Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with toolbars, running slow, sweetpack


  • This topic is locked This topic is locked
23 replies to this topic

#1 markminer

markminer

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 22 August 2013 - 06:01 PM

Hi BC!

I had GREAT results with you when de-virusing my computer, so now I am coming to you with a friend's malware issues.

I'm seeing two tool-bars, and when I downloaded Mozilla Firefox for him, some "sweetpack" thing came across the screen. He is compliaining about it being slow.

It takes a long time to go from one page to the next.

Sometimes when he clicks on a site, he gets page after page after page of the same site.

and there's no way he can stop it.

A window pops up saying that his disk is 90% occupied, not much free space left.

(I have had him to disk clean up.)

He has problems deleting mail on yahoo,unless he constantly refreshes, presses 'Open."

He has CONSTANT anti-virus windows, "Clean up space disk"

 

His AVG is expired.

 

I have diligently followed the eight steps of preparation, and here paste dds.txt, and attach attach.txt.

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 6.0.2900.5512
Run by Johnson at 15:38:02 on 2013-08-22
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2941.1807 [GMT -7:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\24x7Help\App24x7Svc.exe
C:\Program Files\MyPC Backup\BackupStack.exe
C:\WINDOWS\system32\dmwu.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe
C:\Program Files\Wajam\Updater\WajamUpdater.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\loggingserver.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Inbox Toolbar\Inbox.exe
C:\Program Files\24x7Help\App24x7Help.exe
C:\Program Files\OnlineVault\OVTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Johnson\Local Settings\Application Data\Updater19866\Updater19866.exe
C:\PROGRA~1\REBATE~1\REBATE~1.EXE
C:\Program Files\24x7Help\App24x7Hook.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\MyPC Backup\MyPC Backup.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\WINDOWS\system32\jmdp\stij.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www2.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&iwk=%iwk&%language
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={712E4EB8-FEE4-11E2-BB08-001C25D91F7A}
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Inbox Toolbar: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - c:\program files\inbox toolbar\Inbox.dll
BHO: Deal Vault: {11111111-1111-1111-1111-110111981166} - c:\program files\deal vault\Deal Vault.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Updater By SweetPacks: {7D4F1959-3F72-49d5-8E59-F02F8AA6815D} - c:\program files\updater by sweetpacks\Extension32.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\15.5.0.2\AVG Secure Search_toolbar.dll
BHO: Wajam: {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} -
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: <No Name>: {CCB69577-088B-4004-9ED8-FF5BCC83A039} - c:\program files\rebateinformer\RebateI.dll
BHO: Inbox Toolbar: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - c:\program files\inbox toolbar\Inbox.dll
BHO: SweetPacks Browser Helper: {EEE6C35C-6118-11DC-9C72-001320C79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: &Inbox Toolbar: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - c:\program files\inbox toolbar\Inbox.dll
TB: SweetPacks Toolbar for Internet Explorer: {EEE6C35B-6118-11DC-9C72-001320C79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\15.5.0.2\AVG Secure Search_toolbar.dll
TB: &Inbox Toolbar: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - c:\program files\inbox toolbar\Inbox.dll
TB: SweetPacks Toolbar for Internet Explorer: {EEE6C35B-6118-11DC-9C72-001320C79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Updater19866.exe] c:\documents and settings\johnson\local settings\application data\updater19866\Updater19866.exe /extensionid=19866 /extensionname='Deal Vault' /chromeid=mifpbickojhbejhppcfgifjbmiinpjap /stayidle /delay=300
uRun: [SystweakASP] "c:\program files\regclean pro\SystweakASP.exe" /verysilent
uRun: [ActiverisAM] "c:\program files\activeris antimalware\ActiverisAM.exe" /verysilent
uRun: [PCBReminder] c:\program files\fastagain pc booster\PCBooster.exe -rem
uRun: [RebateInformer] c:\progra~1\rebate~1\REBATE~1.EXE /STARTUP
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe  startup
mRun: [InboxToolbar] "c:\program files\inbox toolbar\Inbox.exe" /STARTUP
mRun: [24x7HELP] "c:\program files\24x7help\App24x7Help.exe" /STARTUP
mRun: [Online Vault] "c:\program files\onlinevault\OVTray.exe"
StartupFolder: c:\docume~1\johnson\startm~1\programs\startup\imvu.lnk - c:\documents and settings\johnson\application data\imvuclient\IMVUQualityAgent.exe
StartupFolder: c:\docume~1\johnson\startm~1\programs\startup\mypcba~1.lnk - c:\program files\mypc backup\MyPC Backup.exe
StartupFolder: c:\docume~1\johnson\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2011\QBW32.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{502B61E2-C6D0-4017-A51F-070E38A80EEA} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\program files\inbox toolbar\Inbox.dll
