Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Mandiant virus infection, please help!


  • This topic is locked This topic is locked
39 replies to this topic

#1 jasm123

jasm123

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:49 AM

Posted 05 September 2013 - 05:22 PM

One of our computers is infected withe mandiant virus.   when I login, it comes up with the "Mandiant USA Cyber Security" message and will not let me proceed.

 

I downloaded & ran the Farbar Recovery scan tool, per instructions to others in the forum (see below)

 

Please help and advise on next steps.

Thanks,

Jane

 

____________________________________________________________________

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-09-2013
Ran by SYSTEM on MININT-1OU5RG4 on 05-09-2013 18:59:07
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [609144 2011-04-12] (Alps Electric Co., Ltd.)
HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\QuickSet.exe [3668336 2011-03-24] (Dell Inc.)
HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-11-29] ()
HKLM\...\Run: [IntelPAN] - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1935120 2011-07-27] (Intel® Corporation)
HKLM\...\Run: [BTMTrayAgent] - C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll [10365952 2011-05-19] (Intel Corporation)
HKLM\...\Run: [DellStage] - C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj [207845 2011-04-29] ()
HKLM\...\Policies\Explorer: [NoActiveDesktop] 1
HKLM\...\Policies\Explorer: [NoActiveDesktopChanges] 1
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [503942 2011-04-13] (Creative Technology Ltd)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-06] (Intel Corporation)
HKLM-x32\...\Run: [NUSB3MON] - C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [RoxWatchTray] - c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] - c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [Dell DataSafe Online] - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35768 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AccuWeatherWidget] - C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj [2825741 2011-04-29] ()
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [UtilityChest_49 Browser Plugin Loader] - C:\PROGRA~2\UTILIT~2\bar\1.bin\49brmon.exe [x]
HKLM-x32\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\Searchqu Toolbar\Datamngr\datamngrUI.exe [1823160 2012-06-06] (Bandoo Media, inc)
HKLM-x32\...\Run: [Sendori Tray] - C:\Program Files (x86)\Sendori\SendoriTray.exe [83232 2013-07-01] (Sendori, Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKU\Danny\...\Run: [EasyTether] - C:\Program Files (x86)\Mobile Stream\EasyTether\easytthr.exe [48648 2011-05-22] (Mobile Stream)
HKU\Danny\...\Run: [Google Update] - C:\Users\Danny\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-05-05] (Google Inc.)
HKU\Danny\...\Run: [GoogleChromeAutoLaunch_980F3E46EDCC36C8F965DDC05D156569] - C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe [825808 2013-06-14] (Google Inc.)
HKU\Danny\...\Winlogon: [Shell] explorer.exe,C:\Users\Danny\AppData\Roaming\cache.dat [85504 2013-07-08] () <==== ATTENTION 
AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll      [1528760 2012-06-06] (Bandoo Media, inc)
AppInit_DLLs-x32: C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll [1185208 2012-06-06] (Bandoo Media, inc)
 
==================== Services (Whitelisted) =================
 
S2 0226641378417031mcinstcleanup; C:\windows\TEMP\022664~1.EXE [834664 2013-07-30] (McAfee, Inc.)
S2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [119072 2013-07-01] (Sendori, Inc.)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [383608 2012-11-16] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-07-27] ()
S2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [22304 2013-07-01] (sendori)
S2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3623200 2013-07-01] (Sendori)
S2 WajamUpdater; C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [109064 2013-04-04] (Wajam)
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\   \...\???\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
==================== Drivers (Whitelisted) ====================
 
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 easytether; C:\Windows\System32\DRIVERS\easytthr.sys [20752 2011-05-22] (Mobile Stream)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
S3 mfeavfk01; No ImagePath
S3 PCDSRVC{D3412D80-CF3B4A27-06020200}_0; \??\c:\program files\my dell\pcdsrvc_x64.pkms [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-08-29 14:41 - 2013-09-05 16:51 - 00000004 _____ C:\Users\Danny\AppData\Roaming\cache.ini
2013-08-29 14:40 - 2013-08-29 14:40 - 00000000 ____D C:\Program Files (x86)\Google
2013-08-27 11:14 - 2013-08-27 11:14 - 00000056 _____ C:\Users\Danny\AppData\Roaming\WB.CFG
2013-08-15 02:07 - 2013-07-26 00:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-08-15 02:07 - 2013-07-26 00:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-08-15 02:07 - 2013-07-26 00:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-08-15 02:07 - 2013-07-26 00:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-08-15 02:07 - 2013-07-25 22:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-08-15 02:07 - 2013-07-25 22:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-15 02:07 - 2013-07-25 22:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-15 02:07 - 2013-07-25 22:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-15 02:07 - 2013-07-25 21:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-15 02:07 - 2013-07-25 21:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-15 02:07 - 2013-07-25 20:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-15 02:06 - 2013-07-26 00:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-08-15 02:06 - 2013-07-26 00:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-08-15 02:06 - 2013-07-25 22:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-15 02:06 - 2013-07-25 22:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-15 02:01 - 2013-08-15 02:02 - 00000000 ____D C:\Windows\System32\MRT
2013-08-14 04:21 - 2013-07-09 00:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-08-14 04:21 - 2013-07-09 00:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-08-14 04:21 - 2013-07-09 00:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-08-14 04:21 - 2013-07-09 00:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-08-14 04:21 - 2013-07-08 23:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-14 04:21 - 2013-07-08 23:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-14 04:21 - 2013-07-08 23:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-14 04:21 - 2013-07-08 23:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-14 04:16 - 2013-07-18 20:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-08-14 04:16 - 2013-07-18 20:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-14 04:11 - 2013-07-25 04:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-08-14 04:11 - 2013-07-25 03:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-14 04:10 - 2013-07-09 00:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2013-08-14 04:10 - 2013-07-08 23:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-14 04:04 - 2013-07-09 01:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-08-14 04:04 - 2013-07-09 00:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-08-14 04:04 - 2013-07-09 00:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-08-14 04:04 - 2013-07-09 00:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-14 04:04 - 2013-07-09 00:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-14 04:04 - 2013-07-08 23:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-14 04:04 - 2013-07-08 23:53 - 00085504 _____ C:\Users\Danny\AppData\Roaming\cache.dat
2013-08-14 04:04 - 2013-07-08 23:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-14 04:04 - 2013-07-08 21:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-14 04:04 - 2013-07-08 21:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-14 04:04 - 2013-07-08 21:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-14 04:04 - 2013-07-08 21:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-14 04:03 - 2013-07-06 01:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-08-14 04:03 - 2013-06-14 23:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
 
