
Unable to access/use MSE or uninstall, cannot run/install any apps from browser.


  • This topic is locked
18 replies to this topic

#1 K1llabeezz

  • Members
  • 10 posts

Posted 24 June 2013 - 10:43 AM

This Windows 7 32-bit PC will not run or install anything downloaded from any browser, and MSE will not launch. I can't uninstall it, everything in its directory is locked, and even as Administrator I cannot change the permissions. I went ahead and ran FRST and have posted the logs below. Thanks for any help you can offer.

FRST Log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-06-2013
Ran by Administrator (administrator) on 24-06-2013 11:41:26
Running from E:\
Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(McKesson MIG) C:\Program Files\Common Files\McKesson\MIG\Service\AliUpdate.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\Windows\system32\wbem\unsecapp.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version6\TeamViewer.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
() C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
(Dell Computer Corporation) C:\dell\DBRM\Reminder\DbrmTrayicon.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-06-22] (Analog Devices, Inc.)
HKLM\...\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2009-07-06] (CyberLink Corp.)
HKLM\...\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-04-29] (CyberLink Corp.)
HKLM\...\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM\...\Run: [Desktop Disc Tool] "C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM\...\Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)
HKLM\...\Run: [SpeechExec Startup] C:\Program Files\Common Files\Philips Speech Shared\Components\PSP.SpeechExec.StartupApp.exe [16384 2008-10-27] (Philips Austria GmbH - Speech Processing)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [X]
HKU\Dr. Rojas\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Dr. Rojas\...\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" [x]
Lsa: [Authentication Packages] msv1_0 wvauth

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=122460&babsrc=SP_ss&mntrId=2A61BC305BBEC4C3
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: WeCareReminder Class - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (We-Care.com)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKCU -No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {0E399C04-2FD3-4D24-BBF8-FC98C864F657} http://tghpacs/HRS/download/AliUpdate.cab
DPF: {26441C18-AFBB-4DAE-9919-7252BCD3BA23} http://vpscribev5/webcore/cab/PscribeSDK.cab
DPF: {36B874FC-EECA-4622-8DCE-F8D453C88845} http://tghpacs/HRS/download/AliUpdate.cab
DPF: {601B418B-E6A6-47FC-A094-07248741CEB3} https://cpacs.tgh.org/vericis_web/vwr_data//webvwr.cab
DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} https://myapps.tgh.org/WebConnect/windows/ptdownloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {9C5D86BB-6882-4FCC-B5A3-3088BF6ABE47} http://vpscribev51/webcore/cab/PowerScribeClient.cab
DPF: {A380542A-A9F0-4F4D-9614-D87B8E0CB59C} http://vpscribev5/webcore/client/install/dcversion.cab
DPF: {BD413F3F-67C3-4100-AC76-36FC47A7EEA0} https://cpacs.tgh.org/vericis_web/vwr_data//msmpg4.cab
DPF: {C56351DF-0072-494C-B6B2-2640CAD1BA90} http://tghpacs/HRS/download/Setup.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {DE2DB781-BE83-11D1-A572-006008AAC4E2} http://vpscribev5/webcore/cab/DSCBinaries.cab
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
Tcpip\Parameters: [DhcpNameServer] 131.107.2.23 172.30.105.10

========================== Services (Whitelisted) =================

R2 AliUpdate; C:\Program Files\Common Files\McKesson\MIG\Service\AliUpdate.exe [117840 2012-01-28] (McKesson MIG)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] ()
S3 RoxMediaDB12OEM; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [1116656 2010-11-25] (Sonic Solutions)
S2 RoxWatch12; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [219632 2010-11-25] (Sonic Solutions)
S3 SecureStorageService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe [1477632 2010-11-03] (Wave Systems Corp.)
S3 SPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [69718 2004-05-27] (Sony Corporation)
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1629696 2010-07-13] ()
R2 TdmService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe [2336104 2010-10-16] (Wave Systems Corp.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] ()

==================== Drivers (Whitelisted) ====================

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 NAL; C:\Windows\system32\Drivers\iqvw32.sys [30880 2010-02-03] (Intel Corporation )
S3 netvsc; C:\Windows\System32\DRIVERS\netvsc60.sys [126464 2010-11-20] (Microsoft Corporation)
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
S3 SynthVid; C:\Windows\System32\DRIVERS\VMBusVideoM.sys [19456 2010-11-20] (Microsoft Corporation)
S1 bndmepos; \??\C:\Windows\system32\drivers\bndmepos.sys [x]
S3 catchme; \??\C:\Users\DRF045~1.ROJ\AppData\Local\Temp\catchme.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-24 11:41 - 2013-06-24 11:41 - 00000000 ____D C:\FRST
2013-06-24 11:24 - 2013-06-24 11:27 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google
2013-06-24 11:24 - 2013-06-24 11:24 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\URSoft
2013-06-24 11:24 - 2013-06-24 11:24 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Babylon
2013-06-24 11:24 - 2013-06-24 11:24 - 00000000 ____D C:\Users\Administrator\AppData\Local\Babylon
2013-06-24 11:24 - 2013-06-24 11:24 - 00000000 ____D C:\ProgramData\Babylon
2013-06-24 10:40 - 2013-06-24 10:40 - 00126120 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2013-06-24 10:39 - 2013-06-24 10:39 - 00008224 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-24 10:39 - 2013-06-24 10:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Roxio
2013-06-24 10:39 - 2013-06-24 10:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Intel Corporation
2013-06-21 11:45 - 2013-06-21 11:45 - 00016778 ____A C:\ComboFix.txt
2013-06-21 11:33 - 2013-06-21 11:45 - 00000000 ____D C:\ComboFix
2013-06-21 11:05 - 2013-06-21 11:05 - 00000000 ___HD C:\Windows\PIF
2013-06-21 11:01 - 2013-06-24 10:39 - 00000000 ____D C:\users\Administrator
2013-06-21 11:01 - 2013-06-21 11:01 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
2013-06-21 11:01 - 2012-02-05 22:34 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Macromedia
2013-06-21 11:01 - 2011-11-01 03:01 - 00000000 ____D C:\Users\Administrator\AppData\Local\Microsoft Help
2013-06-21 09:31 - 2013-06-02 17:21 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-20 10:14 - 2013-06-20 10:14 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2013-06-19 20:36 - 2013-06-21 11:45 - 00000000 ____D C:\Qoobox
2013-06-19 20:36 - 2013-06-21 11:44 - 00000000 ____D C:\Windows\erdnt
2013-06-19 20:36 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2013-06-19 20:36 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2013-06-19 20:36 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-06-19 20:36 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-06-19 20:36 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-06-19 20:36 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2013-06-19 20:36 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2013-06-19 20:36 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2013-06-19 20:35 - 2013-06-19 20:34 - 05081021 ___RA (Swearware) C:\ComboFix.exe
2013-06-19 20:30 - 2013-06-19 20:30 - 00001469 ____A C:\Users\Dr. Rojas\Desktop\Internet Explorer (No Add-ons).lnk
2013-06-19 20:27 - 2013-06-19 20:27 - 00000000 ___AH C:\Users\Dr. Rojas\Documents\Default.rdp
2013-06-19 20:09 - 2013-06-19 20:36 - 00000501 ____A C:\Users\Dr. Rojas\Desktop\interCONNECT.website
2013-06-11 23:27 - 2013-05-13 00:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 23:27 - 2013-05-13 00:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 23:27 - 2013-05-13 00:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 23:27 - 2013-05-12 23:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 23:27 - 2013-05-12 23:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 23:27 - 2013-05-09 23:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 23:27 - 2013-05-08 01:38 - 01293672 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 23:27 - 2013-05-06 01:06 - 03968872 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-06-11 23:27 - 2013-05-06 01:06 - 03913576 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-06-11 23:27 - 2013-04-26 00:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-11 23:27 - 2013-04-25 19:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-11 23:27 - 2013-04-17 03:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll

==================== One Month Modified Files and Folders ========

2013-06-24 11:41 - 2013-06-24 11:41 - 00000000 ____D C:\FRST
2013-06-24 11:27 - 2013-06-24 11:24 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google
2013-06-24 11:27 - 2012-02-05 22:34 - 00000000 ____D C:\ProgramData\Google
2013-06-24 11:27 - 2012-02-05 22:34 - 00000000 ____D C:\Program Files\Google
2013-06-24 11:24 - 2013-06-24 11:24 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\URSoft
2013-06-24 11:24 - 2013-06-24 11:24 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Babylon
2013-06-24 11:24 - 2013-06-24 11:24 - 00000000 ____D C:\Users\Administrator\AppData\Local\Babylon
2013-06-24 11:24 - 2013-06-24 11:24 - 00000000 ____D C:\ProgramData\Babylon
2013-06-24 10:49 - 2013-01-13 09:01 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-24 10:43 - 2009-07-14 00:34 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-24 10:43 - 2009-07-14 00:34 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-24 10:42 - 2012-02-05 22:34 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-24 10:40 - 2013-06-24 10:40 - 00126120 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2013-06-24 10:39 - 2013-06-24 10:39 - 00008224 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-24 10:39 - 2013-06-24 10:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Roxio
2013-06-24 10:39 - 2013-06-24 10:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Intel Corporation
2013-06-24 10:39 - 2013-06-21 11:01 - 00000000 ____D C:\users\Administrator
2013-06-24 10:39 - 2012-02-05 22:34 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-24 10:39 - 2011-06-02 14:07 - 00000000 ____D C:\ProgramData\Sonic
2013-06-24 10:39 - 2011-06-02 13:52 - 01429086 ____A C:\Windows\WindowsUpdate.log
2013-06-24 10:36 - 2009-07-14 00:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-24 10:36 - 2009-07-14 00:39 - 00044009 ____A C:\Windows\setupact.log
2013-06-24 10:17 - 2010-11-20 17:01 - 00797602 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-24 10:16 - 2011-06-13 10:49 - 00002198 ____A C:\Windows\epplauncher.mif
2013-06-24 09:56 - 2009-07-14 00:53 - 00032590 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-21 11:45 - 2013-06-21 11:45 - 00016778 ____A C:\ComboFix.txt
2013-06-21 11:45 - 2013-06-21 11:33 - 00000000 ____D C:\ComboFix
2013-06-21 11:45 - 2013-06-19 20:36 - 00000000 ____D C:\Qoobox
2013-06-21 11:44 - 2013-06-19 20:36 - 00000000 ____D C:\Windows\erdnt
2013-06-21 11:41 - 2010-11-20 17:48 - 00035100 ____A C:\Windows\PFRO.log
2013-06-21 11:41 - 2009-07-13 22:04 - 00000215 ____A C:\Windows\system.ini
2013-06-21 11:40 - 2009-07-13 22:03 - 67895296 ____A C:\Windows\System32\config\SOFTWARE.bak
2013-06-21 11:40 - 2009-07-13 22:03 - 13631488 ____A C:\Windows\System32\config\SYSTEM.bak
2013-06-21 11:40 - 2009-07-13 22:03 - 00524288 ____A C:\Windows\System32\config\DEFAULT.bak
2013-06-21 11:40 - 2009-07-13 22:03 - 00262144 ____A C:\Windows\System32\config\SECURITY.bak
2013-06-21 11:40 - 2009-07-13 22:03 - 00262144 ____A C:\Windows\System32\config\SAM.bak
2013-06-21 11:05 - 2013-06-21 11:05 - 00000000 ___HD C:\Windows\PIF
2013-06-21 11:01 - 2013-06-21 11:01 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
2013-06-21 09:36 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-06-20 13:17 - 2012-10-01 13:28 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-20 12:05 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Cursors
2013-06-20 10:14 - 2013-06-20 10:14 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2013-06-19 20:44 - 2012-09-06 22:24 - 00000000 ____D C:\Users\Dr. Rojas\AppData\Roaming\DefaultTab
2013-06-19 20:44 - 2011-06-09 13:56 - 00000000 ____D C:\users\Dr. Rojas
2013-06-19 20:36 - 2013-06-19 20:09 - 00000501 ____A C:\Users\Dr. Rojas\Desktop\interCONNECT.website
2013-06-19 20:36 - 2011-06-22 09:37 - 00000000 ____D C:\Program Files\LogMeIn Rescue Calling Card
2013-06-19 20:34 - 2013-06-19 20:35 - 05081021 ___RA (Swearware) C:\ComboFix.exe
2013-06-19 20:31 - 2011-06-22 09:37 - 00002555 ____A C:\Users\Public\Desktop\Tower Radiology Centers Support.lnk
2013-06-19 20:31 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\SchCache
2013-06-19 20:30 - 2013-06-19 20:30 - 00001469 ____A C:\Users\Dr. Rojas\Desktop\Internet Explorer (No Add-ons).lnk
2013-06-19 20:27 - 2013-06-19 20:27 - 00000000 ___AH C:\Users\Dr. Rojas\Documents\Default.rdp
2013-06-19 20:21 - 2012-07-10 10:29 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-19 20:21 - 2012-07-10 10:29 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-19 20:05 - 2011-06-22 09:37 - 00000000 ____D C:\Users\Dr. Rojas\AppData\Local\LogMeIn Rescue Calling Card
2013-06-16 03:06 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-06-15 19:43 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\rescache
2013-06-15 19:18 - 2013-01-13 09:01 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-15 19:18 - 2011-08-10 17:49 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-09 11:33 - 2012-07-10 08:37 - 00000000 ____D C:\Users\Dr. Rojas\AppData\Local\Deployment
2013-06-02 17:21 - 2013-06-21 09:31 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

LastRegBack: 2013-06-15 19:36

==================== End Of Log ============================

Addition Log:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 22-06-2013
Ran by Administrator at 2013-06-24 11:41:39
Running from E:\
Boot Mode: Normal
==========================================================

==================== Installed Programs =======================

Adobe AIR (Version: 3.1.0.4880)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.224)
Adobe Reader X (10.1.2) (Version: 10.1.2)
ASPCA Reminder by We-Care.com v4.1.18.1 (Version: 4.1.18.1)
BioAPI Framework (Version: 1.0.2)
Custom (Version: 12.34.56.789)
CyberLink PowerDVD 9.5 (Version: 9.5.1.3225)
D3DX10 (Version: 15.4.2368.0902)
DefaultTab (Version: 1.2.8.0)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Backup and Recovery Manager (Version: 1.3.1)
Dell Data Protection | Access (Version: 01.00.00.154)
Dell Data Protection | Access (Version: 2.0.00000.154)
Dell Data Protection | Access | Drivers (Version: 1.00.011)
Dell Data Protection | Access | Middleware (Version: 1.00.005)
Dell Edoc Viewer (Version: 1.0.0)
DellAccess (Version: 01.00.00.078)
Dictaphone PowerScribeSDK Components (Version: 3.2.38.2)
DirectX 9 Runtime (Version: 1.00.0000)
Dragon SDK Client Components (Version: 9.51.253.59)
EMBASSY Security Center (Version: 04.02.00.072)
EPSON Scan
Gemalto (Version: 01.01.01.0000)
Gimp 2.6.2 Debug
Google Update Helper (Version: 1.3.21.145)
Horizon Medical Imaging Update Service (Version: 1.0.0.5)
HRS 11.9 Distributed (Version: 11.90.0000.312)
Intel® Control Center (Version: 1.2.1.1007)
Intel® Network Connections 15.2.89.0 (Version: 15.2.89.0)
Intel® Rapid Storage Technology (Version: 9.6.0.1014)
Itibiti RTC (Version: 0.0.1)
Java Auto Updater (Version: 2.0.3.1)
Java™ 6 Update 24 (Version: 6.0.240)
Junk Mail filter update (Version: 15.4.3502.0922)
Knctr
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Mesh Runtime (Version: 15.4.5722.2)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office 2010 (Version: 14.0.4763.1000)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Security Client (Version: 4.2.0223.1)
Microsoft Security Essentials (Version: 4.2.223.1)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.50727.42)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual J# 2.0 Redistributable Package (Version: 2.0.50727)
Mozilla Firefox 16.0.1 (x86 en-US) (Version: 16.0.1)
Mozilla Maintenance Service (Version: 16.0.1)
MSVCRT (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MWSnap 3 (Version: 3.0.0.74)
NTRU TCG Software Stack (Version: 2.1.34)
NVIDIA Drivers (Version: 1.10.57.35)
OpenMG Limited Patch 4.0-04-08-02-01
OpenMG Secure Module 4.0.00 (Version: 4.0.00.06170)
PC-CCID (Version: 2.0.0)
Philips SpMikeCtrl (Version: 2.8.260.26)
PhotoShowExpress (Version: 2.0.063)
PowerScribe 5.0 Dictation Client (Version: 5.0.1319.0)
Preboot Manager (Version: 03.02.00.066)
Private Information Manager (Version: 07.00.00.026)
Roxio Activation Module (Version: 1.0)
Roxio BackOnTrack (Version: 1.3.3)
Roxio Burn (Version: 1.8)
Roxio Creator Starter (Version: 1.0.439)
Roxio Creator Starter (Version: 12.1.77.0)
Roxio Creator Starter (Version: 5.0.0)
Roxio Express Labeler 3 (Version: 3.2.2)
Roxio File Backup (Version: 1.3.2)
Sonic CinePlayer Decoder Pack (Version: 4.3.0)
SonicStage 2.2.00
SPBA 5.9 (Version: 5.9.4.6686)
SpeechExec Transcribe (Version: 5.0.422.1)
TeamViewer 6 (Version: 6.0.10722)
Tower Radiology Centers Support (Version: 6.0.232)
Trusted Drive Manager (Version: 4.0.0.512)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2836939) (Version: 1)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
Upek Touchchip Fingerprint Reader (Version: 1.2.004)
Wave Infrastructure Installer (Version: 07.02.40.0008)
Wave Support Software Installer (Version: 05.12.00.012)
Windows Driver Package - Dell Inc. PBADRV System  (09/11/2009 1.0.1.6) (Version: 09/11/2009 1.0.1.6)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3508.1109)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
Yontoo 1.10.02 (Version: 1.10.02)

==================== Restore Points  =========================

17-04-2013 07:29:39 Windows Update
24-04-2013 15:17:14 Windows Update
25-04-2013 07:00:21 Windows Update
30-04-2013 12:08:53 Windows Update
07-05-2013 02:00:33 Windows Update
12-05-2013 03:45:58 Windows Update
15-05-2013 21:55:16 Windows Update
16-05-2013 07:00:24 Windows Update
19-05-2013 20:26:25 Windows Update
09-06-2013 15:34:58 Windows Update
12-06-2013 07:00:12 Windows Update
15-06-2013 23:38:54 Windows Update
16-06-2013 07:00:22 Windows Update
20-06-2013 00:17:17 Windows Modules Installer
21-06-2013 13:23:15 Windows Update
21-06-2013 13:31:15 Windows Update
21-06-2013 14:41:48 Windows Modules Installer
24-06-2013 14:19:40 Installed Microsoft Fix it 50535
24-06-2013 15:14:08 Installed Microsoft Fix it 50535

==================== Scheduled Tasks (whitelisted) =============

Task: {1C67E99C-92B2-4ADD-BEE8-AD57C3A52D16} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\MpCmdRun.exe [2013-01-27] ()
Task: {45E56EDC-A30B-43B7-8A39-AC988152DCA6} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-15] (Adobe Systems Incorporated)
Task: {522917FC-C8A4-48E8-A4A3-A54FADB4ED24} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2012-02-05] (Google Inc.)
Task: {97FBA62A-281F-4408-9088-AC810980C7BE} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2012-02-05] (Google Inc.)
Task: {B0015E21-E854-491E-A718-86EE6C1F5DA2} - System32\Tasks\Microsoft\Microsoft Antimalware\MpIdleTask => c:\Program Files\Microsoft Security Client\MpCmdRun.exe [2013-01-27] ()
Task: {D2AF8C52-B131-49BC-B487-54DD2D91BABB} - System32\Tasks\JavaUpdateSched => C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-10-29] (Sun Microsystems, Inc.)
Task: {FC867C90-E605-46A8-9C74-484CECE22329} - System32\Tasks\Microsoft\Windows Live\SOXE\Extractor Definitions Update Task

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (06/24/2013 11:15:02 AM) (Source: MsiInstaller) (User: RATS-Rojas)
Description: Product: Microsoft Fix it 50535 -- Error 1921. Service 'Microsoft Antimalware Service' (MsMpSvc) could not be stopped.  Verify that you have sufficient privileges to stop system services.

Error: (06/24/2013 10:36:30 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/24/2013 10:35:20 AM) (Source: MsiInstaller) (User: RATS-Rojas)
Description: Product: Microsoft Fix it 50535 -- Error 1921. Service 'Microsoft Antimalware Service' (MsMpSvc) could not be stopped.  Verify that you have sufficient privileges to stop system services.

Error: (06/24/2013 09:56:25 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/24/2013 09:52:13 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/21/2013 11:41:25 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/21/2013 11:33:40 AM) (Source: System Restore) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\wbem\wmiprvse.exe; Description = ComboFix created restore point; Error = 0x8007043c).

Error: (06/21/2013 11:33:40 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007043c, This service cannot be started in Safe Mode
.

Operation:
   Instantiating VSS server

Error: (06/21/2013 11:33:40 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started during Safe Mode.
The Volume Shadow Copy service cannot start while in safe mode. [0x8007043c, This service cannot be started in Safe Mode
]

Operation:
   Instantiating VSS server

Error: (06/21/2013 10:58:24 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

System errors:
=============
Error: (06/24/2013 11:23:53 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (06/24/2013 10:36:30 AM) (Source: Service Control Manager) (User: )
Description: The WinDefend service terminated with the following error:
%%5

Error: (06/24/2013 10:36:28 AM) (Source: Service Control Manager) (User: )
Description: The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services service which failed to start because of the following error:
%%0

Error: (06/24/2013 10:36:27 AM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error:
%%5

Error: (06/24/2013 10:19:17 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (06/24/2013 09:57:30 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (06/24/2013 09:56:24 AM) (Source: Service Control Manager) (User: )
Description: The WinDefend service terminated with the following error:
%%5

Error: (06/24/2013 09:56:22 AM) (Source: Service Control Manager) (User: )
Description: The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services service which failed to start because of the following error:
%%0

Error: (06/24/2013 09:56:21 AM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error:
%%5

Error: (06/24/2013 09:52:09 AM) (Source: Service Control Manager) (User: )
Description: The WinDefend service terminated with the following error:
%%5

Microsoft Office Sessions:
=========================
Error: (06/24/2013 11:15:02 AM) (Source: MsiInstaller)(User: RATS-Rojas)
Description: Product: Microsoft Fix it 50535 -- Error 1921. Service 'Microsoft Antimalware Service' (MsMpSvc) could not be stopped.  Verify that you have sufficient privileges to stop system services.(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (06/24/2013 10:36:30 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/24/2013 10:35:20 AM) (Source: MsiInstaller)(User: RATS-Rojas)
Description: Product: Microsoft Fix it 50535 -- Error 1921. Service 'Microsoft Antimalware Service' (MsMpSvc) could not be stopped.  Verify that you have sufficient privileges to stop system services.(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (06/24/2013 09:56:25 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/24/2013 09:52:13 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/21/2013 11:41:25 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/21/2013 11:33:40 AM) (Source: System Restore)(User: )
Description: C:\Windows\system32\wbem\wmiprvse.exeComboFix created restore point0x8007043c

Error: (06/21/2013 11:33:40 AM) (Source: VSS)(User: )
Description: CoCreateInstance0x8007043c, This service cannot be started in Safe Mode

Operation:
   Instantiating VSS server

Error: (06/21/2013 11:33:40 AM) (Source: VSS)(User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}IVssCoordinatorEx20x8007043c, This service cannot be started in Safe Mode

Operation:
   Instantiating VSS server

Error: (06/21/2013 10:58:24 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 3581.59 MB
Available physical RAM: 2860.22 MB
Total Pagefile: 7161.48 MB
Available Pagefile: 6204.92 MB
Total Virtual: 2047.88 MB
Available Virtual: 1898.63 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:453.57 GB) (Free:313.45 GB) NTFS
Drive e: (KINGSTON) (Removable) (Total:7.26 GB) (Free:4.93 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: C648A420)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=454 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=7 GB) - (Type=0C)

==================== End Of Log ============================

 

 

 




 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:42 AM

Posted 24 June 2013 - 12:19 PM

Hi there,
My name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms; it could be hard for me to read. Thanks for your understanding.
Post up C:\ComboFix.txt.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 K1llabeezz

K1llabeezz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 24 June 2013 - 12:23 PM

ComboFix.txt

 

ComboFix 13-06-21.02 - Dr. Rojas 06/21/2013  11:34:08.2.2 - x86 NETWORK
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3582.3121 [GMT -4:00]
Running from: E:\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Install.exe
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\addon.ico
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\amazon_ie.ico
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.cfg
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabStart.exe
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabStart64.exe
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabWrap.dll
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabWrap64.dll
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DT.ico
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\ebay_ie.ico
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\facebook_ie.ico
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\imdb_ie.ico
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\search_here_ie.ico
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\searchhere.ico
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\twitter_ie.ico
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\uninstalldt.exe
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\update.exe
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\wikipedia_ie.ico
c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\youtube_ie.ico
c:\users\Dr. Rojas\g2mdlhlpx.exe
c:\windows\system32\zip32.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_DefaultTabUpdate
-------\Service_DefaultTabUpdate
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-21 to 2013-06-21  )))))))))))))))))))))))))))))))
.
.
2013-06-21 15:40 . 2013-06-21 15:40 -------- d-----w- c:\users\DRF045~1~ROJ\AppData\Local\temp
2013-06-21 15:40 . 2013-06-21 15:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-21 15:05 . 2013-06-21 15:05 -------- d--h--w- c:\windows\PIF
2013-06-21 15:01 . 2013-06-21 15:01 -------- d-----w- c:\users\Administrator
2013-06-16 04:07 . 2013-06-16 04:07 60872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{219C668A-5683-47F6-85A4-792FEF6D2EF1}\offreg.dll
2013-06-15 23:39 . 2013-06-09 15:35 724464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C3E509B7-2F8F-45BC-AD0D-7645095B8519}\gapaengine.dll
2013-06-15 23:39 . 2013-05-13 06:19 7016152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{219C668A-5683-47F6-85A4-792FEF6D2EF1}\mpengine.dll
2013-06-12 03:27 . 2013-04-25 23:30 1505280 ----a-w- c:\windows\system32\d3d11.dll
2013-06-12 03:27 . 2013-05-10 03:20 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-12 03:27 . 2013-04-26 04:55 492544 ----a-w- c:\windows\system32\win32spl.dll
2013-06-12 03:27 . 2013-05-13 03:08 903168 ----a-w- c:\windows\system32\certutil.exe
2013-06-12 03:27 . 2013-05-13 04:45 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 03:27 . 2013-05-13 04:45 1160192 ----a-w- c:\windows\system32\crypt32.dll
2013-06-12 03:27 . 2013-05-13 04:45 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-12 03:27 . 2013-05-13 03:08 43008 ----a-w- c:\windows\system32\certenc.dll
2013-06-12 03:27 . 2013-04-17 07:02 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-06-12 03:27 . 2013-05-06 05:06 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-12 03:27 . 2013-05-06 05:06 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-06-12 03:27 . 2013-05-08 05:38 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-11 15:43 . 2013-05-13 06:19 7016152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-09 15:36 . 2013-06-09 15:35 724464 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DDF1C73B-5465-4803-A851-D673E7086B63}\gapaengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-15 23:18 . 2013-01-13 13:01 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-15 23:18 . 2011-08-10 21:49 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-09 15:35 . 2011-08-12 02:31 724464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-06-09 15:32 . 2010-06-24 16:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-02 15:28 . 2011-06-09 18:14 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-13 04:45 . 2013-05-15 21:50 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 21:50 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45 . 2013-04-24 15:12 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 05:18 . 2013-05-15 21:50 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 05:18 . 2013-05-15 21:50 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 03:14 . 2013-05-15 21:50 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 18:50 . 2012-07-10 14:29 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-13 13:47 . 2012-10-01 17:28 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-10-16 21:10 119664 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-10-16 21:10 119664 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-02-06 39408]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-21 719672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1314816]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2011-03-08 227328]
"SpeechExec Startup"="c:\program files\Common Files\Philips Speech Shared\Components\PSP.SpeechExec.StartupApp.exe" [2008-10-27 16384]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]
2010-09-15 16:11 1971536 ----a-w- c:\program files\Common Files\SPBA\homefus2.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 bndmepos;bndmepos;c:\windows\system32\drivers\bndmepos.sys [x]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys [2010-11-20 126464]
R3 NisSrv;NisSrv;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 295232]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys [2010-11-20 19456]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-06-11 1343400]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 20480]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S2 AliUpdate;Horizon Medical Imaging Update Service;c:\program files\Common Files\McKesson\MIG\Service\AliUpdate.exe [2012-01-28 117840]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 100328]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-06-01 2337144]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-06 224424]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-13 23:18]
.
2013-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 02:34]
.
2013-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
Trusted Zone: imadoctors.com\pacs
Trusted Zone: tgh.org\myapps
Trusted Zone: towerpacs.com
Trusted Zone: towerpacs.com\www
Trusted Zone: woodlandsmed.com\pacs
TCP: DhcpNameServer = 131.107.2.23 172.30.105.10
DPF: 541725B1-4823-44FA-A212-6F32C206BA86 - hxxp://tghpacs/HRS/download/\Setup.cab
DPF: {0E399C04-2FD3-4D24-BBF8-FC98C864F657} - hxxp://tghpacs/HRS/download/AliUpdate.cab
DPF: {26441C18-AFBB-4DAE-9919-7252BCD3BA23} - hxxp://vpscribev5/webcore/cab/PscribeSDK.cab
DPF: {36B874FC-EECA-4622-8DCE-F8D453C88845} - hxxp://tghpacs/HRS/download/AliUpdate.cab
DPF: {601B418B-E6A6-47FC-A094-07248741CEB3} - hxxps://cpacs.tgh.org/vericis_web/vwr_data//webvwr.cab
DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxps://myapps.tgh.org/WebConnect/windows/ptdownloader.cab
DPF: {9C5D86BB-6882-4FCC-B5A3-3088BF6ABE47} - hxxp://vpscribev51/webcore/cab/PowerScribeClient.cab
DPF: {A380542A-A9F0-4F4D-9614-D87B8E0CB59C} - hxxp://vpscribev5/webcore/client/install/dcversion.cab
DPF: {BD413F3F-67C3-4100-AC76-36FC47A7EEA0} - hxxps://cpacs.tgh.org/vericis_web/vwr_data//msmpg4.cab
DPF: {C56351DF-0072-494C-B6B2-2640CAD1BA90} - hxxp://tghpacs/HRS/download/Setup.cab
DPF: {DE2DB781-BE83-11D1-A572-006008AAC4E2} - hxxp://vpscribev5/webcore/cab/DSCBinaries.cab
FF - ProfilePath - c:\users\Dr. Rojas\AppData\Roaming\Mozilla\Firefox\Profiles\7j30fj3v.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 57d8a406-f56c-47ea-8af3-7ae09f481e45
FF - user.js: extentions.y2layers.defaultEnableAppsList - easyinline
FF - user.js: extensions.autoDisableScopes - 14
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\mssecex.exe
AddRemove-DefaultTab - c:\users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\uninstalldt.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(524)
c:\windows\system32\wvauth.DLL
.
- - - - - - - > 'Explorer.exe'(3512)
c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\SPBA\upeksvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\WUDFHost.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
.
**************************************************************************
.
Completion time: 2013-06-21  11:45:02 - machine was rebooted
ComboFix-quarantined-files.txt  2013-06-21 15:45
.
Pre-Run: 336,768,372,736 bytes free
Post-Run: 336,135,639,040 bytes free
.
- - End Of File - - 330DFDCC29ADA56414566F2E1A1541D2
5C616939100B85E558DA92B899A0FC36
 



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:42 AM

Posted 24 June 2013 - 12:40 PM

Scan with adwCleaner


Please download AdwCleaner to your desktop.
  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt as well.
Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.
Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.

Edited by TB-Psychotic, 24 June 2013 - 12:40 PM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 K1llabeezz

K1llabeezz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 24 June 2013 - 01:05 PM

AdwCleaner[S1]

 

# AdwCleaner v2.303 - Logfile created 06/24/2013 at 13:46:58
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Administrator - RATS-ROJAS
# Boot Mode : Normal
# Running from : E:\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Program Files\Free Offers from Freeze.com
Folder Deleted : C:\Program Files\Yontoo
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\ProgramData\WeCareReminder
Folder Deleted : C:\Users\Administrator\AppData\Local\Babylon
Folder Deleted : C:\Users\Administrator\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Dr. Rojas\AppData\Roaming\DefaultTab

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\DefaultTabBHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\IEHelperv2.5.0.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\Toolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{99066096-8989-4612-841F-621A01D54AD7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX.1
Key Deleted : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder
Key Deleted : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?affID=122460&babsrc=NT_ss&mntrId=2A61BC305BBEC4C3 --> hxxp://www.google.com

*************************

AdwCleaner[S1].txt - [4879 octets] - [24/06/2013 13:46:58]

########## EOF - C:\AdwCleaner[S1].txt - [4939 octets] ##########
Mbar found nothing. Log attached anyways.
Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.06.24.05

Windows 7 Service Pack 1 x86 FAT32
Internet Explorer 8.0.7601.17514
Administrator :: RATS-ROJAS [administrator]

6/24/2013 1:51:28 PM
mbar-log-2013-06-24 (13-51-28).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 249503
Time elapsed: 6 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 24 June 2013 - 01:28 PM

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
Also post up a new log from FRST.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 K1llabeezz

  • Topic Starter
  • Members
  • 10 posts

Posted 24 June 2013 - 01:33 PM

FSS
Farbar Service Scanner Version: 16-06-2013
Ran by Administrator (administrator) on 24-06-2013 at 14:31:05
Running from "E:\"
Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-06-11 23:27] - [2013-05-08 01:38] - 1293672 ____A (Microsoft Corporation) D32FDAC73FCD76B85389C39BC1087F2A

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2013-06-11 23:27] - [2013-05-13 00:45] - 0140288 ____A (Microsoft Corporation) 3897DFF247D9ED0006190349DE264E14

ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll Reparse point on file detected.

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****
New FRST
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-06-2013
Ran by Administrator (administrator) on 24-06-2013 14:31:57
Running from E:\
Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(McKesson MIG) C:\Program Files\Common Files\McKesson\MIG\Service\AliUpdate.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\Windows\system32\wbem\unsecapp.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version6\TeamViewer.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
() C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
(Dell Computer Corporation) C:\dell\DBRM\Reminder\DbrmTrayicon.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-06-22] (Analog Devices, Inc.)
HKLM\...\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2009-07-06] (CyberLink Corp.)
HKLM\...\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-04-29] (CyberLink Corp.)
HKLM\...\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM\...\Run: [Desktop Disc Tool] "C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM\...\Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)
HKLM\...\Run: [SpeechExec Startup] C:\Program Files\Common Files\Philips Speech Shared\Components\PSP.SpeechExec.StartupApp.exe [16384 2008-10-27] (Philips Austria GmbH - Speech Processing)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [X]
HKU\Dr. Rojas\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Dr. Rojas\...\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" [x]
Lsa: [Authentication Packages] msv1_0 wvauth

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKCU -No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {0E399C04-2FD3-4D24-BBF8-FC98C864F657} http://tghpacs/HRS/download/AliUpdate.cab
DPF: {26441C18-AFBB-4DAE-9919-7252BCD3BA23} http://vpscribev5/webcore/cab/PscribeSDK.cab
DPF: {36B874FC-EECA-4622-8DCE-F8D453C88845} http://tghpacs/HRS/download/AliUpdate.cab
DPF: {601B418B-E6A6-47FC-A094-07248741CEB3} https://cpacs.tgh.org/vericis_web/vwr_data//webvwr.cab
DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} https://myapps.tgh.org/WebConnect/windows/ptdownloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {9C5D86BB-6882-4FCC-B5A3-3088BF6ABE47} http://vpscribev51/webcore/cab/PowerScribeClient.cab
DPF: {A380542A-A9F0-4F4D-9614-D87B8E0CB59C} http://vpscribev5/webcore/client/install/dcversion.cab
DPF: {BD413F3F-67C3-4100-AC76-36FC47A7EEA0} https://cpacs.tgh.org/vericis_web/vwr_data//msmpg4.cab
DPF: {C56351DF-0072-494C-B6B2-2640CAD1BA90} http://tghpacs/HRS/download/Setup.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {DE2DB781-BE83-11D1-A572-006008AAC4E2} http://vpscribev5/webcore/cab/DSCBinaries.cab
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
Tcpip\Parameters: [DhcpNameServer] 131.107.2.23 172.30.105.10

========================== Services (Whitelisted) =================

R2 AliUpdate; C:\Program Files\Common Files\McKesson\MIG\Service\AliUpdate.exe [117840 2012-01-28] (McKesson MIG)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] ()
S3 RoxMediaDB12OEM; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [1116656 2010-11-25] (Sonic Solutions)
S2 RoxWatch12; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [219632 2010-11-25] (Sonic Solutions)
S3 SecureStorageService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe [1477632 2010-11-03] (Wave Systems Corp.)
S3 SPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [69718 2004-05-27] (Sony Corporation)
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1629696 2010-07-13] ()
R2 TdmService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe [2336104 2010-10-16] (Wave Systems Corp.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] ()

==================== Drivers (Whitelisted) ====================

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 NAL; C:\Windows\system32\Drivers\iqvw32.sys [30880 2010-02-03] (Intel Corporation )
S3 netvsc; C:\Windows\System32\DRIVERS\netvsc60.sys [126464 2010-11-20] (Microsoft Corporation)
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
S3 SynthVid; C:\Windows\System32\DRIVERS\VMBusVideoM.sys [19456 2010-11-20] (Microsoft Corporation)
S1 bndmepos; \??\C:\Windows\system32\drivers\bndmepos.sys [x]
S3 catchme; \??\C:\Users\DRF045~1.ROJ\AppData\Local\Temp\catchme.sys [x]
U4 mbamswissarmy;
S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-24 13:51 - 2013-06-24 14:03 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-24 13:46 - 2013-06-24 13:47 - 00005008 ____A C:\AdwCleaner[S1].txt
2013-06-24 11:41 - 2013-06-24 11:41 - 00000000 ____D C:\FRST
2013-06-24 11:24 - 2013-06-24 11:27 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google
2013-06-24 11:24 - 2013-06-24 11:24 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\URSoft
2013-06-24 10:40 - 2013-06-24 10:40 - 00126120 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2013-06-24 10:39 - 2013-06-24 10:39 - 00008224 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-24 10:39 - 2013-06-24 10:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Roxio
2013-06-24 10:39 - 2013-06-24 10:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Intel Corporation
2013-06-21 11:45 - 2013-06-21 11:45 - 00016778 ____A C:\ComboFix.txt
2013-06-21 11:33 - 2013-06-21 11:45 - 00000000 ____D C:\ComboFix
2013-06-21 11:05 - 2013-06-21 11:05 - 00000000 ___HD C:\Windows\PIF
2013-06-21 11:01 - 2013-06-24 10:39 - 00000000 ____D C:\users\Administrator
2013-06-21 11:01 - 2013-06-21 11:01 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
2013-06-21 11:01 - 2012-02-05 22:34 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Macromedia
2013-06-21 11:01 - 2011-11-01 03:01 - 00000000 ____D C:\Users\Administrator\AppData\Local\Microsoft Help
2013-06-21 09:31 - 2013-06-02 17:21 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-20 10:14 - 2013-06-20 10:14 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2013-06-19 20:36 - 2013-06-21 11:45 - 00000000 ____D C:\Qoobox
2013-06-19 20:36 - 2013-06-21 11:44 - 00000000 ____D C:\Windows\erdnt
2013-06-19 20:36 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2013-06-19 20:36 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2013-06-19 20:36 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-06-19 20:36 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-06-19 20:36 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-06-19 20:36 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2013-06-19 20:36 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2013-06-19 20:36 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2013-06-19 20:35 - 2013-06-19 20:34 - 05081021 ___RA (Swearware) C:\ComboFix.exe
2013-06-19 20:30 - 2013-06-19 20:30 - 00001469 ____A C:\Users\Dr. Rojas\Desktop\Internet Explorer (No Add-ons).lnk
2013-06-19 20:27 - 2013-06-19 20:27 - 00000000 ___AH C:\Users\Dr. Rojas\Documents\Default.rdp
2013-06-19 20:09 - 2013-06-19 20:36 - 00000501 ____A C:\Users\Dr. Rojas\Desktop\interCONNECT.website
2013-06-11 23:27 - 2013-05-13 00:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 23:27 - 2013-05-13 00:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 23:27 - 2013-05-13 00:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 23:27 - 2013-05-12 23:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 23:27 - 2013-05-12 23:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 23:27 - 2013-05-09 23:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 23:27 - 2013-05-08 01:38 - 01293672 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 23:27 - 2013-05-06 01:06 - 03968872 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-06-11 23:27 - 2013-05-06 01:06 - 03913576 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-06-11 23:27 - 2013-04-26 00:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-11 23:27 - 2013-04-25 19:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-11 23:27 - 2013-04-17 03:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll

==================== One Month Modified Files and Folders ========

2013-06-24 14:03 - 2013-06-24 13:51 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-24 13:55 - 2009-07-14 00:34 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-24 13:55 - 2009-07-14 00:34 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-24 13:51 - 2011-06-02 13:52 - 01441841 ____A C:\Windows\WindowsUpdate.log
2013-06-24 13:50 - 2011-06-02 14:07 - 00000000 ____D C:\ProgramData\Sonic
2013-06-24 13:49 - 2013-01-13 09:01 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-24 13:48 - 2012-02-05 22:34 - 00000000 ____D C:\Program Files\Google
2013-06-24 13:48 - 2010-11-20 17:48 - 00035650 ____A C:\Windows\PFRO.log
2013-06-24 13:48 - 2009-07-14 00:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-24 13:48 - 2009-07-14 00:39 - 00044065 ____A C:\Windows\setupact.log
2013-06-24 13:47 - 2013-06-24 13:46 - 00005008 ____A C:\AdwCleaner[S1].txt
2013-06-24 11:41 - 2013-06-24 11:41 - 00000000 ____D C:\FRST
2013-06-24 11:27 - 2013-06-24 11:24 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google
2013-06-24 11:27 - 2012-02-05 22:34 - 00000000 ____D C:\ProgramData\Google
2013-06-24 11:24 - 2013-06-24 11:24 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\URSoft
2013-06-24 10:40 - 2013-06-24 10:40 - 00126120 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2013-06-24 10:39 - 2013-06-24 10:39 - 00008224 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-24 10:39 - 2013-06-24 10:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Roxio
2013-06-24 10:39 - 2013-06-24 10:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Intel Corporation
2013-06-24 10:39 - 2013-06-21 11:01 - 00000000 ____D C:\users\Administrator
2013-06-24 10:17 - 2010-11-20 17:01 - 00797602 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-24 10:16 - 2011-06-13 10:49 - 00002198 ____A C:\Windows\epplauncher.mif
2013-06-24 09:56 - 2009-07-14 00:53 - 00032590 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-21 11:45 - 2013-06-21 11:45 - 00016778 ____A C:\ComboFix.txt
2013-06-21 11:45 - 2013-06-21 11:33 - 00000000 ____D C:\ComboFix
2013-06-21 11:45 - 2013-06-19 20:36 - 00000000 ____D C:\Qoobox
2013-06-21 11:44 - 2013-06-19 20:36 - 00000000 ____D C:\Windows\erdnt
2013-06-21 11:41 - 2009-07-13 22:04 - 00000215 ____A C:\Windows\system.ini
2013-06-21 11:40 - 2009-07-13 22:03 - 67895296 ____A C:\Windows\System32\config\SOFTWARE.bak
2013-06-21 11:40 - 2009-07-13 22:03 - 13631488 ____A C:\Windows\System32\config\SYSTEM.bak
2013-06-21 11:40 - 2009-07-13 22:03 - 00524288 ____A C:\Windows\System32\config\DEFAULT.bak
2013-06-21 11:40 - 2009-07-13 22:03 - 00262144 ____A C:\Windows\System32\config\SECURITY.bak
2013-06-21 11:40 - 2009-07-13 22:03 - 00262144 ____A C:\Windows\System32\config\SAM.bak
2013-06-21 11:05 - 2013-06-21 11:05 - 00000000 ___HD C:\Windows\PIF
2013-06-21 11:01 - 2013-06-21 11:01 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
2013-06-21 09:36 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-06-20 13:17 - 2012-10-01 13:28 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-20 12:05 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Cursors
2013-06-20 10:14 - 2013-06-20 10:14 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2013-06-19 20:44 - 2011-06-09 13:56 - 00000000 ____D C:\users\Dr. Rojas
2013-06-19 20:36 - 2013-06-19 20:09 - 00000501 ____A C:\Users\Dr. Rojas\Desktop\interCONNECT.website
2013-06-19 20:36 - 2011-06-22 09:37 - 00000000 ____D C:\Program Files\LogMeIn Rescue Calling Card
2013-06-19 20:34 - 2013-06-19 20:35 - 05081021 ___RA (Swearware) C:\ComboFix.exe
2013-06-19 20:31 - 2011-06-22 09:37 - 00002555 ____A C:\Users\Public\Desktop\Tower Radiology Centers Support.lnk
2013-06-19 20:31 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\SchCache
2013-06-19 20:30 - 2013-06-19 20:30 - 00001469 ____A C:\Users\Dr. Rojas\Desktop\Internet Explorer (No Add-ons).lnk
2013-06-19 20:27 - 2013-06-19 20:27 - 00000000 ___AH C:\Users\Dr. Rojas\Documents\Default.rdp
2013-06-19 20:21 - 2012-07-10 10:29 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-19 20:21 - 2012-07-10 10:29 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-19 20:05 - 2011-06-22 09:37 - 00000000 ____D C:\Users\Dr. Rojas\AppData\Local\LogMeIn Rescue Calling Card
2013-06-16 03:06 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-06-15 19:43 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\rescache
2013-06-15 19:18 - 2013-01-13 09:01 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-15 19:18 - 2011-08-10 17:49 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-09 11:33 - 2012-07-10 08:37 - 00000000 ____D C:\Users\Dr. Rojas\AppData\Local\Deployment
2013-06-02 17:21 - 2013-06-21 09:31 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

LastRegBack: 2013-06-15 19:36

==================== End Of Log ============================



#8 K1llabeezz

  • Topic Starter
  • Members
  • 10 posts

Posted 24 June 2013 - 01:34 PM

Anything relating to "unreachable hosts" is due to the fact that I am keeping the infected PC off of the network. It can still reach outside servers and websites when it's connected to the network.



#9 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 24 June 2013 - 01:51 PM

Fix with FRST
  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    S1 bndmepos; \??\C:\Windows\system32\drivers\bndmepos.sys [x]
    
    C:\Windows\system32\drivers\bndmepos.sys
    DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
    DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.
When ready, restart the machine. Connect it to the network and check if everything works.
Report.

Edited by TB-Psychotic, 24 June 2013 - 01:52 PM.

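
Both Farbar tools in this thread flagged the same condition from different angles: FSS reported "Reparse point on file detected" on MpSvc.dll, and FRST's Bamital & volsnap check tied the reparse points on the Windows Defender and Microsoft Security Client folders to ZeroAccess, which is why MSE would not launch and its files could not be unlocked even as Administrator. The PowerShell below is an added example written for this page; it is not code from the thread, from Farbar's tools or from Malwarebytes. It walks those two directories (the Win7 x86 paths are assumed from the log), lists every file or folder carrying the ReparsePoint attribute, and reads the reparse tag through `fsutil reparsepoint query`; the parsing of fsutil's text output is an assumption about its format.

```powershell
# Added example for this thread; not code from BleepingComputer, Farbar (FRST/FSS)
# or Malwarebytes. Enumerates reparse points under the antimalware directories the
# logs flagged, so an admin can reproduce the "Reparse point on file detected"
# finding and confirm it is gone after the fix. Paths assume the Win7 x86 layout
# seen in the log; the text format of `fsutil reparsepoint query` is an assumption.

function Get-ReparsePointsUnder {
    param([Parameter(Mandatory = $true)][string[]]$Root)

    $reparseFlag = [System.IO.FileAttributes]::ReparsePoint
    $dirFlag     = [System.IO.FileAttributes]::Directory

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) {
            Write-Warning "Not found: $r"
            continue
        }
        # Include the root itself: FRST reported the folders, not only the files in them.
        $items = @(Get-Item -LiteralPath $r -Force) +
                 @(Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue)

        foreach ($i in $items) {
            if (($i.Attributes -band $reparseFlag) -ne $reparseFlag) { continue }

            # Ask NTFS for the reparse tag so a junction or symlink (0xA0000003 / 0xA000000C)
            # can be told apart from an arbitrary tag stamped on a plain DLL or EXE, which
            # is what makes the antimalware binaries unopenable.
            $tag   = $null
            $query = & fsutil.exe reparsepoint query $i.FullName 2>&1
            $line  = $query | Select-String -Pattern 'Reparse Tag Value' -SimpleMatch | Select-Object -First 1
            if ($line) { $tag = ($line.Line -split ':\s*')[-1].Trim() }

            New-Object PSObject -Property @{
                Path        = $i.FullName
                IsDirectory = (($i.Attributes -band $dirFlag) -eq $dirFlag)
                ReparseTag  = $tag
            }
        }
    }
}

# Returns $true when no reparse point remains under the given roots, i.e. the state the
# Fixlog's "Deleting reparse point and unlocking completed" lines should leave behind.
function Test-AvDirectoriesClean {
    param([string[]]$Root = @("$env:ProgramFiles\Windows Defender",
                              "$env:ProgramFiles\Microsoft Security Client"))
    $found = @(Get-ReparsePointsUnder -Root $Root)
    if ($found.Count -gt 0) {
        $found | Format-Table -AutoSize Path, IsDirectory, ReparseTag
        return $false
    }
    return $true
}

Test-AvDirectoriesClean
```

Run it from an elevated PowerShell before and after the fix: a clean tree returns $true, and every entry it lists is exactly what FRST's DeleteJunctionsIndirectory removed here. The manual equivalent for a single path is `fsutil reparsepoint delete <path>`, which strips the reparse data and leaves the file in place; after that, check that the binaries are the expected Microsoft-signed files before trusting the reinstated antimalware service.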

#10 K1llabeezz

  • Topic Starter
  • Members
  • 10 posts

Posted 24 June 2013 - 02:14 PM

OK that seems to have restored access to MSE and running downloads from browsers. Fixlog below.
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 22-06-2013
Ran by Administrator at 2013-06-24 15:06:00 Run:1
Running from E:\
Boot Mode: Normal

==============================================

bndmepos => Service deleted successfully.
C:\Windows\system32\drivers\bndmepos.sys => File/Directory not found.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking started.
"C:\Program Files\Microsoft Security Client\Backup" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\DbgHelp.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\Drivers" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\en-us" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\EppManifest.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MpAsDesc.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MpClient.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MpCmdRun.exe" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MpCommu.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\mpevmsg.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MpOAv.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MpRTP.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MpSvc.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MSESysprep.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MsMpCom.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MsMpEng.exe" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MsMpLics.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MsMpRes.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\msseces.exe" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\msseoobe.exe" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\msseooberes.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\MsseWat.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\NisIpsPlugin.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\NisLog.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\NisSrv.exe" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\NisWFP.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\Setup.exe" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\SetupRes.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\shellext.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\sqmapi.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\SymSrv.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client\SymSrv.yes" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking completed.

The system needs a manual reboot.

==== End of Fixlog ====



#11 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 24 June 2013 - 02:22 PM

Please go here to run the online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


#12 K1llabeezz

K1llabeezz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:42 AM

Posted 24 June 2013 - 03:38 PM

Threats found. Awaiting instructions. Logs below.

 

C:\Qoobox\Quarantine\C\Users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll.vir a variant of Win32/Toolbar.DefaultTab.B application
C:\Qoobox\Quarantine\C\Users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabStart.exe.vir Win32/Toolbar.DefaultTab.A application
C:\Qoobox\Quarantine\C\Users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabStart64.exe.vir Win64/Toolbar.DefaultTab.A application
C:\Qoobox\Quarantine\C\Users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabWrap.dll.vir a variant of Win32/Toolbar.DefaultTab.B application
C:\Qoobox\Quarantine\C\Users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe.vir Win32/Toolbar.DefaultTab.A application
C:\Qoobox\Quarantine\C\Users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\uninstalldt.exe.vir Win32/Toolbar.DefaultTab.B application
C:\Qoobox\Quarantine\C\Users\Dr. Rojas\AppData\Roaming\DefaultTab\DefaultTab\update.exe.vir multiple threats
C:\Users\Administrator\AppData\Local\temp\50892788-BAB0-7891-9655-0BC404FA0911\IEHelper.dll Win32/Toolbar.Babylon.E application
C:\Users\Administrator\AppData\Local\temp\50892788-BAB0-7891-9655-0BC404FA0911\Setup.exe a variant of Win32/Toolbar.Babylon.E application
C:\Users\Dr. Rojas\AppData\Roaming\Mozilla\Firefox\Profiles\7j30fj3v.default\extensions\plugin@yontoo.com\content\overlay.js Win32/Adware.Yontoo application
 



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:42 AM

Posted 24 June 2013 - 03:41 PM

Fix with FRST
  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    C:\Users\Administrator\AppData\Local\temp\50892788-BAB0-7891-9655-0BC404FA0911
    C:\Users\Dr. Rojas\AppData\Roaming\Mozilla\Firefox\Profiles\7j30fj3v.default\extensions\plugin@yontoo.com
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.
Then we can do the cleanup - if you are facing any issues, report that immediately.

Scan with adwCleaner


Please download AdwCleaner to your desktop.
  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt also.
SecurityCheck

Please download SecurityCheck: LINK1 LINK2
  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#14 K1llabeezz

K1llabeezz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:42 AM

Posted 24 June 2013 - 03:59 PM

Fix Log.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 22-06-2013
Ran by Administrator at 2013-06-24 16:52:05 Run:2
Running from E:\
Boot Mode: Normal

==============================================

C:\Users\Administrator\AppData\Local\temp\50892788-BAB0-7891-9655-0BC404FA0911 => Moved successfully.
C:\Users\Dr. Rojas\AppData\Roaming\Mozilla\Firefox\Profiles\7j30fj3v.default\extensions\plugin@yontoo.com => Moved successfully.

==== End of Fixlog ====

 

 

AdwCleaner

 

# AdwCleaner v2.303 - Logfile created 06/24/2013 at 16:52:38
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Administrator - RATS-ROJAS
# Boot Mode : Normal
# Running from : E:\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [5008 octets] - [24/06/2013 13:46:58]
AdwCleaner[S2].txt - [561 octets] - [24/06/2013 16:52:38]

########## EOF - C:\AdwCleaner[S2].txt - [620 octets] ##########

 

Checkup

 

 Results of screen317's Security Check version 0.99.67 
 Windows 7 Service Pack 1 x86 (UAC is disabled!) 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled! 
Microsoft Security Essentials  
  (On Access scanning disabled!)
 Error obtaining update status for antivirus! 
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java™ 6 Update 24 
 Java 7 Update 25 
 Adobe Reader 10.1.2 Adobe Reader out of Date! 
 Mozilla Firefox 16.0.1 Firefox out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 



#15 K1llabeezz

K1llabeezz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:42 AM

Posted 24 June 2013 - 04:00 PM

MSE On Access Scan was still disabled from the ESET scan.