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - c:\program files\rebateinformer\RebateI.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\15.5.0\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1     mpa.one.microsoft.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\johnson\application data\mozilla\firefox\profiles\0z06sgwr.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://start.sweetpacks.com?src=6&barid={712E4EB8-FEE4-11E2-BB08-001C25D91F7A}&crg=3.5000006.10045&st=23&q=
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\15.5.0\npsitesafety.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - ExtSQL: 2013-08-06 15:07; {8E9E3331-D360-4f87-8803-52DE43566502}; c:\program files\updater by sweetpacks\Firefox
FF - ExtSQL: 2013-08-14 14:20; avg@toolbar; c:\documents and settings\all users\application data\avg secure search\firefoxext\15.5.0.2
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-10-15 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 177376]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-10-5 94048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-9-14 35552]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-10-22 179936]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2012-9-21 19936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-10-2 159712]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-9-21 164832]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-11-21 37664]
R2 24x7HelpSvc;24x7HelpService;c:\program files\24x7help\App24x7Svc.exe [2013-7-31 342608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2012-11-16 5814904]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2012-10-22 196664]
R2 BackupStack;Computer Backup (MyPC Backup);c:\program files\mypc backup\BackupStack.exe [2013-7-1 32808]
R2 IBUpdaterService;IBUpdaterService;c:\windows\system32\dmwu.exe [2013-8-6 1344304]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-11-9 1248256]
R2 Updater By SweetPacks;Updater By SweetPacks;c:\program files\updater by sweetpacks\ExtensionUpdaterService.exe [2013-8-6 188760]
R2 vToolbarUpdater15.5.0;vToolbarUpdater15.5.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.5.0\ToolbarUpdater.exe [2013-8-14 1643184]
R2 WajamUpdater;WajamUpdater;c:\program files\wajam\updater\WajamUpdater.exe [2013-5-2 109064]
R3 BrSerIb;Brother Serial Interface Driver(WDM);c:\windows\system32\drivers\BrSerIb.sys [2013-1-17 71424]
R3 BrUsbSIb;Brother Serial USB Driver(WDM);c:\windows\system32\drivers\BrUsbSib.sys [2013-1-17 11520]
R3 QuickBooksDB21;QuickBooksDB21;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb21 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB21 [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-08-08 21:07:05    --------    d-----w-    c:\documents and settings\johnson\local settings\application data\PCHealth
2013-08-06 22:07:56    --------    d-----w-    c:\program files\Free Window Registry Repair
2013-08-06 22:07:36    --------    d-----w-    c:\documents and settings\all users\application data\SweetIM
2013-08-06 22:07:15    --------    d-----w-    c:\documents and settings\johnson\local settings\application data\Wajam
2013-08-06 22:07:14    --------    d-----w-    c:\program files\Wajam
2013-08-06 22:07:04    --------    d-----w-    c:\program files\Updater By SweetPacks
2013-08-06 22:06:55    --------    d-----w-    c:\program files\SweetIM
2013-08-06 22:06:44    --------    d-----w-    c:\documents and settings\johnson\AppData
2013-08-06 22:06:42    --------    d-----w-    c:\windows\system32\jmdp
2013-08-06 22:06:38    632656    ----a-w-    c:\windows\system32\msvcr80.dll
2013-08-06 22:06:38    554832    ----a-w-    c:\windows\system32\msvcp80.dll
2013-08-06 22:06:38    479232    ----a-w-    c:\windows\system32\msvcm80.dll
2013-08-06 22:06:38    --------    d-----w-    c:\windows\system32\ARFC
2013-08-06 22:06:37    27136    ----a-w-    c:\windows\system32\ImHttpComm.dll
2013-08-06 22:06:37    1344304    ----a-w-    c:\windows\system32\dmwu.exe
2013-08-06 22:06:36    --------    d-----w-    c:\windows\system32\WNLT
2013-07-31 22:51:17    --------    d-----w-    c:\documents and settings\johnson\application data\RebateInformer
2013-07-31 22:50:14    --------    d-----w-    c:\documents and settings\johnson\application data\OnlineVault
2013-07-31 22:50:11    --------    d-----w-    c:\program files\OnlineVault
2013-07-31 22:50:04    --------    d-----w-    c:\program files\Inbox.com
2013-07-31 22:50:03    --------    d-----w-    c:\program files\RebateInformer
2013-07-31 22:50:02    --------    d-----w-    c:\documents and settings\johnson\application data\24x7 Help
2013-07-31 22:49:59    --------    d-----w-    c:\program files\24x7Help
2013-07-31 22:49:14    --------    d-----w-    c:\documents and settings\johnson\application data\Inbox Toolbar
2013-07-31 22:49:13    --------    d-----w-    c:\program files\Inbox Toolbar
.
==================== Find3M  ====================
.
2013-08-20 18:41:02    692104    -c--a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-08-20 18:41:01    71048    -c--a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-14 21:19:53    37664    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
.
============= FINISH: 15:43:14.87 ===============
 

