
Removed Trojan Alureon with Windows Defender Offline and now OS won't boot


26 replies to this topic

#1 tutorcom (Members)

Posted 24 June 2013 - 03:54 PM

Hi there, first time posting here.

I recently helped my father-in-law remove a trojan named Alureon using Windows Defender Offline. Immediately after it was removed, Windows 7 would blue screen on the OS load screen and crash.

Two questions:

1) Is the trojan successfully removed from the PC? Using the Microsoft Security Essentials scan in Windows Defender Offline indicated a clean computer, but now it won't boot so I'm not sure.

2) How can I fix this issue and get it to boot up?

Thanks.


Edited by hamluis, 24 June 2013 - 04:05 PM.
Moved from MRL to Am I Infected, no logs - Hamluis.



#2 Broni (BC Advisor)

Posted 24 June 2013 - 08:29 PM

I'll report this topic to appropriate helpers.

Hold on there....




 


#3 tutorcom (Topic Starter)

Posted 24 June 2013 - 08:48 PM

I've followed up on similar topics and attached a Farbar scan output file. See below:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-06-2013 01
Ran by SYSTEM on 24-06-2013 21:39:47
Running from K:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [610360 2009-09-14] ()
HKLM\...\Run: [PC-Doctor for Windows localizer] C:\Program Files\PC-Doctor for Windows\localizer.exe [x]
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [BATINDICATOR] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe [2068992 2009-05-08] (Hewlett-Packard)
HKLM-x32\...\Run: [LaunchHPOSIAPP] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe [385024 2009-04-03] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-08-24] (Hewlett-Packard)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-10-02] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-12-01] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [600936 2009-06-29] (Symantec Corporation)
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [300400 2010-03-10] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [IndexSearch] "C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe" [46368 2010-03-08] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] "C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe" [29984 2010-03-08] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PPort12reminder] "C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\12\Config\Ereg\Ereg.ini" [328992 2010-02-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFHook] C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF5 Registry Controller] C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [ControlCenter4] C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe /autorun [139264 2011-04-20] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN [2621440 2010-06-10] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [1686528 2012-03-27] (Wondershare)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [x]
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)
HKU\Guest\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)
HKU\Guest\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Guest\...\Run: [Google Update] "C:\Users\Mok\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-09-27] (Google Inc.)
HKU\Guest\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\Guest\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [x]
HKU\Guest\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2009-05-05] (Acresso Corporation)
HKU\Mikey\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)
HKU\Mikey\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\mikey.Mok-PC\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)
HKU\mikey.Mok-PC\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\MIKEYYYYYYYYYYYYYYYY\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW [1685048 2009-09-29] (Hewlett-Packard)
HKU\MIKEYYYYYYYYYYYYYYYY\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Mok\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)
HKU\Mok\...\Run: [Google Update] "C:\Users\Mok\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-09-27] (Google Inc.)
HKU\Mok\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\Mok\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2009-05-05] (Acresso Corporation)
HKU\Mok\...\Policies\system: [LogonHoursAction] 2
HKU\Mok\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\nike\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)
HKU\nike\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
AppInit_DLLs-x32: c:\progra~3\browse~1\261040~1.25\{c16c1~1\browse~1.dll [2202728 2012-12-25] ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\Citrix Access Gateway.lnk
ShortcutTarget: Citrix Access Gateway.lnk -> C:\Program Files\Citrix\Secure Access Client\nsload.exe (Citrix Systems, Inc)
Startup: C:\ProgramData\Start Menu\Programs\Startup\PictureMover.lnk
ShortcutTarget: PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)
Startup: C:\Users\Mok\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Services (Whitelisted) =================
 
S2 nsverctl; C:\Program Files\Citrix\Secure Access Client\nsverctl.exe [154776 2011-03-14] (Citrix Systems, Inc)
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-08] (Nuance Communications, Inc.)
 
==================== Drivers (Whitelisted) ====================
 
S2 cag; C:\Program Files\Common Files\Deterministic Networks\Common Files\cag.sys [96384 2010-08-04] (Citrix Systems, Inc.)
S2 cag; C:\Program Files\Common Files\Deterministic Networks\Common Files\cag.sys [96384 2010-08-04] (Citrix Systems, Inc.)
S3 ctxva51; C:\Windows\System32\DRIVERS\ctxva51.sys [45720 2011-03-14] (Citrix Systems, Inc.)
S4 ccSet_NIS; \SystemRoot\system32\drivers\NISx64\1309010.00E\ccSetx64.sys [x]
S4 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\IPSDefs\20130509.001\IDSvia64.sys [x]
S4 SRTSPX; \SystemRoot\system32\drivers\NISx64\1309010.00E\SRTSPX64.SYS [x]
S4 SymDS; system32\drivers\NISx64\1309010.00E\SYMDS64.SYS [x]
S4 SymEFA; system32\drivers\NISx64\1309010.00E\SYMEFA64.SYS [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-06-24 21:37 - 2013-06-24 21:37 - 00000000 ____D C:\FRST
2013-06-20 22:39 - 2013-06-23 23:46 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-06-20 17:58 - 2013-06-20 23:25 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-06-19 13:00 - 2013-06-19 13:00 - 00000000 __SHD C:\$$PendingFiles
2013-06-19 12:07 - 2013-06-19 12:07 - 00000000 ____D C:\Users\Mok\AppData\Local\Symantec
2013-06-19 12:05 - 2013-06-19 12:06 - 00000000 ____D C:\Program Files\Symantec
2013-06-19 12:00 - 2013-06-19 19:04 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-06-19 09:58 - 2013-06-19 09:58 - 00000000 ____D C:\Users\Mok\AppData\Roaming\Malwarebytes
2013-06-19 09:58 - 2013-06-19 09:58 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-11 23:04 - 2013-05-16 20:05 - 17824768 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-11 23:04 - 2013-05-16 19:27 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-11 23:04 - 2013-05-16 19:09 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-11 23:04 - 2013-05-16 19:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-11 23:04 - 2013-05-16 19:02 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon(57).dll
2013-06-11 23:04 - 2013-05-16 19:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-11 23:04 - 2013-05-16 19:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url(56).dll
2013-06-11 23:04 - 2013-05-16 18:58 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-11 23:04 - 2013-05-16 18:56 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript(58).dll
2013-06-11 23:04 - 2013-05-16 18:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-11 23:04 - 2013-05-16 18:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-11 23:04 - 2013-05-16 18:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-11 23:04 - 2013-05-16 18:53 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-11 23:04 - 2013-05-16 18:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-11 23:04 - 2013-05-16 18:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-11 23:04 - 2013-05-16 18:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-11 23:04 - 2013-05-16 15:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-11 23:04 - 2013-05-16 14:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-11 23:04 - 2013-05-16 14:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-11 23:04 - 2013-05-16 14:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-11 23:04 - 2013-05-16 14:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-11 23:04 - 2013-05-16 14:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-06-11 23:04 - 2013-05-16 14:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-06-11 23:04 - 2013-05-16 14:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-11 23:04 - 2013-05-16 14:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-11 23:04 - 2013-05-16 14:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-06-11 23:04 - 2013-05-16 14:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-06-11 23:04 - 2013-05-16 14:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-11 23:04 - 2013-05-16 14:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-11 23:04 - 2013-05-16 14:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-06-11 23:04 - 2013-05-16 14:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-11 23:04 - 2013-05-16 14:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-11 19:21 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 19:21 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 19:21 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 19:21 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 19:21 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-11 19:21 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-11 19:21 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-11 19:21 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 19:21 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-11 19:21 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-11 19:21 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 19:21 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-11 19:21 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 19:21 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl(59).dll
2013-06-11 19:21 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-09 17:34 - 2013-06-09 17:44 - 150901107 ____A C:\Users\Mok\Downloads\mikey-music.zip
2013-06-06 11:25 - 2013-06-06 11:25 - 00001745 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-06 11:24 - 2013-06-06 11:25 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-06 11:24 - 2013-06-06 11:25 - 00000000 ____D C:\Program Files\iTunes
2013-06-06 11:24 - 2013-06-06 11:25 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-06 11:24 - 2013-06-06 11:24 - 00000000 ____D C:\Program Files\iPod
2013-05-28 23:03 - 2013-05-28 23:03 - 00275304 ____A C:\Windows\Minidump\052913-38781-01.dmp
 
==================== One Month Modified Files and Folders =======
 
2013-06-24 21:37 - 2013-06-24 21:37 - 00000000 ____D C:\FRST
2013-06-24 21:31 - 2012-12-10 23:19 - 00000000 ____D C:\ProgramData\Recovery
2013-06-23 23:46 - 2013-06-20 22:39 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-06-20 23:26 - 2013-03-08 05:09 - 00000000 ____D C:\Windows\Minidump
2013-06-20 23:26 - 2013-01-01 07:23 - 00000000 ____D C:\Users\Mok\AppData\Roaming\WindowsLiveMovieMakerPackages
2013-06-20 23:26 - 2012-06-09 06:18 - 00000000 ____D C:\Users\Mok\AppData\Roaming\PC-FAX TX
2013-06-20 23:26 - 2012-04-22 11:50 - 00000000 ____D C:\users\nike
2013-06-20 23:26 - 2012-04-15 11:59 - 00000000 ____D C:\users\mikey.Mok-PC
2013-06-20 23:26 - 2012-04-11 10:44 - 00000000 ____D C:\users\MIKEYYYYYYYYYYYYYYYY
2013-06-20 23:26 - 2012-03-26 07:09 - 00000000 ____D C:\Users\Mok\AppData\Roaming\ControlCenter4
2013-06-20 23:26 - 2012-02-22 08:37 - 00000000 ____D C:\Users\Mok\AppData\Roaming\.minecraft
2013-06-20 23:26 - 2011-11-18 13:58 - 00000000 ____D C:\Users\Mok\AppData\Roaming\Skype
2013-06-20 23:26 - 2011-07-10 18:33 - 00000000 ____D C:\Users\Mok\AppData\Roaming\Mozilla
2013-06-20 23:26 - 2011-05-28 20:54 - 00000000 ____D C:\Users\Public\Downloads\Norton
2013-06-20 23:26 - 2011-05-18 17:06 - 00000000 ____D C:\Users\Mok\AppData\Roaming\ChessBase
2013-06-20 23:26 - 2011-05-18 17:04 - 00000000 ____D C:\Users\Mok\Documents\ChessBase
2013-06-20 23:26 - 2011-02-24 10:39 - 00000000 ____D C:\users\Mikey
2013-06-20 23:26 - 2010-12-25 08:28 - 00000000 ____D C:\Users\Mok\Documents\StarCraft II
2013-06-20 23:26 - 2010-09-03 08:00 - 00000000 ____D C:\Users\Mok\AppData\Roaming\ICAClient
2013-06-20 23:26 - 2010-06-04 02:57 - 00000000 ____D C:\users\Guest
2013-06-20 23:26 - 2010-05-10 15:49 - 00000000 ____D C:\Users\Mok\AppData\Roaming\PictureMover
2013-06-20 23:26 - 2010-05-10 12:45 - 00000000 ____D C:\users\Mok
2013-06-20 23:26 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Offline Web Pages
2013-06-20 23:26 - 2009-07-13 19:20 - 00000000 __RHD C:\Users\Public\Libraries
2013-06-20 23:26 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-06-20 23:25 - 2013-06-20 17:58 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-06-20 23:25 - 2012-03-26 05:22 - 00000000 ____D C:\Brother
2013-06-20 23:25 - 2011-05-18 17:07 - 00000000 ____D C:\Users\Mok\AppData\Local\ChessBase
2013-06-20 23:25 - 2011-01-02 18:01 - 00000000 ____D C:\Users\Mok\AppData\Local\Microsoft Help
2013-06-20 23:25 - 2010-12-25 08:28 - 00000000 ____D C:\Program Files (x86)\StarCraft II
2013-06-20 23:25 - 2010-06-25 23:15 - 00000000 ____D C:\Users\Mok\AppData\Local\Apple
2013-06-20 23:25 - 2010-04-29 13:08 - 00000000 ___HD C:\hp
2013-06-20 23:25 - 2010-04-29 12:52 - 00000000 ____D C:\ProgramData\Norton
2013-06-20 23:25 - 2010-04-29 12:52 - 00000000 ____D C:\Program Files (x86)\Norton Internet Security
2013-06-20 23:25 - 2010-04-29 12:43 - 00000000 ____D C:\ProgramData\WildTangent
2013-06-20 23:25 - 2010-04-29 12:38 - 00000000 ____D C:\ProgramData\Symantec
2013-06-20 23:25 - 2010-04-29 12:38 - 00000000 ____D C:\Program Files (x86)\Symantec
2013-06-20 23:25 - 2010-04-29 12:29 - 00000000 ____D C:\ProgramData\Hewlett-Packard
2013-06-20 23:25 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-06-20 23:19 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-06-20 18:05 - 2010-04-29 13:08 - 00000000 ____D C:\Windows\Panther
2013-06-20 17:50 - 2010-07-27 16:33 - 00000000 ____D C:\Users\Mok\AppData\Roaming\HpUpdate
2013-06-20 17:50 - 2010-07-27 16:33 - 00000000 ____D C:\Users\Mok\AppData\Roaming\HP Support Assistant
2013-06-19 19:04 - 2013-06-19 12:00 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-06-19 13:15 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-06-19 13:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-06-19 13:14 - 2010-05-10 15:47 - 00000000 ____D C:\Users\Mok\AppData\Local\Hewlett-Packard
2013-06-19 13:14 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-06-19 13:00 - 2013-06-19 13:00 - 00000000 __SHD C:\$$PendingFiles
2013-06-19 12:07 - 2013-06-19 12:07 - 00000000 ____D C:\Users\Mok\AppData\Local\Symantec
2013-06-19 12:06 - 2013-06-19 12:05 - 00000000 ____D C:\Program Files\Symantec
2013-06-19 09:58 - 2013-06-19 09:58 - 00000000 ____D C:\Users\Mok\AppData\Roaming\Malwarebytes
2013-06-19 09:58 - 2013-06-19 09:58 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-19 09:43 - 2010-09-27 16:06 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-19 09:42 - 2012-05-27 17:03 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-19 09:30 - 2009-07-13 20:45 - 00015984 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-19 09:30 - 2009-07-13 20:45 - 00015984 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-19 09:29 - 2010-04-29 12:16 - 01749932 ____A C:\Windows\WindowsUpdate.log
2013-06-19 09:28 - 2010-09-27 16:06 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-19 09:24 - 2010-10-02 08:13 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-493937805-1474452604-143301560-1001UA.job
2013-06-19 09:23 - 2013-01-10 00:33 - 00004311 ____A C:\Windows\setupact.log
2013-06-19 09:23 - 2010-10-02 08:13 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-493937805-1474452604-143301560-1001Core.job
2013-06-19 09:23 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-13 17:59 - 2011-10-27 14:14 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-06-13 17:59 - 2010-07-27 16:33 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2013-06-11 23:04 - 2013-03-25 23:06 - 00000129 ____A C:\Windows\System32\MRT.INI
2013-06-11 23:02 - 2010-05-20 08:18 - 75825640 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-11 19:06 - 2012-05-27 17:03 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-11 19:06 - 2011-05-28 20:21 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-09 17:44 - 2013-06-09 17:34 - 150901107 ____A C:\Users\Mok\Downloads\mikey-music.zip
2013-06-08 23:00 - 2011-02-24 16:23 - 00000324 ____A C:\Windows\Tasks\HPCeeScheduleForMok.job
2013-06-06 11:25 - 2013-06-06 11:25 - 00001745 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-06 11:25 - 2013-06-06 11:24 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-06 11:25 - 2013-06-06 11:24 - 00000000 ____D C:\Program Files\iTunes
2013-06-06 11:25 - 2013-06-06 11:24 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-06-06 11:24 - 2013-06-06 11:24 - 00000000 ____D C:\Program Files\iPod
2013-05-30 13:04 - 2013-03-08 05:08 - 825979881 ____A C:\Windows\MEMORY.DMP
2013-05-28 23:03 - 2013-05-28 23:03 - 00275304 ____A C:\Windows\Minidump\052913-38781-01.dmp
 
Files to move or delete:
====================
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.
C:\Users\Mok\gotomypc_438.exe
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\en-US => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
TDL4: custom:26000022 <===== ATTENTION!
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-06-13 23:00:28
Restore point made on: 2013-06-14 23:00:49
Restore point made on: 2013-06-15 23:00:51
Restore point made on: 2013-06-16 23:00:41
Restore point made on: 2013-06-17 23:01:10
Restore point made on: 2013-06-18 23:00:34
Restore point made on: 2013-06-19 09:27:35
Restore point made on: 2013-06-19 09:52:15
Restore point made on: 2013-06-19 11:54:57
Restore point made on: 2013-06-19 11:59:00
Restore point made on: 2013-06-19 13:09:56
Restore point made on: 2013-06-19 15:17:31
Restore point made on: 2013-06-19 15:20:15
Restore point made on: 2013-06-20 06:45:33
 
==================== Memory info =========================== 
 
Percentage of memory in use: 20%
Total physical RAM: 4055.08 MB
Available physical RAM: 3204.67 MB
Total Pagefile: 4053.23 MB
Available Pagefile: 3188.39 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB
 
==================== Drives ================================
 
Drive c: (HP) (Fixed) (Total:585.23 GB) (Free:470.22 GB) NTFS (Disk=0 Partition=2)
Drive e: (FACTORY_IMAGE) (Fixed) (Total:10.85 GB) (Free:1.58 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]
Drive k: (WDO_Media64) (Removable) (Total:14.91 GB) (Free:14.82 GB) NTFS (Disk=5 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected.
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 596 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=585 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11 GB) - (Type=07 NTFS)
 
========================================================
Disk: 5 (MBR Code: Windows 7 or 8) (Size: 15 GB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=15 GB) - (Type=07 NTFS)
 
 
LastRegBack: 2013-06-12 20:10
 
==================== End Of Log ============================
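As an added example (not part of this post, and not FRST's own code), a small Python triage script that pulls out of a log like the one above the indicators a helper reads first: the ATTENTION markers (TDL4, the malware BCD entry, the ZeroAccess junction), the "Files to move or delete" list, drivers whose file is missing, and driver entries listed twice. The SAMPLE_LOG inside it is a constructed excerpt modelled on the posted log.

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST.txt) log.

Added example: not FRST's own code and not part of the thread. It splits a
log into its '==== Section ====' blocks and pulls out what a helper reads
first: ATTENTION markers, 'Files to move or delete', drivers whose file is
missing ([x]), drivers listed twice, and the TDL4 / BCD / ZeroAccess flags.
SAMPLE_LOG is a constructed excerpt modelled on the log posted above.
"""
import re
from collections import Counter

SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+$")  # '==== Drivers (Whitelisted) ===='
DRIVER_RE = re.compile(r"^[A-Z]\d\s+(?P<name>[^;]+);")    # 'S2 cag; C:\...\cag.sys [...] (...)'
MISSING_RE = re.compile(r"\[x\]$")                        # FRST's marker for a file not on disk
JUNCTION_RE = re.compile(r"Use DeleteJunctionsIndirectory:\s*(?P<dir>.+)$")

SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-06-2013 01
Boot Mode: Recovery

==================== Drivers (Whitelisted) ====================

S2 cag; C:\Program Files\Common Files\Deterministic Networks\Common Files\cag.sys [96384 2010-08-04] (Citrix Systems, Inc.)
S2 cag; C:\Program Files\Common Files\Deterministic Networks\Common Files\cag.sys [96384 2010-08-04] (Citrix Systems, Inc.)
S4 ccSet_NIS; \SystemRoot\system32\drivers\NISx64\1309010.00E\ccSetx64.sys [x]
S4 SymDS; system32\drivers\NISx64\1309010.00E\SYMDS64.SYS [x]

Files to move or delete:
====================
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.
C:\Users\Mok\gotomypc_438.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Program Files\Windows Defender\en-US => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

TDL4: custom:26000022 <===== ATTENTION!

==================== Drives ================================

Drive c: (HP) (Fixed) (Total:585.23 GB) (Free:470.22 GB) NTFS (Disk=0 Partition=2)
ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== End Of Log ============================
"""


def split_sections(log_text):
    """Return {section name: [non-blank lines]} in log order."""
    sections = {"Header": []}
    current = "Header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:  # blank line or bare '====' divider
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, [])
            continue
        if line == "Files to move or delete:":  # header without '=' on the same line
            current = "Files to move or delete"
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def triage(log_text):
    """Summarise the indicators a malware-removal helper acts on first."""
    secs = split_sections(log_text)
    attention = [l for lines in secs.values() for l in lines if "ATTENTION" in l]
    names, missing = Counter(), []
    for line in secs.get("Drivers (Whitelisted)", []):
        m = DRIVER_RE.match(line)
        if m:
            names[m.group("name")] += 1
            if MISSING_RE.search(line):
                missing.append(m.group("name"))
    junctions = [JUNCTION_RE.search(l).group("dir") for l in attention if JUNCTION_RE.search(l)]
    boot = [l.split(":", 1)[1].strip() for l in secs["Header"] if l.startswith("Boot Mode:")]
    return {
        "boot_mode": boot[0] if boot else None,
        "attention_lines": attention,
        "tdl4_detected": any(l.startswith("TDL4:") for l in attention),
        "bcd_tampered": any("entry on BCD" in l for l in attention),
        "zeroaccess_junctions": junctions,
        "files_to_move_or_delete": [l for l in secs.get("Files to move or delete", []) if "ATTENTION" not in l],
        "missing_driver_files": missing,
        "duplicate_drivers": sorted(n for n, c in names.items() if c > 1),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full FRST.txt the same function also surfaces the Run-key and service entries, since every section is kept in the returned dict.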

 



#4 Broni (BC Advisor)

Posted 24 June 2013 - 08:52 PM

This is not the proper forum to post an FRST log.

I'll ask mods to remove it.




 


#5 tutorcom (Topic Starter)

Posted 24 June 2013 - 09:14 PM

Would it be possible to move this thread to the appropriate forum instead of deleting it?

#6 Broni (BC Advisor)

Posted 24 June 2013 - 09:33 PM

I reported your computer as not bootable. That should bring someone here faster than using the regular malware removal forum.




 


#7 gringo_pr (Malware Response Team)

Posted 24 June 2013 - 11:27 PM


Hello tutorcom

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

 
TDL4: custom:26000022 <===== ATTENTION!
CMD: bootrec /FixMbr
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
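The fixlist above rewrites the MBR bootstrap code with bootrec /FixMbr and leaves the partition table alone. As an added example (not part of the thread and not FRST's or bootrec's code), this Python models that sector layout: it parses a constructed 512-byte MBR, flags bootstrap code that drifts from a known-good baseline, and shows that the repair keeps the partition table intact. All byte values, the partition entry and the baseline are constructed placeholders.

```python
"""Legacy MBR integrity check and repair model (added example, not from the thread).

Layout facts used (standard legacy MBR):
  0..439   bootstrap code      (the region bootrec /FixMbr rewrites)
  440..445 disk signature + reserved bytes
  446..509 four 16-byte partition entries
  510..511 boot signature 0x55 0xAA
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440
PART_TABLE_OFFSET = 446
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"

# Constructed stand-in for a baseline captured from a clean machine (for example a copy
# of sector 0 taken right after installation). Real bootstrap code is not reproduced.
KNOWN_GOOD_BOOTSTRAP = b"\xeb\xfe" + b"\x00" * (BOOTSTRAP_LEN - 2)


def build_mbr(bootstrap, partitions, disk_signature=0x1234ABCD):
    """Assemble a 512-byte MBR from bootstrap bytes and (status, type, lba, count) tuples."""
    if len(bootstrap) != BOOTSTRAP_LEN:
        raise ValueError("bootstrap must be exactly %d bytes" % BOOTSTRAP_LEN)
    if len(partitions) > 4:
        raise ValueError("at most four primary partition entries")
    mbr = bytearray(bootstrap)
    mbr += struct.pack("<IH", disk_signature, 0)          # bytes 440..445
    for status, ptype, lba, count in partitions:
        # CHS fields are filled with 0xFF: modern loaders use the LBA fields.
        mbr += struct.pack(PART_ENTRY_FMT, status, b"\xff\xff\xff", ptype,
                           b"\xff\xff\xff", lba, count)
    mbr += b"\x00" * (16 * (4 - len(partitions)))          # unused table slots
    mbr += BOOT_SIGNATURE
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the four partition entries as dicts; empty slots have type 0."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def bootstrap_digest(mbr):
    """SHA-256 of the bootstrap region only, so partition edits do not change it."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def check_mbr(mbr, baseline_digest):
    """Defender-side sanity checks; returns a list of findings (empty means clean)."""
    if len(mbr) != MBR_SIZE:
        return ["unexpected sector size %d" % len(mbr)]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if bootstrap_digest(mbr) != baseline_digest:
        findings.append("bootstrap code differs from baseline (possible bootkit or bad repair)")
    active = [p for p in parse_partitions(mbr) if p["status"] == 0x80]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    return findings


def fix_mbr(mbr, reference_bootstrap=KNOWN_GOOD_BOOTSTRAP):
    """Model of what bootrec /FixMbr does: rewrite only the bootstrap code and keep the
    disk signature, partition table and boot signature exactly as they were."""
    if len(reference_bootstrap) != BOOTSTRAP_LEN:
        raise ValueError("reference bootstrap must be exactly %d bytes" % BOOTSTRAP_LEN)
    return reference_bootstrap + mbr[BOOTSTRAP_LEN:]


# Constructed sample: one active NTFS partition (type 0x07) starting at sector 2048.
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(KNOWN_GOOD_BOOTSTRAP, SAMPLE_PARTITIONS)
BASELINE_DIGEST = bootstrap_digest(CLEAN_MBR)
# Constructed "tampered" sector: same partition table, different bootstrap bytes.
TAMPERED_MBR = build_mbr(b"\xe9\x00\x01" + b"\xcc" * (BOOTSTRAP_LEN - 3), SAMPLE_PARTITIONS)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_DIGEST))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_DIGEST))
    repaired = fix_mbr(TAMPERED_MBR)
    print("after fix:", check_mbr(repaired, BASELINE_DIGEST))
    print("partition table preserved:",
          parse_partitions(repaired) == parse_partitions(TAMPERED_MBR))
```

On a real disk the baseline digest would be recorded from sector 0 of a known-clean machine and compared against a fresh read of that sector, which is a useful post-cleanup check after a fix like the one above.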

#8 tutorcom (Topic Starter)

Posted 25 June 2013 - 01:40 PM

I will be able to do this later this evening when I'm off work. Thank you for your reply.



#9 tutorcom (Topic Starter)

Posted 25 June 2013 - 08:55 PM

Here's the content of the Fixlog.txt file. Also, I was able to successfully boot the PC afterwards. What is your next recommendation?

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-06-2013 01
Ran by SYSTEM at 2013-06-25 21:50:49 Run:1
Running from K:\
Boot Mode: Recovery
==============================================
 
 
The operation completed successfully.
The operation completed successfully.
 
=========  bootrec /FixMbr =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
==== End of Fixlog ====


#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 25 June 2013 - 09:52 PM



Hello tutorcom

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete, let me have the two reports and let me know how things are running.

Gringo

#11 tutorcom (Topic Starter)

Posted 26 June 2013 - 05:08 PM

Here is the output log from AdwCleaner:

 

# AdwCleaner v2.303 - Logfile created 06/26/2013 at 18:02:17
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Mok - MOK-PC
# Boot Mode : Normal
# Running from : C:\Users\Mok\Downloads\AdwCleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Windows\SysWOW64\conduitEngine.tmp
Folder Deleted : C:\Program Files (x86)\Common Files\Wondershare
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\ConduitEngine
Folder Deleted : C:\Program Files (x86)\registry mechanic
Folder Deleted : C:\Program Files (x86)\Wondershare
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\BrowserProtect
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
Folder Deleted : C:\Users\mikey.Mok-PC\AppData\LocalLow\alotappbar
Folder Deleted : C:\Users\mikey.Mok-PC\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\mikey.Mok-PC\AppData\LocalLow\RebateInformer
Folder Deleted : C:\Users\MIKEYYYYYYYYYYYYYYYY\AppData\LocalLow\alotappbar
Folder Deleted : C:\Users\MIKEYYYYYYYYYYYYYYYY\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\MIKEYYYYYYYYYYYYYYYY\AppData\LocalLow\RebateInformer
Folder Deleted : C:\Users\Mok\AppData\Local\Conduit
Folder Deleted : C:\Users\Mok\AppData\Local\Wondershare
Folder Deleted : C:\Users\Mok\AppData\LocalLow\BabylonToolbar
Folder Deleted : C:\Users\Mok\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Mok\AppData\LocalLow\ConduitEngine
Folder Deleted : C:\Users\Mok\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Mok\AppData\Roaming\registry mechanic
Folder Deleted : C:\Users\nike\AppData\LocalLow\alotappbar
Folder Deleted : C:\Users\nike\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\nike\AppData\LocalLow\RebateInformer
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\AppDataLow\Software\conduitEngine
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC99A798-FD3D-4AB4-969E-6071612524F9}
Key Deleted : HKCU\Software\a48cdfe73abd49
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{A531D99C-5A22-449b-83DA-872725C6D0ED}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\conduitEngine
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC99A798-FD3D-4AB4-969E-6071612524F9}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Software
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [bProtectorDefaultScope]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D7E97865-918F-41E4-9CD0-25AB1C574CE8}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{D3D233D5-9F6D-436C-B6C7-E63F77503B30}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{30F9B915-B755-4826-820B-08FBA6BD249D}]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16490
 
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Bar] = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language --> hxxp://www.google.com
 
-\\ Google Chrome v27.0.1453.116
 
File : C:\Users\Mok\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
Deleted [l.2123] : homepage = "hxxp://search.babylon.com/?affID=110801&tt=0113_6&babsrc=HP_ss&mntrId=a2b6c6a8000000[...]
 
*************************
 
AdwCleaner[S1].txt - [5756 octets] - [26/06/2013 18:02:17]
 
########## EOF - C:\AdwCleaner[S1].txt - [5816 octets] ##########


#12 tutorcom (Topic Starter)

Posted 26 June 2013 - 05:17 PM

Here is the output from the JRT log file:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Home Premium x64
Ran by Mok on Wed 06/26/2013 at 18:11:57.48
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A1661750-43BE-47F5-BEC5-CA09DD81B17B}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EE13E7A2-1C2F-4078-8567-11AAF064958B}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{EE13E7A2-1C2F-4078-8567-11AAF064958B}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\ProgramData\ammyy"
Successfully deleted: [Folder] "C:\Program Files (x86)\driver-soft"
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{0032117F-B53A-4E06-AFE6-D8C0D3E67BD0}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{12C37250-58CA-464E-AAC7-670A5F0738CD}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{179FE8A9-A4B1-4A88-A96C-FEA9AB79989F}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{271CFA88-6623-405A-8695-A3EBE02590E5}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{30AC1D5B-8974-4A9A-949D-BB409C94157D}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{41EC489A-A4AF-442F-B3B4-ACA215E23CEC}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{4BC7C8E7-041C-40CE-BD38-61682D87EE7B}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{4FD80255-A6AB-4BB1-B281-3E855F0DAF41}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{55EB5D2F-4F80-4BE6-9A00-424C5F6D8B61}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{58A15689-9A2C-4D74-A269-3F4304E2A554}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{5AFCE62A-C343-4F22-A5F5-407DA60B7911}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{732FC1AE-9220-4039-BB1E-13A18668718D}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{7615A4EC-DAD1-4667-8EAC-AC971DBB5F1A}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{95E75CF6-12D6-4E50-A4AA-E4149300C13D}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{9A0A6BBD-D2A1-4DC7-9334-61018559B822}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{B0089337-3D85-46FA-98B3-8A90AAE85AC6}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{C9E3FD45-78AB-4210-AD06-6E6D9949EFD8}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{CB296470-B2E0-4172-833C-25AD2523ECDD}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{CFB4B1DD-E7D5-438B-A230-DEC621498EC9}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{E9C8171B-3F82-4CDA-BCF7-B8F70B715554}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{FA8F65A5-8616-4C54-AA60-CCB9CCAE3727}
Successfully deleted: [Empty Folder] C:\Users\Mok\appdata\local\{FAD263D1-9C47-417C-8E20-92D201C7AD76}
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 06/26/2013 at 18:14:59.80
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#13 tutorcom (Topic Starter)

Posted 26 June 2013 - 05:18 PM

As far as I can tell, the PC seems to be running normally. Anything else that I should check?



#14 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 26 June 2013 - 10:11 PM


Hello tutorcom

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#15 tutorcom (Topic Starter)

Posted 27 June 2013 - 09:23 PM

Below is the log from Combofix. I had no problems running it nor any other issues with the computer to note thus far. The PC is running normally it seems.

 

ComboFix 13-06-27.02 - Mok 06/27/2013  21:58:31.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4055.2275 [GMT -4:00]
Running from: c:\users\Mok\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\C__Windows_system32_config_systemprofile_AppData_Local_Microsoft_Windows_Temporary Internet Files_Content.IE5_FJHXTN9F_CA7HF049.HTM
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-28 to 2013-06-28  )))))))))))))))))))))))))))))))
.
.
2013-06-28 02:06 . 2013-06-28 02:06 -------- d-----w- c:\users\nike\AppData\Local\temp
2013-06-28 02:06 . 2013-06-28 02:06 -------- d-----w- c:\users\MIKEYYYYYYYYYYYYYYYY\AppData\Local\temp
2013-06-28 02:06 . 2013-06-28 02:06 -------- d-----w- c:\users\Mikey\AppData\Local\temp
2013-06-28 02:06 . 2013-06-28 02:06 -------- d-----w- c:\users\mikey.Mok-PC\AppData\Local\temp
2013-06-28 02:06 . 2013-06-28 02:06 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-06-28 02:06 . 2013-06-28 02:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-26 22:34 . 2013-06-12 00:08 9552976 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E4B002DE-67DF-493A-AA18-089E501C4024}\mpengine.dll
2013-06-26 22:11 . 2013-06-26 22:11 -------- d-----w- c:\windows\ERUNT
2013-06-26 22:09 . 2013-06-26 22:58 -------- d-----w- C:\JRT
2013-06-26 02:03 . 2013-06-26 02:03 -------- d-----w- c:\program files\CCleaner
2013-06-26 02:02 . 2013-06-26 02:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-06-26 02:02 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-06-26 02:01 . 2013-06-26 02:01 964552 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7D38134F-E1B8-435A-A401-B64F9E502FD3}\gapaengine.dll
2013-06-26 02:01 . 2013-06-12 00:08 9552976 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-26 02:01 . 2013-05-02 15:29 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-06-26 02:01 . 2013-06-26 02:01 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2013-06-25 05:37 . 2013-06-25 05:37 -------- d-----w- C:\FRST
2013-06-21 06:39 . 2013-06-24 07:46 -------- d-----w- c:\windows\Microsoft Antimalware
2013-06-21 01:58 . 2013-06-26 02:01 -------- d-----w- c:\program files\Microsoft Security Client
2013-06-19 21:00 . 2013-06-19 21:00 -------- d-sh--w- C:\$$PendingFiles
2013-06-19 20:07 . 2013-06-19 20:07 -------- d-----w- c:\users\Mok\AppData\Local\Symantec
2013-06-19 20:05 . 2013-06-19 20:06 -------- d-----w- c:\program files\Symantec
2013-06-19 20:00 . 2013-06-20 03:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2013-06-19 17:58 . 2013-06-19 17:58 -------- d-----w- c:\users\Mok\AppData\Roaming\Malwarebytes
2013-06-19 17:58 . 2013-06-19 17:58 -------- d-----w- c:\programdata\Malwarebytes
2013-06-19 17:58 . 2013-06-19 17:58 -------- d-----w- c:\users\Mok\AppData\Local\Programs
2013-06-12 03:21 . 2013-05-08 06:39 1910632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-06 19:24 . 2013-06-06 19:25 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-06-06 19:24 . 2013-06-06 19:25 -------- d-----w- c:\program files\iTunes
2013-06-06 19:24 . 2013-06-06 19:25 -------- d-----w- c:\program files (x86)\iTunes
2013-06-06 19:24 . 2013-06-06 19:24 -------- d-----w- c:\program files\iPod
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 07:02 . 2010-05-20 16:18 75825640 ----a-w- c:\windows\system32\MRT.exe
2013-06-12 03:06 . 2012-05-28 01:03 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-06-12 03:06 . 2011-05-29 04:21 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-09 01:58 . 2013-01-01 15:27 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-13 05:49 . 2013-05-15 07:04 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-15 07:04 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-15 07:04 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-15 07:04 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-15 07:04 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 07:04 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 14:45 . 2013-04-24 07:04 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 06:01 . 2013-05-15 07:04 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 06:01 . 2013-05-15 07:04 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 03:30 . 2013-05-15 07:04 3153920 ----a-w- c:\windows\system32\win32k.sys
2013-04-05 01:01 . 2013-05-16 07:01 1346560 ----a-w- c:\windows\system32\urlmon.dll
2013-04-05 00:58 . 2013-05-16 07:01 237056 ----a-w- c:\windows\system32\url.dll
2013-04-05 00:55 . 2013-05-16 07:01 599040 ----a-w- c:\windows\system32\vbscript.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-09-29 1685048]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"BATINDICATOR"="c:\program files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe" [2009-05-08 2068992]
"LaunchHPOSIAPP"="c:\program files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe" [2009-04-04 385024]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-02 98304]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2011-04-20 139264]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-05-31 152392]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Citrix Access Gateway.lnk - c:\program files\Citrix\Secure Access Client\nsload.exe /noDisplayLogin [2011-3-14 1520280]
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2009-6-3 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [x]
R2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys;c:\windows\SYSNATIVE\DRIVERS\netaapl64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 cag;Citrix cag plugin for Access Gateway;c:\program files\Common Files\Deterministic Networks\Common Files\cag.sys;c:\program files\Common Files\Deterministic Networks\Common Files\cag.sys [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe;c:\program files\Citrix\Secure Access Client\nsverctl.exe [x]
S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [x]
S2 TeamViewer5;TeamViewer 5;c:\program files (x86)\TeamViewer\Version5\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version5\TeamViewer_Service.exe [x]
S3 BrSerIb;Brother Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys;c:\windows\SYSNATIVE\DRIVERS\BrSerIb.sys [x]
S3 BrUsbSIb;Brother Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys;c:\windows\SYSNATIVE\DRIVERS\BrUsbSIb.sys [x]
S3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x]
S3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\DRIVERS\ctxva51.sys;c:\windows\SYSNATIVE\DRIVERS\ctxva51.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-28 03:06]
.
2013-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-28 00:06]
.
2013-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-28 00:06]
.
2013-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-493937805-1474452604-143301560-1001Core.job
- c:\users\Mok\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-02 00:06]
.
2013-06-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-493937805-1474452604-143301560-1001UA.job
- c:\users\Mok\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-02 00:06]
.
2013-06-09 c:\windows\Tasks\HPCeeScheduleForMok.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 03:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-09-14 610360]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer =  
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{65339110-43C6-4EC3-98A8-48032ED2E7B4} - (no file)
WebBrowser-{1C68C940-1B2F-46EB-BD8C-2E1612FF6A58} - (no file)
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,
   7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
   89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{551A852F-39A6-44A7-9C13-AFBEC9185A9D}"=hex:51,66,7a,6c,4c,1d,38,12,41,86,09,
   51,94,77,c9,01,e3,05,ec,fe,cc,46,1e,89
"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,
   64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
   69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
   72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{9FDDE16B-836F-4806-AB1F-1455CBEFF289}"=hex:51,66,7a,6c,4c,1d,38,12,05,e2,ce,
   9b,5d,cd,68,0d,d4,09,57,15,ce,b1,b6,9d
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
   d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}"=hex:51,66,7a,6c,4c,1d,38,12,3b,d4,7c,
   e3,88,8f,a5,08,e0,05,da,fd,94,7c,7e,ca
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
   fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:6d,76,d7,13,76,2a,ce,01
.
[HKEY_USERS\S-1-5-21-493937805-1474452604-143301560-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-493937805-1474452604-143301560-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-06-27  22:17:07
ComboFix-quarantined-files.txt  2013-06-28 02:17
.
Pre-Run: 506,273,316,864 bytes free
Post-Run: 505,792,397,312 bytes free
.
- - End Of File - - FB035B1AB51C2187D0DE10B6E8FA22B5
D41D8CD98F00B204E9800998ECF8427E
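The "LOCKED REGISTRY KEYS" block above is the part of a ComboFix log that most often gets misread: ComboFix lists every key it could not open, and that includes keys that legitimate software (Flash Player's FlashBroker CLSIDs, IE's Approved Extensions) protects on purpose, so the list is a triage input rather than a verdict. The script below is an added example, not part of this thread or of ComboFix; it parses that section into one record per key, groups the keys by the principal ComboFix reported as denied, and pulls out the executable paths the locked keys point at so they can be hashed or checked against a known-good install. The sample input is an excerpt of the log posted above; the regexes and the handling of ComboFix's "." blank-line marker and indented hex continuation lines are my reading of the format, not a published specification.

```python
"""Triage helper for the LOCKED REGISTRY KEYS section of a ComboFix log.

Added example for this thread; not part of the original post or of ComboFix.
Groups each locked key with the denied principal ComboFix printed and extracts
the binaries its values reference, so you can see which keys are locked against
whom and which files to verify.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Excerpt of the log posted above. ComboFix prints "." for blank lines and
# wraps long hex values onto indented continuation lines.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,
   7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
.
[HKEY_USERS\S-1-5-21-493937805-1474452604-143301560-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-06-27  22:17:07
"""

SECTION_HEADER = re.compile(r"^-+ LOCKED REGISTRY KEYS -+$")
KEY_LINE = re.compile(r"^\[(.+)\]$")
DENIED_LINE = re.compile(r"^@Denied:\s*\((?P<mask>[^)]*)\)\s*\((?P<principal>[^)]*)\)")
VALUE_LINE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')
# Data is in .reg syntax (doubled backslashes); match drive-letter paths to binaries.
BINARY_RE = re.compile(r'[A-Za-z]:(?:\\\\[^\\",]+)+\.(?:exe|dll|ocx)', re.IGNORECASE)


@dataclass
class LockedKey:
    path: str
    denied: Optional[tuple] = None            # (mask as printed, principal), e.g. ("Full", "Everyone")
    values: dict = field(default_factory=dict)  # value name -> data kept verbatim in .reg syntax


def parse_locked_keys(log_text: str) -> list:
    """Return one LockedKey per [key] block in the LOCKED REGISTRY KEYS section."""
    keys, current, last_name, in_section = [], None, None, False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not in_section:
            in_section = bool(SECTION_HEADER.match(line))
            continue
        if line.startswith("Completion time:") or line.startswith("---"):
            break                                       # next section or end of log
        if line in (".", ""):
            continue                                    # ComboFix's blank-line marker
        m = KEY_LINE.match(line)
        if m:
            current = LockedKey(path=m.group(1))
            keys.append(current)
            last_name = None
            continue
        if current is None:
            continue
        m = DENIED_LINE.match(line)
        if m:
            current.denied = (m.group("mask"), m.group("principal"))
            continue
        if raw[:1].isspace() and last_name is not None:
            current.values[last_name] += line.strip()  # indented hex continuation
            continue
        m = VALUE_LINE.match(line)
        if m:
            last_name = m.group("name").strip('"')      # "@" is the key's default value
            current.values[last_name] = m.group("data")
    return keys


def denied_by_principal(keys) -> dict:
    """Map each denied principal to the key paths locked against it."""
    out = {}
    for k in keys:
        if k.denied:
            out.setdefault(k.denied[1], []).append(k.path)
    return out


def referenced_binaries(keys) -> list:
    """Executable paths named in locked keys: un-escaped, lower-cased, deduplicated, sorted."""
    found = set()
    for k in keys:
        for data in k.values.values():
            for m in BINARY_RE.finditer(data):
                found.add(m.group(0).replace("\\\\", "\\").lower())
    return sorted(found)


KEYS = parse_locked_keys(SAMPLE_LOG)

if __name__ == "__main__":
    for principal, paths in denied_by_principal(KEYS).items():
        print(f"Denied to {principal}: {len(paths)} key(s)")
        for p in paths:
            print("   ", p)
    print("Binaries to hash/verify:")
    for b in referenced_binaries(KEYS):
        print("   ", b)
```

Run against the full log, the "Everyone" group will be dominated by the Flash CLSID and Interface keys and the "LocalSystem" group by IE's Approved Extensions and the per-user FileExts keys; the useful output for a case like this one is the binary list, which tells you exactly which files on disk to hash and compare against a clean Flash Player install of the same version before concluding anything from the locked keys.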