FBI Moneypak Virus NO SafeMode... need help


  • This topic is locked
11 replies to this topic

#1 chucky99

chucky99

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:58 PM

Posted 25 July 2013 - 01:08 PM

Hello,

I am infected with a version of the FBI Moneypak Virus that does not even allow me to go into Safe Mode in any fashion. After reviewing several topics on this vicious virus I ran Farbar Scan.

The log is attached. Any help is greatly appreciated.

 

THIS virus is the worst that I've ever had!!!

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-07-2013
Ran by SYSTEM on 25-07-2013 10:18:12
Running from J:\
Windows 7 Ultimate (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [GrooveMonitor] - "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [31072 2008-10-25] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [RemoteControl11] - C:\Program Files (x86)\CyberLink\PowerDVD11\PDVD11Serv.exe [230696 2011-08-23] (CyberLink Corp.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TkBellExe] - "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [296056 2012-06-12] (RealNetworks, Inc.)
HKLM-x32\...\Run: [iTunesHelper] - "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] - "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [642656 2013-03-28] (Advanced Micro Devices, Inc.)
HKU\Tiger\...\Run: [AirVideoServer] - C:\Program Files (x86)\AirVideoServer\AirVideoServer.exe [4923784 2010-09-21] ()
HKU\Tiger\...\Run: [DAEMON Tools Lite] - "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3514176 2011-11-10] (DT Soft Ltd)
HKU\Tiger\...\Run: [EPSON Stylus Photo RX680 Series] - C:\Windows\system32\spool\DRIVERS\x64\3\E_IATICJA.EXE /FU "C:\Users\Tiger\AppData\Local\Temp\E_S3374.tmp" /EF "HKCU" [144 2012-04-11] () <===== ATTENTION
HKU\Tiger\...\Run: [AnyDVD] - C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe [6241952 2012-07-30] (SlySoft, Inc.)
HKU\Tiger\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Tiger\AppData\Local\Temp\ijlewecvnlbmthymklm.bfg [79872 2013-07-25] (Cisco Systems, Inc.) <===== ATTENTION
HKU\Tiger\...\Winlogon: [Shell] cmd.exe [344576 2009-07-13] (Microsoft Corporation) <==== ATTENTION
HKU\Tiger\...\Command Processor: "C:\Users\Tiger\AppData\Local\Temp\ijlewecvnlbmthymklm.bfg" <===== ATTENTION!

==================== Services (Whitelisted) =================

S2 CLHNServiceForPowerDVD; C:\Program Files (x86)\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe [83240 2011-08-23] ()
S2 CyberLink PowerDVD 11.0 Monitor Service; C:\Program Files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe [75048 2011-10-11] (CyberLink)
S2 CyberLink PowerDVD 11.0 Service; C:\Program Files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSServerForPDVD11.exe [292136 2011-10-11] (CyberLink)

==================== Drivers (Whitelisted) ====================

S3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [138360 2012-05-01] (SlySoft, Inc.)
S3 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [279616 2012-01-15] (DT Soft Ltd)
S0 mv61xx; C:\Windows\System32\DRIVERS\mv61xx.sys [182576 2011-05-06] (Marvell Semiconductor, Inc.)
S2 ntk_PowerDVD; C:\Program Files (x86)\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD_64.sys [75248 2011-08-23] (Cyberlink Corp.)
S2 ntk_PowerDVD; C:\Program Files (x86)\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD_64.sys [75248 2011-08-23] (Cyberlink Corp.)
S0 Si3132r5; C:\Windows\System32\DRIVERS\Si3132r5.sys [340520 2008-10-30] (Silicon Image, Inc)
S0 SiFilter; C:\Windows\System32\DRIVERS\SiWinAcc.sys [22568 2008-10-30] (Silicon Image, Inc.)
S0 SiRemFil; C:\Windows\System32\DRIVERS\SiRemFil.sys [16936 2008-10-30] (Silicon Image, Inc.)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [530488 2012-01-08] (Duplex Secure Ltd.)
S2 {329F96B6-DF1E-4328-BFDA-39EA953C1312}; C:\Program Files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl [148976 2011-10-18] (CyberLink Corp.)
S2 {329F96B6-DF1E-4328-BFDA-39EA953C1312}; C:\Program Files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl [148976 2011-10-18] (CyberLink Corp.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-25 10:17 - 2013-07-25 10:17 - 00000000 ____D C:\FRST
2013-07-25 08:36 - 2013-07-25 08:36 - 01097627 _____ C:\Users\Tiger\AppData\Local\2433f433
2013-07-25 08:36 - 2013-07-25 08:36 - 01097609 _____ C:\Users\Tiger\AppData\Roaming\2433f433
2013-07-25 08:36 - 2013-07-25 08:36 - 01097603 _____ C:\ProgramData\2433f433
2013-07-19 18:13 - 2013-07-19 18:13 - 00000000 ____D C:\Users\Tiger\Documents\Groupon
2013-07-09 23:00 - 2013-07-09 23:13 - 00017387 _____ C:\Users\Tiger\Documents\SeaVS Single Contract Calculation.xlsx

==================== One Month Modified Files and Folders =======

2013-07-25 10:17 - 2013-07-25 10:17 - 00000000 ____D C:\FRST
2013-07-25 08:56 - 2013-06-16 22:26 - 00000376 _____ C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Tiger.job
2013-07-25 08:56 - 2012-01-14 03:41 - 00000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-25 08:56 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-25 08:56 - 2009-07-13 20:51 - 00047393 _____ C:\Windows\setupact.log
2013-07-25 08:40 - 2012-01-08 02:25 - 00470407 _____ C:\Windows\WindowsUpdate.log
2013-07-25 08:39 - 2012-01-09 23:57 - 00000000 ____D C:\Users\Tiger\AppData\Local\Newsbin
2013-07-25 08:36 - 2013-07-25 08:36 - 01097627 _____ C:\Users\Tiger\AppData\Local\2433f433
2013-07-25 08:36 - 2013-07-25 08:36 - 01097609 _____ C:\Users\Tiger\AppData\Roaming\2433f433
2013-07-25 08:36 - 2013-07-25 08:36 - 01097603 _____ C:\ProgramData\2433f433
2013-07-25 08:36 - 2013-03-20 21:08 - 00000000 ____D C:\Users\Tiger\AppData\Local\CrashDumps
2013-07-25 08:35 - 2012-01-09 00:39 - 00000000 ____D C:\Users\Tiger\AppData\Roaming\uTorrent
2013-07-25 08:31 - 2012-01-14 03:41 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-25 08:30 - 2012-01-09 00:44 - 00000000 ____D C:\Users\Tiger\Downloads\Subtitles
2013-07-25 08:03 - 2012-01-25 01:01 - 00000000 ____D C:\Users\Tiger\AppData\Roaming\vlc
2013-07-24 23:03 - 2013-06-16 22:26 - 00002960 _____ C:\Windows\System32\Tasks\ReclaimerUpdateXML_Tiger
2013-07-24 23:03 - 2013-06-16 22:26 - 00000366 _____ C:\Windows\Tasks\ReclaimerUpdateXML_Tiger.job
2013-07-24 18:11 - 2009-07-13 21:13 - 00726316 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-24 08:54 - 2009-07-13 20:45 - 00014016 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-24 08:54 - 2009-07-13 20:45 - 00014016 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-24 08:48 - 2010-10-06 22:03 - 00000000 ____D C:\jexepackres
2013-07-24 03:45 - 2013-06-16 22:26 - 00002964 _____ C:\Windows\System32\Tasks\ReclaimerUpdateFiles_Tiger
2013-07-24 03:45 - 2013-06-16 22:26 - 00000370 _____ C:\Windows\Tasks\ReclaimerUpdateFiles_Tiger.job
2013-07-23 00:07 - 2012-08-16 23:01 - 00000000 ____D C:\Users\Tiger\Downloads\Mediacoder
2013-07-19 18:13 - 2013-07-19 18:13 - 00000000 ____D C:\Users\Tiger\Documents\Groupon
2013-07-19 16:50 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-07-18 08:27 - 2012-01-09 00:16 - 00011864 _____ C:\Windows\PFRO.log
2013-07-12 15:34 - 2012-02-01 01:43 - 00002192 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-07-11 14:26 - 2012-01-14 03:41 - 00003892 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-07-11 14:26 - 2012-01-14 03:41 - 00003640 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-07-09 23:13 - 2013-07-09 23:00 - 00017387 _____ C:\Users\Tiger\Documents\SeaVS Single Contract Calculation.xlsx
2013-07-02 05:57 - 2013-01-21 14:13 - 00000000 ____D C:\Users\Public\Documents\VSC
2013-06-25 23:04 - 2012-01-26 19:37 - 00000000 ____D C:\Users\Tiger\AppData\Local\QuickPar

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3404124809-377345010-3751015181-1000\$06aedc2fff2cae3231741205d7b22f4c

Files to move or delete:
====================
C:\ProgramData\1875113.bat
C:\ProgramData\1875113.pad
C:\ProgramData\1875113.reg

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-07-04 23:08:08
Restore point made on: 2013-07-12 23:02:45
Restore point made on: 2013-07-20 23:02:34

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 6143.1 MB
Available physical RAM: 5445.5 MB
Total Pagefile: 6141.25 MB
Available Pagefile: 5451.04 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (Misc Apps) (Fixed) (Total:232.88 GB) (Free:64.23 GB) NTFS (Disk=0 Partition=1) ==>[Drive with boot components (obtained from BCD)]
Drive d: (New Media) (Fixed) (Total:1863.01 GB) (Free:6.76 GB) NTFS (Disk=1 Partition=1)
Drive e: (Recent Media) (Fixed) (Total:1863.01 GB) (Free:0.29 GB) NTFS (Disk=2 Partition=1)
Drive f: (Books and Magazines) (Fixed) (Total:2794.39 GB) (Free:116.97 GB) NTFS (Disk=3 Partition=2)
Drive g: (My Picture Files) (Fixed) (Total:195.31 GB) (Free:53.81 GB) NTFS (Disk=4 Partition=1)
Drive h: (HD Media 6) (Fixed) (Total:1667.7 GB) (Free:9.37 GB) NTFS (Disk=4 Partition=2)
Drive j: () (Removable) (Total:0.24 GB) (Free:0.16 GB) FAT (Disk=6 Partition=1)
Drive k: (HD Movies 1) (Fixed) (Total:3726.01 GB) (Free:771.19 GB) NTFS (Disk=7 Partition=1)
Drive l: (Elements) (Fixed) (Total:1863.01 GB) (Free:28.89 GB) NTFS (Disk=8 Partition=1)
Drive m: (My Book 3.0) (Fixed) (Total:2794.51 GB) (Free:11.26 GB) NTFS (Disk=9 Partition=1)
Drive n: (FreeAgent GoFlex Drive) (Fixed) (Total:2794.51 GB) (Free:7.87 GB) NTFS (Disk=10 Partition=1)
Drive o: (HD Media 8) (Fixed) (Total:1863.01 GB) (Free:17.45 GB) NTFS (Disk=11 Partition=1)
Drive p: (TV Shows 1) (Fixed) (Total:1863.01 GB) (Free:20.06 GB) NTFS (Disk=12 Partition=1)
Drive q: (HD Movies 2) (Fixed) (Total:931.51 GB) (Free:2.14 GB) NTFS (Disk=13 Partition=1)
Drive r: (Video - Music) (Fixed) (Total:931.51 GB) (Free:32.38 GB) NTFS (Disk=14 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 00016627)
Partition 1: (Active) - (Size=233 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 5D591BCB)
Partition 1: (Not Active) - (Size=-198626508800) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 5FE91831)
Partition 1: (Not Active) - (Size=-198626508800) - (Type=07 NTFS)

========================================================
Disk: 3 (MBR Code: Windows 7 or 8) (Size: 2795 GB) (Disk ID: 00000000)

Partition: GPT Partition Type
========================================================
Disk: 4 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: DA9A2CF5)
Partition 1: (Not Active) - (Size=195 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=-408342757376) - (Type=07 NTFS)

========================================================
Disk: 5 (MBR Code: Windows XP) (Size: 466 GB) (Disk ID: 131C131C)
Partition 1: (Active) - (Size=466 GB) - (Type=42)
Partition 2: (Not Active) - (Size=1017 KB) - (Type=42)

========================================================
Disk: 6 (Size: 245 MB) (Disk ID: 7747E28A)
Partition 1: (Not Active) - (Size=245 MB) - (Type=06)
Attempted reading MBR returned 0 bytes.
 Could not read MBR for disk 7.

========================================================
Disk: 8 (MBR Code: Windows XP) (Size: 1863 GB) (Disk ID: 0003990F)
Partition 1: (Not Active) - (Size=-198627557376) - (Type=07 NTFS)
Attempted reading MBR returned 0 bytes.
 Could not read MBR for disk 9.
Attempted reading MBR returned 0 bytes.
 Could not read MBR for disk 10.

========================================================
Disk: 11 (MBR Code: Windows XP) (Size: 1863 GB) (Disk ID: 00197FCD)
Partition 1: (Not Active) - (Size=-198627557376) - (Type=07 NTFS)

========================================================
Disk: 12 (Size: 1863 GB) (Disk ID: 79EA3D1B)
Partition 1: (Not Active) - (Size=-198626966528) - (Type=07 NTFS)

========================================================
Disk: 13 (Size: 932 GB) (Disk ID: FDDF0896)
Partition 1: (Not Active) - (Size=932 GB) - (Type=07 NTFS)

========================================================
Disk: 14 (Size: 932 GB) (Disk ID: 0ED0FA6D)
Partition 1: (Not Active) - (Size=932 GB) - (Type=07 NTFS)

========================================================
Disk: 15 (Size: 932 GB) (Disk ID: 6CAF4C6B)
Partition 1: (Not Active) - (Size=932 GB) - (Type=07 NTFS)

LastRegBack: 2013-07-23 00:20

==================== End Of Log ============================

 


#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:58 PM

Posted 25 July 2013 - 05:50 PM

chucky99,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this, then choose Receive Notification Immediately and then click Follow This Topic; you will be sent an email once I have posted a response, which makes the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.


:step1: Rerun FRST

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window and save it on the flash drive as fixlist.txt

Start
HKU\Tiger\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Tiger\AppData\Local\Temp\ijlewecvnlbmthymklm.bfg
HKU\Tiger\...\Winlogon: [Shell] cmd.exe [344576 2009-07-13]
HKU\Tiger\...\Command Processor: "C:\Users\Tiger\AppData\Local\Temp\ijlewecvnlbmthymklm.bfg"

C:\Users\Tiger\AppData\Local\Temp\ijlewecvnlbmthymklm.bfg
C:\$Recycle.Bin\S-1-5-21-3404124809-377345010-3751015181-1000\$06aedc2fff2cae3231741205d7b22f4c
C:\ProgramData\1875113.bat
C:\ProgramData\1875113.pad
C:\ProgramData\1875113.reg

Folder: C:\Users\Tiger\AppData\Local\2433f433
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system!

Boot back into System Recovery Options, as you've done previously.
Run FRST64, press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


Edited by jntkwx, 25 July 2013 - 05:53 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#3 chucky99

chucky99
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:58 PM

Posted 26 July 2013 - 12:31 AM

Hi Jason,

 

Thanks for the help. I just reran FRST64 and pressed the fix button.

Attached is the Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-07-2013
Ran by SYSTEM at 2013-07-25 22:26:04 Run:1
Running from J:\
Boot Mode: Recovery
==============================================

HKU\Tiger\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value not found.
HKU\Tiger\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.
HKU\Tiger\Software\Microsoft\Command Processor\\AutoRun => Value not found.
C:\Users\Tiger\AppData\Local\Temp\ijlewecvnlbmthymklm.bfg => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-3404124809-377345010-3751015181-1000\$06aedc2fff2cae3231741205d7b22f4c => Moved successfully.
C:\ProgramData\1875113.bat => Moved successfully.
C:\ProgramData\1875113.pad => Moved successfully.
C:\ProgramData\1875113.reg => Moved successfully.

========================= Folder: C:\Users\Tiger\AppData\Local\2433f433 ========================

2013-07-25 08:36 - 2013-07-25 08:36 - 1097627 ____A () C:\Users\Tiger\AppData\Local\2433f433

====== End of Folder: ======

==== End of Fixlog ====



#4 chucky99

chucky99
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:58 PM

Posted 26 July 2013 - 04:47 AM

Hi Jason,

 

Just wanted to let you know that after running your fixlist, I was able to boot back into Win7 again. I then ran Malwarebytes, which detected and deleted 14 items. Thanks again for all of your help!!!! Everything seems normal again.

 

FYI, here is the log from Malwarebytes.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.26.01

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Tiger :: CENTRAL-PC [administrator]

7/25/2013 10:46:54 PM
mbam-log-2013-07-25 (22-46-54).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 820939
Time elapsed: 3 hour(s), 33 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 14
C:\FRST\Quarantine\ijlewecvnlbmthymklm.bfg (Trojan.Ransom.FV) -> Quarantined and deleted successfully.
C:\iPod Conversion Tools (Windows)\Xilisoft DVD to iPod Suite 2.1.55.1107b\keygen.rar (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Multimedia.utilities\DVDInfo.Pro.v4.633-CORE.rar (PUP.Keygen.Intro) -> Quarantined and deleted successfully.
C:\Multimedia.utilities\Imagenomic.Noiseware.Professional.v4.1.1.0.for.Adobe.Photoshop-SSG.rar (PUP.Hacktool.Patcher) -> Quarantined and deleted successfully.
C:\Newsbin\DOWNLOAD\Call of Duty 4 - Modern Warfare - Keygen 2.rar (HackTool.Keygen) -> Quarantined and deleted successfully.
C:\Newsbin\DOWNLOAD\alt.binaries.cd.image\daemon400\daemon400.exe (Adware.WhenU) -> Quarantined and deleted successfully.
C:\Newsbin\DOWNLOAD\alt.binaries.games\HATRED.rar (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Newsbin\DOWNLOAD\alt.binaries.warez\FotoTime.FotoAlbum.Pro.v5.4.0.1\Linezer0.part6.rar (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Newsbin\DOWNLOAD\alt.binaries.warez\Riesen Jamba Paket - 4100 Games Progs Logos Sounds Ringtones\Handy Progs\Keys\SeleQ15i.zip (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\Users\Tiger\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\46601d9a-79df2e1f (Trojan.Ransom.FV) -> Quarantined and deleted successfully.
C:\Users\Tiger\Templates\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\ProgramData\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\Users\Tiger\AppData\Roaming\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\Users\Tiger\AppData\Local\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.

(end)



#5 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:58 PM

Posted 26 July 2013 - 04:10 PM

chucky99,
 
I just want to double check we've found all the malware.

:step1: Combofix

Please download Combofix from one of these links.

1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this, you can find out here or here.
3. Double click on combofix.exe & follow the prompts.

Important:

  • Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

:step2: ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

In your next reply, please include:

  • Combofix log
  • ESET log
  • How is your computer running now?

Regards,
Jason

 



#6 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:58 PM

Posted 28 July 2013 - 11:31 AM

chucky99,
 
It has been 2 days since my last post.
 
Please follow the instructions in my previous post. :thumbup2:


Regards,
Jason

 



#7 chucky99

chucky99
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:58 PM

Posted 29 July 2013 - 11:19 AM

Hi Jason,

 

I just ran ComboFix and attached is the log. The ESET scan is taking a long time and is still scanning. I will post it later tonight when it is finished.

Thanks again for all of your help.

 

ComboFix 13-07-27.01 - Tiger 07/28/2013  21:10:41.1.2 - x64
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.6143.3844 [GMT -7:00]
Running from: c:\users\Tiger\Downloads\ComboFix\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\AutocompletePro
c:\program files (x86)\AutocompletePro\FireFoxExtension.exe
c:\program files (x86)\AutocompletePro\InstTracker.exe
c:\programdata\1875113.js
Q:\Autorun.inf
Q:\Setup.exe
R:\Autorun.inf
Z:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-28 to 2013-07-29  )))))))))))))))))))))))))))))))
.
.
2013-07-29 04:24 . 2013-07-29 04:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-29 02:49 . 2013-07-29 02:49 -------- d-----w- c:\program files (x86)\ESET
2013-07-29 02:39 . 2013-07-29 02:39 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-07-29 02:38 . 2013-07-29 02:38 867240 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-07-29 02:38 . 2013-07-29 02:38 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-29 02:33 . 2013-07-29 02:33 -------- d-----w- c:\programdata\McAfee
2013-07-26 23:26 . 2013-07-26 23:26 -------- d-----w- c:\program files\Microsoft Silverlight
2013-07-26 23:26 . 2013-07-26 23:26 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2013-07-25 18:17 . 2013-07-25 18:17 -------- d-----w- C:\FRST
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-29 02:38 . 2012-01-19 07:17 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AirVideoServer"="c:\program files (x86)\AirVideoServer\AirVideoServer.exe" [2010-09-22 4923784]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
"AnyDVD"="c:\program files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe" [2012-07-30 6241952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"RemoteControl11"="c:\program files (x86)\CyberLink\PowerDVD11\PDVD11Serv.exe" [2011-08-24 230696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-06-12 296056]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2013-03-29 642656]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
S0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys;c:\windows\SYSNATIVE\DRIVERS\mv61xx.sys [x]
S0 mv91cons;Marvell 91xx Config Device Driver;c:\windows\system32\DRIVERS\mv91cons.sys;c:\windows\SYSNATIVE\DRIVERS\mv91cons.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2012/01/14 03:58];c:\program files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl;c:\program files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;c:\program files (x86)\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe;c:\program files (x86)\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe [x]
S2 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;c:\program files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe;c:\program files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe [x]
S2 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;c:\program files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSServerForPDVD11.exe;c:\program files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSServerForPDVD11.exe [x]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
S2 ntk_PowerDVD;ntk_PowerDVD;c:\program files (x86)\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD_64.sys;c:\program files (x86)\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD_64.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-12 23:31 1173456 ----a-w- c:\program files (x86)\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-14 11:41]
.
2013-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-14 11:41]
.
2013-07-28 c:\windows\Tasks\ReclaimerUpdateFiles_Tiger.job
- c:\users\Tiger\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\rnupgagent.exe [2013-06-17 03:24]
.
2013-07-28 c:\windows\Tasks\ReclaimerUpdateXML_Tiger.job
- c:\users\Tiger\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\rnupgagent.exe [2013-06-17 03:24]
.
2013-07-29 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Tiger.job
- c:\users\Tiger\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\rnupgagent.exe [2013-06-17 03:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HardLinkMenu]
@="{0A479751-02BC-11d3-A855-0004AC2568AA}"
[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568AA}]
2011-06-24 06:03 456704 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHardLink]
@="{0A479751-02BC-11d3-A855-0004AC2568DD}"
[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568DD}]
2011-06-24 06:03 456704 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlaySymbolicLink]
@="{0A479751-02BC-11d3-A855-0004AC2568EE}"
[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568EE}]
2011-06-24 06:03 456704 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 10.0.1.1
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{329F96B6-DF1E-4328-BFDA-39EA953C1312}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3404124809-377345010-3751015181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e*x*e*(\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-07-28  21:28:06
ComboFix-quarantined-files.txt  2013-07-29 04:28
ComboFix2.txt  2011-12-20 03:17
ComboFix3.txt  2011-12-06 07:37
ComboFix4.txt  2011-07-04 01:10
ComboFix5.txt  2013-07-29 04:08
.
Pre-Run: 70,928,932,864 bytes free
Post-Run: 73,603,358,720 bytes free
.
- - End Of File - - CBAD7CD0F9670D2C683CB3D979C4879C
A36C5E4F47E84449FF07ED3517B43A31
 

 

 

 



#8 chucky99

chucky99
  • Topic Starter

  • Members

Posted 29 July 2013 - 12:00 PM

Jason,

 

The ESETSCAN finally completed. Here is the log.

 

C:\Windows.old.000\Users\Tiger\Local Settings\Temp\77662.exe probably a variant of MSIL/TrojanDropper.Binder.AS trojan 
C:\Windows.old.000\Users\Tiger\Local Settings\Temp\IXP000.TMP\ppi.exe a variant of Win32/Injector.ABYP trojan 
C:\Corel WinDVD Plus v9.0 Blu-ray\KeyGen\Corel WinDVD Plus v9.0 Blu-ray KeyGen.exe a variant of Win32/Keygen.AF application cleaned by deleting - quarantined
C:\MM Tools\Media Files\CoreAVC 1.6\edge.rar a variant of Win32/Keygen.EN application deleted - quarantined
C:\MM Tools\Media Files\CoreAVC 1.6\EDGE\keygen.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
C:\Multimedia.utilities\Adobe Premiere Pro v2.0 Key Generator\keygen.exe a variant of Win32/Keygen.AO application cleaned by deleting - quarantined
C:\Multimedia.utilities\Adobe Products Key Gens + Trial-To-Full\Adobe InDesign CS2 CE v3.0 Key Generator\Adobe InDesign CS CE v3.0 Key Generator.exe a variant of Win32/Keygen.DZ application cleaned by deleting - quarantined
C:\Multimedia.utilities\AVCataloger v3.7.1\AVCataloger v3.7.1\Patch\AVCataloger v3.7.1 Patch.exe a variant of Win32/HackTool.Patcher.A application cleaned by deleting - quarantined
C:\Multimedia.utilities\IPod Access for Windows v2.9.1\IPod Access for Windows v2.9.1\KeyGen\keygen.exe a variant of Win32/Keygen.CP application cleaned by deleting - quarantined
C:\Newsbin\DOWNLOAD\Call of Duty 4 No CD Crack.rar a variant of Win32/PSW.IMMultiPass trojan deleted - quarantined
C:\Newsbin\DOWNLOAD\alt.binaries.games\Quake 4\KEYGEN QUAKE 4 FOR NEWZBIN.rar Win32/Keygen.EW application deleted - quarantined
C:\Newsbin\DOWNLOAD\alt.binaries.games\Quake 4\KEYGEN QUAKE 4 FOR NEWZBIN\rld-q4kg.exe Win32/Keygen.EW application cleaned by deleting - quarantined
C:\Newsbin\DOWNLOAD\alt.binaries.warez\Riesen Jamba Paket - 4100 Games Progs Logos Sounds Ringtones\Handy Progs\MP3Go.v2.02.with.keygen.[m-internet.com].(SIS.7650.Nokia).zip Win32/Keygen.EI application deleted - quarantined
C:\Newsbin\DOWNLOAD\alt.binaries.warez\Riesen Jamba Paket - 4100 Games Progs Logos Sounds Ringtones\Handy Progs\Keys\mp3gons60_202_en.exe Win32/Keygen.EI application cleaned by deleting - quarantined
C:\Newsbin\DOWNLOAD\alt.binaries.warez\Riesen Jamba Paket - 4100 Games Progs Logos Sounds Ringtones\Handy Progs\Keys\RemindMe.exe probably a variant of Win32/Agent.LPTFRMX trojan cleaned by deleting - quarantined
C:\Newsbin\DOWNLOAD\alt.binaries.warez\Riesen Jamba Paket - 4100 Games Progs Logos Sounds Ringtones\Handy Progs\LCG ProfiMail 2.24\ProfiMail keygen.exe probably a variant of Win32/Agent.LSGQLDX trojan cleaned by deleting - quarantined
C:\Newsbin\DOWNLOAD\alt.binaries.warez\Riesen Jamba Paket - 4100 Games Progs Logos Sounds Ringtones\Handy Progs\LCG ProfiMail 2.24\ProfiMail UIQ keygen.exe probably a variant of Win32/Agent.LSGQLDX trojan cleaned by deleting - quarantined
C:\Newsbin\DOWNLOAD\alt.binaries.warez\Screensaver\3D screensaver Planesoft Keygenerator.exe Win32/Keygen.FJ application cleaned by deleting - quarantined
C:\Photoshop\Activator.exe a variant of Win32/Injector.AFN trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbarUpdater.exe.vir Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\ProgramData\1875113.js.vir JS/Agent.NID trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.G trojan cleaned by deleting - quarantined
C:\Turbo Tax\Intuit TurboTax Home and Business 2009 Lz0\Intuit TurboTax Home and Business 2009 Lz0\lz03p901\lz03p901.iso multiple threats deleted - quarantined
C:\Users\Tiger\AppData\Local\f0851ec9-8c44-41c5-835a-b29c4151495c.crx JS/Redirector.NCG trojan deleted - quarantined
C:\Users\Tiger\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\1753d812-2a8783ae a variant of Java/TrojanDownloader.Agent.NDN trojan cleaned by deleting - quarantined
C:\Users\Tiger\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\6febc037-6f466e33 multiple threats cleaned by deleting - quarantined
C:\Users\Tiger\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\stub_data\stubinst_pkg_en-us.cab Win32/OpenCandy application deleted - quarantined
C:\Users\Tiger\Downloads\bs_MediaCoder.exe Win32/Amonetize application cleaned by deleting - quarantined
C:\Users\Tiger\Downloads\MediaInfo_GUI_0.7.52_Windows_x64.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\Tiger\Downloads\SetupImgBurn_2.5.7.0.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\Tiger\Downloads\Daemon Tools Lite\DTLite4451-0236.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\Tiger\Downloads\Kingston 4GB Drive\Old Files\Virtumonde Fix\VirtumundoBeGone.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Users\Tiger\Downloads\Mediacoder\MediaCoder-0.8.13.5266.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\Tiger\Downloads\Mediacoder\MediaCoder-x64-0.8.14.5275.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Windows.old\Users\Tiger\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\42cc9baf-706fa6fc multiple threats cleaned by deleting - quarantined
C:\Windows.old\Users\Tiger\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\4f18cf7d-5129c9d6 Java/TrojanDownloader.OpenStream.NCA trojan cleaned by deleting - quarantined
C:\Windows.old\Users\Tiger\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\404cf589-1e4c383e Java/TrojanDownloader.OpenStream.NCA trojan cleaned by deleting - quarantined
C:\Windows.old\Users\Tiger\Downloads\FFSetup260.zip a variant of Win32/Bundled.Toolbar.Ask application deleted - quarantined
C:\Windows.old\Users\Tiger\Downloads\SetupImgBurn_2.5.4.0.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Windows.old.000\Users\Tiger\AppData\Local\Temp\77662.exe probably a variant of MSIL/TrojanDropper.Binder.AS trojan cleaned by deleting - quarantined
C:\Windows.old.000\Users\Tiger\AppData\Local\Temp\IXP000.TMP\ppi.exe a variant of Win32/Injector.ABYP trojan cleaned by deleting - quarantined
C:\Windows.old.003\Users\Tiger\Downloads\SetupImgBurn_2.5.5.0.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Windows.old.003\Users\Tiger\Downloads\MediaInfo\MediaInfo_GUI_0.7.45_Windows_x64.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Windows.old.003\Windows\assembly\temp\U\00000002.@ Win64/Conedex.F trojan cleaned by deleting - quarantined
C:\Windows.old.003\Windows\assembly\temp\U\80000004.@ Win64/Sirefef.AO trojan cleaned by deleting - quarantined
C:\Windows.old.003\Windows\assembly\temp\U\80000032.@ probably a variant of Win32/Olmarik.AVQ trojan cleaned by deleting - quarantined
C:\Windows.old.003\Windows\assembly\temp\U\80000064.@ Win64/Olmarik.AU trojan cleaned by deleting - quarantined
C:\Windows.old.003\Windows\SysWOW64\srrstr.dll Win32/TrojanDownloader.Tracur.I trojan cleaned by deleting - quarantined
C:\Windows.old.003\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\defunix_net[1].htm HTML/TrojanDownloader.Applet.A trojan cleaned by deleting - quarantined
C:\Windows.old.003\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8WBIVW8A\defunix_net[1].htm HTML/TrojanDownloader.Applet.A trojan cleaned by deleting - quarantined
C:\winrar_3.80\wrar380.exe multiple threats deleted - quarantined
C:\WM Recorder 11.3\WM Recorder 11.3\Patch\WM.Recorder.v11.3_Patch.exe a variant of Win32/HackTool.Patcher.A application cleaned by deleting - quarantined
C:\wm.recorder.v11.3-engine\Crack\WM.Recorder.v11.3_Crk.exe a variant of Win32/HackTool.Patcher.A application cleaned by deleting - quarantined
F:\Old XP Operating System\VirtumundoBeGone.exe Win32/PrcView application cleaned by deleting - quarantined
F:\Old XP Operating System\Documents and Settings\All Users\proto.dll Win32/Spy.Delf.NXQ trojan cleaned by deleting - quarantined
F:\Old XP Operating System\Documents and Settings\HelpAssistant\Desktop\MM Tools\Media Files\CoreAVC 1.6\EDGE\keygen.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
F:\Old XP Operating System\Documents and Settings\Tony W\Desktop\MM Tools\Media Files\CoreAVC 1.6\edge.rar a variant of Win32/Keygen.EN application deleted - quarantined
F:\Old XP Operating System\Documents and Settings\Tony W\Desktop\MM Tools\Media Files\CoreAVC 1.6\EDGE\keygen.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
T:\Newsbin Download\b-ipod-video-converter.exe a variant of Win32/Injector.BBY trojan deleted - quarantined
T:\Newsbin Download\DVDVideosoft Studio 4.6.exe MSIL/TrojanDropper.Agent.BI trojan cleaned by deleting - quarantined
T:\Newsbin Download\keygen.exe a variant of Win32/Keygen.AD application cleaned by deleting - quarantined
T:\Newsbin Download\Xilisoft.DVD.Audio.Ripper.v5.0.50.0821.Cracked-QUANTiZE\x-dvd-audio-ripper5.exe BAT/TrojanDownloader.Agent.NBL trojan cleaned by deleting - quarantined
U:\Newsbin Downloads\bie786412.iso a variant of Win32/HackKMS.A application deleted - quarantined
U:\Newsbin Downloads\crack.rar Win32/HackKMS.A application deleted - quarantined
U:\Newsbin Downloads\Monkey Island 2 LeChucks Revenge Special Edition SKIDROW\sr-mi2se.iso a variant of Win32/Injector.ITQ trojan deleted - quarantined
U:\Newsbin Downloads\Stereoscopic Player v1.6.6 Final - Multilanguage - CRD\Stereoscopic.Player.v1.6.6.MULTILINGUAL-CRD.part1.rar a variant of Win32/Keygen.AK application deleted - quarantined
U:\Old Win7 June 8\Downloads\FFSetup260.zip a variant of Win32/Bundled.Toolbar.Ask application deleted - quarantined
U:\Old Win7 June 8\Downloads\SetupImgBurn_2.5.4.0.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
U:\Old XP Files\Documents and Settings\All Users\proto.dll Win32/Spy.Delf.NXQ trojan cleaned by deleting - quarantined
U:\Old XP Files\Documents and Settings\HelpAssistant\Desktop\MM Tools\Media Files\CoreAVC 1.6\EDGE\keygen.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\Old XP Files\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\WOBAB294\oHd2b502beV0100f080006R0143fdee102T99ad824a201l0409317[1].pdf JS/Exploit.Pdfka.ASD trojan cleaned by deleting - quarantined
U:\Old XP Files\Documents and Settings\Tony W\Desktop\MM Tools\Media Files\CoreAVC 1.6\edge.rar a variant of Win32/Keygen.EN application deleted - quarantined
U:\Old XP Files\Documents and Settings\Tony W\Desktop\MM Tools\Media Files\CoreAVC 1.6\EDGE\keygen.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1181\A0222654.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1182\A0228440.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1186\A0236457.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1186\A0244440.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1186\A0251611.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1186\A0259512.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1186\A0261606.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1186\A0269628.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1189\A0274111.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1190\A0281877.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1190\A0289877.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1192\A0298902.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
U:\UTorrent Downloads\Complete\Corel WinDVD Pro v11.0 Multilingual Incl Keymaker-CORE\keygen.exe a variant of Win32/Keygen.AU application deleted - quarantined
W:\Old XP Files\MM Tools\Media Files\CoreAVC 1.6\EDGE\keygen.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
X:\Ring Tones\Handy Progs\MP3Go.v2.02.with.keygen.[m-internet.com].(SIS.7650.Nokia).zip Win32/Keygen.EI application deleted - quarantined
X:\Ring Tones\Handy Progs\Keys\mp3gons60_202_en.exe Win32/Keygen.EI application cleaned by deleting - quarantined
X:\Ring Tones\Handy Progs\Keys\RemindMe.exe probably a variant of Win32/Agent.LPTFRMX trojan cleaned by deleting - quarantined
X:\Ring Tones\Handy Progs\LCG ProfiMail 2.24\ProfiMail keygen.exe probably a variant of Win32/Agent.LSGQLDX trojan cleaned by deleting - quarantined
X:\Ring Tones\Handy Progs\LCG ProfiMail 2.24\ProfiMail UIQ keygen.exe probably a variant of Win32/Agent.LSGQLDX trojan cleaned by deleting - quarantined
X:\Seabury Files\D400 Work Computer\Personal Files\CoreAVC 1.6\edge.rar a variant of Win32/Keygen.EN application deleted - quarantined
X:\Seabury Files\D400 Work Computer\Seabury Files\ILFC\AWSetup.exe multiple threats deleted - quarantined
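As an added triage example (not code from this thread or from ESET): a small Python parser for the log format above that tallies detections by kind, flags crack/keygen files that still sit on the live system, and lists entries ESET reported but recorded no action for. The rule that files under Windows.old, System Volume Information and the Qoobox quarantine are leftovers rather than live infections is my assumption; the sample lines are copied from the log above.

```python
"""Triage helper for ESET Online Scanner log lines in the format posted above.

Line shapes seen in the log:
  <path> [probably ][a variant of ]<Family/Name> <trojan|application> [<action> - quarantined]
  <path> multiple threats [<action> - quarantined]
where <action> is "cleaned by deleting" or "deleted".
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The path is matched lazily because paths contain spaces; the detection token
# (which always carries a "/") and the trailing keywords disambiguate the split.
_NAMED = re.compile(
    r"^(?P<path>.+?) (?:probably )?(?:a variant of )?"
    r"(?P<name>[A-Za-z0-9]+/\S+) (?P<kind>trojan|application)"
    r"(?: (?P<action>cleaned by deleting|deleted) - quarantined)?\s*$"
)
_MULTI = re.compile(
    r"^(?P<path>.+?) multiple threats"
    r"(?: (?P<action>cleaned by deleting|deleted) - quarantined)?\s*$"
)

# Assumption: files in these locations are leftovers (old Windows installs, System
# Restore snapshots, ComboFix's own quarantine), not something the live system runs.
_STALE = re.compile(
    r"\\Windows\.old|\\System Volume Information\\|\\Qoobox\\Quarantine\\", re.I
)
# Detection families that the helper in this thread asked to have removed outright.
_CRACK = re.compile(r"Keygen|HackTool|HackKMS", re.I)


@dataclass
class Detection:
    path: str
    name: str              # e.g. "Win32/Keygen.EN", or "multiple threats"
    category: str          # "crack/keygen", "trojan", "pua" or "multiple threats"
    stale: bool            # True when the file sits in a leftover location
    action: Optional[str]  # None when ESET reported the file but recorded no action


def parse_line(line: str) -> Optional[Detection]:
    """Parse one ESET log line; returns None for lines that are not detections."""
    m = _NAMED.match(line)
    if m:
        name = m["name"]
        if _CRACK.search(name):
            category = "crack/keygen"
        elif m["kind"] == "trojan":
            category = "trojan"
        else:
            category = "pua"   # OpenCandy, bundled toolbars and similar
    else:
        m = _MULTI.match(line)
        if not m:
            return None
        name = category = "multiple threats"
    path = m["path"]
    return Detection(path, name, category, bool(_STALE.search(path)), m["action"])


def triage(log_text: str) -> dict:
    """Summarise a log: counts per category, crack/keygen files still on the live
    system, and detections with no recorded action (these need a follow-up scan)."""
    dets = [d for d in (parse_line(ln) for ln in log_text.splitlines()) if d]
    return {
        "total": len(dets),
        "by_category": dict(Counter(d.category for d in dets)),
        "stale": sum(d.stale for d in dets),
        "live_cracks": [d.path for d in dets if d.category == "crack/keygen" and not d.stale],
        "unresolved": [d.path for d in dets if d.action is None],
    }


# Sample input: nine lines copied from the ESET log posted above.
SAMPLE_LOG = r"""
C:\Windows.old.000\Users\Tiger\Local Settings\Temp\77662.exe probably a variant of MSIL/TrojanDropper.Binder.AS trojan
C:\Corel WinDVD Plus v9.0 Blu-ray\KeyGen\Corel WinDVD Plus v9.0 Blu-ray KeyGen.exe a variant of Win32/Keygen.AF application cleaned by deleting - quarantined
C:\Photoshop\Activator.exe a variant of Win32/Injector.AFN trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.G trojan cleaned by deleting - quarantined
C:\Turbo Tax\Intuit TurboTax Home and Business 2009 Lz0\Intuit TurboTax Home and Business 2009 Lz0\lz03p901\lz03p901.iso multiple threats deleted - quarantined
C:\Users\Tiger\Downloads\MediaInfo_GUI_0.7.52_Windows_x64.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\WM Recorder 11.3\WM Recorder 11.3\Patch\WM.Recorder.v11.3_Patch.exe a variant of Win32/HackTool.Patcher.A application cleaned by deleting - quarantined
U:\Newsbin Downloads\bie786412.iso a variant of Win32/HackKMS.A application deleted - quarantined
U:\System Volume Information\_restore{F623C10C-4EA8-43E9-A4B7-C8219E514207}\RP1181\A0222654.exe a variant of Win32/Keygen.EN application cleaned by deleting - quarantined
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```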
 



#9 jntkwx

jntkwx

  • Malware Response Team

Posted 29 July 2013 - 01:11 PM

Looking better.  :)

I notice in your last log cracks/keygens.

IMPORTANT NOTE: The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.
 

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

trendmicro.com/vinfo

 

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

 

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

 

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

When you use these kinds of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and are an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens, there is nothing you can do besides reformatting and reinstalling the OS.

Before we can continue, I need you to remove all cracks and keygens immediately to reduce the risk of infection/reinfection. If not, then we are just wasting time trying to clean your system. Further, other tools used during the disinfection process may detect crack and keygens so we need to ensure they have been removed.

Using these types of programs or the websites you visited to get them is almost a guaranteed way to get yourself infected!!


 
How's the computer running now?
 
Please also copy and paste C:\Qoobox\Add-Remove Programs.txt into your next reply.


Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#10 chucky99

chucky99
  • Topic Starter

  • Members

Posted 31 July 2013 - 09:03 PM

Hi Jason,

 

Thanks for the warnings about the warez and such. I have not used such software, keygens and such in the last 2-3 years. Many of the items must be remnants from my older hard drive.

 

The computer is currently running well and all of the problems seem to be solved.

 

Here is the text of the Qoobox file that you requested.

 

µTorrent
2007 Microsoft Office Suite Service Pack 2 (SP2)
AC3Filter 1.63b
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.7)
Air Video Server 2.4.3
AnyDVD
Apple Application Support
Apple Software Update
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CDisplay 1.8
Cisco WebEx Meetings
CyberLink PowerDVD 11
DAEMON Tools Lite
Diablo III
DVD Audio Extractor 4.5.0
DVD Shrink 3.2
EPSON Scan
ESET Online Scanner v3
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Haali Media Splitter
ImgBurn
Java 7 Update 25
Java Auto Updater
Malwarebytes Anti-Malware version 1.75.0.1300
marvell 61xx
Marvell Miniport Driver
MediaCoder 0.8.13
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
MKVToolNix 6.2.0
Octoshape add-in for Adobe Flash Player
QuickPar 0.9
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Safari
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Subtitle Edit 3.2.8
Subtitle Workshop 2.51
TurboTax 2011
TurboTax 2011 wcaiper
TurboTax 2011 WinPerFedFormset
TurboTax 2011 WinPerReleaseEngine
TurboTax 2011 WinPerTaxSupport
TurboTax 2011 wrapper
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb972691)
VLC media player 2.0.4
VobSub v2.23 (Remove Only)
 



#11 jntkwx

jntkwx

  • Malware Response Team

Posted 01 August 2013 - 04:34 PM

chucky99,
 
Your computer looks clean!

This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.

Let's take some preventative steps to ensure you don't get infected again:

 
============
P2P Client Caution
============
 
Going over your logs I noticed that you have µTorrent installed.

  • It is strongly recommended to avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
  • It is pretty much certain that if you continue to use P2P programs, you will get infected again.
    I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Programs and Features

:step1: Removing some of the tools used

Why we need to remove some of our tools:

  • Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful; if used incorrectly or at the wrong time, they can make the computer an expensive paperweight. They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

    The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
     
  • DeFogger:

    Note: DeFogger only needs to be run if it was run when we first started. If you have not already run it, then skip this.
  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK. Your Emulation drivers are now re-enabled.
  • Uninstall ComboFix:
  • Turn off all active protection software (antivirus)
  • Press the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • Please copy and paste the following into the box, and click OK:

c:\users\Tiger\Downloads\ComboFix\ComboFix.exe /Uninstall

  • Note the space between the X and the /Uninstall, it needs to be there.
     
  • Remove the rest of our tools:

    Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your computer
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so. 


:step2: Outdated versions of Adobe Reader have vulnerabilities that malware can use to reinfect your computer. Please update to the latest, secure version:

:step3: Make Internet Explorer more secure:
Hold down the Windows Key, and press the R key.
In the Run dialog box, type: inetcpl.cpl and click OK.
Click on the Security tab.
Click Reset all zones to default level.
Next, click OK, then the Apply button, and then OK to exit the Internet Properties page.

:step4: Install the Latest Version of Common Software:
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting http://secunia.com/vulnerability_scanning/online/ and http://www.calendarofupdates.com/updates/calendar.html.

I recommend FileHippo's update checker that scans your computer for programs it recognizes and allows you to easily download new versions of common software: http://filehippo.com/updatechecker/UpdateChecker.exe

:step5: Finally, read this tutorial and follow each of the steps:
http://www.bleepingcomputer.com/tutorials/tutorial82.html

Please feel free to post any future computer problems in the appropriate forum. Have a great day! :)


Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#12 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:58 PM

Posted 04 August 2013 - 03:49 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Regards,
Jason