 

 



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:32 PM

Posted 23 August 2013 - 03:06 AM


Hello markminer

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 markminer

markminer
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 23 August 2013 - 02:36 PM

 
Hi Gringo,
Glad to have a pro on board!
Johnson (owner of computer) reports that system is running faster after removing temporary files and defragging.
I observe that the buttons on ADWcleaner are now labeled SCAN and CLEAN, rather than " Delete."

I ran both AdwCleaner and JRT without incident, and I paste the logs here.
Johnson also has "Fast Again PC Booster" , a malware, on the desktop.

Thanks so much!

---Mark Miner

AdwCleaner
# AdwCleaner v3.000 - Report created 23/08/2013 at 09:24:16
# Updated 20/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Johnson - FRONTDESK
# Running from : C:\Documents and Settings\Johnson\My Documents\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : 24x7HelpSvc
[#] Service Deleted : BackupStack
[#] Service Deleted : IBUpdaterService
[#] Service Deleted : Updater By SweetPacks
[#] Service Deleted : WajamUpdater

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Application Data\SweetIM
Folder Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\24x7 Help
Folder Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\Inbox Toolbar
Folder Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\RebateInformer
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Deal Vault
Folder Deleted : C:\Program Files\Inbox Toolbar
Folder Deleted : C:\Program Files\Inbox.com
[!] Folder Deleted : C:\Program Files\MyPC Backup
Folder Deleted : C:\Program Files\RebateInformer
Folder Deleted : C:\Program Files\SweetIM
Folder Deleted : C:\Program Files\Updater By SweetPacks
Folder Deleted : C:\Program Files\Wajam
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\WINDOWS\system32\ARFC
Folder Deleted : C:\WINDOWS\system32\jmdp
Folder Deleted : C:\WINDOWS\system32\WNLT
Folder Deleted : C:\Documents and Settings\Johnson\Local Settings\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Johnson\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Johnson\Local Settings\Application Data\Wajam
Folder Deleted : C:\Documents and Settings\Johnson\Application Data\24x7 Help
Folder Deleted : C:\Documents and Settings\Johnson\Application Data\Advanced System Protector
Folder Deleted : C:\Documents and Settings\Johnson\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Johnson\Application Data\DefaultTab
Folder Deleted : C:\Documents and Settings\Johnson\Application Data\Inbox Toolbar
Folder Deleted : C:\Documents and Settings\Johnson\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\Johnson\Application Data\RebateInformer
Folder Deleted : C:\Documents and Settings\Johnson\Application Data\Systweak
Folder Deleted : C:\Documents and Settings\Johnson\Start Menu\Programs\MyPC Backup
Folder Deleted : C:\Documents and Settings\Johnson\Start Menu\Programs\Wajam
[!] Folder Deleted : C:\Documents and Settings\Johnson\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
[!] Folder Deleted : C:\Documents and Settings\Johnson\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
[!] Folder Deleted : C:\Documents and Settings\Johnson\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
[!] Folder Deleted : C:\Documents and Settings\Johnson\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pbofibgamhkgoonaocfgemncghhadmgb
[!] Folder Deleted : C:\Documents and Settings\Johnson\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pbofibgamhkgoonaocfgemncghhadmgb
File Deleted : C:\Documents and Settings\All Users\Desktop\24x7 Help.lnk
File Deleted : C:\Documents and Settings\All Users\Desktop\RebateInformer.lnk
File Deleted : C:\WINDOWS\system32\dmwu.exe
File Deleted : C:\WINDOWS\system32\ImhxxpComm.dll
File Deleted : C:\WINDOWS\system32\roboot.exe
File Deleted : C:\Documents and Settings\Johnson\Start Menu\Programs\Startup\MyPC Backup.lnk
File Deleted : C:\Documents and Settings\Johnson\Desktop\MyPC Backup.lnk

