Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected computer/adware


  • This topic is locked This topic is locked
32 replies to this topic

#1 Skammunist

Skammunist

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 25 July 2013 - 12:49 PM

Hi, just recently my computer has been infected which makes browsing the web extremely slow. I can no longer use Internet Explorer in 32 bit and must use the 64 bit version. When using Internet Explorer in 32 bit, browsing is nearly impossible and popups/ads constantly appear. In 64 bit, the internet is usable but I am still prone to the occasional popups. Any help is appreciated, thank you!



BC AdBot (Login to Remove)

 


#2 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:31 PM

Posted 27 July 2013 - 04:33 AM

**In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance and we will be more than happy to wait. Failure to do so we will have your thread closed in THREE(3) days.

:)


Hello there, Skammunist

:welcome:

I'm Conspire, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Read the entire procedure
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
IMPORTANT NOTE : Please do not delete anything unless instructed to. Remember to backup all your important data(if possible) before moving on.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#3 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:31 PM

Posted 27 July 2013 - 04:34 AM

Hello there,

Please download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
===================================================

Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • Allow it to update where necessary
  • Click Scan
    • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
    • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.
===================================================

Download TDSSKiller.exe and save it to your desktop

Execute TDSSKiller.exe by doubleclicking on it.
Press Start Scan
If Malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt

===================================================

On your next reply please post :
DDS log
aswMBR log
TDSSKiller log


Please STOP and let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#4 Skammunist

Skammunist
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 27 July 2013 - 03:55 PM

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457  BrowserJavaVersion: 10.25.2
Run by dungtran at 16:52:05 on 2013-07-27
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4023.2125 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_d15ed671de43d681\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_d15ed671de43d681\AESTSr64.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files (x86)\QuickTime\qttask.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://msn.com/
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: SySaver: {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - C:\Users\dungtran\AppData\Local\SySaver\temp.dat
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
BHO: LessTabs: {3178A392-8963-471E-B7A2-969CB58D6496} - C:\Program Files (x86)\LessTabs\IE32\LessTabsClientIE.dll
BHO: sayfEE osyAve: {5AA6FA4E-6729-37B0-2CE3-178A721A0AF3} - C:\ProgramData\sayfEE osyAve\51dad8344f28b.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [Corel File Shell Monitor] C:\Program Files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
mRun: [HPCam_Menu] "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam" UpdateWithCreateOnce "Software\Hewlett-Packard\Media\Webcam"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe"  -osboot
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\dungtran\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{2649A3AD-E5F4-42C9-813E-002D21F313D2} : DHCPNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{2649A3AD-E5F4-42C9-813E-002D21F313D2}\2456374702E41696C637027457563747 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2649A3AD-E5F4-42C9-813E-002D21F313D2}\642494 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2649A3AD-E5F4-42C9-813E-002D21F313D2}\C4F4C48435F575962756C6563737 : DHCPNameServer = 199.164.64.8
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
AppInit_DLLs= c:\progra~2\safesa~1\sprote~1.dll
SSODL: WebCheck - <orphaned>
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_d15ed671de43d681\AESTSr64.exe [2011-9-29 89600]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2009-7-8 30520]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-29 38608]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-11-16 228408]
R3 enecir;ENE CIR Receiver;C:\Windows\System32\drivers\enecir.sys [2009-6-29 70656]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2009-10-12 151040]
R3 JMCR;JMCR;C:\Windows\System32\drivers\jmcr.sys [2009-7-20 140712]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-25 25928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-25 418376]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-25 701512]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-11-9 160944]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-9-29 258560]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-12-26 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
.
=============== Created Last 30 ================
.
2013-07-26 07:20:24 9460976 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{EFE9EEBE-B562-495D-9A1B-17EA3EDB24A7}\mpengine.dll
2013-07-23 00:30:52 -------- d-----w- C:\Users\dungtran\AppData\Local\SySaver
2013-07-23 00:30:49 -------- d-----w- C:\Program Files (x86)\MyPC Backup
2013-07-23 00:30:25 -------- d-----w- C:\Users\dungtran\AppData\Roaming\DefaultTab
2013-07-23 00:30:21 -------- d-----w- C:\Program Files (x86)\LessTabs
2013-07-23 00:28:08 -------- d-----w- C:\Program Files (x86)\Yahoo!
2013-07-21 02:27:43 1409 ----a-w- C:\Windows\QTFont.for
2013-07-08 15:36:36 -------- d-----w- C:\ProgramData\StarApp
2013-07-08 15:18:15 -------- d-----w- C:\Program Files (x86)\SafeSaver
2013-07-08 15:18:12 -------- d-----w- C:\ProgramData\sayfEE osyAve
2013-07-08 15:17:28 -------- d-----w- C:\ProgramData\InstallMate
2013-07-04 01:33:05 -------- d-sh--w- C:\$RECYCLE.BIN
2013-07-01 02:32:01 -------- d-----w- C:\Windows\System32\catroot2
2013-07-01 02:22:41 -------- d-----w- C:\Windows\SysWow64\wbem\Performance
2013-07-01 01:57:17 -------- d-----w- C:\RegBackup
2013-06-30 07:41:28 -------- d-----w- C:\Program Files (x86)\Tweaking.com
2013-06-28 09:29:57 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-06-28 09:29:56 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-06-28 09:29:52 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
.
==================== Find3M  ====================
.
2013-06-12 03:28:18 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 03:28:18 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-02 06:06:08 278800 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 16:52:56.10 ===============
 



