Unknown audio source, possible malware


This topic is locked
13 replies to this topic

#1 JohnnyCGoode

JohnnyCGoode

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:44 PM

Posted 19 June 2013 - 01:30 PM

Hello,

First off I would like to say that through searching the forums I have solved many a computer problem relatively quickly and painlessly and I thank you for that.

I recently ran into a rather persistent problem with my computer, running Windows Vista, playing an unknown audio source appearing to be in the form of an ad and various Internet sources. I downloaded Malwarebytes which blocked a few different IP addresses: 46.249.61.94, 46.249.61.85, 46.249.61.89. The audio ceased during the trial run of Malwarebytes but now that it is gone the audio has returned.
 
I most recently began getting a blue screen so I ran aswMBR which came up with a couple of items.
 
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-19 10:40:09
-----------------------------
10:40:09.957    OS Version: Windows 6.0.6002 Service Pack 2
10:40:09.957    Number of processors: 2 586 0xF0D
10:40:09.959    ComputerName: USER-PC  UserName: User
10:40:31.673    Initialize success
10:47:10.391    AVAST engine defs: 13061900
10:47:18.500    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
10:47:18.509    Disk 0 Vendor: WDC_WD2500BEVT-22A23T0 01.01A01 Size: 238475MB BusType: 3
10:47:18.517    Device \Driver\atapi -> MajorFunction 85adac10
10:47:18.525    Disk 0 MBR read successfully
10:47:18.535    Disk 0 MBR scan
10:47:18.568    Disk 0 Windows VISTA default MBR code
10:47:18.590    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       238473 MB offset 2048
10:47:18.606    Disk 0 scanning sectors +488394752
10:47:18.732    Disk 0 scanning C:\Windows\system32\drivers
10:47:40.992    Service scanning
10:48:28.257    Modules scanning
10:48:39.280    Disk 0 trace - called modules:
10:48:39.303    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85adac10]<<
10:48:39.745    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x857cf030]
10:48:39.781    3 CLASSPNP.SYS[82fa58b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0x855cf030]
10:48:39.796    \Driver\atapi[0x859f1b98] -> IRP_MJ_CREATE -> 0x85adac10
10:48:42.050    AVAST engine scan C:\Windows
10:48:47.027    AVAST engine scan C:\Windows\system32
10:56:12.612    AVAST engine scan C:\Windows\system32\drivers
10:56:37.334    AVAST engine scan C:\Users\User
11:22:25.546    Disk 0 MBR has been saved successfully to "C:\Users\User\Contacts\Desktop\MBR.dat"
11:22:25.577    The log file has been saved successfully to "C:\Users\User\Contacts\Desktop\aswMBR.txt"
 
At this point I am not sure what to do and am in need of some dire assistance. Thank you so much for your time and help.
 
- Johnny

 


Edited by hamluis, 19 June 2013 - 03:24 PM.
Moved from Vista to Malware Removal Logs - Hamluis.



#2 JohnnyCGoode

JohnnyCGoode
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:44 PM

Posted 19 June 2013 - 06:09 PM

Thank you for the edit/re-categorization Hamluis. New to forums :)

#3 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:44 AM

Posted 20 June 2013 - 08:02 AM

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#4 JohnnyCGoode

JohnnyCGoode
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:44 PM

Posted 20 June 2013 - 01:18 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20-06-2013
Ran by User (administrator) on 20-06-2013 11:04:22
Running from C:\Users\User\Downloads
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) ===================
 
(McAfee, Inc.) C:\Windows\system32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(McAfee, Inc.) c:\PROGRA~1\mcafee.com\agent\mcagent.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe [3444736 2007-12-08] (Dell Inc.)
HKLM\...\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s [118784 2007-07-27] (Creative Technology Ltd.)
HKLM\...\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe [36864 2007-05-09] (Creative Technology Ltd.)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [58656 2011-04-20] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\pcTrayApp.exe" [1939968 2012-06-07] (Alcatel-Lucent)
HKLM\...\Run: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [217256 2012-05-03] (Visicom Media Inc. (Powered by Panda Security))
HKLM\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1278064 2013-03-13] (McAfee, Inc.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-05-31] (Apple Inc.)
HKCU\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKCU\...\Run: [Facebook Update] "C:\Users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-14] (Facebook Inc.)
HKCU\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
MountPoints2: {85d48e77-8687-11e1-b464-00219be242e6} - F:\MI.exe
Startup: C:\ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: IB Updater - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\IB Updater\Extension32.dll ()
BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120925095522.dll (McAfee, Inc.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
BHO: delta Helper Object - {C1AF5FA5-852C-4C90-812E-A7F75E011D87} - C:\Program Files\Delta\delta\1.8.10.0\bh\delta.dll (Delta-search.com)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: Yontoo - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll (Yontoo LLC)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - Delta Toolbar - {82E1477C-B154-48D3-9891-33D83C26BCD3} - C:\Program Files\Delta\delta\1.8.10.0\deltaTlbr.dll (Delta-search.com)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Handler: msdaipp - No CLSID Value - 
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~1\mcafee\msc\mcsniepl.dll (McAfee, Inc.)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
FireFox:
========
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\user.js
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @mcafee.com/MSC,version=10 - c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @mcafee.com/SAFFPlugin - C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @Motive.com/NpMotive,version=1.0 - C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF Plugin: @nitropdf.com/NitroPDF - C:\Program Files\Nitro\Reader 3\npnitromozilla.dll (Nitro PDF)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: hxxp://www.delta-search.com/?affID=119776&babsrc=HP_ss&mntrId=10CE00219BE242E6
CHR RestoreOnStartup: "hxxp://www.google.com/"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\27.0.1453.110\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\27.0.1453.110\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\27.0.1453.110\pdf.dll ()
CHR Plugin: (Injovo Extension Plugin) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd\2.0.0.538_0\npbrowserext.dll (Injovo)
CHR Plugin: (McAfee SiteAdvisor) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.50.146.2_0\McChPlg.dll (McAfee, Inc.)
CHR Plugin: (Skype Click to Call) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.10.0.9560_0\npSkypeChromePlugin.dll (Skype Technologies S.A.)
CHR Plugin: (Conduit Chrome Plugin) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\phfmiknmhngmmlcppkpmbnopohlnfpbh\10.13.20.29_0\plugins/ConduitChromeApiPlugin.dll No File
CHR Plugin: (Conduit Radio Plugin) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\phfmiknmhngmmlcppkpmbnopohlnfpbh\10.13.20.29_0\plugins/np-cwmp.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.300.12) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U30) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Motive Plugin) - C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (McAfee SiteAdvisor) - C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Facebook Video Calling Plugin) - C:\Users\User\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (McAfee SecurityCenter) - c:\progra~1\mcafee\msc\npmcsn~1.dll ()
CHR Extension: (Movie2kDownloader) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blaofbhgbmeikidhlkmjhbkbfohpgekf\1.0_0
CHR Extension: (IB Updater) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd\2.0.0.538_0
CHR Extension: (SiteAdvisor) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.50.146.2_0
CHR Extension: (Skype Click to Call) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.10.0.9560_0
 
========================== Services (Whitelisted) =================
 
S4 FlipShare Service; C:\Program Files\Flip Video\FlipShare\FlipShareService.exe [451904 2009-08-19] ()
S4 IB Updater; C:\Program Files\IB Updater\ExtensionUpdaterService.exe [188760 2012-10-09] ()
S2 lxdxCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdxserv.exe [94208 2009-10-16] (Lexmark International, Inc.)
S4 lxdx_device; C:\Windows\system32\lxdxcoms.exe [589824 2009-10-16] ( )
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 McAfee SiteAdvisor Service; c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe [95232 2012-06-15] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [279048 2012-11-16] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [203840 2013-02-19] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-02-19] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [172416 2013-02-19] (McAfee, Inc.)
S2 NitroReaderDriverReadSpool3; C:\Program Files\Nitro\Reader 3\NitroPDFReaderDriverService3.exe [196624 2012-10-30] (Nitro PDF Software)
S2 pcServiceHost; C:\Program Files\Common Files\Motive\pcServiceHost.exe [342016 2012-06-14] (Alcatel-Lucent)
S4 Yontoo Desktop Updater; C:\Users\User\AppData\Roaming\Yontoo\YontooDesktop.exe [42784 2013-03-13] (Yontoo LLC)
S2 BrowserProtect; C:\ProgramData\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [x]
 
==================== Drivers (Whitelisted) ====================
 
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-02-19] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [146872 2012-04-20] (McAfee, Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133416 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [235264 2013-02-19] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-02-19] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [363080 2013-02-19] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565888 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [92632 2013-02-19] (McAfee, Inc.)
R1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [210608 2013-02-19] (McAfee, Inc.)
S3 MREMP50; C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [21248 2012-06-14] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [20096 2012-06-14] (Printing Communications Assoc., Inc. (PCAUSA))
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-06-20 10:42 - 2013-06-20 10:42 - 00000232 ____A C:\Users\User\Downloads\Search.txt
2013-06-20 10:15 - 2013-06-20 10:44 - 00003698 ____A C:\Users\User\Downloads\Addition.txt
2013-06-20 10:04 - 2013-06-20 10:04 - 00000000 ____D C:\FRST
2013-06-20 10:01 - 2013-06-20 10:01 - 01368263 ____A (Farbar) C:\Users\User\Downloads\FRST.exe
2013-06-19 11:34 - 2013-06-19 11:34 - 00139464 ____A C:\Windows\Minidump\Mini061913-04.dmp
2013-06-19 10:37 - 2013-06-19 10:39 - 04745728 ____A (AVAST Software) C:\Users\User\Downloads\aswMBR.exe
2013-06-19 10:29 - 2013-06-19 10:29 - 00143680 ____A C:\Windows\Minidump\Mini061913-03.dmp
2013-06-19 10:21 - 2013-06-19 10:21 - 00143680 ____A C:\Windows\Minidump\Mini061913-02.dmp
2013-06-19 08:02 - 2013-06-19 08:02 - 00143680 ____A C:\Windows\Minidump\Mini061913-01.dmp
2013-06-18 21:26 - 2013-06-18 21:26 - 00143680 ____A C:\Windows\Minidump\Mini061813-02.dmp
2013-06-18 21:19 - 2013-06-19 09:02 - 00000000 ____D C:\Windows\pss
2013-06-18 20:38 - 2013-06-18 20:38 - 00143680 ____A C:\Windows\Minidump\Mini061813-01.dmp
2013-06-16 21:38 - 2013-06-16 21:39 - 00139464 ____A C:\Windows\Minidump\Mini061613-02.dmp
2013-06-16 21:18 - 2013-06-16 21:18 - 00143680 ____A C:\Windows\Minidump\Mini061613-01.dmp
2013-06-10 21:16 - 2013-06-10 21:16 - 00147744 ____A C:\Windows\Minidump\Mini061013-04.dmp
2013-06-10 21:09 - 2013-06-10 21:09 - 00001664 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-10 21:07 - 2013-06-10 21:07 - 00000000 ____D C:\Program Files\iPod
2013-06-10 21:06 - 2013-06-10 21:09 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-10 21:06 - 2013-06-10 21:09 - 00000000 ____D C:\Program Files\iTunes
2013-06-10 20:24 - 2013-06-10 20:24 - 00147792 ____A C:\Windows\Minidump\Mini061013-03.dmp
2013-06-10 20:02 - 2013-06-10 20:02 - 00143576 ____A C:\Windows\Minidump\Mini061013-02.dmp
2013-06-10 18:58 - 2013-06-10 18:58 - 00147792 ____A C:\Windows\Minidump\Mini061013-01.dmp
2013-06-09 16:10 - 2013-06-09 16:10 - 00143632 ____A C:\Windows\Minidump\Mini060913-03.dmp
2013-06-09 15:52 - 2013-06-09 15:53 - 00143680 ____A C:\Windows\Minidump\Mini060913-02.dmp
2013-06-09 15:28 - 2013-06-09 15:29 - 00143680 ____A C:\Windows\Minidump\Mini060913-01.dmp
2013-06-06 15:45 - 2013-06-06 15:46 - 00000000 ____D C:\Users\User\lmms
2013-06-06 15:23 - 2013-06-06 15:23 - 00143680 ____A C:\Windows\Minidump\Mini060613-02.dmp
2013-06-06 15:11 - 2013-06-06 15:11 - 00000000 ____D C:\Users\User\AppData\Roaming\Yahoo!
2013-06-06 10:51 - 2013-06-06 10:52 - 00143680 ____A C:\Windows\Minidump\Mini060613-01.dmp
2013-06-04 17:11 - 2013-06-04 17:12 - 00143680 ____A C:\Windows\Minidump\Mini060413-02.dmp
2013-06-04 13:37 - 2013-06-19 11:34 - 167575750 ____A C:\Windows\MEMORY.DMP
2013-06-04 13:37 - 2013-06-04 13:37 - 00143680 ____A C:\Windows\Minidump\Mini060413-01.dmp
2013-06-03 15:00 - 2013-06-03 15:00 - 00000000 ____D C:\Users\User\AppData\Roaming\Malwarebytes
2013-06-03 15:00 - 2013-06-03 15:00 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-03 14:59 - 2013-06-03 15:00 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-03 14:59 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-06-03 13:11 - 2013-06-03 13:11 - 00000000 ____D C:\ProgramData\?Û?Û0
2013-06-03 09:16 - 2013-06-03 09:16 - 00000000 ____D C:\ProgramData\?ø?ø0
2013-06-01 08:52 - 2013-06-01 08:52 - 00000000 ____D C:\ProgramData\????0
2013-06-01 08:14 - 2013-06-01 08:14 - 00000000 ____D C:\ProgramData\????0
2013-06-01 07:24 - 2013-06-01 07:25 - 00000000 ____D C:\Program Files\Microsoft ATS
2013-06-01 07:13 - 2013-06-01 07:13 - 00000000 ____D C:\ProgramData\?ò?ò0
2013-06-01 07:04 - 2013-06-01 07:04 - 00000000 ____D C:\ProgramData\????
2013-05-31 08:40 - 2013-05-31 08:40 - 00000000 ____D C:\ProgramData\?E?E0
2013-05-28 18:19 - 2013-05-28 18:20 - 00000000 ____D C:\Program Files\QuickTime
2013-05-28 17:38 - 2013-05-28 17:38 - 00000000 ____D C:\ProgramData\?i?i0
2013-05-28 15:55 - 2013-05-28 15:55 - 00000000 ____D C:\ProgramData\?U?U0
 
==================== One Month Modified Files and Folders ========
 
2013-06-20 10:44 - 2013-06-20 10:15 - 00003698 ____A C:\Users\User\Downloads\Addition.txt
2013-06-20 10:42 - 2013-06-20 10:42 - 00000232 ____A C:\Users\User\Downloads\Search.txt
2013-06-20 10:12 - 2010-10-30 08:56 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-20 10:09 - 2012-08-20 12:43 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-20 10:09 - 2008-01-20 18:35 - 02020453 ____A C:\Windows\WindowsUpdate.log
2013-06-20 10:04 - 2013-06-20 10:04 - 00000000 ____D C:\FRST
2013-06-20 10:01 - 2013-06-20 10:01 - 01368263 ____A (Farbar) C:\Users\User\Downloads\FRST.exe
2013-06-20 09:51 - 2010-10-30 08:56 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-20 09:50 - 2006-11-02 06:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-20 09:50 - 2006-11-02 05:47 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-20 09:50 - 2006-11-02 05:47 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-19 11:34 - 2013-06-19 11:34 - 00139464 ____A C:\Windows\Minidump\Mini061913-04.dmp
2013-06-19 11:34 - 2013-06-04 13:37 - 167575750 ____A C:\Windows\MEMORY.DMP
2013-06-19 11:34 - 2012-09-10 18:23 - 00000000 ____D C:\Windows\Minidump
2013-06-19 10:39 - 2013-06-19 10:37 - 04745728 ____A (AVAST Software) C:\Users\User\Downloads\aswMBR.exe
2013-06-19 10:29 - 2013-06-19 10:29 - 00143680 ____A C:\Windows\Minidump\Mini061913-03.dmp
2013-06-19 10:21 - 2013-06-19 10:21 - 00143680 ____A C:\Windows\Minidump\Mini061913-02.dmp
2013-06-19 10:20 - 2012-01-07 18:42 - 00000000 ____D C:\Users\User\AppData\Roaming\SoftGrid Client
2013-06-19 09:57 - 2006-11-02 06:01 - 00032554 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-19 09:02 - 2013-06-18 21:19 - 00000000 ____D C:\Windows\pss
2013-06-19 08:24 - 2011-08-19 14:14 - 00000936 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4071275818-4037909974-1013974746-1000UA.job
2013-06-19 08:10 - 2012-08-20 12:43 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-19 08:10 - 2011-08-03 07:59 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-19 08:02 - 2013-06-19 08:02 - 00143680 ____A C:\Windows\Minidump\Mini061913-01.dmp
2013-06-18 21:26 - 2013-06-18 21:26 - 00143680 ____A C:\Windows\Minidump\Mini061813-02.dmp
2013-06-18 21:04 - 2010-09-29 11:46 - 00001356 ____A C:\Users\User\AppData\Local\d3d9caps.dat
2013-06-18 20:38 - 2013-06-18 20:38 - 00143680 ____A C:\Windows\Minidump\Mini061813-01.dmp
2013-06-18 20:33 - 2013-03-18 12:27 - 00000000 ____D C:\Users\User\AppData\Roaming\Yontoo
2013-06-16 21:39 - 2013-06-16 21:38 - 00139464 ____A C:\Windows\Minidump\Mini061613-02.dmp
2013-06-16 21:18 - 2013-06-16 21:18 - 00143680 ____A C:\Windows\Minidump\Mini061613-01.dmp
2013-06-11 06:45 - 2006-11-02 03:33 - 00704382 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-10 21:16 - 2013-06-10 21:16 - 00147744 ____A C:\Windows\Minidump\Mini061013-04.dmp
2013-06-10 21:09 - 2013-06-10 21:09 - 00001664 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-10 21:09 - 2013-06-10 21:06 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-10 21:09 - 2013-06-10 21:06 - 00000000 ____D C:\Program Files\iTunes
2013-06-10 21:07 - 2013-06-10 21:07 - 00000000 ____D C:\Program Files\iPod
2013-06-10 21:07 - 2011-05-18 23:17 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-06-10 20:32 - 2012-12-11 13:46 - 00262144 ____A C:\Windows\System32\config\ELAM
2013-06-10 20:24 - 2013-06-10 20:24 - 00147792 ____A C:\Windows\Minidump\Mini061013-03.dmp
2013-06-10 20:02 - 2013-06-10 20:02 - 00143576 ____A C:\Windows\Minidump\Mini061013-02.dmp
2013-06-10 18:58 - 2013-06-10 18:58 - 00147792 ____A C:\Windows\Minidump\Mini061013-01.dmp
2013-06-09 18:07 - 2006-11-02 05:37 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-06-09 18:00 - 2010-10-18 18:25 - 00121856 ____A C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-06-09 17:23 - 2006-11-02 05:52 - 00052279 ____A C:\Windows\setupact.log
2013-06-09 16:10 - 2013-06-09 16:10 - 00143632 ____A C:\Windows\Minidump\Mini060913-03.dmp
2013-06-09 15:53 - 2013-06-09 15:52 - 00143680 ____A C:\Windows\Minidump\Mini060913-02.dmp
2013-06-09 15:29 - 2013-06-09 15:28 - 00143680 ____A C:\Windows\Minidump\Mini060913-01.dmp
2013-06-06 16:22 - 2013-03-21 14:34 - 00001132 ____A C:\Users\User\.lmmsrc.xml
2013-06-06 15:46 - 2013-06-06 15:45 - 00000000 ____D C:\Users\User\lmms
2013-06-06 15:45 - 2010-09-29 11:46 - 00000000 ____D C:\users\User
2013-06-06 15:23 - 2013-06-06 15:23 - 00143680 ____A C:\Windows\Minidump\Mini060613-02.dmp
2013-06-06 15:11 - 2013-06-06 15:11 - 00000000 ____D C:\Users\User\AppData\Roaming\Yahoo!
2013-06-06 10:52 - 2013-06-06 10:51 - 00143680 ____A C:\Windows\Minidump\Mini060613-01.dmp
2013-06-04 17:31 - 2013-05-18 14:29 - 00000000 ____D C:\Users\User\AppData\Roaming\PrimoPDF
2013-06-04 17:12 - 2013-06-04 17:11 - 00143680 ____A C:\Windows\Minidump\Mini060413-02.dmp
2013-06-04 14:18 - 2010-10-30 08:55 - 00000000 ____D C:\Program Files\Google
2013-06-04 13:37 - 2013-06-04 13:37 - 00143680 ____A C:\Windows\Minidump\Mini060413-01.dmp
2013-06-03 17:46 - 2008-01-20 19:47 - 00050232 ____A C:\Windows\PFRO.log
2013-06-03 17:46 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\Resources
2013-06-03 15:00 - 2013-06-03 15:00 - 00000000 ____D C:\Users\User\AppData\Roaming\Malwarebytes
2013-06-03 15:00 - 2013-06-03 15:00 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-03 15:00 - 2013-06-03 14:59 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-03 14:29 - 2011-08-12 17:03 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-06-03 14:07 - 2013-03-18 12:29 - 00000000 ____D C:\ProgramData\BrowserProtect
2013-06-03 13:11 - 2013-06-03 13:11 - 00000000 ____D C:\ProgramData\?Û?Û0
2013-06-03 11:56 - 2012-08-07 20:28 - 00000000 ____D C:\ProgramData\blekko toolbars
2013-06-03 09:16 - 2013-06-03 09:16 - 00000000 ____D C:\ProgramData\?ø?ø0
2013-06-01 08:52 - 2013-06-01 08:52 - 00000000 ____D C:\ProgramData\????0
2013-06-01 08:14 - 2013-06-01 08:14 - 00000000 ____D C:\ProgramData\????0
2013-06-01 07:25 - 2013-06-01 07:24 - 00000000 ____D C:\Program Files\Microsoft ATS
2013-06-01 07:13 - 2013-06-01 07:13 - 00000000 ____D C:\ProgramData\?ò?ò0
2013-06-01 07:04 - 2013-06-01 07:04 - 00000000 ____D C:\ProgramData\????
2013-05-31 11:24 - 2011-08-19 14:14 - 00000914 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4071275818-4037909974-1013974746-1000Core.job
2013-05-31 08:40 - 2013-05-31 08:40 - 00000000 ____D C:\ProgramData\?E?E0
2013-05-30 15:04 - 2011-05-18 23:23 - 00000000 ____D C:\Users\User\AppData\Roaming\Apple Computer
2013-05-28 18:20 - 2013-05-28 18:19 - 00000000 ____D C:\Program Files\QuickTime
2013-05-28 17:38 - 2013-05-28 17:38 - 00000000 ____D C:\ProgramData\?i?i0
2013-05-28 15:55 - 2013-05-28 15:55 - 00000000 ____D C:\ProgramData\?U?U0
2013-05-28 15:54 - 2011-08-20 22:44 - 00000000 ____D C:\Program Files\McAfee
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4071275818-4037909974-1013974746-1000\$0afc0dafdb8e558d643e990125e4bcb4
 
Files to move or delete:
====================
C:\Users\User\Lame_v3.99.3_for_Windows.exe
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-06-20 10:55
 
==================== End Of Log ============================
 
Attached File: Addition.txt (16.8KB)

Edited by JohnnyCGoode, 20 June 2013 - 01:24 PM.


#5 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:44 AM

Posted 20 June 2013 - 04:55 PM

Please do this next:

Go to this page and download Malwarebytes Anti-Rootkit (MBAR)

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • MBAR will create logs that you will find in the same folder you found MBAR.exe.  Please post those for me to review.

Download Combofix from HERE, and save it to your desktop.

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back.  Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • MBAR log(s)
  • ComboFix log


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#6 JohnnyCGoode

JohnnyCGoode
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:44 PM

Posted 20 June 2013 - 07:59 PM

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.0.6002 Windows Vista Service Pack 2 x86
 
System is currently in a safe mode
 
Account is Administrative
 
Internet Explorer version: 9.0.8112.16421
 
Java version: 1.6.0_30
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.862000 GHz
Memory total: 2136272896, free: 1034231808
 
Initializing...
------------ Kernel report ------------
     06/20/2013 15:20:17
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\mfehidk.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\yk60x86.sys
\SystemRoot\system32\DRIVERS\bcmwl6.sys
\SystemRoot\system32\DRIVERS\ohci1394.sys
\SystemRoot\system32\DRIVERS\1394BUS.SYS
\SystemRoot\system32\DRIVERS\rimmptsk.sys
\SystemRoot\system32\DRIVERS\rimsptsk.sys
\SystemRoot\system32\DRIVERS\rixdptsk.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\drivers\mfewfpk.sys
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\mfefirek.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\framebuf.dll
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\cfwids.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff857ceac8
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-2\
Lower Device Object: 0xffffffff855cf030
Lower Device Driver Name: Unknown
IRP handler 0 of \Driver\atapi points to an unknown module
Unhooking enabled.
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff857ceac8
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-2\
Lower Device Object: 0xffffffff855cf030
Lower Device Driver Name: Unknown
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff857ceac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff857472b0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff857ceac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff855cf030, DeviceName: \Device\Ide\IdeDeviceP1T0L0-2\, DriverName: Unknown
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0xffffffff81cfaf10, 0xffffffff857ceac8, 0xffffffff867f06d0
Lower DeviceData: 0xffffffffa5ee44c8, 0xffffffff855cf030, 0xffffffff864b65f0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
MBR buffers are not equal
MBR is forged! [0c09dbfb6e001608950df0db533ee0d1]
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 121DE020
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 488392704
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Replacement MBR for a drive 0 found
MBR infection found on drive 0
Disk Size: 250059350016 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-488377168-488397168)...
Done!
Infected: c:\$Recycle.Bin\S-1-5-21-4071275818-4037909974-1013974746-1000\$0afc0dafdb8e558d643e990125e4bcb4\U --> [Trojan.Siredef.C]
Infected: c:\$Recycle.Bin\S-1-5-21-4071275818-4037909974-1013974746-1000\$0afc0dafdb8e558d643e990125e4bcb4\L --> [Trojan.Siredef.C]
Infected: c:\$Recycle.Bin\S-1-5-21-4071275818-4037909974-1013974746-1000\$0afc0dafdb8e558d643e990125e4bcb4 --> [Trojan.Siredef.C]
Scan finished
Creating System Restore point...
Could not create restore point...
Cleaning up...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Executing an action fixdamage.exe...
Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
 
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.0.6002 Windows Vista Service Pack 2 x86
 
System is currently in a safe mode
 
Account is Administrative
 
Internet Explorer version: 9.0.8112.16421
 
Java version: 1.6.0_30
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.862000 GHz
Memory total: 2136272896, free: 1716277248
 
Initializing...
------------ Kernel report ------------
     06/20/2013 16:20:55
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\mfehidk.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\yk60x86.sys
\SystemRoot\system32\DRIVERS\bcmwl6.sys
\SystemRoot\system32\DRIVERS\ohci1394.sys
\SystemRoot\system32\DRIVERS\1394BUS.SYS
\SystemRoot\system32\DRIVERS\rimmptsk.sys
\SystemRoot\system32\DRIVERS\rimsptsk.sys
\SystemRoot\system32\DRIVERS\rixdptsk.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\drivers\mfewfpk.sys
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\mfefirek.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\framebuf.dll
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\cfwids.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
----------- End -----------
Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbrcode_0.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\sector_0_488396906_u.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\sector_0_488396906_k.mbam...
Removal finished
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff853ce9d0
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-2\
Lower Device Object: 0xffffffff851d0030
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff853ce9d0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85347828, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff853ce9d0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff851d0030, DeviceName: \Device\Ide\IdeDeviceP1T0L0-2\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 121DE020
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 488392704
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 250059350016 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-488377168-488397168)...
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished
 
SECOND MBAR SCAN CAME BACK CLEAN!
 
 
 
 
ComboFix 13-06-20.01 - User 06/20/2013  17:30:18.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2037.1140 [GMT -7:00]
Running from: c:\users\User\Contacts\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\DRM\C3ED.tmp
c:\programdata\SPL85D6.tmp
c:\programdata\SPL8E9B.tmp
c:\programdata\SPL9971.tmp
c:\programdata\SPLA68F.tmp
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_pcCMService
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-21 to 2013-06-21  )))))))))))))))))))))))))))))))
.
.
2013-06-20 23:18 . 2013-06-20 23:18 0 ----a-w- c:\windows\system32\sho821A.tmp
2013-06-20 22:20 . 2013-06-20 23:46 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-20 17:04 . 2013-06-20 17:04 -------- d-----w- C:\FRST
2013-06-11 04:07 . 2013-06-11 04:07 -------- d-----w- c:\program files\iPod
2013-06-11 04:06 . 2013-06-11 04:09 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-11 04:06 . 2013-06-11 04:09 -------- d-----w- c:\program files\iTunes
2013-06-06 22:45 . 2013-06-06 22:46 -------- d-----w- c:\users\User\lmms
2013-06-06 22:11 . 2013-06-06 22:11 -------- d-----w- c:\users\User\AppData\Roaming\Yahoo!
2013-06-03 22:00 . 2013-06-03 22:00 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2013-06-03 22:00 . 2013-06-03 22:00 -------- d-----w- c:\programdata\Malwarebytes
2013-06-03 21:59 . 2013-06-03 22:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-06-03 21:59 . 2013-04-04 21:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-06-03 20:11 . 2013-06-03 20:11 -------- d-----w-0 c:\progra~2\04AA8~1
2013-06-03 16:16 . 2013-06-03 16:16 -------- d-----w-0 c:\progra~2\0ABA4~1
2013-06-01 15:52 . 2013-06-01 15:52 -------- d-----w- c:\progra~2\078BC~1
2013-06-01 15:14 . 2013-06-01 15:14 -------- d-----w- c:\progra~2\066A0~1
2013-06-01 14:24 . 2013-06-01 14:25 -------- d-----w- c:\program files\Microsoft ATS
2013-06-01 14:13 . 2013-06-01 14:13 -------- d-----w-0 c:\progra~2\05BAC~1
2013-06-01 14:04 . 2013-06-01 14:04 -------- d-----w- c:\progra~2\B08E~1
2013-05-31 15:40 . 2013-05-31 15:40 -------- d-----w- c:\progra~2\0DCAC~1
2013-05-29 01:20 . 2013-05-29 01:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2013-05-29 01:20 . 2013-05-29 01:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2013-05-29 01:20 . 2013-05-29 01:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2013-05-29 01:20 . 2013-05-29 01:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2013-05-29 01:20 . 2013-05-29 01:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2013-05-29 01:19 . 2013-05-29 01:20 -------- d-----w- c:\program files\QuickTime
2013-05-29 00:38 . 2013-05-29 00:38 -------- d-----w- c:\progra~2\0C5B4~1
2013-05-28 22:55 . 2013-05-28 22:55 -------- d-----w- c:\progra~2\0F5B0~1
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-19 15:10 . 2012-08-20 19:43 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-19 15:10 . 2011-08-03 14:59 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-05 19:12 . 2013-05-16 03:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-01 10:59 . 2013-05-01 10:59 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2013-05-01 10:59 . 2013-05-01 10:59 69632 ----a-w- c:\windows\system32\QuickTime.qts
2013-04-15 14:20 . 2013-05-15 02:33 638328 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-13 10:56 . 2013-05-15 02:33 37376 ----a-w- c:\windows\system32\cdd.dll
2013-04-09 01:36 . 2013-05-15 02:32 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 22:11 . 2013-05-16 02:53 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-04-04 22:02 . 2013-05-16 02:53 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-04 22:02 . 2013-05-16 02:53 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-04-04 21:58 . 2013-05-16 02:53 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-04-04 21:57 . 2013-05-16 02:53 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-09-20 18:44 . 2012-09-20 18:44 4096000 ----a-w- c:\program files\GUT2109.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Facebook Update"="c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-14 138096]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\pcTrayApp.exe" [2012-06-07 1939968]
"Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-05-03 217256]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-14 1278064]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes' Anti-Malware (portable)\cleanup.dll" [2013-06-20 1552968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxamon]
2010-02-04 01:28 16040 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxmon.exe]
2010-02-04 01:27 672424 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yontoo Desktop]
2013-03-13 21:25 42784 ------w- c:\users\User\AppData\Roaming\Yontoo\YontooDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-06 23:12 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-20 15:10]
.
2013-05-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4071275818-4037909974-1013974746-1000Core.job
- c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-19 18:19]
.
2013-06-19 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4071275818-4037909974-1013974746-1000UA.job
- c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-19 18:19]
.
2013-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 15:56]
.
2013-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 15:56]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: $talisma_url$
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Uninstall_is1 - c:\program files\Common Files\DVDVideoSoft\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-20 17:47
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\mfevtps.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2013-06-20  17:52:22 - machine was rebooted
ComboFix-quarantined-files.txt  2013-06-21 00:52
.
Pre-Run: 127,297,351,680 bytes free
Post-Run: 129,460,465,664 bytes free
.
- - End Of File - - EDE3DF1BB442C57070D32CC966D660B2
5C616939100B85E558DA92B899A0FC36

Edited by JohnnyCGoode, 20 June 2013 - 08:02 PM.
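The "Reg Loading Points" and "Scheduled Tasks" sections of the ComboFix log above list every autostart the tool found, and a responder's first pass is to sort them by where the launched binary lives: an item running out of AppData or ProgramData (the msconfig "Yontoo Desktop" entry above is the obvious one) gets looked at before anything under Program Files or Windows, because a standard user can write there without elevation. The Python below is an added example written for this page, not ComboFix's code and not anything posted in the thread. It parses the three line shapes ComboFix uses for these entries (Run-key values, the date/size/attribute file lines used for msconfig and Active Setup items, and the .job/target pairs under Scheduled Tasks) and flags user-writable paths. The sample input is constructed from entries in the log above; the `USER_WRITABLE` prefix list is a heuristic assumption, and a flagged entry is a place to look, not a verdict: "Facebook Update" legitimately installs under AppData\Local.

```python
"""Triage of ComboFix 'Reg Loading Points' / 'Scheduled Tasks' entries.

Added example for this page (not ComboFix code and not from the thread).
Parses the three line shapes ComboFix uses for autostart entries and
flags binaries that launch from user-writable locations.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries copied in shape from the ComboFix log above.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Facebook Update"="c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-14 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-05-03 217256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yontoo Desktop]
2013-03-13 21:25 42784 ------w- c:\users\User\AppData\Roaming\Yontoo\YontooDesktop.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 15:56]
'''

# Heuristic (assumption): prefixes a standard user can write to. Program Files
# and Windows need elevation, so a persistence item there took more effort.
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|progra~2|windows\\temp)\\", re.I)

# "Name"="path" [yyyy-mm-dd size]      (Run / RunOnce values)
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) \d+\]')
# yyyy-mm-dd hh:mm size attrs path      (msconfig startupreg, Active Setup)
FILE_ENTRY = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \d+ \S{8} (?P<path>.+)$")
# yyyy-mm-dd <job path>   then   - <target> [yyyy-mm-dd hh:mm]
TASK_JOB = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$", re.I)
TASK_TARGET = re.compile(r"^- (?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\]$")


@dataclass
class Entry:
    source: str      # registry key or .job file that launches it
    name: str
    path: str
    file_date: str   # file timestamp ComboFix printed for the binary
    flagged: bool    # launched from a user-writable location


def _entry(source, name, path, date):
    return Entry(source, name, path, date, bool(USER_WRITABLE.match(path)))


def parse_loading_points(text):
    """Return one Entry per autostart item found in a ComboFix section."""
    entries, key, pending_job = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new registry key header
            continue
        if (m := RUN_ENTRY.match(line)) and key:
            entries.append(_entry(key, m["name"], m["path"], m["date"]))
        elif (m := FILE_ENTRY.match(line)) and key:
            # the item name is the last key segment, e.g. "Yontoo Desktop"
            entries.append(_entry(key, key.rsplit("\\", 1)[-1], m["path"], m["date"]))
        elif m := TASK_JOB.match(line):
            pending_job = m["job"]                # target comes on the next line
        elif (m := TASK_TARGET.match(line)) and pending_job:
            name = pending_job.rsplit("\\", 1)[-1]
            entries.append(_entry(pending_job, name, m["path"], m["date"]))
            pending_job = None
    return entries


def flagged_names(entries):
    """Names of entries whose binary sits in a user-writable path, sorted."""
    return sorted(e.name for e in entries if e.flagged)


if __name__ == "__main__":
    for e in parse_loading_points(SAMPLE):
        print(f"{'CHECK' if e.flagged else 'ok   '} {e.name:30} {e.path}")
```

Run against the sample, three of the six entries come back flagged: the two that AdwCleaner later removes (Yontoo Desktop, Anti-phishing Domain Advisor) and Facebook Update, which is the false positive that shows why the flag is an ordering for manual review rather than a detection. Feeding the tool a whole ComboFix log rather than just the section works, since other sections do not produce these line shapes.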


#7 RPMcMurphy
  • Malware Response Team

Posted 21 June 2013 - 12:43 AM

Please do this next:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

DirLook::
c:\progra~2\04AA8~1
c:\progra~2\0ABA4~1
c:\progra~2\078BC~1
c:\progra~2\066A0~1
c:\progra~2\05BAC~1
c:\progra~2\B08E~1
c:\progra~2\0DCAC~1

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


Please include the following in your next post:

  • ComboFix log
  • AdwCleaner log

Edited by RPMcMurphy, 21 June 2013 - 12:44 AM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may donate.


#8 JohnnyCGoode
  • Topic Starter

Posted 21 June 2013 - 10:09 AM

ComboFix 13-06-20.01 - User 06/21/2013   7:43.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2037.1347 [GMT -7:00]
Running from: c:\users\User\Contacts\Desktop\ComboFix.exe
Command switches used :: c:\users\User\Contacts\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-21 to 2013-06-21  )))))))))))))))))))))))))))))))
.
.
2013-06-21 14:53 . 2013-06-21 14:53 -------- d-----w- c:\users\User\AppData\Local\temp
2013-06-21 14:53 . 2013-06-21 14:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-20 23:18 . 2013-06-20 23:18 0 ----a-w- c:\windows\system32\sho821A.tmp
2013-06-20 22:20 . 2013-06-20 23:46 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-20 17:04 . 2013-06-20 17:04 -------- d-----w- C:\FRST
2013-06-11 04:07 . 2013-06-11 04:07 -------- d-----w- c:\program files\iPod
2013-06-11 04:06 . 2013-06-11 04:09 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-11 04:06 . 2013-06-11 04:09 -------- d-----w- c:\program files\iTunes
2013-06-06 22:45 . 2013-06-06 22:46 -------- d-----w- c:\users\User\lmms
2013-06-06 22:11 . 2013-06-06 22:11 -------- d-----w- c:\users\User\AppData\Roaming\Yahoo!
2013-06-03 22:00 . 2013-06-03 22:00 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2013-06-03 22:00 . 2013-06-03 22:00 -------- d-----w- c:\programdata\Malwarebytes
2013-06-03 21:59 . 2013-06-03 22:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-06-03 21:59 . 2013-04-04 21:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-06-03 20:11 . 2013-06-03 20:11 -------- d-----w-0 c:\progra~2\04AA8~1
2013-06-03 16:16 . 2013-06-03 16:16 -------- d-----w-0 c:\progra~2\0ABA4~1
2013-06-01 15:52 . 2013-06-01 15:52 -------- d-----w- c:\progra~2\078BC~1
2013-06-01 15:14 . 2013-06-01 15:14 -------- d-----w- c:\progra~2\066A0~1
2013-06-01 14:24 . 2013-06-01 14:25 -------- d-----w- c:\program files\Microsoft ATS
2013-06-01 14:13 . 2013-06-01 14:13 -------- d-----w-0 c:\progra~2\05BAC~1
2013-06-01 14:04 . 2013-06-01 14:04 -------- d-----w- c:\progra~2\B08E~1
2013-05-31 15:40 . 2013-05-31 15:40 -------- d-----w- c:\progra~2\0DCAC~1
2013-05-29 01:20 . 2013-05-29 01:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2013-05-29 01:20 . 2013-05-29 01:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2013-05-29 01:20 . 2013-05-29 01:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2013-05-29 01:20 . 2013-05-29 01:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2013-05-29 01:20 . 2013-05-29 01:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2013-05-29 01:19 . 2013-05-29 01:20 -------- d-----w- c:\program files\QuickTime
2013-05-29 00:38 . 2013-05-29 00:38 -------- d-----w- c:\progra~2\0C5B4~1
2013-05-28 22:55 . 2013-05-28 22:55 -------- d-----w- c:\progra~2\0F5B0~1
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-19 15:10 . 2012-08-20 19:43 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-19 15:10 . 2011-08-03 14:59 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-05 19:12 . 2013-05-16 03:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-01 10:59 . 2013-05-01 10:59 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2013-05-01 10:59 . 2013-05-01 10:59 69632 ----a-w- c:\windows\system32\QuickTime.qts
2013-04-15 14:20 . 2013-05-15 02:33 638328 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-13 10:56 . 2013-05-15 02:33 37376 ----a-w- c:\windows\system32\cdd.dll
2013-04-09 01:36 . 2013-05-15 02:32 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 22:11 . 2013-05-16 02:53 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-04-04 22:02 . 2013-05-16 02:53 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-04 22:02 . 2013-05-16 02:53 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-04-04 21:58 . 2013-05-16 02:53 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-04-04 21:57 . 2013-05-16 02:53 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-09-20 18:44 . 2012-09-20 18:44 4096000 ----a-w- c:\program files\GUT2109.tmp
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\progra~2\04AA8~1 ----
.
.
---- Directory of c:\progra~2\05BAC~1 ----
.
.
---- Directory of c:\progra~2\066A0~1 ----
.
.
---- Directory of c:\progra~2\078BC~1 ----
.
.
---- Directory of c:\progra~2\0ABA4~1 ----
.
.
---- Directory of c:\progra~2\0DCAC~1 ----
.
.
---- Directory of c:\progra~2\B08E~1 ----
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Facebook Update"="c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-14 138096]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\pcTrayApp.exe" [2012-06-07 1939968]
"Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-05-03 217256]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-14 1278064]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes' Anti-Malware (portable)\cleanup.dll" [2013-06-20 1552968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxamon]
2010-02-04 01:28 16040 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxmon.exe]
2010-02-04 01:27 672424 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yontoo Desktop]
2013-03-13 21:25 42784 ------w- c:\users\User\AppData\Roaming\Yontoo\YontooDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-06 23:12 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-20 15:10]
.
2013-05-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4071275818-4037909974-1013974746-1000Core.job
- c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-19 18:19]
.
2013-06-19 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4071275818-4037909974-1013974746-1000UA.job
- c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-19 18:19]
.
2013-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 15:56]
.
2013-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 15:56]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: $talisma_url$
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-21 07:53
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-06-21  07:56:06
ComboFix-quarantined-files.txt  2013-06-21 14:56
ComboFix2.txt  2013-06-21 00:52
.
Pre-Run: 129,532,289,024 bytes free
Post-Run: 129,478,848,512 bytes free
.
- - End Of File - - 087941347347B7D2D70E781896437B07
5C616939100B85E558DA92B899A0FC36

ADWCLEANER:

# AdwCleaner v2.303 - Logfile created 06/21/2013 at 08:03:38
# Updated 08/06/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : User - User-PC
# Boot Mode : Safe mode with networking
# Running from : C:\Users\User\Contacts\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
Stopped & Deleted : BrowserProtect
Stopped & Deleted : IB Updater
Stopped & Deleted : Yontoo Desktop Updater
 
***** [Files / Folders] *****
 
File Deleted : C:\END
File Deleted : C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\bProtector Web Data
File Deleted : C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\bprotectorpreferences
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Delta
Folder Deleted : C:\Program Files\HDvidCodec.com
Folder Deleted : C:\Program Files\IB Updater
Folder Deleted : C:\Program Files\Movie2KDownloader.com
Folder Deleted : C:\Program Files\Yontoo
Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\blekko toolbars
Folder Deleted : C:\ProgramData\BrowserProtect
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\ProgramData\Tencent
Folder Deleted : C:\Users\User\AppData\Local\Conduit
Folder Deleted : C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blaofbhgbmeikidhlkmjhbkbfohpgekf
Folder Deleted : C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Folder Deleted : C:\Users\User\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\User\AppData\Roaming\BabSolution
Folder Deleted : C:\Users\User\AppData\Roaming\Babylon
Folder Deleted : C:\Users\User\AppData\Roaming\Delta
Folder Deleted : C:\Users\User\AppData\Roaming\dvdvideosoftiehelpers
Folder Deleted : C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDvidCodec.com
Folder Deleted : C:\Users\User\AppData\Roaming\OpenCandy
Folder Deleted : C:\Users\User\AppData\Roaming\Yontoo
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\5a68d8ce168b846
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\BabylonToolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\Delta
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{336D0C35-8A85-403a-B9D2-65C292C39087}_is1
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\1ClickDownload
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Delta
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Delta Chrome Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\TENCENT
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\5a68d8ce168b846
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{39CB8175-E224-4446-8746-00566302DF8D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B302A1BD-0157-49FA-90F1-4E94F22C7B4B}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\Extension.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{261DD098-8A3E-43D4-87AA-63324FA897D8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{86838207-681D-469D-9511-D0DCC6F19F9B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{99066096-8989-4612-841F-621A01D54AD7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltaappCore
Key Deleted : HKLM\SOFTWARE\Classes\delta.deltaappCore.1
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
Key Deleted : HKLM\SOFTWARE\Classes\esrv.deltaESrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.deltaESrvc.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1231839B-064E-4788-B865-465A1B5266FD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DAC2231-CC35-482B-97C5-CED1D4185080}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F1CD84C-04A3-4EA0-9EA1-7D134FD66C82}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F83A9CA-B5F0-44EC-9357-35BB3E84B07F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{47E520EA-CAD2-4F51-8F30-613B3A1C33EB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{57C91446-8D81-4156-A70E-624551442DE9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{70AFB7B2-9FB5-4A70-905B-0E9576142E1D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7AD65FD1-79E0-406D-B03C-DD7C14726D69}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{97DD820D-2E20-40AD-B01E-6730B2FCE630}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A36867C6-302D-49FC-9D8E-1EB037B5F1AB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B177446D-54A4-4869-BABC-8566110B4BE0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D9D1DFC5-502D-43E4-B1BB-4D0B7841489A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E0B07188-A528-4F9E-B2F7-C7FDE8680AE4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3061355
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Delta
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\blaofbhgbmeikidhlkmjhbkbfohpgekf
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKLM\Software\IB Updater
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{336D0C35-8A85-403a-B9D2-65C292C39087}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-phishing Domain Advisor
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Delta
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Delta Chrome Toolbar
Key Deleted : HKLM\Software\TENCENT
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{336D0C35-8A85-403a-B9D2-65C292C39087}]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16483
 
[OK] Registry is clean.
 
-\\ Google Chrome v27.0.1453.110
 
File : C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
Deleted [l.2230] : homepage = "hxxp://www.delta-search.com/?affID=119776&babsrc=HP_ss&mntrId=10CE00219BE242E6",
 
*************************
 
AdwCleaner[S1].txt - [10443 octets] - [21/06/2013 08:03:38]
 
########## EOF - C:\AdwCleaner[S1].txt - [10504 octets] ##########

Edited by JohnnyCGoode, 21 June 2013 - 10:12 AM.
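The AdwCleaner log above is the most reusable artifact in the thread for anyone who has to recognise the same bundle on another machine: it names the services, folders, BHO CLSID, Chrome extension IDs and the hijacked homepage, but only as flat "Deleted :" lines. The Python below is an added example written for this page, not AdwCleaner's code and not anything the poster ran. It parses the log into records keyed by section, attributes each record to an adware family through a keyword table (the `FAMILIES` table is my assumption, built from the names visible in this log, not an AdwCleaner signature list), and pulls out the indicators worth carrying to other hosts: 32-character Chrome extension IDs, the CLSID registered as an IE Browser Helper Object, and the defanged search-hijack URL. The sample input is an excerpt of the log above.

```python
"""Structured view of an AdwCleaner [Delete] log.

Added example for this page (not AdwCleaner's code and not from the thread).
Turns the flat 'X Deleted : target' lines into records, attributes each to an
adware family via a keyword table, and extracts reusable indicators.
"""
import re
from collections import Counter

# Excerpt of the AdwCleaner log posted above (constructed sample input).
SAMPLE_LOG = r'''
# AdwCleaner v2.303 - Logfile created 06/21/2013 at 08:03:38
# Option [Delete]

***** [Services] *****

Stopped & Deleted : BrowserProtect
Stopped & Deleted : Yontoo Desktop Updater

***** [Files / Folders] *****

File Deleted : C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\bProtector Web Data
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blaofbhgbmeikidhlkmjhbkbfohpgekf
Folder Deleted : C:\Users\User\AppData\Roaming\Delta

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]

***** [Internet Browsers] *****

-\\ Google Chrome v27.0.1453.110

File : C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.2230] : homepage = "hxxp://www.delta-search.com/?affID=119776&babsrc=HP_ss&mntrId=10CE00219BE242E6",
'''

SECTION = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
ACTION = re.compile(
    r"^(?P<action>Stopped & Deleted|File Deleted|Folder Deleted|Key Deleted|"
    r"Value Deleted|Deleted \[l\.\d+\]) : (?P<target>.+)$")
CHROME_EXT_ID = re.compile(r"(?<![a-p])[a-p]{32}(?![a-p])")  # Chrome IDs: 32 chars of a-p
BHO_CLSID = re.compile(r"Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})")
DEFANGED_URL = re.compile(r"hxxps?://[^\s\"',]+")             # AdwCleaner writes hxxp://

# Assumption: keyword table built from names visible in this log, not an
# AdwCleaner signature list. Checked in order; first hit wins.
FAMILIES = {
    "Conduit": ("conduit", "toolbar.ct"),
    "Delta/Babylon": ("delta", "babylon", "babsolution", "babsrc"),
    "Yontoo": ("yontoo",),
    "BrowserProtect": ("browserprotect", "bprotect"),
    "IB Updater": ("ib updater",),
    "Anti-phishing Domain Advisor": ("anti-phishing domain advisor", "visicom"),
}


def classify(target):
    low = target.lower()
    for family, needles in FAMILIES.items():
        if any(n in low for n in needles):
            return family
    return "unattributed"


def parse_adwcleaner(text):
    """One dict per deletion line, tagged with its section and family."""
    section, items = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            section = m["name"]
        elif (m := ACTION.match(line)) and section:
            items.append({"section": section, "action": m["action"],
                          "target": m["target"], "family": classify(m["target"])})
    return items


def summarize(items):
    """Per-family counts plus indicators worth reusing on other hosts."""
    ext_ids, clsids, urls = set(), set(), set()
    for it in items:
        ext_ids.update(CHROME_EXT_ID.findall(it["target"]))
        clsids.update(c.upper() for c in BHO_CLSID.findall(it["target"]))
        urls.update(DEFANGED_URL.findall(it["target"]))
    return {
        "families": Counter(it["family"] for it in items),
        "chrome_extension_ids": sorted(ext_ids),
        "bho_clsids": sorted(clsids),
        "hijack_urls": sorted(urls),
    }


if __name__ == "__main__":
    report = summarize(parse_adwcleaner(SAMPLE_LOG))
    for family, n in report["families"].most_common():
        print(f"{n:3} {family}")
    for key in ("chrome_extension_ids", "bho_clsids", "hijack_urls"):
        print(key, report[key])
```

The "unattributed" bucket is deliberate: the Chrome extension folders and the BHO CLSID carry no vendor name, so they cannot be assigned by keyword, which is exactly why they are extracted as raw indicators instead. A CLSID or extension ID seen again on another host is a stronger match than any folder name, since those change between bundle revisions.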


#9 RPMcMurphy
  • Malware Response Team

Posted 21 June 2013 - 12:06 PM

How is your computer running now?  Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

  • Go to Start > Control Panel > Programs > Uninstall a program, and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java™ 6 or Java™ 7) in the name and select "uninstall".
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Go to www.java.com and follow the instructions to download and install the latest version

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • How is your computer running now?
  • ESET log




#10 JohnnyCGoode
  • Topic Starter

Posted 21 June 2013 - 03:50 PM

Computer now runs normally with no problems.

No blue screen or unknown sounds.

Runs significantly faster.

1 threat found:

C:\Users\User\AppData\Local\temp\APNStub.exe a variant of Win32/Bundled.Toolbar.Ask application


#11 RPMcMurphy
  • Malware Response Team

Posted 22 June 2013 - 09:46 AM

This will take care of that one:

Open an elevated command window:

  • Click Start and type cmd in Start Search.
  • When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.
  • Copy the contents of the following code box, then right-click in the command window, select Paste and press Enter:
cmd /c del /f/a/q "C:\Users\User\AppData\Local\temp\APNStub.exe"

Otherwise, all I have left for you is another update and some very important cleanup:

Your Adobe Reader needs to be updated.  Please visit Adobe's site and grab the newest version.  Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run.  Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:


  • aswMBR
  • FRST (you may also delete the c:\FRST folder)
  • MBAR
  • AdwCleaner

Download TFC to your desktop


  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine
  • If it doesn't, manually reboot to ensure a complete clean

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:


  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated.  Scan with them at least weekly.
  • Please read this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!


Edited by RPMcMurphy, 22 June 2013 - 09:47 AM.



#12 JohnnyCGoode
  • Topic Starter

Posted 22 June 2013 - 01:57 PM

Everything is working in tip top shape. Thank you for all of your help through this. I will heed your advice and keep my system as clean as possible. Thank you once again.

#13 RPMcMurphy
  • Malware Response Team

Posted 23 June 2013 - 10:16 AM

You're welcome.  Take care.




#14 RPMcMurphy
  • Malware Response Team

Posted 24 June 2013 - 10:18 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