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
Key Deleted : HKCU\Software\Google\Chrome\Extensions\pbofibgamhkgoonaocfgemncghhadmgb
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pbofibgamhkgoonaocfgemncghhadmgb
Key Deleted : HKLM\SOFTWARE\Classes\AppID\Extension.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\priam_bho.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\CShared.TB4Client
Key Deleted : HKLM\SOFTWARE\Classes\CShared.TB4Script
Key Deleted : HKLM\SOFTWARE\Classes\CShared.TB4Server
Key Deleted : HKLM\SOFTWARE\Classes\CShared.TB4Server2
Key Deleted : HKLM\SOFTWARE\Classes\Extension.ExtensionHelperObject
Key Deleted : HKLM\SOFTWARE\Classes\Extension.ExtensionHelperObject.1
Key Deleted : HKLM\SOFTWARE\Classes\Inbox.AppServer
Key Deleted : HKLM\SOFTWARE\Classes\Inbox.IBX404
Key Deleted : HKLM\SOFTWARE\Classes\Inbox.JSServer
Key Deleted : HKLM\SOFTWARE\Classes\Inbox.Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\inbox
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\rebinfo
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\RebateI.Rebate Informer BHO
Key Deleted : HKLM\SOFTWARE\Classes\RebateI.RebateInformImageGen
Key Deleted : HKLM\SOFTWARE\Classes\RebateInf.RebateInfObj
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar
Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO.1
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader.1
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [RebateInformer]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [24x7HELP]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [InboxToolbar]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelperApp.exe]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarProxy.dll]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WajamUpdater
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0019866.BHO
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0019866.BHO.1
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0019866.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0019866.Sandbox.1
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Updater19866.exe]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B302A1BD-0157-49FA-90F1-4E94F22C7B4B}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{183643C8-EE67-4574-9A38-927852E34163}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4EF645BD-65B0-4F98-AD56-D0437B7045F6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{54ECA872-DB2A-4C6B-BBB2-F3777C6786CC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7D4F1959-3F72-49D5-8E59-F02F8AA6815D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AF808758-C780-404C-A4EE-4526323FD9B6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DB35C569-5624-4CFC-8043-E5139F55A073}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110111981166}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{01C78433-6FDF-4E5A-A82D-B535C32E03DF}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{41349826-5C7F-4BF0-8279-5DAF1DE6E9AE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{604EA016-1EDE-41E6-A23E-76CF8F2A4808}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A36867C6-302D-49FC-9D8E-1EB037B5F1AB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B3BA5582-79A9-464D-A7FA-711C5888C6E9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E9BBD270-4B87-4EE2-912F-6635674986C0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1D5A4199-956E-49BC-B89F-6A35C57C0D13}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{438B047C-C041-4D15-98CF-A97C6B366C28}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{506F578A-91E1-46CE-830F-E2F4268E9966}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D4F1959-3F72-49D5-8E59-F02F8AA6815D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110111981166}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7D4F1959-3F72-49D5-8E59-F02F8AA6815D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110111981166}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110111981166}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{21111111-1111-1111-1111-110111981166}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D7E97865-918F-41E4-9CD0-25AB1C574CE8}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D7E97865-918F-41E4-9CD0-25AB1C574CE8}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{D3D233D5-9F6D-436C-B6C7-E63F77503B30}]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\WINDOWS\system32\ARFC\wrtc.exe]
Key Deleted : HKCU\Software\24x7HELP
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\Crossrider
Key Deleted : HKCU\Software\CToolbar
Key Deleted : HKCU\Software\Deal Vault
Key Deleted : HKCU\Software\Default Tab
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\Inbox Toolbar
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\Wajam
Key Deleted : HKCU\Software\WNLT
Key Deleted : HKLM\Software\24x7HELP
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\CToolbar
Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\Software\Inbox Toolbar
Key Deleted : HKLM\Software\systweak
Key Deleted : HKLM\Software\Wajam
Key Deleted : HKLM\Software\WNLT
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4EF645BD-65B0-4F98-AD56-D0437B7045F6}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{612AD33D-9824-4E87-8396-92374E91C4BB}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A957F04C-49F4-4375-8C8A-D04B769EFE47}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deal Vault
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WNLT
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{4EF645BD-65B0-4F98-AD56-D0437B7045F6}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{612AD33D-9824-4E87-8396-92374E91C4BB}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{A957F04C-49F4-4375-8C8A-D04B769EFE47}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Deal Vault
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wajam
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\WNLT