Attached File  attach.txt   5.34KB   1 downloads



#5 Skammunist

Skammunist
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 27 July 2013 - 04:11 PM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-07-27 16:58:02
-----------------------------
16:58:02.607    OS Version: Windows x64 6.1.7600
16:58:02.607    Number of processors: 4 586 0x2502
16:58:02.607    ComputerName: DUNGTRAN-PC  UserName: dungtran
16:58:04.978    Initialize success
17:03:36.493    AVAST engine defs: 13072701
17:03:39.614    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:03:39.629    Disk 0 Vendor: ST950032 0001 Size: 476940MB BusType: 3
17:03:39.739    Disk 0 MBR read successfully
17:03:39.754    Disk 0 MBR scan
17:03:39.754    Disk 0 unknown MBR code
17:03:39.770    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
17:03:39.770    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       458124 MB offset 409600
17:03:39.801    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        18512 MB offset 938647552
17:03:40.113    Disk 0 scanning C:\Windows\system32\drivers
17:03:51.017    Service scanning
17:04:13.616    Modules scanning
17:04:13.616    Disk 0 trace - called modules:
17:04:13.694    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
17:04:14.210    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800586d060]
17:04:14.210    3 CLASSPNP.SYS[fffff8800111443f] -> nt!IofCallDriver -> [0xfffffa80057038a0]
17:04:14.226    5 hpdskflt.sys[fffff880022e7289] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004a1a050]
17:04:15.645    AVAST engine scan C:\Windows
17:04:18.469    AVAST engine scan C:\Windows\system32
17:08:02.987    AVAST engine scan C:\Windows\system32\drivers
17:08:29.025    AVAST engine scan C:\Users\dungtran
17:09:24.947    Disk 0 MBR has been saved successfully to "C:\Users\dungtran\Desktop\MBR.dat"
17:09:24.947    The log file has been saved successfully to "C:\Users\dungtran\Desktop\aswMBR.txt"

 

Attached Files

  • Attached File  MBR.zip   522bytes   0 downloads

Edited by Skammunist, 27 July 2013 - 04:12 PM.


#6 Skammunist

Skammunist
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 27 July 2013 - 04:16 PM

TDSSKiller.exe reported no threats found.



