
Denied permissions to MSE. Can't do anything with it.


17 replies to this topic

#1 Twotone

Twotone

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tennessee
  • Local time:01:02 AM

Posted 10 June 2013 - 12:22 PM

Hello

 

I am working on a computer that had a ransom virus. Since the removal I am not able to use MSE or uninstall MSE. I keep getting permission errors. Changing the permissions under the security tab is not helping. Any help would be appreciated. Thanks in advance. I've run Malwarebytes to remove the virus. I also have run Spybot 2 and Combofix to get any leftovers. I tried using the UVK tool to fix permissions but that did not help. I have tried to manually fix the permissions by changing them in the security tab for the folder.

 

Twotone

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16483  BrowserJavaVersion: 10.21.2
Run by John at 11:19:06 on 2013-06-10
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3003.1759 [GMT -6:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=2A697F3001CC81770F89623E&src_id=30051&camp_id=3081&tb_version=1.1.1000.4(B)
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: ALOT Appbar Helper: {85F5CF95-EC8F-49fc-BB3F-38C79455CBA2} -
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Toolbar BHO: {ab56dfde-0c14-45b3-9df6-7b0eba617870} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Search Assistant BHO: {df22384f-cf68-4d19-969f-10423715528b} -
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: TotalRecipeSearch: {a0154e07-2b48-475c-a82a-80efd84ea33e} -
TB: ALOT Appbar: {A531D99C-5A22-449b-83DA-872725C6D0ED} -
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [BingDesktop] C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktop.exe /fromkey
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: WallpaperStyle = 2
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{A1A32E3D-ACB0-46EE-A2B0-F060CDF3BCFA} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{A1A32E3D-ACB0-46EE-A2B0-F060CDF3BCFA}\14775637F6D656023516573656 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{F5C91082-6EDA-4F54-9B8D-59A940195DF3} : DHCPNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\Windows\System32\wpdshserviceobj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\Windows\System32\wpdshserviceobj.dll
x64-mASetup: {12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\Windows\System32\ieudinit.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\18uz0y5r.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.charter.net/
FF - prefs.js: keyword.URL -  hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YKxdm002R2us&ptnrS=YKxdm002R2us&si=CJq71fD6v6sCFYPu7QodU2Nrug&ptb=C21EE0CD-1657-43B5-87DD-0318D375AC93&psa=&ind=2011092808&st=kwd&n=77ded748&searchfor=
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]
R2 BingDesktopUpdate;Bing Desktop Update service;C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [2013-4-10 168592]
R2 HsfXAudioService;HsfXAudioService;C:\Windows\System32\svchost.exe -k HsfXAudioService [2009-7-13 27136]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2010-10-24 130008]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-6-5 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-6-5 1033688]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-6-5 171928]
R3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2009-6-24 292864]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-8-23 215040]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;C:\Windows\System32\drivers\libusb0.sys [2012-5-24 29184]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 NisSrv;NisSrv;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2009-8-17 216064]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-20 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-10-21 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
S4 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-8-17 227896]
S4 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-10-14 92216]
.
=============== Created Last 30 ================
.
2013-06-05 21:58:45 -------- d-----w- C:\ProgramData\UVK
2013-06-05 21:56:30 -------- d-----w- C:\Program Files (x86)\UVK
2013-06-05 21:29:56 -------- d-----w- C:\$RECYCLE.BIN
2013-06-05 21:06:13 -------- d-----w- C:\ComboFix
2013-06-05 17:18:37 92256 ----a-w- C:\ProgramData\Microsoft\BingDesktop\Updater\BingDesktopRestarter.exe
2013-06-05 14:19:48 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
2013-06-05 14:19:43 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-06-05 14:17:15 971680 ----a-w- C:\Windows\System32\deployJava1.dll
2013-06-05 14:17:15 1092512 ----a-w- C:\Windows\System32\npDeployJava1.dll
2013-06-05 14:17:08 108448 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2013-06-05 14:16:05 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-04 22:50:46 -------- d-----w- C:\Users\John\AppData\Local\Programs
2013-06-01 22:48:09 76232 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5E0722AB-0F36-44CF-9945-104AAD991B7D}\offreg.dll
2013-06-01 09:34:53 9460464 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5E0722AB-0F36-44CF-9945-104AAD991B7D}\mpengine.dll
2013-05-31 09:35:19 9460464 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-21 09:35:04 964552 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{67F65652-A79E-4E4D-9A16-51D11720FF03}\gapaengine.dll
2013-05-16 09:02:39 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-05-16 09:02:38 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-05-15 11:27:31 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-05-15 11:27:31 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-05-15 11:27:31 144384 ----a-w- C:\Windows\System32\cdd.dll
2013-05-15 11:27:20 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-05-15 11:27:19 70144 ----a-w- C:\Windows\System32\appinfo.dll
2013-05-15 11:27:19 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-05-15 11:27:19 111448 ----a-w- C:\Windows\System32\consent.exe
2013-05-15 11:27:12 3153920 ----a-w- C:\Windows\System32\win32k.sys
.
==================== Find3M  ====================
.
2013-06-05 14:15:58 866720 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2013-06-05 14:15:58 788896 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-06-01 22:48:53 328704 ----a-w- C:\Windows\System32\services.exe
2013-05-15 15:45:48 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-15 15:45:48 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-02 15:29:56 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-04-05 01:08:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-04-05 01:00:30 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-04-05 00:59:24 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-04-05 00:56:16 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-04-05 00:55:47 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-04-04 22:11:34 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-04-04 22:02:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-04-04 22:02:17 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-04-04 21:58:51 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-04-04 21:57:45 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-04-04 20:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-03-20 09:16:56 175616 ----a-w- C:\Windows\System32\msclmd.dll
2013-03-20 09:16:56 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe
.
============= FINISH: 11:19:23.66 ===============
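Added example for readers of this thread, not code posted by Twotone or by the helper: a PowerShell triage script for the "access denied" symptom on Microsoft Security Essentials described above, for Windows 7 x64 as shown in the DDS log. It reports the three UAC policy values the DDS log lists at 0 (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), the owner and ACL of the MSE install folder, and the security descriptor of the MSE service, and with -Repair it resets them. The install path C:\Program Files\Microsoft Security Client and the service name MsMpSvc are assumptions taken from MSE's default install; the script does not remove any malware and should be run from an elevated prompt only after the cleanup the helper asks for is finished.

```powershell
# Added example, not code from the thread. Triage for "access denied" on
# Microsoft Security Essentials (MSE) after a malware cleanup on Windows 7 x64.
# Run from an elevated PowerShell prompt. The install path and the service
# name MsMpSvc are assumed from MSE's defaults; change them if they differ.
[CmdletBinding()]
param(
    [switch]$Repair   # report only unless -Repair is given
)

$mseDir  = 'C:\Program Files\Microsoft Security Client'
$svcName = 'MsMpSvc'
$uacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# --- 1. UAC policy -------------------------------------------------------
# The DDS log in this thread shows EnableLUA, ConsentPromptBehaviorAdmin and
# PromptOnSecureDesktop all at 0, i.e. UAC is switched off. Windows 7 defaults
# are 1, 5 and 1. With UAC off, everything the logged-on admin runs is fully
# elevated, so a dropper can rewrite ACLs on the AV install without a prompt.
$expected = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
$uac = Get-ItemProperty -Path $uacKey
foreach ($name in $expected.Keys) {
    $actual = $uac.$name
    $state  = if ($actual -eq $expected[$name]) { 'ok' } else { 'WEAK' }
    '{0,-27} = {1}  ({2}; default {3})' -f $name, $actual, $state, $expected[$name]
}

# --- 2. Ownership and ACL on the MSE folder ------------------------------
$denies = @()
if (Test-Path -Path $mseDir) {
    $acl = Get-Acl -Path $mseDir
    "Owner of ${mseDir}: $($acl.Owner)"
    $acl.Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
    # A Deny ACE is evaluated before the Allow ACEs at the same level, so an
    # explicit Deny for Everyone or Administrators keeps "access denied" no
    # matter which Allow entries are added in the Security tab.
    $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    "Explicit Deny ACEs on folder: $($denies.Count)"
} else {
    "MSE folder not found: $mseDir"
}

# --- 3. Service security descriptor --------------------------------------
# Malware also locks the AV service object itself. sc.exe sdshow prints the
# service's DACL/SACL as SDDL; a (D;...) ACE there blocks start/stop/config.
# Note the .exe suffix: in PowerShell a bare 'sc' is an alias for Set-Content.
$sddl = ((& sc.exe sdshow $svcName) | Where-Object { $_ -match '^[DS]:' }) -join ''
$svcDenies = @()
if (-not $sddl) {
    "Could not read the security descriptor of service $svcName"
} else {
    "Service SDDL: $sddl"
    $svcDenies = [regex]::Matches($sddl, '\(D;[^)]*\)')
    "Deny ACEs on service object: $($svcDenies.Count)"
}

# --- 4. Repair (only with -Repair) ---------------------------------------
if ($Repair) {
    if (Test-Path -Path $mseDir) {
        # Give Administrators ownership, then replace the ACLs of the whole
        # tree with the defaults inherited from C:\Program Files.
        & takeown.exe /F $mseDir /R /A /D Y | Out-Null
        & icacls.exe $mseDir /reset /T /C | Out-Null
        "Reset ownership and ACLs under $mseDir"
    }
    if ($sddl -and ($svcDenies.Count -gt 0)) {
        # Strip every Deny ACE from the service descriptor and write it back.
        $fixed = $sddl -replace '\(D;[^)]*\)', ''
        & sc.exe sdset $svcName $fixed | Out-Null
        "Removed Deny ACEs from service $svcName"
    }
    foreach ($name in $expected.Keys) {
        Set-ItemProperty -Path $uacKey -Name $name -Value $expected[$name] -Type DWord
    }
    'UAC policy values restored to defaults; a reboot is needed for EnableLUA to take effect.'
}
```

Run it once without -Repair to read the report, and compare the folder ACL with the same folder on a clean Windows 7 machine before resetting anything; if the MSE uninstaller still fails after the reset, the remaining blocker is usually in the service or registry ACLs rather than the folder, which is why the script checks the SDDL separately.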
 

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:02 AM

Posted 10 June 2013 - 12:25 PM

Hi there,
My name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all log files as a reply rather than as an attachment unless I specifically ask you to. If you cannot post all log files in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please post up c:\combofix.txt


Proud Member of UNITE & TB
 

#3 Twotone

Twotone
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tennessee
  • Local time:01:02 AM

Posted 10 June 2013 - 12:27 PM

ComboFix 13-06-05.04 - John 06/05/2013  15:07:45.1.1 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3003.2021 [GMT -6:00]
Running from: c:\users\John\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files (x86)\alotappbar
c:\program files (x86)\alotappbar\alotUninst.exe
c:\program files (x86)\alotappbar\bin\alotappbar.dll
c:\program files (x86)\alotappbar\bin\alothelper.dll
c:\program files (x86)\alotappbar\bin\ALOTSettings.exe
c:\program files (x86)\alotappbar\bin\alotwidgets.exe
c:\program files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll
c:\program files (x86)\AVG Antivirus 2011
c:\program files (x86)\TotalRecipeSearch_14
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14auxstb.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14bar.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14barsvc.exe
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14brmon.exe
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14brstub.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14datact.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14dlghk.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14dyn.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14feedmg.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14highin.exe
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14html.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14htmlmu.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14httpct.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14idle.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14ieovr.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14impipe.exe
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14medint.exe
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14mlbtn.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14msg.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14Plugin.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14radio.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14regfft.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14regiet.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14script.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14skin.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14skplay.exe
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14SrcAs.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14tpinst.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14uabtn.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\CHROME.MANIFEST
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\chrome\14ffxtbr.jar
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\INSTALL.RDF
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\LOGO.BMP
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\NP14Stub.dll
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\T8RES.DLL
c:\program files (x86)\TotalRecipeSearch_14\bar\IE9Mesg\COMMON.T8S
c:\program files (x86)\TotalRecipeSearch_14\bar\Message\COMMON.T8S
c:\program files (x86)\TotalRecipeSearch_14\bar\Settings\s_pid.dat
c:\program files (x86)\TotalRecipeSearch_14EI
c:\program files (x86)\TotalRecipeSearch_14EI\Installr\1.bin\14EIPlug.dll
c:\program files (x86)\TotalRecipeSearch_14EI\Installr\1.bin\14EZSETP.dll
c:\program files (x86)\TotalRecipeSearch_14EI\Installr\1.bin\NP14EISb.dll
c:\users\John\acrobatreader.exe
c:\users\John\mstsc.exe
c:\windows\tmp
c:\windows\tmp\dd_vcredistMSI07F0.txt
c:\windows\tmp\dd_vcredistMSI6946.txt
c:\windows\tmp\dd_vcredistMSI7392.txt
c:\windows\tmp\dd_vcredistMSI7E94.txt
c:\windows\tmp\dd_vcredistUI07F0.txt
c:\windows\tmp\dd_vcredistUI694A.txt
c:\windows\tmp\dd_vcredistUI7392.txt
c:\windows\tmp\dd_vcredistUI7E94.txt
c:\windows\tmp\Digital Editions\587ce258-591d-4f80-aef8-fc66312eeefb
c:\windows\tmp\Digital Editions\99052f50-a1b0-456c-b244-3ef4f04f7b64
c:\windows\tmp\qtsingleapp-koboex-7d5-1-lockfile
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_TotalRecipeSearch_14Service
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-05 to 2013-06-05  )))))))))))))))))))))))))))))))
.
.
2013-06-05 21:20 . 2013-06-05 21:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-05 18:09 . 2013-06-05 18:09 -------- d-----w- c:\program files (x86)\Microsoft.NET
2013-06-05 17:18 . 2013-03-26 23:59 92256 ----a-w- c:\programdata\Microsoft\BingDesktop\Updater\BingDesktopRestarter.exe
2013-06-05 14:19 . 2009-01-25 19:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-06-05 14:19 . 2013-06-05 14:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-06-05 14:17 . 2013-06-05 14:17 971680 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-05 14:17 . 2013-06-05 14:17 311200 ----a-w- c:\windows\system32\javaws.exe
2013-06-05 14:17 . 2013-06-05 14:17 1092512 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-05 14:17 . 2013-06-05 14:17 188832 ----a-w- c:\windows\system32\javaw.exe
2013-06-05 14:17 . 2013-06-05 14:17 188320 ----a-w- c:\windows\system32\java.exe
2013-06-05 14:17 . 2013-06-05 14:17 108448 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2013-06-05 14:16 . 2013-06-05 14:16 -------- d-----w- c:\program files\Java
2013-06-05 14:16 . 2013-06-05 14:16 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-06-05 14:16 . 2013-06-05 14:15 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-04 22:50 . 2013-06-04 22:50 -------- d-----w- c:\users\John\AppData\Local\Programs
2013-06-01 22:48 . 2013-06-01 22:48 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5E0722AB-0F36-44CF-9945-104AAD991B7D}\offreg.dll
2013-06-01 09:34 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5E0722AB-0F36-44CF-9945-104AAD991B7D}\mpengine.dll
2013-05-31 09:35 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-21 09:35 . 2013-05-21 09:34 964552 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{67F65652-A79E-4E4D-9A16-51D11720FF03}\gapaengine.dll
2013-05-16 09:02 . 2013-05-05 21:36 17818624 ----a-w- c:\windows\system32\mshtml.dll
2013-05-16 09:02 . 2013-05-05 21:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-16 09:02 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2013-05-15 11:27 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-15 11:27 . 2013-04-10 06:01 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 11:27 . 2011-02-03 11:25 144384 ----a-w- c:\windows\system32\cdd.dll
2013-05-15 11:27 . 2013-02-27 05:52 14172672 ----a-w- c:\windows\system32\shell32.dll
2013-05-15 11:27 . 2013-02-27 05:52 197120 ----a-w- c:\windows\system32\shdocvw.dll
2013-05-15 11:27 . 2013-02-27 05:48 1930752 ----a-w- c:\windows\system32\authui.dll
2013-05-15 11:27 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe
2013-05-15 11:27 . 2013-02-27 05:47 70144 ----a-w- c:\windows\system32\appinfo.dll
2013-05-15 11:27 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\SysWow64\authui.dll
2013-05-15 11:27 . 2013-04-10 03:30 3153920 ----a-w- c:\windows\system32\win32k.sys
2013-05-11 10:37 . 2013-05-11 10:37 209472 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-05 14:15 . 2012-11-11 17:06 866720 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-06-05 14:15 . 2011-01-12 20:11 788896 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-06-01 22:48 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
2013-05-16 09:03 . 2011-02-03 17:24 75016696 ----a-w- c:\windows\system32\MRT.exe
2013-05-15 15:45 . 2012-05-03 20:18 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-15 15:45 . 2011-05-12 23:23 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-02 15:29 . 2010-02-11 20:03 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-04-25 09:27 . 2013-04-25 09:27 905296 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A6CE1A87-2791-40AE-BEF1-48403592E0D4}\gapaengine.dll
2013-04-25 09:27 . 2011-03-26 00:00 905296 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-04-12 14:45 . 2013-04-23 20:22 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-04 20:50 . 2011-02-03 23:35 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-20 09:16 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2013-03-20 09:16 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2013-03-19 06:04 . 2013-04-09 20:17 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-09 20:17 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-09 20:17 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-09 20:17 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-09 20:17 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-09 20:17 112640 ----a-w- c:\windows\system32\smss.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{06e3475c-5521-4de8-bb12-50720f21631c}]
2012-11-15 18:40 707728 ----a-w- c:\progra~2\RECIPE~2\bar\1.bin\2jbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{1e91a655-bb4b-4693-a05e-2edebc4c9d89}]
2013-01-11 01:35 820448 ----a-w- c:\progra~2\MAPSGA~2\bar\1.bin\39bar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{71c1d63a-c944-428a-a5bd-ba513190e5d2}]
2013-01-11 01:35 139488 ----a-w- c:\program files (x86)\MapsGalaxy_39\bar\1.bin\39SrcAs.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{b7acdf9c-c4f9-4d5d-998e-b147866b4d4c}]
2012-11-15 18:40 62864 ----a-w- c:\program files (x86)\RecipeHub_2j\bar\1.bin\2jSrcAs.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-10-17 06:46 1521352 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-10-17 1521352]
"{cf51de5b-eb36-4114-bb69-84df63fbadb4}"= "c:\program files (x86)\RecipeHub_2j\bar\1.bin\2jbar.dll" [2012-11-15 707728]
"{364ea597-e728-4ce4-bb4a-ed846ef47970}"= "c:\program files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll" [2013-01-11 820448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{cf51de5b-eb36-4114-bb69-84df63fbadb4}]
.
[HKEY_CLASSES_ROOT\clsid\{364ea597-e728-4ce4-bb4a-ed846ef47970}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-10-17 1573576]
"Recipe Hub Search Scope Monitor"="c:\progra~2\RECIPE~2\bar\1.bin\2jsrchmn.exe" [2012-11-15 42536]
"RecipeHub_2j Browser Plugin Loader"="c:\progra~2\RECIPE~2\bar\1.bin\2jbrmon.exe" [2012-11-15 30096]
"MapsGalaxy Search Scope Monitor"="c:\progra~2\MAPSGA~2\bar\1.bin\39srchmn.exe" [2013-01-11 56032]
"MapsGalaxy_39 Browser Plugin Loader"="c:\progra~2\MAPSGA~2\bar\1.bin\39brmon.exe" [2013-01-11 59616]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-05-16 3830224]
"BingDesktop"="c:\program files (x86)\Microsoft\BingDesktop\BingDesktop.exe" [2013-04-10 2387088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"WallpaperStyle"= 2
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 ahhvmecx;ahhvmecx;c:\windows\system32\drivers\ahhvmecx.sys;c:\windows\SYSNATIVE\drivers\ahhvmecx.sys [x]
R1 SASDIFSV;SASDIFSV;c:\users\John\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS;c:\users\John\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\John\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS;c:\users\John\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS [x]
R3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys;c:\windows\SYSNATIVE\drivers\libusb0.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 NisSrv;NisSrv;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys;c:\windows\SYSNATIVE\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
R4 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [x]
R4 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 BingDesktopUpdate;Bing Desktop Update service;c:\program files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe;c:\program files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [x]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 MapsGalaxy_39Service;MapsGalaxyService;c:\progra~2\MAPSGA~2\bar\1.bin\39barsvc.exe;c:\progra~2\MAPSGA~2\bar\1.bin\39barsvc.exe [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
S2 RecipeHub_2jService;Recipe HubService;c:\progra~2\RECIPE~2\bar\1.bin\2jbarsvc.exe;c:\progra~2\RECIPE~2\bar\1.bin\2jbarsvc.exe [x]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys;c:\windows\SYSNATIVE\DRIVERS\CAXHWAZL.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-01-22 18:06 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-03 15:45]
.
2013-06-04 c:\windows\Tasks\HPCeeScheduleForJohn.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 12:22]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = localhost:21320
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=2A697F3001CC81770F89623E&src_id=30051&camp_id=3081&tb_version=1.1.1000.4(B)
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\18uz0y5r.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.charter.net/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=&locale=&apn_uid=81F75054-F271-42FB-A9A8-152ECEDBB9CB&apn_ptnrs=TV&apn_sauid=B328A8C7-2223-42A2-A785-7B46D69FBC97&apn_dtid=OSJ000YYUS&&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: TotalRecipeSearch: 14ffxtbr@TotalRecipeSearch_14.com - %profile%\extensions\14ffxtbr@TotalRecipeSearch_14.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2} - c:\program files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll
BHO-{ab56dfde-0c14-45b3-9df6-7b0eba617870} - c:\progra~2\TOTALR~2\bar\1.bin\14bar.dll
BHO-{df22384f-cf68-4d19-969f-10423715528b} - c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14SrcAs.dll
Toolbar-{a0154e07-2b48-475c-a82a-80efd84ea33e} - c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14bar.dll
Toolbar-{A531D99C-5A22-449b-83DA-872725C6D0ED} - c:\program files (x86)\alotappbar\bin\ALOTHelper.dll
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-TotalRecipeSearch_14 Browser Plugin Loader - c:\progra~2\TOTALR~2\bar\1.bin\14brmon.exe
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe
AddRemove-alotAppbar - c:\program files (x86)\alotappbar\alotUninst.exe
AddRemove-Bookworm Deluxe 1.03 - c:\program files\PopCap Games\BookWorm Deluxe\PopUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\RecipeHub_2j\bar\1.bin\2jbrmon.exe
c:\program files (x86)\MapsGalaxy_39\bar\1.bin\39brmon.exe
.
**************************************************************************
.
Completion time: 2013-06-05  15:41:28 - machine was rebooted
ComboFix-quarantined-files.txt  2013-06-05 21:41
.
Pre-Run: 184,463,847,424 bytes free
Post-Run: 184,046,505,984 bytes free
.
- - End Of File - - 88CC6988AF7AD7FA8CB78A2ECF222185
 



#4 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 10 June 2013 - 12:41 PM

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#5 Twotone
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Tennessee

Posted 10 June 2013 - 01:14 PM

ComboFix 13-06-08.02 - John 06/10/2013  11:51:48.2.1 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3003.1885 [GMT -6:00]
Running from: c:\users\John\Desktop\ComboFix.exe
Command switches used :: c:\users\John\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\18uz0y5r.default\extensions\14ffxtbr@TotalRecipeSearch_14.com
c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\18uz0y5r.default\extensions\14ffxtbr@TotalRecipeSearch_14.com\chrome.manifest
c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\18uz0y5r.default\extensions\14ffxtbr@TotalRecipeSearch_14.com\chrome\14ffxtbr.jar
c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\18uz0y5r.default\extensions\14ffxtbr@TotalRecipeSearch_14.com\install.rdf
c:\windows\SysWow64\drivers\hfile.txt
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ahhvmecx
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-10 to 2013-06-10  )))))))))))))))))))))))))))))))
.
.
2013-06-10 18:00 . 2013-06-10 18:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-05 21:58 . 2013-06-05 22:40 -------- d-----w- c:\programdata\UVK
2013-06-05 21:56 . 2013-06-05 22:42 -------- d-----w- c:\program files (x86)\UVK
2013-06-05 18:09 . 2013-06-05 18:09 -------- d-----w- c:\program files (x86)\Microsoft.NET
2013-06-05 17:18 . 2013-03-26 23:59 92256 ----a-w- c:\programdata\Microsoft\BingDesktop\Updater\BingDesktopRestarter.exe
2013-06-05 14:19 . 2009-01-25 19:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-06-05 14:19 . 2013-06-05 14:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-06-05 14:17 . 2013-06-05 14:17 971680 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-05 14:17 . 2013-06-05 14:17 311200 ----a-w- c:\windows\system32\javaws.exe
2013-06-05 14:17 . 2013-06-05 14:17 1092512 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-05 14:17 . 2013-06-05 14:17 188832 ----a-w- c:\windows\system32\javaw.exe
2013-06-05 14:17 . 2013-06-05 14:17 188320 ----a-w- c:\windows\system32\java.exe
2013-06-05 14:17 . 2013-06-05 14:17 108448 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2013-06-05 14:16 . 2013-06-05 14:16 -------- d-----w- c:\program files\Java
2013-06-05 14:16 . 2013-06-05 14:16 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-06-05 14:16 . 2013-06-05 14:15 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-04 22:50 . 2013-06-04 22:50 -------- d-----w- c:\users\John\AppData\Local\Programs
2013-06-01 22:48 . 2013-06-01 22:48 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5E0722AB-0F36-44CF-9945-104AAD991B7D}\offreg.dll
2013-06-01 09:34 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5E0722AB-0F36-44CF-9945-104AAD991B7D}\mpengine.dll
2013-05-31 09:35 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-21 09:35 . 2013-05-21 09:34 964552 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{67F65652-A79E-4E4D-9A16-51D11720FF03}\gapaengine.dll
2013-05-16 09:02 . 2013-05-05 21:36 17818624 ----a-w- c:\windows\system32\mshtml.dll
2013-05-16 09:02 . 2013-05-05 21:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-16 09:02 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2013-05-15 11:27 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-15 11:27 . 2013-04-10 06:01 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 11:27 . 2011-02-03 11:25 144384 ----a-w- c:\windows\system32\cdd.dll
2013-05-15 11:27 . 2013-02-27 05:52 14172672 ----a-w- c:\windows\system32\shell32.dll
2013-05-15 11:27 . 2013-02-27 05:52 197120 ----a-w- c:\windows\system32\shdocvw.dll
2013-05-15 11:27 . 2013-02-27 05:48 1930752 ----a-w- c:\windows\system32\authui.dll
2013-05-15 11:27 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe
2013-05-15 11:27 . 2013-02-27 05:47 70144 ----a-w- c:\windows\system32\appinfo.dll
2013-05-15 11:27 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\SysWow64\authui.dll
2013-05-15 11:27 . 2013-04-10 03:30 3153920 ----a-w- c:\windows\system32\win32k.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-05 14:15 . 2012-11-11 17:06 866720 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-06-05 14:15 . 2011-01-12 20:11 788896 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-06-01 22:48 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
2013-05-16 09:03 . 2011-02-03 17:24 75016696 ----a-w- c:\windows\system32\MRT.exe
2013-05-15 15:45 . 2012-05-03 20:18 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-15 15:45 . 2011-05-12 23:23 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-02 15:29 . 2010-02-11 20:03 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-04-25 09:27 . 2013-04-25 09:27 905296 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A6CE1A87-2791-40AE-BEF1-48403592E0D4}\gapaengine.dll
2013-04-25 09:27 . 2011-03-26 00:00 905296 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-04-12 14:45 . 2013-04-23 20:22 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-04 20:50 . 2011-02-03 23:35 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-20 09:16 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2013-03-20 09:16 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2013-03-19 06:04 . 2013-04-09 20:17 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-09 20:17 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-09 20:17 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-09 20:17 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-09 20:17 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-09 20:17 112640 ----a-w- c:\windows\system32\smss.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}]
c:\program files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{ab56dfde-0c14-45b3-9df6-7b0eba617870}]
c:\progra~2\TOTALR~2\bar\1.bin\14bar.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{df22384f-cf68-4d19-969f-10423715528b}]
c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14SrcAs.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{a0154e07-2b48-475c-a82a-80efd84ea33e}"= "c:\program files (x86)\TotalRecipeSearch_14\bar\1.bin\14bar.dll" [BU]
"{A531D99C-5A22-449b-83DA-872725C6D0ED}"= "c:\program files (x86)\alotappbar\bin\ALOTHelper.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{a0154e07-2b48-475c-a82a-80efd84ea33e}]
.
[HKEY_CLASSES_ROOT\clsid\{a531d99c-5a22-449b-83da-872725c6d0ed}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-05-16 3830224]
"BingDesktop"="c:\program files (x86)\Microsoft\BingDesktop\BingDesktop.exe" [2013-04-10 2387088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"PromptOnSecureDesktop"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"WallpaperStyle"= 2
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk /k:C *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 SASDIFSV;SASDIFSV;c:\users\John\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS;c:\users\John\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\John\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS;c:\users\John\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys;c:\windows\SYSNATIVE\drivers\libusb0.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 NisSrv;NisSrv;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys;c:\windows\SYSNATIVE\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
R4 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [x]
R4 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 BingDesktopUpdate;Bing Desktop Update service;c:\program files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe;c:\program files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [x]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys;c:\windows\SYSNATIVE\DRIVERS\CAXHWAZL.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-01-22 18:06 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-03 15:45]
.
2013-06-04 c:\windows\Tasks\HPCeeScheduleForJohn.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 12:22]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\mssecex.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=2A697F3001CC81770F89623E&src_id=30051&camp_id=3081&tb_version=1.1.1000.4(B)
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\18uz0y5r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.charter.net/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
Toolbar-Locked - (no file)
AddRemove-Bookworm Deluxe 1.03 - c:\program files\PopCap Games\BookWorm Deluxe\PopUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
.
**************************************************************************
.
Completion time: 2013-06-10  12:12:26 - machine was rebooted
ComboFix-quarantined-files.txt  2013-06-10 18:12
ComboFix2.txt  2013-06-05 21:41
.
Pre-Run: 186,915,807,232 bytes free
Post-Run: 186,523,222,016 bytes free
.
- - End Of File - - 608A017F576774CEF10B9FDB14474E23
EFC2ECED49282702DB0B737570780FB0
 



#6 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 10 June 2013 - 01:25 PM

Please post up C:\qoobox\ComboFix-quarantined-files.txt



#7 Twotone
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Tennessee

Posted 10 June 2013 - 01:32 PM

2013-06-10 17:56:28 . 2013-06-10 17:56:28            1,164 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_ahhvmecx.reg.dat
2013-06-10 17:51:03 . 2013-06-10 17:51:39              252 ----a-w-  C:\Qoobox\Quarantine\catchme.txt
2013-06-05 22:39:07 . 2013-06-05 22:39:07                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\drivers\hfile.txt.vir
2013-06-05 21:39:37 . 2013-06-05 21:39:37               80 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-MSC.reg.dat
2013-06-05 21:39:37 . 2013-06-10 18:10:35              173 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2013-06-05 21:39:28 . 2013-06-05 21:39:28              377 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47}.reg.dat
2013-06-05 21:39:16 . 2013-06-05 21:39:16              230 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKU-Default-RunOnce-SPReview.reg.dat
2013-06-05 21:38:52 . 2013-06-05 21:38:52              188 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-TotalRecipeSearch_14 Browser Plugin Loader.reg.dat
2013-06-05 21:38:51 . 2013-06-10 18:10:05              104 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat
2013-06-05 21:38:44 . 2013-06-05 21:38:44              405 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-{A531D99C-5A22-449b-83DA-872725C6D0ED}.reg.dat
2013-06-05 21:38:43 . 2013-06-05 21:38:44              412 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-{a0154e07-2b48-475c-a82a-80efd84ea33e}.reg.dat
2013-06-05 21:38:43 . 2013-06-05 21:38:43              539 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-BHO-{df22384f-cf68-4d19-969f-10423715528b}.reg.dat
2013-06-05 21:38:38 . 2013-06-05 21:38:38              424 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-BHO-{ab56dfde-0c14-45b3-9df6-7b0eba617870}.reg.dat
2013-06-05 21:38:38 . 2013-06-05 21:38:38              497 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-BHO-{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}.reg.dat
2013-06-05 21:12:51 . 2013-06-05 21:12:51            1,188 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_TotalRecipeSearch_14Service.reg.dat
2013-06-05 21:12:32 . 2013-06-10 17:56:10            8,777 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2013-06-01 22:46:24 . 2013-06-01 22:46:24                0 ----a-w-  C:\Qoobox\Quarantine\C\Users\John\mstsc.exe.vir
2013-06-01 22:46:23 . 2013-06-01 22:46:23                0 ----a-w-  C:\Qoobox\Quarantine\C\Users\John\acrobatreader.exe.vir
2013-02-25 00:54:34 . 2013-02-25 00:54:41          360,722 ----a-w-  C:\Qoobox\Quarantine\C\Windows\tmp\dd_vcredistMSI07F0.txt.vir
2013-02-25 00:54:34 . 2013-02-25 00:54:42           11,070 ----a-w-  C:\Qoobox\Quarantine\C\Windows\tmp\dd_vcredistUI07F0.txt.vir
2012-12-26 01:10:38 . 2012-12-26 01:10:43          418,744 ----a-w-  C:\Qoobox\Quarantine\C\Windows\tmp\Digital Editions\587ce258-591d-4f80-aef8-fc66312eeefb.vir
2012-12-26 01:10:36 . 2012-12-26 01:10:36          490,639 ----a-w-  C:\Qoobox\Quarantine\C\Windows\tmp\Digital Editions\99052f50-a1b0-456c-b244-3ef4f04f7b64.vir
2012-12-26 00:53:57 . 2012-12-26 00:54:02          361,884 ----a-w-  C:\Qoobox\Quarantine\C\Windows\tmp\dd_vcredistMSI6946.txt.vir
2012-12-26 00:53:52 . 2012-12-26 00:54:02           11,118 ----a-w-  C:\Qoobox\Quarantine\C\Windows\tmp\dd_vcredistUI694A.txt.vir
2012-10-22 00:27:41 . 2012-10-22 00:27:51          361,500 ----a-w-  C:\Qoobox\Quarantine\C\Windows\tmp\dd_vcredistMSI7E94.txt.vir
2012-10-22 00:27:39 . 2012-10-22 00:27:51           11,102 ----a-w-  C:\Qoobox\Quarantine\C\Windows\tmp\dd_vcredistUI7E94.txt.vir
2012-07-22 14:36:06 . 2012-07-22 14:36:06                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\tmp\qtsingleapp-koboex-7d5-1-lockfile.vir
2012-07-22 14:35:54 . 2012-07-22 14:35:58          363,374 ----a-w-  C:\Qoobox\Quarantine\C\Windows\tmp\dd_vcredistMSI7392.txt.vir
2012-07-22 14:35:54 . 2012-07-22 14:35:58           13,902 ----a-w-  C:\Qoobox\Quarantine\C\Windows\tmp\dd_vcredistUI7392.txt.vir
2011-10-03 02:49:53 . 2011-10-03 02:49:54          152,740 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\alotappbar\alotUninst.exe.vir
2011-10-03 02:49:53 . 2011-09-08 21:21:02           48,488 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll.vir
2011-09-28 12:40:07 . 2011-09-28 12:40:07               24 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\Settings\s_pid.dat.vir
2011-09-28 12:40:07 . 2011-09-28 12:40:07          447,767 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\IE9Mesg\COMMON.T8S.vir
2011-09-28 12:40:07 . 2011-09-28 12:40:07           18,793 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\Message\COMMON.T8S.vir
2011-09-28 12:40:07 . 2011-09-28 12:40:00              265 ----a-w-  C:\Qoobox\Quarantine\C\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\18uz0y5r.default\extensions\14ffxtbr@TotalRecipeSearch_14.com\chrome.manifest.vir
2011-09-28 12:40:07 . 2011-09-28 12:40:00              903 ----a-w-  C:\Qoobox\Quarantine\C\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\18uz0y5r.default\extensions\14ffxtbr@TotalRecipeSearch_14.com\install.rdf.vir
2011-09-28 12:40:07 . 2011-09-28 12:40:06           15,922 ----a-w-  C:\Qoobox\Quarantine\C\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\18uz0y5r.default\extensions\14ffxtbr@TotalRecipeSearch_14.com\chrome\14ffxtbr.jar.vir
2011-09-28 12:40:06 . 2011-09-28 12:40:06           15,922 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\chrome\14ffxtbr.jar.vir
2011-09-28 12:40:01 . 2011-09-28 12:40:01           42,384 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14uabtn.dll.vir
2011-09-28 12:40:01 . 2011-09-28 12:40:01          128,520 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14tpinst.dll.vir
2011-09-28 12:40:01 . 2011-09-28 12:40:01           62,864 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14SrcAs.dll.vir
2011-09-28 12:40:01 . 2011-09-28 12:40:01           30,216 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14skplay.exe.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:01          128,512 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14skin.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           46,480 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14script.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00          161,736 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\T8RES.DLL.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           42,512 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14regiet.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           42,512 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14regfft.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00          124,304 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14radio.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           62,864 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14Plugin.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00          161,288 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14msg.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           46,480 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14mlbtn.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           22,048 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14medint.exe.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           24,695 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14impipe.exe.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           42,384 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14ieovr.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           34,192 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14idle.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           83,456 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14httpct.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00          161,272 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14htmlmu.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           95,736 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14html.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           22,048 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14highin.exe.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           91,648 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14feedmg.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           54,672 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14dyn.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           50,704 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14dlghk.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           99,840 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14datact.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           34,192 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14brstub.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           30,096 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14brmon.exe.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           42,504 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14barsvc.exe.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00          669,072 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14bar.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           30,224 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14auxstb.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           30,664 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\NP14Stub.dll.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00           10,054 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\LOGO.BMP.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00              903 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\INSTALL.RDF.vir
2011-09-28 12:40:00 . 2011-09-28 12:40:00              265 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\CHROME.MANIFEST.vir
2011-09-28 12:39:36 . 2011-09-28 12:39:36          219,184 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14EI\Installr\1.bin\14EZSETP.dll.vir
2011-09-28 12:39:36 . 2011-09-28 12:39:36           55,344 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14EI\Installr\1.bin\14EIPlug.dll.vir
2011-09-28 12:39:36 . 2011-09-28 12:39:36           30,776 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14EI\Installr\1.bin\NP14EISb.dll.vir
2011-09-08 21:21:02 . 2011-09-08 21:21:02          903,016 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\alotappbar\bin\alotappbar.dll.vir
2011-09-08 21:21:02 . 2011-09-08 21:21:02           48,488 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\alotappbar\bin\alothelper.dll.vir
2011-09-08 21:21:02 . 2011-09-08 21:21:02           49,512 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\alotappbar\bin\ALOTSettings.exe.vir
2011-09-08 21:21:02 . 2011-09-08 21:21:02          465,256 ----a-w-  C:\Qoobox\Quarantine\C\Program Files (x86)\alotappbar\bin\alotwidgets.exe.vir
2011-02-11 22:50:05 . 2013-06-10 17:49:25              204 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2007-11-07 14:03:18 . 2007-11-07 14:03:18          562,688 ----a-w-  C:\Qoobox\Quarantine\C\Install.exe.vir
 



#8 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 10 June 2013 - 02:27 PM

Are you able to access MSE now?


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 Twotone (Topic Starter, Members, 15 posts, Tennessee)

Posted 10 June 2013 - 02:29 PM

Yes I am. It is updating now.



#10 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 10 June 2013 - 02:33 PM

Scan with AdwCleaner

Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe.
  • Hit Delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt also.

 

 

 

Let's hope nothing else got wasted:

 

 

 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Edited by TB-Psychotic, 10 June 2013 - 02:33 PM.


#11 Twotone (Topic Starter, Members, 15 posts, Tennessee)

Posted 10 June 2013 - 02:45 PM

# AdwCleaner v2.303 - Logfile created 06/10/2013 at 13:36:10
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : John - JOHN-PC
# Boot Mode : Normal
# Running from : C:\Users\John\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\18uz0y5r.default\searchplugins\Askcom.xml
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\Users\John\AppData\LocalLow\alotappbar
Folder Deleted : C:\Users\John\AppData\LocalLow\TotalRecipeSearch_14EI

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\alotAppbar
Key Deleted : HKCU\Software\AppDataLow\Software\TotalRecipeSearch_14EI
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A531D99C-5A22-449b-83DA-872725C6D0ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A531D99C-5A22-449b-83DA-872725C6D0ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A531D99C-5A22-449b-83DA-872725C6D0ED}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{343263AB-D732-4066-A274-4A487A07F108}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C42103E4-7D10-4cc9-B2B4-C546BCCF8706}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{A531D99C-5A22-449b-83DA-872725C6D0ED}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16483

[OK] Registry is clean.

-\\ Mozilla Firefox v3.6.13 (en-US)

File : C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\18uz0y5r.default\prefs.js

Deleted : user_pref("extensions.TotalRecipeSearch_14.openSearchURL", "hxxp://search.mywebsearch.com/mywebsearc[...]
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Ask.com");

*************************

AdwCleaner[R1].txt - [4169 octets] - [10/06/2013 13:35:46]
AdwCleaner[S1].txt - [4182 octets] - [10/06/2013 13:36:10]

########## EOF - C:\AdwCleaner[S1].txt - [4242 octets] ##########

 

 

Farbar Service Scanner Version: 31-05-2013 01
Ran by John (administrator) on 10-06-2013 at 13:44:15
Running from "C:\Users\John\Desktop"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****
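
The AdwCleaner log above removed BHO, Toolbar, CLSID and Low Rights\ElevationPolicy entries from both the native and the Wow6432Node registry views. What follows is an added example, not part of this thread and not code from AdwCleaner, FSS or any other tool used here, of how to re-check those Internet Explorer extension points after a cleanup: it lists every registered Browser Helper Object, toolbar and Protected Mode elevation-policy entry in the 64-bit and 32-bit views, resolves each CLSID to its DLL and reports the file's Authenticode status. The function names are mine; the script assumes an elevated 64-bit PowerShell session on Windows 7 and sticks to PowerShell 2.0 syntax.

```powershell
# Added example (not from the thread or its tools). Run as Administrator in a
# 64-bit PowerShell 2.0 session on Windows 7. Registry paths mirror the ones
# AdwCleaner reported as deleted in the log above.

$views = @(
    @{ Name = '64-bit'; Root = 'HKLM:\SOFTWARE' },
    @{ Name = '32-bit'; Root = 'HKLM:\SOFTWARE\Wow6432Node' }
)

function Resolve-ClsidDll([string]$root, [string]$clsid) {
    # COM class -> in-process DLL, read from the same registry view as the caller
    $key = Join-Path $root "Classes\CLSID\$clsid\InprocServer32"
    if (-not (Test-Path $key)) { return $null }
    $dll = (Get-ItemProperty -Path $key).'(default)'
    if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
    return $null
}

function Get-SigStatus([string]$path) {
    # NOFILE = dangling registration: the binary is gone but the key remained
    if (-not $path -or -not (Test-Path $path)) { return 'NOFILE' }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -eq 'Valid') { return 'Valid: ' + $sig.SignerCertificate.Subject }
    return [string]$sig.Status
}

$report = @()
foreach ($v in $views) {
    # Browser Helper Objects: one subkey per CLSID
    $bho = Join-Path $v.Root 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($k in @(Get-ChildItem -Path $bho)) {
            $dll = Resolve-ClsidDll $v.Root $k.PSChildName
            $report += "BHO      $($v.Name) $($k.PSChildName) -> $dll [$(Get-SigStatus $dll)]"
        }
    }
    # Toolbars: the CLSID is the *value name* under ...\Internet Explorer\Toolbar
    $tb = Join-Path $v.Root 'Microsoft\Internet Explorer\Toolbar'
    if (Test-Path $tb) {
        $names = (Get-Item -Path $tb).GetValueNames() | Where-Object { $_ -like '{*}' }
        foreach ($n in @($names)) {
            $dll = Resolve-ClsidDll $v.Root $n
            $report += "Toolbar  $($v.Name) $n -> $dll [$(Get-SigStatus $dll)]"
        }
    }
    # Protected Mode elevation policy: Policy=3 lets AppPath\AppName start at
    # medium integrity from Low-IL IE without any prompt, so list every entry
    $ep = Join-Path $v.Root 'Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
    if (Test-Path $ep) {
        foreach ($k in @(Get-ChildItem -Path $ep)) {
            $p = Get-ItemProperty -Path $k.PSPath
            $exe = if ($p.AppPath -and $p.AppName) { Join-Path $p.AppPath $p.AppName } else { $null }
            $report += "ElevPol  $($v.Name) $($k.PSChildName) Policy=$($p.Policy) $exe [$(Get-SigStatus $exe)]"
        }
    }
}
$report | Sort-Object
```

A NOFILE line is a dangling registration (the DLL was deleted but the CLSID or BHO key survived), harmless but worth removing; NotSigned or HashMismatch on a third-party add-on is what to investigate, as is any elevation-policy entry with Policy=3 that points at a program you do not recognise. One caveat if you want to reuse Get-SigStatus on the files in the FSS "File Check" list: on Windows 7's PowerShell 2.0, Get-AuthenticodeSignature does not consult the Windows security catalogs, so catalog-signed system binaries such as svchost.exe come back NotSigned even when they are intact. Verify those with sfc /verifyfile=<path> or Sysinternals sigcheck instead.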



#12 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 10 June 2013 - 02:47 PM

Beautiful!

Let's cross-check...

 

 

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#13 Twotone (Topic Starter, Members, 15 posts, Tennessee)

Posted 10 June 2013 - 04:14 PM

Looks like it was all in quarantine but I will post it anyway.

 

C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14datact.dll.vir a variant of Win32/Toolbar.MyWebSearch.A application
C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14html.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14htmlmu.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14ieovr.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.P application
C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14Plugin.dll.vir a variant of Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14skin.dll.vir a variant of Win32/Toolbar.MyWebSearch.P application
C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14EI\Installr\1.bin\14EIPlug.dll.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14EI\Installr\1.bin\14EZSETP.dll.vir a variant of Win32/Toolbar.MyWebSearch.Q application
C:\Qoobox\Quarantine\C\Program Files (x86)\TotalRecipeSearch_14EI\Installr\1.bin\NP14EISb.dll.vir Win32/Toolbar.MyWebSearch application



#14 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 10 June 2013 - 04:32 PM

Then we can clean up. If you're facing any issues, report them immediately.

 

 

SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.



#15 Twotone (Topic Starter, Members, 15 posts, Tennessee)

Posted 10 June 2013 - 04:40 PM

 Results of screen317's Security Check version 0.99.64 
 Windows 7 Service Pack 1 x64 (UAC is disabled!) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 21 
 Adobe Reader XI 
 Mozilla Firefox (3.6.13) Firefox out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Spybot Teatimer.exe is disabled!
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````
 