==================== One Month Modified Files and Folders =======
 
2013-09-05 16:51 - 2013-08-29 14:41 - 00000004 _____ C:\Users\Danny\AppData\Roaming\cache.ini
2013-09-05 16:46 - 2011-11-21 05:23 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-09-05 16:45 - 2011-11-21 05:32 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2013-09-05 16:45 - 2011-11-21 05:32 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2013-09-05 16:37 - 2012-02-12 11:13 - 00001830 _____ C:\Users\Public\Desktop\McAfee Security Center.lnk
2013-09-05 16:37 - 2012-02-12 11:13 - 00001830 _____ C:\ProgramData\Desktop\McAfee Security Center.lnk
2013-09-05 16:36 - 2012-02-12 11:12 - 00000000 ____D C:\Program Files (x86)\McAfee
2013-09-05 16:30 - 2009-07-13 23:45 - 00020928 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-05 16:30 - 2009-07-13 23:45 - 00020928 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-05 16:27 - 2011-11-21 04:25 - 02078503 _____ C:\Windows\WindowsUpdate.log
2013-09-05 16:25 - 2009-07-14 00:13 - 00778644 _____ C:\Windows\System32\PerfStringBackup.INI
2013-09-05 16:22 - 2012-10-25 08:16 - 00000000 ____D C:\ProgramData\Sendori
2013-09-05 16:20 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-05 16:20 - 2009-07-13 23:51 - 00065893 _____ C:\Windows\setupact.log
2013-08-29 14:46 - 2013-05-27 13:49 - 00003440 _____ C:\Windows\System32\Tasks\PCDEventLauncherTask
2013-08-29 14:40 - 2013-08-29 14:40 - 00000000 ____D C:\Program Files (x86)\Google
2013-08-27 12:18 - 2012-05-05 10:48 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1545699753-3831465931-2441376709-1000UA.job
2013-08-27 12:14 - 2013-04-23 18:12 - 00000286 _____ C:\Windows\Tasks\DSite.job
2013-08-27 11:18 - 2012-05-05 10:48 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1545699753-3831465931-2441376709-1000Core.job
2013-08-27 11:14 - 2013-08-27 11:14 - 00000056 _____ C:\Users\Danny\AppData\Roaming\WB.CFG
2013-08-27 11:14 - 2013-06-16 23:14 - 00000005 _____ C:\Users\Danny\AppData\Roaming\WBPU-TTL.DAT
2013-08-27 11:13 - 2012-05-05 10:48 - 00003878 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1545699753-3831465931-2441376709-1000UA
2013-08-27 11:13 - 2012-05-05 10:48 - 00003482 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1545699753-3831465931-2441376709-1000Core
2013-08-27 11:00 - 2010-11-20 22:47 - 00134832 _____ C:\Windows\PFRO.log
2013-08-27 10:35 - 2012-02-12 11:12 - 00000000 ____D C:\Program Files\McAfee
2013-08-24 23:33 - 2013-04-14 21:28 - 00000000 ____D C:\Program Files (x86)\Solid Savings
2013-08-22 09:11 - 2013-04-17 13:18 - 00000000 _____ C:\END
2013-08-15 03:02 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-08-15 02:02 - 2013-08-15 02:01 - 00000000 ____D C:\Windows\System32\MRT
2013-08-15 02:01 - 2011-12-31 14:57 - 78161360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
 
Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Users\Danny\AppData\Roaming\cache.dat
C:\Users\Danny\AppData\Roaming\cache.ini
C:\Users\Danny\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Danny\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\Danny\AppData\Local\Temp\msimg32.dll
C:\Users\Danny\AppData\Local\Temp\MSN4980.exe
C:\Users\Danny\AppData\Local\Temp\PCFixSpeedSetup.exe
C:\Users\Danny\AppData\Local\Temp\redsn0w.exe
C:\Users\Danny\AppData\Local\Temp\SolidSavings.exe
C:\Users\Danny\AppData\Local\Temp\SpotifyUninstall.exe
C:\Users\Danny\AppData\Local\Temp\uninst1.exe
C:\Users\Danny\AppData\Local\Temp\Wajam_download.exe
C:\Users\Danny\AppData\Local\Temp\{C7650049-6D3D-4167-B551-4BA12CD16C1A}-27.0.1453.94_26.0.1410.64_chrome_updater.exe
C:\Users\Danny\AppData\Local\Temp\UpdateNavi_Temp\EPSON WorkForce 845 Series\Scanner\Driver\LIB\hhupd.exe
C:\Users\Danny\AppData\Local\Temp\is754907076\81166903_Setup.EXE
C:\Users\Danny\AppData\Local\Temp\is1590112554\DownloadManagerV2.exe
C:\Users\Danny\AppData\Local\Temp\is1590112554\nss_handler.exe
C:\Users\Danny\AppData\Local\Temp\is1590112554\PCFixSpeedSetup.exe
C:\Users\Danny\AppData\Local\Temp\is1590112554\SymCCIS.dll
C:\Users\Danny\AppData\Local\Temp\is1590112554\uninstaller.exe
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-07-28 02:00:32
Restore point made on: 2013-08-04 23:00:19
Restore point made on: 2013-08-12 23:00:17
Restore point made on: 2013-08-15 02:00:22
Restore point made on: 2013-08-22 23:00:23
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 6051.18 MB
Available physical RAM: 5138.63 MB
Total Pagefile: 6049.38 MB
Available Pagefile: 5124.8 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:581.42 GB) (Free:518.37 GB) NTFS
Drive e: (Recovery) (Fixed) (Total:14.65 GB) (Free:5.66 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (NEW VOLUME) (Removable) (Total:0.5 GB) (Free:0.49 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596 GB) (Disk ID: DA184564)
Partition 1: (Not Active) - (Size=100 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=581 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (Size: 512 MB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=512 MB) - (Type=06)
 
 
LastRegBack: 2013-08-21 23:24
 

 

 

 



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:49 AM

Posted 06 September 2013 - 01:30 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\Searchqu Toolbar\Datamngr\datamngrUI.exe [1823160 2012-06-06] (Bandoo Media, inc)
    HKU\Danny\...\Winlogon: [Shell] explorer.exe,C:\Users\Danny\AppData\Roaming\cache.dat [85504 2013-07-08] () <==== ATTENTION
    AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll      [1528760 2012-06-06] (Bandoo Media, inc)
    AppInit_DLLs-x32: C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll [1185208 2012-06-06] (Bandoo Media, inc)
    S2 WajamUpdater; C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [109064 2013-04-04] (Wajam)
    S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\   \...\???\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
    
    C:\Program Files (x86)\Searchqu Toolbar
    C:\Users\Danny\AppData\Roaming\cache.dat
    C:\Program Files (x86)\Wajam
    C:\Program Files (x86)\Google
    C:\Users\Danny\AppData\Roaming\cache.ini
    C:\Users\Danny\AppData\Local\Temp\*.*
     
     
    

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

 

Boot into windows now.

 

 

 

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 jasm123

jasm123
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:49 AM

Posted 07 September 2013 - 10:16 AM

Good morning, Marius, thank you for helping me.

 

I've attached the Malwarebytes file, and below is the frst,log.

 

Jane

______________________________________________________

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-09-2013
Ran by SYSTEM on MININT-VNC4GHQ on 07-09-2013 09:40:33
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [609144 2011-04-12] (Alps Electric Co., Ltd.)
HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\QuickSet.exe [3668336 2011-03-24] (Dell Inc.)
HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-11-29] ()
HKLM\...\Run: [IntelPAN] - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1935120 2011-07-27] (Intel® Corporation)
HKLM\...\Run: [BTMTrayAgent] - C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll [10365952 2011-05-19] (Intel Corporation)
HKLM\...\Run: [DellStage] - C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj [207845 2011-04-29] ()
HKLM\...\Policies\Explorer: [NoActiveDesktop] 1
HKLM\...\Policies\Explorer: [NoActiveDesktopChanges] 1
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [503942 2011-04-13] (Creative Technology Ltd)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-06] (Intel Corporation)
HKLM-x32\...\Run: [NUSB3MON] - C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [RoxWatchTray] - c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] - c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [Dell DataSafe Online] - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35768 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AccuWeatherWidget] - C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj [2825741 2011-04-29] ()
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [UtilityChest_49 Browser Plugin Loader] - C:\PROGRA~2\UTILIT~2\bar\1.bin\49brmon.exe [x]
HKLM-x32\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\Searchqu Toolbar\Datamngr\datamngrUI.exe [1823160 2012-06-06] (Bandoo Media, inc)
HKLM-x32\...\Run: [Sendori Tray] - C:\Program Files (x86)\Sendori\SendoriTray.exe [83232 2013-07-01] (Sendori, Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKU\Danny\...\Run: [EasyTether] - C:\Program Files (x86)\Mobile Stream\EasyTether\easytthr.exe [48648 2011-05-22] (Mobile Stream)
HKU\Danny\...\Run: [Google Update] - C:\Users\Danny\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-05-05] (Google Inc.)
HKU\Danny\...\Run: [GoogleChromeAutoLaunch_980F3E46EDCC36C8F965DDC05D156569] - C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe [825808 2013-06-14] (Google Inc.)
HKU\Danny\...\Winlogon: [Shell] explorer.exe,C:\Users\Danny\AppData\Roaming\cache.dat [85504 2013-07-08] () <==== ATTENTION 
AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll      [1528760 2012-06-06] (Bandoo Media, inc)
AppInit_DLLs-x32: C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll [1185208 2012-06-06] (Bandoo Media, inc)
 
==================== Services (Whitelisted) =================
 
S4 0226641378417031mcinstcleanup; C:\windows\TEMP\022664~1.EXE [834664 2013-07-30] (McAfee, Inc.)
S2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [119072 2013-07-01] (Sendori, Inc.)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [383608 2012-11-16] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-07-27] ()
S2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [22304 2013-07-01] (sendori)
S2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3623200 2013-07-01] (Sendori)
S2 WajamUpdater; C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [109064 2013-04-04] (Wajam)
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\   \...\???\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
==================== Drivers (Whitelisted) ====================
 
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 easytether; C:\Windows\System32\DRIVERS\easytthr.sys [20752 2011-05-22] (Mobile Stream)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
S3 mfeavfk01; No ImagePath
S3 PCDSRVC{D3412D80-CF3B4A27-06020200}_0; \??\c:\program files\my dell\pcdsrvc_x64.pkms [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-09-05 18:59 - 2013-09-05 18:59 - 00000000 ____D C:\FRST
2013-08-29 14:41 - 2013-09-05 16:51 - 00000004 _____ C:\Users\Danny\AppData\Roaming\cache.ini
2013-08-29 14:40 - 2013-08-29 14:40 - 00000000 ____D C:\Program Files (x86)\Google
2013-08-27 11:14 - 2013-08-27 11:14 - 00000056 _____ C:\Users\Danny\AppData\Roaming\WB.CFG
2013-08-15 02:07 - 2013-07-26 00:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-08-15 02:07 - 2013-07-26 00:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-08-15 02:07 - 2013-07-26 00:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-08-15 02:07 - 2013-07-26 00:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-08-15 02:07 - 2013-07-26 00:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-08-15 02:07 - 2013-07-25 22:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-08-15 02:07 - 2013-07-25 22:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-15 02:07 - 2013-07-25 22:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-15 02:07 - 2013-07-25 22:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-15 02:07 - 2013-07-25 22:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-15 02:07 - 2013-07-25 21:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-15 02:07 - 2013-07-25 21:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-15 02:07 - 2013-07-25 20:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-15 02:06 - 2013-07-26 00:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-08-15 02:06 - 2013-07-26 00:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-08-15 02:06 - 2013-07-25 22:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-15 02:06 - 2013-07-25 22:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-15 02:01 - 2013-08-15 02:02 - 00000000 ____D C:\Windows\System32\MRT
2013-08-14 04:21 - 2013-07-09 00:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-08-14 04:21 - 2013-07-09 00:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-08-14 04:21 - 2013-07-09 00:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-08-14 04:21 - 2013-07-09 00:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-08-14 04:21 - 2013-07-08 23:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-14 04:21 - 2013-07-08 23:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-14 04:21 - 2013-07-08 23:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-14 04:21 - 2013-07-08 23:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-14 04:16 - 2013-07-18 20:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-08-14 04:16 - 2013-07-18 20:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-14 04:11 - 2013-07-25 04:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-08-14 04:11 - 2013-07-25 03:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-14 04:10 - 2013-07-09 00:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2013-08-14 04:10 - 2013-07-08 23:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-14 04:04 - 2013-07-09 01:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-08-14 04:04 - 2013-07-09 00:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-08-14 04:04 - 2013-07-09 00:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-08-14 04:04 - 2013-07-09 00:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-14 04:04 - 2013-07-09 00:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-14 04:04 - 2013-07-08 23:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-14 04:04 - 2013-07-08 23:53 - 00085504 _____ C:\Users\Danny\AppData\Roaming\cache.dat
2013-08-14 04:04 - 2013-07-08 23:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-14 04:04 - 2013-07-08 21:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-14 04:04 - 2013-07-08 21:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-14 04:04 - 2013-07-08 21:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-14 04:04 - 2013-07-08 21:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-14 04:03 - 2013-07-06 01:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-08-14 04:03 - 2013-06-14 23:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
 