#7 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:31 PM

Posted 27 July 2013 - 10:40 PM

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Refer to the ComboFix User's Guide


Download ComboFix from one of these locations:

Link 1
Link 2



* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#8 Skammunist

Skammunist
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 27 July 2013 - 11:32 PM

ComboFix 13-07-27.01 - dungtran 07/28/2013   0:12.2.4 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4023.2593 [GMT -4:00]
Running from: c:\users\dungtran\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\sayfEE osyAve
c:\programdata\Microsoft\Windows\Start Menu\Programs\sayfEE osyAve\sayfEE osyAve.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\sayfEE osyAve\Uninstall.lnk
c:\programdata\sayfEE osyAve
c:\programdata\sayfEE osyAve\51dad8344f28b.dll
c:\programdata\sayfEE osyAve\51dad8344f28b.tlb
c:\programdata\sayfEE osyAve\data\sayfEE osyAve.dat
c:\programdata\sayfEE osyAve\settings.ini
c:\programdata\sayfEE osyAve\uninstall.exe
c:\users\dungtran\AppData\Local\SySaver\teMP.dat
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\addon.ico
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\amazon_ie.ico
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.cfg
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabUninstaller.exe
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\DT.ico
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\ebay_ie.ico
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\facebook_ie.ico
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\search_ie.ico
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\searchhere.ico
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\twitter_ie.ico
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\uninstalldt.exe
c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\wikipedia_ie.ico
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-28 to 2013-07-28  )))))))))))))))))))))))))))))))
.
.
2013-07-28 04:21 . 2013-07-28 04:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-07-28 04:21 . 2013-07-28 04:21 -------- d-----w- c:\users\Devin Tran\AppData\Local\temp
2013-07-28 04:21 . 2013-07-28 04:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-28 04:21 . 2013-07-28 04:21 -------- d-----w- c:\users\ADMINI~1\AppData\Local\temp
2013-07-28 04:20 . 2013-07-28 04:20 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EFE9EEBE-B562-495D-9A1B-17EA3EDB24A7}\offreg.dll
2013-07-26 07:20 . 2013-07-02 08:34 9460976 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EFE9EEBE-B562-495D-9A1B-17EA3EDB24A7}\mpengine.dll
2013-07-23 00:30 . 2013-07-28 04:19 -------- d-----w- c:\users\dungtran\AppData\Local\SySaver
2013-07-23 00:30 . 2013-07-24 13:19 -------- d-----w- c:\program files (x86)\MyPC Backup
2013-07-23 00:30 . 2013-07-28 04:19 -------- d-----w- c:\users\dungtran\AppData\Roaming\DefaultTab
2013-07-23 00:30 . 2013-07-23 00:30 -------- d-----w- c:\program files (x86)\LessTabs
2013-07-23 00:28 . 2013-07-23 00:28 -------- d-----w- c:\programdata\Yahoo!
2013-07-23 00:28 . 2013-07-23 00:28 -------- d-----w- c:\programdata\Yahoo! Companion
2013-07-23 00:28 . 2013-07-23 00:28 -------- d-----w- c:\program files (x86)\Yahoo!
2013-07-23 00:28 . 2013-07-23 00:28 -------- d-----w- c:\users\dungtran\AppData\Roaming\Yahoo!
2013-07-21 02:27 . 2013-07-21 02:27 1409 ----a-w- c:\windows\QTFont.for
2013-07-08 15:36 . 2013-07-08 15:36 -------- d-----w- c:\programdata\StarApp
2013-07-08 15:18 . 2013-07-08 15:18 -------- d-----w- c:\program files (x86)\SafeSaver
2013-07-08 15:17 . 2013-07-08 15:36 -------- d-----w- c:\programdata\InstallMate
2013-07-05 04:59 . 2013-07-05 04:59 -------- d-----w- c:\windows\Sun
2013-07-01 02:32 . 2013-07-08 13:21 -------- d-----w- c:\windows\system32\catroot2
2013-07-01 02:22 . 2013-07-01 02:23 -------- d-----w- c:\windows\SysWow64\wbem\Performance
2013-07-01 01:57 . 2013-07-01 01:57 -------- d-----w- C:\RegBackup
2013-06-30 07:42 . 2013-07-01 03:10 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-06-30 07:41 . 2013-06-30 07:41 -------- d-----w- c:\program files (x86)\Tweaking.com
2013-06-28 09:30 . 2013-06-28 09:30 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-06-28 09:29 . 2013-06-28 09:29 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-06-28 09:29 . 2013-06-28 09:29 867240 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-06-28 09:29 . 2013-06-28 09:29 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-28 08:48 . 2013-06-28 08:48 -------- d-----w- c:\program files (x86)\Common Files\Adobe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 03:28 . 2012-12-27 02:31 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 03:28 . 2012-12-27 02:31 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-02 06:06 . 2012-12-25 17:35 278800 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-08-20 2363392]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-12-25 39408]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-11-09 17877168]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Corel File Shell Monitor"="c:\program files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2009-08-26 15544]
"HPCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"QuickTime Task"="c:\program files (x86)\QuickTime\qttask.exe" [2006-09-01 282624]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-08-20 322104]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-29 600936]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2013-02-23 295072]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\users\dungtran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_d15ed671de43d681\AESTSr64.exe;c:\windows\SYSNATIVE\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_d15ed671de43d681\AESTSr64.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [x]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys;c:\windows\SYSNATIVE\DRIVERS\enecir.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 34845867
*NewlyCreated* - 50448721
*NewlyCreated* - ASWMBR
*Deregistered* - 34845867
*Deregistered* - 50448721
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 20:24 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-27 03:28]
.
2013-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ce7ea5718c20a8.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-25 17:34]
.
2013-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-25 17:34]
.
2013-06-17 c:\windows\Tasks\ReclaimerResumeInstall_dungtran.job
- c:\users\dungtran\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\rnupgagent.exe [2013-06-17 02:38]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-29 16395880]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-10-21 487424]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-08-25 610872]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - c:\users\dungtran\AppData\Local\SySaver\temp.dat
BHO-{5AA6FA4E-6729-37B0-2CE3-178A721A0AF3} - c:\programdata\sayfEE osyAve\51dad8344f28b.dll
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-DefaultTab - c:\users\dungtran\AppData\Roaming\DefaultTab\DefaultTab\uninstalldt.exe
AddRemove-{924C3DC2-8E4E-432E-F973-9A2174A39774} - c:\programdata\sayfEE osyAve\uninstall.exe
AddRemove-Havka FOkm - c:\windows\system32\javaws.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-07-28  00:31:15
ComboFix-quarantined-files.txt  2013-07-28 04:31
ComboFix2.txt  2013-06-26 01:48
.
Pre-Run: 406,830,841,856 bytes free
Post-Run: 407,078,445,056 bytes free
.
- - End Of File - - 7F620FFF1B527E38ECD97AB81F84B1E4
8B09E9F80CD636BF8C5D5D3A93DC84E7
 