***** [ Browsers ] *****

-\\ Internet Explorer v6.0.2900.5512

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Search Bar]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Documents and Settings\Johnson\Application Data\Mozilla\Firefox\Profiles\0z06sgwr.default\prefs.js ]

Line Deleted : user_pref("browser.newtab.url", "hxxp://start.sweetpacks.com/?barid={712E4EB8-FEE4-11E2-BB08-001C25D91F7A}&src=97&crg=3.5000006.10045&st=23");
Line Deleted : user_pref("extensions.installCache", "[{\"name\":\"winreg-app-global\",\"addons\":{\"avg@toolbar\":{\"descriptor\":\"C:\\\\Documents and Settings\\\\All Users\\\\Application Data\\\\AVG Secure Search\[...]

-\\ Google Chrome v29.0.1547.57

[ File : C:\Documents and Settings\Johnson\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : search_url
Deleted : icon_url
Deleted : keyword

*************************

AdwCleaner[R0].txt - [21639 octets] - [23/08/2013 09:22:00]
AdwCleaner[S0].txt - [21774 octets] - [23/08/2013 09:24:16]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [21835 octets] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.4 (08.22.2013:1)
OS: Microsoft Windows XP x86
Ran by Johnson on Fri 08/23/2013 at  9:41:23.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\online vault
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\systweakasp