==================== One Month Modified Files and Folders =======
 
2013-09-06 18:27 - 2009-07-13 23:45 - 00020928 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-06 18:27 - 2009-07-13 23:45 - 00020928 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-06 18:24 - 2011-11-21 04:25 - 01055789 _____ C:\Windows\WindowsUpdate.log
2013-09-06 18:23 - 2009-07-14 00:13 - 00778644 _____ C:\Windows\System32\PerfStringBackup.INI
2013-09-06 18:18 - 2012-02-12 11:12 - 00000000 ____D C:\Program Files (x86)\McAfee
2013-09-06 18:18 - 2011-11-21 05:23 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-09-06 18:18 - 2010-11-20 22:47 - 00136060 _____ C:\Windows\PFRO.log
2013-09-06 18:18 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-06 18:18 - 2009-07-13 23:51 - 00065949 _____ C:\Windows\setupact.log
2013-09-05 18:59 - 2013-09-05 18:59 - 00000000 ____D C:\FRST
2013-09-05 16:51 - 2013-08-29 14:41 - 00000004 _____ C:\Users\Danny\AppData\Roaming\cache.ini
2013-09-05 16:45 - 2011-11-21 05:32 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2013-09-05 16:45 - 2011-11-21 05:32 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2013-09-05 16:37 - 2012-02-12 11:13 - 00001830 _____ C:\Users\Public\Desktop\McAfee Security Center.lnk
2013-09-05 16:37 - 2012-02-12 11:13 - 00001830 _____ C:\ProgramData\Desktop\McAfee Security Center.lnk
2013-09-05 16:22 - 2012-10-25 08:16 - 00000000 ____D C:\ProgramData\Sendori
2013-08-29 14:46 - 2013-05-27 13:49 - 00003440 _____ C:\Windows\System32\Tasks\PCDEventLauncherTask
2013-08-29 14:40 - 2013-08-29 14:40 - 00000000 ____D C:\Program Files (x86)\Google
2013-08-27 12:18 - 2012-05-05 10:48 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1545699753-3831465931-2441376709-1000UA.job
2013-08-27 12:14 - 2013-04-23 18:12 - 00000286 _____ C:\Windows\Tasks\DSite.job
2013-08-27 11:18 - 2012-05-05 10:48 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1545699753-3831465931-2441376709-1000Core.job
2013-08-27 11:14 - 2013-08-27 11:14 - 00000056 _____ C:\Users\Danny\AppData\Roaming\WB.CFG
2013-08-27 11:14 - 2013-06-16 23:14 - 00000005 _____ C:\Users\Danny\AppData\Roaming\WBPU-TTL.DAT
2013-08-27 11:13 - 2012-05-05 10:48 - 00003878 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1545699753-3831465931-2441376709-1000UA
2013-08-27 11:13 - 2012-05-05 10:48 - 00003482 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1545699753-3831465931-2441376709-1000Core
2013-08-27 10:35 - 2012-02-12 11:12 - 00000000 ____D C:\Program Files\McAfee
2013-08-24 23:33 - 2013-04-14 21:28 - 00000000 ____D C:\Program Files (x86)\Solid Savings
2013-08-22 09:11 - 2013-04-17 13:18 - 00000000 _____ C:\END
2013-08-15 03:02 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-08-15 02:02 - 2013-08-15 02:01 - 00000000 ____D C:\Windows\System32\MRT
2013-08-15 02:01 - 2011-12-31 14:57 - 78161360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
 
Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Users\Danny\AppData\Roaming\cache.dat
C:\Users\Danny\AppData\Roaming\cache.ini
C:\Users\Danny\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Danny\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\Danny\AppData\Local\Temp\msimg32.dll
C:\Users\Danny\AppData\Local\Temp\MSN4980.exe
C:\Users\Danny\AppData\Local\Temp\PCFixSpeedSetup.exe
C:\Users\Danny\AppData\Local\Temp\redsn0w.exe
C:\Users\Danny\AppData\Local\Temp\SolidSavings.exe
C:\Users\Danny\AppData\Local\Temp\SpotifyUninstall.exe
C:\Users\Danny\AppData\Local\Temp\uninst1.exe
C:\Users\Danny\AppData\Local\Temp\Wajam_download.exe
C:\Users\Danny\AppData\Local\Temp\{C7650049-6D3D-4167-B551-4BA12CD16C1A}-27.0.1453.94_26.0.1410.64_chrome_updater.exe
C:\Users\Danny\AppData\Local\Temp\UpdateNavi_Temp\EPSON WorkForce 845 Series\Scanner\Driver\LIB\hhupd.exe
C:\Users\Danny\AppData\Local\Temp\is754907076\81166903_Setup.EXE
C:\Users\Danny\AppData\Local\Temp\is1590112554\DownloadManagerV2.exe
C:\Users\Danny\AppData\Local\Temp\is1590112554\nss_handler.exe
C:\Users\Danny\AppData\Local\Temp\is1590112554\PCFixSpeedSetup.exe
C:\Users\Danny\AppData\Local\Temp\is1590112554\SymCCIS.dll
C:\Users\Danny\AppData\Local\Temp\is1590112554\uninstaller.exe
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-07-28 02:00:32
Restore point made on: 2013-08-04 23:00:19
Restore point made on: 2013-08-12 23:00:17
Restore point made on: 2013-08-15 02:00:22
Restore point made on: 2013-08-22 23:00:23
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 6051.18 MB
Available physical RAM: 5139.32 MB
Total Pagefile: 6049.38 MB
Available Pagefile: 5137.29 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:581.42 GB) (Free:518.39 GB) NTFS
Drive e: (Recovery) (Fixed) (Total:14.65 GB) (Free:5.66 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (NEW VOLUME) (Removable) (Total:0.5 GB) (Free:0.49 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596 GB) (Disk ID: DA184564)
Partition 1: (Not Active) - (Size=100 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=581 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (Size: 512 MB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=512 MB) - (Type=06)
 
 
LastRegBack: 2013-08-21 23:24
 
==================== End Of Log ============================

 

 

 

 

 



#4 jasm123

jasm123
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:49 AM

Posted 07 September 2013 - 10:19 AM

Sorry, Marius,

Posted wrong file.  Below is Fixlog:

