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-09-23 04:53:46 2210304 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-09-23 04:53:46 2210304 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-09-23 04:53:46 2210304 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2010-07-29 21:34:24 166424]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2010-07-29 21:34:12 391192]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2010-07-29 21:34:18 410648]
"RTHDVCPL"="C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-09-22 00:37:08 6489704]
"HPWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 21:33:00 8192]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache

------- Supplementary Scan -------

uStart Page = hxxp://www.google.com/
uLocal Page = C:\Windows\system32\blank.htm
mLocal Page = C:\Windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

- - - - ORPHANS REMOVED - - - -

BHO-{5F815AD7-A955-4943-91C4-7A96C2932399} - (no file)
Wow6432Node-HKCU-Run-DW7 - C:\Program Files (x86)\The Weather Channel\The Weather Channel App\TWCApp.exe
Wow6432Node-HKU-Default-RunOnce-SPReview - C:\Windows\System32\SPReview\SPReview.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM-Run-SynTPEnh - C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - C:\Program Files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe



#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:22 PM

Posted 07 May 2013 - 03:07 PM


Hello stillanovice

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
C:\Users\user\AppData\Roaming\OpenCandy
C:\Users\user\AppData\Roaming\Strongvault
C:\ProgramData\Strongvault Online Backup

 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 stillanovice

stillanovice
  • Topic Starter

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maine
  • Local time:04:22 PM

Posted 07 May 2013 - 05:56 PM

After doing this latest set of instructions, I double-checked to see if the popups will continue, and they do!  UGH!  It seems to be mostly when I click on AOL to access email.  Sometimes I get the popups on other sites too, but mostly with AOL. 

 

 

ComboFix 13-05-07.02 - user 05/07/2013  17:51:30.2.1 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1979.793 [GMT -4:00]
Running from: c:\users\user\Downloads\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Strongvault Online Backup
c:\programdata\Strongvault Online Backup\Logs\Messaging_2013-04-20-10-56-24-902.log
c:\programdata\Strongvault Online Backup\Logs\Messaging_2013-04-20-10-58-52-507.log
c:\users\user\AppData\Roaming\OpenCandy
c:\users\user\AppData\Roaming\OpenCandy\535AB5308F474102A89F4C7C49C74797\2513.ico
c:\users\user\AppData\Roaming\OpenCandy\535AB5308F474102A89F4C7C49C74797\EBB77268-338F-4C6A-8590-AD88FED26F4A
c:\users\user\AppData\Roaming\OpenCandy\535AB5308F474102A89F4C7C49C74797\OCBrowserHelper_1.0.6.124.exe
c:\users\user\AppData\Roaming\OpenCandy\535AB5308F474102A89F4C7C49C74797\SliderCWAv4.1.21.3_20121211.msi
c:\users\user\AppData\Roaming\OpenCandy\535AB5308F474102A89F4C7C49C74797\WeCare_ClearWaterALL_p4v0.exe
c:\users\user\AppData\Roaming\Strongvault
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-07 to 2013-05-07  )))))))))))))))))))))))))))))))
.
.
2013-05-07 22:03 . 2013-05-07 22:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-07 22:03 . 2013-05-07 22:03 -------- d-----w- c:\users\Cal\AppData\Local\temp
2013-05-07 12:16 . 2013-05-07 12:16 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{59A3FF5E-E8E0-4ABD-87DE-926EBE60F15C}\offreg.dll
2013-05-07 12:13 . 2013-04-10 03:46 9317456 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{59A3FF5E-E8E0-4ABD-87DE-926EBE60F15C}\mpengine.dll
2013-05-03 18:24 . 2013-05-03 18:24 -------- d-----w- c:\users\user\AppData\Local\Adobe
2013-04-29 02:10 . 2013-04-29 02:10 -------- d-----w- c:\users\user\AppData\Local\Apple
2013-04-29 02:09 . 2013-04-29 02:09 -------- d-----w- c:\users\user\AppData\Local\Apple Computer
2013-04-25 18:04 . 2013-04-25 18:04 855552 ----a-w- c:\windows\system32\jscript.dll
2013-04-25 18:02 . 2013-04-25 18:02 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-24 10:47 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-19 17:54 . 2013-04-28 21:58 -------- d-----w- c:\users\user\AppData\Roaming\Oberon Media
2013-04-19 17:51 . 2013-04-19 17:51 -------- d-----w- c:\users\Maddy\AppData\Local\Arcadesafari
2013-04-18 15:06 . 2013-05-03 21:23 -------- d-----w- c:\users\Maddy\AppData\Local\Windows Live
2013-04-18 15:06 . 2013-04-18 15:06 -------- d-----w- c:\users\Maddy\AppData\Local\Windows Live Writer
2013-04-18 15:06 . 2013-04-18 15:06 -------- d-----w- c:\users\Maddy\AppData\Roaming\Windows Live Writer
2013-04-18 13:49 . 2013-04-18 13:52 -------- d-----w- c:\users\user\AppData\Roaming\Virtual City
2013-04-18 13:37 . 2013-04-22 03:07 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin
2013-04-18 13:37 . 2013-04-22 03:07 -------- d-----w- C:\AI_RecycleBin
2013-04-17 19:46 . 2013-04-17 19:46 -------- d-----w- c:\program files (x86)\Microsoft Games
2013-04-11 11:00 . 2013-01-24 06:01 223752 ----a-w- c:\windows\system32\drivers\fvevol.sys
2013-04-11 11:00 . 2013-03-19 06:04 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-11 11:00 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-04-11 11:00 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-04-11 11:00 . 2013-03-19 05:46 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-11 11:00 . 2013-03-19 04:47 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-04-11 11:00 . 2013-03-19 03:06 112640 ----a-w- c:\windows\system32\smss.exe
2013-04-11 10:59 . 2013-02-15 06:06 3717632 ----a-w- c:\windows\system32\mstscax.dll
2013-04-11 10:59 . 2013-02-15 04:37 3217408 ----a-w- c:\windows\SysWow64\mstscax.dll
2013-04-11 10:59 . 2013-02-15 06:02 158720 ----a-w- c:\windows\system32\aaclient.dll
2013-04-11 10:59 . 2013-02-15 04:34 131584 ----a-w- c:\windows\SysWow64\aaclient.dll
2013-04-11 10:59 . 2013-02-15 06:08 44032 ----a-w- c:\windows\system32\tsgqec.dll
2013-04-11 10:59 . 2013-02-15 03:25 36864 ----a-w- c:\windows\SysWow64\tsgqec.dll
2013-04-11 10:59 . 2013-03-01 03:36 3153408 ----a-w- c:\windows\system32\win32k.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-02 06:06 . 2012-05-04 16:24 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-04-12 10:13 . 2013-03-20 16:13 72702784 ----a-w- c:\windows\system32\MRT.exe
2013-04-04 18:50 . 2012-05-15 19:37 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-20 10:52 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2013-03-20 10:52 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2013-02-12 05:45 . 2013-03-20 14:45 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-20 14:45 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-20 14:45 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-20 14:45 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-20 14:45 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-20 14:45 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-12 04:12 . 2013-03-26 00:41 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{adff4c9a-4f49-4a1f-8885-360e107b7938}]
2010-11-05 01:58 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-08-16 2736128]
"ZumoDrive"="c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk" [2012-05-30 2080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"WordPerfect Office 1215"="c:\program files (x86)\WordPerfect Office 12\Programs\Registration.exe" [2004-03-08 733184]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"ZumoDrive"="c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk" [2012-05-30 2080]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ImageBrowser EX Agent.lnk - c:\program files (x86)\Canon\ImageBrowser EX\MFManager.exe [2012-10-25 69120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-05-05 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2012-09-27 86528]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 103992]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 291896]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-09-11 399344]
S2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [2010-06-24 315392]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2010-09-29 31088]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2010-11-05 1041760]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-23 347680]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-08-16 20:43 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-06 c:\windows\Tasks\HPCeeScheduleForUSER-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
2013-05-05 c:\windows\Tasks\HPCeeScheduleForuser.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 391192]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 410648]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-09-22 6489704]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{5F815AD7-A955-4943-91C4-7A96C2932399} - (no file)
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1392159129-2078248977-845139479-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8DD7F11B-B1CE-4042-871E-6820233F0F6A}*Win32"}]
"AppName"="Roblox.exe"
"Policy"=dword:00000003
"AppPath"="c:\\Users\\Maddy\\AppData\\Local\\Roblox\\Versions\\version-eecd9135a67340ab\\"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-05-07  18:07:50
ComboFix-quarantined-files.txt  2013-05-07 22:07
ComboFix2.txt  2013-05-07 19:03
.
Pre-Run: 116,963,909,632 bytes free
Post-Run: 116,667,199,488 bytes free
.
- - End Of File - - 1A2B0F9225CCDDA114F9C781FE5BBAB0
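The CFScript posted in #12 and the ComboFix log posted in reply can be cross-checked mechanically. This added Python example (not from the thread and not part of ComboFix) parses the log's banner-delimited sections and reports, for each Folder:: target in the script, whether the "Other Deletions" section lists it. The log excerpt is constructed from lines of the posted log and deliberately leaves one target out to show how a missed folder is reported.

```python
# Added example (not from the thread or from ComboFix): verify CFScript Folder:: targets.

# Constructed CFScript, identical to the one posted in #12.
SAMPLE_CFSCRIPT = r"""
ClearJavaCache::

Folder::
C:\Users\user\AppData\Roaming\OpenCandy
C:\Users\user\AppData\Roaming\Strongvault
C:\ProgramData\Strongvault Online Backup
"""

# Constructed excerpt built from lines of the posted log. The Roaming\Strongvault
# deletion is deliberately left out so the report shows how a missed target looks.
SAMPLE_LOG = r"""
ComboFix 13-05-07.02 - user 05/07/2013  17:51:30.2.1 - x64
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\Strongvault Online Backup
c:\programdata\Strongvault Online Backup\Logs\Messaging_2013-04-20-10-56-24-902.log
c:\users\user\AppData\Roaming\OpenCandy
c:\users\user\AppData\Roaming\OpenCandy\535AB5308F474102A89F4C7C49C74797\2513.ico
.
(((((((((((((((((((((((((   Files Created from 2013-04-07 to 2013-05-07  )))))))))))))))))))))))))))))))
.
2013-05-03 18:24 . 2013-05-03 18:24 -------- d-----w- c:\users\user\AppData\Local\Adobe
"""


def parse_cfscript(text):
    """Map each '::' directive to the lines under it, e.g. {'Folder': [paths]}."""
    directives, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            directives.setdefault(current, [])
        elif current is not None:
            directives[current].append(line)
    return directives


def _section_name(line):
    """Title of a ComboFix banner such as '(((   Other Deletions   )))', else None."""
    s = line.strip()
    if not s or s[0] not in "(-" or not s.endswith(("(", ")", "-")):
        return None
    name = s.strip("()- ")
    return name if any(c.isalpha() for c in name) else None


def parse_combofix_sections(text):
    """Split a log into {section: [entry lines]}, dropping ComboFix's '.' filler lines."""
    sections, current = {"Header": []}, "Header"
    for raw in text.splitlines():
        title = _section_name(raw)
        if title:
            current, sections[title] = title, []
        elif raw.strip() not in ("", "."):
            sections[current].append(raw.rstrip())
    return sections


def check_folder_deletions(cfscript_text, log_text):
    """For each Folder:: target: True if the log lists it, or anything beneath it, as deleted."""
    norm = lambda p: p.strip().lower().rstrip("\\")  # ComboFix lower-cases paths; compare loosely
    deleted = [norm(e) for e in parse_combofix_sections(log_text).get("Other Deletions", [])]
    return {t: any(d == norm(t) or d.startswith(norm(t) + "\\") for d in deleted)
            for t in parse_cfscript(cfscript_text).get("Folder", [])}


if __name__ == "__main__":
    print(check_folder_deletions(SAMPLE_CFSCRIPT, SAMPLE_LOG))
```

A target reported False is worth a second look in the next log, since a folder still present after the run would need to be addressed again.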

 



#14 stillanovice

stillanovice
  • Topic Starter

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maine
  • Local time:04:22 PM

Posted 07 May 2013 - 06:52 PM

Since my last post, I restarted my computer that I was having problems with.  I used to have 4 tabs come up for my homepage: Google, Ebay, Pinterest & AOL.  Since I restarted the computer a few minutes ago, only one tab comes up when I get online:  Google. 

 

Also, I was unable to navigate to another website.  I tried clicking on this website (which is stored on my favorites toolbar) and it wouldn't let me go there.  I've since gone to another computer in the house, so I could write this update for you.

 

I worry that if you want me to download another program to help me solve the popups problem, I won't be able to.  Does this have something to do with shutting off firewalls and all that from the last set of instructions?


Edited by stillanovice, 07 May 2013 - 06:54 PM.


#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:22 PM

Posted 07 May 2013 - 08:39 PM

Hello


Which browser is causing the problem?


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University