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{865D7100-82C7-42F4-9C06-860DEC0871B2}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\updater by sweetpacks
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\updater by sweetpacks
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-220122982266}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{55555555-5555-5555-5555-550155985566}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66666666-6666-6666-6666-660166986666}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{44444444-4444-4444-4444-440144984466}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2612669
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3272718
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{55555555-5555-5555-5555-550155985566}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{66666666-6666-6666-6666-660166986666}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{44444444-4444-4444-4444-440144984466}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\pchealthboost"
Successfully deleted: [Folder] "C:\Documents and Settings\Johnson\Application Data\onlinevault"
Successfully deleted: [Folder] "C:\Documents and Settings\Johnson\Local Settings\Application Data\cre"
Successfully deleted: [Folder] "C:\Program Files\24x7help"
Successfully deleted: [Folder] "C:\Program Files\onlinevault"
Successfully deleted: [Folder] "C:\Documents and Settings\Johnson\start menu\programs\free window registry repair"



~~~ FireFox

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{8E9E3331-D360-4f87-8803-52DE43566502}





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 08/23/2013 at  9:44:36.37
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:32 PM

Posted 23 August 2013 - 04:44 PM


Hello markminer

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:32 PM

Posted 26 August 2013 - 09:23 AM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 markminer

markminer
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 26 August 2013 - 02:47 PM

Sorry, busy weekend!

I'll get right on the CombiFix.

----Mark



#7 markminer

markminer
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 26 August 2013 - 03:22 PM

OK,Gringo, Here's the COMBOFIX log . ..

 

 

 

ComboFix 13-08-25.01 - Johnson 08/26/2013  13:15:51.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2941.1835 [GMT -7:00]
Running from: c:\documents and settings\Johnson\My Documents\Downloads\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Johnson\Application Data\Microsoft\Internet Explorer\Quick Launch\24x7 Help.lnk
c:\documents and settings\Johnson\Desktop\Setup.exe
c:\windows\system32\Cache
c:\windows\system32\Cache\0eb68d87b9161621.fb
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\44276e7ae103922b.fb
c:\windows\system32\Cache\466808473252606f.fb
c:\windows\system32\Cache\4de607b8bb21ddcd.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\946f60b24567f928.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\ae36ef6a3f233490.fb
c:\windows\system32\Cache\b7d9707f18a00a05.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\c69e494758ca622e.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-26 to 2013-08-26  )))))))))))))))))))))))))))))))
.
.
2013-08-24 18:37 . 2013-08-24 18:37    --------    d-----w-    c:\documents and settings\Guest
2013-08-23 17:42 . 2013-08-23 17:42    21035    ----a-w-    c:\windows\system32\drivers\AegisP.sys
2013-08-23 17:41 . 2008-06-27 01:39    332928    ----a-r-    c:\windows\system32\drivers\RTL8187.sys
2013-08-23 17:41 . 2008-06-27 01:39    332928    ------r-    c:\windows\system\rtl8187.sys
2013-08-23 17:41 . 2013-08-23 17:41    --------    d-----w-    c:\windows\system32\REALTEK RTL8187 Wireless LAN Driver and Utility
2013-08-23 17:41 . 2007-10-09 20:13    38144    ----a-w-    c:\windows\system32\drivers\EAPPkt.sys
2013-08-23 16:41 . 2013-08-23 16:41    --------    d-----w-    c:\windows\ERUNT
2013-08-23 16:21 . 2013-08-23 16:26    --------    d-----w-    C:\AdwCleaner
2013-08-22 22:04 . 2013-08-22 22:04    --------    d-----w-    c:\documents and settings\Johnson\Local Settings\Application Data\Mozilla
2013-08-22 22:04 . 2013-08-22 22:04    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2013-08-08 21:07 . 2013-08-08 21:07    --------    d-----w-    c:\documents and settings\Johnson\Local Settings\Application Data\PCHealth
2013-08-06 22:07 . 2013-08-06 22:09    --------    d-----w-    c:\program files\Free Window Registry Repair
2013-08-06 22:06 . 2013-08-06 22:06    --------    d-----w-    c:\documents and settings\Johnson\AppData
2013-08-06 22:06 . 2013-07-04 07:12    632656    ----a-w-    c:\windows\system32\msvcr80.dll
2013-08-06 22:06 . 2013-07-04 07:12    554832    ----a-w-    c:\windows\system32\msvcp80.dll
2013-08-06 22:06 . 2013-07-04 07:12    479232    ----a-w-    c:\windows\system32\msvcm80.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-20 18:41 . 2012-11-22 03:14    692104    -c--a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-08-20 18:41 . 2012-11-22 03:14    71048    -c--a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-14 21:19 . 2012-11-22 02:07    37664    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1AMPCBOK]
@="{04cd1f3e-81d5-4904-a3ab-e0f99a7d769d}"
[HKEY_CLASSES_ROOT\CLSID\{04cd1f3e-81d5-4904-a3ab-e0f99a7d769d}]
2010-03-18 18:09    297808    ----a-w-    c:\windows\system32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ActiverisAM"="c:\program files\Activeris AntiMalware\ActiverisAM.exe" [2012-10-17 608296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2010-02-10 618496]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-12 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-12 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-12 141336]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-10 16851968]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-10-08 2643320]
.
c:\documents and settings\Johnson\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2010-3-29 227712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe /Startup [2012-10-15 6153080]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-10-24 1157008]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2011\QBW32.EXE -silent [2012-10-24 1179024]
REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\Realtek\RTL8187 Wireless LAN Utility\RtWLan.exe /H [2013-8-23 815104]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2011\\QBDBMgrN.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [10/15/2012 4:48 AM 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 4:46 AM 177376]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/14/2012 4:05 AM 35552]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [10/22/2012 2:02 PM 179936]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [9/21/2012 4:45 AM 19936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/2/2012 4:30 AM 159712]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/21/2012 4:46 AM 164832]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [11/21/2012 7:07 PM 37664]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [10/22/2012 2:05 PM 196664]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [8/23/2013 10:41 AM 38144]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [11/9/2011 11:59 AM 1248256]
R3 BrSerIb;Brother Serial Interface Driver(WDM);c:\windows\system32\drivers\BrSerIb.sys [1/17/2013 1:44 PM 71424]
R3 BrUsbSIb;Brother Serial USB Driver(WDM);c:\windows\system32\drivers\BrUsbSib.sys [1/17/2013 1:44 PM 11520]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [11/16/2012 12:34 AM 5814904]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S2 vToolbarUpdater15.5.0;vToolbarUpdater15.5.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [?]
S3 QuickBooksDB21;QuickBooksDB21;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB21 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB21 [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [8/23/2013 10:41 AM 332928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-22 19:52    1177552    ----a-w-    c:\program files\Google\Chrome\Application\29.0.1547.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-22 18:41]
.
2013-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-22 05:37]
.
2013-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-22 05:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Johnson\Application Data\Mozilla\Firefox\Profiles\0z06sgwr.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{4d87b7a7-23f1-470c-aa45-96b25b9bd138} - (no file)
c:\documents and settings\Johnson\Start Menu\Programs\Startup\IMVU.lnk - c:\documents and settings\Johnson\Application Data\IMVUClient\IMVUQualityAgent.exe "--startup"
AddRemove-MyPC Backup - c:\program files\MyPC Backup\uninst.exe
AddRemove-{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}_is1 - c:\program files\Updater By SweetPacks\unins000.exe
AddRemove-{FE60B87C-63A2-4A45-AC06-FFEFD5DB7846}_is1 - c:\program files\OnlineVault\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-26 13:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1136)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'winlogon.exe'(2424)
c:\windows\system32\igfxdev.dll
.
Completion time: 2013-08-26  13:19:29
ComboFix-quarantined-files.txt  2013-08-26 20:19
.
Pre-Run: 484,854,923,264 bytes free
Post-Run: 485,233,618,944 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 17253DF7DB8D3588BA4A6494FB2A1C81
8F558EB6672622401DA993E1E865C861
 



#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:32 PM

Posted 26 August 2013 - 08:50 PM


Hello markminer

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
CFScriptB-4.gif
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 markminer

markminer
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 28 August 2013 - 10:46 AM

OK,Gringo, here the log from running combox the second time.

I put the command on the note pad file and dragged it to Combofix to start it again.

---Mark Miner

 

 

ComboFix 13-08-25.01 - Johnson 08/28/2013   8:39.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2941.2312 [GMT -7:00]
Running from: c:\documents and settings\Johnson\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Johnson\Desktop\CFScript.txt
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-28 to 2013-08-28  )))))))))))))))))))))))))))))))
.
.
2013-08-24 18:37 . 2013-08-24 18:37    --------    d-----w-    c:\documents and settings\Guest
2013-08-23 17:42 . 2013-08-23 17:42    21035    ----a-w-    c:\windows\system32\drivers\AegisP.sys
2013-08-23 17:41 . 2008-06-27 01:39    332928    ----a-r-    c:\windows\system32\drivers\RTL8187.sys
2013-08-23 17:41 . 2008-06-27 01:39    332928    ------r-    c:\windows\system\rtl8187.sys
2013-08-23 17:41 . 2013-08-23 17:41    --------    d-----w-    c:\windows\system32\REALTEK RTL8187 Wireless LAN Driver and Utility
2013-08-23 17:41 . 2007-10-09 20:13    38144    ----a-w-    c:\windows\system32\drivers\EAPPkt.sys
2013-08-23 16:41 . 2013-08-23 16:41    --------    d-----w-    c:\windows\ERUNT
2013-08-23 16:21 . 2013-08-23 16:26    --------    d-----w-    C:\AdwCleaner
2013-08-22 22:04 . 2013-08-22 22:04    --------    d-----w-    c:\documents and settings\Johnson\Local Settings\Application Data\Mozilla
2013-08-22 22:04 . 2013-08-22 22:04    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2013-08-08 21:07 . 2013-08-08 21:07    --------    d-----w-    c:\documents and settings\Johnson\Local Settings\Application Data\PCHealth
2013-08-06 22:07 . 2013-08-06 22:09    --------    d-----w-    c:\program files\Free Window Registry Repair
2013-08-06 22:06 . 2013-08-06 22:06    --------    d-----w-    c:\documents and settings\Johnson\AppData
2013-08-06 22:06 . 2013-07-04 07:12    632656    ----a-w-    c:\windows\system32\msvcr80.dll
2013-08-06 22:06 . 2013-07-04 07:12    554832    ----a-w-    c:\windows\system32\msvcp80.dll