Jane

__________________________________________________________________________________

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-09-2013
Ran by SYSTEM at 2013-09-07 09:41:58 Run:1
Running from G:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\Searchqu Toolbar\Datamngr\datamngrUI.exe [1823160 2012-06-06] (Bandoo Media, inc)
HKU\Danny\...\Winlogon: [Shell] explorer.exe,C:\Users\Danny\AppData\Roaming\cache.dat [85504 2013-07-08] () <==== ATTENTION
AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll      [1528760 2012-06-06] (Bandoo Media, inc)
AppInit_DLLs-x32: C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll [1185208 2012-06-06] (Bandoo Media, inc)
S2 WajamUpdater; C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [109064 2013-04-04] (Wajam)
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\   \...\???\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
C:\Program Files (x86)\Searchqu Toolbar
C:\Users\Danny\AppData\Roaming\cache.dat
C:\Program Files (x86)\Wajam
C:\Program Files (x86)\Google
C:\Users\Danny\AppData\Roaming\cache.ini
C:\Users\Danny\AppData\Local\Temp\*.*
 
 
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\DATAMNGR => Value deleted successfully.
HKU\Danny\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs => Value was restored successfully.
WajamUpdater => Service deleted successfully.
*etadpug => Unable to delete service
*etadpug => Service should be removed with FRST outside recovery mode.
C:\Program Files (x86)\Searchqu Toolbar => Moved successfully.
C:\Users\Danny\AppData\Roaming\cache.dat => Moved successfully.
C:\Program Files (x86)\Wajam => Moved successfully.
C:\Program Files (x86)\Google => Moved successfully.
C:\Users\Danny\AppData\Roaming\cache.ini => Moved successfully.
"C:\Users\Danny\AppData\Local\Temp\*.*" => Could not move.
 
==== End of Fixlog ====

 



#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:49 AM

Posted 08 September 2013 - 11:54 PM

Then boot into windows and run the scan I posted, please.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#6 jasm123

jasm123
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:49 AM

Posted 09 September 2013 - 05:35 AM

The malwarebytes log? I thought I attached it to the message per your request.  I will attach it again.

Attached Files



#7 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:49 AM

Posted 09 September 2013 - 08:38 AM

Fix with Malwarebytes Anti-Rootkit

Run another scan with mbar.exe and click the CleanUp button. It will require a reboot.

When it has rebooted, run another scan with mbar.exe and click CleanUp again if necessary.

Send the mbar-log.txt along with an update on machine behavior.

 

 

 

 

Scan with Farbar´s Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#8 jasm123

jasm123
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:49 AM

Posted 09 September 2013 - 05:52 PM

Hi there,

I attached the new mbar-log.txt, and here below is the log from Farbar's Service scanner.

I am still having trouble, as I am now getting random ads opening in Chrome tabs with tech support landing pages.

 

 

Farbar Service Scanner Version: 05-09-2013
Ran by Danny (administrator) on 09-09-2013 at 20:44:20
Running from "F:\"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
Checking Start type of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ImagePath of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ServiceDll of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
 
Checking Start type of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ImagePath of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
 
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
 
 
**** End of log ****

 

Attached Files



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:49 AM

Posted 10 September 2013 - 12:44 AM

Download the attached fix.zip and extract it to your desktop.

Run PolicyAgent.reg by double click and confirm the messages to merge the information into your registry.

 

When finished, do the same with RemoteAccess.reg.

 

Reboot and post up a new FSS log again.

 

 

Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 

 

Attached Files

  • Attached File  fix.zip   3.54KB   5 downloads

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#10 jasm123

jasm123
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:49 AM

Posted 10 September 2013 - 05:40 PM

Hi Marius,

I can't extract the files - tried 2 computers.  I get error 0x80004005: Unspecified error.   Is there a trick to un-zipping these?

Jane



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:49 AM

Posted 10 September 2013 - 11:43 PM

I repacked them, please try again.

 

 

Attached Files

  • Attached File  fix.zip   4.3KB   2 downloads

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#12 jasm123

jasm123
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:49 AM

Posted 12 September 2013 - 07:13 AM

HI Marius,

 

Below are the FSS log, and Malwarebytes log.  When I opened Chrome to post these, another window appeared & siteadvisor caught it.  It doesn't look like I am free of virus yet.

 

Thanks,
Jane

 

Farbar Service Scanner Version: 05-09-2013
Ran by Danny (administrator) on 11-09-2013 at 23:08:07
Running from "F:\"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
 
 
**** End of log ****

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.09.10.12
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
Danny :: DANNY-PC [administrator]
 
9/12/2013 8:35:23 AM
mbam-log-2013-09-12 (08-35-23).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 372544
Time elapsed: 1 hour(s), 4 minute(s), 52 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 56
HKCR\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634} (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
HKCR\AppID\{38A066B0-DD5F-4226-AC4F-6A27C1BFB892} (PUP.Optional.PricePeep.A) -> Quarantined and deleted successfully.
HKCR\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17} (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{11111111-1111-1111-1111-110211621178} (PUP.Optional.Crossrider) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440244624478} (PUP.Optional.Crossrider) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550255625578} (PUP.Optional.Crossrider) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0026278.BHO.1 (PUP.Optional.Crossrider) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110211621178} (PUP.Optional.Crossrider) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110211621178} (PUP.Optional.Crossrider) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110211621178} (PUP.Optional.Crossrider) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110211621178} (PUP.Optional.Crossrider) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110211621178} (PUP.Optional.Crossrider) -> Quarantined and deleted successfully.
HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5} (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D} (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2} (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
HKCR\wajam.WajamDownloader.1 (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
HKCR\wajam.WajamDownloader (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7} (PUP.Optional.SearchQu) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079A25-328F-4BD4-BE04-00955ACAA0A7} (PUP.Optional.SearchQu) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{99079A25-328F-4BD4-BE04-00955ACAA0A7} (PUP.Optional.SearchQu) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99079A25-328F-4BD4-BE04-00955ACAA0A7} (PUP.Optional.SearchQu) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99079A25-328F-4BD4-BE04-00955ACAA0A7} (PUP.Optional.SearchQu) -> Quarantined and deleted successfully.
HKCR\CLSID\{9D717F81-9148-4f12-8568-69135F087DB0} (PUP.Optional.Bandoo.A) -> Quarantined and deleted successfully.
HKCR\TypeLib\{5B4144E1-B61D-495a-9A50-CD1A95D86D15} (PUP.Optional.Bandoo.A) -> Quarantined and deleted successfully.
HKCR\BrowserConnection.Loader.1 (PUP.Optional.Bandoo.A) -> Quarantined and deleted successfully.
HKCR\BrowserConnection.Loader (PUP.Optional.Bandoo.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4F12-8568-69135F087DB0} (PUP.Optional.Bandoo.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4F12-8568-69135F087DB0} (PUP.Optional.Bandoo.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D717F81-9148-4F12-8568-69135F087DB0} (PUP.Optional.Bandoo.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115} (PUP.Optional.Datamngr.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} (PUP.Optional.Wajam) -> Quarantined and deleted successfully.
HKCR\wajam.WajamBHO.1 (PUP.Optional.Wajam) -> Quarantined and deleted successfully.
HKCR\wajam.WajamBHO (PUP.Optional.Wajam) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} (PUP.Optional.Wajam) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} (PUP.Optional.Wajam) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} (PUP.Optional.Wajam) -> Quarantined and deleted successfully.
HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87} (PUP.Optional.Datamngr.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0026278.BHO (PUP.Optional.Crossrider) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iLivid (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PricePeep (PUP.Optional.PricePeep.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7B34B38-02A6-44D5-B8CC-06EB3B8ACFC9}_is1 (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0026278.Sandbox (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0026278.Sandbox.1 (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKCR\SearchQUIEHelper.DNSGuard (PUP.Optional.SearchQu) -> Quarantined and deleted successfully.
HKCR\SearchQUIEHelper.DNSGuard.1 (PUP.Optional.SearchQu) -> Quarantined and deleted successfully.
HKCR\AppID\priam_bho.DLL (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
HKCR\AppID\PricePeep.DLL (PUP.Optional.PricePeep.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\DataMngr_Toolbar (PUP.Optional.DataMngr.A) -> Quarantined and deleted successfully.
HKCU\Software\DataMngr (PUP.Optional.DataMngr.A) -> Quarantined and deleted successfully.
HKCU\Software\AppDataLow\Software\PricePeep (PUP.Optional.PricePeep.A) -> Quarantined and deleted successfully.
HKCU\Software\Cr_Installer\26278 (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\WAJAM (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\DATAMNGR (PUP.Optional.Searchqu.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\DEFAULT TAB (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
 
Registry Values Detected: 6
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{99079A25-328F-4BD4-BE04-00955ACAA0A7} (PUP.Optional.SearchQu) -> Data: Searchqu Toolbar -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{99079a25-328f-4bd4-be04-00955acaa0a7} (PUP.Optional.SearchQu) -> Data:  -> Quarantined and deleted successfully.
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: 0T0E0C1F2R0U2Y1R -> Quarantined and deleted successfully.
HKCU\Software\Wajam|affiliate_id (PUP.Optional.Wajam.A) -> Data: 3221 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\DataMngr|Folder (PUP.Optional.Searchqu.A) -> Data: C:\Program Files (x86)\Searchqu Toolbar -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Default Tab|Version (PUP.Optional.DefaultTab.A) -> Data: 1.0.0.0 -> Quarantined and deleted successfully.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 10
C:\Users\Danny\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Solid Savings (PUP.Optional.SolidSavings.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\PricePeep (PUP.Optional.PricePeep.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\PCFixSpeed (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Fix Speed (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Cache (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Cache (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
 
Files Detected: 43
C:\Program Files (x86)\Solid Savings\Solid Savings.dll (PUP.Optional.Crossrider) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\Wajam\IE\priam_bho.dll (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\Wajam\Updater\WajamUpdater.exe (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\iLivid\uninstall.exe (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IF0D0F1O\SolidSavings[1] (Adware.Packed.Ranver) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IF0D0F1O\wajam_download[1].exe (PUP.Optional.Wajam) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J0CQLXWN\PCFixSpeedSetup[1] (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WDOX1I8F\wajam_install[1].exe (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Local\Temp\PCFixSpeedSetup.exe (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Local\Temp\Wajam_download.exe (PUP.Optional.Wajam) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Local\Temp\is1590112554\PCFixSpeedSetup.exe (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\Users\Danny\Downloads\setup (2).exe (PUP.Optional.InstallCore.A) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E3WOFIT1\wajam_update[1].exe (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2QLHMZN\wajam_update[1].exe (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Solid Savings\background.html (PUP.Optional.SolidSavings.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Solid Savings\ButtonUtil.dll (PUP.Optional.SolidSavings.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Solid Savings\Installer.log (PUP.Optional.SolidSavings.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Solid Savings\Solid Savings-bg.exe (PUP.Optional.SolidSavings.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Solid Savings\Solid Savings.exe (PUP.Optional.SolidSavings.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Solid Savings\Solid Savings.ico (PUP.Optional.SolidSavings.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Solid Savings\Solid Savings.ini (PUP.Optional.SolidSavings.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\PricePeep\installer.ico (PUP.Optional.PricePeep.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\PricePeep\pricepeep.crx (PUP.Optional.PricePeep.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\PricePeep\uninstall.exe (PUP.Optional.PricePeep.A) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Roaming\Mozilla\Extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433} (PUP.Optional.Searchqu.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\PCFixSpeed\PCFixSpeed.exe (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\Program Files (x86)\PCFixSpeed\PCFixTray.exe (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\Program Files (x86)\PCFixSpeed\unins000.dat (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\Program Files (x86)\PCFixSpeed\unins000.exe (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\Program Files (x86)\PCFixSpeed\unins000.msg (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Fix Speed\PC Fix Speed.lnk (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Fix Speed\PCFixSpeed.com.url (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Fix Speed\Uninstall PC Fix Speed.lnk (PUP.Optional.PCFixSpeed) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.dat (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.ico (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setup.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
 
(end)


#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:49 AM

Posted 12 September 2013 - 08:22 AM

We´ll get rid of all this, don´t panic.

 

 

Scan with DDS

Download DDS and save it to your desktop from here or here or
here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#14 jasm123

jasm123
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:49 AM

Posted 12 September 2013 - 05:05 PM

Here is the DDS log and I attached the file.

 

Jane

___________________________________________________________________________________________

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 1.6.0_31
Run by Danny at 19:58:57 on 2013-09-12
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6051.3282 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\windows\system32\mfevtps.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Sendori\sndappv2.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Sendori\SendoriSvc.exe
C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files (x86)\Sendori\Sendori.Service.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\rundll32.exe
C:\windows\system32\rundll32.exe
C:\windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Sendori\SendoriUp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\SearchIndexer.exe
C:\windows\System32\WUDFHost.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Users\Danny\AppData\Roaming\HOOLAP~1\Hoolapp.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Mobile Stream\EasyTether\easytthr.exe
C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Sendori\SendoriTray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe
C:\windows\system32\sppsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe
c:\PROGRA~2\mcafee\SITEAD~1\saui.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?affID=110803&tt=4312_3&babsrc=HP_ss&mntrId=7c4e86d4000000000000020054746872
uURLSearchHooks: <No Name>: {7a55cbb2-2b2e-4a41-9de1-6ac5d2c2be0a} - 
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
mWinlogon: Userinit = userinit.exe,
BHO: {1036AD63-AEAC-460B-9060-C96005D4DC86} - <orphaned>
BHO: Wincore Mediabar: {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\Program Files (x86)\iMesh Applications\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\mcafee\SystemCore\ScriptSn.20120708130331.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Wincore Mediabar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\ToolBar\wincorebsdtx.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - 
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
TB: Utility Chest: {CF67755F-9265-449C-87CF-B945519E073B} - 
TB: Utility Chest: {cf67755f-9265-449c-87cf-b945519e073b} - 
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
TB: Wincore Mediabar: {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\Program Files (x86)\iMesh Applications\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll
TB: Wincore Mediabar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\ToolBar\wincorebsdtx.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - 
uRun: [EasyTether] "C:\Program Files (x86)\Mobile Stream\EasyTether\easytthr.exe"
uRun: [Google Update] "C:\Users\Danny\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [GoogleChromeAutoLaunch_980F3E46EDCC36C8F965DDC05D156569] "C:\Users\Danny\AppData\Local\Google\Chrome\Application\chrome.exe" --no-startup-window
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [UtilityChest_49 Browser Plugin Loader] C:\PROGRA~2\UTILIT~2\bar\1.bin\49brmon.exe
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Download with Mipony - C:\Program Files (x86)\MiPony\Browser\IEContext.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{5470693B-1961-4C20-A97C-57C1359DDB2F} : DHCPNameServer = 192.168.88.21 192.168.88.22
TCP: Interfaces\{6FCA85C0-1533-4089-901D-895E3BE5B3ED} : DHCPNameServer = 198.224.187.135 198.224.186.135
TCP: Interfaces\{BD6FA5D1-7AB9-4DC0-B810-1417FD8B05D3} : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{DBCF643A-0282-44AC-AA62-468B4E829D8E} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{DBCF643A-0282-44AC-AA62-468B4E829D8E}\65562796A7F6E602D496649623230303029303443402355636572756 : NameServer = 192.168.1.1
TCP: Interfaces\{DBCF643A-0282-44AC-AA62-468B4E829D8E}\65562796A7F6E602D496649623230303029303443402355636572756 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{DBCF643A-0282-44AC-AA62-468B4E829D8E}\940786F6E656 : DHCPNameServer = 66.174.95.44 66.174.92.14
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Privacy Safeguard BHO: {1036AD63-AEAC-460B-9060-C96005D4DC86} - 
x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\mcafee\SystemCore\ScriptSn.20120707083203.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: DataMngr: {9D717F81-9148-4f12-8568-69135F087DB0} - 
x64-BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Run: [IgfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
x64-Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"
x64-Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray
x64-Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
x64-Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Danny\AppData\Roaming\Mozilla\Firefox\Profiles\gat44ars.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=110803&tt=4312_3&babsrc=HP_ss&mntrId=7c4e86d4000000000000020054746872
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\progra~2\mcafee\msc\npMcSnFFPl.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\McAfee\SiteAdvisor\NPMcFFPlg32.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Danny\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=7c4e86d4000000000000020054746872&q=
FF - user.js: extensions.BabylonToolbar.id - 7c4e86d4000000000000020054746872
FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
FF - user.js: extensions.BabylonToolbar.instlDay - 15638
FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.3.8
FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.3.8
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.3.89:16:59
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\windows\System32\drivers\mfehidk.sys [2011-3-13 771536]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\windows\System32\drivers\mfewfpk.sys [2012-2-12 340216]
R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2011-11-21 55856]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-11-21 89600]
R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-8-8 1166848]
R2 Application Sendori;Application Sendori;C:\Program Files (x86)\Sendori\SendoriSvc.exe [2013-7-1 119072]
R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2011-5-19 921664]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2011-5-19 995392]
R2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-6-3 134928]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-11-21 13336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [2012-10-8 201304]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [2012-10-8 201304]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [2012-10-8 201304]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [2012-10-8 201304]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2012-2-12 241456]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2012-2-12 218760]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\windows\System32\mfevtps.exe [2011-11-21 182752]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 Service Sendori;Service Sendori;C:\Program Files (x86)\Sendori\Sendori.Service.exe [2013-7-1 22304]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2011-11-21 1692480]
R2 sndappv2;sndappv2;C:\Program Files (x86)\Sendori\sndappv2.exe [2013-7-1 3623200]
