I Need Help...


  • This topic is locked
7 replies to this topic

#1 ImNotPaulBradshaw

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 24 September 2013 - 05:58 PM

I've tried to remove the GoogleUpdate rootkit virus (I believe that's what it's called) without help, and it just keeps coming back. I now admit defeat and I believe this is the right place to post. I have seen other topics created and responses that generated success, but I followed these, and I obviously suck at this... any help will be greatly appreciated.

Thanks in advance,

Paul Bradshaw




#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:37 AM

Posted 25 September 2013 - 04:06 AM

Hi there,
my name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with DDS

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs:

  • DDS.txt: save to your desktop, then post its contents in your topic
  • Attach.txt: save to your desktop, then attach it to your next reply

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All (should be unchecked by default)
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save... button, and in the File name area, type in "ark.txt" or it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Proud Member of UNITE & TB
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 ImNotPaulBradshaw

  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 30 September 2013 - 07:42 AM

I apologize for replying so late.

Here is the DDS scan:

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.40.2
Run by Paul at 7:43:41 on 2013-09-30
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3318.1730 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbmcoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\mfevtps.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.1\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.1\loggingserver.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Lexmark 4200 Series\LXBMmon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\AOL\1377622223\ee\aolsoftware.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uWindow Title = Windows Internet Explorer provided by AOL
mWindow Title = Windows Internet Explorer provided by Comcast
uProxyOverride = <local>
uURLSearchHooks: Quixley_2KMb Toolbar: {12a9db21-42a2-492d-a85c-cdde0c88b608} - c:\program files\quixley_2kmb\prxtbQuix.dll
uURLSearchHooks: {2b2505fa-fd68-0144-9128-cd617bdca8c2} - <orphaned>
uURLSearchHooks: <No Name>:  - LocalServer32 - <no file>
uURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
mURLSearchHooks: Quixley_2KMb Toolbar: {12a9db21-42a2-492d-a85c-cdde0c88b608} - c:\program files\quixley_2kmb\prxtbQuix.dll
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.0.318\McAfeeMSS_IE.dll
BHO: Quixley_2KMb Toolbar: {12a9db21-42a2-492d-a85c-cdde0c88b608} - c:\program files\quixley_2kmb\prxtbQuix.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Quixley_2KMb Toolbar: {12A9DB21-42A2-492D-A85C-CDDE0C88B608} - c:\program files\quixley_2kmb\prxtbQuix.dll
TB: Quixley_2KMb Toolbar: {12a9db21-42a2-492d-a85c-cdde0c88b608} - c:\program files\quixley_2kmb\prxtbQuix.dll
uRun: [srfugyaj] c:\users\paul\appdata\local\hvfmdoown\egqshdbtssd.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [iCloudServices] c:\program files\common files\apple\internet services\iCloudServices.exe
mRun: [lxbmmon.exe] "c:\program files\lexmark 4200 series\lxbmmon.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [HostManager] c:\program files\common files\aol\1377622223\ee\AOLSoftware.exe
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: c:\users\paul\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\users\paul\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.318\SSScheduler.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{48841743-D87A-4799-B823-10BDBE17539D} : DHCPNameServer = 192.168.1.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\17.0.1\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: SecurityProviders = credssp.dll, AwjohjuDmusm.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\paul\appdata\roaming\mozilla\firefox\profiles\c5qyabmo.default\
FF - prefs.js: keyword.URL - 
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\15.3.0\npsitesafety.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mcafee security scan\3.0.318\npMcAfeeMSS.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\paul\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\users\paul\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_149.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-7-17 565888]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-3 37664]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2013-9-23 27080]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-7-17 210608]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-9-20 22856]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2013-3-12 235264]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-3-12 363080]
S3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;c:\windows\system32\drivers\BUSB2902.sys [2010-2-15 384576]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2008-7-26 42280]
S3 BUSB_AUDIO_WDM;BEHRINGER USB WDM AUDIO;c:\windows\system32\drivers\busbwdm.sys [2010-2-15 39488]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-3-12 60920]
S3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2011-5-6 13904]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [2012-6-22 19984]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-26 39272]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-12-12 36608]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2013-3-12 146872]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2013-3-12 65928]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-3-12 92632]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-11 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-11 40552]
.
=============== File Associations ===============
.
FileExt: .vbe: VBEFile=NOTEPAD.EXE "%1"
FileExt: .vbs: VBSFile=NOTEPAD.EXE "%1"
FileExt: .js: JSFile=NOTEPAD.EXE "%1"
FileExt: .jse: JSEFile=NOTEPAD.EXE "%1"
FileExt: .wsf: WSFFile=NOTEPAD.EXE "%1"
ShellExec: switch.exe: open="c:\program files\nch software\switch\switch" "%L"
.
=============== Created Last 30 ================
.
2013-09-30 12:37:22 -------- d-----w- c:\users\paul\appdata\roaming\Malwarebytes
2013-09-25 12:49:48 -------- d-----w- c:\program files\iPod
2013-09-25 12:49:46 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-09-25 12:49:46 -------- d-----w- c:\program files\iTunes
2013-09-23 17:40:58 27080 ----a-w- c:\windows\system32\drivers\ElRawDsk.sys
2013-09-21 13:57:27 -------- d-----w- c:\users\paul\appdata\local\adawarebp
2013-09-20 16:37:52 -------- d-----w- c:\programdata\Malwarebytes
2013-09-20 16:37:45 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-20 16:37:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-09-20 13:50:23 -------- d-----w- c:\program files\Trend Micro
2013-09-20 12:51:40 -------- d-----w- c:\windows\ERUNT
2013-09-20 12:48:17 -------- d-----w- c:\programdata\Oracle
2013-09-20 12:46:51 868264 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-09-20 12:46:32 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-09-20 12:18:15 -------- d-----w- c:\program files\VS Revo Group
2013-09-08 21:33:01 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2013-09-08 21:33:00 -------- d-----w- c:\program files\MagicDisc
.
==================== Find3M  ====================
.
2013-09-28 10:45:02 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-09-22 21:51:53 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-22 21:51:53 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-20 12:46:12 790440 ----a-w- c:\windows\system32\deployJava1.dll
2013-09-15 21:18:10 41616 ----a-w- c:\windows\system32\iolobtdfg.exe
2013-09-15 21:18:00 23568 ----a-w- c:\windows\system32\smrgdf.exe
2013-09-15 20:59:12 2097984 ----a-w- c:\windows\system32\Incinerator32.dll
2013-08-27 18:38:05 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-08-27 18:38:05 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-08-27 16:38:31 58696 ----a-w- c:\windows\system32\AOLParconLink.exe
.
============= FINISH:  7:55:41.75 ===============
Edited by ImNotPaulBradshaw, 30 September 2013 - 08:10 AM.
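Reading a DDS "Pseudo HJT Report" by eye is the error-prone part of this process. As an added example (not part of this thread, of DDS, or of BleepingComputer's tools), the Python script below applies a few defensive triage heuristics to DDS lines: protection products reporting Disabled, Run keys launching from a user profile's AppData or Temp (escalated when the key, folder or file name is random-looking), SecurityProviders DLLs beyond the Windows 7 default credssp.dll, and orphaned entries. The sample lines are constructed from the log above; the NoteKeeper entry and the vowel-ratio threshold are assumptions, and a "high" finding means "verify", not "malicious".

```python
import re
from typing import Dict, List

# Constructed sample modelled on the DDS "Pseudo HJT Report" posted above.
# The NoteKeeper line is an invented, benign-looking entry used to show the
# lower-severity "review" outcome; the other lines mirror the posted log.
SAMPLE_DDS = r"""
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
uURLSearchHooks: {2b2505fa-fd68-0144-9128-cd617bdca8c2} - <orphaned>
uRun: [srfugyaj] c:\users\paul\appdata\local\hvfmdoown\egqshdbtssd.exe
uRun: [NoteKeeper] "c:\users\paul\appdata\local\notekeeper\notekeeper.exe" /tray
uRun: [iCloudServices] c:\program files\common files\apple\internet services\iCloudServices.exe
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
SecurityProviders: SecurityProviders = credssp.dll, AwjohjuDmusm.dll
"""

# uRun / mRun / dRunOnce: [key name] command line
RUN_RE = re.compile(r'^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$')
# AV: / SP: / FW: product *State* {guid}
PROTECTION_RE = re.compile(r'^(?P<kind>AV|SP|FW): (?P<product>.+?) \*(?P<state>[^*]+)\*')
SECPROV_RE = re.compile(r'^SecurityProviders: SecurityProviders = (?P<dlls>.+)$')
# Executables launched from a user profile's AppData or from any Temp folder.
USER_WRITABLE_RE = re.compile(r'\\users\\[^\\]+\\appdata\\(?:local|roaming)\\|\\temp\\', re.I)
# Windows 7 ships with only credssp.dll here (assumption: anything else needs review).
DEFAULT_SECURITY_PROVIDERS = {'credssp.dll'}


def extract_target(cmd: str) -> str:
    """Return the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?P<exe>.*?\.exe)(?:\s|$)', cmd, re.I)
    if m:
        return m.group('exe')
    parts = cmd.split()
    return parts[0] if parts else cmd


def looks_random(token: str) -> bool:
    """Crude heuristic: a long alphabetic token with almost no vowels (e.g. egqshdbtssd)."""
    letters = [c for c in token.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in 'aeiou' for c in letters)
    return vowels / len(letters) <= 0.25  # threshold is an assumption, tune to taste


def triage_dds(log_text: str) -> List[Dict[str, str]]:
    """Scan DDS log lines and return findings as dicts (severity, category, detail, line)."""
    findings: List[Dict[str, str]] = []

    def add(severity: str, category: str, detail: str, line: str) -> None:
        findings.append({'severity': severity, 'category': category,
                         'detail': detail, 'line': line})

    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROTECTION_RE.match(line)
        if m:
            if 'disabled' in m.group('state').lower():
                add('info', 'protection-disabled',
                    f"{m.group('kind')} {m.group('product')} reports {m.group('state')}", line)
            continue
        m = RUN_RE.match(line)
        if m:
            target = extract_target(m.group('cmd'))
            if USER_WRITABLE_RE.search(target):
                parts = target.split('\\')
                stem = parts[-1].rsplit('.', 1)[0]
                parent = parts[-2] if len(parts) > 1 else ''
                odd = [t for t in (m.group('name'), parent, stem) if looks_random(t)]
                if odd:
                    add('high', 'suspicious-autorun',
                        f'launches from a user-writable path with random-looking name(s) {odd}', line)
                else:
                    add('review', 'appdata-autorun',
                        'launches from a user-writable path; confirm the publisher', line)
            continue
        m = SECPROV_RE.match(line)
        if m:
            for dll in (d.strip() for d in m.group('dlls').split(',')):
                if dll.lower() not in DEFAULT_SECURITY_PROVIDERS:
                    add('high', 'unknown-security-provider',
                        f'{dll} is not a default SecurityProviders DLL', line)
            continue
        if line.endswith('<orphaned>') or line.endswith('<no file>'):
            add('info', 'orphaned-entry', 'entry points at a missing target', line)
    return findings


if __name__ == '__main__':
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f['severity']:6}] {f['category']:26} {f['detail']}")
```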


#4 ImNotPaulBradshaw

  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 30 September 2013 - 08:43 AM

GMER scan:

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-30 08:42:44
Windows 6.1.7600  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST31000528AS rev.CC37 931.51GB
Running: v3e2emjt.exe; Driver: C:\Users\Paul\AppData\Local\Temp\kflyrkow.sys
 
 
---- System - GMER 2.1 ----
 
INT 0x01        \??\C:\Users\Paul\AppData\Local\Temp\mbr.sys                                                             9ED85C42
 
---- Kernel code sections - GMER 2.1 ----
 
.text           ntkrnlpa.exe!ZwRollbackTransaction + 13F9                                                                83658829 1 Byte  [06]
.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                   8367D132 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
?               C:\Users\Paul\AppData\Local\Temp\mbr.sys                                                                 The system cannot find the file specified. !
 
---- User code sections - GMER 2.1 ----
 
.text           C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[2168] kernel32.dll!LoadLibraryA              77232844 5 Bytes  JMP 6F488360 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll
.text           C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[2168] kernel32.dll!LoadLibraryW              77232892 5 Bytes  JMP 6F488460 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll
 
---- User IAT/EAT - GMER 2.1 ----
 
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                          [73EA24FA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                     [73E8565B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                    [73E85719] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                           [73EA2575] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                 [73E985D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                   [73E94D8D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                  [73E95134] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                 [73E95209] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]        [73E96736] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                  [73E98330] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]             [73E9887F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]           [73E990E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                 [73E9E283] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT             C:\Windows\Explorer.EXE[2632] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                     [73E94CBF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
 
---- Devices - GMER 2.1 ----
 
Device                                                                                                                   Ntfs.sys
 
AttachedDevice  \Driver\tdx \Device\Tcp                                                                                  Mpfp.sys
AttachedDevice  \Driver\tdx \Device\Udp                                                                                  Mpfp.sys
AttachedDevice  \Driver\tdx \Device\RawIp                                                                                Mpfp.sys
 
---- Registry - GMER 2.1 ----
 
Reg             HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers@AliveServerCount                            5
Reg             HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\AB1C4F5E-C3F2-4A3C-860B-10D560F94A25@Alive  0
 
---- EOF - GMER 2.1 ----


#5 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:37 AM

Posted 30 September 2013 - 09:23 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#6 ImNotPaulBradshaw

  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 30 September 2013 - 01:23 PM

ComboFix 13-09-30.02 - Paul 09/30/2013  11:58:01.1.2 - x86
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3318.2202 [GMT -5:00]
Running from: c:\users\Paul\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\3442128.pad
c:\users\Jo-Jo\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\Michelle\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\Paul\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\Paul\AppData\Roaming\Microsoft\AdjMmsVista.dll
c:\users\Theresa\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\Todd Bradshaw\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\Todd Bradshaw\AppData\Roaming\skype.ini
c:\windows\system32\nsl1D45.tmp
c:\windows\system32\nsv1CE6.tmp
c:\windows\system32\sysprep\cryptbase.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-28 to 2013-09-30  )))))))))))))))))))))))))))))))
.
.
2013-09-30 17:25 . 2013-09-30 17:25 -------- d-----w- c:\users\Michelle\AppData\Local\temp
2013-09-30 17:25 . 2013-09-30 17:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-30 17:25 . 2013-09-30 17:25 -------- d-----w- c:\users\Todd Bradshaw\AppData\Local\temp
2013-09-30 17:25 . 2013-09-30 17:25 -------- d-----w- c:\users\Jo-Jo\AppData\Local\temp
2013-09-30 17:25 . 2013-09-30 17:25 -------- d-----w- c:\users\Ayden.ToddBradshaw\AppData\Local\temp
2013-09-30 13:08 . 2013-09-30 13:08 -------- d-----w- c:\users\Paul\AppData\Local\WinZip
2013-09-30 13:07 . 2013-09-30 13:08 -------- d-----w- c:\programdata\WinZip
2013-09-30 12:37 . 2013-09-30 12:37 -------- d-----w- c:\users\Paul\AppData\Roaming\Malwarebytes
2013-09-25 12:49 . 2013-09-25 12:49 -------- d-----w- c:\program files\iPod
2013-09-25 12:49 . 2013-09-25 12:51 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-09-25 12:49 . 2013-09-25 12:51 -------- d-----w- c:\program files\iTunes
2013-09-23 17:40 . 2012-04-17 13:25 27080 ----a-w- c:\windows\system32\drivers\ElRawDsk.sys
2013-09-23 13:46 . 2013-09-23 13:46 -------- d-----w- c:\users\Todd Bradshaw\AppData\Local\Adobe
2013-09-22 18:35 . 2013-09-22 18:35 -------- d-----w- c:\users\Michelle\AppData\Local\Ahead
2013-09-22 18:35 . 2013-09-22 18:35 -------- d-----w- c:\users\Michelle\AppData\Local\AOL
2013-09-22 18:35 . 2013-09-22 18:35 -------- d-----w- c:\users\Michelle\AppData\Local\adawarebp
2013-09-21 16:30 . 2013-09-21 16:30 -------- d-----w- c:\users\Theresa\AppData\Local\Ahead
2013-09-21 16:30 . 2013-09-21 16:30 -------- d-----w- c:\users\Theresa\AppData\Local\AOL
2013-09-21 16:29 . 2013-09-21 16:30 -------- d-----w- c:\users\Theresa\AppData\Local\adawarebp
2013-09-21 13:57 . 2013-09-21 13:57 -------- d-----w- c:\users\Paul\AppData\Local\adawarebp
2013-09-21 13:56 . 2013-09-21 13:56 -------- d-----w- c:\users\Jo-Jo\AppData\Local\AOL
2013-09-21 13:56 . 2013-09-21 13:56 -------- d-----w- c:\users\Jo-Jo\AppData\Local\adawarebp
2013-09-20 16:39 . 2013-09-20 16:39 -------- d-----w- c:\users\Todd Bradshaw\AppData\Roaming\Malwarebytes
2013-09-20 16:37 . 2013-09-20 16:37 -------- d-----w- c:\programdata\Malwarebytes
2013-09-20 16:37 . 2013-09-20 16:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-09-20 16:37 . 2013-04-04 19:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-20 16:37 . 2013-09-20 16:37 -------- d-----w- c:\users\Todd Bradshaw\AppData\Local\Programs
2013-09-20 14:23 . 2013-09-20 14:24 -------- d-----w- c:\users\Todd Bradshaw\AppData\Local\adawarebp
2013-09-20 13:50 . 2013-09-20 13:50 388096 ----a-r- c:\users\Todd Bradshaw\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-09-20 13:50 . 2013-09-20 13:50 -------- d-----w- c:\program files\Trend Micro
2013-09-20 12:51 . 2013-09-20 12:51 -------- d-----w- c:\windows\ERUNT
2013-09-20 12:48 . 2013-09-20 12:48 -------- d-----w- c:\programdata\Oracle
2013-09-20 12:47 . 2013-09-20 12:47 -------- d-----w- c:\program files\Common Files\Java
2013-09-20 12:46 . 2013-09-20 12:46 868264 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-09-20 12:46 . 2013-09-20 12:46 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-09-20 12:18 . 2013-09-20 12:18 -------- d-----w- c:\program files\VS Revo Group
2013-09-08 21:33 . 2009-02-24 23:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2013-09-08 21:33 . 2013-09-08 21:34 -------- d-----w- c:\program files\MagicDisc
2013-09-08 20:05 . 2013-09-08 20:05 -------- d-----w- c:\users\Jo-Jo\AppData\Local\Macromedia
2013-09-08 19:59 . 2013-09-08 19:59 -------- d-----w- c:\users\Jo-Jo\AppData\Local\Mozilla
2013-08-31 18:00 . 2013-09-06 04:37 -------- d-----w- c:\users\todd
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-28 10:45 . 2012-09-03 23:43 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-09-22 21:51 . 2012-04-03 13:50 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-22 21:51 . 2011-05-17 09:36 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-20 12:46 . 2010-05-15 14:03 790440 ----a-w- c:\windows\system32\deployJava1.dll
2013-09-15 21:18 . 2012-05-20 14:11 41616 ----a-w- c:\windows\system32\iolobtdfg.exe
2013-09-15 21:18 . 2012-05-20 14:11 23568 ----a-w- c:\windows\system32\smrgdf.exe
2013-09-15 20:59 . 2012-05-20 14:21 2097984 ----a-w- c:\windows\system32\Incinerator32.dll
2013-08-29 00:37 . 2013-08-29 00:37 110080 ----a-r- c:\users\Todd Bradshaw\AppData\Roaming\Microsoft\Installer\{DB847E94-446B-49E0-AC5D-C5627EC8B0C0}\IconF7A21AF7.exe
2013-08-29 00:37 . 2013-08-29 00:37 110080 ----a-r- c:\users\Todd Bradshaw\AppData\Roaming\Microsoft\Installer\{DB847E94-446B-49E0-AC5D-C5627EC8B0C0}\IconD7F16134.exe
2013-08-29 00:37 . 2013-08-29 00:37 110080 ----a-r- c:\users\Todd Bradshaw\AppData\Roaming\Microsoft\Installer\{DB847E94-446B-49E0-AC5D-C5627EC8B0C0}\IconCF33A0CE.exe
2013-08-27 18:38 . 2013-08-27 18:38 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-08-27 18:38 . 2013-08-27 18:38 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-08-27 16:38 . 2013-08-27 16:53 58696 ----a-w- c:\windows\system32\AOLParconLink.exe
2013-02-16 00:35 . 2013-02-20 23:13 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{12a9db21-42a2-492d-a85c-cdde0c88b608}"= "c:\program files\Quixley_2KMb\prxtbQuix.dll" [2011-03-28 176936]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn2\yt.dll" [2012-03-21 1523512]
.
[HKEY_CLASSES_ROOT\clsid\{12a9db21-42a2-492d-a85c-cdde0c88b608}]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{12a9db21-42a2-492d-a85c-cdde0c88b608}]
2011-03-28 16:22 176936 ----a-w- c:\program files\Quixley_2KMb\prxtbQuix.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{12a9db21-42a2-492d-a85c-cdde0c88b608}"= "c:\program files\Quixley_2KMb\prxtbQuix.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{12a9db21-42a2-492d-a85c-cdde0c88b608}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{12A9DB21-42A2-492D-A85C-CDDE0C88B608}"= "c:\program files\Quixley_2KMb\prxtbQuix.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{12a9db21-42a2-492d-a85c-cdde0c88b608}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-11-22 2736128]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2013-09-14 59720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxbmmon.exe"="c:\program files\Lexmark 4200 Series\lxbmmon.exe" [2009-04-27 230056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2013-09-28 2404376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1278064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"HostManager"="c:\program files\Common Files\AOL\1377622223\ee\AOLSoftware.exe" [2010-03-08 41800]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2013-07-15 554384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-09-18 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-08-27 280576]
.
c:\users\Todd Bradshaw\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Todd Bradshaw\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-23 27776968]
Shrink Pic.lnk - c:\program files\Shrink Pic\shrink_pic.exe -s [2009-5-4 2528256]
.
c:\users\Jo-Jo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\users\Theresa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2013-9-8 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\users\Michelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-2-14 813584]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, AwjohjuDmusm.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bluetooth Connection Assistant]
LBTWIZ.EXE -silent [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivX Download Manager
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgentMonitor]
2012-11-08 02:26 377800 ----a-w- c:\program files\VTech\DownloadManager\System\AgentMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 02:43 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-09-18 04:45 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 21:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2011-08-05 17:29 159456 ----a-w- c:\program files\Zune\ZuneLauncher.exe
.
R0 Lbd;Lbd; [x]
R2 0274641380425373mcinstcleanup;McAfee Application Installer Cleanup (0274641380425373);c:\windows\TEMP\027464~1.EXE [x]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; [x]
R3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;c:\windows\system32\Drivers\BUSB2902.sys [2009-10-30 384576]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2008-07-26 42280]
R3 BUSB_AUDIO_WDM;BEHRINGER USB WDM AUDIO;c:\windows\system32\drivers\busbwdm.sys [2009-10-30 39488]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-05-06 13904]
R3 EsgScanner;EsgScanner;c:\windows\system32\DRIVERS\EsgScanner.sys [2012-06-22 19984]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-02-19 36608]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 146872]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.318\McCHSvc.exe [2013-02-05 235216]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-02-19 92632]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-01 1343400]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-09-28 37664]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2012-04-17 27080]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2013-02-19 210608]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2013-09-15 1164328]
S2 lxbm_device;lxbm_device;c:\windows\system32\lxbmcoms.exe [2007-01-30 537520]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2012-08-31 167784]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 167784]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2013-02-19 169320]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-02-19 172416]
S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [2009-07-17 3576320]
S2 PDFsFilter;PDFsFilter;c:\windows\system32\DRIVERS\PDFsFilter.sys [2012-07-26 68464]
S2 vToolbarUpdater17.0.1;vToolbarUpdater17.0.1;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.1\ToolbarUpdater.exe [2013-09-28 1734680]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-02-19 60920]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-02-19 363080]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ   getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 20:18 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-19 12:54 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 21:51]
.
2013-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-07 17:40]
.
2013-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-07 17:40]
.
2013-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-12 18:22]
.
2013-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-12 18:22]
.
.
------- Supplementary Scan -------
.
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\17.0.1\ViProtocol.dll
FF - ProfilePath - c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\c5qyabmo.default\
FF - prefs.js: keyword.URL - 
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE "%1"
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{2b2505fa-fd68-0144-9128-cd617bdca8c2} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
HKCU-Run-srfugyaj - c:\users\Paul\AppData\Local\hvfmdoown\egqshdbtssd.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,63,a2,24,a4,55,97,48,93,fe,75,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,63,a2,24,a4,55,97,48,93,fe,75,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
c:\program files\Common Files\Logishrd\Bluetooth\LBTServ.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.1\loggingserver.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\DllHost.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2013-09-30  12:50:44 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-30 17:50
.
Pre-Run: 322,426,908,672 bytes free
Post-Run: 322,874,064,896 bytes free
.
- - End Of File - - CE4CFD2F1008013C1D10E7E9A781D5EB
A36C5E4F47E84449FF07ED3517B43A31
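Added example, not code from this thread or from ComboFix: a small Python triage script that re-reads the "Reg Loading Points" part of a ComboFix log like the one above and flags the two kinds of entries a responder would look at first. The first is any DLL in the SecurityProviders value beyond a stock baseline (those DLLs are loaded into lsass.exe at boot, a long-standing persistence location); the baseline of just credssp.dll is an assumed Windows 7 default, not something the log states. The second is any Run value, orphaned HKCU Run value or service whose binary sits under AppData or TEMP, directories a standard user can write to. The sample lines are copied from the log above; the baseline set, the regexes and the directory heuristic are assumptions of this example.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example; it is not code from the thread or from ComboFix. It flags
(1) DLLs in the SecurityProviders value beyond an assumed stock baseline
    (these DLLs are loaded into lsass.exe at boot, a classic persistence spot),
(2) Run values, orphaned HKCU Run values and services whose binary lives in
    a user-writable or temporary directory.
"""
import re

# ASSUMPTION (not stated by the log): stock Windows 7 SecurityProviders is just credssp.dll.
BASELINE_SECURITY_PROVIDERS = {"credssp.dll"}

# Constructed sample: lines copied verbatim from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, AwjohjuDmusm.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2013-09-28 2404376]
.
R2 0274641380425373mcinstcleanup;McAfee Application Installer Cleanup (0274641380425373);c:\windows\TEMP\027464~1.EXE [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
.
HKCU-Run-srfugyaj - c:\users\Paul\AppData\Local\hvfmdoown\egqshdbtssd.exe
"""

SECPROV_RE = re.compile(r"^SecurityProviders\s+(?P<list>.+)$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')                 # "Name"="path" [date size]
ORPHAN_RE = re.compile(r"^HKCU-Run-(?P<name>\S+) - (?P<path>.+)$")             # ORPHANS REMOVED entries
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>[^\[]*)")  # R2 name;display;path [..]
# Directories a standard user can write to; a startup binary there deserves a look.
UNTRUSTED_DIR_RE = re.compile(r"\\(appdata|temp)\\", re.I)


def triage(log_text, baseline=BASELINE_SECURITY_PROVIDERS):
    """Return (kind, name, detail) tuples for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECPROV_RE.match(line)
        if m:
            # Every provider DLL not in the baseline is reported, with the full line as context.
            for dll in (p.strip() for p in m.group("list").split(",")):
                if dll and dll.lower() not in baseline:
                    findings.append(("securityprovider", dll, line))
            continue
        for kind, rx in (("run", RUN_RE), ("orphan-run", ORPHAN_RE), ("service", SERVICE_RE)):
            m = rx.match(line)
            if not m:
                continue
            path = m.group("path").strip()
            if path and UNTRUSTED_DIR_RE.search(path):
                findings.append((kind, m.group("name"), path))
            break
    return findings


if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {name:32} {detail}")
```

Run against the sample it reports the extra SecurityProviders DLL, the McAfee cleanup service running out of c:\windows\TEMP, and the orphaned HKCU Run value under the user's AppData\Local, while leaving the system32 and Program Files entries alone. A hit is a prompt to check the file (signature, hash, creation time), not a verdict on its own; vendor installers do sometimes register a service from TEMP, as the McAfee entry shows.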


#7 TB-Psychotic
Malware Response Team

Posted 01 October 2013 - 12:59 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where ComboFix is.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#8 TB-Psychotic
Malware Response Team

Posted 08 October 2013 - 02:51 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.