#9 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:31 PM

Posted 28 July 2013 - 12:20 AM

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
===================================================

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message
===================================================

On your next reply please post :
Adwcleaner log
JRT log



Please STOP and let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#10 Skammunist

Skammunist
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 28 July 2013 - 09:12 AM

# AdwCleaner v2.306 - Logfile created 07/28/2013 at 09:49:49
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium  (64 bits)
# User : dungtran - DUNGTRAN-PC
# Boot Mode : Normal
# Running from : C:\Users\dungtran\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Users\dungtran\AppData\Roaming\DefaultTab

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\DefaultTab
Key Deleted : HKCU\Software\AppDataLow\SProtector
Key Deleted : HKCU\Software\Default Tab
Key Deleted : HKCU\Software\DefaultTab
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4B5C-9287-DA72D38F4FE6}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\DefaultTabBHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SProtector
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4B5C-9287-DA72D38F4FE6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\dungtran\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [3454 octets] - [28/07/2013 09:49:49]

########## EOF - C:\AdwCleaner[S1].txt - [3514 octets] ##########



#11 Skammunist

Skammunist
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 28 July 2013 - 09:19 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.2.5 (07.26.2013:2)
OS: Windows 7 Home Premium x64
Ran by dungtran on Sun 07/28/2013 at 10:13:49.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\firstsearch
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0035E2A3-49B9-41EB-8B2D-DBEE51A84B9A}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3178A392-8963-471E-B7A2-969CB58D6496}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\Program Files (x86)\mypc backup"

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 07/28/2013 at 10:18:11.44
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#12 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:31 PM

Posted 28 July 2013 - 11:25 AM

Please run DDS again. Also post the feedback on how your computer is behaving.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#13 Skammunist