R2 TurboB;Turbo Boost UI Monitor driver;C:\windows\System32\drivers\TurboB.sys [2010-11-29 16120]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-11-21 2655768]
R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;C:\windows\System32\drivers\AmpPal.sys [2011-8-8 299008]
R3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2011-5-19 1335360]
R3 btmaudio;Intel Bluetooth Audio Service;C:\windows\System32\drivers\btmaud.sys [2011-5-19 51712]
R3 btmaux;Intel Bluetooth Auxiliary Service;C:\windows\System32\drivers\btmaux.sys [2011-5-19 53248]
R3 btmhsf;btmhsf;C:\windows\System32\drivers\btmhsf.sys [2011-7-19 282624]
R3 cfwids;McAfee Inc. cfwids;C:\windows\System32\drivers\cfwids.sys [2012-2-12 70112]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\windows\System32\drivers\CtClsFlt.sys [2011-11-21 176096]
R3 easytether;easytether;C:\windows\System32\drivers\easytthr.sys [2012-5-5 20752]
R3 iBtFltCoex;iBtFltCoex;C:\windows\System32\drivers\iBtFltCoex.sys [2011-7-19 59904]
R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2011-11-21 317440]
R3 iwdbus;IWD Bus Enumerator;C:\windows\System32\drivers\iwdbus.sys [2011-6-21 25496]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\windows\System32\drivers\mfeavfk.sys [2012-2-12 309840]
R3 mfefirek;McAfee Inc. mfefirek;C:\windows\System32\drivers\mfefirek.sys [2012-2-12 515968]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\windows\System32\drivers\nusb3hub.sys [2010-12-10 80384]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\windows\System32\drivers\nusb3xhc.sys [2010-12-10 181248]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2011-11-21 406632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;C:\windows\System32\drivers\AmpPal.sys [2011-8-8 299008]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-4-1 183560]
S3 fssfltr;fssfltr;C:\windows\System32\drivers\fssfltr.sys [2012-12-24 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 HipShieldK;McAfee Inc. HipShieldK;C:\windows\System32\drivers\HipShieldK.sys [2012-10-8 196440]
S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\windows\System32\drivers\intelaud.sys [2011-6-21 34200]
S3 mferkdet;McAfee Inc. mferkdet;C:\windows\System32\drivers\mferkdet.sys [2012-2-12 106552]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-7-27 340240]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\windows\System32\drivers\netaapl64.sys [2011-8-2 22528]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2011-11-21 250984]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2010-11-29 149504]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2011-12-27 1255736]
S3 WSDScan;WSD Scan Support via UMB;C:\windows\System32\drivers\WSDScan.sys [2009-7-13 25088]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-09-12 04:02:42 155584 ----a-w- C:\windows\System32\drivers\ataport.sys
2013-09-12 03:19:59 7680 ----a-w- C:\windows\SysWow64\instnm.exe
2013-09-12 03:19:59 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
2013-09-12 03:19:59 3072 ---ha-w- C:\windows\System32\api-ms-win-core-console-l1-1-0.dll
2013-09-12 03:19:59 25600 ----a-w- C:\windows\SysWow64\setup16.exe
2013-09-12 03:19:58 6656 ----a-w- C:\windows\SysWow64\apisetschema.dll
2013-09-12 03:19:58 6656 ----a-w- C:\windows\System32\apisetschema.dll
2013-09-12 03:19:58 2048 ----a-w- C:\windows\SysWow64\user.exe
2013-09-12 03:15:17 3155456 ----a-w- C:\windows\System32\win32k.sys
2013-09-05 23:59:02 -------- d-----w- C:\FRST
2013-08-15 07:01:11 -------- d-----w- C:\windows\System32\MRT
2013-08-14 11:53:56 18634944 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
2013-08-14 09:21:59 224256 ----a-w- C:\windows\System32\wintrust.dll
2013-08-14 09:21:59 184320 ----a-w- C:\windows\System32\cryptsvc.dll
2013-08-14 09:21:59 175104 ----a-w- C:\windows\SysWow64\wintrust.dll
2013-08-14 09:21:59 1472512 ----a-w- C:\windows\System32\crypt32.dll
2013-08-14 09:21:59 140288 ----a-w- C:\windows\SysWow64\cryptsvc.dll
2013-08-14 09:21:59 139776 ----a-w- C:\windows\System32\cryptnet.dll
2013-08-14 09:21:59 1166848 ----a-w- C:\windows\SysWow64\crypt32.dll
2013-08-14 09:21:59 103936 ----a-w- C:\windows\SysWow64\cryptnet.dll
2013-08-14 09:16:31 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2013-08-14 09:16:31 2048 ----a-w- C:\windows\System32\tzres.dll
2013-08-14 09:11:22 1888768 ----a-w- C:\windows\System32\WMVDECOD.DLL
2013-08-14 09:11:22 1620992 ----a-w- C:\windows\SysWow64\WMVDECOD.DLL
2013-08-14 09:10:22 663552 ----a-w- C:\windows\SysWow64\rpcrt4.dll
2013-08-14 09:10:22 1217024 ----a-w- C:\windows\System32\rpcrt4.dll
2013-08-14 09:03:37 39936 ----a-w- C:\windows\System32\drivers\tssecsrv.sys
2013-08-14 09:03:37 1910208 ----a-w- C:\windows\System32\drivers\tcpip.sys
.
==================== Find3M  ====================
.
2013-08-10 05:22:18 2241024 ----a-w- C:\windows\System32\wininet.dll
2013-08-10 05:20:59 3959296 ----a-w- C:\windows\System32\jscript9.dll
2013-08-10 05:20:55 67072 ----a-w- C:\windows\System32\iesetup.dll
2013-08-10 05:20:55 136704 ----a-w- C:\windows\System32\iesysprep.dll
2013-08-10 03:59:10 1767936 ----a-w- C:\windows\SysWow64\wininet.dll
2013-08-10 03:58:09 2876928 ----a-w- C:\windows\SysWow64\jscript9.dll
2013-08-10 03:58:06 61440 ----a-w- C:\windows\SysWow64\iesetup.dll
2013-08-10 03:58:06 109056 ----a-w- C:\windows\SysWow64\iesysprep.dll
2013-08-10 03:17:38 2706432 ----a-w- C:\windows\System32\mshtml.tlb
2013-08-10 03:07:50 2706432 ----a-w- C:\windows\SysWow64\mshtml.tlb
2013-08-10 02:27:59 89600 ----a-w- C:\windows\System32\RegisterIEPKEYs.exe
2013-08-10 02:17:19 71680 ----a-w- C:\windows\SysWow64\RegisterIEPKEYs.exe
2013-08-02 02:23:53 5550528 ----a-w- C:\windows\System32\ntoskrnl.exe
2013-08-02 02:15:44 1732032 ----a-w- C:\windows\System32\ntdll.dll
2013-08-02 02:15:03 362496 ----a-w- C:\windows\System32\wow64win.dll
2013-08-02 02:15:03 243712 ----a-w- C:\windows\System32\wow64.dll
2013-08-02 02:15:03 13312 ----a-w- C:\windows\System32\wow64cpu.dll
2013-08-02 02:14:57 215040 ----a-w- C:\windows\System32\winsrv.dll
2013-08-02 02:14:11 16384 ----a-w- C:\windows\System32\ntvdm64.dll
2013-08-02 02:13:34 424448 ----a-w- C:\windows\System32\KernelBase.dll
2013-08-02 01:59:30 3968960 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2013-08-02 01:59:30 3913664 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2013-08-02 01:51:23 1292192 ----a-w- C:\windows\SysWow64\ntdll.dll
2013-08-02 01:50:42 5120 ----a-w- C:\windows\SysWow64\wow32.dll
2013-08-02 01:50:42 274944 ----a-w- C:\windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17 338432 ----a-w- C:\windows\System32\conhost.exe
2013-08-02 00:59:09 112640 ----a-w- C:\windows\System32\smss.exe
2013-08-02 00:45:36 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll
2013-08-02 00:43:05 6144 ---ha-w- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-07-27 07:08:18 9728 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-07-01 19:28:10 325920 ----a-w- C:\windows\SysWow64\Sendori.dll
.
============= FINISH: 19:59:34.61 ===============
 

 

Attached Files



#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:49 AM

Posted 13 September 2013 - 12:01 AM

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users