2013-08-06 22:06 . 2013-07-04 07:12    479232    ----a-w-    c:\windows\system32\msvcm80.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-20 18:41 . 2012-11-22 03:14    692104    -c--a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-08-20 18:41 . 2012-11-22 03:14    71048    -c--a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-14 21:19 . 2012-11-22 02:07    37664    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
2013-07-20 08:51 . 2012-09-21 11:46    246072    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-07-20 08:50 . 2012-10-22 21:02    208184    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-20 08:50 . 2012-10-15 11:48    60216    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2013-07-20 08:50 . 2012-10-02 11:30    171320    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-07-10 08:32 . 2012-09-14 11:05    39224    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2013-07-01 08:45 . 2012-10-05 11:32    96568    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1AMPCBOK]
@="{04cd1f3e-81d5-4904-a3ab-e0f99a7d769d}"
[HKEY_CLASSES_ROOT\CLSID\{04cd1f3e-81d5-4904-a3ab-e0f99a7d769d}]
2010-03-18 18:09    297808    ----a-w-    c:\windows\system32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ActiverisAM"="c:\program files\Activeris AntiMalware\ActiverisAM.exe" [2012-10-17 608296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2010-02-10 618496]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-12 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-12 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-12 141336]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-10 16851968]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-07-01 4411440]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-10-08 2643320]
.
c:\documents and settings\Johnson\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2010-3-29 227712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe /Startup [2012-10-15 6153080]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-10-24 1157008]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2011\QBW32.EXE -silent [2012-10-24 1179024]
REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\Realtek\RTL8187 Wireless LAN Utility\RtWLan.exe /H [2013-8-23 815104]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2011\\QBDBMgrN.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [10/15/2012 4:48 AM 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 4:46 AM 246072]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/14/2012 4:05 AM 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [10/22/2012 2:02 PM 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [9/21/2012 4:45 AM 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/2/2012 4:30 AM 171320]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/21/2012 4:46 AM 182072]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [11/21/2012 7:07 PM 37664]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [7/23/2013 7:09 PM 283136]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [8/23/2013 10:41 AM 38144]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [11/9/2011 11:59 AM 1248256]
R3 BrSerIb;Brother Serial Interface Driver(WDM);c:\windows\system32\drivers\BrSerIb.sys [1/17/2013 1:44 PM 71424]
R3 BrUsbSIb;Brother Serial USB Driver(WDM);c:\windows\system32\drivers\BrUsbSib.sys [1/17/2013 1:44 PM 11520]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [7/4/2013 3:53 PM 4939312]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S2 vToolbarUpdater15.5.0;vToolbarUpdater15.5.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [?]
S3 QuickBooksDB21;QuickBooksDB21;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB21 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB21 [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [8/23/2013 10:41 AM 332928]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-22 19:52    1177552    ----a-w-    c:\program files\Google\Chrome\Application\29.0.1547.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-22 18:41]
.
2013-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-22 05:37]
.
2013-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-22 05:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Johnson\Application Data\Mozilla\Firefox\Profiles\0z06sgwr.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-28 08:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(264)
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
.
Completion time: 2013-08-28  08:42:56
ComboFix-quarantined-files.txt  2013-08-28 15:42
ComboFix2.txt  2013-08-26 20:19
.
Pre-Run: 484,972,658,688 bytes free
Post-Run: 484,972,773,376 bytes free
.
- - End Of File - - 18A83EB311A0B85D406836F2A31CC8A4
8F558EB6672622401DA993E1E865C861
 



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:32 PM

Posted 28 August 2013 - 08:43 PM


Hello markminer

I would like to see a report that combofix makes.

extra combofix report
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok
copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:32 PM

Posted 31 August 2013 - 12:56 PM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 markminer

markminer
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 31 August 2013 - 06:15 PM

Hi Gringo, sorry to dilly-dally.

The buildling owner is slow paying the COX bill, a not-uncommon occurence.

So no internet on that machine.

So I'm biding my time until it gets paid

---Mark Miner



#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:32 PM

Posted 31 August 2013 - 09:33 PM

No problem and I will bump the topic in a few days so it does not get closed


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:32 PM

Posted 05 September 2013 - 12:23 AM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 markminer

markminer
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 05 September 2013 - 12:27 AM

OK, Gringo, internet back up.

Will hit this first thing tomorrow morning.

---Mark






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users