Skammunist
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 28 July 2013 - 03:56 PM

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457  BrowserJavaVersion: 10.25.2
Run by dungtran at 16:52:11 on 2013-07-28
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4023.2698 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_d15ed671de43d681\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_d15ed671de43d681\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files (x86)\QuickTime\qttask.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://msn.com/
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
BHO: sayfEE osyAve: {5AA6FA4E-6729-37B0-2CE3-178A721A0AF3} -
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [Corel File Shell Monitor] C:\Program Files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
mRun: [HPCam_Menu] "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam" UpdateWithCreateOnce "Software\Hewlett-Packard\Media\Webcam"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe"  -osboot
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\dungtran\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: Interfaces\{2649A3AD-E5F4-42C9-813E-002D21F313D2} : DHCPNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{2649A3AD-E5F4-42C9-813E-002D21F313D2}\2456374702E41696C637027457563747 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2649A3AD-E5F4-42C9-813E-002D21F313D2}\642494 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2649A3AD-E5F4-42C9-813E-002D21F313D2}\C4F4C48435F575962756C6563737 : DHCPNameServer = 199.164.64.8
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_d15ed671de43d681\AESTSr64.exe [2011-9-29 89600]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-25 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-25 701512]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-29 38608]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-11-16 228408]
R3 enecir;ENE CIR Receiver;C:\Windows\System32\drivers\enecir.sys [2009-6-29 70656]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2009-10-12 151040]
R3 JMCR;JMCR;C:\Windows\System32\drivers\jmcr.sys [2009-7-20 140712]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-25 25928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2009-7-8 30520]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-11-9 160944]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-9-29 258560]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-12-26 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
.
=============== Created Last 30 ================
.
2013-07-28 13:57:56 -------- d-sh--w- C:\$RECYCLE.BIN
2013-07-28 04:10:16 98816 ----a-w- C:\Windows\sed.exe
2013-07-28 04:10:16 256000 ----a-w- C:\Windows\PEV.exe
2013-07-28 04:10:16 208896 ----a-w- C:\Windows\MBR.exe
2013-07-26 07:20:24 9460976 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{EFE9EEBE-B562-495D-9A1B-17EA3EDB24A7}\mpengine.dll
2013-07-23 00:30:52 -------- d-----w- C:\Users\dungtran\AppData\Local\SySaver
2013-07-23 00:30:21 -------- d-----w- C:\Program Files (x86)\LessTabs
2013-07-23 00:28:08 -------- d-----w- C:\Program Files (x86)\Yahoo!
2013-07-21 02:27:43 1409 ----a-w- C:\Windows\QTFont.for
2013-07-08 15:36:36 -------- d-----w- C:\ProgramData\StarApp
2013-07-08 15:18:15 -------- d-----w- C:\Program Files (x86)\SafeSaver
2013-07-08 15:17:28 -------- d-----w- C:\ProgramData\InstallMate
2013-07-01 02:32:01 -------- d-----w- C:\Windows\System32\catroot2
2013-07-01 02:22:41 -------- d-----w- C:\Windows\SysWow64\wbem\Performance
2013-07-01 01:57:17 -------- d-----w- C:\RegBackup
2013-06-30 07:41:28 -------- d-----w- C:\Program Files (x86)\Tweaking.com
.
==================== Find3M  ====================
.
2013-06-28 09:29:41 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-28 09:29:40 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-06-28 09:29:40 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-06-12 03:28:18 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 03:28:18 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-02 06:06:08 278800 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 16:53:52.58 ===============
 


Edited by Skammunist, 28 July 2013 - 03:57 PM.


#14 Skammunist

Skammunist
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 28 July 2013 - 04:09 PM

Internet Explorer in 32-bit seems to be running a bit smoother without ads or popups.

Attached Files



#15 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:31 PM

Posted 28 July 2013 - 09:58 PM

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
ClearJavaCache::

Folder::
C:\Program Files (x86)\LessTabs

DDS::
BHO: sayfEE osyAve: {5AA6FA4E-6729-37B0-2CE3-178A721A0AF3} -

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

CFScriptB-4.gif
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users