
Popups that say they are google adds. Can't download ANYTHING


  • This topic is locked
21 replies to this topic

#1 jacko16

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:32 PM

Posted 27 November 2013 - 02:14 AM

Popups in the bottom left-hand and right-hand corners, and when you hover over them it shows the website's name and says it is from Google Ads, when it clearly isn't. Also, I can't download anything, even safe stuff like Adobe Reader or something. I've tried it in Google Chrome and Internet Explorer and neither works. When I do it in Google Chrome it says "virus scan failed", but I'm not sure what exactly that means. Because of this I couldn't download the DDS thing, but I found on this website someone with the same problem who was told to download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ on another computer and then transfer it to the current computer and get the log, which I did with success, and it's below.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-11-2013 01
Ran by jmitch16 (administrator) on JMITCH16-T730 on 27-11-2013 17:55:59
Running from C:\Users\jmitch16\Desktop
Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Could not list processes ===============
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [LoadFUJ02E3] - C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe [36712 2009-10-14] (FUJITSU LIMITED)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [FjStrtAp] - C:\Program Files\Fujitsu\Utils\FjStrtAp.exe [20480 2009-10-12] (Fujitsu Computer Systems Corp.)
HKLM\...\Run: [Apoint] - C:\Program Files\Apoint2K\Apoint.exe [271728 2011-01-13] (Alps Electric Co., Ltd.)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7862816 2009-10-28] (Realtek Semiconductor)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [ClientAppLogon] - C:\Program Files\TrueSuite\TrueSuite.ClientAppLogonExe.exe [307520 2010-07-29] (AuthenTec, Inc.)
HKLM\...\Run: [UpdatePDRShortCut] - C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM\...\Run: [RemoteControl8] - C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe [91432 2009-07-16] (CyberLink Corp.)
HKLM\...\Run: [PDVD8LanguageShortcut] - C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe [50472 2009-04-15] (CyberLink Corp.)
HKLM\...\Run: [YouCam Mirror Tray icon] - C:\Program Files\CyberLink\YouCam\YouCamTray.exe [167008 2010-01-15] (CyberLink Corp.)
HKLM\...\Run: [ccApp] - C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115560 2011-02-18] (Symantec Corporation)
HKLM\...\Run: [BCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe [35736 2011-01-31] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-05] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM\...\Run: [snp2uvc] - C:\Windows\vsnp2uvc.exe [662016 2009-08-12] (Sonix)
HKLM\...\Run: [SNUVCDSM] - C:\Windows\snuvcdsm.exe [24576 2009-05-22] ()
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-11-28] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [151952 2012-11-29] (Apple Inc.)
HKLM\...\Run: [BigPondWirelessBroadbandCM] - C:\Program Files\Telstra\Mobile Broadband Manager\TelstraUCM.exe [6198168 2011-08-12] (Telstra)
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE [2565520 2011-03-15] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenuEx] - C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE [1612920 2011-08-04] (CANON INC.)
HKLM\...\Run: [IJNetworkScannerSelectorEX] - C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452016 2011-01-15] (CANON INC.)
HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-11-29] (Google Inc.)
HKCU\...\Run: [GoogleChromeAutoLaunch_558C8A73E68E7DA62B43996849CDEDFA] - C:\Program Files\Google\Chrome\Application\chrome.exe [863184 2013-11-14] (Google Inc.)
HKCU\...\Run: [{C7011194-44EB-25B1-BA6B-CC90A7146962}] - C:\Users\jmitch16\AppData\Roaming\Rixeyxb\hufyru.exe [217600 2013-03-27] ()
HKCU\...\Run: [Windows Update Server] - C:\Users\jmitch16\kcjoa86k0r3m-11280.exe [132096 2013-11-15] ()
HKCU\...\Run: [RESTART_STICKY_NOTES] - C:\Windows\System32\StikyNot.exe [354304 2009-07-14] (Microsoft Corporation)
MountPoints2: {09ff4ac6-4a53-11e2-a6ac-e839df8beb81} - D:\WIN\setup.exe
Startup: C:\Users\IT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cybersafety Help Button.lnk
ShortcutTarget: Cybersafety Help Button.lnk -> C:\Program Files\Cybersafety Help Button\Cybersafety Help Button.exe ()
Startup: C:\Users\jmitch16\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
ProxyServer: daffy.igs.vic.edu.au:8080
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ivanhoeconnect.com
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ivanhoeconnect.com
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com.au
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: TrueSuite WebStore - {5cb2b77d-c8ca-44db-af20-a7a4df462a12} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: TrueSuite Website Log On - {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files\TrueSuite\TrueSuite.IEBHO.dll (AuthenTec Inc.)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 10 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.138
 
Chrome: 
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\31.0.1650.57\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\31.0.1650.57\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\31.0.1650.57\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.240.7) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U24) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (CANON iMAGE GATEWAY Album Plugin Utility for IJ) - C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\4.0.60129.0\npctrl.dll No File
CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Extension: (Bejeweled) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\adpkifcfcacgmnggcbpbjbkdijciiigm\2_0
CHR Extension: (Angry Birds) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.5.0.7_1
CHR Extension: (YouTube) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Bloxorz) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfkaiemjhgblkkcanmhciiopcehlhnhi\2.0.0_0
CHR Extension: (Crazy Rollercoaster) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\eafhgomkapdagnpmmgilphbolnejepoc\1.3_0
CHR Extension: (Stopwatch) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggnidjbcahhbnleinchgobfnabopeioh\3.8_0
CHR Extension: (Planetarium) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\gheikhdfflhlbemfmhcfpeblehemeklp\1.1.2_0
CHR Extension: (Cut the Rope) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkddaofiamhgfjmaccfcfpfolpgbeomj\16_0
CHR Extension: (Typing Test - KeyHero) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcieoaeooeidmpaopkpjpjfakidlabm\1.4.0_1
CHR Extension: (Torch Share) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiplfnciaokpcennlkldkdaeaaomamof\1.0.0.2504_0
CHR Extension: (Little Alchemy) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\knkapnclbofjjgicpkfoagdjohlfjhpd\0.0.15.7_0
CHR Extension: (Webcam Toy) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfbgimoladefibpklnfmkpknadbklade\1.5_0
CHR Extension: (Google Maps) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh\5.2.7_0
CHR Extension: (Poppit) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0
CHR Extension: (mt buller bottom) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhooddfgleajhcpacfciijioiacoabpa\1.0_0
CHR Extension: (Google Wallet) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0
CHR Extension: (Where is the red) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohpblkkbmfceapbolfogbfpkcjdlhonb\2_0
CHR Extension: (Gmail) - C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM\...\Chrome\Extension: [kiplfnciaokpcennlkldkdaeaaomamof] - C:\Users\jmitch16\AppData\Local\Torch\Plugins\TorchPlugin.crx
 
========================== Services (Whitelisted) =================
 
R2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2011-02-18] (Symantec Corporation)
S2 CcmExec; C:\Windows\CCM\CcmExec.exe [1090656 2012-11-21] (Microsoft Corporation)
S2 ccmsetup; C:\Windows\ccmsetup\ccmsetup.exe [1614520 2013-09-11] (Microsoft Corporation)
R2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2011-02-18] (Symantec Corporation)
S4 CmRcService; C:\Windows\CCM\RemCtrl\CmRcService.exe [470112 2012-11-21] (Microsoft Corporation)
R2 FPLService; C:\Program Files\TrueSuite\TrueSuite.Service.exe [257344 2010-07-29] (AuthenTec, Inc)
R2 IJPLMSVC; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [138192 2011-02-07] ()
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093880 2010-09-07] (Symantec Corporation)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
R2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [247152 2009-07-07] ()
S2 SharedAccess; C:\Windows\System32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
R2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1893728 2011-02-18] (Symantec Corporation)
S3 smstsmgr; C:\Windows\CCM\TSManager.exe [275536 2012-11-21] (Microsoft Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357744 2011-02-18] (Symantec Corporation)
R2 SwiCardDetectSvc; C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe [238960 2011-06-24] (Sierra Wireless, Inc.)
R2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1839776 2011-02-18] (Symantec Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] ()
R2 WTouchService; C:\Program Files\WTouch\WTouchService.exe [216944 2010-08-27] (Wacom Technology, Corp.)
 
==================== Drivers (Whitelisted) ====================
 
R3 acpials; C:\Windows\System32\DRIVERS\acpials.sys [7680 2009-07-14] (Microsoft Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376920 2013-11-21] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [108120 2013-11-21] (Symantec Corporation)
R3 Fjbtndrv; C:\Windows\system32\drivers\FjBtnDrv.sys [18816 2009-08-27] (Fujitsu America, Inc.)
R3 FUJ02B1; C:\Windows\system32\drivers\FUJ02B1.sys [5888 2006-11-01] (FUJITSU LIMITED)
R3 NAVENG; C:\ProgramData\Symantec\Definitions\VirusDefs\20131126.016\NAVENG.SYS [93272 2013-11-20] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Definitions\VirusDefs\20131126.016\NAVEX15.SYS [1612376 2013-11-20] (Symantec Corporation)
R3 NETwNs32; C:\Windows\System32\DRIVERS\Netwsn00.sys [10378992 2013-02-28] (Intel Corporation)
S3 prepdrvr; C:\Windows\System32\DRIVERS\prepdrv.sys [20848 2012-02-20] (Microsoft Corporation)
R3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [3487104 2009-09-04] ()
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2011-02-18] (Symantec Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [284720 2011-02-18] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [320944 2011-02-18] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2011-02-18] (Symantec Corporation)
S3 swg3kser00; C:\Windows\System32\DRIVERS\swg3kser00.sys [215552 2011-07-10] (Sierra Wireless Incorporated)
S3 swiwdmbx; C:\Windows\System32\DRIVERS\swiwdmbx.sys [83968 2011-07-10] (Sierra Wireless Inc.)
S3 SWNC8UA3; C:\Windows\System32\DRIVERS\swnc8ua3.sys [208128 2011-07-10] (Sierra Wireless Inc.)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [125488 2011-03-01] (Symantec Corporation)
R3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [26416 2011-02-18] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [188080 2011-02-18] (Symantec Corporation)
S4 SysPlant; C:\Windows\SYSTEM32\Drivers\SysPlant.sys [99696 2011-02-18] (Symantec Corporation)
R3 Teefer2; C:\Windows\System32\DRIVERS\teefer2.sys [67472 2011-02-18] (Symantec Corporation)
S3 USBTINSP; C:\Windows\System32\DRIVERS\tinspusb.sys [122752 2010-03-29] (Texas Instruments)
R3 wacomvthid; C:\Windows\system32\drivers\WacomVTHid.sys [13680 2010-06-01] (Wacom Technology)
R3 WISDPen; C:\Windows\system32\drivers\wisdpen.sys [36904 2010-01-04] (Wacom Technology)
R1 WPS; C:\Windows\system32\drivers\wpsdrvnt.sys [43888 2011-02-18] (Symantec Corporation)
R3 WpsHelper; C:\Windows\system32\drivers\WpsHelper.sys [174056 2012-10-02] (Symantec Corporation)
R2 zntport; C:\Windows\system32\zntport.sys [6080 2001-01-22] (Zeal SoftStudio)
S1 ngarxbfi; \??\C:\Windows\system32\drivers\ngarxbfi.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-11-27 17:55 - 2013-11-27 17:56 - 00017976 _____ C:\Users\jmitch16\Desktop\FRST.txt
2013-11-27 17:55 - 2013-11-27 17:55 - 00000000 ____D C:\FRST
2013-11-27 17:55 - 2013-11-27 17:54 - 01091605 _____ (Farbar) C:\Users\jmitch16\Desktop\FRST.exe
2013-11-23 10:42 - 2013-11-23 10:42 - 00000000 ___RD C:\Users\jmitch16\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 8
2013-11-20 13:54 - 2013-11-20 13:54 - 00000000 ____D C:\Users\jmitch16\Documents\Wondershare Video Converter Ultimate
2013-11-16 15:09 - 2013-11-17 11:53 - 00000000 ____D C:\Users\jmitch16\Downloads\The Mentalist
2013-11-15 16:31 - 2013-11-15 16:31 - 00132096 ___SH C:\Users\jmitch16\kcjoa86k0r3m-11280.exe
2013-11-15 16:30 - 2013-11-27 17:36 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Hail
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Rixeyxb
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Husyi
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Cuaw
2013-11-14 20:04 - 2013-02-27 16:05 - 00101720 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2013-11-14 20:04 - 2013-02-27 15:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2013-11-14 20:04 - 2013-02-27 15:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\system32\shdocvw.dll
2013-11-14 20:04 - 2013-02-27 15:49 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2013-11-14 20:04 - 2013-02-27 15:49 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\appinfo.dll
2013-11-14 17:56 - 2013-06-15 14:38 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2013-11-14 12:18 - 2013-11-14 12:18 - 00000000 ____D C:\Users\jmitch16\AppData\Local\PearsonBookshelf
2013-11-14 12:17 - 2013-11-14 12:17 - 00000993 _____ C:\Users\Public\Desktop\PearsonBookshelf.lnk
2013-11-14 12:17 - 2013-11-14 12:17 - 00000000 ____D C:\Program Files\PearsonBookshelf
2013-11-13 20:05 - 2013-11-13 20:05 - 00010505 _____ C:\Users\jmitch16\Documents\timetable.xlsx
2013-11-13 18:43 - 2013-11-13 18:53 - 00000000 ____D C:\Users\jmitch16\Documents\2014 School
2013-11-13 14:16 - 2013-11-13 14:16 - 00004764 _____ C:\Windows\system32\CcmFramework.ini
2013-11-13 14:16 - 2013-11-13 14:16 - 00000704 _____ C:\Windows\system32\InstallUtil.InstallLog
2013-11-13 14:16 - 2013-11-13 14:16 - 00000621 _____ C:\Windows\system32\CcmFramework.h
2013-11-13 14:09 - 2013-11-13 14:09 - 00000000 ____D C:\Windows\system32\{3DA228BE-34DA-49f4-A081-66465B077429}
2013-11-13 14:09 - 2013-11-13 14:09 - 00000000 ____D C:\Windows\ms
2013-11-13 10:17 - 2013-11-13 10:17 - 00000000 ___RD C:\Users\IT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 8
2013-11-13 10:17 - 2013-11-13 10:17 - 00000000 ____D C:\Users\IT\AppData\Roaming\Sierra Wireless
2013-11-13 10:17 - 2013-11-13 10:17 - 00000000 ____D C:\Users\IT\AppData\Roaming\Canon
2013-11-13 10:17 - 2013-11-13 10:17 - 00000000 ____D C:\Users\IT\AppData\Roaming\Apple Computer
 
==================== One Month Modified Files and Folders =======
 
2013-11-27 17:56 - 2013-11-27 17:55 - 00017976 _____ C:\Users\jmitch16\Desktop\FRST.txt
2013-11-27 17:55 - 2013-11-27 17:55 - 00000000 ____D C:\FRST
2013-11-27 17:54 - 2013-11-27 17:55 - 01091605 _____ (Farbar) C:\Users\jmitch16\Desktop\FRST.exe
2013-11-27 17:54 - 2009-07-14 15:39 - 00060702 _____ C:\Windows\setupact.log
2013-11-27 17:46 - 2012-11-29 17:05 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-27 17:44 - 2012-11-29 09:23 - 01620170 _____ C:\Windows\WindowsUpdate.log
2013-11-27 17:43 - 2013-02-15 15:43 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-11-27 17:36 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Hail
2013-11-27 17:17 - 2009-07-14 15:34 - 00019360 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-27 17:17 - 2009-07-14 15:34 - 00019360 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-27 17:15 - 2012-11-29 17:05 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-27 14:06 - 2012-11-29 10:42 - 00000120 _____ C:\Windows\system32\config\netlogon.ftl
2013-11-23 16:35 - 2012-11-29 14:08 - 00000000 ___HD C:\Users\jmitch16\AppData\Local\Adobe
2013-11-23 11:49 - 2009-07-14 13:37 - 00000000 ____D C:\Windows\rescache
2013-11-23 10:42 - 2013-11-23 10:42 - 00000000 ___RD C:\Users\jmitch16\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 8
2013-11-23 10:40 - 2009-07-14 15:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-21 10:55 - 2012-11-29 09:34 - 00000000 ____D C:\Windows\ccmcache
2013-11-21 08:33 - 2012-11-29 09:33 - 00000611 _____ C:\Windows\SMSCFG.INI
2013-11-21 08:32 - 2012-11-29 10:44 - 00021148 __RSH C:\ProgramData\ntuser.pol
2013-11-20 19:15 - 2013-04-24 19:01 - 00000000 ____D C:\Program Files\Wondershare
2013-11-20 19:14 - 2013-04-24 18:32 - 00000000 ____D C:\Program Files\Common Files\AVSMedia
2013-11-20 19:14 - 2013-04-24 18:32 - 00000000 ____D C:\Program Files\AVS4YOU
2013-11-20 13:54 - 2013-11-20 13:54 - 00000000 ____D C:\Users\jmitch16\Documents\Wondershare Video Converter Ultimate
2013-11-20 13:54 - 2013-04-24 19:01 - 00000000 ____D C:\ProgramData\Wondershare Video Converter Ultimate
2013-11-20 11:26 - 2012-11-29 10:59 - 00004842 __RSH C:\Users\jmitch16\ntuser.pol
2013-11-20 11:26 - 2012-11-29 10:59 - 00000000 ____D C:\Users\jmitch16
2013-11-17 19:58 - 2013-01-20 18:17 - 00000000 ____D C:\ProgramData\CanonIJPLM
2013-11-17 11:58 - 2012-11-29 12:57 - 00000000 ____D C:\Users\jmitch16\AppData\Local\Google
2013-11-17 11:58 - 2011-03-03 09:44 - 00000000 ____D C:\Program Files\Google
2013-11-17 11:53 - 2013-11-16 15:09 - 00000000 ____D C:\Users\jmitch16\Downloads\The Mentalist
2013-11-16 21:04 - 2010-11-21 08:01 - 00746070 _____ C:\Windows\system32\PerfStringBackup.INI
2013-11-16 20:54 - 2011-03-03 09:42 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-11-16 20:54 - 2010-11-21 08:48 - 00015946 _____ C:\Windows\PFRO.log
2013-11-16 18:30 - 2012-11-29 10:59 - 00000000 ____D C:\Users\jmitch16\AppData\Local\VirtualStore
2013-11-16 16:44 - 2013-03-25 19:00 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\AnvSoft
2013-11-16 16:36 - 2013-04-24 18:25 - 00001370 _____ C:\Users\jmitch16\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Torch.lnk
2013-11-16 16:33 - 2013-03-08 09:05 - 00000000 ____D C:\Users\jmitch16\AppData\Local\Torch
2013-11-16 15:09 - 2013-05-04 12:47 - 00000000 ____D C:\Users\jmitch16\Downloads\movies
2013-11-16 14:47 - 2013-03-08 09:11 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Torch
2013-11-15 21:48 - 2012-11-29 17:16 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Google
2013-11-15 21:09 - 2013-04-09 18:09 - 00000000 ____D C:\Users\jmitch16\Documents\running songs
2013-11-15 18:17 - 2009-07-14 13:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-11-15 16:31 - 2013-11-15 16:31 - 00132096 ___SH C:\Users\jmitch16\kcjoa86k0r3m-11280.exe
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Rixeyxb
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Husyi
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Cuaw
2013-11-15 15:55 - 2013-02-01 16:21 - 00002131 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-11-15 11:47 - 2011-02-25 15:51 - 00059100 _____ C:\Windows\DPINST.LOG
2013-11-15 11:16 - 2011-03-01 13:58 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-11-14 12:18 - 2013-11-14 12:18 - 00000000 ____D C:\Users\jmitch16\AppData\Local\PearsonBookshelf
2013-11-14 12:17 - 2013-11-14 12:17 - 00000993 _____ C:\Users\Public\Desktop\PearsonBookshelf.lnk
2013-11-14 12:17 - 2013-11-14 12:17 - 00000000 ____D C:\Program Files\PearsonBookshelf
2013-11-13 20:05 - 2013-11-13 20:05 - 00010505 _____ C:\Users\jmitch16\Documents\timetable.xlsx
2013-11-13 18:53 - 2013-11-13 18:43 - 00000000 ____D C:\Users\jmitch16\Documents\2014 School
2013-11-13 18:52 - 2012-11-29 12:42 - 00000000 ____D C:\Users\jmitch16\Documents\2013 School
2013-11-13 16:43 - 2013-02-15 15:43 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-11-13 16:43 - 2013-02-15 15:43 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-11-13 14:22 - 2012-11-29 09:34 - 00000000 ____D C:\Windows\CCM
2013-11-13 14:16 - 2013-11-13 14:16 - 00004764 _____ C:\Windows\system32\CcmFramework.ini
2013-11-13 14:16 - 2013-11-13 14:16 - 00000704 _____ C:\Windows\system32\InstallUtil.InstallLog
2013-11-13 14:16 - 2013-11-13 14:16 - 00000621 _____ C:\Windows\system32\CcmFramework.h
2013-11-13 14:09 - 2013-11-13 14:09 - 00000000 ____D C:\Windows\system32\{3DA228BE-34DA-49f4-A081-66465B077429}
2013-11-13 14:09 - 2013-11-13 14:09 - 00000000 ____D C:\Windows\ms
2013-11-13 14:08 - 2012-11-29 10:59 - 00000605 _____ C:\Windows\ricdb.ini
2013-11-13 12:58 - 2012-11-29 09:33 - 00000000 ____D C:\Program Files\Microsoft Policy Platform
2013-11-13 12:48 - 2009-07-14 13:37 - 00000000 ____D C:\Windows\system32\NDF
2013-11-13 12:46 - 2013-02-01 10:19 - 00000000 ___HD C:\ProgramData\RICOH_DRV
2013-11-13 10:17 - 2013-11-13 10:17 - 00000000 ___RD C:\Users\IT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 8
2013-11-13 10:17 - 2013-11-13 10:17 - 00000000 ____D C:\Users\IT\AppData\Roaming\Sierra Wireless
2013-11-13 10:17 - 2013-11-13 10:17 - 00000000 ____D C:\Users\IT\AppData\Roaming\Canon
2013-11-13 10:17 - 2013-11-13 10:17 - 00000000 ____D C:\Users\IT\AppData\Roaming\Apple Computer
2013-11-13 10:16 - 2011-02-28 10:58 - 00000000 ____D C:\Users\IT\AppData\Roaming\WTablet
ZeroAccess:
C:\Users\jmitch16\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install
 
Files to move or delete:
====================
C:\ProgramData\sysqcl1129139270.dat
C:\Users\jmitch16\kcjoa86k0r3m-11280.exe
 
 
Some content of TEMP:
====================
C:\Users\IT\AppData\Local\Temp\ose00000.exe
C:\Users\jmitch16\AppData\Local\Temp\2SKKKKKKK.exe
C:\Users\jmitch16\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\jmitch16\AppData\Local\Temp\MSETUP4.EXE
C:\Users\jmitch16\AppData\Local\Temp\setup.exe
C:\Users\jmitch16\AppData\Local\Temp\uninstall.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
 
LastRegBack: 2013-11-23 11:41
 
==================== End Of Log ============================
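The helper in this thread reads the FRST log above by eye and picks out the entries worth removing: Run values with no publisher string that launch executables from the user profile, a value named "Windows Update Server" that points outside %SystemRoot%, a bare-GUID value name, a system-start driver whose file is gone ([x]), and Winsock catalog entries whose LibraryPath no longer resolves. The Python below is an added example, not part of the original post and not FRST's own code: it applies those same checks mechanically to FRST-style lines. The sample input is copied from the log above; the regexes, heuristics and the `Finding` type are this example's own assumptions about the line format, not an FRST specification.

```python
"""Triage FRST-style startup lines for the indicators seen in the thread's log.
Added example: the parsing rules and heuristics below are assumptions about the
FRST text format inferred from the posted log, not an official FRST parser."""
import re
from dataclasses import dataclass, field
from typing import List

# Sample input copied from the FRST log in the post above (raw string, so the
# backslashes are kept exactly as FRST prints them).
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7862816 2009-10-28] (Realtek Semiconductor)
HKCU\...\Run: [{C7011194-44EB-25B1-BA6B-CC90A7146962}] - C:\Users\jmitch16\AppData\Roaming\Rixeyxb\hufyru.exe [217600 2013-03-27] ()
HKCU\...\Run: [Windows Update Server] - C:\Users\jmitch16\kcjoa86k0r3m-11280.exe [132096 2013-11-15] ()
HKCU\...\Run: [RESTART_STICKY_NOTES] - C:\Windows\System32\StikyNot.exe [354304 2009-07-14] (Microsoft Corporation)
S1 ngarxbfi; \??\C:\Windows\system32\drivers\ngarxbfi.sys [x]
R3 acpials; C:\Windows\System32\DRIVERS\acpials.sys [7680 2009-07-14] (Microsoft Corporation)
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
"""

# "HKCU\...\Run: [name] - path [size date] (vendor)"
RUN_RE = re.compile(
    r"^(?P<hive>HK(?:LM|CU))\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - "
    r"(?P<path>.*?) \[(?P<meta>[^\]]*)\] \((?P<vendor>[^)]*)\)\s*$"
)
# "R3 name; path [size date] (vendor)"  or  "S1 name; path [x]"  (services and drivers)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<svc>[^;]+); (?P<path>.*?) "
    r"\[(?P<meta>[^\]]*)\](?: \((?P<vendor>[^)]*)\))?\s*$"
)
WINSOCK_RE = re.compile(r"^Winsock: Catalog\d+ \d+ \S+ File Not found")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
PROFILE_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$")


@dataclass
class Finding:
    kind: str                      # "run", "service" or "winsock"
    line: str                      # the offending log line, verbatim
    reasons: List[str] = field(default_factory=list)


def _run_reasons(m: "re.Match") -> List[str]:
    """Heuristics for a Run-key value; each one mirrors a judgement made in the thread."""
    reasons = []
    path_lc = m["path"].lower()
    name = m["name"]
    vendor = m["vendor"].strip()
    if "\\users\\" in path_lc and not vendor:
        reasons.append("no publisher string and executable lives under a user profile")
    if PROFILE_ROOT_EXE.match(path_lc):
        reasons.append("executable dropped directly in the profile root")
    if GUID_RE.match(name):
        reasons.append("Run value named with a bare GUID")
    if "windows update" in name.lower() and "\\windows\\" not in path_lc:
        reasons.append("value name imitates a Windows component but path is outside %SystemRoot%")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line; benign lines produce nothing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = RUN_RE.match(line)
        if m:
            reasons = _run_reasons(m)
            if reasons:
                findings.append(Finding("run", line, reasons))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m["meta"].strip() == "x":      # FRST prints [x] when the file is missing
                findings.append(Finding("service", line,
                                        ["referenced file missing on disk ([x])"]))
            continue
        if WINSOCK_RE.match(line):
            findings.append(Finding("winsock", line,
                                    ["LSP catalog entry's LibraryPath does not resolve"]))
    return findings


def report(log_text: str) -> str:
    """Human-readable summary, one block per finding."""
    out = []
    for f in triage(log_text):
        out.append(f"[{f.kind}] {f.line}")
        out.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample above this flags exactly the four lines the helper's fixlist targets (the two AppData/profile executables, the ngarxbfi driver and the Winsock entry) and leaves the Realtek, Sticky Notes and acpials lines alone. The heuristics are deliberately narrow: an empty publisher string alone is not treated as suspicious, because the same log shows legitimate vendor binaries (for example the Sonix webcam entries) with no company name.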

#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:32 AM

Posted 27 November 2013 - 07:17 AM


Hello jacko16

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

 
HKCU\...\Run: [{C7011194-44EB-25B1-BA6B-CC90A7146962}] - C:\Users\jmitch16\AppData\Roaming\Rixeyxb\hufyru.exe [217600 2013-03-27] ()
HKCU\...\Run: [Windows Update Server] - C:\Users\jmitch16\kcjoa86k0r3m-11280.exe [132096 2013-11-15] ()
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
S1 ngarxbfi; \??\C:\Windows\system32\drivers\ngarxbfi.sys [x]
2013-11-15 16:30 - 2013-11-27 17:36 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Hail
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Rixeyxb
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Husyi
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Cuaw
C:\Users\jmitch16\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\ProgramData\sysqcl1129139270.dat
C:\Users\jmitch16\kcjoa86k0r3m-11280.exe
C:\Users\IT\AppData\Local\Temp\ose00000.exe
C:\Users\jmitch16\AppData\Local\Temp\2SKKKKKKK.exe
C:\Users\jmitch16\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\jmitch16\AppData\Local\Temp\MSETUP4.EXE
C:\Users\jmitch16\AppData\Local\Temp\setup.exe
C:\Users\jmitch16\AppData\Local\Temp\uninstall.exe
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client - corrupted 2
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client - corrupted
DeleteJunctionsIndirectory: C:\Windows\system64
cmd: Dir /b /a:l "C:\Program Files" /s
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 jacko16

  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Local time:04:32 PM

Posted 28 November 2013 - 01:38 AM

I pressed Fix, but it came up and said there was an error. It still made the fixlog.

I also restarted my computer, but the ads still keep coming up and I can't download anything.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 25-11-2013 01
Ran by jmitch16 at 2013-11-28 17:19:42 Run:1
Running from C:\Users\jmitch16\Desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
HKCU\...\Run: [{C7011194-44EB-25B1-BA6B-CC90A7146962}] - C:\Users\jmitch16\AppData\Roaming\Rixeyxb\hufyru.exe [217600 2013-03-27] ()
HKCU\...\Run: [Windows Update Server] - C:\Users\jmitch16\kcjoa86k0r3m-11280.exe [132096 2013-11-15] ()
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
S1 ngarxbfi; \??\C:\Windows\system32\drivers\ngarxbfi.sys [x]
2013-11-15 16:30 - 2013-11-27 17:36 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Hail
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Rixeyxb
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Husyi
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\jmitch16\AppData\Roaming\Cuaw
C:\Users\jmitch16\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\ProgramData\sysqcl1129139270.dat
C:\Users\jmitch16\kcjoa86k0r3m-11280.exe
C:\Users\IT\AppData\Local\Temp\ose00000.exe
C:\Users\jmitch16\AppData\Local\Temp\2SKKKKKKK.exe
C:\Users\jmitch16\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\jmitch16\AppData\Local\Temp\MSETUP4.EXE
C:\Users\jmitch16\AppData\Local\Temp\setup.exe
C:\Users\jmitch16\AppData\Local\Temp\uninstall.exe
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client - corrupted 2
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client - corrupted
DeleteJunctionsIndirectory: C:\Windows\system64
cmd: Dir /b /a:l "C:\Program Files" /s
*****************
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\{C7011194-44EB-25B1-BA6B-CC90A7146962} => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Update Server => Value deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
ngarxbfi => Service deleted successfully.
C:\Users\jmitch16\AppData\Roaming\Hail => Moved successfully.
C:\Users\jmitch16\AppData\Roaming\Rixeyxb => Moved successfully.
C:\Users\jmitch16\AppData\Roaming\Husyi => Moved successfully.
C:\Users\jmitch16\AppData\Roaming\Cuaw => Moved successfully.
C:\Users\jmitch16\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Program Files\Google\Desktop\Install => Moved successfully.
C:\ProgramData\sysqcl1129139270.dat => Moved successfully.
C:\Users\jmitch16\kcjoa86k0r3m-11280.exe => Moved successfully.
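The Fixlog posted above echoes the fixlist and then prints one outcome line per item FRST acted on. Here the outcome lines stop after the kcjoa86k0r3m-11280.exe entry, so the Temp files and the DeleteJunctions commands have no reported result, which matches the error jacko16 saw. The following parser cross-checks a Fixlog against the fixlist it contains and lists entries with no outcome. It is an added example, not FRST's code or anything posted in this thread, and it runs on a constructed sample in the same layout (shortened fixlist, placeholder user names):

```python
"""Parse an FRST Fixlog.txt and cross-check the fixlist against the outcomes FRST reported."""
import re
from dataclasses import dataclass, field

# Constructed sample in the Fixlog.txt layout used in this thread (not the thread's own file):
# a shortened fixlist and its result lines, with user names replaced by placeholders.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 25-11-2013 01
Ran by user at 2013-11-28 17:19:42 Run:1
Running from C:\Users\user\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKCU\...\Run: [Windows Update Server] - C:\Users\user\kcjoa86k0r3m-11280.exe [132096 2013-11-15] ()
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
S1 ngarxbfi; \??\C:\Windows\system32\drivers\ngarxbfi.sys [x]
2013-11-15 16:30 - 2013-11-15 16:30 - 00000000 ____D C:\Users\user\AppData\Roaming\Rixeyxb
C:\ProgramData\sysqcl1129139270.dat
C:\Users\other\AppData\Local\Temp\ose00000.exe
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Windows\system64
cmd: Dir /b /a:l "C:\Program Files" /s
*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Update Server => Value deleted successfully.
Winsock: Catalog5 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
ngarxbfi => Service deleted successfully.
C:\Users\user\AppData\Roaming\Rixeyxb => Moved successfully.
C:\ProgramData\sysqcl1129139270.dat => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Windows\system64" => Not Found
"""

MARKER = "*****************"
# Result lines are "subject => outcome", except Winsock repairs, which read "subject was set successfully to ...".
RESULT_SPLIT = re.compile(r"\s+=>\s+|\s+was set successfully\s+")
OUTCOME_PATTERNS = [
    ("deleted", re.compile(r"deleted successfully", re.I)),
    ("moved", re.compile(r"moved successfully", re.I)),
    ("set", re.compile(r"was set successfully", re.I)),
    ("not_found", re.compile(r"\bnot found\b", re.I)),
    ("reparse", re.compile(r"deleting reparse point", re.I)),
]


@dataclass
class FixReport:
    fixlist: list = field(default_factory=list)     # raw fixlist entries, in order
    results: list = field(default_factory=list)     # (subject, outcome) per result line
    unreported: list = field(default_factory=list)  # fixlist entries with no result line at all

    def counts(self):
        tally = {}
        for _, outcome in self.results:
            tally[outcome] = tally.get(outcome, 0) + 1
        return tally


def classify_outcome(line):
    for label, pat in OUTCOME_PATTERNS:
        if pat.search(line):
            return label
    return "other"


def parse_result_line(line):
    parts = RESULT_SPLIT.split(line, maxsplit=1)
    if len(parts) != 2:
        return None
    return parts[0].strip().strip('"'), classify_outcome(line)


def fixlist_target(entry):
    """Reduce a fixlist entry to the token FRST echoes in its result line.
    Returns None for cmd: entries, which FRST reports in a separate section."""
    if re.match(r"cmd:", entry, re.I):
        return None
    m = re.match(r"HK\w+\\\.\.\.\\\w+: \[([^\]]+)\]", entry)      # HKCU\...\Run: [Name] - path
    if m:
        return m.group(1)
    m = re.match(r"Winsock: Catalog\d+ (\d+)", entry)             # Winsock: Catalog5 05 ...
    if m:
        return "entry " + m.group(1).zfill(12)
    m = re.match(r"[SRU]\d\s+([^;]+);", entry)                     # S1 svcname; path
    if m:
        return m.group(1).strip()
    m = re.match(r"DeleteJunctionsIn\w*:\s*(.+)$", entry, re.I)   # DeleteJunctionsInDirectory: path
    if m:
        return m.group(1).strip()
    m = re.match(r"\d{4}-\d\d-\d\d .*?([A-Za-z]:\\.+)$", entry)    # dated listing line, path at end
    if m:
        return m.group(1).strip()
    return entry.strip()                                           # bare path


def parse_fixlog(text):
    lines = [ln.rstrip() for ln in text.splitlines()]
    markers = [i for i, ln in enumerate(lines) if ln.strip() == MARKER]
    if len(markers) < 2:
        raise ValueError("fixlist block not found")
    report = FixReport()
    report.fixlist = [ln for ln in lines[markers[0] + 1:markers[1]] if ln.strip()]
    for ln in lines[markers[1] + 1:]:
        parsed = parse_result_line(ln)
        if parsed:
            report.results.append(parsed)
    subjects = [s.lower() for s, _ in report.results]
    for entry in report.fixlist:
        target = fixlist_target(entry)
        if target is not None and not any(target.lower() in s for s in subjects):
            report.unreported.append(entry)
    return report


if __name__ == "__main__":
    rep = parse_fixlog(SAMPLE_FIXLOG)
    print("outcomes:", rep.counts())
    for entry in rep.unreported:
        print("no outcome reported for:", entry)
```

Entries that come back as unreported are the ones to re-run or verify by hand rather than assume cleaned. Matching is a substring test on the subject FRST echoes, so a fixlist line carrying extra trailing text (such as the "- corrupted 2" suffix in the fixlist above) will not match and is flagged as unreported, which is the conservative outcome.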


#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:32 AM

Posted 28 November 2013 - 01:57 AM

Hello jacko16



I need you to download this script I have made for you --> Attached File: fixlist.txt

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow it).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


Gringo

#5 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:32 AM

Posted 02 December 2013 - 01:29 AM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo

#6 jacko16

  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Local time:04:32 PM

Posted 02 December 2013 - 01:32 AM

Sorry I didn't reply; I had camp and wasn't able to access my computer.
Here are the results of the scan, but I still keep getting ad popups.
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 25-11-2013 01
Ran by jmitch16 at 2013-12-02 17:29:52 Run:2
Running from C:\Users\jmitch16\Desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client
DeleteJunctionsIndirectory: C:\Windows\system64
cmd: Dir /b /a:l "C:\Program Files" /s
 
*****************
 
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Not Found
"C:\Windows\system64" => Not Found
 
=========  Dir /b /a:l "C:\Program Files" /s =========
 
File Not Found
 
========= End of CMD: =========
 
 
==== End of Fixlog ====
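The fixlist behind this log pairs DeleteJunctionsInDirectory with a `Dir /b /a:l "C:\Program Files" /s` listing: `/a:l` lists only reparse points (junctions and symbolic links), which is how you confirm none remain in the security product folders after the fix. The scanner below does the same check portably and is an added example, not FRST's code or anything from this thread. It reports every reparse point under a tree without following any of them, and builds a throwaway tree (a symlink standing in for a junction, in a folder named "Vendor AV" as a stand-in) so it can be run anywhere:

```python
"""Find reparse points (junctions, symlinks) under a directory tree without following them."""
import os
import stat
import tempfile

# Windows reparse-point attribute bit; stat exposes it on Python 3.5+, the literal is a fallback.
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(entry):
    """True for symlinks on any OS and for junctions/other reparse points on Windows."""
    if entry.is_symlink():
        return True
    attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
    return bool(attrs & REPARSE)


def find_reparse_points(root):
    """Walk root iteratively; return the sorted paths of every reparse point found.
    Reparse points are reported but never descended into, so a link that points
    back up the tree cannot loop the walk."""
    found = []
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as it:
                for entry in it:
                    if is_reparse_point(entry):
                        found.append(entry.path)
                    elif entry.is_dir(follow_symlinks=False):
                        stack.append(entry.path)
        except OSError:
            continue  # access-denied or vanished directories are skipped, not fatal
    return sorted(found)


def demo_tree():
    """Build a throwaway tree: one real DLL-like file and one symlink standing in for a
    junction planted in a security product's folder. Returns (root, link_path)."""
    base = tempfile.mkdtemp()
    product = os.path.join(base, "Vendor AV")   # constructed stand-in folder name
    os.makedirs(product)
    real = os.path.join(product, "engine.dll")
    with open(real, "wb") as f:
        f.write(b"\x00")
    link = os.path.join(product, "scanner.dll")
    os.symlink(real, link)
    return base, link


if __name__ == "__main__":
    root, _ = demo_tree()
    for path in find_reparse_points(root):
        print("reparse point:", path)
```

On a real Windows host, point `find_reparse_points` at `C:\Program Files`; a healthy system returns an empty list there apart from anything your own software legitimately installs, and any entry inside an antivirus or Windows Defender folder is worth treating as the same symptom FRST flagged at the top of the first log.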


#7 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:32 AM

Posted 02 December 2013 - 01:45 AM



Hello jacko16

These are the programs I would like you to run next. If you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo

#8 jacko16

  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Local time:04:32 PM

Posted 02 December 2013 - 03:00 AM

I ran both of the things and I can now download things (thank you so much for your help with that), but I still seem to get popups at the bottom left-hand side of my screen, though they are less frequent.

 

 

# AdwCleaner v3.014 - Report created 02/12/2013 at 18:25:11
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : jmitch16 - JMITCH16-T730
# Running from : C:\Users\jmitch16\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Program Files\Common Files\DVDVideoSoft\TB
Folder Deleted : C:\Users\jmitch16\AppData\Local\torch
Folder Deleted : C:\Users\jmitch16\AppData\Roaming\dvdvideosoftiehelpers
Folder Deleted : C:\Users\jmitch16\AppData\Roaming\OpenCandy
Folder Deleted : C:\Users\jmitch16\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\torch
Folder Deleted : C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiplfnciaokpcennlkldkdaeaaomamof
File Deleted : C:\Users\jmitch16\AppData\Local\Temp\Uninstall.exe
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\kiplfnciaokpcennlkldkdaeaaomamof
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A43DE495-3D00-47D4-9D2C-303115707939}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKCU\Software\torch
Key Deleted : HKLM\Software\torch
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\torch
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.7601.17514
 
 
-\\ Google Chrome v31.0.1650.57
 
[ File : C:\Users\jmitch16\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2267 octets] - [02/12/2013 18:24:11]
AdwCleaner[S0].txt - [2238 octets] - [02/12/2013 18:25:11]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2298 octets] ##########
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Professional x86
Ran by jmitch16 on Mon 02/12/2013 at 18:33:26.34
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{02DD8284-A49F-43E5-9D84-CF19DC9AD21D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{27DE7D30-BCCD-44D1-ADCB-A74A4259EBEF}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3A0EFC4E-F167-4D0E-9C24-FC5519237993}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{55D63393-DB17-4A2B-9052-15D85B4B1344}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\taskhost_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\taskhost_RASMANCS
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 02/12/2013 at 18:35:19.05
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


#9 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:32 AM

Posted 02 December 2013 - 12:09 PM


Hello jacko16

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#10 jacko16

  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Local time:04:32 PM

Posted 07 December 2013 - 12:49 AM

So far, after running the program, I haven't seen any popups and my computer doesn't seem to have anything wrong with it.
 
ComboFix 13-12-07.01 - jmitch16 07/12/2013  16:01:07.1.4 - x86
Running from: c:\users\jmitch16\Downloads\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Cybersafety Help Button\Cybersafety Help Button.exe
c:\users\jmitch16\AppData\Local\Temp\2bity5n58yga7-11280.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-07 to 2013-12-07  )))))))))))))))))))))))))))))))
.
.
2013-12-07 05:08 . 2013-12-07 05:08 -------- d-----w- c:\users\IT\AppData\Local\temp
2013-12-02 07:33 . 2013-12-02 07:33 -------- d-----w- c:\windows\ERUNT
2013-12-02 07:19 . 2013-12-02 07:25 -------- d-----w- C:\AdwCleaner
2013-11-27 06:55 . 2013-11-27 06:55 -------- d-----w- C:\FRST
2013-11-15 05:31 . 2013-11-28 06:19 132096 ----a-w- c:\users\jmitch16\kcjoa86k0r3m-11280.exe
2013-11-15 04:51 . 2013-12-02 07:37 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{52E259A4-2ABC-480A-975E-80FDAC946D87}\offreg.dll
2013-11-14 09:16 . 2013-10-15 13:20 7796464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{52E259A4-2ABC-480A-975E-80FDAC946D87}\mpengine.dll
2013-11-14 09:04 . 2013-02-27 05:05 101720 ----a-w- c:\windows\system32\consent.exe
2013-11-14 09:04 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\system32\authui.dll
2013-11-14 09:04 . 2013-02-27 04:49 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-11-14 06:56 . 2013-06-15 03:38 31232 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-11-14 01:18 . 2013-11-14 01:18 -------- d-----w- c:\users\jmitch16\AppData\Local\PearsonBookshelf
2013-11-14 01:17 . 2013-11-14 01:17 -------- d-----w- c:\program files\PearsonBookshelf
2013-11-13 03:09 . 2013-11-13 03:09 -------- d-----w- c:\windows\system32\{3DA228BE-34DA-49f4-A081-66465B077429}
2013-11-13 03:09 . 2013-11-13 03:09 -------- d-----w- c:\windows\ms
2013-11-12 23:17 . 2013-11-12 23:17 -------- d-----w- c:\users\IT\AppData\Roaming\Sierra Wireless
2013-11-12 23:17 . 2013-11-12 23:17 -------- d-----w- c:\users\IT\AppData\Roaming\Canon
2013-11-12 23:17 . 2013-11-12 23:17 -------- d-----w- c:\users\IT\AppData\Roaming\Apple Computer
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-13 05:43 . 2013-02-15 04:43 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-13 05:43 . 2013-02-15 04:43 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-13 01:20 . 2010-06-24 00:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TSFPLOlayIcon]
@="{F4DD9208-8229-492D-BCBF-2955F7AC38F4}"
[HKEY_CLASSES_ROOT\CLSID\{F4DD9208-8229-492D-BCBF-2955F7AC38F4}]
2010-07-28 21:57 285504 ----a-w- c:\program files\TrueSuite\TrueSuite.FPLOlayIcon.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-11-29 39408]
"GoogleChromeAutoLaunch_558C8A73E68E7DA62B43996849CDEDFA"="c:\program files\Google\Chrome\Application\chrome.exe" [2013-12-04 863184]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2009-10-13 36712]
"FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2009-10-11 20480]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2011-01-13 271728]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-28 7862816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-11-04 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-11-04 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-11-04 170520]
"ClientAppLogon"="c:\program files\TrueSuite\TrueSuite.ClientAppLogonExe.exe" [2010-07-28 307520]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-07-16 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-15 50472]
"YouCam Mirror Tray icon"="c:\program files\CyberLink\YouCam\YouCamTray.exe" [2010-01-15 167008]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-02-18 115560]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2009-08-12 662016]
"SNUVCDSM"="c:\windows\snuvcdsm.exe" [2009-05-21 24576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-28 151952]
"BigPondWirelessBroadbandCM"="c:\program files\Telstra\Mobile Broadband Manager\TelstraUCM.exe" [2011-08-11 6198168]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-03-14 2565520]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2011-08-04 1612920]
"IJNetworkScannerSelectorEX"="c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2011-01-15 452016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-09-05 958576]
.
c:\users\jmitch16\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2010-3-29 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 ccmsetup;ccmsetup;c:\windows\ccmsetup\ccmsetup.exe [2013-09-11 1614520]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 lpasvc;Microsoft Policy Platform Local Authority;c:\program files\Microsoft Policy Platform\policyHost.exe [2012-08-02 48744]
R3 lppsvc;Microsoft Policy Platform Processor;c:\program files\Microsoft Policy Platform\policyHost.exe [2012-08-02 48744]
R3 massfilter;LTE Device Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-07-09 7168]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-12 6755840]
R3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\swg3kser00.sys [2011-07-09 215552]
R3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\DRIVERS\swiwdmbx.sys [2011-07-09 83968]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [2011-07-09 208128]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 USBTINSP;TI-Nspire™ Handheld or TI Network Bridge Device Driver;c:\windows\system32\DRIVERS\tinspusb.sys [2010-03-29 122752]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-11-10 16168]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-27 1343400]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 20480]
R4 CmRcService;Configuration Manager Remote Control;c:\windows\CCM\RemCtrl\CmRcService.exe [2012-11-20 470112]
S2 FPLService;TrueSuiteService;c:\program files\TrueSuite\TrueSuite.Service.exe [2010-07-28 257344]
S2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files\Sierra Wireless Inc\Common\SwiCardDetect.exe [2011-06-24 238960]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-08-27 4916080]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2010-08-27 216944]
S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-13 7680]
S3 ATSwpWDF;AuthenTec TruePrint WBF Driver;c:\windows\system32\DRIVERS\ATSwpWDF.sys [2010-08-08 791240]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-12-09 214696]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-11-21 108120]
S3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [2009-08-27 18816]
S3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\FUJ02E3.sys [2006-11-01 5632]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-02-26 132480]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-08-31 269824]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\Netwsn00.sys [2013-02-27 10378992]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-05-13 48672]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-07-02 44064]
S3 wacomvthid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2010-05-31 13680]
S3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2010-01-04 36904]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPNAT
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-07 05:15 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-15 05:43]
.
2013-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-29 06:05]
.
2013-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-29 06:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ivanhoeconnect.com
uInternet Settings,ProxyServer = daffy.igs.vic.edu.au:8080
uInternet Settings,ProxyOverride = *.ivanhoeonline.net;ivanhoeonline.net;blackboard.igs.vic.edu.au;pluto.igs.vic.edu.au;*.myivanhoe.net;oliver.igs.vic.edu.au;myivanhoe.net;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\jmitch16\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm
IE: Free YouTube to MP3 Converter - c:\users\jmitch16\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: goofy
Trusted Zone: myprofile.com.au\www
Trusted Zone: vic.edu.au\conan.igs
Trusted Zone: vic.edu.au\crystalreports.igs
Trusted Zone: vic.edu.au\goofy.igs
Trusted Zone: vic.edu.au\ocspool01.igs
Trusted Zone: vic.edu.au\oliver.igs
Trusted Zone: vic.edu.au\synergetic.igs
Trusted Zone: vic.edu.au\www.igs
Trusted Zone: vic.edu.au\www.vass
Trusted Zone: goofy
Trusted Zone: myprofile.com.au\www
Trusted Zone: vic.edu.au\crystalreports.igs
Trusted Zone: vic.edu.au\goofy.igs
Trusted Zone: vic.edu.au\ocspool01.igs
Trusted Zone: vic.edu.au\oliver.igs
Trusted Zone: vic.edu.au\synergetic.igs
Trusted Zone: vic.edu.au\www.igs
Trusted Zone: vic.edu.au\www.vass
TCP: DhcpNameServer = 10.0.0.138
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-{C7011194-44EB-25B1-BA6B-CC90A7146962} - c:\users\jmitch16\AppData\Roaming\Rixeyxb\hufyru.exe
c:\users\IT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cybersafety Help Button.lnk - c:\program files\Cybersafety Help Button\Cybersafety Help Button.exe
SafeBoot-Wdf01000.sys
SafeBoot-Symantec Antvirus
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\ccmsetup]
"ImagePath"="\"c:\windows\ccmsetup\ccmsetup.exe\" /runservice \"/AutoUpgrade\" \"/UpgradePackageVersion:4\" \"/UpgradeWinTask\" SMSSITECODE=\"AUTO\" CCMHTTPPORT=\"80\" CCMHTTPSPORT=\"443\" CCMCERTSTORE=\"MY\" CCMFIRSTCERT=\"1\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5304)
c:\program files\TrueSuite\TrueSuite.FPLOlayIcon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WUDFHost.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\windows\system32\o2flash.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\DllHost.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\system32\taskhost.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\system32\sppsvc.exe
c:\program files\TrueSuite\TrueSuite.TouchControl.exe
c:\program files\WTouch\WTouchUser.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
.
**************************************************************************
.
Completion time: 2013-12-07  16:25:05 - machine was rebooted
ComboFix-quarantined-files.txt  2013-12-07 05:25
.
Pre-Run: 375,064,690,688 bytes free
Post-Run: 375,651,418,112 bytes free
.
- - End Of File - - 1238C3FF59482820023994696170AAC9
A36C5E4F47E84449FF07ED3517B43A31


#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 December 2013 - 03:50 AM


Hello jacko16

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 jacko16
  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male

Posted 07 December 2013 - 05:22 AM

Hey, my computer still seems to be running fine, and from what I know there doesn't seem to be anything else wrong with it.
 
ComboFix 13-12-07.01 - jmitch16 07/12/2013  21:07:32.2.4 - x86
Running from: c:\users\jmitch16\Downloads\ComboFix.exe
Command switches used :: c:\users\jmitch16\Desktop\CFScript.txt
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-07 to 2013-12-07  )))))))))))))))))))))))))))))))
.
.
2013-12-07 10:13 . 2013-12-07 10:13 -------- d-----w- c:\users\IT\AppData\Local\temp
2013-12-07 10:13 . 2013-12-07 10:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-12-07 10:13 . 2013-12-07 10:13 -------- d-----w- c:\users\ADMINI~1\AppData\Local\temp
2013-12-02 07:33 . 2013-12-02 07:33 -------- d-----w- c:\windows\ERUNT
2013-12-02 07:19 . 2013-12-02 07:25 -------- d-----w- C:\AdwCleaner
2013-11-27 06:55 . 2013-11-27 06:55 -------- d-----w- C:\FRST
2013-11-15 05:31 . 2013-11-28 06:19 132096 ----a-w- c:\users\jmitch16\kcjoa86k0r3m-11280.exe
2013-11-15 04:51 . 2013-12-02 07:37 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{52E259A4-2ABC-480A-975E-80FDAC946D87}\offreg.dll
2013-11-14 09:16 . 2013-10-15 13:20 7796464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{52E259A4-2ABC-480A-975E-80FDAC946D87}\mpengine.dll
2013-11-14 09:04 . 2013-02-27 05:05 101720 ----a-w- c:\windows\system32\consent.exe
2013-11-14 09:04 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\system32\authui.dll
2013-11-14 09:04 . 2013-02-27 04:49 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-11-14 06:56 . 2013-06-15 03:38 31232 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-11-14 01:18 . 2013-11-14 01:18 -------- d-----w- c:\users\jmitch16\AppData\Local\PearsonBookshelf
2013-11-14 01:17 . 2013-11-14 01:17 -------- d-----w- c:\program files\PearsonBookshelf
2013-11-13 03:09 . 2013-11-13 03:09 -------- d-----w- c:\windows\system32\{3DA228BE-34DA-49f4-A081-66465B077429}
2013-11-13 03:09 . 2013-11-13 03:09 -------- d-----w- c:\windows\ms
2013-11-12 23:17 . 2013-11-12 23:17 -------- d-----w- c:\users\IT\AppData\Roaming\Sierra Wireless
2013-11-12 23:17 . 2013-11-12 23:17 -------- d-----w- c:\users\IT\AppData\Roaming\Canon
2013-11-12 23:17 . 2013-11-12 23:17 -------- d-----w- c:\users\IT\AppData\Roaming\Apple Computer
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-13 05:43 . 2013-02-15 04:43 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-13 05:43 . 2013-02-15 04:43 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-13 01:20 . 2010-06-24 00:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TSFPLOlayIcon]
@="{F4DD9208-8229-492D-BCBF-2955F7AC38F4}"
[HKEY_CLASSES_ROOT\CLSID\{F4DD9208-8229-492D-BCBF-2955F7AC38F4}]
2010-07-28 21:57 285504 ----a-w- c:\program files\TrueSuite\TrueSuite.FPLOlayIcon.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-11-29 39408]
"GoogleChromeAutoLaunch_558C8A73E68E7DA62B43996849CDEDFA"="c:\program files\Google\Chrome\Application\chrome.exe" [2013-12-04 863184]
"RESTART_STICKY_NOTES"="c:\windows\system32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2009-10-13 36712]
"FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2009-10-11 20480]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2011-01-13 271728]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-28 7862816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-11-04 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-11-04 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-11-04 170520]
"ClientAppLogon"="c:\program files\TrueSuite\TrueSuite.ClientAppLogonExe.exe" [2010-07-28 307520]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-07-16 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-15 50472]
"YouCam Mirror Tray icon"="c:\program files\CyberLink\YouCam\YouCamTray.exe" [2010-01-15 167008]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-02-18 115560]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2009-08-12 662016]
"SNUVCDSM"="c:\windows\snuvcdsm.exe" [2009-05-21 24576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-28 151952]
"BigPondWirelessBroadbandCM"="c:\program files\Telstra\Mobile Broadband Manager\TelstraUCM.exe" [2011-08-11 6198168]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-03-14 2565520]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2011-08-04 1612920]
"IJNetworkScannerSelectorEX"="c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2011-01-15 452016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-09-05 958576]
.
c:\users\jmitch16\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2010-3-29 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 ccmsetup;ccmsetup;c:\windows\ccmsetup\ccmsetup.exe [2013-09-11 1614520]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 lpasvc;Microsoft Policy Platform Local Authority;c:\program files\Microsoft Policy Platform\policyHost.exe [2012-08-02 48744]
R3 lppsvc;Microsoft Policy Platform Processor;c:\program files\Microsoft Policy Platform\policyHost.exe [2012-08-02 48744]
R3 massfilter;LTE Device Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-07-09 7168]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-12 6755840]
R3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\swg3kser00.sys [2011-07-09 215552]
R3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\DRIVERS\swiwdmbx.sys [2011-07-09 83968]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [2011-07-09 208128]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 USBTINSP;TI-Nspire™ Handheld or TI Network Bridge Device Driver;c:\windows\system32\DRIVERS\tinspusb.sys [2010-03-29 122752]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-11-10 16168]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-27 1343400]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 20480]
R4 CmRcService;Configuration Manager Remote Control;c:\windows\CCM\RemCtrl\CmRcService.exe [2012-11-20 470112]
S2 FPLService;TrueSuiteService;c:\program files\TrueSuite\TrueSuite.Service.exe [2010-07-28 257344]
S2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files\Sierra Wireless Inc\Common\SwiCardDetect.exe [2011-06-24 238960]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-08-27 4916080]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2010-08-27 216944]
S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-13 7680]
S3 ATSwpWDF;AuthenTec TruePrint WBF Driver;c:\windows\system32\DRIVERS\ATSwpWDF.sys [2010-08-08 791240]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-12-09 214696]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-11-21 108120]
S3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [2009-08-27 18816]
S3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\FUJ02E3.sys [2006-11-01 5632]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-02-26 132480]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-08-31 269824]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\Netwsn00.sys [2013-02-27 10378992]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-05-13 48672]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-07-02 44064]
S3 wacomvthid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2010-05-31 13680]
S3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2010-01-04 36904]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPNAT
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-07 05:15 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-15 05:43]
.
2013-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-29 06:05]
.
2013-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-29 06:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ivanhoeconnect.com
uInternet Settings,ProxyServer = daffy.igs.vic.edu.au:8080
uInternet Settings,ProxyOverride = *.ivanhoeonline.net;ivanhoeonline.net;blackboard.igs.vic.edu.au;pluto.igs.vic.edu.au;*.myivanhoe.net;oliver.igs.vic.edu.au;myivanhoe.net;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\jmitch16\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm
IE: Free YouTube to MP3 Converter - c:\users\jmitch16\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: goofy
Trusted Zone: myprofile.com.au\www
Trusted Zone: vic.edu.au\conan.igs
Trusted Zone: vic.edu.au\crystalreports.igs
Trusted Zone: vic.edu.au\goofy.igs
Trusted Zone: vic.edu.au\ocspool01.igs
Trusted Zone: vic.edu.au\oliver.igs
Trusted Zone: vic.edu.au\synergetic.igs
Trusted Zone: vic.edu.au\www.igs
Trusted Zone: vic.edu.au\www.vass
Trusted Zone: goofy
Trusted Zone: myprofile.com.au\www
Trusted Zone: vic.edu.au\crystalreports.igs
Trusted Zone: vic.edu.au\goofy.igs
Trusted Zone: vic.edu.au\ocspool01.igs
Trusted Zone: vic.edu.au\oliver.igs
Trusted Zone: vic.edu.au\synergetic.igs
Trusted Zone: vic.edu.au\www.igs
Trusted Zone: vic.edu.au\www.vass
TCP: DhcpNameServer = 10.0.0.138
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\ccmsetup]
"ImagePath"="\"c:\windows\ccmsetup\ccmsetup.exe\" /runservice \"/AutoUpgrade\" \"/UpgradePackageVersion:4\" \"/UpgradeWinTask\" SMSSITECODE=\"AUTO\" CCMHTTPPORT=\"80\" CCMHTTPSPORT=\"443\" CCMCERTSTORE=\"MY\" CCMFIRSTCERT=\"1\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(764)
c:\program files\TrueSuite\TrueSuite.FPLOlayIcon.dll
.
Completion time: 2013-12-07  21:15:15
ComboFix-quarantined-files.txt  2013-12-07 10:15
ComboFix2.txt  2013-12-07 05:25
.
Pre-Run: 375,996,985,344 bytes free
Post-Run: 375,958,691,840 bytes free
.
- - End Of File - - B4F3F8552F76CA97D073EBE54520FE6A
A36C5E4F47E84449FF07ED3517B43A31
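
The log above is what a responder actually reads. The items that mattered in this thread were the orphaned HKCU Run entry pointing at c:\users\jmitch16\AppData\Roaming\Rixeyxb\hufyru.exe and the file c:\users\jmitch16\kcjoa86k0r3m-11280.exe sitting in the profile root: both are executables living where a standard user can write, which is the usual tell in a Run-key listing full of vendor entries under Program Files. The Python below is an added example, not code from this thread, from BleepingComputer or from ComboFix. It parses lines in the formats the posted logs use (the Files Created listing, the Run keys under Reg Loading Points, and the ORPHANS REMOVED section) and flags executables in user-writable locations, marking those that are autorun entries. The sample log it scans is constructed for the example from lines in the thread; the section handling, the regexes and the Finding class are the example's own and are not part of any ComboFix output format specification.

```python
"""Triage of executable paths in a ComboFix-style log.

Added example, not code from the thread, from BleepingComputer or from
ComboFix. It scans lines in the formats seen in the posted logs (the
'Files Created' listing, the Run keys under 'Reg Loading Points' and the
'ORPHANS REMOVED' section) and flags executables that live where a
standard user can write: AppData, Temp, or the profile root.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. The two user-profile paths are the ones that appear in
# the logs posted in this thread; the remaining lines are representative of
# the legitimate vendor entries in the same logs.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2013-11-07 to 2013-12-07  )))))))))))))))))))))))))))))))
.
2013-11-15 05:31 . 2013-11-28 06:19 132096 ----a-w- c:\users\jmitch16\kcjoa86k0r3m-11280.exe
2013-11-14 09:04 . 2013-02-27 05:05 101720 ----a-w- c:\windows\system32\consent.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-11-29 39408]
"RESTART_STICKY_NOTES"="c:\windows\system32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-02-18 115560]
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-{C7011194-44EB-25B1-BA6B-CC90A7146962} - c:\users\jmitch16\AppData\Roaming\Rixeyxb\hufyru.exe
"""

# A Windows path ending in an executable extension; the class excludes quotes
# and brackets so the trailing "[date size]" annotation is not swallowed.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|sys|scr|cpl)\b', re.IGNORECASE)
# A file sitting directly in a profile root, e.g. c:\users\<name>\file.exe
PROFILE_ROOT_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\[^\\]+$', re.IGNORECASE)


@dataclass
class Finding:
    path: str
    section: str   # which part of the log the line came from
    reason: str


def section_of(line: str, current: str) -> str:
    """Track the current log section from banner lines and registry-key headers."""
    s = line.strip()
    if s.startswith('[HKEY_'):
        return s.strip('[]')
    if s.startswith('(((') or s.startswith('- - - -'):
        # "(((  Files Created from ...  )))" -> "Files Created"
        return s.strip('() -').split(' from ')[0]
    return current


def location_reason(path: str) -> Optional[str]:
    """Return why a path is suspicious by location, or None if it is not."""
    low = path.lower()
    if '\\appdata\\' in low or '\\temp\\' in low:
        return 'executable under a user-writable AppData/Temp directory'
    if PROFILE_ROOT_RE.match(path):
        return 'executable dropped directly in a user profile root'
    return None


def triage(log_text: str) -> List[Finding]:
    """Flag executables in user-writable locations, noting autorun context."""
    findings: List[Finding] = []
    section = ''
    for line in log_text.splitlines():
        section = section_of(line, section)
        for m in PATH_RE.finditer(line):
            path = m.group(0)
            reason = location_reason(path)
            if reason is None:
                continue
            # A Run key or an orphaned Run entry is persistence, not just a dropped file.
            if section.endswith('\\Run') or section == 'ORPHANS REMOVED':
                reason = 'autorun entry: ' + reason
            findings.append(Finding(path, section, reason))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.section}] {f.path}\n    {f.reason}')
```

Run it as a script to print the findings, or call triage() on a complete saved log. The location heuristic is deliberately narrow: vendor entries under Program Files and system32 are left alone, so the output is a short list to review by hand rather than a verdict, and an analyst still has to confirm each hit against the file's signer, hash and creation time.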


#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 December 2013 - 12:05 PM


Hello jacko16

I would like to see a report that combofix makes.

extra combofix report
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok
copy and paste the report into this topic for me to review

Gringo

#14 jacko16
  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male

Posted 07 December 2013 - 04:27 PM

 
activBook Reader
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader XI (11.0.04)
ALPS Touch Pad Driver
Any Video Converter 5.0.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArtRage 2
Audacity 1.3.12 (Unicode)
AuthenTec TrueSuite
Bonjour
Canon Easy-PhotoPrint EX
Canon IJ Network Scanner Selector EX
Canon IJ Network Tool
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MG5300 series MP Drivers
Canon MG5300 series On-screen Manual
Canon MP Navigator EX 5.0
Canon My Printer
Canon Solution Menu EX
Comic Life
ConfigMgr Client Setup Bootstrap
Configuration Manager Client
CyberLink PowerDirector
CyberLink PowerDVD 8
CyberLink YouCam
Cybersafety Help Button
D3DX10
Definition update for Microsoft Office 2010 (KB982726)
FJ Camera
Free YouTube Download version 3.1.42.1212
Free YouTube to MP3 Converter version 3.11.37.1212
Fujitsu Button Utilities
Fujitsu System Extension Utility
Google Chrome
Google SketchUp 8
Google Toolbar for Internet Explorer
Google Update Helper
Inspiration 8 IE
InspireData
Intel® Graphics Media Accelerator Driver
Intel® Network Connections Drivers
iTunes
Java Auto Updater
Java™ 6 Update 24
LiveUpdate 3.3 (Symantec Corporation)
maths300
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Policy Platform
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Mobile Broadband Manager
MSVCRT
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2721691)
MSXML 4.0 SP3 Parser (KB2758694)
myNewbyte Data
myNewbyte License
O2Micro Flash Memory Card Windows Driver
Pearson Bookshelf
Pen Tablet
Photo Story 3 for Windows
QuickTime
Realtek High Definition Audio Driver
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio Creator LJ
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft Office 2010 (KB2289078)
Security Update for Microsoft Office 2010 (KB2289161)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft Publisher 2010 (KB2409055)
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Word 2010 (KB2345000)
Stop Motion Pro v5.1 Educational/Junior Site
Symantec Endpoint Protection
System Requirements Lab for Intel
Telstra Mobile Broadband Manager
Typing Tournament v1.2 Standard
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft Office 2010 (KB2413186)
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2433299)
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Windows Driver Package - Fujitsu America, Inc. (FjBtnDrv) HIDClass  (08/27/2009 4.2.0827.2009)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack


#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 December 2013 - 08:42 PM

Hello

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).
  • Programs to remove

    • Java™ 6 Update 24



Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then click on Next.
  • Once done click Finish.
.


Install Java:

Please go here to install Java
  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close
Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here CCleaner
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner; default settings are fine.
    • Click Run Cleaner.
    • Close CCleaner.
Run Malwarebytes

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




Download HijackThis
  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • copy and paste hijackthis report into the topic
"information and logs"
  • In your next post I need the following
    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo